From: TJ S. <cas...@us...> - 2010-04-21 18:16:40
Update of /cvsroot/pdd/www.proftpd.org/docs/contrib In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv24823 Modified Files: mod_sftp.html Log Message: Update the mod_sftp docs on the website. Index: mod_sftp.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/contrib/mod_sftp.html,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -r1.1 -r1.2 *** mod_sftp.html 24 Feb 2010 19:08:55 -0000 1.1 --- mod_sftp.html 21 Apr 2010 18:16:28 -0000 1.2 *************** *** 93,99 **** <ul> <li><code><Anonymous></code> - <li><code>DirFakeUser/DirFakeGroup</code> <li><code>MaxRetrieveFileSize/MaxStoreFileSize</code> - <li><code>UserOwner</code>, <code>GroupOwner</code> </ul> --- 93,97 ---- *************** *** 751,754 **** --- 749,761 ---- have <code>mod_sftp</code> silently ignore any permissions sent by the SCP client, use this option. + + <p> + <li><code>PessimisticKexinit</code><br> + <p> + As described <a href="#SFTPTelnetBanner">here</a>, the <code>mod_sftp</code> + module tries to reduce the connection latency by optimistically sending + the <code>KEXINIT</code> key exchange message. However, some SSH clients + cannot handle this behavior. Use this option to disable the optimistic + sending of the <code>KEXINIT</code> message. </ul> *************** *** 1145,1148 **** --- 1152,1205 ---- that are used for authentication. + <p><a name="ClientIssues"></a> + <b>Known Client Issues</b><br> + The following lists some of the various client interoperability issues that + have been encountered, and how to address them. + + <p> + <i>SSH Channel Window Sizes</i><br> + Some SFTP client implementations do not support the large SSH channel window + size that the <code>mod_sftp</code> module uses by default. 
These clients + include: + <ul> + <li><a href="http://www.ipswitch.com/WS_FTP">WS_FTP Pro</a> + <li>OpenSSH 3.0 and older + </ul> + This <a href="#SFTPBadWindowSize">FAQ</a> describes the configuration to use + for such clients. + + <p> + <i>SFTP Protocol Versions</i><br> + Some SFTP clients do not properly handle some of the newer SFTP protocol + versions. These clients include: + <ul> + <li><a href="http://winscp.net/">WinSCP</a> + <li><a href="http://www.cuteftp.com/products/ftp_clients.aspx">CuteFTP</a> + </ul> + For these clients, use a + <a href="#SFTPClientMatch"><code>SFTPClientMatch</code></a> rule to restrict + the SFTP protocol versions offered by the <code>mod_sftp</code> module, + <i>e.g.</i>: + <pre> + <font color=green># Only support SFTP protocol version 1 through 3 for WinSCP and CuteFTP</font> + SFTPClientMatch WinSCP|ClientSftp sftpProtocolVersion 1-3 + </pre> + + <p> + <i><code>KEXINIT</code> Optimization</i><br> + Some SFTP clients do not like this + <a href="#SFTPTelnetBanner">KEXINIT optimization</a> that the + <code>mod_sftp</code> module uses. These clients include: + <ul> + <li><code>Net::SSH::Perl</code>, <code>Net::SFTP</code> Perl modules + <li><a href="http://www.enterprisedt.com/products/edtftpj/">edtFTPj</a> + </ul> + For these clients, use this configuration (supported in ProFTPD 1.3.4rc1 and + later) to disable the optimization: + <pre> + <font color=green># Disable the KEXINIT optimization at the cost of latency</font> + SFTPOptions PessimisticKexinit + </pre> + <p> <b>FIPS Compliance</b><br> *************** *** 1357,1361 **** </pre> <font color=blue>Answer</font>: The issue, in short, involves that "-1" value ! you see, and the particular client implementation in question. <p> --- 1414,1419 ---- </pre> <font color=blue>Answer</font>: The issue, in short, involves that "-1" value ! you see, and the particular client implementation in question. (The example ! error above is from an old OpenSSH client.) 
<p> *************** *** 1370,1373 **** --- 1428,1442 ---- <p> + As another example, the <a href="http://www.ipswitch.com/WS_FTP">WS_FTP Pro</a> + client has this same problem; in the client, you will see something like + the following error: + <pre> + Started subsystem "sftp" on channel 0760a2ce + error 84350000 initializing sftp protocol + Sending channel close message for channel 0760a2ce + SSH Transport closed. + </pre> + + <p> There are two approaches for handling such cases. You can use the <a href="#SFTPClientMatch"><code>SFTPClientMatch</code></a> directive to *************** *** 1411,1414 **** --- 1480,1505 ---- used for the SFTP/SCP sessions, <i>etc</i>. + <p><a name="SFTPAndFTP"> + <font color=red>Question</font>: How can I configure <code>proftpd</code> + so that it can handle both FTP and SFTP at the same time?<br> + <font color=blue>Answer</font>: The key to doing this is to create a + <code><VirtualHost></code> section just for the <code>mod_sftp</code> + configuration, listening on the address and port that you wish, <i>e.g.</i>: + <pre> + # The FTP configuration + DefaultAddress <i>a.b.c.d</i> + Port 21 + + <IfModule mod_sftp.c> + <VirtualHost <i>a.b.c.d</i>> + # The SFTP configuration + Port 22 + + SFTPEngine on + ... + </VirtualHost> + </IfModule> + </pre> + <p><a name="SFTPOnly"> <font color=red>Question</font>: How can I configure <code>proftpd</code> *************** *** 1488,1491 **** --- 1579,1607 ---- in your <code>mod_sftp</code> configuration. + <p><a name="SFTPOwner"> + <font color=red>Question</font>: I use <code>UserOwner</code> and + <code>GroupOwner</code> in my <code>mod_sftp</code> configuration, but they + are not being applied properly. Is this a bug?<br> + <font color=blue>Answer</font>: No. + + <p> + By default, the <code>mod_sftp</code> module drops root privileges as soon + as it can, which is just after the user has been authenticated. 
Without + root privileges, <code>mod_sftp</code> cannot change the ownership of files + uploaded via SFTP/SCP as per <code>UserOwner</code>/<code>GroupOwner</code> + settings. + + <p> + In ProFTPD 1.3.4rc1, honoring of the <code>UserOwner</code> and + <code>GroupOwner</code> directives was added to the <code>mod_sftp</code> + module. <b>However</b>, you will <i>also</i> need to add the following to your + <code>mod_sftp</code> configuration to make them work properly: + <pre> + RootRevoke off + </pre> + This explicitly tells the <code>mod_sftp</code> to <b>not</b> drop root + privileges after authentication, and instead to keep them for the duration + of the session. + <p> <hr><br> |