How to use sftp for Sentora?

Interestingly, Sentora does not seem to care about SSL. There is no https URL for its control panel as there is in Kloxo-MR, and you cannot use the sftp function of proftpd to transfer files securely either. We talked about enabling sftp for zPanel. As the successor of zPanel, Sentora makes using sftp even more difficult: if you copy the configuration from the post “enable sftp for zPanel”, you cannot even start the proftpd service.

I do not know how to debug proftpd. The first thing that came to my mind was that the proftpd shipped with Sentora was not compiled with the sftp module. The output of the command ldd /usr/sbin/proftpd seemed to support my judgment, as I could not find mod_sftp.so in it. This may further mislead you into downloading the proftpd source code and trying to compile the sftp module in. But after some investigation, I found that mod_sftp.so is already on the system, so a missing module is not the problem.

The problem actually lies in the configuration file /etc/proftpd.conf (a symbolic link to /etc/sentora/configs/proftpd/proftpd-mysql.conf). Strangely, Sentora removes the line LoadModule mod_sftp.c from the configuration file (if you check zPanel’s configuration, the line is there). This line tells proftpd to load mod_sftp.so at runtime, which is why you cannot find it using ldd. Without mod_sftp.so loaded, the SSL-related instructions from “enable sftp for zPanel” do not work, so the proftpd service cannot be started. After adding this line and commenting out the line “SFTPAuthMethods publickey” (as we won’t bother to use key files for authentication), proftpd starts successfully.

On CentOS 7, the above configuration file will make proftpd fail to start:

systemctl status proftpd.service -l

fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd.conf'

This is because the permission of /etc/ssh/ssh_host_rsa_key changed from 600 on CentOS 6 to 640 on CentOS 7. Even if you change it back to 600, proftpd still fails to start because /etc/ssh/ssh_host_dsa_key is missing. So we’d better generate a new pair of keys that are used only for sftp:

ssh-keygen -f /etc/ssh/sftp_host_rsa_key -N '' -t rsa
ssh-keygen -f /etc/ssh/sftp_host_dsa_key -N '' -t dsa

Then change the lines in proftpd.conf to:

SFTPHostKey /etc/ssh/sftp_host_rsa_key
SFTPHostKey /etc/ssh/sftp_host_dsa_key
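
The three failures described above (the missing LoadModule line, a host key that is group- or world-accessible, and a host key file that does not exist) can be checked before restarting proftpd. The script below is an added example, not part of the original post or of Sentora; the function name check_sftp_conf is hypothetical, and it assumes host key paths contain no spaces.

```shell
#!/bin/sh
# Added example: pre-flight check for the proftpd SFTP settings in this post.
# Usage: sh check_sftp.sh /etc/proftpd.conf
# Prints one line per problem; the return status is the number of problems.

check_sftp_conf() {
    conf=$1
    problems=0

    # mod_sftp is loaded at runtime, so the LoadModule line must be present
    # and uncommented.
    if ! grep -Eq '^[[:space:]]*LoadModule[[:space:]]+mod_sftp\.c' "$conf"; then
        echo "missing: LoadModule mod_sftp.c"
        problems=$((problems + 1))
    fi

    # Every active SFTPHostKey must exist and be private to its owner.
    # Commented lines are skipped because their first field starts with '#'.
    for key in $(awk '$1 == "SFTPHostKey" { print $2 }' "$conf"); do
        if [ ! -f "$key" ]; then
            echo "missing host key: $key"
            problems=$((problems + 1))
            continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ldL "$key" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "host key $key is group- or world-accessible ($perms)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Run the check when a configuration file is given on the command line.
if [ "$#" -gt 0 ]; then
    check_sftp_conf "$1"
fi
```

A return status of 0 means none of the three problems was found; it does not replace proftpd's own configuration test.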

 

 
