I've been tasked to install a new SFTP server. Per se, this is a very simple operation: simply using the internal-sftp
role of the ubiquitous SSH service (with chrooting) is sufficient to have a reliable SFTP server.
However, it's in my nature to always try at least two different approaches for the same problem, and I realized I can use ProFTPD
with an SFTP plugin to do the same thing, with the added benefit of more granular file-transfer-related options (e.g. bandwidth throttling). On the other hand, this plugin is not compiled (and bundled) by default, and I would like to avoid (perhaps) "less tested" solutions.
At the moment, the only required service is SFTP; however, I'm playing in advance and I would like to implement a solution which can not only work with SFTP, but with FTP/S also.
Considering that I am going to chroot users inside their homes, what do you feel is a better solution?
- use SSH internal-sftp and a standalone FTP server (vsftpd or proftpd) for FTP/S services
- only use the ProFTPD service with the relevant plugin
SSH's sftp server has some additional requirements for chroot directories, i.e. the user can't have write access to the chroot dir; in some environments this might be a problem.
If you also need ftp/ftps I would suggest giving mod_sftp a go. We are using it in production on about 20 servers with over 10k accounts with almost nil problems (sftp is the least used protocol). The downside might be that it doesn't support the password authentication method, but it supports RSA key and keyboard-interactive, so it is only a problem for very old clients.
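The chroot requirement mentioned in the answer above is the check sshd applies to ChrootDirectory: per sshd_config(5), every component of the path must be a root-owned directory that is not writable by group or others. The following is an added example, not part of the original answer, that audits a candidate path against that rule before sshd is pointed at it; the function names are illustrative.

```python
import os
import stat
from pathlib import Path


def chroot_chain(path):
    """Return every component of the chroot path, from / down to the path itself."""
    p = Path(path)
    if not p.is_absolute():
        raise ValueError("ChrootDirectory must be an absolute path")
    return list(reversed([p, *p.parents]))


def check_component(path, st_mode, st_uid):
    """Return the problems found for one path component (empty list if acceptable)."""
    problems = []
    if not stat.S_ISDIR(st_mode):
        problems.append(f"{path}: not a directory")
    if st_uid != 0:
        problems.append(f"{path}: owned by uid {st_uid}, not root")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = stat.S_IMODE(st_mode)
        problems.append(f"{path}: group- or world-writable (mode {mode:04o})")
    return problems


def audit_chroot(path, stat_fn=os.stat):
    """Check the whole chain; stat_fn can be swapped out to audit recorded metadata."""
    problems = []
    for component in chroot_chain(path):
        st = stat_fn(component)  # follows symlinks, like stat(2)
        problems.extend(check_component(str(component), st.st_mode, st.st_uid))
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python3 audit_chroot.py /path/to/chroot (defaults to / if omitted)
    issues = audit_chroot(sys.argv[1] if len(sys.argv) > 1 else "/")
    print("\n".join(issues) or "OK: every component is a root-owned, non-writable directory")
```

A user's own home directory fails this audit by design, which is why chrooted SFTP setups usually chroot to a root-owned parent and give the user a writable subdirectory inside it.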
This is an older thread but I'd just like to add for future readers that we've been configuring servers to use proftpd with mod_sftp for years with no problems at all. I like very much that the separation of services gives fine-grained control over security, the service itself, and user management.
You can configure proftpd to support either or both passwords/keys with mod_sftp if you also include the sftp_pam module. Here's an example config that enables both: