<h2>SFTP server - shared folder access with restricted users</h2>
<p>If you have followed <a href="http://www.primoitsolutions.uk/proftpd-sftp-server-part1/">part 1 of this
article</a>, you will have seen a mention of a virtual client named RMP. We are going to discuss that requirement here and look at how to set it up.</p>
<h2>Our Requirements:</h2>
<ul>
<li>4 folders [ Data, Documents, Test, Logs ] exist in the top folder /sftp/home/rmp_inbound</li>
<li>4 internal users grouped as rmp_intgrp; they have full access to all of the above folders</li>
<li>3 external users grouped as rmp_extgrp; they have read-only access to the Data and Documents folders, and the Test and Logs folders must be invisible to them</li>
<li>xferlog log format for file transactions, with a daily log kept under the Logs folder for the internal users to access</li>
<li>Key based authentication</li>
</ul>
<h2>Setup</h2>
<h4>Create the folders</h4>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nb">mkdir</span> <span class="nt">-pv</span> /sftp/home/rmp_inbound/<span class="o">{</span>Data,Documents,Test,Logs<span class="o">}</span>
<span class="nb">chown </span>proftpd.ftpgroup <span class="nt">-R</span> /sftp/home/rmp_inbound
<span class="nb">chmod </span>770 <span class="nt">-R</span> /sftp/home/rmp_inbound
<span class="o">[</span>root@server02 rmp_inbound]# <span class="nb">pwd</span>
/sftp/home/rmp_inbound
<span class="o">[</span>root@server02 rmp_inbound]# <span class="nb">ls</span> <span class="nt">-1</span>
Data
Documents
Logs
Test</code></pre></figure>
<h4>Create Groups/Users:</h4>
<p>We are going to create 2 groups and add the 7 users to their respective groups as listed in our requirements.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="c">#Add Virtual Group rmp_intgrp for internal users</span>
sftpasswd <span class="nt">--group</span> <span class="nt">--gid</span><span class="o">=</span>2002 <span class="nt">--name</span><span class="o">=</span>rmp_intgrp
<span class="c">#Add Virtual Group rmp_extgrp for external users</span>
sftpasswd <span class="nt">--group</span> <span class="nt">--gid</span><span class="o">=</span>2003 <span class="nt">--name</span><span class="o">=</span>rmp_extgrp
<span class="c">#Add Internal users and add them to Internal group - will prompt for password.</span>
sftpasswd <span class="nt">--passwd</span> <span class="nt">--name</span><span class="o">=</span>rmp_intuser1 <span class="nt">--home</span><span class="o">=</span>/sftp/home/rmp_inbound <span class="nt">--shell</span><span class="o">=</span>/bin/false <span class="nt">--uid</span><span class="o">=</span>2001 <span class="nt">--gid</span><span class="o">=</span>2002 <span class="nt">--gecos</span> <span class="s2">"RMP Internal - User1"</span>
sftpasswd <span class="nt">--passwd</span> <span class="nt">--name</span><span class="o">=</span>rmp_intuser2 <span class="nt">--home</span><span class="o">=</span>/sftp/home/rmp_inbound <span class="nt">--shell</span><span class="o">=</span>/bin/false <span class="nt">--uid</span><span class="o">=</span>2001 <span class="nt">--gid</span><span class="o">=</span>2002 <span class="nt">--gecos</span> <span class="s2">"RMP Internal - User2"</span>
sftpasswd <span class="nt">--passwd</span> <span class="nt">--name</span><span class="o">=</span>rmp_intuser3 <span class="nt">--home</span><span class="o">=</span>/sftp/home/rmp_inbound <span class="nt">--shell</span><span class="o">=</span>/bin/false <span class="nt">--uid</span><span class="o">=</span>2001 <span class="nt">--gid</span><span class="o">=</span>2002 <span class="nt">--gecos</span> <span class="s2">"RMP Internal - User3"</span>
sftpasswd <span class="nt">--passwd</span> <span class="nt">--name</span><span class="o">=</span>rmp_intuser4 <span class="nt">--home</span><span class="o">=</span>/sftp/home/rmp_inbound <span class="nt">--shell</span><span class="o">=</span>/bin/false <span class="nt">--uid</span><span class="o">=</span>2001 <span class="nt">--gid</span><span class="o">=</span>2002 <span class="nt">--gecos</span> <span class="s2">"RMP Internal - User4"</span>
<span class="c">#NOTE: we have reused the uid of the proftpd daemon from part1, as these are virtual users and proftpd then has full access to their files at the unix permission level</span>
<span class="c">#Add External users and add them to External group - will prompt for password.</span>
sftpasswd <span class="nt">--passwd</span> <span class="nt">--name</span><span class="o">=</span>rmp_extuser1 <span class="nt">--home</span><span class="o">=</span>/sftp/home/rmp_inbound <span class="nt">--shell</span><span class="o">=</span>/bin/false <span class="nt">--uid</span><span class="o">=</span>2001 <span class="nt">--gid</span><span class="o">=</span>2003 <span class="nt">--gecos</span> <span class="s2">"RMP External - User1"</span>
sftpasswd <span class="nt">--passwd</span> <span class="nt">--name</span><span class="o">=</span>rmp_extuser2 <span class="nt">--home</span><span class="o">=</span>/sftp/home/rmp_inbound <span class="nt">--shell</span><span class="o">=</span>/bin/false <span class="nt">--uid</span><span class="o">=</span>2001 <span class="nt">--gid</span><span class="o">=</span>2003 <span class="nt">--gecos</span> <span class="s2">"RMP External - User2"</span>
sftpasswd <span class="nt">--passwd</span> <span class="nt">--name</span><span class="o">=</span>rmp_extuser3 <span class="nt">--home</span><span class="o">=</span>/sftp/home/rmp_inbound <span class="nt">--shell</span><span class="o">=</span>/bin/false <span class="nt">--uid</span><span class="o">=</span>2001 <span class="nt">--gid</span><span class="o">=</span>2003 <span class="nt">--gecos</span> <span class="s2">"RMP External - User3"</span>
<span class="c">#NOTE: All the above 7 users share the same home folder.</span>
<span class="c">#we should see something similar in /etc/proftpd/sftpd.group</span>
<span class="o">[</span>root@server02 proftpd]# <span class="nb">cat</span> /etc/proftpd/sftpd.group
ftpgroup:x:2001:user1,user2,user3
rmp_intgrp:x:2002:rmp_intuser1,rmp_intuser2,rmp_intuser3,rmp_intuser4
rmp_extgrp:x:2003:rmp_extuser1,rmp_extuser2,rmp_extuser3
<span class="c">#we should see something similar in /etc/proftpd/sftpd.passwd</span>
<span class="o">[</span>root@server02 proftpd]# <span class="nb">cat</span> /etc/proftpd/sftpd.passwd
user1:<span class="nv">$1$sFbAFURA$W6ySumztKRZXQ1Cn7Xg5y</span>.:2001:2001::/sftp/home/user1:/bin/bash
user2:<span class="nv">$1$Vhafg9lR$EHP</span>.S79aeXRRlvwMb5MVM1:2001:2001::/sftp/home/user2:/bin/false
user3:<span class="nv">$1$oNjFuN8M$TOgga</span>.Gl.2o2tqrxMNr2g1:2001:2001::/sftp/home/user3:/bin/false
rmp_intuser1:<span class="nv">$1$oNjFuN8M$TOgga</span>.Gl.2o2tqrxMNr2g1:2001:2002:RMP Internal - User1:/sftp/home/rmp_inbound:/bin/false
rmp_intuser2:<span class="nv">$1$oNjFuN8M$TOgga</span>.Gl.3o2tqrxMNr2g2:2001:2002:RMP Internal - User2:/sftp/home/rmp_inbound:/bin/false
rmp_intuser3:<span class="nv">$1$oNjFuN8M$TOgga</span>.Gl.4o2tqrxMNr2g3:2001:2002:RMP Internal - User3:/sftp/home/rmp_inbound:/bin/false
rmp_intuser4:<span class="nv">$1$oNjFuN8M$TOgga</span>.Gl.2o5tqrxMNr2g4:2001:2002:RMP Internal - User4:/sftp/home/rmp_inbound:/bin/false
rmp_extuser1:<span class="nv">$1$oNjFuN8M$TOgga</span>.Gl.2o2tqrxMNr4g1:2001:2003:RMP External - User1:/sftp/home/rmp_inbound:/bin/false
rmp_extuser2:<span class="nv">$1$oNjFuN8M$TOgga</span>.Gl.2o2tqrxMNr6g2:2001:2003:RMP External - User2:/sftp/home/rmp_inbound:/bin/false
rmp_extuser3:<span class="nv">$1$oNjFuN8M$TOgga</span>.Gl.2o2tqrxMNr8g3:2001:2003:RMP External - User3:/sftp/home/rmp_inbound:/bin/false</code></pre></figure>
<h2>Configuration:</h2>
<p>If you are following the <a href="https://gist.githubusercontent.com/tuxfight3r/b62dc3351732615f9e86/raw/proftpd.conf">proftpd.conf</a> from part 1, you will see a home folder configuration that jails the users to their home folder.</p>
<h4>Jailed Home Folders</h4>
<p>See the link above for the full config file; the lines below are the ones that matter for this shared folder setup.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="c">#Main config file:</span>
<span class="o">[</span>root@server02 ~]# <span class="nb">ls</span> <span class="nt">-lh</span> /etc/proftpd.conf
<span class="nt">-rw-r-----</span><span class="nb">.</span> 1 root root 11K Jan 8 15:41 /etc/proftpd.conf
<span class="c">#NOTE: The below config should be placed above the default configuration as shown below</span>
<span class="c">#Jailed users/Chroot home is achieved by the below line in proftpd.conf</span>
<span class="c">#RMP HOME folder configuration</span>
DefaultRoot /sftp/home/rmp_inbound rmp_intgrp,rmp_extgrp
<span class="c">#Everyone Else mapped to their home directory</span>
DefaultRoot ~ <span class="o">!</span>adm
<span class="c">#LOAD CLIENT FOLDER PERMISSION FROM EXTERNAL CONF FILES</span>
Include /etc/proftpd/clients/<span class="k">*</span>.conf</code></pre></figure>
<h4>Shared Folders Special ACL Enforcement</h4>
<p>If this little snippet is not included, both the internal and external users will have admin access to the whole shared folder.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="o">[</span>root@server02 clients]# <span class="nb">pwd</span>
/etc/proftpd/clients
<span class="o">[</span>root@server02 clients]# <span class="nb">ls</span>
rmp.conf
<span class="o">[</span>root@server02 clients]# <span class="nb">cat </span>rmp.conf</code></pre></figure>
<script src="https://gist.github.com/tuxfight3r/f4945395605b25177789.js"> </script>
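<p>The gist above is not reproduced on this page, so the following is an added example, written for this page and not the rmp.conf from the gist, of how the requirements listed earlier can be expressed with ProFTPD's Directory, Limit and HideFiles directives. It assumes the groups, paths and the Include line shown above; confirm the directive semantics against the ProFTPD documentation for your version.</p>

```apacheconf
# /etc/proftpd/clients/rmp.conf (added example; the real file is in the gist embedded above)
# Loaded by "Include /etc/proftpd/clients/*.conf" from proftpd.conf.
# <Directory> paths are real filesystem paths, not paths inside the DefaultRoot jail.

<Directory /sftp/home/rmp_inbound>
  # Top level: both RMP groups may list and read, only internal users may write.
  <Limit READ DIRS>
    AllowGroup rmp_intgrp
    AllowGroup rmp_extgrp
    DenyAll
    # Hidden entries (see HideFiles below) are treated as non-existent, not just unlisted.
    IgnoreHidden on
  </Limit>
  <Limit WRITE>
    AllowGroup rmp_intgrp
    DenyAll
  </Limit>
  # Requirement: Test and Logs must be invisible to the external group.
  HideFiles ^(Test|Logs)$ group rmp_extgrp
</Directory>

# Data and Documents: read-only for external users, full access for internal users.
<Directory /sftp/home/rmp_inbound/Data>
  <Limit READ DIRS>
    AllowGroup rmp_intgrp
    AllowGroup rmp_extgrp
    DenyAll
  </Limit>
  <Limit WRITE>
    AllowGroup rmp_intgrp
    DenyAll
  </Limit>
</Directory>

<Directory /sftp/home/rmp_inbound/Documents>
  <Limit READ DIRS>
    AllowGroup rmp_intgrp
    AllowGroup rmp_extgrp
    DenyAll
  </Limit>
  <Limit WRITE>
    AllowGroup rmp_intgrp
    DenyAll
  </Limit>
</Directory>

# Test and Logs: internal users only. Hiding alone is not access control; this explicit
# deny is what actually keeps the external group out of these two folders.
<Directory /sftp/home/rmp_inbound/Test>
  <Limit ALL>
    AllowGroup rmp_intgrp
    DenyAll
  </Limit>
</Directory>

<Directory /sftp/home/rmp_inbound/Logs>
  <Limit ALL>
    AllowGroup rmp_intgrp
    DenyAll
  </Limit>
</Directory>
```

<p>After the syntax check in the next section, verify with an external user that a directory listing shows only Data and Documents and that uploads into Data are refused, and with an internal user that uploads into all four folders succeed.</p>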
<h4>Verify Configs and restart Service</h4>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="c">#Check Syntax</span>
<span class="o">[</span>root@server02 bin]# proftpd <span class="nt">-t</span>
Checking syntax of configuration file
2015-01-12 23:39:14,269 server02.test.local proftpd[9182]: processing configuration directory <span class="s1">'/etc/proftpd/clients'</span>
Syntax check complete.
<span class="c">#Reload the sftp server</span>
<span class="o">[</span>root@server02 bin]# service proftpd restart
Shutting down proftpd: <span class="o">[</span> OK <span class="o">]</span>
Starting proftpd: <span class="o">[</span> OK <span class="o">]</span></code></pre></figure>
<p>The above setup will provide you with an sftp server running on port 2022 with password based authentication. For whichever client you prefer to enable key based authentication, drop the user's public key in the /etc/proftpd/authorized_keys/ folder, using <code>&lt;client_username&gt;</code> as the file name.</p>
<h4>Key Based Authentication:</h4>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="c">#Generate ssh keys </span>
<span class="o">[</span>root@server02 .ssh]# ssh-keygen <span class="nt">-b</span> 2048
<span class="c"># it should create a file under .ssh as id_rsa.pub</span>
<span class="c">#convert the key from openssh format to SSH2 format.</span>
<span class="o">[</span>root@server02 .ssh]# ssh-keygen <span class="nt">-e</span> <span class="nt">-f</span> id_rsa.pub <span class="o">></span> rmp_intuser1
<span class="c">#make sure the comment is not too long (longer than the key), as that can sometimes cause issues</span>
<span class="o">[</span>root@server02 .ssh]# <span class="nb">cat </span>rmp_intuser1
<span class="nt">----</span> BEGIN SSH2 PUBLIC KEY <span class="nt">----</span>
Comment: <span class="s2">"2048-bit RSA, root@server02.test.local"</span>
AAAAB3NzaC1yc2EAAAABIwAAAQEAqgt6I0nsIqEEXQ9GKRvUp9AuNHuWXjCWM7pUeXfq0+
axidUqkSjiKKjJ1zh5i0oIo208AYcbLieWzRsSL4hOB8a1kYCq2foTokTuAVbowP3r9FVh
WZnQGvsu16DztuWP9CAF04DxCNp2Tzko6PVx8f6qt4HNS6lKRAn31oakROiBKM0807mGIj
rB/25LHikYHr7ifSazd0zEc+t7Tx1k1G3+7v1Stwch8W3oOsTzc6u1IfWo1zML2q3LUxIm
odGrwsjEMV5jS5Aq8ouwqKLbflwwpk2aliXj3SrG3LH4yyaRvogGGjIjWKsR/qOKcOqNPy
4exQ8iDos2/3zIX35xoQ<span class="o">==</span>
<span class="nt">----</span> END SSH2 PUBLIC KEY <span class="nt">----</span></code></pre></figure>
<p>Drop the above key in the <code class="language-plaintext highlighter-rouge">/etc/proftpd/authorized_keys/</code> folder as the file rmp_intuser1, and rmp_intuser1 should now be able to log in using key based authentication. Drop the keys for the other users to enable key based login for them as well.</p>
<p>NOTE: The above key generation is shown as an example only; the clients should provide their own public key.</p>
<h2>Logging</h2>
<h4>xferlog daily log requirement</h4>
<p>Since logrotate rotates the whole sftp server log weekly, we are going to use a script to produce daily logs just for the RMP client. The script can be placed under /opt/scripts and run daily at 01:00 hours.</p>
<script src="https://gist.github.com/tuxfight3r/0f11e936b4cfe1e7e45b.js"> </script>
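<p>The gist above is not reproduced on this page, so the following is an added example (not the script from the post) of a daily extractor for the RMP client's xferlog records, written into the shared Logs folder where the internal users can read it. It assumes xferlog is written in the standard xferlog format to /var/log/xferlog, that the RMP virtual users are named as created above, and a cron entry at 01:00 that invokes the script with the argument run.</p>

```shell
#!/bin/bash
# Added example (not the script from the post's gist): copy one day's xferlog records for
# the RMP client into the shared Logs folder, where the internal users can read them.
# Assumptions not taken from the post: the xferlog path, the rmp_ username pattern and the
# file mode/ownership of the daily log.
set -u

XFERLOG="${XFERLOG:-/var/log/xferlog}"
RMP_LOGDIR="${RMP_LOGDIR:-/sftp/home/rmp_inbound/Logs}"
RMP_USER_RE='^rmp_(int|ext)user[0-9]+$'

# xferlog records have 18 whitespace-separated fields. Fields 1-5 are the timestamp
# ("Mon Jan 12 23:39:14 2015"), field 14 is the (virtual) username and field 18 is the
# completion status. xferlog writes spaces in filenames as "_", so positions are stable.
# Usage: rmp_daily_log <xferlog-file> <YYYY-MM-DD> [username-regex]
rmp_daily_log() {
    local src="$1" day="$2" pat="${3:-$RMP_USER_RE}"
    awk -v day="$day" -v pat="$pat" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = sprintf("%02d", i)
        }
        NF >= 18 && $14 ~ pat {
            # single-digit days are written "Jan  6"; sprintf pads them to "06"
            rec_day = $5 "-" mon[$2] "-" sprintf("%02d", $3)
            if (rec_day == day) print
        }
    ' "$src"
}

# Write the day's records to Logs/xferlog-<day>.log. The file is created even when there
# were no transfers, so a missing file tells the internal users the job did not run.
# Prints the path of the file written.
rmp_write_daily_log() {
    local day="$1" out
    out="$RMP_LOGDIR/xferlog-$day.log"
    mkdir -p "$RMP_LOGDIR"
    rmp_daily_log "$XFERLOG" "$day" > "$out"
    chmod 640 "$out"
    # Ownership must match the share so the proftpd virtual users (uid 2001) can read it;
    # ignored when the script is exercised without root.
    chown proftpd:ftpgroup "$out" 2>/dev/null || true
    printf '%s\n' "$out"
}

# Assumed cron entry for the 01:00 daily run: 0 1 * * * /opt/scripts/rmp_daily_xferlog.sh run
if [ "${1:-}" = "run" ]; then
    rmp_write_daily_log "$(date -d yesterday +%F)"
fi
```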
<p><a href="http://www.primoitsolutions.uk/proftpd-sftp-server-part2/">SFTP Server - Proftpd Setup Part2</a> was originally published by Mohan Balasundaram at <a href="http://www.primoitsolutions.uk">PRIMO IT Solutions</a> on January 30, 2015.</p>
<h2>SFTP server setup using Proftpd server with xferlog</h2>
<p>Lately I have been tasked with setting up a new sftp server, due to openssh’s inability to log all file transactions properly. So we explored all the options available and settled on proftpd, as that seems the most popular one and has a widely accepted sftp user base. Proftpd has a learning curve, like every other piece of software, so please bear with me through this long article.</p>
<p>NOTE: The special requirement setup for an example client named RMP will be discussed in part 2 of this article, so anything referring to rmp in the config is there to address that requirement.</p>
<h2>Our Requirements:</h2>
<ul>
<li>Multiple nested folder access control for specific users (jailed home folders, shared folder access, read-only access, hiding folders that users don’t have permission for, etc.)</li>
<li>Key / Password based authentication</li>
<li>xferlog log format for file transactions</li>
<li>Simple to setup and Maintain</li>
<li>Use only virtual users and not system accounts</li>
</ul>
<h2>Installation:</h2>
<p>We are going to use a CentOS 6.6 server patched to the latest update and Proftpd (version 1.3.5-4.0), the latest available at the time of writing this article. To keep the installation simple and consistent we are going to grab the rpms from the <a href="http://www.city-fan.org/ftp/contrib/yum-repo/rhel6/x86_64/">city-fan repository</a> (proftpd-1.3.5-4.0.cf.rhel6.x86_64.rpm, proftpd-utils-1.3.5-4.0.cf.rhel6.x86_64.rpm), as the rpms are not available in the EPEL repos.</p>
<h4>Install the packages:</h4>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash">yum <span class="nt">-y</span> localinstall proftpd-1.3.5-4.0.cf.rhel6.x86_64.rpm <span class="se">\</span>
proftpd-utils-1.3.5-4.0.cf.rhel6.x86_64.rpm</code></pre></figure>
<h2>Configuration:</h2>
<p>We are going to run the proftpd server as user ‘proftpd’ and group ‘ftpgroup’, so add the relevant user and group.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="c">#add group - choose a high number for groupid/userid</span>
groupadd <span class="nt">-g</span> 2001 ftpgroup
<span class="c">#add user</span>
useradd <span class="nt">-g</span> ftpgroup <span class="nt">-u</span> 2001 <span class="nt">-C</span> <span class="s2">"Proftpd System Account"</span> <span class="nt">-r</span> proftpd</code></pre></figure>
<h4>Config Files/Directory Structure:</h4>
<p>(Note: We have a special requirement of a shared folder setup for the example client RMP, which is discussed in part 2 of this article.)</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="c">#Main config file:</span>
<span class="o">[</span>root@server02 ~]# <span class="nb">ls</span> <span class="nt">-lh</span> /etc/proftpd.conf
<span class="nt">-rw-r-----</span><span class="nb">.</span> 1 root root 11K Jan 8 15:41 /etc/proftpd.conf
<span class="c">#Backup original config file before editing for reference</span>
<span class="o">[</span>root@server02 ~]# <span class="nb">cp</span> <span class="nt">-v</span> /etc/proftpd.conf<span class="o">{</span>,.original<span class="o">}</span>
<span class="c">#Folder Layout and corresponding permissions</span>
<span class="c">#please create the folders/files with the corresponding permissions.</span>
<span class="o">[</span>root@server02 ~]# <span class="nb">ls</span> <span class="nt">-lh</span> /etc/proftpd
total 16K
drwx------. 2 proftpd ftpgroup 4.0K Dec 18 16:31 authorized_keys
drwxr-x---. 2 proftpd ftpgroup 4.0K Jan 8 11:50 clients
<span class="nt">-r--------</span><span class="nb">.</span> 1 proftpd ftpgroup 151 Dec 22 16:26 sftpd.group
<span class="nt">-r--------</span><span class="nb">.</span> 1 proftpd ftpgroup 1.1K Dec 24 12:33 sftpd.passwd
<span class="c">#Note: sftpd.passwd, sftpd.group will be created when virtual users/groups are added below.</span>
<span class="c">#Key Based Authentication keys folder</span>
<span class="o">[</span>root@server02 ~]# <span class="nb">ls</span> <span class="nt">-lh</span> /etc/proftpd/authorized_keys/
total 8.0K
<span class="nt">-rw-r--r--</span><span class="nb">.</span> 1 root root 468 Dec 18 15:31 user2
<span class="nt">-rw-r--r--</span><span class="nb">.</span> 1 root root 468 Dec 18 16:31 user3
<span class="c">#Modular clients ACL Requirements config folder</span>
<span class="o">[</span>root@server02 ~]# <span class="nb">ls</span> <span class="nt">-lh</span> /etc/proftpd/clients/
total 4.0K
<span class="nt">-rwxr-x---</span><span class="nb">.</span> 1 proftpd ftpgroup 993 Jan 8 11:50 rmp.conf</code></pre></figure>
<p>Update the config file as per the following link: <a href="https://gist.githubusercontent.com/tuxfight3r/b62dc3351732615f9e86/raw/proftpd.conf">proftpd.conf</a>. Please go through the config file, as most of it is self-explanatory.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="c">#Jailed users/Chroot home is achieved by the below line in proftpd.conf</span>
<span class="c">#Everyone Else mapped to their home directory</span>
DefaultRoot ~ <span class="o">!</span>adm
</code></pre></figure>
<h4>Enable mod_ban to block repeated failed logins</h4>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="c">#NOTE: To optimize mod_ban check the mod_ban section in proftpd.conf</span>
<span class="o">[</span>root@server02 ~]# <span class="nb">cat</span> /etc/sysconfig/proftpd
<span class="c"># Set PROFTPD_OPTIONS to add command-line options for proftpd.</span>
<span class="c"># See proftpd(8) for a comprehensive list of what can be used.</span>
<span class="c">#</span>
<span class="c"># The following "Defines" can be used with the default configuration file:</span>
<span class="c"># -DANONYMOUS_FTP : Enable anonymous FTP</span>
<span class="c"># -DDYNAMIC_BAN_LISTS : Enable dynamic ban lists (mod_ban)</span>
<span class="c"># -DQOS : Enable QoS bits on server traffic (mod_qos)</span>
<span class="c"># -DTLS : Enable TLS (mod_tls)</span>
<span class="c">#</span>
<span class="c"># For example, for anonymous FTP and dynamic ban list support:</span>
<span class="c"># PROFTPD_OPTIONS="-DANONYMOUS_FTP -DDYNAMIC_BAN_LISTS"</span>
<span class="nv">PROFTPD_OPTIONS</span><span class="o">=</span><span class="s2">"-DDYNAMIC_BAN_LISTS"</span></code></pre></figure>
<h4>Update the sftpasswd script to reflect your setup and manage the sftp virtual users</h4>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="c">#copy the existing ftpasswd script as sftpasswd</span>
<span class="nb">cp</span> /usr/bin/ftpasswd /usr/bin/sftpasswd
<span class="c">#Edit the file and update the code as below.</span>
vi /usr/bin/sftpasswd
<span class="c">#replace from line 37 from the below:</span>
my <span class="nv">$default_passwd_file</span> <span class="o">=</span> <span class="s2">"./ftpd.passwd"</span><span class="p">;</span>
my <span class="nv">$default_group_file</span> <span class="o">=</span> <span class="s2">"./ftpd.group"</span><span class="p">;</span>
<span class="c">#replace to</span>
my <span class="nv">$base_folder</span> <span class="o">=</span> <span class="s2">"/etc/proftpd"</span><span class="p">;</span>
my <span class="nv">$default_passwd_file</span> <span class="o">=</span> <span class="nv">$base_folder</span>.<span class="s2">"/sftpd.passwd"</span><span class="p">;</span>
my <span class="nv">$default_group_file</span> <span class="o">=</span> <span class="nv">$base_folder</span>.<span class="s2">"/sftpd.group"</span><span class="p">;</span>
<span class="c">#Verify Syntax of that script</span>
<span class="o">[</span>root@server02 bin]# perl <span class="nt">-c</span> /usr/bin/sftpasswd
/usr/bin/sftpasswd syntax OK</code></pre></figure>
<h4>Verify Configs and start Service</h4>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="c">#Check Syntax</span>
<span class="o">[</span>root@server02 bin]# proftpd <span class="nt">-t</span>
Checking syntax of configuration file
2015-01-12 23:39:14,269 server02.test.local proftpd[9182]: processing configuration directory <span class="s1">'/etc/proftpd/clients'</span>
Syntax check complete.
<span class="c">#start the service</span>
<span class="o">[</span>root@server02 bin]# service proftpd start
Starting proftpd: <span class="o">[</span> OK <span class="o">]</span>
<span class="c">#Enable auto start</span>
<span class="o">[</span>root@server02 bin]# chkconfig proftpd on</code></pre></figure>
<h4>Create Virtual SFTP Users/Group</h4>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="c">#Add Virtual Group - will create the sftpd.group file if it didn't exist</span>
sftpasswd <span class="nt">--group</span> <span class="nt">--gid</span><span class="o">=</span>2001 <span class="nt">--name</span><span class="o">=</span>sftpgroup
<span class="c">#Add Virtual Users - will prompt for the password of each user separately - will create the sftpd.passwd file if it didn't exist</span>
sftpasswd <span class="nt">--passwd</span> <span class="nt">--name</span><span class="o">=</span>user1 <span class="nt">--home</span><span class="o">=</span>/sftp/home/user1 <span class="nt">--shell</span><span class="o">=</span>/bin/false <span class="nt">--uid</span><span class="o">=</span>2001 <span class="nt">--gid</span><span class="o">=</span>2001
sftpasswd <span class="nt">--passwd</span> <span class="nt">--name</span><span class="o">=</span>user2 <span class="nt">--home</span><span class="o">=</span>/sftp/home/user2 <span class="nt">--shell</span><span class="o">=</span>/bin/false <span class="nt">--uid</span><span class="o">=</span>2001 <span class="nt">--gid</span><span class="o">=</span>2001
sftpasswd <span class="nt">--passwd</span> <span class="nt">--name</span><span class="o">=</span>user3 <span class="nt">--home</span><span class="o">=</span>/sftp/home/user3 <span class="nt">--shell</span><span class="o">=</span>/bin/false <span class="nt">--uid</span><span class="o">=</span>2001 <span class="nt">--gid</span><span class="o">=</span>2001
<span class="c">#check that /etc/proftpd/sftpd.{group,passwd} are updated properly. Note: the system user/group id doesn't have to match the virtual user/group id.</span>
<span class="o">[</span>root@server02 proftpd]# <span class="nb">cat</span> /etc/proftpd/sftpd.group
ftpgroup:x:2001:user1,user2,user3
<span class="o">[</span>root@server02 proftpd]# <span class="nb">cat</span> /etc/proftpd/sftpd.passwd
user1:<span class="nv">$1$sFbAFURA$W6ySumztKRZXQ1Cn7Xg5y</span>.:2001:2001::/sftp/home/user1:/bin/bash
user2:<span class="nv">$1$Vhafg9lR$EHP</span>.S79aeXRRlvwMb5MVM1:2001:2001::/sftp/home/user2:/bin/false
user3:<span class="nv">$1$oNjFuN8M$TOgga</span>.Gl.2o2tqrxMNr2g1:2001:2001::/sftp/home/user3:/bin/false
<span class="c">#Clients Home Folder Layouts (create the folders as below and set it to be owned by system proftpd.ftpgroup)</span>
<span class="o">[</span>root@server02 ~]# <span class="nb">ls</span> <span class="nt">-lh</span> /sftp/home/
drwxr-xr-x. 2 proftpd ftpgroup 4.0K Dec 17 18:10 user1
drwxr-xr-x. 2 proftpd ftpgroup 4.0K Dec 17 18:11 user2
drwxr-xr-x. 2 proftpd ftpgroup 4.0K Dec 18 16:59 user3
<span class="c">#Reload the sftp server</span>
<span class="o">[</span>root@server02 bin]# service proftpd restart
Shutting down proftpd: <span class="o">[</span> OK <span class="o">]</span>
Starting proftpd: <span class="o">[</span> OK <span class="o">]</span></code></pre></figure>
<p>The above setup will provide you with an sftp server running on port 2022 with password based authentication. For whichever client you prefer to enable key based authentication, drop the user's public key in the /etc/proftpd/authorized_keys/ folder, using <code>&lt;client_username&gt;</code> as the file name.</p>
<h4>Key Based Authentication:</h4>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="c">#Generate ssh keys </span>
<span class="o">[</span>root@server02 .ssh]# ssh-keygen <span class="nt">-b</span> 2048
<span class="c"># it should create a file under .ssh as id_rsa.pub</span>
<span class="c">#convert the key from openssh format to SSH2 format.</span>
<span class="o">[</span>root@server02 .ssh]# ssh-keygen <span class="nt">-e</span> <span class="nt">-f</span> id_rsa.pub <span class="o">></span> user2
<span class="c">#make sure the comment is not too long (longer than the key), as that can sometimes cause issues</span>
<span class="o">[</span>root@server02 .ssh]# <span class="nb">cat </span>user2
<span class="nt">----</span> BEGIN SSH2 PUBLIC KEY <span class="nt">----</span>
Comment: <span class="s2">"2048-bit RSA, root@server02.test.local"</span>
AAAAB3NzaC1yc2EAAAABIwAAAQEAqgt6I0nsIqEEXQ9GKRvUp9AuNHuWXjCWM7pUeXfq0+
axidUqkSjiKKjJ1zh5i0oIo208AYcbLieWzRsSL4hOB8a1kYCq2foTokTuAVbowP3r9FVh
WZnQGvsu16DztuWP9CAF04DxCNp2Tzko6PVx8f6qt4HNS6lKRAn31oakROiBKM0807mGIj
rB/25LHikYHr7ifSazd0zEc+t7Tx1k1G3+7v1Stwch8W3oOsTzc6u1IfWo1zML2q3LUxIm
odGrwsjEMV5jS5Aq8ouwqKLbflwwpk2aliXj3SrG3LH4yyaRvogGGjIjWKsR/qOKcOqNPy
4exQ8iDos2/3zIX35xoQ<span class="o">==</span>
<span class="nt">----</span> END SSH2 PUBLIC KEY <span class="nt">----</span></code></pre></figure>
<p>Drop the above key in the <code class="language-plaintext highlighter-rouge">/etc/proftpd/authorized_keys/</code> folder as the file user2, and user2 should now be able to log in using key based authentication. As this article is already too long, the special requirements are discussed in part 2 of this article.</p>
<p><a href="http://www.primoitsolutions.uk/proftpd-sftp-server-part1/">SFTP Server - Proftpd Setup Part1</a> was originally published by Mohan Balasundaram at <a href="http://www.primoitsolutions.uk">PRIMO IT Solutions</a> on January 19, 2015.</p>
<h2>VIM KEYBOARD SHORTCUTS</h2>
<p>The following are my notes on vim keyboard shortcuts which I have noted down over the years. For some of these shortcuts to work properly you need some of the plugins as well. All the plugins I have used here can be found in my <a href="https://github.com/tuxfight3r/myvimrc">.vimrc</a> github repository</p>
<script src="https://gist.github.com/tuxfight3r/0dca25825d9f2608714b.js"> </script>
<p><a href="http://www.primoitsolutions.uk/vim-shortcuts/">Vim Shortcuts</a> was originally published by Mohan Balasundaram at <a href="http://www.primoitsolutions.uk">PRIMO IT Solutions</a> on January 10, 2015.</p>
<h3>Hello!</h3>
<p><strong>PRIMO IT SOLUTIONS Limited</strong> Hello Post</p>
<p><a href="http://www.primoitsolutions.uk/hello/">Hello</a> was originally published by Mohan Balasundaram at <a href="http://www.primoitsolutions.uk">PRIMO IT Solutions</a> on January 09, 2015.</p>