Tutorial

How To Configure ProFTPd To Use SFTP Instead of FTP

Published on October 25, 2013

Status: Deprecated

This article covers a version of Ubuntu that is no longer supported. If you currently operate a server running Ubuntu 12.04, we highly recommend upgrading or migrating to a supported version of Ubuntu.

Reason: Ubuntu 12.04 reached end of life (EOL) on April 28, 2017 and no longer receives security patches or updates. This guide is no longer maintained.

See Instead: This guide might still be useful as a reference, but may not work on other Ubuntu releases. If available, we strongly recommend using a guide written for the version of Ubuntu you are using. You can use the search functionality at the top of the page to find a more recent version.

Introduction


FTP, or file transfer protocol, is a popular way to transfer files between local and remote servers. While FTP was a preferred method of transfer in the past, it authenticates in plain text, making it insecure.

ProFTPd is a popular FTP server that can be configured to use the SFTP protocol, a secure FTP alternative, instead of FTP. This article will show you how to configure ProFTPd to use this protocol to avoid the insecurity of FTP.

We will show you how to configure this on an Ubuntu 12.04 VPS, but most distributions should operate in a similar way.

Install ProFTPd


The ProFTPd software is in Ubuntu’s default repositories. We can install it by typing:

sudo apt-get update && sudo apt-get install proftpd

Choose “stand alone” when prompted during installation.

After it has been installed, we need to edit some basic configuration variables. Open the ProFTPd configuration file with root privileges with your text editor:

sudo nano /etc/proftpd/proftpd.conf

Change the ServerName parameter to match your domain name or IP address.

ServerName      "yourDomainOrIPAddress"

Remove the # from in front of the DefaultRoot parameter to uncomment it:

DefaultRoot     ~

Save and close the file.

Configure SFTP Access with ProFTPd


Now, we need to configure the service to use SFTP.

The default file looks in the conf.d subdirectory for additional configuration. We will create a file there to enable the use of SFTP:

sudo nano /etc/proftpd/conf.d/sftp.conf

ProFTPd can take configuration with the same formatting as Apache. If you are familiar with Apache, this should look familiar. If you are not familiar, it’s easy to figure out.

Copy and paste the following into the file:

<IfModule mod_sftp.c>

        SFTPEngine on
        Port 2222
        SFTPLog /var/log/proftpd/sftp.log

        # Configure both the RSA and DSA host keys, using the same host key
        # files that OpenSSH uses.
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPHostKey /etc/ssh/ssh_host_dsa_key

        SFTPAuthMethods publickey

        SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

        # Enable compression
        SFTPCompression delayed

</IfModule>

Deconstructing the SFTP Configuration


Let’s break the file down into its component pieces so that we can understand it better.

The entire section is wrapped in IfModule tags to make sure that the configuration options are only applied if the SFTP module is available (which it is).

  • SFTPEngine on: Enables the SFTP ability for the server

  • Port 2222: Specifies the port where the SFTP connections will be accepted. Since SSH already is looking for connections on port 22, we want a different port.

  • SFTPLog: Configures the location of the log file that will be created.

  • SFTPHostKey: These two lines point to the SSH host keys. This is how the server identifies itself to clients. For the most part, the lines we used should be correct.

  • SFTPAuthMethods: This line configures the server to only accept connections with SSH keys.

  • SFTPAuthorizedUserKeys: This parameter names the location of the SFTP keys that can be used to authenticate someone. The %u portion will substitute the authenticating user’s name.

  • SFTPCompression delayed: This sets the compression mechanism that will be utilized during file transfers.

Configure Key Based Authentication


ProFTPd can use SSH keys to authenticate users, but the keys must be converted to the RFC4716 format. Luckily, the SSH suite can convert these files natively.

Begin by creating a directory to house these files:

sudo mkdir /etc/proftpd/authorized_keys

Now, we need to convert the public keys that are currently used to log into the server. If you only have one user, you can use this command:

sudo ssh-keygen -e -f ~username/.ssh/authorized_keys | sudo tee /etc/proftpd/authorized_keys/username

If you have multiple users and you need to separate their log in credentials, you will have to use the actual public key instead of the authorized_keys file, like this:

sudo ssh-keygen -e -f /path/to/id_rsa.pub | sudo tee /etc/proftpd/authorized_keys/username_who_owns_key

You can add as many keys as you would like.

When you are finished, restart the ProFTPd server:

sudo service proftpd restart
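
The conversion step above, as an added example that is not part of the original tutorial: ssh-keygen -e exports one key per invocation, so this function converts an authorized_keys file line by line and only replaces the destination when at least one key converted. The function name and return codes are illustrative, and it assumes mod_sftp accepts several RFC4716 blocks in one key file.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. The function name and its
# return codes are illustrative choices.
#
# convert_authorized_keys SRC DEST
#   Converts every key line of an OpenSSH authorized_keys file (SRC) to
#   RFC 4716 and installs the result as DEST. Prints the number of keys
#   written. Returns 1 if SRC is unreadable, 2 if no key could be converted.
convert_authorized_keys() {
    ck_src=$1
    ck_dest=$2
    [ -r "$ck_src" ] || { echo "cannot read $ck_src" >&2; return 1; }

    ck_tmp=$(mktemp -d) || return 1
    : > "$ck_tmp/all"
    ck_count=0
    ck_line_no=0

    while IFS= read -r ck_line || [ -n "$ck_line" ]; do
        ck_line_no=$((ck_line_no + 1))
        case $ck_line in
            '' | '#'*) continue ;;   # blank lines and comments
        esac
        printf '%s\n' "$ck_line" > "$ck_tmp/one.pub"
        # </dev/null: ssh-keygen must not inherit the loop's stdin (the key file).
        if ssh-keygen -e -f "$ck_tmp/one.pub" </dev/null \
                > "$ck_tmp/one.rfc" 2>/dev/null; then
            cat "$ck_tmp/one.rfc" >> "$ck_tmp/all"
            ck_count=$((ck_count + 1))
        else
            echo "$ck_src line $ck_line_no: not a bare public key, skipped" >&2
        fi
    done < "$ck_src"

    if [ "$ck_count" -eq 0 ]; then
        rm -rf "$ck_tmp"
        echo "no usable keys in $ck_src, $ck_dest left untouched" >&2
        return 2
    fi

    # Write next to DEST and rename, so a failed run never truncates a key
    # file that is already in use (a `| tee DEST` pipeline truncates DEST
    # even when ssh-keygen fails).
    ( umask 022 && cat "$ck_tmp/all" > "$ck_dest.new" ) \
        && mv "$ck_dest.new" "$ck_dest" \
        || { rm -rf "$ck_tmp"; return 1; }
    rm -rf "$ck_tmp"
    echo "$ck_count"
}

# Usage, as root (paths follow the tutorial; "username" is a placeholder):
#   convert_authorized_keys /home/username/.ssh/authorized_keys \
#       /etc/proftpd/authorized_keys/username
```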

Disable SFTP Access on the SSH Port


Now that we have enabled SFTP through ProFTPd, we can disable it on the normal SSH port. This will allow us to configure user access and lock down what each user can see and manipulate through ProFTPd, without worrying about people being able to leave their home directories.

Open the SSHD configuration file:

sudo nano /etc/ssh/sshd_config

Towards the bottom of the file, you should see a line that looks like this:

Subsystem sftp /usr/lib/openssh/sftp-server

Put a hash (#) in front of it to comment out the line:

# Subsystem sftp /usr/lib/openssh/sftp-server

Save and close the file.

Now, restart the SSH server to enable your changes:

sudo service ssh restart

Connecting with a Client


There are plenty of FTP clients that we can use to connect with our server. The good ones implement SFTP capabilities as well. We will demonstrate how to connect through FileZilla, which is available on all major platforms.

Open FileZilla’s preferences. Find the “SFTP” section in the left-hand menu.

FileZilla SFTP menu

Click on “Add keyfile”, and navigate to the location of your private key. Usually, this will be in ~/.ssh/id_rsa. You will probably get a message saying that FileZilla will convert it to a supported format.

Press “Okay” to exit the preferences.

In the main interface, type sftp:// followed by the domain name or IP address of your server in the “Host” field. Place your username in the “Username” field and fill in the port you chose for the “Port” field:

FileZilla SFTP information

Click “Quickconnect” and FileZilla should connect automatically using your SSH keys.

Conclusion


Your server should now be configured to accept SFTP connections managed by ProFTPd. You can configure the software to manage users and what areas are restricted. In general, FTP should be avoided at all costs due to its lack of proper security.

By Justin Ellingwood

 
44 Comments

Did all the steps as mentioned, but I get this message on FileZilla (Mac):

Error: Disconnected: No supported authentication methods available (server sent: publickey)
Error: Could not connect to server

Any idea on how I can debug this?

I’ve got the same issue, did you manage to figure it out?

I would always get the same error and I changed port from 2222 back to 22 and it worked. For now I have left it as that until I see a solution that works.

Kamal Nasser
DigitalOcean Employee
October 29, 2013

@fabianoarruda: Did you add your SSH key to FileZilla?

When I try to convert the keys via

"Now, we need to convert the public keys that are currently used to log into the server. If you only have one user, you can use this command:

sudo ssh-keygen -e -f ~username/.ssh/authorized_keys | sudo tee /etc/proftpd/authorized_keys/username"

I get “ssh-keygen: /home/main/.ssh/authorized_keys: No such file or directory”

I have followed all the steps mentioned but get this error. What am I doing wrong?

Kamal Nasser
DigitalOcean Employee
November 10, 2013

@karambahosting: Add the SSH key you want to use to ~username/.ssh/authorized_keys (each one on its own line, usually starting with “ssh-rsa”) and then run that command.

Somewhat new to this but have implemented the above. What I need is to be able to create accounts that are upload only with each account pointing to one file directory only (unique). This while still having admin access through the root account to all folders. How would I go about doing this? Any direction would help me out a lot. Thanks

Kamal Nasser
DigitalOcean Employee
December 21, 2013

@Josh:

> This while still having admin access through the root account to all folders.

root has access to everything all the time, no matter what.

> What I need is to be able to create accounts that are upload only with each account pointing to one file directory only (unique).

Check out https://www.digitalocean.com/community/articles/how-to-add-and-delete-users-on-ubuntu-12-04-and-centos-6.

Hello, while FileZilla is trying to connect it gives me an error: Disconnected: No supported authentication methods available (server sent: public key). Why can that be? Thanks

Kamal Nasser
DigitalOcean Employee
January 5, 2014

@foykes: You need to configure FileZilla to use your SSH key that you configured PuTTY to use.

After this step: sudo ssh-keygen -e -f ~username/.ssh/authorized_keys | sudo tee /etc/proftpd/authorized_keys/username

I get prompted for my passphrase. Once I enter the password, I get this response: load failed

This is on a brand-new vanilla installation of ubuntu+LAMP

Kamal Nasser
DigitalOcean Employee
February 7, 2014

@magness.richard: Try the following command instead:

sudo ssh-keygen -e -f /home/username/.ssh/authorized_keys | sudo tee /etc/proftpd/authorized_keys/username

hi,

service proftpd start always fails. I am running a CentOS 6.5 & ProFTPD Version is 1.3.3g. mod_sftp.c is missing from:

proftpd -l

Compiled-in modules: mod_core.c mod_xfer.c mod_auth_unix.c mod_auth_file.c mod_auth.c mod_ls.c mod_log.c mod_site.c mod_delay.c mod_facts.c mod_dso.c mod_ident.c mod_readme.c mod_auth_pam.c mod_tls.c mod_vroot.c mod_cap.c mod_ctrls.c mod_lang.c

Is this the problem? If so, how do I fix it?

Thanks!

ProFtpd starts using “/usr/sbin/proftpd” but fails using “service proftpd start”. Is there any reason for this? Here is an output from “/usr/sbin/proftpd -td10” (I have masked the server IP)

Checking syntax of configuration file

Note: ProFTPd was installed using “yum install”.

Any pointers would be a great help!

“Now, we need to convert the public keys that are currently used to log into the server. If you only have one user, you can use this command:”

There are no public keys on a server I believe if you’re doing a fresh install. Most people will have one user (root) - so I would probably elaborate on both of those issues, as if someone tries to do this with just the one account they have (root) this step will fail – care to elaborate on user creation, to circumvent users seeing a load failed trying this with root?

Thanks for the article!

Kamal Nasser
DigitalOcean Employee
February 17, 2014

@kituannjoseph: What’s the output of proftpd --configtest?

proftpd --configtest

Checking syntax of configuration file Syntax check complete.

Is it possible to combine this, but have the authorized keys use MySQL as the backend instead?

I am a little confused here

“sudo ssh-keygen -e -f ~username/.ssh/authorized_keys | sudo tee /etc/proftpd/authorized_keys/username”

I did try that but it didn’t work. As I believe it is trying to find my public key file, which I saved, but for me I saved it in my documents folder, so I did this

“sudo ssh-keygen -e -f ~kenpachi/Documents/ssh-key/my-public-key | sudo tee /etc/proftpd/authorized_keys/kenpachi”

I did that but it didn’t work. Please help.

I have read the earlier issues with this but the answer is not very clear

I followed all these steps for 12.04, no problem. In 14.04 I followed the same steps but I can’t log in:

Error: Server sent disconnect message
Error: type 14 (no more auth methods available):
Error: “No other authentication mechanisms available”
Error: Could not connect to server

Did something change in 14.04?

Thank you very much and if anyone has any idea please help me. Thank you again. Best Regards.

Found the solution for the problem, made a new droplet with Ubuntu 12.04 and just forgot Ubuntu 14.04.

Are you still using 12.04? because I’m having the same problem you have on 2014. Thanks!

Is this guide assuming that SSH keys have already been set-up on the server?

Kamal Nasser
DigitalOcean Employee
July 25, 2014

@infinitelink: Yes, you can set up SSH Keys by following this tutorial: How To Set Up SSH Keys.

This article is very poor and should be re-written. It needs to go much further into depth - especially after reading follow up comments, and the need to take actions prior to doing the steps in this article (like the fact that SSH keys need to be created prior)

When trying to use the “sudo ssh-keygen -e -f ~username/.ssh/authorized_keys | sudo tee /etc/proftpd/authorized_keys/username” command (using proper usernames), I’m asked for a sudo password which I enter, but the whole thing hangs after I hit enter and never completes.

Good tutorial. I also installed logrotate. Logrotate fails to restart ProFTPd:

```
ProFTPD is started in standalone mode, currently not running.
```

I'm forced to manually start:
```
$ sudo service proftpd start
```

It turns out there's [a race condition bug with ProFTPd](https://bugs.launchpad.net/ubuntu/+source/proftpd-dfsg/+bug/1246245). The solution is to edit the init file.
```
sudo vi /etc/init.d/proftpd
```

Approximately line 190, before:
```
    if [ -f "$PIDFILE" ]; then
        start-stop-daemon --stop --signal $SIGNAL --quiet --pidfile "$PIDFILE"
```

Approximately line 190, after:
```
    if [ -f "$PIDFILE" ]; then
        start-stop-daemon --stop --signal $SIGNAL --retry 1 --quiet --pidfile "$PIDFILE"
```

Note: I've added --retry 1.

I always got Error: Disconnected: No supported authentication methods available (server sent: publickey) used with FileZilla … So please help me … my sudo service proftpd status is working currently …

Running only sudo ssh-keygen -e -f /home/arce/.ssh/authorized_keys always gets me an error: load failed.

I tried using root (super user), sudo and it didn’t work.

It is a Debian 7.

Isn’t this all completely unnecessary?

If you already have a SSH server, an SFTP client should be able to connect to the SSH port (22 by default) just out of the box, without even installing an ftp server.

I’ve just checked on my droplet, which is a freshly installed Debian where I haven’t installed any FTP client. I can connect with Filezilla with SFTP.

Justin Ellingwood
DigitalOcean Employee
October 20, 2014

Yes. The SFTP server included with OpenSSH is secure and easy to use. However, some users are more familiar with older FTP servers and feel more comfortable working with them.

This configuration simply shows how to set up the ProFTPd software to use SFTP instead of the insecure FTP for users who wish to keep using ProFTPd. If you have no need to use ProFTPd, there is no reason to go through the above steps.

When I put sudo apt-get update && sudo apt-get install proftpd it works, but in the end I get fatal:failed to fork, and I don’t get any prompt to choose “standalone”. With the next command, “sudo nano /etc/proftpd/proftpd.conf”, I get a blank page, which means the file doesn’t exist because proftp hasn’t been installed successfully, so what to do?

Kamal Nasser
DigitalOcean Employee
December 7, 2014

Failed to fork means that apt can’t start a new process because there isn’t enough memory. Try adding a swap file to your droplet: How To Add Swap on Ubuntu 14.04 | DigitalOcean.

@kamaln7 the tutorial here describes how to set up ProFTPD with a MySQL backend. Is it possible to combine these two, i.e. configure ProFTPD to use SFTP while authenticating via a MySQL backend?

When I type: “sudo ssh-keygen -e -f ~username/.ssh/authorized_keys | sudo tee /etc/proftpd/authorized_keys/username” it says: “no such file or directory”. Not sure if I have to make my own key, and if I have to, how do I do it?

I’m blocked here:

ssh-keygen -e -f /root/.ssh/authorized_keys | sudo tee /etc/proftpd/authorized_keys/root

It asks me to “Enter passphrase” (which I don’t know what it is, I assume it’s my VPS SSH password) but it throws a load failed error! Any clue on how to get this thing working?

Thanks!

I setup everything as described above without any issues but when I login with root user for file transfer I don’t have access to the user directories in /home/. Weird. Any ideas?

Another question… Is it possible to filter uploaded files to certain file types like .jpg, .png for specific SFTP user?

Many thanks!

Why can’t I connect via sftp to froxlor created users? After following the above steps, I did this: https://forum.froxlor.org/index.php/topic/12753-configuring-proftpd-to-act-as-sftp-server/

Why can’t I connect via sftp to froxlor clients?

I followed the above steps and then after that, I did the following:

-> Add the following to /etc/proftpd/modules.conf

LoadModule mod_sftp.c

-> Add the following to /etc/proftpd/sql.conf

Include /etc/proftpd/sftp.conf

-> Create file /etc/proftpd/sftp.conf with following content:

<IfModule mod_sftp.c>
        SFTPEngine on
        SFTPLog /var/log/proftpd/sftp.log
        SFTPHostKey /etc/ssh/ssh_host_dsa_key
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
</IfModule>

-> Restarted proftpd and ssh

If anyone has a problem with multiple users, maybe this helps you:

sudo ssh-keygen -e -f /path/to/id_rsa.pub | sudo tee /etc/proftpd/authorized_keys/username_who_owns_key

it’s:

sudo ssh-keygen -e -f /home/user_name/.ssh/authorized_keys | sudo tee /etc/proftpd/authorized_keys/username_who_owns_key

I can’t find the ~/.ssh/id_rsa file, can you help me?

Normally the write-ups here are done very well. However, this one is not. Is mod_sftp enabled in the modules.conf by default? What about authenticating with PAM/Keyboard-Interactive? Why assume someone has keys on their server (I know something may be “best practice” but that is no excuse to leave out details of other configuration methods). This article is frustrating because of how good it could be, but isn’t.

I wish this could get some attention and possibly get a rewrite.

I can’t… connect with ftp.

I saw this error

root@sosyalwebia:~# sudo ssh-keygen -e -f /home/username/.ssh/authorized_keys | sudo tee /etc/proftpd/authorized_keys/username
ssh-keygen: /home/username/.ssh/authorized_keys: No such file or directory

Hi,

I have followed all these steps, and they work fine. Except when I connect to sftp using port 22 I still can log in and am not jailed to that folder.

I did do the steps in “Disable SFTP Access on the SSH Port” section!

Any ideas? I am using Ubuntu Server 14.04.

Thanks

I have SSH set up correctly and I’m using the key in FileZilla. Everything works just fine. But I need the user to use only the home directory. So I’ve tried to set it up as you wrote, and when I try to connect to 2222 I get:

Error: Server sent disconnect message
Error: type 14 (no more auth methods available):
Error: “No other authentication mechanisms available”
Error: No se pudo conectar al servidor

Thanks

I’m getting this issue when I’m trying to connect to the server…

Status: Connecting to example.com:2222…
Response: fzSftp started, protocol_version=8
Command: keyfile “~.ssh\id_rsa”
Command: open “tanner@example.com” 2222
Error: Connection attempt interrupted by user

I made sure to open port 2222 just in case it was the firewall… anyone else getting this problem? I went through the steps a couple of times again to make sure I didn’t follow them wrong…

Good article, all valid for ProFTPd today. Maybe add a little detail about the Ubuntu firewall “ufw” to open port 2222. Thanks for all!

Any reason this has not been updated in years?
