Mark Mills:

I've just upgraded my Core appliance and am in the process of reinstalling servers etc.  I'm noticing some strange behaviour with Proftpd which is new (don't remember it happening with the old appliance versions).

I'm using proftpd-basic 1.3.2c-1ubuntu0.1 with the webmin module and accessing an ftp account for the web server.  I've also got the SSH FTP login enabled with the ftp account rooted to its home directory.
With Filezilla 3.5.0 (latest version), I get the following behaviours ...
1. Login via Proftpd (normal ftp) as ftp user, permissions display as flcdmpe (xxxx) and owner:group as 1000:100
2. Login via SSH as ftp user, permissions display correctly (say drw-xr-xr-x) and owner:group as 1000:100
3. Login via SSH as root user, permissions display correctly (say drw-xr-xr-x) and owner:group as root:root
With WinSCP 4.3.4 (latest version), I get the following behaviours ...
1. Login via Proftpd (normal FTP) as ftp user, both permissions and owner:group display correctly
2. Login via SSH as ftp user, permissions display correctly and owner:group as 1000:100
3. Login via SSH as root user, both permissions and owner:group display correctly.
I've found a couple of references to this behaviour (in Proftpd) on forums here and here (see third post from the bottom) implying that this is a fault with Proftpd and MLSD access not being implemented correctly.
Interestingly, if I remove the home jail for the ftp user, all the WinSCP logins work correctly as do the SSH logins via FileZilla (the normal FTP login still does not) but the FTP user gets access to the whole filesystem which I don't want to happen.
This is the way I've jailed the 'ftpusers' group to their home directory in sshd_config ...
Subsystem sftp internal-sftp

Match group ftpusers
   ForceCommand internal-sftp
   ChrootDirectory %h
   AllowTcpForwarding no
To get this to work, I had to change the ownership of /var/www to root:root with mode 755.
So, the questions are ...
1. Does anyone else notice the behaviour with Proftpd not showing permissions and ownership properly?
2. Is there any way of forcing Proftpd to use LIST rather than MLSD in the config file (as this seems to be the main issue)?
3. Is there an easily configurable alternative to Proftpd which does work correctly?
4. I could rely on SSH but have I configured jailing correctly?  Why can't either FTP client get the owner:group names?
Thanks for your time
Mark Mills:

(This shows how much of a newbie I am)

I realise that chrooting the ftp user to his directory stops access to /etc/passwd and /etc/group.  So I have copied just the ftp user's credentials in passwd and group into the home directory and the client can now get the correct user credentials.


However, this seems untidy since I would have to manually update these new files each time I add a new user to the system.  Since I only need FTP access for these users, I guess these are the only files I need in the chrooted directory?


Mark Mills:

Turns out that simply adding ...

FactsAdvertise Off

... in proftpd.conf sorted it.


Jeremy Davis:

And sorry I've been a little slow posting. I have no experience with Proftpd so wouldn't have been much help anyway.

Although had I known you were after simple FTP with chroot gaol (jail) then I would've suggested vsftpd - I'm not sure if it has a Webmin module (probably does) but it's really easy to configure manually. The only catch with vsftpd is that it is used by TKL in the fileserver and torrentserver appliances with the FTP function of eXtplorer (and is bound to localhost) so in that instance you need to reconfigure it (and lose the FTP function of eXtplorer). Anyway, that's all irrelevant now...

FYI when you mention chrooting, technically that is not exactly what you are wanting (chroot is change root). It's a chroot gaol (jail) you are wanting - so the user is locked in their chroot (ie their own private root that they can't get out of).

Mark Mills:

Thanks for the response Jeremy.  It's a steep learning curve and I sometimes struggle to find simple, clear explanations for things on the web.  I tried VSFTPD which does have a webmin module which you have to install manually but I couldn't let the Proftpd issue beat me!


Jeremy Davis:

Yes the learning curve can be steep at times, but IMO it's well worth it. TBH though I've found that once I got a few of the basic concepts (ie unlearned some of my Win knowledge) that it's not too bad (mostly).

Occasionally I have found issues that were tricky to resolve, but all in all I must say I have found the level of support available online for Linux (especially Ubuntu) is quite amazing. You may already know this (but just in case, or for others reading), keep in mind when searching for help with TKL stuff that TKL (v11.x) is built on Ubuntu (10.04) server. Sometimes info for Debian can also be useful (but sometimes not and can lead you astray) and the same for other Linux distros. Generally basic commands are quite Linux generic as are many common packages, but sometimes things are a bit idiosyncratic. I always try to look in the Ubuntu Server Manual and/or Ubuntu Forums (obviously after checking TKL) before I start searching elsewhere.

Gaurav Kulshrestha:

I have created a virtual user on proftpd and am able to log in successfully with the password. Now I want SSH keys to be configured for this virtual user, so I have done as follows:

1. Generated keys (private and public keys) using puttygen.
2. Configured the public key in the proftpd.conf file for the attribute "SFTPAuthorizedUserKeys file" and restarted proftpd.
3. Used WinSCP to log in with the private key, but I am getting an authentication failure.

Please find the proftpd.conf file below FYI...


# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName   "ProFTPD Default Installation"
ServerType   standalone
DefaultServer   on

# Port 21 is the standard FTP port.
#Port    21

# Don't use IPv6 support by default.
UseIPv6    off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask    022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances   30

# Set the user and group under which the server will run.
User    nobody
Group           nobody

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite  on

# Bar use of SITE CHMOD by default

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
  User    ftp
  Group    ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias   anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients   10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin   welcome.msg
  DisplayChdir   .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
# (the DenyAll and the two closing tags above were cut off in the pasted copy;
# without them the directives below would sit inside the <Limit> section)

# Virtual users live in these files rather than in the system passwd/group
AuthUserFile /usr/ramproftp/passwd
AuthGroupFile /usr/ramproftp/usergroup

RequireValidShell off

# Added for sftp: the whole server becomes an SFTP server on port 2222
SFTPEngine         on

Port               2222
SFTPLog            /var/log/proftpd/sftp.log
TransferLog        /var/log/proftpd/sftp-xferlog

# Host Keys
SFTPHostKey        /etc/ssh/ssh_host_rsa_key
SFTPHostKey        /etc/ssh/ssh_host_dsa_key

# Only key authentication is allowed; %u expands to the login name
SFTPAuthMethods publickey
SFTPAuthorizedUserKeys file:/usr/ramproftp/convertedkeys/%u
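As an added example (not from Gaurav's post or the ProFTPD project), a shell helper for the key step: mod_sftp's SFTPAuthorizedUserKeys file expects RFC 4716 format, so the one-line OpenSSH-style key PuTTYgen displays needs converting; this converts it with ssh-keygen (assumed installed), validates the result, and installs it under the name %u expands to.

```shell
#!/bin/sh
# Added example, not code from the thread. mod_sftp reads the file named by
# SFTPAuthorizedUserKeys as RFC 4716 (SSH2) public keys; the single-line
# "ssh-rsa AAAA..." text PuTTYgen shows for OpenSSH authorized_keys is not
# that format and fails key authentication. Assumes OpenSSH's ssh-keygen for
# the conversion; the directory is the one from the config above.

KEYDIR=/usr/ramproftp/convertedkeys

# Returns 0 if stdin is an RFC 4716 key: BEGIN/END markers with only
# "Name: value" headers and base64 lines between them (header continuation
# lines are not handled, which is enough for a single converted key).
is_rfc4716() {
    awk '
        NR == 1 && $0 != "---- BEGIN SSH2 PUBLIC KEY ----" { bad = 1; exit }
        /^---- END SSH2 PUBLIC KEY ----$/ { seen_end = 1; next }
        seen_end { bad = 1; exit }                     # nothing may follow END
        NR > 1 && !/^[A-Za-z0-9+\/=]+$/ && !/^[A-Za-z-]+: / { bad = 1; exit }
        END { exit (bad || !seen_end) ? 1 : 0 }'
}

# Converts an OpenSSH-format public key file to RFC 4716 and installs it under
# the login name, which is what %u expands to for a virtual user.
install_key() {
    user=$1; pubkey=$2; tmp=$KEYDIR/$user.tmp
    ssh-keygen -e -m RFC4716 -f "$pubkey" > "$tmp" || return 1
    is_rfc4716 < "$tmp" || { rm -f "$tmp"; echo "conversion produced a bad key" >&2; return 1; }
    chmod 644 "$tmp" && mv "$tmp" "$KEYDIR/$user"
}

# Usage (placeholders): install_key VIRTUALUSER /path/to/key.pub
# then retry the WinSCP login and read /var/log/proftpd/sftp.log for the verdict
```

The SFTPLog from the config is where mod_sftp records why a public-key attempt was refused, so check it after each retry rather than guessing.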

Jeremy Davis:

TKL appliances come with OpenSSH Server installed (which by default supplies SFTP over port 22 so no need to configure other software...
