SFTP versus FTPS
There is a great deal of confusion and misunderstanding surrounding two very different protocols: SFTP and FTPS.

FTPS stands for "FTP over SSL/TLS". It is the existing FTP protocol, made to run over an SSL/TLS connection; in this manner, it is very similar to HTTPS (HTTP over SSL/TLS). In fact, that is where the name "FTPS" comes from. The mod_tls module for ProFTPD implements FTPS. Since FTPS is still FTP, any FTPS sessions require multiple TCP connections: one TCP connection for the FTP control channel, and separate TCP connections for each FTP data channel. The need for these multiple connections is undesirable for many network administrators, especially those that wish to restrict all protocols to a single TCP connection which can be passed through firewalls/NAT/router equipment. The network equipment, now, often inspects the application-level data in FTP packets in order to dynamically open the necessary firewall rules for the FTP data channels. However, FTPS encrypts those packets, and thus the network firewall must resort to using a statically configured range of ports, or not allow FTPS. There is a third solution: the CCC FTP command, which clears the FTP control channel of encryption, once the user has authenticated. Unfortunately, support for the CCC command is not widespread among FTPS clients and servers; the mod_tls module does support the CCC command.

By contrast, SFTP refers to "Secure File Transfer Protocol", and is not related to FTP in any way. SFTP is based on the SSH2 protocol, which uses binary encoding of messages over a secure channel. Unlike FTP, SSH2 only uses a single TCP connection, and multiplexes multiple transfers or "channels" over that single connection. For this reason, many sites prefer SFTP to FTPS for secure transfer of data.

SSH2 RFCs and SFTP Drafts
For those wishing to learn more about the SSH2 and SFTP protocols, see:

• SSH Assigned Numbers (RFC 4250)
• SSH Architecture (RFC 4251)
• SSH Authentication (RFC 4252)
• SSH Transport Layer (RFC 4253)
• SSH Connection (RFC 4254)
• SSH Keyboard-Interactive Authentication (RFC 4256)
• SSH Channel "Break" Extension (RFC 4335)
• SSH Transport Encryption Modes (RFC 4344)
• SSH Improved Arcfour Modes (RFC 4345)
• SSH Diffie-Hellman Group Exchange Protocol (RFC 4419)
• SSH RSA Key Exchange Protocol (RFC 4432)
• SSH Public Key File Format (RFC 4716)
• SFTP Draft
• SFTP Extensions Draft
• SSH Elliptic Curve Algorithms (RFC 5656)
• SSH SHA-2 HMACs (RFC 6668)
• SSH Increased Minimum DH Group Size (RFC 8270)
• SSH Extension Negotiation (RFC 8308)
• Use of RSA Keys with SHA-256 and SHA-512 in the SSH Protocol (RFC 8332)
• SSH Key Exchange Method Using Curve25519 and Curve448 (RFC 8731)

The mod_sftp module for ProFTPD
The mod_sftp module implements the SSH2 protocol and its SFTP subsystem, for secure file transfer over an SSH2 connection. The mod_sftp module supports:

• Public key authentication
• Password authentication (e.g. user authentication via mod_sql, mod_ldap, mod_auth_file, mod_auth_unix, mod_auth_pam)
• SCP support
• Quotas (via the mod_quotatab module)
• FIPS support (see Usage section)
• Throttled transfers (via TransferRate, and/or the mod_shaper module)
• Blacklisted public keys
• Configurable traffic analysis protection
• Passphrase-protected host keys
• SFTP extensions: check-file, copy-file, vendor-id, version-select, posix-rename@openssh.com, statvfs@openssh.com, fstatvfs@openssh.com, hardlink@openssh.com

The mod_sftp module does not currently support:

• <Anonymous>
• ListOptions
• MaxRetrieveFileSize

The mod_sftp module is contained in the mod_sftp/ directory, is intended for ProFTPD 1.3.3rc1 and later, and is not compiled by default. Installation instructions are discussed here.

The most current version of mod_sftp is distributed with the ProFTPD source code.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

Author

Please contact TJ Saunders <tj at castaglia.org> with any questions, concerns, or suggestions regarding this module.

Directives

• SFTPAcceptEnv
• SFTPAuthMethods
• SFTPAuthorizedHostKeys
• SFTPAuthorizedUserKeys
• SFTPCiphers
• SFTPClientAlive
• SFTPClientMatch
• SFTPCompression
• SFTPCryptoDevice
• SFTPDHParamFile
• SFTPDigests
• SFTPDisplayBanner
• SFTPEngine
• SFTPExtensions
• SFTPHostKey
• SFTPHostKeys
• SFTPKeyBlacklist
• SFTPKeyExchanges
• SFTPKeyLimits
• SFTPLog
• SFTPMaxChannels
• SFTPOptions
• SFTPPassPhraseProvider
• SFTPRekey
• SFTPTrafficPolicy

SFTPAcceptEnv

The SFTPAcceptEnv directive specifies which environment variables sent by the client, if any, will be used in the session environment. Environment variables are specified by name, and may contain the '*' and '?' wildcard characters. Multiple environment variables may be configured, either separated by whitespace or spread across multiple SFTPAcceptEnv directives.

Be warned that some environment variables may have special meaning to underlying libraries; care should be taken in the use of this directive.

SFTPAuthMethods

The SFTPAuthMethods directive configures the list of available authentication methods presented to connecting clients. The list of currently supported methods is:

• hostbased
• keyboard-interactive
• password
• publickey

  # Offer publickey and keyboard-interactive authentication only
  SFTPAuthMethods publickey keyboard-interactive

The hostbased authentication method is only offered to clients if the SFTPAuthorizedHostKeys directive is configured.

The publickey authentication method is only offered to clients if the SFTPAuthorizedUserKeys directive is configured.

The keyboard-interactive authentication method is only offered to clients if the mod_sftp_pam or mod_auth_otp module is present.

As of proftpd-1.3.6rc2 and later, you can use the SFTPAuthMethods directive to configure chains of methods. An authentication chain is a list of authentication methods, all of which must succeed in order for login to succeed. For example, using:

  # Require both publickey and password authentication
  SFTPAuthMethods publickey+password

  # Require both publickey and password authentication, in any order
  SFTPAuthMethods publickey+password password+publickey

You can even require that multiple different keys be used (e.g. a RSA and a DSA public key, or multiple different RSA/DSA keys) using:

  # Require different keys for publickey authentication
  SFTPAuthMethods publickey+publickey

SFTPAuthorizedHostKeys

The SFTPAuthorizedHostKeys directive configures the file that mod_sftp will use during the handling of hostbased authentication of users. The configured file may contain several public keys in RFC4716 format, in no particular order.

Note that a SFTPAuthorizedHostKeys directive is required for mod_sftp to handle sessions which want to use hostbased authentication properly.

Note: In order to use OpenSSH public keys in a SFTPAuthorizedHostKeys, you must convert them to the RFC4716 format (see the Usage section). This is done using OpenSSH's ssh-keygen tool:

  $ ssh-keygen -e -f /path/to/file

SFTPAuthorizedUserKeys

The SFTPAuthorizedUserKeys directive configures the file that mod_sftp will use during the handling of publickey authentication of users. The configured file may contain several public keys in RFC4716 format, in no particular order.

