ubtuntu Proftpd 同时支持SFTP和FTP

场景描述

简单说一下吧，有的客户习惯用FTP，但是也有一些客户考虑到安全，更倾向于SFTP，分开搭两个环境就太麻烦了，Proftpd就解决了这个问题呀，通过简单的配置就可以同时支持FTP和SFTP

注意事项

Proftpd默认配置是只支持FTP，如果我们想要启用SFTP，就需要用到 VirtualHost指令，详细解释直接看官网：

ProFTPD module mod_sftphttp://www.proftpd.org/docs/contrib/mod_sftp.html

VirtualHost directiveshttp://www.proftpd.org/docs/modules/mod_core.html#VirtualHost

<VirtualHost 172.17.37.93>...
</VirtualHost>

配置文件

配置文件（/etc/proftpd/proftpd.conf）参数就不详细介绍了，网上有很多，关键是没有对sftp的配置，下面<IfModule mod_sftp.c> ... </IfModule>就是对sftp的配置，端口可灵活设置

#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
## Includes DSO modules
Include /etc/proftpd/modules.conf# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6                         on
# If set on you can experience a longer connection delay in many cases.ServerName                      "Debian"
ServerType                      standalone
DeferWelcome                    offMultilineRFC2228                on
DefaultServer                   on
ShowSymlinks                    onTimeoutNoTransfer               600
TimeoutStalled                  600
TimeoutIdle                     1200DisplayLogin                    welcome.msg
DisplayChdir                    .message true
ListOptions                     "-l"DenyFilter                      \*.*/# Use this to jail all users in their homes
# DefaultRoot                   ~# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell             off# Port 21 is the standard FTP port.
Port                            21# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts                  49152 65534# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress             1.2.3.4# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule># To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    30# Set the user and group that the server normally runs at.
User                            proftpd
Group                           nogroup# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask                           022  022
# Normally, we want files to be overwriteable.
AllowOverwrite                  on# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd              off
# This is required to use both PAM-based authentication and local passwords
# AuthOrder                     mod_auth_pam.c* mod_auth_unix.c# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile                   offTransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime.  If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule><IfModule mod_ratio.c>
Ratios off
</IfModule># Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule><IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule><IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.conf# A basic anonymous configuration, no upload directories.# <Anonymous ~ftp>
#   User                                ftp
#   Group                               nogroup
#   # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias                   anonymous ftp
#   # Cosmetic changes, all files belongs to ftp user
#   DirFakeUser on ftp
#   DirFakeGroup on ftp
#
#   RequireValidShell           off
#
#   # Limit the maximum number of anonymous logins
#   MaxClients                  10
#
#   # We want 'welcome.msg' displayed at login, and '.message' displayed
#   # in each newly chdired directory.
#   DisplayLogin                        welcome.msg
#   DisplayChdir                .message
#
#   # Limit WRITE everywhere in the anonymous chroot
#   <Directory *>
#     <Limit WRITE>
#       DenyAll
#     </Limit>
#   </Directory>
#
#   # Uncomment this if you're brave.
#   # <Directory incoming>
#   #   # Umask 022 is a good standard umask to prevent new files and dirs
#   #   # (second parm) from being group and world writable.
#   #   Umask                           022  022
#   #            <Limit READ WRITE>
#   #            DenyAll
#   #            </Limit>
#   #            <Limit STOR>
#   #            AllowAll
#   #            </Limit>
#   # </Directory>
#
# </Anonymous># Include other custom configuration files
Include /etc/proftpd/conf.d/
DefaultRoot ~
AllowForeignAddress OFF
AuthUserFile /etc/ftpd.passwd<IfModule mod_rlimit.c>RLimitMemory session 4G
</IfModule><IfModule mod_sftp.c><VirtualHost 0.0.0.0>ServerName "SFTP Server"DefaultRoot ~SFTPEngine onPort 2223SFTPLog /var/log/proftpd/sftp.log# Configure both the RSA and DSA host keys, using the same host key# files that OpenSSH uses.SFTPHostKey /etc/ssh/ssh_host_rsa_keySFTPHostKey /etc/ssh/ssh_host_dsa_key# SFTPAuthMethods publickeySFTPAuthMethods passwordSFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%uAuthUserFile /etc/sftpd.passwd# Enable compressionSFTPCompression delayed</VirtualHost>
</IfModule><Directory "/vol/SFF"><Limit WRITE></Limit>
</Directory><Directory "/vol/SF"><Limit WRITE></Limit>
</Directory>

如果FTP跟SFTP是同一个用户，需要注意：

1. 密码文件最好分开（例如：FTP -- /etc/ftpd/passwd，SFTP -- /etc/sftpd.passwd）

2. 密码可以相同，但是需要使用ftpasswd两次，分别生成自己的密钥

echo 1 | ftpasswd --passwd --stdin --file /etc/ftpd.passwd --gid 2005 --uid 2005 --shell /bin/bash --name china --home /vol/ss3echo 1 | ftpasswd --passwd --stdin --file /etc/sftpd.passwd --gid 2005 --uid 2005 --shell /bin/bash --name china --home /vol/ss3

可以看到密钥是不一样的

比较奇怪的现象：

如果我们SFTP和FTP的用户使用的校验文件是同一个（例如都是/etc/ftpd.passwd），那么如果启用了SFTP，通过设定的账号密码是可以正常访问的，但是访问FTP时就会提示密码错误，个人猜想，这里可能是SFTP校验时会通过ssh将密钥编码，那FTP再次使用这个账号密码登录时自然就是不对的（只是个人看法~）

日志报错如下：