Debian 10 - Proftpd not starting on new install

Hello everyone,

I’ve been trying to get this to work but I’m not educated enough in Debian I think…

So I’ve installed Debian 10 with the netinstall DVD 10.20 and installed no packages.
I’ve downloaded the install.sh file and executed it.

During the install (on the net part) the network card goes offline but I was able to get it back by doing an ifup ens192 and the installation goes on without any errors.

I can do the installation wizard with no problems but when I go to the dashboard I see that the Proftpd service is not running.

I’ve investigated a bit using Google and it has something to do with a newer kind of certificates that have a new layout in the file and proftpd cannot use the new format.

I’ve tried the steps that were listed on the other websites but they didn’t help me…
The info I am referring to is here: https://github.com/proftpd/proftpd/issues/793

I hope someone can help. I can’t be the only one with this problem.
I’ve tried to re-install debian multiple times ( I think this is my 7th try )

Greetings

Frank Biesmans
The Binary One

A little follow up.

If I install openssh-server (before install.sh script) there are some certificates that are not compatible. If I don’t install openssh-server (before install.sh script) there are no certificates.

Output that I get for systemctl status proftpd.service (without openssh-server):

fatal: SFTPHostKey: unable to check /etc/proftpd/ssh_host_rsa_key  no such file or directory
error: unable to open parse file /etc/proftpd/conf.d/virtualmin.conf Operation not permitted
fatal: SFTPHostKey: unable to check /etc/proftpd/ssh_host_ecdsa_key no such file or directory

Hope this helps or rings a bell.

What is the output of the command:

cat /etc/ssh/ssh_host_rsa_key

Is this file empty and has a key at all in it?

As a workaround, for now, you can comment out in /etc/proftpd/conf.d/virtualmin.conf file the following lines, so they would look like:

#SFTPHostKey /etc/proftpd/ssh_host_rsa_key
#SFTPHostKey /etc/proftpd/ssh_host_ecdsa_key

…and then restart the daemon:

systemctl restart proftpd

I will pass this to @Joe for review, as I think, some configuration steps should be different or are failing on Debian 10.

@Joe This is how /etc/ssh/sshd_config looks like on Debian 10. SSH doesn’t seem to use those files at all.

Maybe, it would be right to completely disable using of global RSA host key?

SFTPHostKey NoRSA

cat /etc/ssh/ssh_host_rsa_key --> . no such file or directory

I’ve commented out the two lines and the FTP server seems to be running now.
I’ll give it a try to see if everything is working now…

Thanks for the help!

Jumping in to be kept informed and because I run into the same issue on every new Debian 10 install.

OK, I think I got it.

@Joe Could you look at the GitHub link above?

It seems that, on Debian 10, the SSH keys used by ProFTPD should be generated with the “-m PEM” flag in order to work properly.

I fixed it by doing this on my Debian 10 servers:

rm /etc/proftpd/ssh_host*
ssh-keygen -f /etc/proftpd/ssh_host_rsa_key -N '' -t rsa -m PEM
ssh-keygen -f /etc/proftpd/ssh_host_ecdsa_key -N '' -t ecdsa -m PEM
/etc/init.d/proftpd restart

Hope it helps.

1 Like
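An added example, not part of any post in this thread: a small audit that tells PEM-format host keys (what `ssh-keygen -m PEM` writes) apart from the newer OpenSSH container format by their header line, and flags keys that are group- or world-accessible. The function names and the sample files are assumptions made for the illustration; the sample files contain header lines only, not key material.

```shell
#!/bin/sh
# Added example: find ProFTPD host keys that need regenerating with -m PEM.

# key_format FILE -> prints one of: pem, openssh, missing, unknown
key_format() {
    [ -f "$1" ] || { echo missing; return; }
    case "$(head -n 1 "$1")" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----") echo pem ;;
        *) echo unknown ;;
    esac
}

# perms_ok FILE -> succeeds only when group and other have no access bits
perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit_keys FILE... -> one report line per file; returns 1 if any needs work
audit_keys() {
    rc=0
    for f in "$@"; do
        fmt=$(key_format "$f")
        if [ "$fmt" = pem ] && perms_ok "$f"; then
            echo "OK     $f"
        elif [ "$fmt" = pem ]; then
            echo "PERMS  $f (group/other access, chmod 600)"; rc=1
        else
            echo "REGEN  $f ($fmt, regenerate with ssh-keygen -m PEM)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files (header lines only) in a throwaway directory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$demo_dir/ssh_host_rsa_key"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$demo_dir/ssh_host_ecdsa_key"
chmod 600 "$demo_dir"/ssh_host_*
audit_keys "$demo_dir/ssh_host_rsa_key" "$demo_dir/ssh_host_ecdsa_key" \
           "$demo_dir/absent_key" || true
```

On a real server the same check would be `audit_keys /etc/proftpd/ssh_host_*`, run as root before restarting ProFTPD.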

@Nico94 as it said … can you read that error msg please…? ssh keys != proftpd crapware to be able to read it… please note ssh is sftp but it is not ftps… not ssl ftp… that is very different… ftp is pure text and very dangerous even if doing via ssl - and via ssl it's freaking awesome slow… only sys like 20 years behind uses in gpl version… to be honest if you use ftp or ftps - I would rather not host with you… that's how bad it is… :slight_smile:

Not sure I fully understand your answer, sorry my English is probably not good enough.

Nobody is talking about doing FTP: the idea here is to make ProFTPD (but actually more specifically mod_sftp) working on “Debian 10 + Virtualmin” fresh installations … which is currently not the case: “out of the box” ProFTPD fails to start. This is so because ProFTPD’s mod_sftp does not support the keys as they are generated after Virtualmin’s install process.

This is my understanding of the current issue … but I might very well be wrong. If so, please correct me … or even better: if you have a better/safer workaround, feel free to share it :slight_smile:

@unborn: ProFTPD also supports FTP over ssh via the mod_sftp plugin, and we enable that feature on port 2222. This allows for people who don’t want to offer full ssh access to their users via ssh, but do want to offer FTP over SSH. It’s not dangerous, ProFTPD is well-maintained software with a pretty good security record. FTP without encryption is dangerous, but there are multiple ways to connect to FTP with encryption and we support two of them (FTP with SSL/TLS and FTP over ssh, via both openssh and proftpd). @Nico94 is right, you’re wrong (and unnecessarily grouchy about it). :wink:

I guess I need to update Virtualmin-Config to handle this better.

3 Likes

@Joe well in this case I am sorry and I do finally understand the whole thingy - years back I did think that proftpd is only for ftp and sftp (ftp with ssl on top of it), but now I see… thanks for letting me learn my lesson… - you know I am old folk, using just ssh :slight_smile: I left proftpd back in 2011 - that is the last time I’ve been using it - means I am perhaps obsolete in this discussion and won’t be any help to fellow users. @Nico94 I am well sorry for my idiotic misunderstanding.

Don’t worry, the point here was to draw Joe’s attention to a possible bug … mission accomplished :slight_smile:

PureFTP should be used instead, faster and more secure