Example:

  SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys

Note: In order to use OpenSSH public keys in a SFTPAuthorizedUserKeys, you must convert them to the RFC4716 format (see the Usage section). This is done using OpenSSH's ssh-keygen tool:

  $ ssh-keygen -e -f ~/.ssh/id_rsa.pub

The configured path for a file containing authorized keys can use the %u variable, which will be interpolated with the name of the user being authenticated. This feature supports having per-user files of authorized keys that reside in a central location, rather than requiring (or allowing) users to manage their own authorized keys. For example:

  SFTPAuthorizedUserKeys file:/etc/sftp/authorized_keys/%u

SFTPCiphers

The SFTPCiphers directive is used to specify the list of cipher algorithms that mod_sftp should use. The current list of supported cipher algorithms is, in the default order of preference:

• aes256-ctr
• aes192-ctr
• aes128-ctr
• aes256-gcm@openssh.com
• aes128-gcm@openssh.com
• aes256-cbc
• aes192-cbc
• aes128-cbc
• cast128-cbc
• 3des-ctr
• 3des-cbc

In ProFTPD 1.3.7rc1 and later, the following list of algorithms are supported, but not presented to clients by default. These algorithms must be explicitly configured via SFTPCiphers to be available for use by clients:

• blowfish-ctr
• blowfish-cbc
• arcfour256
• arcfour128

The "none" cipher (i.e. no encryption) will not be presented to the client by default; any sites which wish to use "none" will have to explicitly configure it via SFTPCiphers.

Note that CTR mode ciphers (e.g. the aes128-ctr, aes192-ctr, and aes256-ctr ciphers) are recommended. Any CBC mode cipher allows for the possibility of an attack which causes several bits of plaintext to be leaked; the attack is described here. This attack is on the SSH2 protocol design itself; any SSH2 implementation which conforms to the RFCs will have this weakness.

In general, there is no need to use this directive unless only one specific cipher must be used.

For comparison, the cipher algorithms used by OpenSSH by default are:

• aes128-cbc
• 3des-cbc
• blowfish-cbc
• cast128-cbc
• arcfour128
• arcfour256
• aes192-cbc
• aes256-cbc
• aes128-ctr
• aes192-ctr
• aes256-ctr
• aes128-gcm@openssh.com
• aes256-gcm@openssh.com

  # Make mod_sftp present the same ciphers as OpenSSH
  SFTPCiphers aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 \
              arcfour256 aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr \
              aes128-gcm@openssh.com aes256-gcm@openssh.com

SFTPClientAlive

The SFTPClientAlive directive configured mod_sftp to send messages to a client, through the encrypted channel, to request a response from the client. If count client alive messages are sent without receiving any response messages from the client, the client will be disconnected. The interval indicates how much time, in seconds, that mod_sftp waits for data from the client before sending a client alive message.

For example, using:

  SFTPClientAlive 3 15

SFTPClientMatch

The SFTPClientMatch directive is used to tune some of the SSH2/SFTP values based on the connecting client, for better interoperability with those clients. The pattern parameter specifies a POSIX regular expression which will be matched against the connecting client's SSH version banner. If the client's banner version matches pattern, then the configured keys/values are used for that session.

The currently supported SSH2/SFTP keys which can be tuned via SFTPClientMatch are:

• channelPacketSize
  The value for this key can be a number, with an optional "KB" (kilobytes) suffix.

  The default mod_sftp channel packet size is 32KB.

• channelWindowSize
  The value for this key can be a number, with an optional "GB" (gigabytes), "MB" (megabytes), or "KB" (kilobytes) suffix.

  The default mod_sftp channel window size is 4GB. Using smaller window sizes may be necessary for some clients; larger window sizes can help reduce latency for bulk data transfers.

• sftpCiphers
  The value for this key should be a comma-separated list of cipher algorithms, as for the SFTPDigests directive. Use of this key automatically enables the PessimisticKexinit SFTPOption as well.

  Note that this option first appeared in proftpd-1.3.8rc4.

• sftpHostKeys
  The value for this key should be a comma-separated list of host key algorithms, as for the SFTPKeyExchanges directive. Use of this key automatically enables the PessimisticKexinit SFTPOption as well.

  Note that this option first appeared in proftpd-1.3.8rc4.

• sftpProtocolVersion
  The value for this key can be a specific version number, e.g. "3", or it can be a range such as "1-3". The mod_sftp module supports SFTP protocol versions 1-6; using any other protocol versions will result in bad configuration.
• sftpUTF8ProtocolVersion
  The value for this key is a specific version number, e.g. "3". The mod_sftp module uses UTF8 encoding for handling paths/strings in SFTP messages for protocol version 4 and above by default; this key can be used to change the protocol versions for which UTF8 encoding is used.

  For example, if you set:

      SFTPClientMatch .* sftpUTF8ProtocolVersion 1
  

  then mod_sftp will try to use UTF8 for all SFTP protocol versions, all clients.

  Note: the sftpUTF8ProtocolVersion key requires NLS support (i.e. the --enable-nls configure option).

For example, to make mod_sftp only allow SFTP protocol version 3 to WinSCP clients, you would use:

  SFTPClientMatch ".*WinSCP.*" sftpProtocolVersion 3

  SFTPClientMatch "^OpenSSH_3\\.*" channelWindowSize 8MB

SFTPCompression

The SFTPCompression directive enables the use of zlib compression of the payload of SSH2 packets. This can make for smaller packets, but require more CPU time to compress/uncompress the data.

The delayed parameter tells mod_sftp to support a custom extension used by OpenSSH, where compression is not actually enabled until after the client has successfully authenticated.

SFTPCryptoDevice

The SFTPCryptoDevice directive is used to configure mod_sftp to use an OpenSSL "engine", a cryptographic module that OpenSSL library can use for accelerated cryptographic support, or HSM keys, etc.

To use all of the engines compiled into OpenSSL, use:

  SFTPCryptoDevice all

  SFTPCryptoDevice chil

The OpenSSL command

  openssl engine

SFTPDHParamFile

The SFTPDHParamFile directive is used to configure the path to a file containing pre-computed Diffie-Hellman (DH) group parameters. These parameters will be used by mod_sftp when handling the Diffie-Hellman group exchange (see RFC 4419) portion of the key exchange.

The SFTPDHParamFile is produced using OpenSSL, which uses PEM encodings of PKCS#3 DHparam structures. It is similar in nature to OpenSSH's moduli(5) file.

The mod_sftp source code comes with a dhparams.pem file which should be sufficient. If for any reason you find that you need to generate your own SFTPDHParamFile, use one of the following OpenSSL commands to create this file:

  # openssl dhparam -outform PEM -2 nbits >> dhparams.pem
  # openssl dhparam -outform PEM -5 nbits >> dhparams.pem

SFTPDigests

The SFTPDigests directive is used to specify the list of MAC digest algorithms that mod_sftp should use. The current list of supported MAC algorithms is:

• hmac-sha2-256
• hmac-sha2-256-etm@openssh.com
• hmac-sha2-512
• hmac-sha2-512-etm@openssh.com
• hmac-sha1
• hmac-sha1-etm@openssh.com
• hmac-sha1-96
• hmac-sha1-96-etm@openssh.com
• umac-64@openssh.com
• umac-64-etm@openssh.com
• umac-128@openssh.com
• umac-128-etm@openssh.com

The following list of algorithms are supported, but not presented to clients by default. These algorithms must be explicitly configured via SFTPDigests to be available for use by clients:

• hmac-md5
• hmac-md5-etm@openssh.com
• hmac-md5-96
• hmac-ripemd160

The "none" MAC (i.e. no MAC) will not be presented to the client by default; any sites which wish to use "none" will have to explicitly configure it via SFTPDigests.

In general, there is no need to use this directive unless only one specific MAC algorithm must be used.

