ProFTPD is a highly configurable, GPL-licensed FTP server.
This post describes one way of installing ProFTPD as an sftp-only server on RHEL5: ProFTPD's mod_sftp takes over port 22, the system sshd is moved to port 222, and proftpd is configured so that only members of the sftponly group can log in.
Install the software
The packaged proftpd is installed for its init script; the SFTP-capable binary is then built from source with mod_sftp (which needs OpenSSL, hence openssl-devel and --enable-openssl), and the init script is pointed at the new binary and pid file with rpl, a small search-and-replace tool.

# yum install proftpd
# chkconfig proftpd on
# yum install openssl-devel
# wget ftp://ftp35.us.proftpd.org/distrib/source/proftpd-1.3.4b.tar.gz
# tar zxf proftpd-1.3.4b.tar.gz
# cd proftpd-1.3.4b
# ./configure --enable-openssl --with-modules=mod_ratio:mod_readme:mod_rewrite:mod_wrap2:mod_ifsession:mod_sftp
# make clean all install
# wget http://downloads.laffeycomputer.com/current_builds/rpl-1.4.1.tar.gz
# tar zxf rpl-1.4.1.tar.gz
# cd rpl-1.4.1
# ./configure
# make
# make install
# rpl /usr/sbin /usr/local/sbin /etc/init.d/proftpd
# rpl /var/run/proftpd/proftpd.pid /usr/local/var/proftpd.pid /etc/init.d/proftpd
# vi /etc/rc.d/init.d/proftpd
------------------------------ cut here ------------------------------
export PATH=/usr/local/sbin:/sbin:/bin:/usr/bin:/usr/sbin
------------------------------ cut here ------------------------------

The PATH line goes near the top of the init script, so that the proftpd it starts is the one installed in /usr/local/sbin rather than the packaged one. Keep in mind that a later update of the proftpd package may overwrite these init script edits.
Prepare the ProFTPD environment
# mkdir /home/proftpd
# mkdir /home/proftpd/conf
# mkdir /home/proftpd/log
# mkdir /home/proftpd/root
# cp /usr/local/etc/proftpd.conf /usr/local/etc/proftpd.conf.orig
# rpl '#DefaultRoot ~' 'DefaultRoot ~' /usr/local/etc/proftpd.conf
# vi /home/proftpd/conf/connect.msg
------------------------------ cut here ------------------------------
This system is for authorized use only.
------------------------------ cut here ------------------------------

Enabling DefaultRoot ~ chroots every user into their own home directory, so an sftp user cannot browse the rest of the filesystem. Now add the following directives to the top of proftpd.conf, keeping the rest of the default configuration; the two comment lines at the end are the start of the default <Anonymous> section.

# vi /usr/local/etc/proftpd.conf
------------------------------ cut here ------------------------------
Port 22
SFTPEngine on
SFTPLog /home/proftpd/log/sftp.log
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPCompression delayed
SFTPDisplayBanner /home/proftpd/conf/connect.msg
SFTPOptions IgnoreSFTPUploadPerms
User ftp
Group ftp
DisplayConnect /home/proftpd/conf/connect.msg
ExtendedLog /home/proftpd/log/extended
IdentLookups off
MultilineRFC2228 on
RequireValidShell off
ServerLog /home/proftpd/log/server
SystemLog /home/proftpd/log/system
TransferLog /home/proftpd/log/transfer
UseReverseDNS off
<Limit LOGIN>
  AllowGroup sftponly
  DenyAll
</Limit>
# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
------------------------------ cut here ------------------------------

A few notes on these directives. SFTPHostKey reuses sshd's host keys, so clients see the same host identity on port 22 as they did before; mod_sftp reads the key files at startup, before dropping privileges to the ftp user, and refuses keys that are group- or world-readable (sshd installs them mode 0600, which is what you want). RequireValidShell off is needed because the sftp user created below has a nologin shell that is not listed in /etc/shells. The <Limit LOGIN> block is what makes this server sftponly-only: members of that group are allowed in, everyone else is denied.
Do not forget to delete the Anonymous section.
Change the listening port of the sshd server and start proftpd
# vi /etc/ssh/sshd_config
------------------------------ cut here ------------------------------
Port 222
------------------------------ cut here ------------------------------

Before restarting sshd, make sure port 222 is allowed through iptables (and, if SELinux is enforcing, that sshd is permitted to bind it), and keep your current session open until a fresh login on port 222 succeeds; otherwise you lock yourself out of the host. sshd has to be restarted first, because proftpd can only bind port 22 once sshd has released it.

# service sshd restart
# service proftpd start
Create an sftponly group and an sftp user without a login shell
The passwd entry uses the seven fields of a Linux /etc/passwd (name, password, UID, GID, GECOS, home, shell), and RHEL's nologin shell lives in /sbin. The password field is x so that the password is kept in /etc/shadow; pwconv creates the missing shadow entry and passwd sets the password (a * in the password field would leave the account with no usable password). Pick a GID for sftponly that is not already used in /etc/group.

# vipw
------------------------------ cut here ------------------------------
sftpuser:x:2001:2001:SFTP user:/home/sftpuser:/sbin/nologin
------------------------------ cut here ------------------------------
# vi /etc/group
------------------------------ cut here ------------------------------
sftponly:x:52:sftpuser
sftpuser:x:2001:
------------------------------ cut here ------------------------------
# pwconv
# passwd sftpuser
# mkdir /home/sftpuser
# chown sftpuser:sftpuser /home/sftpuser
# chmod 750 /home/sftpuser

The nologin shell does not block sftp logins, because proftpd.conf has RequireValidShell off, but it does stop the same account from getting a shell from sshd on port 222.
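The proftpd <Limit LOGIN> block controls who may use the sftp server, but sshd on port 222 still accepts any account that has a login shell, so a member of sftponly with a real shell would get an ordinary shell outside proftpd's DefaultRoot chroot. The following audit is an added example, not part of the original post: a POSIX sh script that reads a passwd file and a group file given as arguments (use /etc/passwd and /etc/group on the live host), collects every member of sftponly, including users whose primary GID is the group's, and reports any member that is missing from passwd, has a malformed entry, has no usable password, or has a login shell. The list of accepted non-login shells is an assumption of the example.

```shell
#!/bin/sh
# Audit the sftponly group: every member must have a well-formed 7-field
# passwd entry, a usable password and a non-login shell. Added example,
# not from the original post. The passwd and group files are passed as
# arguments so the check can run on copies or on constructed input.
# Exit status 0 means clean, 1 means at least one problem was printed.

# All members of a group: the explicit member list in the group file plus
# every user whose primary GID is that group's GID.
sftponly_members() {
    passwd_file=$1; group_file=$2; grp=${3:-sftponly}
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3 }' "$group_file")
    {
        awk -F: -v g="$grp" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$group_file"
        if [ -n "$gid" ]; then
            awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
        fi
    } | sort -u
}

# Print one line per problem found; return 1 if any, 0 if the group is clean.
audit_sftponly() {
    passwd_file=$1; group_file=$2; grp=${3:-sftponly}
    rc=0
    if ! awk -F: -v g="$grp" '$1 == g { found = 1 } END { exit !found }' "$group_file"; then
        echo "group $grp does not exist in $group_file"
        return 1
    fi
    for u in $(sftponly_members "$passwd_file" "$group_file" "$grp"); do
        entry=$(awk -F: -v u="$u" '$1 == u' "$passwd_file")
        if [ -z "$entry" ]; then
            echo "$u: listed in $grp but has no passwd entry"; rc=1; continue
        fi
        # Linux passwd entries have exactly 7 colon-separated fields.
        nf=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
        if [ "$nf" -ne 7 ]; then
            echo "$u: passwd entry has $nf fields, expected 7"; rc=1
        fi
        # '*' or a leading '!' means no password can ever match.
        pw=$(printf '%s\n' "$entry" | awk -F: '{ print $2 }')
        case $pw in
            '*'|'!'*) echo "$u: password field is '$pw', password login is not possible"; rc=1 ;;
        esac
        # The shell is always the last field; accept only non-login shells
        # (the accepted set is an assumption of this example).
        shell=$(printf '%s\n' "$entry" | awk -F: '{ print $NF }')
        case $shell in
            /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;
            *) echo "$u: shell is '$shell'; a member of $grp must not have a login shell"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone use: sh audit-sftponly.sh /etc/passwd /etc/group [group]
if [ "$#" -ge 2 ]; then
    audit_sftponly "$1" "$2" "${3:-sftponly}"
fi
```

Run it after every change to the group; a non-zero exit status with no output means the group itself is missing.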