Re: SFTP question
You were right, SFTP, FileZilla and Proftp confused the hell out of me ... lol
... I must add in my defense though that I was in a state of panic after syslog
warned me of an attack by someone during the night via ssh ... So I frantically tried to
make ssh and Proftp work together without reading the online guides properly ...
Sometimes one does stupid things ... lol ...
Thanks for everyone's input ...
On Dec 23 2014, Bob Proulx wrote:
> To: email@example.com
> Date: Tue, 23 Dec 2014 15:49:34 -0700
> From: Bob Proulx <firstname.lastname@example.org>
> Subject: Re: SFTP question
> Danny wrote:
> > I am trying to set up SFTP (ssh) with ProFTP.
> It looks to me like you might be confusing ssh sftp with proftpd sftp.
> I assume you are not using ftps.
> > My /etc/proftpd/conf.d/sftpd.conf looks like this:
> > <IfModule mod_sftp.c>
> > SFTPEngine on
> > Port 7003
> > SFTPLog /var/log/proftpd/sftp.log
> > # Configure both the RSA and DSA host keys, using the same host key
> > # files that OpenSSH uses.
> > SFTPHostKey /etc/ssh/ssh_host_rsa_key
> > SFTPHostKey /etc/ssh/ssh_host_dsa_key
> > SFTPAuthMethods publickey
> > SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u
> > SFTPCompression delayed
> > </IfModule>
> Here you are using the ssh host keys for proftpd. I assume that is okay.
> > I added the following line in /etc/ssh/sshd_config:
> > Subsystem sftp /usr/lib/openssh/sftp-server
> This flew a red flag for me. If you are using proftpd for sftp then
> why does the above line in ssh matter? Secondly you say you added
> that line to the file and yet that file already contains that line
> when installed. This leads me to think that maybe you are confusing
> ssh sftp with proftpd sftp? Maybe?
> > I generated a key for each user that will use SFTP located in their
> > /home/USER/.ssh/ directory
> > As you can see, I have set up SFTP to listen on port 7003.
> Yes. What is your reasoning? It is okay whatever it is. I know very
> savvy people who like to have a non-standard port just to avoid the
> dictionary attacks causing endless noise in their log files. I on the
> other hand prefer to use fail2ban to watch over the logs and to ban
> abusive users.
> > My question is the following: The users that will connect to the ssh
> > server use FileZilla, mostly from Windows based machines. I
> > copied the "id_rsa" key files (which were generated on Debian) to the
> > Windows user's "My Documents" folder on Windows. I also added the
> > (copied) "id_rsa" files to FileZilla.
> I don't generally use MS-Windows so don't know how things work there
> but it sounds strange to me to need to have the private key in two
> different places. I expect there to be one exactly correct location
> to have the private key.
> > However, I get an "Authentication Failed" followed by a "Critical
> > Error: Could not connect to server" from FileZilla.
> What a useless error message! :-(
> If it were me I would turn on sshd debug and then connect to the ssh
> sftp and see what the server side of the connection reported. For
> example like this. Then connect to it using port 2222 and watch the
> server side of the messages. Very useful for debugging.
> # /usr/sbin/sshd -d -p 2222
> Since you are trying to set up proftpd instead I suggest looking in
> the /var/log/proftpd/sftp.log file and see what the server side errors
> were in the connection.
> > 1: Do I need to generate different keys on Windows or is it OK to
> > use the copied ones from Debian?
> > 2: Do I have to name the copied or generated files the same as the user?
> > 3: Where do I put the key files on Windows?
> These would be good questions for an MS-Windows user mailing list that
> deals with FileZilla.
> > (I use PuTTY to normally connect to my ssh servers, which works fine)
> But that would use putty+sshd not filezilla+proftpd, right? In which
> case it doesn't have any relationship to the problem you are trying to
> solve now.
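One server-side cause of a bare "Authentication Failed" with the config quoted above is worth checking before touching the Windows side: the per-user files named by SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u must hold public keys in RFC 4716 format, not the one-line OpenSSH format found in ~/.ssh/id_rsa.pub (ssh-keygen -e does the conversion). The following is an added example, not code from either poster or from the ProFTPD project; it tells the two formats apart, checks that the base64 blob really begins with the declared key type, and rewrites an OpenSSH line as an RFC 4716 block. The sample key is a constructed blob with the right wire layout, not a usable RSA key.

```python
import base64
import struct

# Constructed sample: a minimal blob whose wire format starts with the
# length-prefixed key type, as real OpenSSH keys do (not a usable RSA key).
def _make_blob(key_type: str) -> bytes:
    body = struct.pack(">I", len(key_type)) + key_type.encode()
    body += struct.pack(">I", 3) + b"\x01\x00\x01"                  # exponent mpint
    body += struct.pack(">I", 16) + b"\x00" + bytes(range(1, 16))   # modulus-like mpint
    return body

SAMPLE_OPENSSH = "ssh-rsa " + base64.b64encode(_make_blob("ssh-rsa")).decode() + " danny@debian"

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def detect_format(text: str) -> str:
    """Return 'rfc4716', 'openssh' or 'unknown' for the contents of a key file."""
    stripped = text.strip()
    if stripped.startswith(BEGIN) and stripped.endswith(END):
        return "rfc4716"
    fields = stripped.split()
    if len(fields) >= 2 and fields[0].startswith(("ssh-", "ecdsa-")):
        return "openssh"
    return "unknown"

def key_type_matches(key_type: str, b64: str) -> bool:
    """The blob of an SSH public key begins with a length-prefixed copy of the
    key type string; verify it agrees with the declared type."""
    try:
        blob = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        return blob[4:4 + n].decode() == key_type
    except (ValueError, struct.error, UnicodeDecodeError):
        return False

def openssh_to_rfc4716(line: str) -> str:
    """Rewrite one OpenSSH 'type base64 [comment]' line as an RFC 4716 block,
    the format mod_sftp expects in an SFTPAuthorizedUserKeys file."""
    fields = line.split(None, 2)
    if len(fields) < 2 or not key_type_matches(fields[0], fields[1]):
        raise ValueError("not a well-formed OpenSSH public key line")
    out = [BEGIN]
    if len(fields) == 3 and fields[2].strip():
        out.append('Comment: "%s"' % fields[2].strip())
    b64 = fields[1]
    out.extend(b64[i:i + 72] for i in range(0, len(b64), 72))  # RFC 4716: lines <= 72 chars
    out.append(END)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(detect_format(SAMPLE_OPENSSH), "->", openssh_to_rfc4716(SAMPLE_OPENSSH), sep="\n")
```

Run it against each file under /etc/proftpd/authorized_keys/ and anything reported as "openssh" explains a publickey failure in /var/log/proftpd/sftp.log without ever involving the client.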