For comparison, the MAC algorithms used by OpenSSH (depending on the version) by default are:

• hmac-md5
• hmac-md5-etm@openssh.com
• hmac-sha1
• hmac-sha1-etm@openssh.com
• hmac-sha2-256
• hmac-sha2-256-etm@openssh.com
• hmac-sha2-512
• hmac-sha2-512-etm@openssh.com
• hmac-ripemd160
• hmac-sha1-96
• hmac-md5-96
• umac-64@openssh.com
• umac-64-etm@openssh.com
• umac-128@openssh.com
• umac-128-etm@openssh.com

  # Make mod_sftp present the MAC ciphers as OpenSSH
  SFTPDigests hmac-md5 hmac-sha1 hmac-sha2-256 hmac-sha2-512 \
    hmac-ripemd160 hmac-sha1-96 hmac-md5-96 umac-64@openssh.com \
    umac-128@openssh.com

SFTPDisplayBanner

The SFTPDisplayBanner directive is used to configure the path of a file which will be sent to the client prior to authentication. Such files are often used to sent terms of use or other such policy terms to connecting clients.

See the Display files howto for more information on the variables that can be used in an SFTPDisplayBanner file.

SFTPEngine

The SFTPEngine directive toggles the use of the SSH2/SFTP protocols engine (e.g. mod_sftp). This is usually used inside a <VirtualHost> section to enable SFTP sessions for a particular virtual host. By default mod_sftp is disabled for both the main server and all configured virtual hosts.

SFTPExtensions

The SFTPExtensions directive can be used to enable/disable support for the various SFTP extensions supported by mod_sftp. The extension names used for the SFTPExtensions directive are:

• checkFile
• copyFile
• fsync
• hardlink
• homeDirectory
• posixRename
• spaceAvailable
• statvfs
• vendorID
• versionSelect
• xattr

To enable an extension, preface the extension name with a '+' (plus) character; to disable the extension, use a '-' (minus) character prefix. For example:

  # Allow the copy-file extension, but not version-select
  SFTPExtensions +copyFile -versionSelect

SFTPHostKey

The SFTPHostKey directive configures the path to a host key file. The mod_sftp module uses the keys thus configured as part of the SSH2 key exchange process.

Note that the SFTPHostKey directive is required. You can use either an RSA key, a DSA key, and/or ECDSA keys. These should be the exact same host key files as used by your SSH2 server, e.g.:

  SFTPHostKey /etc/ssh_host_dsa_key
  SFTPHostKey /etc/ssh_host_rsa_key
  SFTPHostKey /etc/ssh_host_ecdsa_key
  SFTPHostKey /etc/ssh_host_ed25519_key

The SFTPHostKey directive, as of proftpd-1.3.5rc1 and later, can also be used to load host keys from an SSH agent such as OpenSSH's ssh-agent. For example:

  # Load all of the keys from the ssh-agent configured for server use
  SFTPHostKey agent:%{env:SSH_AUTH_SOCK}

The SFTPHostKey directive, as of proftpd-1.3.6rc1 and later, can be used to disable host keys configured via <Global>. For example, if you have a global RSA key that you wish to disable in all vhosts, you might use the "NoRSA" flag, e.g.:

  <Global>
    SFTPHostKey /path/to/ssh_rsa_host_key
    ...
  </Global>

  <VirtualHost a.b.c.d>
    ...
    # Configure our per-vhost DSA host key
    SFTPHostKey /path/to/ssh_dsa_host_key

    # ...and disable the global RSA host key
    SFTPHostKey NoRSA
    ...
  </VirtualHost>

OpenSSH started using an OpenSSH-specific private key format in version 7.8. ProFTPD did not support reading this OpenSSH-specific format until 1.3.7. Thus if you need to use SSH hostkeys in the OpenSSH-specific private key format with ProFTPD prior to 1.3.7, you will need to convert those private keys to the more conventional PEM format that mod_sftp supported. If your SFTPHostKey file starts with:

-----BEGIN OPENSSH PRIVATE KEY-----

$ cp /etc/ssh/ssh_host_rsa_key /etc/proftpd/ssh_host_rsa_key
$ ssh-keygen -p -f /etc/proftpd/ssh_host_rsa_key -m PEM

$ ssh-keygen -e -f /etc/ssh/ssh_host_rsa_key -m PEM > /etc/proftpd/ssh_host_rsa_key

SFTPHostKeys

The SFTPHostKeys directive is used to specify the list of host key algorithms that mod_sftp should use. The current list of supported host key algorithms is:

• ssh-ed448
• ssh-ed25519
• ecdsa-sha2-nistp256
• ecdsa-sha2-nistp384
• ecdsa-sha2-nistp521
• rsa-sha2-512
• rsa-sha2-256
• ssh-rsa
• ssh-dss

In general, there is no need to use this directive unless specific host keys algorithm must be used (or avoided).

SFTPKeyBlacklist

The SFTPKeyBlacklist directive configures the path to a specially formatted dictionary of known weak public keys. This key blacklist, and the code for using it, was primarily developed by Dmitry V. Levin under sponsorship by CivicActions. For the original posting, and further information, see:

  http://www.openwall.com/lists/oss-security/2008/05/27/3

These known weak public keys arose because of a vulnerability in the OpenSSL packages distributed by Debian:

  http://www.debian.org/security/2008/dsa-1571

The mod_sftp source code comes with a blacklist.dat file which should be sufficient. If for any reason you find that you need to generate your own SFTPDKeyBlacklist, use the blacklist-encode program mentioned in the above URLs.

SFTPKeyExchanges

The SFTPKeyExchanges directive is used to specify the list of key exchange algorithms that mod_sftp should use. The current list of supported key exchange algorithms is:

• curve448-sha512
• curve25519-sha256
• ecdh-sha2-nistp521
• ecdh-sha2-nistp384
• ecdh-sha2-nistp256
• diffie-hellman-group18-sha512
• diffie-hellman-group16-sha512
• diffie-hellman-group14-sha256
• diffie-hellman-group-exchange-sha256
• diffie-hellman-group-exchange-sha1
• diffie-hellman-group14-sha1
• diffie-hellman-group1-sha1
• rsa1024-sha1

Note that the diffie-hellman-group1-sha1 key exchange algorithm uses a weak hardcoded Diffie-Hellman group, and thus is not enabled by default. To enable this key exchange algorithm, you must configure the SFTPKeyExchanges list to explicitly include this algorithm, or use the following in your configuration:

  SFTPOptions AllowWeakDH

Note that the curve448-sha512 key exchange algorithm requires an Ed448 SSH host key. To generate such a key, use:

  openssl genpkey -out /etc/ssh/ssh_host_ed448_key -algorithm ED448

In general, there is no need to use this directive unless only one specific key exchange algorithm must be used.

SFTPKeyLimits

The SFTPKeyLimits directive is used to configure limits on the sizes of keys (in terms of bits), both host keys and user keys. The currently supported limits are:

• MinimumDSASize
• MinimumECSize
• MinimumRSASize

Examples:

  # Require at least 1024-bit RSA keys; leave other default limits alone
  SFTPKeyLimits MinimumRSASize 1024

  # Require at least 256-bit EC keys, and remove other default limits
  SFTPKeyLimits MinimumECSize 256 MinimumDSASize 0 MinimumRSASize 0

SFTPLog

The SFTPLog directive is used to specify a log file for mod_sftp's reporting on a per-server basis. The file parameter given must be the full path to the file to use for logging.

Note that this path must not be to a world-writable directory and, unless AllowLogSymlinks is explicitly set to on (generally a bad idea), the path must not be a symbolic link.

SFTPMaxChannels

The SFTPMaxChannels directive is used to configure the maximum number of simultaneously open channels permitted for a client. The default value is 10.

A malicious client might try to abuse the server's resources by opening an large number of SSH2 channels and then not using them. Most well-behaved SSH2 clients only ever open one channel.

SFTPOptions

The SFTPOptions directive is used to configure various optional behavior of mod_sftp.

For example:

  SFTPOptions IgnoreSFTPUploadPerms IgnoreSCPUploadPerms PessimisticKexinit

The currently implemented options are:

• AllowInsecureLogin
  

  By default, mod_sftp will not allow password or keyboard-interactive authentication if either the 'none' cipher or MAC/digest is selected. (These must be explicitly allowed via SFTPCiphers and SFTPDigests as well.) However, some sites may deliberately wish to allow such logins, as for e.g. performance testing. To allow such logins/sessions, then, use this option.

