SFTP server: better to use SSH internal sftp subsystem or ProFTPD plugin?

I've been tasked to install a new SFTP server. Per se, this is a very simple operation: simply using the internal-sftp role of the ubiquitous SSH service (with chrooting) is sufficient to have a reliable SFTP server.

However, it's in my nature to always try at least two different approaches for the same problem, and I realized I can use ProFTPD with an sftp plugin to do the same thing, with the added benefit of more granular file-transfer-related options (e.g. bandwidth throttling). On the other hand, this plugin is not compiled (and bundled) by default, and I would like to avoid a (perhaps) "less tested" solution.

At the moment, the only required service is SFTP; however, I'm playing in advance and I would like to implement a solution which can not only work with SFTP, but with FTP/S also.

Considering that I am going to chroot users inside their homes, what do you feel is a better solution?

  1. use SSH internal-sftp and a standalone FTP server (vsftpd or proftpd) for FTP/S services
  2. only use the ProFTPD service with the relevant plugin

Solution 1:

SSH's sftp server has some additional requirements for chroot directories, i.e. the user can't have write access to the chroot dir; in some environments this might be a problem.

If you also need ftp/ftps I would suggest giving mod_sftp a go. We are using it in production on about 20 servers with over 10k accounts with almost nil problems (sftp is the least used protocol). The downside might be that it doesn't support the password authentication method, but it supports rsa key and keyboard-interactive, so it is only a problem for very old clients.
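
The chroot requirement this answer refers to is documented in sshd_config(5): every component of the ChrootDirectory path must be a root-owned directory that is not writable by group or others. The following Python script is an added example, not part of the original answers, that runs the same check before sshd does; the function names and the `owner_uid` parameter are assumptions of this example.

```python
#!/usr/bin/env python3
"""Pre-flight check for an sshd ChrootDirectory path (added example)."""
import os
import stat
import sys


def component_problems(path, st, owner_uid=0):
    """Return the reasons one path component fails the chroot rules."""
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append(f"{path}: not a directory")
    if st.st_uid != owner_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: writable by group or others "
                        f"(mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


def check_chroot(chroot_dir, owner_uid=0):
    """Check every component from / down to chroot_dir.

    owner_uid is 0 (root) in real use; it is a parameter only so the
    logic can be exercised without root privileges.
    """
    path = os.path.abspath(chroot_dir)
    parts = [p for p in path.split(os.sep) if p]
    problems, current = [], os.sep
    for part in [""] + parts:          # "" makes the first component "/"
        current = os.path.join(current, part)
        try:
            st = os.stat(current)      # follows symlinks
        except OSError as exc:
            problems.append(f"{current}: {exc.strerror}")
            break
        problems.extend(component_problems(current, st, owner_uid))
    return problems


if __name__ == "__main__":
    # With no argument, "/" is checked as a demonstration.
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    found = check_chroot(target)
    print("\n".join(found) or f"OK: {target} meets the ChrootDirectory requirements")
```

A user's home directory normally fails the ownership test, which is why chrooted setups usually give the user a writable subdirectory inside a root-owned jail.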

Solution 2:

This is an older thread but I'd just like to add for future readers that we've been configuring servers to use proftpd with mod_sftp for years with no problems at all. I like very much that the separation of services gives fine-grained control over security, the service itself, and user management.

You can configure proftpd to support either or both passwords/keys with mod_sftp if you also include the sftp_pam module. Here's an example config that enables both:

# Include all available modules
Include /etc/proftpd/modules.conf

<Global>
  <IfModule mod_sftp.c>
    <IfModule mod_sftp_pam.c>
      SFTPPAMEngine on
      SFTPPAMServiceName sftp
    </IfModule>

    SFTPEngine on
    SFTPLog /var/log/proftpd/sftp.log

    # Configure both the host keys
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    SFTPHostKey /etc/ssh/ssh_host_dsa_key

    SFTPAuthMethods publickey password keyboard-interactive
    SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

    # Enable compression
    SFTPCompression delayed
  </IfModule>
</Global>