abc789987 Posted February 10, 2019 (edited)

3 hours ago, SlrG said:
> The user is defined correctly but did you really restart proftpd (in the plugins settings) afterwards? A user defined as ftp user should have no shell and should not be able to login using telnet. The jail will only work when accessing from an ftp client.

I am still able to telnet into my unraid server using the ftpuser I've created and it looks like it behaves the same as if I'm using ssh or an ftp client... This was just done with telnet through putty.

On the ProFTPd webgui Settings page I've Stopped, Started and Restarted multiple times. Unraid server has been rebooted multiple times too.

I was hoping it was something simple I was missing but maybe I should have provided additional information from the beginning... I had tried to setup an ftp server not using the ProFTPd plugin a while ago, maybe a year or two. Never got that working. I can't remember what all I tried or did, but never even got a user created to login... Is it possible there are multiple ftp or ssh server configuration files or something that are conflicting with each other? I've uninstalled plugin and reinstalled before too... But by just clicking the Uninstall Plugin button on webgui page.

Edited February 10, 2019 by abc789987
SlrG (Author) Posted February 10, 2019 (edited)

Please post the line of the user test1 from the file /etc/passwd. It should look like this:

    michael:x:1000:100:ftpuser /mnt/cache/FTP:/mnt/cache/FTP:/bin/false

The fifth field, ftpuser /mnt/cache/FTP, is the comment field, which on restart gets scanned and the path is put as the user's home directory in the sixth field. Also the user's shell is set to /bin/false, which should result in this user no longer being able to login other than using ftp.

edit: It might be that logging in using ssh is still possible. I have not tried that yet.

Also all users without the keyword ftpuser will be added to the file /etc/ftpusers, which should prevent them from logging in via ftp. The jail will only work if using ftp access however. If the passwd line is correct, we will have to check further.

Edited February 10, 2019 by SlrG
abc789987 Posted February 10, 2019 (edited)

    test1:x:1006:100:ftpuser /mnt/user/dup/test1:/mnt/user/dup/test1:/bin/bash

I just tried to edit last field to /bin/false and now cannot login via ftp or ssh or telnet.

Edited February 10, 2019 by abc789987
SlrG (Author) Posted February 10, 2019

I would recommend to delete the user, restart, make sure it is gone from the /etc/passwd file and recreate the user, then restart the plugin and check if the line looks correct now.
abc789987 Posted February 10, 2019

Okay, did all that. User disappeared from passwd file. Have recreated it and now it looks like you said it should...

    test1:x:1006:100:ftpuser mnt/user/dup/test1:mnt/user/dup/test1:/bin/false

But now I cannot connect via ftp or ssh. Telnet also does not work.
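The passwd layout SlrG describes above (keyword and path in the comment field, the same path as home directory, /bin/false as shell, everyone else listed in /etc/ftpusers) can be checked mechanically. The following is an added example, not part of the original posts or the plugin; the function names and the sample accounts other than michael are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit passwd-format lines against the ftpuser layout described above.

# Constructed sample. The michael line has the form shown in the thread;
# the other accounts are constructed variants for the demonstration.
sample_passwd() {
cat <<'EOF'
root:x:0:0::/root:/bin/bash
nobody:x:99:100:nobody:/:/bin/false
michael:x:1000:100:ftpuser /mnt/cache/FTP:/mnt/cache/FTP:/bin/false
test1:x:1006:100:ftpuser /mnt/user/dup/test1:/mnt/user/dup/test1:/bin/bash
test2:x:1007:100:ftpuser mnt/user/dup/test2:mnt/user/dup/test2:/bin/false
backup:x:1001:100::/home/backup:/bin/bash
EOF
}

# Report every account tagged "ftpuser" whose fields do not fit the layout.
# $1: passwd-format file (defaults to /etc/passwd)
audit_ftp_users() {
    awk -F: '
    $5 ~ /^ftpuser( |$)/ {
        user = $1; home = $6; shell = $7
        want = $5; sub(/^ftpuser */, "", want)   # path taken from the comment field
        ok = 1
        if (want == "")            { print user ": no path after ftpuser keyword"; ok = 0 }
        else if (want !~ /^\//)    { print user ": comment path is not absolute: " want; ok = 0 }
        if (home != want)          { print user ": home " home " differs from comment path " want; ok = 0 }
        if (shell != "/bin/false") { print user ": shell is " shell ", expected /bin/false"; ok = 0 }
        if (ok) print user ": ok"
    }' "${1:-/etc/passwd}"
}

# List accounts without the ftpuser keyword that are missing from the deny list.
# $1: passwd-format file, $2: ftpusers deny list (one user name per line)
not_denied_users() {
    awk -F: '
    FILENAME == ARGV[1] { if ($0 != "" && $0 !~ /^#/) denied[$1] = 1; next }
    $5 !~ /^ftpuser( |$)/ && !($1 in denied) { print $1 }
    ' "$2" "$1"
}

# Demonstration on the constructed sample (temporary files only).
tmp=$(mktemp -d)
sample_passwd > "$tmp/passwd"
printf 'root\nnobody\n' > "$tmp/ftpusers"
audit_ftp_users "$tmp/passwd"
not_denied_users "$tmp/passwd" "$tmp/ftpusers"
rm -rf "$tmp"
```

On the server itself, `audit_ftp_users /etc/passwd` and `not_denied_users /etc/passwd /etc/ftpusers` run the same checks against the live files.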
SlrG (Author) Posted February 10, 2019

Well let's try to solve the ftp part now. What does the syslog of your unRAID and what does the FTP client say, when you try to connect? Which ftp client do you try to use? Please make sure to have a simple starting password when trying to connect. (no special chars please) There was a user, who reported problems with complicated passwords some time ago.
abc789987 Posted February 10, 2019

From Syslog

Feb 10 17:39:55 NAS sshd[15918]: Accepted password for test1 from 192.168.1.210 port 57802 ssh2

From WinSCP log file

. 2019-02-10 17:39:56.865 --------------------------------------------------------------------------
. 2019-02-10 17:39:56.866 WinSCP Version 5.13.6 (Build 9061) (OS 10.0.17134 - Windows 10 Enterprise)
. 2019-02-10 17:39:56.866 Configuration: HKCU\Software\Martin Prikryl\WinSCP 2\
. 2019-02-10 17:39:56.866 Log level: Normal
. 2019-02-10 17:39:56.866 Local account: DESKTOP-MFBL235\mikej
. 2019-02-10 17:39:56.866 Working directory: C:\Program Files (x86)\WinSCP
. 2019-02-10 17:39:56.867 Process ID: 21004
. 2019-02-10 17:39:56.869 Command-line: "C:\Program Files (x86)\WinSCP\WinSCP.exe"
. 2019-02-10 17:39:56.869 Time zone: Current: GMT-5, Standard: GMT-5 (US Eastern Standard Time), DST: GMT-4 (US Eastern Daylight Time), DST Start: 3/10/2019, DST End: 11/3/2019
. 2019-02-10 17:39:56.869 Login time: Sunday, February 10, 2019 5:39:56 PM
. 2019-02-10 17:39:56.869 --------------------------------------------------------------------------
. 2019-02-10 17:39:56.870 Session name: [email protected] (Site)
. 2019-02-10 17:39:56.870 Host name: 192.168.1.112 (Port: 198)
. 2019-02-10 17:39:56.870 User name: test1 (Password: Yes, Key file: No, Passphrase: No)
. 2019-02-10 17:39:56.870 Tunnel: No
. 2019-02-10 17:39:56.870 Transfer Protocol: SFTP (SCP)
. 2019-02-10 17:39:56.870 Ping type: Off, Ping interval: 30 sec; Timeout: 15 sec
. 2019-02-10 17:39:56.870 Disable Nagle: No
. 2019-02-10 17:39:56.870 Proxy: None
. 2019-02-10 17:39:56.870 Send buffer: 262144
. 2019-02-10 17:39:56.870 SSH protocol version: 2; Compression: No
. 2019-02-10 17:39:56.870 Bypass authentication: No
. 2019-02-10 17:39:56.870 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: Yes
. 2019-02-10 17:39:56.870 GSSAPI: Forwarding: No; Libs: gssapi32,sspi,custom; Custom:
. 2019-02-10 17:39:56.870 Ciphers: aes,chacha20,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2019-02-10 17:39:56.870 KEX: ecdh,dh-gex-sha1,dh-group14-sha1,rsa,WARN,dh-group1-sha1
. 2019-02-10 17:39:56.870 SSH Bugs: Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto
. 2019-02-10 17:39:56.870 Simple channel: Yes
. 2019-02-10 17:39:56.870 Return code variable: Autodetect; Lookup user groups: Auto
. 2019-02-10 17:39:56.870 Shell: default
. 2019-02-10 17:39:56.870 EOL: LF, UTF: Auto
. 2019-02-10 17:39:56.870 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes; Follow directory symlinks: No
. 2019-02-10 17:39:56.870 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2019-02-10 17:39:56.870 SFTP Bugs: Auto,Auto
. 2019-02-10 17:39:56.870 SFTP Server: default
. 2019-02-10 17:39:56.870 Local directory: C:\Users\mikej\OneDrive\Documents, Remote directory: /mnt/user/dup/test1, Update: Yes, Cache: Yes
. 2019-02-10 17:39:56.870 Cache directory changes: Yes, Permanent: Yes
. 2019-02-10 17:39:56.870 Recycle bin: Delete to: No, Overwritten to: No, Bin path:
. 2019-02-10 17:39:56.870 DST mode: Unix
. 2019-02-10 17:39:56.870 --------------------------------------------------------------------------
. 2019-02-10 17:39:56.896 Looking up host "192.168.1.112" for SSH connection
. 2019-02-10 17:39:56.896 Connecting to 192.168.1.112 port 198
. 2019-02-10 17:39:56.897 We claim version: SSH-2.0-WinSCP_release_5.13.6
. 2019-02-10 17:39:56.919 Server version: SSH-2.0-OpenSSH_7.9
. 2019-02-10 17:39:56.919 Using SSH protocol version 2
. 2019-02-10 17:39:56.919 Have a known host key of type ssh-ed25519
. 2019-02-10 17:39:56.920 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2019-02-10 17:39:57.530 Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
. 2019-02-10 17:39:57.531 Host key fingerprint is:
. 2019-02-10 17:39:57.531 ssh-ed25519 256 1b:ac:e8:ff:be:74:a2:5c:b1:4f:ae:d7:c3:96:ab:c6 e65XSS0Ayo8BmglJWqdxYwIWCVifRKR1pAhpR56itzw=
. 2019-02-10 17:39:57.582 Host key matches cached key
. 2019-02-10 17:39:57.583 Initialised AES-256 SDCTR client->server encryption
. 2019-02-10 17:39:57.583 Initialised HMAC-SHA-256 client->server MAC algorithm
. 2019-02-10 17:39:57.583 Initialised AES-256 SDCTR server->client encryption
. 2019-02-10 17:39:57.583 Initialised HMAC-SHA-256 server->client MAC algorithm
! 2019-02-10 17:39:57.623 Using username "test1".
. 2019-02-10 17:39:57.654 Server offered these authentication methods: publickey,password,keyboard-interactive
. 2019-02-10 17:39:57.654 Attempting keyboard-interactive authentication
. 2019-02-10 17:39:57.660 Server refused keyboard-interactive authentication
. 2019-02-10 17:39:57.660 Server offered these authentication methods: publickey,password,keyboard-interactive
. 2019-02-10 17:39:57.660 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2019-02-10 17:39:57.660 Using stored password.
. 2019-02-10 17:39:57.683 Sent password
. 2019-02-10 17:39:57.695 Access granted
. 2019-02-10 17:39:57.695 Opening session as main channel
. 2019-02-10 17:39:57.739 Opened main channel
. 2019-02-10 17:39:57.780 Started a shell/command
. 2019-02-10 17:39:57.791 --------------------------------------------------------------------------
. 2019-02-10 17:39:57.791 Using SFTP protocol.
. 2019-02-10 17:39:57.791 Doing startup conversation with host.
. 2019-02-10 17:39:57.791 Server sent command exit status 1
. 2019-02-10 17:39:57.792 Disconnected: All channels closed
* 2019-02-10 17:39:57.827 (EFatal) **Connection has been unexpectedly closed.** Server sent command exit status 1.
SlrG (Author) Posted February 10, 2019 (edited)

You are trying to use sftp. Which is a subtype of ssh and the proftpd is not configured to handle that, as you see the sshd responding in the syslog. An example ftp client is FileZilla but pure ftp connections are unencrypted. I recommend you never directly connect your unRAID server to the internet. Use a vpn to your home network and then there should be no problem using pure ftp.

If you still need an encrypted connection, there are some examples of users setting up sftp or ftp with tls in this thread. This is however not very simple to setup.

Edited February 10, 2019 by SlrG
abc789987 Posted February 11, 2019

I'm trying to setup an sftp for Duplicati backups. I guess I'll have to read up more on how the users got sftp working correctly on here. Thank you for all your help.
SlrG (Author) Posted February 11, 2019

Do you want this to support offsite backups? If you are only within your home network sftp would not be necessary IMHO. Proftpd can be setup to support sftp however. Here is an old post I did.
abc789987 Posted February 11, 2019

The backups will be offsite. I'll have to check out that post later today. Thanks again.
SlrG (Author) Posted February 13, 2019

@d2dyno Today I upgraded to 6.7.0-rc3 and other than that after the upgrade I had to start the proftpd daemon manually after the installation, I have no problems running the proftpd plugin. On reboot it starts automatically again and everything works, including sftp and tls, which should use openssl library. What exactly does not work for you?
kricker Posted February 13, 2019

2 hours ago, SlrG said:
> @d2dyno Today I upgraded to 6.7.0-rc3 and other than that after the upgrade I had to start the proftpd daemon manually after the installation, I have no problems running the proftpd plugin. On reboot it starts automatically again and everything works, including sftp and tls, which should use openssl library. What exactly does not work for you?

Based on that, I upgraded to 6.7.0-rc3 today as well. ProFTP seems to be working just fine for me as well.
abc789987 Posted February 13, 2019

On 2/11/2019 at 3:21 AM, SlrG said:
> Do you want this to support offsite backups? If you are only within your home network sftp would not be necessary IMHO. Proftpd can be setup to support sftp however. Here is an old post I did.

After looking into how duplicati works it has built in encryption so I think sftp would be overkill. Just using the ftp and it seems to be working perfectly. Thank you for the great app and support.
H2OKing Posted February 17, 2019

this won't start with RC4
SlrG (Author) Posted February 18, 2019 (edited)

@H2O_King89 RC4 does not back up sftp certificates in /etc/ssh/ and only restores the unraid stock certificates. If you had a sftp setup, proftpd will fail to start as these files are missing now. The stock plugin without proftpd.conf modifications should start without problems and if you restore the certificate files, a sftp setup will work again, too. If you have no backups, you will need to create new ones.

Edited February 18, 2019 by SlrG
H2OKing Posted February 18, 2019

1 hour ago, SlrG said:
> @H2O_King89 RC4 does not back up sftp certificates in /etc/ssh/ and only restores the unraid stock certificates. If you had a sftp setup, proftpd will fail to start as these files are missing now. The stock plugin without proftpd.conf modifications should start without problems and if you restore the certificate files, a sftp setup will work again, too. If you have no backups, you will need to create new ones.

Everything is stock. I tried removing and adding back and it just won't start. 6.6.6 works.
SlrG (Author) Posted February 18, 2019

Hmm... That's puzzling. I did a complete uninstall on my system with RC4 and rebooted to remove all traces and did a clean reinstall of the plugin. It works without problems on my system. Anything in the log when installing the plugin or when trying to start in the plugins settings? What do you get, when you enter this in the shell?:

    sudo -u root /usr/local/SlrG-Common/usr/local/sbin/proftpd -c /etc/proftpd.conf
Cessquill Posted February 18, 2019

    /usr/local/SlrG-Common/usr/local/sbin/proftpd: error while loading shared libraries: libssl.so.1: cannot open shared object file: No such file or directory

I'm in a similar boat - RC4 won't start, whereas 6.6.6 was fine. The above is the result of your command
Ruthalas Posted February 19, 2019 (edited)

On 5/7/2017 at 3:45 AM, SlrG said:
> To enable sftp: open a shell on your unraid server and issue the following commands
>
>     cd /etc/ssh
>     ssh-keygen
>
> Enter the name of the keyfile (sftp_rsa_key) and no passphrase. You will get two files sftp_rsa_key and sftp_rsa_key.pub. The public key needs to be converted to another format to make it usable by proftpd:
>
>     ssh-keygen -e -f sftp_rsa_key.pub | sudo tee sftp_user_keys
>
> You will get a new file sftp_user_keys. Now the owner and permissions will need to be changed:
>
>     chown nobody:users sftp_rsa_key sftp_rsa_key.pub sftp_user_keys
>     chmod 600 sftp_rsa_key sftp_rsa_key.pub sftp_user_keys
>
> Now to make your system restore the correct permissions of this keys on boot you will need to modify the mountscript:
>
>     nano /boot/config/plugins/ProFTPd/mountscript.sh
>
> Insert the following lines:
>
>     chown nobody:users /etc/ssh/sftp_rsa_key /etc/ssh/sftp_rsa_key.pub /etc/ssh/sftp_user_keys
>     chmod 600 /etc/ssh/sftp_rsa_key /etc/ssh/sftp_rsa_key.pub /etc/ssh/sftp_user_keys
>
> Now edit your proftpd.conf file and insert:
>
>     <IfModule mod_sftp.c>
>     SFTPEngine on
>     Port 2222
>     SFTPLog /var/log/sftp.log
>     SFTPHostKey /etc/ssh/sftp_rsa_key
>     SFTPAuthorizedUserKeys file:/etc/ssh/sftp_user_keys
>     SFTPAuthMethods publickey
>     SFTPKeyBlacklist none
>     SFTPDHParamFile /usr/local/SlrG-Common/usr/local/etc/dhparams.pem
>     </IfModule>
>
> Don't forget to restart the proftpd server to enable the changes. You need to copy the sftp_rsa_key and take it with you, to access your server. If you are using FileZilla to connect, the file needs to be converted to a usable format and stored in FileZillas settings.

Good afternoon Slrg,

I am trying to get sftp up and running on my unRAID box. I have followed the above steps, but still get the following when I attempt to start ProFTPd:

    /usr/local/SlrG-Common/usr/local/sbin/proftpd -c /etc/proftpd.conf
    2019-02-18 22:43:37,864 Example-Server proftpd[26662]: mod_ctrls/0.9.5: error: unable to bind to local socket: Address already in use
    2019-02-18 22:43:37,866 Example-Server proftpd[26662]: warning: config file '/etc/proftpd.conf' is world-writable
    Wrong passphrase for this key. Please try again.
    Wrong passphrase for this key. Please try again.
    Wrong passphrase for this key. Please try again.
    2019-02-18 22:43:37,954 Example-Server proftpd[26662] 127.0.0.1: mod_sftp/1.0.0: error reading passphrase for SFTPHostKey '/etc/ssh/sftp_rsa_key': (unknown)
    2019-02-18 22:43:37,954 Example-Server proftpd[26662] 127.0.0.1: mod_sftp/1.0.0: unable to use key in SFTPHostKey '/etc/ssh/sftp_rsa_key', exiting

From a previous post of yours, it seems the bind error is expected (and netstat shows nothing using my ports), as is the world-editable warning. When creating the key I was careful to enter anything when prompted by ssh-keygen (I hit enter without typing anything). Can you provide some guidance?

(I am using unRAID 6.6.6 - the plugin works fine when not configured for sftp.)

Edited February 19, 2019 by Ruthalas (Spelling, added bottom note)
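An added check, not part of the original posts or the plugin, for the host key created in the quoted sftp steps: it confirms the 600 permissions those steps set and tests whether the private key really opens with an empty passphrase, which is what the "Wrong passphrase for this key" output above puts in question. It assumes OpenSSH's ssh-keygen is on the PATH; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the SFTPHostKey file before restarting proftpd.

# $1: private key path (the quoted steps use /etc/ssh/sftp_rsa_key)
check_sftp_host_key() {
    key=$1
    if [ ! -f "$key" ]; then
        echo "$key: missing"
        return 1
    fi

    # The quoted steps set mode 600; compare the permission string from ls.
    perms=$(ls -ld "$key" | cut -c1-10)
    if [ "$perms" != "-rw-------" ]; then
        echo "$key: permissions $perms, expected -rw------- (chmod 600)"
        return 1
    fi

    # -y prints the public key derived from the private key. -P "" supplies an
    # empty passphrase, so an encrypted key fails here instead of prompting.
    if ! derived=$(ssh-keygen -y -P "" -f "$key" 2>/dev/null); then
        echo "$key: not readable with an empty passphrase"
        return 1
    fi

    # If the .pub file is present, make sure it belongs to this private key
    # (compare key type and key data, ignore the trailing comment).
    if [ -f "$key.pub" ]; then
        want=$(printf '%s\n' "$derived" | awk '{print $1, $2}')
        have=$(awk '{print $1, $2}' "$key.pub")
        if [ "$want" != "$have" ]; then
            echo "$key.pub: does not belong to $key"
            return 1
        fi
    fi

    echo "$key: ok"
}

# Run against a path given on the command line, e.g. /etc/ssh/sftp_rsa_key
if [ $# -gt 0 ]; then
    check_sftp_host_key "$1"
fi
```

If this reports ok and proftpd still asks for a passphrase, the key itself is not encrypted and the problem lies in how proftpd reads the file rather than in the passphrase.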
SlrG (Author) Posted February 19, 2019

@Ruthalas Do you have access to another linux system or vm? When I did a complete wipe of the plugin on my system yesterday I had to generate new certificates too and got the same error. Then I created them not on unRAID but on another system and they worked without password. I had not the time yet to investigate further.
SlrG (Author) Posted February 19, 2019 (edited)

@Cessquill I'll have to check again. Do you have a stock proftpd.conf or a modified one? Can you please pm me the content if it is the latter?

Edited February 19, 2019 by SlrG
Ruthalas Posted February 19, 2019 (edited)

Generating the key on another machine worked. My conf file is stock aside from the addition of the <IfModule mod_sftp.c></> section you describe in the post I quoted above (and alternate port numbers). I hope that is helpful!

(If you have a moment to provide guidance on converting the keys for use with FileZilla, I'd appreciate that as well. That's my next step.)

Edited February 19, 2019 by Ruthalas (Added issue + removed issue)
SlrG (Author) Posted February 19, 2019

@Ruthalas I think FileZilla does this automatically. Just open Settings and there is a SFTP item where you can import the private key.
Kewjoe Posted February 19, 2019

8 hours ago, SlrG said:
> @Cessquill I'll have to check again. Do you have a stock proftpd.conf or a modified one? Can you please pm me the content if it is the latter?

I did a fresh install on 6.7.0-RC4 and got the exact same error as @Cessquill. I have a stock proftpd.conf. All I did was install and try to run.