  Note that this option first appeared in proftpd-1.3.5.

• AllowWeakDH
  

  The mod_sftp will not use Diffie-Hellman groups of less than 2048 bits, due to weaknesses that can downgrade the security of an SSH session. If for any reason your SFTP/SCP clients require smaller Diffie-Hellman groups, then use this option.

  Note that this option first appeared in proftpd-1.3.6rc1.

• IgnoreFIFOs

  By default, mod_sftp allows uploading and downloading of FIFOs, just as if they were regular files. However, in some cases this can lead to "hangs" on the SFTP/SCP client end, especially when the FIFO reader/writer processes are not running at the time. Thus to tell mod_sftp to ignore/reject requests to read from/write to FIFOs, for both SFTP and SCP, use this option.

  Note that this option first appeared in proftpd-1.3.6rc3.

• IgnoreSCPUploadPerms
  

  When an SCP client uploads a file, the desired permissions on the file are sent to the server as part of the upload. (This is different from FTP, which does not include the file permissions in an upload.) If you need more FTP-like functionality for any reason and wish to have mod_sftp silently ignore any permissions sent by the SCP client, use this option.

• IgnoreSCPUploadTimes
  

  Use this option to have mod_sftp silently ignore any timestamps sent by SCP clients as part of the upload.

  Note that this option first appeared in proftpd-1.3.5rc4.

• IgnoreSFTPSetExtendedAttributes
  

  Use this option to have mod_sftp silently ignore any extended attributes sent by SFTP clients via the SETSTAT or FSETSTAT SFTP requests.

  Note that this option first appeared in proftpd-1.3.6rc3.

• IgnoreSFTPSetOwners
  

  Use this option to have mod_sftp silently ignore any ownership changes sent by SFTP clients via the SETSTAT or FSETSTAT SFTP requests; these are equivalent to an FTP SITE CHGRP command.

  Note that this option first appeared in proftpd-1.3.5rc1.

• IgnoreSFTPSetPerms
  

  Use this option to have mod_sftp silently ignore any permissions sent by SFTP clients via the SETSTAT or FSETSTAT SFTP requests; these are equivalent to an FTP SITE CHMOD command.

  Note that this option first appeared in proftpd-1.3.4rc2.

• IgnoreSFTPSetTimes
  

  Use this option to have mod_sftp silently ignore any timestamps sent by SFTP clients via the SETSTAT or FSETSTAT SFTP requests; these are equivalent to an FTP SITE UTIMES command.

  Note that this option first appeared in proftpd-1.3.4rc4.

• IgnoreSFTPUploadExtendedAttributes
  

  When an SFTP client uploads a file or creates a directory, the desired extended attributes ("xattrs") on the path are sent to the server as part of the upload. (This is different from FTP, which does not include the file attributes in an upload.) If you need more FTP-like functionality for any reason and wish to have mod_sftp silently ignore any extended attributes sent by the SFTP client, use this option.

  Note that this option first appeared in proftpd-1.3.6rc3.

• IgnoreSFTPUploadPerms
  

  When an SFTP client uploads a file or creates a directory, the desired permissions on the path are sent to the server as part of the upload. (This is different from FTP, which does not include the file permissions in an upload.) If you need more FTP-like functionality for any reason and wish to have mod_sftp silently ignore any permissions sent by the SFTP client, use this option.

• IncludeSFTPTimes
  

  Some SFTP clients (e.g. the Rebex SFTP library) do not implement SFTP protocol versions 4+ well, and do not request the access/modify time attributes but expect/assume that those time attributes will be present in the STAT responses. Use this option to tell mod_sftp to always include the access and modify time attributes in STAT responses for clients using SFTP protocol version 4 and higher.

  Note that this option first appeared in proftpd-1.3.7rc1.

• InsecureHostKeyPerms
  

  When this option is used, mod_sftp will ignore insecure permissions (i.e. group- or world-readable) on SFTPHostKey files. This option should appear before any SFTPHostKey directives in the configuration, as hostkey permissions are checked at configuration parse time.

  Note that this option first appeared in proftpd-1.3.6rc1.

• MatchKeySubject
  

  When this option is used, if public key authentication is used, the mod_sftp module will check if the public key has a "Subject" header. If so, that the value of that header must match the name of the authenticating user/host.

  Note that this option first appeared in proftpd-1.3.4rc1.

• NoExtensionNegotiation
  

  By default, mod_sftp will offer/support the SSH extension negotiation, defined by RFC 8308. Use this option to disable support for extension negotiations.

  Note that this option first appeared in proftpd-1.3.7rc4.

• NoHostkeyRotation
  

  By default, mod_sftp will offer/support the OpenSSH hostkey rotation extensions, "hostkeys-00@openssh.com" and "hostkeys-prove-00@openssh.com". Use this option to disable support for these custom OpenSSH extensions.

  Note that this option first appeared in proftpd-1.3.8rc3.

• OldProtocolCompat
  

  Older clients identity their protocol versions as "1.99", rather than as "2.0". By default, mod_sftp will refuse to handle connections from such clients. To enable compatibility with these clients (which tend to be derived from ssh.com/Tectia code), use this option.

  Note that this option automatically enables the PessimisticKexinit SFTPOption as well.

  Note that this option first appeared in proftpd-1.3.4rc1.

• PessimisticKexinit
  

  As described here, the mod_sftp module tries to reduce the connection latency by optimistically sending the KEXINIT key exchange message. However, some SSH clients cannot handle this behavior. Use this option to disable the optimistic sending of the KEXINIT message.

  Note that this option first appeared in proftpd-1.3.4rc1.

SFTPPassPhraseProvider

The SFTPPassPhraseProvider directive is used to specify an external program which will be called, when mod_sftp starts up, for each encrypted host key file. The program will be invoked with two command-line arguments, passed on stdin to the program:

  servername:portnumber file

The intent is that this external program can perform any security checks necessary, to make sure that the system is not compromised by an attacker, and only when these checks pass successfully will the passphrase be provided. These security checks, and the way the passphrase is determined, can be as complex as you like.

Example:

  SFTPPassPhraseProvider /etc/ftpd/sftp/get-passphrase

SFTPRekey

The SFTPRekey directive configures the session rekey policy used by the mod_sftp module. When an SSH2 client connects, there is an initial exchange of hostkey, cipher, digest, and compression algorithms, followed by sharing of information which leads to the calculation of shared session keys. These keys are used in the various algorithms. The exchange of algorithms and calculation of new session keys can happen at any time during the SSH2 session; this is known as "rekeying".

By default, mod_sftp will only require rekeying when the packet sequence number (for sent or received SSH2 packets) reaches a rather high limit. The digest algorithm used, for example, might begin to leak cryptographically sensitive information if used for too many packets (see RFC 4344). Outside of these sequence number limits, however, mod_sftp will not attempt to initiate rekeying.

To prevent mod_sftp from attempting rekeying, use:

  SFTPRekey none

To require rekeying, simply use:

  SFTPRekey required

However, administrators wishing to use different rekey intervals or rekey byte limits can use the optional interval (in seconds) and bytes (in MB) parameters, e.g.:

  # Require rekeying after 30 minutes, or 4 GB
  SFTPRekey required 1800 4096

Finally, the paranoid administrator may wish to set a timeout, in seconds, in which a client must complete a session rekeying, otherwise the client will be disconnected. This would look like:

  # Require rekeying after 30 minutes, or 4 GB.  If the rekeying is not
  # completed within 5 minutes of a rekey request, disconnect the client.
  SFTPRekey required 1800 4096 300

SFTPTrafficPolicy

The SFTPTrafficPolicy directive is used to configure a measure of protection against traffic analysis attacks. Such attacks use the number of packets sent, the size of the packets, and the timing of the packets to try to gain information about the nature of the data being transmitted.

