Proftpd ssh key-based authentication not working

proftpd sftp

I've set up a new proftpd server with mod_sftp for SSH support, which I'm able to log in to when I use a password. But when I try to use my SSH key, I'm unable to connect.

Here's the full proftpd.conf file:

[root@myers log]# cat /usr/etc/proftpd.conf
ServerName                      "Develop CENTS"
ServerType                      standalone
DefaultServer                   on

Port                            2215

UseIPv6                         off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

MaxInstances                    15

User                            nobody
Group                           nobody

DefaultRoot ~

AllowOverwrite          on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

<IfModule mod_auth_pam.c>
    AuthPAM off
</IfModule>

<IfModule mod_sftp.c>
SFTPEngine on
SFTPHostKey /usr/etc/proftpd/rsa_key
SFTPHostKey /usr/etc/proftpd/dsa_key
Port 2216
SFTPAuthMethods publickey      
MaxLoginAttempts 4
SFTPCompression delayed

        <VirtualHost www.mydomain.com>
        SFTPAuthorizedUserKeys file:/home/mydomain.com/.ssh/authorized_keys
        DefaultRoot ~
        </VirtualHost>
</IfModule>

Here's a line I see in /var/log/messages regardless of the authentication method used:

Mar 19 10:41:51 myers proftpd[29675]: myhost.com - unable to create namebind for 'www.mydomain.com' to IPAddress#21: No such file or directory

Other than that, the only thing appearing in the log file when I attempt to connect with an SSH key is that the client does reach the server and an SSH2 session is opened, but the very next line indicates the SSH2 session is closed.

Any ideas?

Best Answer

From your configuration, it looks like you'd like a normal FTP server on port 2215, and the SFTP server on port 2216. In order to do this, you would need the mod_sftp configuration in its own <VirtualHost> section. As your configuration stands, both Port directives appear in the same "vhost" context, and thus ProFTPD, when parsing the configuration, may not do what you expect. I would recommend using something like:

# ... previous config ...
<IfModule mod_auth_pam.c>
    AuthPAM off
</IfModule>

<IfModule mod_sftp.c>
  # Here we give mod_sftp its own explicit vhost, and put all
  # of the mod_sftp configuration within that <VirtualHost> section.
  <VirtualHost www.mydomain.com>
    Port 2216

    SFTPEngine on
    SFTPHostKey /usr/etc/proftpd/rsa_key
    SFTPHostKey /usr/etc/proftpd/dsa_key
    SFTPAuthMethods publickey      
    MaxLoginAttempts 4
    SFTPCompression delayed
    SFTPAuthorizedUserKeys file:/home/mydomain.com/.ssh/authorized_keys
    DefaultRoot ~
  </VirtualHost>
</IfModule>

Hope this helps!
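
A small check for the layout problem the answer describes, added here as an example and not taken from the original post or from ProFTPD: it groups directives by server context and flags a context with more than one Port, or with SFTP* directives but no "SFTPEngine on". The function names, finding labels and the trimmed sample config are assumptions made for illustration.

```python
import re

# Constructed sample: the question's layout, trimmed to the relevant directives.
BROKEN = """\
Port 2215
<IfModule mod_sftp.c>
SFTPEngine on
Port 2216
  <VirtualHost www.mydomain.com>
  SFTPAuthorizedUserKeys file:/home/mydomain.com/.ssh/authorized_keys
  </VirtualHost>
</IfModule>
"""

def directives_by_context(conf):
    """Group (directive, value) pairs by 'server config' or <VirtualHost ...>.
    Simplification: other sections (<IfModule>, <Limit>, ...) are transparent."""
    contexts, current = {"server config": []}, "server config"
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = f"<VirtualHost {opened.group(1).strip()}>"
            contexts.setdefault(current, [])
        elif line.lower().startswith("</virtualhost"):
            current = "server config"
        elif not line.startswith("<"):
            parts = line.split(None, 1)  # directive name, then the rest as value
            contexts[current].append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return contexts

def check(conf):
    """Return (context, finding) pairs where the layout departs from the answer's."""
    findings = []
    for ctx, items in directives_by_context(conf).items():
        if sum(1 for name, _ in items if name == "port") > 1:
            findings.append((ctx, "multiple-port"))
        has_sftp = any(name.startswith("sftp") for name, _ in items)
        if has_sftp and ("sftpengine", "on") not in [(n, v.lower()) for n, v in items]:
            findings.append((ctx, "sftp-without-engine"))
    return findings

if __name__ == "__main__":
    for ctx, finding in check(BROKEN):
        print(f"{ctx}: {finding}")
```

Run against the layout the answer recommends, where Port 2216 and every SFTP* directive sit inside the one <VirtualHost> section, `check` returns an empty list.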