I have a request to set up "mutual SSL Authentication" using SFTP. They want to have a ProFTPd SFTP server authenticate the client by certificate. Is this even possible using SFTP? I assume because SFTP is key-based SSH rather than cert-based, it is not easily done. I suspect what they really want would be FTPS, but they insist on SFTP. Is anyone doing anything like this? Thanks!
- Wait a minute: ProFTPd is an `ftp` server. It cannot speak the `sftp` protocol, which is something totally different. You need an `ssh` server for that; `sftp` is a subprotocol of `ssh2`. – arkascha Mar 30 '16 at 16:43
- And yes, `sftp` should certainly be preferred over `ftps`, which again should be preferred over `ftp`. – arkascha Mar 30 '16 at 16:44
- OK, sorry, turns out I am not up to date! Indeed there appears to be an sftp module for ProFTPd. Interesting, though I ask myself if I really would want to trust such a thing. – arkascha Mar 30 '16 at 16:46
- ProFTPD's [mod_sftp](http://www.proftpd.org/docs/contrib/mod_sftp.html) does not currently support _certificates_ (either X509v3, as used by SSL/TLS, or OpenSSH's own SSH certificates); it can only authenticate clients by password, publickey, or (via [mod_auth_otp](http://www.proftpd.org/docs/contrib/mod_auth_otp.html)) one-time passwords. – Castaglia Mar 30 '16 at 17:48
- Thanks Castaglia and arkascha! – Mike J. Mar 30 '16 at 19:28
1 Answer
As already mentioned, the question does not make sense on several points:
- SFTP is a file transfer protocol over SSH, which does not support any "SSL authentication" (unless you use the X.509 patch, though it might be your target).
- ProFTPd might support SFTP (not natively, as mentioned in the comments), but certainly not with an authentication method other than the ones supported by SSH.
You can set up OpenSSH with sftp-server and set up a CA for signing host keys and client keys (not X.509, but OpenSSH's own), which might suit your needs, except it is not "SSL".
Or the other way around, use ProFTPd, use real SSL, but give up SFTP in favour of FTPS.
Both solutions are valid and reasonable, but making some mutant between them does not seem like a good future-proof solution.
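As an added example that is not part of the original answer (and not ProFTPD or OpenSSH project code), here is the OpenSSH-CA route the answer sketches, scripted end to end: a host CA and a user CA, a signed host key for the server, a client certificate whose holder can do nothing but SFTP, and the sshd_config and known_hosts fragments that tie the two sides together. The hostname sftp.example.com, the account sftpuser, the paths under /etc/ssh and /srv/sftp, and the validity periods are assumptions made for illustration; it needs ssh-keygen from OpenSSH 5.4 or later, where certificates were introduced.

```shell
#!/bin/sh
# Added example, not part of the original answer: the "OpenSSH CA" alternative
# it describes, scripted. Hostnames, user names, paths and validity periods are
# assumptions for illustration. Requires ssh-keygen (OpenSSH 5.4 or later).
set -eu

# Build a small SSH certificate authority in DIR: a host CA, a user CA, a
# signed host key for the SFTP server and a signed client key restricted to
# SFTP, plus the server and client configuration fragments that use them.
build_pki() {
  dir=$1

  # Separate CAs for hosts and users: a leaked user CA then cannot mint host
  # certificates and vice versa. -N '' means no passphrase (demo only; keep
  # real CA keys offline or in an agent).
  ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$dir/host_ca"
  ssh-keygen -q -t ed25519 -N '' -C user-ca -f "$dir/user_ca"

  # Server host key, signed as a *host* certificate (-h). -n lists the names
  # the certificate is valid for; -V bounds its lifetime (52 weeks here).
  ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key"
  ssh-keygen -q -s "$dir/host_ca" -I 'sftp.example.com host key' -h \
    -n sftp.example.com -V +52w "$dir/ssh_host_ed25519_key.pub"

  # Client key, signed as a *user* certificate. -n lists the login names the
  # holder may use; the -O options strip everything a file-transfer client
  # does not need, so the certificate is useless for interactive access even
  # if sshd_config were later loosened.
  ssh-keygen -q -t ed25519 -N '' -f "$dir/client_key"
  ssh-keygen -q -s "$dir/user_ca" -I 'client@example.com' \
    -n sftpuser -V +4w \
    -O no-pty -O no-port-forwarding -O no-agent-forwarding \
    -O no-x11-forwarding -O no-user-rc \
    "$dir/client_key.pub"

  # Server side (assumed paths): trust the user CA, present the host
  # certificate, and pin the account to the built-in SFTP server in a chroot.
  cat > "$dir/sshd_config.fragment" <<EOF
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys /etc/ssh/user_ca.pub
Subsystem sftp internal-sftp
Match User sftpuser
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    PasswordAuthentication no
    AllowTcpForwarding no
EOF

  # Client side: a @cert-authority entry accepts any host certificate signed
  # by the host CA for sftp.example.com, so there is no trust-on-first-use
  # prompt and host key rotation needs no client change.
  printf '@cert-authority sftp.example.com %s\n' "$(cat "$dir/host_ca.pub")" \
    > "$dir/known_hosts"
}

# True when the user certificate at $1 carries principal $2
# (ssh-keygen -L prints each principal on its own indented line).
user_cert_has_principal() {
  ssh-keygen -L -f "$1" | grep -q "^[[:space:]]*$2\$"
}

# Demonstration run: build everything in a scratch directory and show the
# client certificate as sshd will see it.
work=$(mktemp -d)
build_pki "$work"
ssh-keygen -L -f "$work/client_key-cert.pub"
echo "Client would connect with:"
echo "  sftp -o UserKnownHostsFile=$work/known_hosts -i $work/client_key sftpuser@sftp.example.com"
```

The client needs only the private key and its `client_key-cert.pub` next to it; ssh picks the certificate up automatically for an `-i` or `IdentityFile` key. Mutual authentication here is the server checking the client certificate against `TrustedUserCAKeys` and the client checking the host certificate against the `@cert-authority` line, so neither side distributes individual public keys out of band. Two things sshd will reject at run time that this script cannot check for you: the `ChrootDirectory` must be owned by root and not writable by anyone else, and the user CA public key (not the private key) is what goes on the server.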