The SSH2 protocol includes a particular message, SSH_MSG_IGNORE, which all implementations (both clients and servers) must handle by dropping on the floor. Implementations, like mod_sftp, can use these messages to add random data to the session in the hopes of making such traffic analyses more difficult.

The SFTPTrafficPolicy directive supports the following range of policies; the chances columns list the probability that mod_sftp will send an SSH_MSG_IGNORE message.

The default SFTPTrafficPolicy setting is "none".

However, if a client negotiates the use of a CBC cipher, then a defensive traffic policy will automatically be used. RFC 4251, Section 9.3.1, specifically mentions the insertion of SSH_MSG_IGNORE messages as a way of mitigating the "Rogaway" attack on CBC ciphers. In order to disable this automatic mitigation behavior, you must explicitly configure a SFTPTrafficPolicy setting in your configuration, e.g.

  # Disable any automatic protection when CBC ciphers are used
  SFTPTrafficPolicy none

Installation

  $ ./configure --enable-openssl --with-modules=mod_sftp ...

  $ ./configure --enable-dso --enable-openssl --with-shared=mod_sftp ...

  $ make
  $ make install

  $ ./configure --enable-openssl --with-modules=mod_sftp ... \
    --with-includes=/path/to/libsodium/include \
    --with-libraries=/path/to/libsodium/lib

Usage

Access Controls for SFTP Requests
Some of the requests supported by SFTP have FTP command equivalents. Other requests in SFTP have no FTP command equivalent. This makes the use of <Limit> sections for access controls in mod_sftp a little interesting.

First, the familiar territory. The following shows the <Limit> sections for FTP commands (just as for normal FTP sessions) which are honored by mod_sftp:

• <Limit DELE>
  Applies to the REMOVE SFTP request
• <Limit MKD XMKD>
  Applies to the MKDIR SFTP request
• <Limit MLSD>
  Applies to the OPENDIR SFTP request
• <Limit LIST NLST>
  Applies to the READDIR SFTP request, resulting in an empty directory listing.
• <Limit RETR>
  Applies to the READ SFTP request
• <Limit RNFR RNTO>
  Applies to the RENAME SFTP request
• <Limit RMD XRMD>
  Applies to the RMDIR SFTP request
• <Limit STOR>
  Applies to the WRITE SFTP request
• <Limit SITE_CHGRP>
  Applies to the SETSTAT and FSETSTAT SFTP requests when they change file ownership
• <Limit SITE_CHMOD>
  Applies to the SETSTAT and FSETSTAT SFTP requests when they change file permissions

For those SFTP requests which have no direct FTP equivalents elsewhere in proftpd, the mod_sftp module supports some slightly different <Limit> sections. Note that the following does not apply to FTP sessions, nor does it imply that FTP supports these commands:

• <Limit FSTAT>
  Applies to the FSTAT SFTP request
• <Limit LSTAT>
  Applies to the LSTAT SFTP request
• <Limit LOCK>
  Applies to the LOCK and UNLOCK SFTP requests
• <Limit OPEN>
  Applies to the OPEN SFTP request
• <Limit READLINK>
  Applies to the READLINK SFTP request
• <Limit SETSTAT>
  Applies to the FSETSTAT and SETSTAT SFTP requests
• <Limit STAT>
  Applies to the STAT SFTP request
• <Limit SYMLINK>
  Applies to the LINK and SYMLINK SFTP requests

What about the READ and WRITE command groups?

• <Limit READ>
  Applies to the SYMLINK and READ SFTP requests
• <Limit WRITE>
  Applies to the LOCK, SETSTAT, SYMLINK, and WRITE SFTP requests

Environment Variables
The mod_sftp module will set the following environment variables whenever an SSH2 client connects:

• SFTP
• SFTP_LIBRARY_VERSION
• SSH_CONNECTION

SSH2 Public Key Formats
SSH2 uses public keys for authentication and message protection. The very popular OpenSSH server uses a particular file format for storing public keys in files. However, that format is not portable; it uses a format very specific to OpenSSH. Thus the mod_sftp module uses a different format for public keys, specifically, the format specified in RFC 4716. The hope is that this format is more interoperable with other SSH2/SFTP implementations.

This means that if you wish to use your OpenSSH public keys with the mod_sftp module, you will need to convert them from OpenSSH's format to the RFC4716 format. Fortunately, this is supported by OpenSSH's ssh-keygen utility, e.g.:

  $ ssh-keygen -e -f ~/.ssh/id_rsa.pub

Note that the RFC4716 format is not to be used with the SFTPHostKey directive. Even though OpenSSH's host keys have ".pub" public equivalents, host keys are different from the per-user keys that are used for authentication.

Known Client Issues
The following lists some of the various client interoperability issues that have been encountered, and how to address them.

SSH Channel Window Sizes
Some SFTP client implementations do not support the large SSH channel window size that the mod_sftp module uses by default. These clients include:

• WS_FTP Pro
• OpenSSH 3.0 and older
• Axway

SSH Protocol Version
If you are using an old ssh.com client, or perhaps a client which derives from the ssh.com (or Tectia) code, you may see the following error in the SFTPLog when trying to connect to mod_sftp:

  Bad protocol version 'SSH-1.99-3.2.9.1 SSH Secure Shell (non-commercial)' from x.x.x.x

  # Support old ssh.com/Tectia clients
  SFTPOptions OldProtocolCompat

SFTP Protocol Versions
Some SFTP clients do not properly handle some of the newer SFTP protocol versions. These clients include:

• WinSCP
• CuteFTP

  # Only support SFTP protocol version 1 through 3 for WinSCP and CuteFTP
  SFTPClientMatch WinSCP|ClientSftp sftpProtocolVersion 1-3

KEXINIT Optimization
Some SFTP clients do not like this KEXINIT optimization that the mod_sftp module uses. These clients include:

• Net::SSH::Perl, Net::SFTP Perl modules
• edtFTPj

  # Disable the KEXINIT optimization at the cost of latency
  SFTPOptions PessimisticKexinit

Cipher Implementations
Some SFTP clients (most notably the SecureBlackBox libraries) do not implement the blowfish-ctr cipher correctly. If your site needs to support such clients, then you will need to use the SFTPCiphers directive to configure a list of ciphers which does not include blowfish-ctr. Clients with this bug will show up in the SFTPLog with this log message:

  client sent buggy/malicious packet payload length, ignoring

Recommended SFTPClientMatch Settings
Based on the above client issues, the following is the recommended list of configurations -- contributed by the ProFTPD community -- to use as workarounds for all of the clients' known issues:

<IfModule mod_sftp.c>
  <Global>
    # The default values used by mod_sftp are:
    #   channelPacketSize 32KB
    #   channelWindowSize 4GB
    #   sftpProtocolVersion 1-6

    # Axway (SSH-2.0-XFB.Gateway Unix)
    SFTPClientMatch .*Axway channelWindowSize 1GB
    SFTPClientMatch ".*XFB.*" channelWindowSize 1GB

    # CoreFTP LE (free version 2.2)
    SFTPClientMatch CoreFTP channelWindowSize 1GB

    # CuteFTPPro8
    SFTPClientMatch ".*ClientSftp" sftpProtocolVersion 3

    # Network Automation (SSH-2.0-EldoS.SSHBlackbox.3)
    # http://www.networkautomation.com/
    SFTPClientMatch ".*EldoS.SSHBlackbox.3.*" channelWindowSize 1GB sftpProtocolVersion 3

    # GlobalScape FTP application (SSH2 client 'GSSFTP1.0') - (needs v2)
    # http://www.globalscape.com/downloads/
    # GoAnywhere (SSH-2.0-1.0)
    # http://www.goanywheremft.com/products
    SFTPClientMatch "1.0" channelWindowSize 1GB sftpProtocolVersion 2

    # JaSFtp (SSH-2.0-J2SSH_Maverick_1.2.10_Sterling Commerce)
    # http://www.hiteksoftware.com/jasf/
    SFTPClientMatch ".*J2SSH_Maverick.*" channelWindowSize 1GB

    # JSch - Java Secure Channel (SSH-2.0-JSCH-0.1.39)
    # http://www.jcraft.com/jsch/
    SFTPClientMatch "JSCH.*" channelWindowSize 1GB

    # Robo-FTP (SSH-2.0-WeOnlyDo)
    # http://www.robo-ftp.com/
    SFTPClientMatch ".*WeOnlyDo.*" channelWindowSize 1GB sftpProtocolVersion 3

    # SecureBlackbox (SSH-2.0-SecureBlackbox.7)
    # http://www.eldos.com/sbb/download-release.php
    SFTPClientMatch ".*SecureBlackbox.*" sftpProtocolVersion 3

    # SecureFX - SSH2 client 'SecureFX_2_2_5_225 SecureFX'
    # http://www.vandyke.com/products/securefx/
    SFTPClientMatch "SecureFX.*" sftpProtocolVersion 3

    # SSH-2.0-1.30
    SFTPClientMatch "1.30" channelPacketSize 16KB channelWindowSize 256MB

    # SSH-2.0-Sun_SSH_1.0.1
    SFTPClientMatch ".*Sun_SSH.*" channelWindowSize 1GB

    # SSH-2.0-SharpSSH-1.1.1.13-JSCH-0.1.28
    SFTPClientMatch ".*SharpSSH.*" channelWindowSize 256MB

    # WinSCP
    SFTPClientMatch ".*WinSCP.*" sftpProtocolVersion 3

    # WS_FTP
    SFTPClientMatch ".*WS_FTP.*" channelWindowSize 1GB

    # /n Software BizTalk SFTP Receive (SSH-2.0-IP*Works! SSH Client v8.0)
    # http://www.nsoftware.com/products/biztalk/adapters/sftp.aspx
    SFTPClientMatch ".*IP.Works.*" channelWindowSize 1GB
  </Global>
</IfModule>

FIPS Compliance
FIPS stands for "Federal Information Processing Standard", and refers to a series of information processing standards issued and used by the US government. When speaking of FIPS and cryptographic software, the pertinent standard in particular is FIPS-140.

How then would you build OpenSSL and mod_sftp, and use them such that mod_sftp would be FIPS-compliant? Using OpenSSL in FIPS mode requires quite a few steps. First, you would configure proftpd to use the mod_sftp module as normal, assuming your OpenSSL installation has been compiled with FIPS support:

  ./configure --enable-openssl --with-modules=mod_sftp ...

Compiling proftpd requires the following, for FIPS support to work properly:

  make CC=/path/to/openssl/bin/fipsld FIPSLD_CC=gcc

  - mod_sftp/0.0: unable to use FIPS mode: (unknown)
  - Fatal: unable to load module 'mod_sftp.c': Operation not permitted

Now, assuming you have compiled and installed your proftpd properly, e.g.:

  make CC=/path/to/openssl/bin/fipsld FIPSLD_CC=gcc
  make CC=/path/to/openssl/bin/fipsld FIPSLD_CC=gcc install

In order for FIPS mode to be effective, OpenSSL must be told to run in FIPS mode from the very beginning. The mod_sftp module initializes the OpenSSL library when the mod_sftp module is loaded, before the proftpd.conf file is parsed. Thus the requesting of FIPS mode cannot be done via a setting in proftpd.conf. (Annoying, I know.)

Instead, you must use the -D command-line parameter when starting proftpd (see the docs for the <IfDefine> and Define directives) to define a specific variable, which the mod_sftp module will look for. Specifically, you will need to start proftpd like thus:

  /path/to/proftpd -DSFTP_USE_FIPS ...

  - mod_sftp/0.0: FIPS mode enabled

When mod_sftp detects that OpenSSL has been configured for FIPS mode, it will refuse to advertise support for the following cipher algorithms:

• arcfour128
• arcfour256
• blowfish-cbc
• blowfish-ctr
• cast128-cbc

• hmac-md5
• hmac-md5-96
• hmac-ripemd160

For additional reading on OpenSSL and FIPS, see:

  http://www.openssl.org/docs/fips/SecurityPolicy-1.1.1.pdf
  http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf

Example Configuration
When using mod_sftp to handle SFTP connections, you will want to create a separate <VirtualHost> section for the mod_sftp configuration. SSH2 (and thus SFTP) requires a different port than FTP; in order to listen on different ports, proftpd requires different <VirtualHost> sections. You can have multiple <VirtualHost> sections for the same address (IP address or DNS name), just different Port directives.

  <IfModule mod_sftp.c>
    <VirtualHost a.b.c.d>
      SFTPEngine on
      SFTPLog /etc/proftpd/sftp/sftp.log

      # Configure the server to listen on the normal SSH2 port, port 22
      Port 22

      # Configure the RSA, DSA, and ECDSA host keys, using the same host key
      # files that OpenSSH uses. 
      SFTPHostKey /etc/ssh_host_rsa_key
      SFTPHostKey /etc/ssh_host_dsa_key
      SFTPHostKey /etc/ssh_host_ecdsa_key

      # Configure the file used for comparing authorized public keys of users.
      SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys

      # Enable compression
      SFTPCompression delayed

      # Allow the same number of authentication attempts as OpenSSH.
      #
      # It is recommended that you explicitly configure MaxLoginAttempts
      # for your SSH2/SFTP instance to be higher than the normal
      # MaxLoginAttempts value for FTP, as there are more ways to authenticate
      # using SSH2.
      MaxLoginAttempts 6

    </VirtualHost>
  </IfModule>

Logging
The mod_sftp module supports different forms of logging. The main module logging is done via the SFTPLog directive. For debugging purposes, the module also uses trace logging, via the module-specific log channels:

• ssh2
• sftp
• scp

  TraceLog /path/to/sftp-trace.log
  Trace scp:20 sftp:20 ssh2:20

Suggested Future Features
The following lists the features I hope to add to mod_sftp, according to need, demand, inclination, and time:

• Look up authorized public keys from LDAP directories
• Honor the MaxTransferPerHost, MaxTransfersPerUser, MaxRetrieveFileSize directives

Frequently Asked Questions

Question: When I telnet to port 22 of other SSH2 servers, I see the SSH2 version banner displayed, e.g.:

  # telnet example.com 22
  Trying 1.2.3.4...
  Connected to example.com.
  Escape character is '^]'.
  SSH-1.99-OpenSSH_5.1

 (1) client ------------ connect -------------> server
 (2) client <-------- version banner ---------- server
 (3) client --- client's first key exchange --> server
 (4) client <-- server's first key exchange --- server

 (1) client ------------ connect -------------> server
 (2) client <-- version banner/1st key exch---- server
 (3) client --- client's first key exchange --> server

  Performance Characteristics of Application-level Security Protocols

Question: My SSH2/SFTP client dies when trying to connect to mod_sftp. The login succeeds, but then the client is disconnected. The client logs show something like:

  ServerMaxPacket(32768) ServerWindow(-1) (from WS_FTP)

  debug1: channel 0: open confirm rwindow -1 rmax 32768 (from OpenSSH_3.0.2p1)

As another example, the WS_FTP Pro client has this same problem; in the client, you will see something like the following error:

  Started subsystem "sftp" on channel 0760a2ce
  error 84350000 initializing sftp protocol
  Sending channel close message for channel 0760a2ce
  SSH Transport closed.

