ProFTPD Plugin for unRAID v6.8.x


SlrG


3 hours ago, SlrG said:

The user is defined correctly but did you really restart proftpd (in the plugin's settings) afterwards? A user defined as ftp user should have no shell and should not be able to login using telnet. The jail will only work when accessing from an ftp client.

I am still able to telnet into my unraid server using the ftpuser I've created and looks like it behaves the same as if I'm using ssh or an ftp client...

This was just done with telnet through putty.


On the ProFTPd webgui Settings page I've Stopped, Started and Restarted multiple times.  Unraid server has been rebooted multiple times too.

 

I was hoping it was something simple I was missing but maybe I should have provided additional information from the beginning...

I had tried to set up an ftp server not using the ProFTPd plugin a while ago, maybe a year or two.   Never got that working.  I can't remember what all I tried or did, but never even got a user created to log in...  Is it possible there are multiple ftp or ssh server configuration files or something that are conflicting with each other?  I've uninstalled the plugin and reinstalled before too... But by just clicking the Uninstall Plugin button on webgui page.

Edited by abc789987
Link to comment

Please post the line of the user test1 from the file /etc/passwd. It should look like this:

michael:x:1000:100:ftpuser /mnt/cache/FTP:/mnt/cache/FTP:/bin/false

The fifth field, ftpuser /mnt/cache/FTP, is the comment field, which on restart gets scanned and the path is put as the user's home directory in the sixth field. Also the user's shell is set to /bin/false, which should result in this user no longer being able to log in other than using ftp. edit: It might be that logging in using ssh is still possible. I have not tried that yet.

 

Also all users without the keyword ftpuser will be added to the file /etc/ftpusers, which should prevent them from logging in via ftp.

 

The jail will only work if using ftp access however. If the passwd line is correct, we will have to check further.

Edited by SlrG
Link to comment
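
The passwd convention described in the post above can be checked account by account. This is an added example, not part of the plugin or the original posts: `audit_passwd` is a hypothetical helper, it assumes the comment field is the keyword `ftpuser`, a space, then the jail path, and the `root` and `test1` lines are constructed samples.

```shell
#!/bin/sh
# Added example: audit passwd-format lines against the "ftpuser" convention.
# Output columns (tab-separated): user, ftp status, jail path, home check, shell.
audit_passwd() {
    awk -F: '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    NF != 7 { printf "%s\tmalformed\n", $1; next }
    {
        ftp = "ftp-denied"; jail = "-"; home = "-"
        # Assumption: the comment field is the keyword, a space, then the path.
        if ($5 ~ /^ftpuser( |$)/) {
            ftp = "ftp-allowed"
            jail = $5; sub(/^ftpuser */, "", jail)
            if (jail == "") jail = "(no path)"
            home = (jail == $6) ? "home-ok" : "home-mismatch"
        }
        # A shell other than false/nologin means the account can get a command line.
        shell = ($7 ~ /\/(false|nologin)$/) ? "no-shell" : "SHELL=" $7
        printf "%s\t%s\t%s\t%s\t%s\n", $1, ftp, jail, home, shell
    }' "$1"
}

# Constructed sample; the michael line is the one quoted in the post above.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
michael:x:1000:100:ftpuser /mnt/cache/FTP:/mnt/cache/FTP:/bin/false
test1:x:1001:100:ftpuser /mnt/user/dup/test1:/root:/bin/bash
EOF
audit_passwd "$SAMPLE"
```

Run it as `audit_passwd /etc/passwd`; an `ftp-allowed` account that still shows `SHELL=` or `home-mismatch` has not been rewritten the way the post describes.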

Well let's try to solve the ftp part now. :) What does the syslog of your unRAID and what does the FTP client say, when you try to connect? Which ftp client do you try to use? Please make sure to have a simple starting password when trying to connect. (no special chars please) There was a user, who reported problems with complicated passwords some time ago.

Link to comment

From Syslog

Feb 10 17:39:55 NAS sshd[15918]: Accepted password for test1 from 192.168.1.210 port 57802 ssh2

 

From WinSCP log file

. 2019-02-10 17:39:56.865 --------------------------------------------------------------------------
. 2019-02-10 17:39:56.866 WinSCP Version 5.13.6 (Build 9061) (OS 10.0.17134 - Windows 10 Enterprise)
. 2019-02-10 17:39:56.866 Configuration: HKCU\Software\Martin Prikryl\WinSCP 2\
. 2019-02-10 17:39:56.866 Log level: Normal
. 2019-02-10 17:39:56.866 Local account: DESKTOP-MFBL235\mikej
. 2019-02-10 17:39:56.866 Working directory: C:\Program Files (x86)\WinSCP
. 2019-02-10 17:39:56.867 Process ID: 21004
. 2019-02-10 17:39:56.869 Command-line: "C:\Program Files (x86)\WinSCP\WinSCP.exe" 
. 2019-02-10 17:39:56.869 Time zone: Current: GMT-5, Standard: GMT-5 (US Eastern Standard Time), DST: GMT-4 (US Eastern Daylight Time), DST Start: 3/10/2019, DST End: 11/3/2019
. 2019-02-10 17:39:56.869 Login time: Sunday, February 10, 2019 5:39:56 PM
. 2019-02-10 17:39:56.869 --------------------------------------------------------------------------
. 2019-02-10 17:39:56.870 Session name: [email protected] (Site)
. 2019-02-10 17:39:56.870 Host name: 192.168.1.112 (Port: 198)
. 2019-02-10 17:39:56.870 User name: test1 (Password: Yes, Key file: No, Passphrase: No)
. 2019-02-10 17:39:56.870 Tunnel: No
. 2019-02-10 17:39:56.870 Transfer Protocol: SFTP (SCP)
. 2019-02-10 17:39:56.870 Ping type: Off, Ping interval: 30 sec; Timeout: 15 sec
. 2019-02-10 17:39:56.870 Disable Nagle: No
. 2019-02-10 17:39:56.870 Proxy: None
. 2019-02-10 17:39:56.870 Send buffer: 262144
. 2019-02-10 17:39:56.870 SSH protocol version: 2; Compression: No
. 2019-02-10 17:39:56.870 Bypass authentication: No
. 2019-02-10 17:39:56.870 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: Yes
. 2019-02-10 17:39:56.870 GSSAPI: Forwarding: No; Libs: gssapi32,sspi,custom; Custom: 
. 2019-02-10 17:39:56.870 Ciphers: aes,chacha20,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2019-02-10 17:39:56.870 KEX: ecdh,dh-gex-sha1,dh-group14-sha1,rsa,WARN,dh-group1-sha1
. 2019-02-10 17:39:56.870 SSH Bugs: Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto
. 2019-02-10 17:39:56.870 Simple channel: Yes
. 2019-02-10 17:39:56.870 Return code variable: Autodetect; Lookup user groups: Auto
. 2019-02-10 17:39:56.870 Shell: default
. 2019-02-10 17:39:56.870 EOL: LF, UTF: Auto
. 2019-02-10 17:39:56.870 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes; Follow directory symlinks: No
. 2019-02-10 17:39:56.870 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2019-02-10 17:39:56.870 SFTP Bugs: Auto,Auto
. 2019-02-10 17:39:56.870 SFTP Server: default
. 2019-02-10 17:39:56.870 Local directory: C:\Users\mikej\OneDrive\Documents, Remote directory: /mnt/user/dup/test1, Update: Yes, Cache: Yes
. 2019-02-10 17:39:56.870 Cache directory changes: Yes, Permanent: Yes
. 2019-02-10 17:39:56.870 Recycle bin: Delete to: No, Overwritten to: No, Bin path: 
. 2019-02-10 17:39:56.870 DST mode: Unix
. 2019-02-10 17:39:56.870 --------------------------------------------------------------------------
. 2019-02-10 17:39:56.896 Looking up host "192.168.1.112" for SSH connection
. 2019-02-10 17:39:56.896 Connecting to 192.168.1.112 port 198
. 2019-02-10 17:39:56.897 We claim version: SSH-2.0-WinSCP_release_5.13.6
. 2019-02-10 17:39:56.919 Server version: SSH-2.0-OpenSSH_7.9
. 2019-02-10 17:39:56.919 Using SSH protocol version 2
. 2019-02-10 17:39:56.919 Have a known host key of type ssh-ed25519
. 2019-02-10 17:39:56.920 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2019-02-10 17:39:57.530 Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
. 2019-02-10 17:39:57.531 Host key fingerprint is:
. 2019-02-10 17:39:57.531 ssh-ed25519 256 1b:ac:e8:ff:be:74:a2:5c:b1:4f:ae:d7:c3:96:ab:c6 e65XSS0Ayo8BmglJWqdxYwIWCVifRKR1pAhpR56itzw=
. 2019-02-10 17:39:57.582 Host key matches cached key
. 2019-02-10 17:39:57.583 Initialised AES-256 SDCTR client->server encryption
. 2019-02-10 17:39:57.583 Initialised HMAC-SHA-256 client->server MAC algorithm
. 2019-02-10 17:39:57.583 Initialised AES-256 SDCTR server->client encryption
. 2019-02-10 17:39:57.583 Initialised HMAC-SHA-256 server->client MAC algorithm
! 2019-02-10 17:39:57.623 Using username "test1".
. 2019-02-10 17:39:57.654 Server offered these authentication methods: publickey,password,keyboard-interactive
. 2019-02-10 17:39:57.654 Attempting keyboard-interactive authentication
. 2019-02-10 17:39:57.660 Server refused keyboard-interactive authentication
. 2019-02-10 17:39:57.660 Server offered these authentication methods: publickey,password,keyboard-interactive
. 2019-02-10 17:39:57.660 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2019-02-10 17:39:57.660 Using stored password.
. 2019-02-10 17:39:57.683 Sent password
. 2019-02-10 17:39:57.695 Access granted
. 2019-02-10 17:39:57.695 Opening session as main channel
. 2019-02-10 17:39:57.739 Opened main channel
. 2019-02-10 17:39:57.780 Started a shell/command
. 2019-02-10 17:39:57.791 --------------------------------------------------------------------------
. 2019-02-10 17:39:57.791 Using SFTP protocol.
. 2019-02-10 17:39:57.791 Doing startup conversation with host.
. 2019-02-10 17:39:57.791 Server sent command exit status 1
. 2019-02-10 17:39:57.792 Disconnected: All channels closed
* 2019-02-10 17:39:57.827 (EFatal) **Connection has been unexpectedly closed.** Server sent command exit status 1.

 

Link to comment

You are trying to use sftp, which is a subtype of ssh, and the proftpd is not configured to handle that, as you see the sshd responding in the syslog. An example ftp client is FileZilla but pure ftp connections are unencrypted. I recommend you never directly connect your unRAID server to the internet. Use a vpn to your home network and then there should be no problem using pure ftp. If you still need an encrypted connection, there are some examples of users setting up sftp or ftp with tls in this thread. This is however not very simple to set up.

Edited by SlrG
Link to comment

@d2dyno

Today I upgraded to 6.7.0-rc3 and, other than having to start the proftpd daemon manually after the installation, I have no problems running the proftpd plugin. On reboot it starts automatically again and everything works, including sftp and tls, which should use openssl library. What exactly does not work for you?

Link to comment
2 hours ago, SlrG said:

@d2dyno

Today I upgraded to 6.7.0-rc3 and, other than having to start the proftpd daemon manually after the installation, I have no problems running the proftpd plugin. On reboot it starts automatically again and everything works, including sftp and tls, which should use openssl library. What exactly does not work for you?

Based on that, I upgraded to 6.7.0-rc3 today as well. ProFTP seems to be working just fine for me as well.

Link to comment
On 2/11/2019 at 3:21 AM, SlrG said:

Do you want this to support offsite backups? If you are only within your home network sftp would not be necessary IMHO. Proftpd can be set up to support sftp however. Here is an old post I did.

After looking into how duplicati works it has built in encryption so I think sftp would be overkill.  Just using the ftp and seems to be working perfectly.  Thank you for great app and support.

Link to comment

@H2O_King89

RC4 does not back up sftp certificates in /etc/ssh/ and only restores the unraid stock certificates. If you had a sftp setup, proftpd will fail to start as these files are missing now. The stock plugin without proftpd.conf modifications should start without problems and if you restore the certificate files, a sftp setup will work again, too. If you have no backups, you will need to create new ones.

Edited by SlrG
Link to comment
1 hour ago, SlrG said:

@H2O_King89

RC4 does not back up sftp certificates in /etc/ssh/ and only restores the unraid stock certificates. If you had a sftp setup, proftpd will fail to start as these files are missing now. The stock plugin without proftpd.conf modifications should start without problems and if you restore the certificate files, a sftp setup will work again, too. If you have no backups, you will need to create new ones.

Everything is stock. I tried removing and adding back and just won't start. 6.6.6 works.

Link to comment

Hmm... That's puzzling. I did a complete uninstall on my system with RC4 and rebooted to remove all traces and did a clean reinstall of the plugin. It works without problems on my system. Anything in the log when installing the plugin or when trying to start in the plugin's settings? What do you get, when you enter this in the shell?:

sudo -u root /usr/local/SlrG-Common/usr/local/sbin/proftpd -c /etc/proftpd.conf

 

Link to comment
On 5/7/2017 at 3:45 AM, SlrG said:

To enable sftp:

open a shell on your unraid server and issue the following commands


cd /etc/ssh
ssh-keygen

Enter the name of the keyfile (sftp_rsa_key) and no passphrase.

You will get two files sftp_rsa_key and sftp_rsa_key.pub. The public key needs to be converted to another format to make it usable by proftpd:


ssh-keygen -e -f sftp_rsa_key.pub | sudo tee sftp_user_keys

You will get a new file sftp_user_keys. Now the owner and permissions will need to be changed:


chown nobody:users sftp_rsa_key sftp_rsa_key.pub sftp_user_keys
chmod 600 sftp_rsa_key sftp_rsa_key.pub sftp_user_keys 

Now to make your system restore the correct permissions of these keys on boot you will need to modify the mountscript:


nano /boot/config/plugins/ProFTPd/mountscript.sh

Insert the following lines:


chown nobody:users /etc/ssh/sftp_rsa_key /etc/ssh/sftp_rsa_key.pub /etc/ssh/sftp_user_keys
chmod 600 /etc/ssh/sftp_rsa_key /etc/ssh/sftp_rsa_key.pub /etc/ssh/sftp_user_keys

Now edit your proftpd.conf file and insert:


<IfModule mod_sftp.c>
        SFTPEngine on
        Port 2222
        SFTPLog /var/log/sftp.log

        SFTPHostKey /etc/ssh/sftp_rsa_key
        SFTPAuthorizedUserKeys file:/etc/ssh/sftp_user_keys

        SFTPAuthMethods publickey

        SFTPKeyBlacklist none
        SFTPDHParamFile /usr/local/SlrG-Common/usr/local/etc/dhparams.pem
</IfModule>

Don't forget to restart the proftpd server to enable the changes.

 

You need to copy the sftp_rsa_key and take it with you, to access your server. If you are using FileZilla to connect, the file needs to be converted to a usable format and stored in FileZilla's settings.

Good afternoon Slrg, I am trying to get sftp up and running on my unRAID box.

 

I have followed the above steps, but still get the following when I attempt to start ProFTPd:

/usr/local/SlrG-Common/usr/local/sbin/proftpd -c /etc/proftpd.conf
2019-02-18 22:43:37,864 Example-Server proftpd[26662]: mod_ctrls/0.9.5: error: unable to bind to local socket: Address already in use
2019-02-18 22:43:37,866 Example-Server proftpd[26662]: warning: config file '/etc/proftpd.conf' is world-writable

Wrong passphrase for this key.  Please try again.

Wrong passphrase for this key.  Please try again.

Wrong passphrase for this key.  Please try again.
2019-02-18 22:43:37,954 Example-Server proftpd[26662] 127.0.0.1: mod_sftp/1.0.0: error reading passphrase for SFTPHostKey '/etc/ssh/sftp_rsa_key': (unknown)
2019-02-18 22:43:37,954 Example-Server proftpd[26662] 127.0.0.1: mod_sftp/1.0.0: unable to use key in SFTPHostKey '/etc/ssh/sftp_rsa_key', exiting

From a previous post of yours, it seems the bind error is expected (and netstat shows nothing using my ports), as is the world-editable warning.

When creating the key I was careful to enter anything when prompted by ssh-keygen (I hit enter without typing anything).

 

Can you provide some guidance?

 

(I am using unRAID 6.6.6- the plugin works fine when not configured for sftp.)

Edited by Ruthalas
Spelling, added bottom note
Link to comment

@Ruthalas

Do you have access to another linux system or vm? When I did a complete wipe of the plugin on my system yesterday I had to generate new certificates too and got the same error. Then I created them not on unRAID but on another system and they worked without password. I had not the time yet to investigate further.

Link to comment

Generating the key on another machine worked.

 

My conf file is stock aside from the addition of the <IfModule mod_sftp.c></> section you describe in the post I quoted above (and alternate port numbers).

 

I hope that is helpful!

(If you have a moment to provide guidance on converting the keys for use with FileZilla, I'd appreciate that as well. That's my next step.)

Edited by Ruthalas
Added issue + removed issue
Link to comment
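
The key made on unRAID was rejected with "Wrong passphrase" although none was set, while a key made on another machine worked. OpenSSH 7.8 and later write the OpenSSH private key format by default instead of PEM, so the two keys may differ in container format; whether this plugin's mod_sftp build reads both is not stated in the thread. The check below is an added example, not from the original posts or the plugin: `key_format` is a hypothetical helper and the sample files are constructed headers with no key material.

```shell
#!/bin/sh
# Added example: report the container format of a private key file and whether
# it is passphrase-protected, by reading only its text headers.
key_format() {
    # Strip CR so files that passed through a Windows editor still match.
    first=$(sed -n '1p' "$1" | tr -d '\r')
    case "$first" in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
        # Body is base64 of "openssh-key-v1\0" followed by the cipher name;
        # this prefix encodes cipher "none", i.e. no passphrase.
        body=$(sed -n '2p' "$1")
        case "$body" in
        b3BlbnNzaC1rZXktdjEAAAAABG5vbmU*) echo "openssh unencrypted" ;;
        *) echo "openssh encrypted" ;;
        esac ;;
    "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
        # Traditional PEM marks encryption with a Proc-Type header line.
        if sed -n '2,3p' "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
            echo "pem encrypted"
        else
            echo "pem unencrypted"
        fi ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8 encrypted" ;;
    "-----BEGIN PRIVATE KEY-----") echo "pkcs8 unencrypted" ;;
    *) echo "unknown" ;;
    esac
}

# Constructed header-only samples (no key material) to exercise each branch.
D=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB' > "$D/new_plain"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIA' > "$D/new_enc"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE(constructed)' > "$D/pem_plain"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00000000000000000000000000000000' > "$D/pem_enc"
for f in "$D"/*; do printf '%s: %s\n' "${f##*/}" "$(key_format "$f")"; done
```

Run `key_format /etc/ssh/sftp_rsa_key` on both the rejected and the accepted key and compare the results. If they differ in format, `ssh-keygen -m PEM` makes a current OpenSSH write the older PEM format.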
