
How to set up proftpd as a secure SFTP server

Ever wanted to share your media collection, photos, (insert media type here) with friends or family securely, but weren't sure how to do it? Well, there is a well-known service for exactly this: SFTP, also known as the SSH File Transfer Protocol. If you use Linux, FreeBSD or some other kind of *NIX-based system, you've probably already used commands like scp or sftp.

Now, it's best not to confuse SFTP with FTPS; they are two very different protocols. FTPS is FTP over SSL for security. It uses a control channel and opens new connections for each data transfer, and it also requires an SSL certificate.

SFTP (SSH File Transfer Protocol) was designed as an extension of SSH to provide file transfer capability, so it normally uses only the SSH port for both data and control. This is the protocol we're going to focus on in this post.

For this how-to, we're not going to use the built-in OpenSSH SFTP server; instead we're going to use ProFTPd with its SFTP module. This is typically more secure, as it does not allow terminal sessions, TCP port forwarding or X forwarding. ProFTPd will also listen on a different port than OpenSSH, allowing you to run both.

To begin, you must first create a new jail.

1. Go to Jails > New Jail
2. Give your jail a name, in this case we'll call it sftpserver
3. Click on 'Advanced' and ensure VIMAGE is enabled
4. Click OK

For complete instructions on how to configure Jails, please refer to the FreeNAS documentation at http://doc.freenas.org/9.3/freenas_jails.html#adding-jails

If you already have existing media, such as your media collection, you may want to attach that storage to your jail. To add storage, go to Jails > Storage and click Add Storage.

1. Select sftpserver from the Jail drop down list
2. Select your media source, in my case, this is /mnt/tank/media
3. Set the destination directory on the jail, I have set this to /mnt/media
4. Check Read-Only if you don't want any changes being made to this storage (recommended)
5. Ensure Create directory is checked, this will create the /mnt/media directory for the attached storage

Once your jail is created and storage attached, you need to access its shell. You can do this either from the FreeNAS GUI by going to Jails > Select the jail sftpserver > Shell (icon at the bottom of the screen), or by SSHing in to your FreeNAS box and running the command:

# jexec sftpserver csh

Once you have the shell, you can start installing ProFTPd. We're going to use the ports tree for installing. Why not pkg? I hear you ask. Well, there's an issue with the pre-compiled ProFTPd SFTP module which in some cases can cause it not to respond to requests. Building from ports ensures the SFTP module is built against the latest version of OpenSSL.

So, at the prompt, run the portsnap command to pull down the latest copy of the ports tree (this may take some time):

# portsnap fetch extract

Once portsnap has finished, you will find ProFTPd in /usr/ports/ftp/proftpd, change into that directory:

# cd /usr/ports/ftp/proftpd

Once in the proftpd directory, you first need to create the make configuration; this lets you enable or disable various features of ProFTPd and its dependencies. In most cases you will only need the defaults, so you can simply press Enter at each prompt. I'm not going to go into each and every option, since the defaults will suit 99% of use cases for ProFTPd. You don't need to explicitly select the SFTP module in the configuration, since it is built by default.

To create the make configuration:

# make config-recursive

Once the make configuration has been created, you're ready to build ProFTPd and its dependencies. You can then perform an install and clean in one step. This will compile ProFTPd, install it under /usr/local, then clean up any temporary files left over from the compile.

# make install clean

If you don't see any error messages, congratulations! You have successfully compiled ProFTPd and are ready to start configuring it. If you see a make error, please refer to the ProFTPd documentation.

Okay, now on to the good stuff!

The ProFTPd configuration file can be found at /usr/local/etc/proftpd.conf, and auxiliary configuration can be found in the directory /usr/local/etc/proftpd.

I'm going to use the VIM editor in this example, if you're more comfortable in something else, such as nano, feel free to install it from pkg or ports. I'm not going to explain how to install this, as it's outside the scope of this how-to.

Before we start to configure ProFTPd, we need to generate the SSH server (host) keys and the dhparams (Diffie-Hellman parameters) file. To generate the SSH server keys, you can simply run:

# ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
# ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa


To generate the dhparams file, run:

# openssl dhparam -out /usr/local/etc/proftpd/dhparams.pem 2048

So what is the dhparams file for anyway? It holds the parameters (a large prime and a generator) used by the Diffie-Hellman key exchange, the part of the SSH handshake that gives the session Perfect Forward Secrecy. You don't strictly need it, since ProFTPd has built-in groups, but it does add an extra bit of security. I'm going to use it in this configuration.

Now that the keys are generated, change into the /usr/local/etc directory:

# cd /usr/local/etc

Now edit the proftpd.conf file:

# vim proftpd.conf

Code:
ServerName        "SFTP Server"
ServerType        standalone
DefaultServer     on
ScoreboardFile    /var/run/proftpd/proftpd.scoreboard

LoadModule mod_sftp.c

UseIPv6           off
Umask             022
MaxInstances      30
CommandBufferSize 512

# Set the user and group under which the server will run.
User              nobody
Group             nogroup

AllowOverwrite    on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

<IfModule mod_sftp.c>

  SFTPEngine on
  Port 2222
  SFTPLog /var/log/proftpd/sftp.log

  # Configure both the RSA and DSA host keys, using the same host key
  # files that OpenSSH uses.
  SFTPHostKey /etc/ssh/ssh_host_rsa_key
  SFTPHostKey /etc/ssh/ssh_host_dsa_key
  SFTPDHParamFile /usr/local/etc/proftpd/dhparams.pem
  SFTPKeyBlacklist /usr/local/etc/proftpd/blacklist.dat

  SFTPAuthMethods publickey password

  SFTPAuthorizedUserKeys file:/usr/local/etc/proftpd/authorized_keys/%u

  # Enable compression
  SFTPCompression delayed

  RequireValidShell off

  AuthUserFile /usr/local/etc/proftpd/ftp.users
  AuthGroupFile /usr/local/etc/proftpd/ftp.groups

  DirFakeUser on ~
  DirFakeGroup on ~

  DefaultRoot ~

</IfModule>


The configuration above is pretty basic. It does the following:

- Loads the SFTP module
- Listens on TCP port 2222
- Uses the SSH server keys
- Uses the dhparams.pem file we created earlier
- Uses the blacklist of known-bad SSH keys
- Sets the authentication methods to both public key and password (we'll get to this later)
- Enables compression
- Points at the virtual user/group files used for authentication
- Confines each user to their home directory (DefaultRoot ~)

Now we must create both a user and a group to access your SFTP server.

Create the ftp.users file:

# vim /usr/local/etc/proftpd/ftp.users

Code:
media:*:1000:1000::/mnt/media:/sbin/nologin
photos:$1$8Vex0vR9$Qt5rA51UDxOj/GnmIXjwL1:1001:1000::/mnt/media/photos:/sbin/nologin


You've probably seen something like this before if you've worked with *NIX systems; it's basically a passwd-format file that contains your ProFTPd virtual users. We have two users, media and photos. The user media does not have a password set; instead we're going to use OpenSSH public keys. The user photos has a salted and hashed password.

To generate a salted and hashed password, you can use the utility: ftpasswd

# ftpasswd --hash

Enter a password and you will be given output such as:

Code:
ftpasswd: $1$bil8yaQC$uygCkBCLjfZ5NZzREMpBL1


If you're going to use OpenSSH keys, you can set the second field to an asterisk (*) to indicate there is no password for this user.

Next, we must create a groups file:

# vim /usr/local/etc/proftpd/ftp.groups

Code:
media:*:1000:media


If you want to know more about passwd files, nixCraft have a good FAQ covering it at http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format

The ftp.users and ftp.groups files must be readable by ProFTPd only, so set their ownership and permissions accordingly:

# chown nobody:nobody /usr/local/etc/proftpd/ftp.{users,groups}
# chmod 600 /usr/local/etc/proftpd/ftp.{users,groups}


At this point, your ProFTPd SFTP server is now ready to go. You can add ProFTPd to your rc.conf file and start the service:

# sysrc proftpd_enable=YES
# service proftpd start


Once the ProFTPd service has started, you can try to access your SFTP server using WinSCP or FileZilla, using the IP of your jail and TCP port 2222.

If you decided not to use passwords and to use OpenSSH public keys instead, you will need to convert your public key to the RFC 4716 format in order for it to work with ProFTPd. For details on how to convert an existing SSH public key for use with ProFTPd, see http://www.proftpd.org/docs/contrib/mod_sftp.html#UsageRFC4716Format

Once you have generated your public key, you will want to put it in the directory /usr/local/etc/proftpd/authorized_keys. If you don't already have this directory, you will need to create it:

# mkdir /usr/local/etc/proftpd/authorized_keys

The public key file must have the same name as your user; in this example we're using media. Now you can copy/paste your RFC 4716 format public key into your user's authorized_keys file:

# vim /usr/local/etc/proftpd/authorized_keys/media

Code:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by User@HOST from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDS2ZccowxmzPra+/gtc239vq9NmOiMUc2playE+G
Epu8mVt7jB0sbA7os5jSlT1C0H+4I/wXqx6BHsLeXyMws0v5tUlWcxREoSGvOpI4cIuWSr
phZliK9ywJDMYNNhnhBWfKLnn0pR4LMs2NJTUl6BovhSH+cKHYRA5VRj6tZyMHVj7KRQS3
yDLIpkRRZ7kx71a6DNluzpNC2yeh18Ia+b7PsjlJmr0+7757OSxwdJq/PmOS1FFW1i0BlV
kIksjpT1Iga/ngVRUhNvhNPjOEOQRyFLQBXLueGPKmX48ggU9Tk44T4GR4Kuh8089jDmY2
pfa6muFOqGScCGy2AzcHVT
---- END SSH2 PUBLIC KEY ----


You can now attempt to log in to your SFTP server with your private OpenSSH key using your favourite SFTP client.
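Because a '*' in the password field of ftp.users only works if a correctly named RFC 4716 key file exists, it is easy to end up with a user who can never log in, or with a password field that is not actually a hash. The following audit script is an added example of my own (not part of ProFTPd or of this how-to); it parses the two formats described above, assumes /sbin/nologin as the expected shell, and uses constructed sample data so it runs offline.

```python
import base64, re

RFC4716_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
RFC4716_END = "---- END SSH2 PUBLIC KEY ----"
CRYPT_RE = re.compile(r"\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13}")  # $1$/$5$/$6$/$2a$ hashes or 13-char DES

def parse_ftp_users(text):
    """Parse passwd-style lines (name:pw:uid:gid:gecos:home:shell) into {name: fields}."""
    users = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.strip().split(":")
        if len(f) != 7:
            raise ValueError("ftp.users line %d: expected 7 fields, got %d" % (n, len(f)))
        users[f[0]] = {"pw": f[1], "home": f[5], "shell": f[6]}
    return users

def parse_rfc4716(text):
    """Return the key type (e.g. 'ssh-rsa') if text is an RFC 4716 key file, else None."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) < 3 or lines[0] != RFC4716_BEGIN or lines[-1] != RFC4716_END:
        return None  # an OpenSSH one-line "ssh-rsa AAAA..." key lands here
    body = "".join(l for l in lines[1:-1] if ":" not in l)  # drop 'Comment:' header lines
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError:
        return None
    n = int.from_bytes(blob[:4], "big")  # blob starts with a length-prefixed type string
    if len(blob) < 4 or n > len(blob) - 4:
        return None
    return blob[4:4 + n].decode("ascii", "replace")

def audit(users, key_files):
    """key_files maps user -> contents of authorized_keys/<user>; returns a list of findings."""
    findings = []
    for name, u in users.items():
        if u["shell"] != "/sbin/nologin":
            findings.append("%s: shell is %s, expected /sbin/nologin" % (name, u["shell"]))
        if u["pw"] == "*":  # key-only user: needs an RFC 4716 file named after the user
            if name not in key_files:
                findings.append("%s: no password and no authorized_keys/%s file" % (name, name))
            elif parse_rfc4716(key_files[name]) is None:
                findings.append("%s: authorized_keys/%s is not RFC 4716 (see ssh-keygen -e)" % (name, name))
        elif not CRYPT_RE.fullmatch(u["pw"]):
            findings.append("%s: password field is not a crypt(3) hash; use ftpasswd --hash" % name)
    return findings

# Constructed sample input: the two users from the how-to and a truncated "ssh-rsa" key blob.
SAMPLE_USERS = ("media:*:1000:1000::/mnt/media:/sbin/nologin\n"
                "photos:$1$8Vex0vR9$Qt5rA51UDxOj/GnmIXjwL1:1001:1000::/mnt/media/photos:/sbin/nologin\n")
SAMPLE_BLOB = b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x03\x01\x00\x01"  # type string + exponent only
SAMPLE_KEY = "\n".join([RFC4716_BEGIN, 'Comment: "constructed sample"',
                        base64.b64encode(SAMPLE_BLOB).decode(), RFC4716_END])
```

On a real jail you would feed it the contents of /usr/local/etc/proftpd/ftp.users and of each file under /usr/local/etc/proftpd/authorized_keys; an empty findings list means the two fit together.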

Now, if you want your shiny new SFTP server to be accessible over the Internet, you'll most likely need to set up a NAT rule on your router. You'll need to look into your router's documentation on how to do this. I highly recommend using a high TCP port number greater than 1024 on the outside, and NAT it to your jail IP and TCP port 2222.
Author: m0nkey_