My workaround was setting up OpenSSH to listen on a second port and force sftp on that, i.e. in /etc/ssh/sshd_config
Port 22
Port 2200
...
Match LocalPort 2200
AllowGroups ftpusers
ChrootDirectory /srv/ftp
ForceCommand internal-sftp
AllowTCPForwarding no
AllowAgentForwarding no
X11Forwarding no
For compatibility with older clients you may have to set
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
And for extremely old clients possibly (but hopefully not) extend the KexAlgorithms with
KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Only do that as a last resort, though! OpenSSH has removed support for the old SHA1-based key exchange algorithms, which is a good thing security-wise but has tripped up some clients that worked with my previous proftpd config.
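
An audit of the setup described above, added here as an example and not part of the original comment: it parses sshd_config text, checks that the Match LocalPort 2200 block pins sessions to chrooted internal-sftp with forwarding off, and reports legacy algorithms that were re-enabled globally. The function names and the sample config are constructed, and the parser is a simplification that ignores Include files and quoting.

```python
# Constructed sample: the comment's config with the last-resort legacy lines enabled.
SAMPLE = """\
Port 22
Port 2200
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Match LocalPort 2200
AllowGroups ftpusers
ChrootDirectory /srv/ftp
ForceCommand internal-sftp
AllowTCPForwarding no
AllowAgentForwarding no
X11Forwarding no
"""
# Values the sftp-only block must set explicitly (keywords are case-insensitive).
REQUIRED = {"forcecommand": "internal-sftp", "allowtcpforwarding": "no",
            "allowagentforwarding": "no", "x11forwarding": "no"}
ALGO_KEYS = ("hostkeyalgorithms", "pubkeyacceptedalgorithms", "kexalgorithms")

def parse(text):
    """Group 'keyword value' lines under 'global' or their Match criteria."""
    blocks, current = {"global": {}}, "global"
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            current = " ".join(value.lower().split())
            blocks.setdefault(current, {})
        else:
            blocks[current].setdefault(key, value)  # sshd keeps the first value
    return blocks

def audit(text, port=2200):
    """Return findings for the sftp-only port and for re-enabled legacy algorithms."""
    blocks = parse(text)
    block = blocks.get(f"localport {port}", {})  # a missing block fails every check
    findings = [f"port {port}: {key} is not '{want}'" for key, want in REQUIRED.items()
                if block.get(key, "").lower() != want]
    if "chrootdirectory" not in block:
        findings.append(f"port {port}: no ChrootDirectory")
    for key in ALGO_KEYS:
        for algo in blocks["global"].get(key, "").lstrip("+^").split(","):
            if algo == "ssh-rsa" or algo.endswith("-sha1"):
                findings.append(f"legacy algorithm enabled: {key} {algo}")
    return findings
```

Calling audit(SAMPLE) returns five findings, one per re-enabled legacy algorithm; the same config without the three algorithm lines returns an empty list.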