ProFTPD is a highly configurable, GPL-licensed FTP server.

This post describes one way of installing ProFTPD as an SFTP-only server on RHEL5.

Only members of the sftponly group can connect to the SFTP-only server.

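Install the software

The packaged proftpd is installed for its init script, which is then repointed at the source build under /usr/local. The two source tarballs below are fetched over plain FTP and HTTP and are built and installed as root, so check each one against a checksum or signature published by its project, where one is available, before running configure.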

# yum install proftpd
# chkconfig proftpd on

# yum install openssl-devel

# wget ftp://ftp35.us.proftpd.org/distrib/source/proftpd-1.3.4b.tar.gz
# tar zxf proftpd-1.3.4b.tar.gz
# cd proftpd-1.3.4b
# ./configure --enable-openssl --with-modules=mod_ratio:mod_readme:mod_rewrite:mod_wrap2:mod_ifsession:mod_sftp
# make clean all install

# wget http://downloads.laffeycomputer.com/current_builds/rpl-1.4.1.tar.gz
# tar zxf rpl-1.4.1.tar.gz
# cd rpl-1.4.1
# ./configure
# make
# make install

# rpl /usr/sbin /usr/local/sbin /etc/init.d/proftpd
# rpl /var/run/proftpd/proftpd.pid /usr/local/var/proftpd.pid /etc/init.d/proftpd

# vi /etc/rc.d/init.d/proftpd
------------------------------ cut here ------------------------------
export PATH=/usr/local/sbin:/sbin:/bin:/usr/bin:/usr/sbin
------------------------------ cut here ------------------------------

Prepare the ProFTPD environment

Uncommenting DefaultRoot ~ confines each user to their own home directory after login.

# mkdir /home/proftpd
# mkdir /home/proftpd/conf
# mkdir /home/proftpd/log
# mkdir /home/proftpd/root

# cp /usr/local/etc/proftpd.conf /usr/local/etc/proftpd.conf.orig
# rpl '#DefaultRoot ~' 'DefaultRoot ~' /usr/local/etc/proftpd.conf

# vi /home/proftpd/conf/connect.msg
------------------------------ cut here ------------------------------
This system is for authorized use only.

------------------------------ cut here ------------------------------

# vi /usr/local/etc/proftpd.conf
------------------------------ cut here ------------------------------
Port                    22
SFTPEngine              on
SFTPLog                 /home/proftpd/log/sftp.log
SFTPHostKey             /etc/ssh/ssh_host_rsa_key
SFTPHostKey             /etc/ssh/ssh_host_dsa_key
SFTPCompression         delayed
SFTPDisplayBanner       /home/proftpd/conf/connect.msg
SFTPOptions             IgnoreSFTPUploadPerms
User                    ftp
Group                   ftp
DisplayConnect          /home/proftpd/conf/connect.msg
ExtendedLog             /home/proftpd/log/extended
IdentLookups            off
MultilineRFC2228        on
RequireValidShell       off
ServerLog               /home/proftpd/log/server
SystemLog               /home/proftpd/log/system
TransferLog             /home/proftpd/log/transfer
UseReverseDNS           off

<Limit LOGIN>
    AllowGroup sftponly
    DenyAll
</Limit>

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
------------------------------ cut here ------------------------------

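Do not forget to delete the entire <Anonymous> section that follows this comment in the stock proftpd.conf; this server is meant to admit only members of the sftponly group.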

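Change the listening port of the sshd server and start proftpd

sshd has to move off port 22 because ProFTPD is configured above to listen there. Keep your current SSH session open until you have confirmed that a new login on port 222 works, since a firewall that blocks port 222 would otherwise lock you out.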

# vi /etc/ssh/sshd_config
------------------------------ cut here ------------------------------
Port 222
------------------------------ cut here ------------------------------

# service sshd restart
# service proftpd start

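Create an sftponly group and an SFTP user without a shell

Note that the passwd entry below has ten colon-separated fields, which is the BSD master.passwd layout; /etc/passwd on RHEL5 uses seven fields (name:password:UID:GID:GECOS:home:shell), so adapt the line accordingly. The `*` in the password field leaves the account without a usable password, and this post does not show the step that sets a password or installs a key for the user.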

# vipw
------------------------------ cut here ------------------------------
sftpuser:*:2001:2001::0:0:SFTP user:/home/sftpuser:/usr/sbin/nologin
------------------------------ cut here ------------------------------

# vi /etc/group
------------------------------ cut here ------------------------------
sftponly:x:52:sftpuser
sftpuser:x:2001:
------------------------------ cut here ------------------------------

# mkdir /home/sftpuser
# chown sftpuser:sftpuser /home/sftpuser