There are two approaches for handling such cases. You can use the SFTPClientMatch directive to set a smaller channel window size for that particular client, e.g.:

  SFTPClientMatch ".*WS_FTP.*" channelWindowSize 256MB
  SFTPClientMatch ".*Axway" channelWindowSize 256MB

  SFTPClientMatch .* channelWindowSize 256MB

The larger the channel window size, the better. (Note that the SSH2 channel window size has absolutely no relation to the TCP window size.) The smaller this SSH2 channel window size, the more frequently the peer needs to send a "window size adjustment" SSH2 request (which entails its own TCP packet and ACK) in order to keep the window size open. The larger the channel window size, the fewer "window size adjustment" requests the peer has to send, and thus the fewer TCP packets/ACKs are needed. Since each TCP packet adds latency, the smaller channel window sizes can increase the latency for data transfers.

For this reason, my personal recommendation is to only set smaller channel window sizes for those SSH2/SFTP clients which need it; no need to incur the additional latency if the client supports the larger window sizes.

Question: Can I configure mod_sftp to be an OpenSSH subsystem, e.g. by using the following in my sshd_config file:

  Subsystem  sftp  /usr/local/sbin/proftpd

Question: How can I configure proftpd so that it can handle both FTP and SFTP at the same time?
Answer: The key to doing this is to create a <VirtualHost> section just for the mod_sftp configuration, listening on the address and port that you wish, e.g.:

  # The FTP configuration
  DefaultAddress a.b.c.d
  Port 21

  <IfModule mod_sftp.c>
    <VirtualHost a.b.c.d>
      # The SFTP configuration
      Port 22

      SFTPEngine on
      ...
    </VirtualHost>
  </IfModule>

Question: How can I configure proftpd so that it only accepts SFTP connections (via mod_sftp), and no FTP connections?
Answer: Use the following in your proftpd.conf:

  <Limit LOGIN>
    DenyAll
  </Limit>

  <VirtualHost a.b.c.d>
    <Limit LOGIN>
      AllowAll
    </Limit>

    SFTPEngine on
    ...
  </VirtualHost>

Question: I followed the instructions to convert my authorized keys from OpenSSH to RFC4716 format, yet I see the following error in my SFTPLog:

  mod_sftp/0.9.7[31050]: line too long (74) on line 1 of 'authorized_keys'

Chances are that the offending line in the RFC4716 key is a "Comment: " header that is too long. Simply delete that "Comment: " line; the mod_sftp ignores this header.

Question: I generated an SSH key using ssh-keygen, then added it to my authorized_keys file using:

  $ cat id_rsa.pub >> authorized_keys

  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN1tCK5uHUGl....

  ---- BEGIN SSH2 PUBLIC KEY ----
  AAAAB3NzaC1yc2EAAAADAQABAAABAQDN1tCK5uHUGlpxye+KEmB0EIr9zqvMmgyNdWvJBW
  ...
  PZ1+hOi5QECWQYD0BpiWvj
  ---- END SSH2 PUBLIC KEY ----

  $ ssh-keygen -e -f ~/.ssh/id_rsa.pub >> authorized_keys

Question: I'm using the MaxStoreFileSize directive in my mod_sftp configuration, but when I upload a file using e.g. OpenSSH's sftp client, I see the file uploaded past my configured limit. Is this a bug?
Answer: No. The mod_sftp module honors a configured MaxStoreFileSize limit properly. However, what you see in the SFTP client may not reflect this as you would expect. Some SFTP clients, like that from OpenSSH, will only reflect the failure after the entire file has been uploaded:

  sftp> put /path/to/file.dat
  Uploading /path/to/file.dat to /file.dat
  /path/to/file.dat                           100%  704KB 704.1KB/s   00:00
  Couldn't write to remote file "/file.dat": Failure

  mod_sftp/0.9.9[32297]: error writing 32768 bytes to '/file.dat': File too large (MaxStoreFileSize 204800 exceeded)
  mod_sftp/0.9.9[32297]: error writing 32768 bytes to '/file.dat': File too large (MaxStoreFileSize 204800 exceeded)

There is a discrepancy between what the client shows the user, and what the server is actually doing. The mod_sftp module, when handling SFTP uploads, checks the size of the file on disk, after receiving the buffer of data from the network, but before writing that data to disk. If the size of the file on disk exceeds the MaxStoreFileSize limit, then that SFTP WRITE request is denied.

Many SFTP clients will send multiple SFTP WRITE requests concurrently, optimistically hoping that they will succeed; this makes for faster SFTP uploads. This is why you might see multiple "File too large" messages logged by mod_sftp. And it also means that the client thinks it has sent more data to the server than has actually been written to disk.

Now, this may lead you to ask "Due to SFTP protocol itself, there is no way to control the file size uploaded by a client, right?" This is not quite correct.

There's no way for an SFTP server to control how much data the SFTP client will send. But there is a way to control how much data is written to disk by the SFTP server; that is what MaxStoreFileSize does. But this means that the SFTP client may report how much data it sent over the network, which is not the same as how much data was actually stored by the SFTP server. Believing what your client shows you, though, is always suspect, since what the client shows may not actually reflect the reality of things on the server side of things.

Question: Is it true that using CBC mode ciphers in SSH is insecure?
Answer: It is true that there are a couple of published theoretical attacks against the SSH protocol when CBC ciphers are used, including Rogaway, Wai, and Bellare (see RFC 4251, Section 9.3.1) and "Plaintext Recovery Attacks Against SSH" (CPNI-957037).

However, these attacks can be mitigated by countermeasures in the SSH implementation. The use of SSH_MSG_IGNORE messages for the Rogaway attack, and the delayed checking of packet length fields until the MAC check has passed (and then reading in a random amount of additional data from the network) to migitate CPNI-957037, are both implemented within the mod_sftp module as security measures.

Question: I am trying to use ListOptions to change what is displayed for files in my SFTP clients, but it is not working. Why?
Answer: Unlike FTP, in SFTP it is the client, not the server, which determines what to display to the end user. Thus the ListOptions directive is not honored by mod_sftp.

Question: If I use a configuration like this:

  <Directory /path/to/upload>
    <Limit WRITE>
      AllowAll
    </Limit>

    <Limit SITE_CHMOD>
      DenyAll
    </Limit>
  </Directory>

  SFTPOptions IgnoreSFTPUploadPerms

Question: I use UserOwner and GroupOwner in my mod_sftp configuration, but they are not being applied properly. Is this a bug?
Answer: No.

By default, the mod_sftp module drops root privileges as soon as it can, which is just after the user has been authenticated. Without root privileges, mod_sftp cannot change the ownership of files uploaded via SFTP/SCP as per UserOwner/GroupOwner settings.

In ProFTPD 1.3.4rc1, honoring of the UserOwner and GroupOwner directives was added to the mod_sftp module. However, you will also need to add the following to your mod_sftp configuration to make them work properly:

  RootRevoke off

In addition, if you are on a Linux machine, you may also need to disable the mod_cap module, as that can also restrict what can be done with root privileges:

  <IfModule mod_cap.c>
    CapabilitiesEngine off
  </IfModule>

Question: Why can't I use ssh to connect to my proftpd+mod_sftp server? When I try, I see:

  # ssh user@host
  Enter passphrase for key '/home/user/.ssh/id_rsa': 
  PTY allocation request failed on channel 0
  shell request failed on channel 0

Question: I am using DirFakeUser and DirFakeGroup in my mod_sftp configuration, but they do not work when I run the ls -lh command in the sftp command-line client. Is this a bug?

Answer: This is unfortunately an issue with OpenSSH's sftp command-line client.

The mod_sftp module always sends the same information for an SFTP directory listing, assuming SFTP protocol version 3 or lower (which is what OpenSSH uses); see here. The DirFakeUser and DirFakeGroup directives will affect the user/group names in that "longname" string, which is defined for the SSH_FXP_NAME packet described in draft-ietf-secsh-filexfer-02.

In looking at the OpenSSH 7.9p1 implementation, we can see the issue in its code. When ls -l is used, the sftp command-line client will display the "longname" sent by mod_sftp as-is. But when ls -lh is used, that -h flag causes sftp to ignore the "longname", and try to use only the UID/GID numeric values (which are not affected by the DirFakeUser/DirFakeGroup directives).

Question: When I try to start proftpd with mod_sftp configured to use my existing host key, it fails with one of the following error messages:

  error reading passphrase for SFTPHostKey 'hostkey': Invalid argument
  error reading passphrase for SFTPHostKey 'hostkey': (unknown)

  # grep BEGIN hostkey

  -----BEGIN RSA PRIVATE KEY-----
  -----BEGIN DSA PRIVATE KEY-----

  ---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----

  # ssh-keygen -i -f hostkey > /path/to/new-file

Question: When I start proftpd, I see warnings that look like this:

  - mod_sftp/0.9.7: compiled using OpenSSL version 'OpenSSL 0.9.8n 24 Mar 2010' headers, but linked to OpenSSL version 'OpenSSL 0.9.8q 2 Dec 2010' library

Question: When a client first connects to mod_sftp and starts the SSH handshake, the client sees that mod_sftp provides an SSH version identifier like "SSH-2.0-mod_sftp/0.9.8". Is there any way I can tell mod_sftp to hide/change that version?
Answer: Yes. As of proftpd-1.3.5rc1, the mod_sftp module will honor the ServerIdent directive.

For example, to see just "SSH-2.0-mod_sftp", without any mod_sftp version suffix, use the following within your mod_sftp <VirtualHost>:

  # Tell mod_sftp to not reveal its module version in the SSH version
  # identification
  ServerIdent off

  # Tell mod_sftp to advertise itself as an OpenSSH server
  ServerIdent on "OpenSSH_5.6p1"

Question: I notice that when I use some SFTP clients (e.g. DreamWeaver) with mod_sftp, the network performance is 5-6 times slower than with other SFTP clients. Using the same SFTP client against OpenSSH doesn't show the same slowdown. Network tools such as Wireshark show that mod_sftp is sending 2 TCP packets for each SFTP request, whereas OpenSSH only sends 1 TCP packet for each SFTP request. Why is mod_sftp so much slower than OpenSSH, but only for some SFTP clients?
Answer: Investigations into this mod_sftp behavior have shown it to be caused by the SFTPTrafficPolicy behavior, particularly when the SFTP client negotiates the use of a CBC cipher.

The recommended action to take is to disable the use of CBC ciphers, which will cause the SFTPTrafficPolicy mitigation to not go into effect, which keeps the number of SSH messages lower, thus improving network latency. Thus the change to make for your mod_sftp configuration is:

  # Remove the CBC ciphers from the ciphers we advertise
  SFTPCiphers aes256-ctr aes192-ctr aes128-ctr blowfish-ctr arcfour256 arcfour128 3des-ctr

Question: When I use mod_sftp and get a directory listing, I notice that the timestamps on the files are localised (e.g. are in French). When I use OpenSSH, the timestamps are always in English. How I get get mod_sftp to behave like OpenSSH, and not localise the timestamps?
Answer: This happens when your proftpd has been built with the --enable-nls configure option. To check, use `proftpd -V':

  ...
  Features:
    ...
    + NLS support
    ...

  Unsetenv LANG

Question: My SFTP client wants to use SFTP protocol version 6, but mod_sftp only accepts protocol version 3. These docs say that protocol versions 1-6 are supported. Is this a bug?
Answer: The most likely cause of this behavior is that your proftpd installation was not compiled with the --enable-nls configure option. The --enable-nls configure option is required to enable NLS support, which includes support for UTF8. SFTP protocol versions 4-6 require UTF8 support, which is why the --enable-nls configure option is needed.

Question: Why is my SFTPLog often spammed with lots of messages that look like:

  requested read offset (20480 bytes) greater than size of '/some/path/to.file' (20307 bytes)

Question: When I use my SFTP client, I see something like this when I try to connect to proftpd with mod_sftp:

  500 SSH-2.0-OPENSSH 6.2 not understood

Question: I try to connect to proftpd with mod_sftp and the connection fails with an error messages like "PTY allocation request failed on channel 0" or "Server refused to allocate pty". What is going wrong?
Answer: This error message happens when you try to connect to mod_sftp using an SSH client which wants a shell session, rather than an SFTP session or an SCP transfer. The mod_sftp module does not support shell sessions (unlike OpenSSH). In the SFTPLog, you would see such connection attempts logged like so:

  mod_sftp/0.9.9[6304]: unsupported 'pty-req' channel requested, ignoring
  mod_sftp/0.9.9[6304]: unsupported 'shell' channel requested, ignoring

Question: When I create a directory via SFTP, in a directory with the SGID bit set, the created directory does not have the SGID bit set as expected. How do I fix this?
Answer: Preserving the SGID bit for a created directory usually require root privs; the mod_sftp module automatically drops all root privs. So to get the directory SGID bit functionality, you will need to use the following in your mod_sftp <VirtualHost> section:

  RootRevoke off

Question: I see that Ed25519 SSH keys are supported as of ProFTPD 1.3.7rc3 (see Bug #4221), but when I try to use one with mod_sftp, my login fails. The SFTPLog shows this error; why?

  USER user1 (Login failed): unsupported public key algorithm 'ssh-ed25519' requested

Question: In my SFTP logs, I see these warnings:

  WARNING: unable to read SFTPDHParamFile 'path': Permission denied
  unable to open SFTPKeyBlacklist 'path': Permission denied

Question: I see that many sites are phasing out their use of the SHA-1 algorithm as it is felt to be unsafe. How can I configure mod_sftp to no longer use SHA-1?
Answer: The main uses of SHA-1 in mod_sftp are in the algorithms for MACs (the SFTPDigests directive) and key exchanges (the SFTPKeyExchanges directive).

For SFTPDigests, the algorithms that use SHA-1, and thus the ones to avoid are:

• hmac-sha1
• hmac-sha1-96
• hmac-md5
• hmac-md5-96

  SFTPDigests \
    umac-128@openssh.com \
    umac-64@openssh.com \
    hmac-sha2-256 \
    hmac-sha2-512

Similarly, for key exchanges, the algorithms to avoid because they use SHA-1 are:

• diffie-hellman-group-exchange-sha1
• diffie-hellman-group14-sha1
• diffie-hellman-group1-sha1
rsa1024-sha1

  SFTPKeyExchanges \
    curve448-sha512 \
    curve25519-sha256 \
    ecdh-sha2-nistp521 \
    ecdh-sha2-nistp384 \
    ecdh-sha2-nistp256 \
    diffie-hellman-group18-sha512 \
    diffie-hellman-group16-sha512 \
    diffie-hellman-group14-sha256 \
    diffie-hellman-group-exchange-sha256 \

Question: I am using ProFTPD 1.3.5, and I am unable to use mod_sftp. When I connect, I see these errors in my SFTPLog:

  2017-07-28 22:38:13,904 mod_sftp/0.9.9[24363]: error setting key/IV for aes256-ctr cipher for decryption:
    (1) error:0906D06C:PEM routines:PEM_read_bio:no start line
    (2) error:0607B083:digital envelope routines:EVP_CipherInit_ex:no cipher set

The OpenSSL APIs changed from OpenSSL 1.0.x to OpenSSL 1.1.x, requiring changes in the applications that use OpenSSL (see Bug#4240). To deal with this issue, then, you can hopefully upgrade to ProFTPD 1.3.6 or later, or downgrade your OpenSSL version to 1.0.x.