Comment 10 for bug 1975567

Florian Knauf (f-knauf) wrote:

My workaround was setting up OpenSSH to listen on a second port and forcing SFTP on that, i.e. in /etc/ssh/sshd_config:

Port 22
Port 2200

...

Match LocalPort 2200
    AllowGroups ftpusers
    ChrootDirectory /srv/ftp
    ForceCommand internal-sftp
    AllowTCPForwarding no
    AllowAgentForwarding no
    X11Forwarding no

For compatibility with older clients, you may have to set

HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa

And for extremely old clients, possibly (but hopefully not), extend the KexAlgorithms with

KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Only do that as a last resort, though! OpenSSH has removed support for the old SHA1-based key exchange algorithms, which is a good thing security-wise but has tripped up some clients that worked with my previous proftpd config.
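The Match-block logic behind the workaround above, as an added example that is not part of the bug report or of OpenSSH itself: a small resolver that works out which options apply to a connection on a given local port, then lints the result for the SFTP-only properties and for any SHA-1 algorithms the optional compatibility lines re-enable. SAMPLE_CONFIG is a constructed copy of the posted fragment with the legacy-algorithm lines included; the resolution rule implemented (first value wins in the global section, a matching Match block overrides it, first matching block wins) is the one sshd_config(5) documents. On a real host, compare against `sshd -T -C lport=2200,user=<user>,addr=<ip>`.

```python
"""Resolve sshd_config Match blocks for a connection and lint the result.

Added example for the comment above, not code from the bug report or from
OpenSSH.  SAMPLE_CONFIG is a constructed config (assumption: it mirrors the
posted fragment plus the optional legacy-algorithm lines).
"""
import re

SAMPLE_CONFIG = """\
Port 22
Port 2200

HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Match LocalPort 2200
    AllowGroups ftpusers
    ChrootDirectory /srv/ftp
    ForceCommand internal-sftp
    AllowTCPForwarding no
    AllowAgentForwarding no
    X11Forwarding no
"""

# Keywords that may appear several times; their values accumulate.
MULTI = {"port", "listenaddress", "hostkey", "acceptenv", "include"}
# Match criteria this evaluator understands; any other criterion never matches.
CRITERIA = {"localport", "user", "group", "address", "localaddress"}


def parse(text):
    """Return (global_opts, match_blocks); match_blocks is a list of
    (criteria, opts) in file order.  Keywords are lower-cased."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            toks = value.split()
            crit = {} if toks == ["all"] else {
                toks[i].lower(): toks[i + 1].split(",") for i in range(0, len(toks) - 1, 2)
            }
            current = {}
            blocks.append((crit, current))
            continue
        target = global_opts if current is None else current
        if key in MULTI:
            target.setdefault(key, []).append(value)
        else:
            target.setdefault(key, value)             # first obtained value wins
    return global_opts, blocks


def matches(crit, ctx):
    """Every criterion on the Match line must hold; unknown criteria fail closed."""
    return all(name in CRITERIA and str(ctx.get(name, "")) in wanted
               for name, wanted in crit.items())


def effective(text, **ctx):
    """Options in force for a connection described by ctx, e.g. localport=2200."""
    global_opts, blocks = parse(text)
    matched = {}
    for crit, opts in blocks:
        if matches(crit, ctx):
            for key, value in opts.items():
                matched.setdefault(key, value)        # first matching block wins
    result = dict(global_opts)
    result.update(matched)                            # Match values override global ones
    return result


SFTP_ONLY = {
    "forcecommand": "internal-sftp",
    "allowtcpforwarding": "no",
    "allowagentforwarding": "no",
    "x11forwarding": "no",
}


def sftp_lockdown_findings(opts):
    """What is missing for an SFTP-only listener.  ForceCommand alone still
    lets a user read whatever their Unix permissions allow, so a
    ChrootDirectory and an Allow* restriction are expected as well."""
    findings = [f"{key} should be {want} (is {opts.get(key, 'unset')})"
                for key, want in SFTP_ONLY.items()
                if opts.get(key, "").lower() != want]
    if "chrootdirectory" not in opts:
        findings.append("chrootdirectory is unset")
    if "allowgroups" not in opts and "allowusers" not in opts:
        findings.append("no AllowGroups/AllowUsers restriction")
    return findings


def legacy_algorithms(opts):
    """(keyword, algorithm) pairs that re-enable SHA-1 based algorithms.
    A leading '+' appends to the OpenSSH default set, so only the names
    written in the file are inspected; a '-' prefix removes, so it is skipped.
    ssh-rsa here is the SHA-1 signature scheme: the same RSA key still works
    with rsa-sha2-256/512 on current clients."""
    found = []
    for key in ("kexalgorithms", "hostkeyalgorithms",
                "pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes"):
        value = opts.get(key, "")
        if value.startswith("-"):
            continue
        for algo in value.lstrip("+^").split(","):
            algo = algo.strip()
            if algo and (algo.endswith("-sha1") or algo.startswith("ssh-rsa")):
                found.append((key, algo))
    return found


if __name__ == "__main__":
    for port in (22, 2200):
        opts = effective(SAMPLE_CONFIG, localport=port)
        print(f"port {port}: lockdown findings {sftp_lockdown_findings(opts)}")
        print(f"port {port}: legacy algorithms {legacy_algorithms(opts)}")
```

Running it shows port 2200 passing the lockdown checks while port 22 does not, and the same five SHA-1 entries on both ports, because the algorithm lines sit in the global section and so apply to every listener, not only to the legacy SFTP one.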