[BlueOnyx:02110] Re: How to enable sftp without giving users full access to the system.

Michael Stauber mstauber at blueonyx.it
Fri Aug 14 06:10:54 -05 2009


Hi Sheldon,

>  I've done the YUM update and ProFTPd is now (Aug 13
> 12:42:03 Updated: proftpd-1.3.2a-1BX3.i386) 

Very well.

> however when I try to connect using FlashFXP or psftp I get:
>
> [SNIP]
> 
> [R] Connecting to x.x.32.20 -> IP=x.x.32.20 PORT=21
> [R] Connected to x.x.32.20
> [R] 220 FTP Server ready.
> [R] AUTH SSL
> [R] 234 AUTH SSL successful
> [R] Connected. Negotiating SSL session..
> [R] Connection failed (Connection lost)
>
> [SNIP]
>
> [R] Connecting to x.x.32.20 -> IP=x.x.32.20 PORT=21
> [R] Connected to x.x.32.20
> [R] 220 FTP Server ready.
> [R] AUTH TLS
> [R] 234 AUTH TLS successful
> [R] Connected. Negotiating TLSv1 session..
> [R] Connection failed (Connection lost)

Hmm ... I think I see what the problem is. For testing purposes go to your 
server's GUI and navigate to "Network Services" / "Email" and activate the 
"IMAPS" and "POPS" servers and save the changes. That will create the SSL 
certificates that our ProFTPd uses (yeah, it's sort of a workaround).

Then try your secure FTP session again. Please connect to the primary IP of 
the server - or to a site that runs on the primary IP of the server - because 
offhand I'm not sure if it will work with VirtualHosts that are running on 
IPs other than the primary one.

Perhaps this already sorts your problems.

If not, then you could also be running into a firewall issue.

Here is how my connection looks in FlashFXP:

[L] Connecting to XXX.com -> DNS=XXX.com IP=[HIDDEN] PORT=21
[L] Connected to XXX.com
[L] 220 FTP Server ready.
[L] AUTH SSL
[L] 234 AUTH SSL successful
[L] Connected. Negotiating SSL session..
[L] SSL negotiation successful...
[L] SSL encrypted session using cipher DHE-RSA-AES256-SHA (256 bits)
[L] PBSZ 0
[L] 200 PBSZ 0 successful
[L] USER [HIDDEN]
[L] 331 Password required for [HIDDEN]
[L] PASS (hidden)
[L] 230 User [HIDDEN] logged in.
[L] SYST
[L] 215 UNIX Type: L8
[L] FEAT
[L] 211-Features:
[L]  MDTM
[L]  MFMT
[L]  AUTH TLS
[L]  MFF modify;UNIX.group;UNIX.mode;
[L]  MLST 
modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
[L]  PBSZ
[L]  PROT
[L]  REST STREAM
[L]  SIZE
[L] 211 End
[L] PWD
[L] 257 "/.users/2/[HIDDEN]" is the current directory
[L] TYPE A
[L] 200 Type set to A
[L] PROT P
[L] 200 Protection set to Private
[L] PASV
[L] 227 Entering Passive Mode ([HIDDEN]).
[L] Opening data connection IP: [HIDDEN] PORT: 56279
[L] LIST -al
[L] Connected. Negotiating SSL session..
[L] 150 Opening ASCII mode data connection for file list
[L] SSL negotiation successful...
[L] SSL encrypted session using cipher DHE-RSA-AES256-SHA (256 bits)
[L] 226 Transfer complete
[L] List Complete: 889 bytes in 1,22 second (0,7 KB/s)

At that point I'm logged in and able to see the directory listing.

As for the firewall issue mentioned earlier: FTP'ing through a firewall is 
always a bit problematic. Most firewalls have provisions to deal with FTP 
connections in one way or another. There is an active and a passive FTP mode, 
and you have the auth part and the data part of the FTP(S) connection.

The authentication always happens against port 21 on the server. As you can 
see in the above output:

[L] Connecting to XXX.com -> DNS=XXX.com IP=[HIDDEN] PORT=21

But after the auth part, FTP goes into passive mode and establishes a 
high-port connection. Which port is used for that is (more or less) random:

[L] 227 Entering Passive Mode ([HIDDEN]).
[L] Opening data connection IP: [HIDDEN] PORT: 56279

In this example it's 56279. 

In our /etc/proftpd.conf on BlueOnyx we have this section, which is relevant 
to that:

<Global>
  AllowOverwrite                yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
# Restrict the range of ports from which the server will select when sent the
# PASV command from a client. Use IANA-registered ephemeral port range of
# 49152-65534
PassivePorts 49152 65534
</Global>

So for the data part our ProFTPd will use ports ranging from 49152 to 65534.

If you have a firewall on your BlueOnyx (or in front of it), then you need to 
make sure that the port range 49152-65534 is open. Otherwise both normal and 
secure FTP will have issues with passive FTP.

Of course you can adjust the port range. 49152-65534 is fairly wide, but it's 
the default range set aside for this. If you want it to be smaller, simply 
adjust the range in /etc/proftpd.conf to ... say ... 49152-50000 and make 
sure to have the same port range open in your firewall, too.

-- 
With best regards

Michael Stauber
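As an added example (not part of the post above and not BlueOnyx code), the following Python script ties the two halves of the passive-mode advice together: it reads the PassivePorts directive out of a proftpd.conf fragment, decodes a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply the way an FTP client does (port = p1*256 + p2), and reports whether the advertised data port falls inside the range the firewall is expected to allow. The conf fragment and the 227 reply embedded in it are constructed for the example (192.0.2.20 is a documentation address; 56279 is the port from the listing above), and the host/user/password arguments taken by the optional live check are placeholders.

```python
"""Check ProFTPd passive-mode settings against a firewall port range.

Added example, not from the original post or from BlueOnyx. The conf text
and the 227 reply below are constructed; host/user/password are placeholders.
"""
import re
import sys
from ftplib import FTP_TLS

# Constructed conf fragment modelled on the <Global> section quoted in the post.
SAMPLE_CONF = """\
<Global>
  AllowOverwrite                yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
PassivePorts 49152 65534
</Global>
"""

# Constructed PASV reply: 219*256 + 215 = 56279, the data port seen in the post.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,20,219,215)."

_PASSIVE_PORTS = re.compile(r"^\s*PassivePorts\s+(\d+)\s+(\d+)\s*$", re.M)
_PASV_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_passive_ports(conf_text):
    """Return (low, high) from the PassivePorts directive, or None if absent.

    Raises ValueError for a range that neither ProFTPd nor a firewall could use.
    """
    m = _PASSIVE_PORTS.search(conf_text)
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    if not (1024 <= low <= high <= 65535):
        raise ValueError(f"unusable PassivePorts range {low}-{high}")
    return low, high


def parse_pasv(reply):
    """Decode an RFC 959 '227 ... (h1,h2,h3,h4,p1,p2)' reply into (ip, port)."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV success reply: {reply!r}")
    m = _PASV_TUPLE.search(reply)
    if not m:
        raise ValueError(f"no host/port tuple in reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"octet out of range in reply: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def port_in_range(port, low, high):
    return low <= port <= high


def iptables_rule(low, high):
    """iptables rule admitting the passive data ports on the server side."""
    return f"iptables -A INPUT -p tcp --dport {low}:{high} -j ACCEPT"


def check_pasv_against_conf(reply, conf_text):
    """Return (ip, port, ok); ok is True when the port lies in PassivePorts."""
    ip, port = parse_pasv(reply)
    rng = parse_passive_ports(conf_text)
    ok = rng is not None and port_in_range(port, *rng)
    return ip, port, ok


def live_check(host, user, password, low, high):
    """Connect with AUTH TLS, log in, request PASV, compare against the range.

    Needs network access; only called when run as a script with arguments.
    """
    ftps = FTP_TLS(host, timeout=30)
    ftps.auth()            # AUTH TLS on the control channel
    ftps.login(user, password)
    ftps.prot_p()          # PROT P: encrypt the data connections too
    ip, port = parse_pasv(ftps.sendcmd("PASV"))
    ftps.quit()
    return ip, port, port_in_range(port, low, high)


if __name__ == "__main__":
    low, high = parse_passive_ports(SAMPLE_CONF)
    ip, port, ok = check_pasv_against_conf(SAMPLE_PASV_REPLY, SAMPLE_CONF)
    print(f"PassivePorts {low}-{high}; server offered {ip}:{port}; in range: {ok}")
    print("firewall rule:", iptables_rule(low, high))
    if len(sys.argv) == 4:   # placeholders: python pasvcheck.py HOST USER PASSWORD
        print(live_check(sys.argv[1], sys.argv[2], sys.argv[3], low, high))
```

One reason a fixed PassivePorts range matters more for FTPS than for plain FTP: once AUTH TLS is in effect the control channel is encrypted, so a firewall's FTP connection-tracking helper can no longer read the 227 reply and open the data port on the fly. Opening the static range (the iptables rule the script prints, or its equivalent on the firewall in front of the server) is what makes the PROT P data connection succeed.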
