# pure-ftpd over ssh with virtual users problem

## JJacobsson

Hello, I am having problems with running pure-ftpd over ssh (sftp). If I use system accounts, everything works fine (both normal and sftp). But if I try to use virtual accounts (using puredb, nothing fancy like MySQL or anything...) I can only connect over normal ftp, not over sftp.

Correction, I can connect, but the password is rejected. Has anyone else experienced this?

----------

## steveb

which version of pure-ftpd are you using?

cheers

SteveB

----------

## JJacobsson

1.0.16b, the one in portage...

----------

## steveb

try the 1.0.17a release. it is not in portage, but you can download it directly from the homepage of pure-ftpd: pure-ftpd-1.0.17a.ebuild

cheers

SteveB

----------

## JJacobsson

Installed, but I still have the same problem... :/

----------

## steveb

did you follow the guide in the FAQ?

```
* FTP over SSH.

-> How to run Pure-FTPd over SSH? I want to encrypt all connection data
(including passwords).

FTP-over-SSH is a nice alternative over FTP-over-SSL (impossible to securely
firewall) and SFTP (which is slower, but only uses one port).

Customers using Windows can use FTP-over-SSH with the excellent Van Dyke's
SecureFX client (http://www.vandyke.com). It doesn't require any special
knowledge: just tell your customer to check "FTP-over-SSH2" in the
"Protocol" listbox when creating an account for your FTP server.

On the server side, here's how to manage FTP-over-SSH accounts:

1) Add /usr/bin/false to your /etc/shells file (on some systems, it's
/bin/false).

2) To create a FTP-over-SSH account, create a system account with /dev/null
as a home directory and /usr/bin/false as a shell. You don't need a
dedicated uid: the same uid can be reused for every FTP-over-SSH account.

3) Create a virtual user account for that user (either with PureDB, SQL or
LDAP). Give that virtual user a real home directory and only allow
connections coming from 127.0.0.1 (all FTP-over-SSH sessions will come from
localhost, due to SSH tunneling).

People with no home directory (/dev/null) and no valid shell
(/usr/bin/false) won't be able to get a shell nor to run any command on your
server. But they will be granted FTP-over-SSH sessions.

Here are examples (Linux/OpenBSD/ISOS/EkkoBSD commands, translate them if
necessary).

1) Creating a regular FTP account:

pure-pw useradd customer1 -m -d /home/customer1 -u ftpuser

2) Creating a FTP-over-SSH account (non-encrypted sessions are denied):

useradd -u ftpuser -g ftpgroup -d /dev/null -s /usr/bin/false customer2
pure-pw useradd customer2 -m -d /home/customer2 -u ftpuser -r 127.0.0.1/32

3) Creating an account who can use regular (unencrypted) FTP from the
internal network (192.168.1.x), but who must use FTP-over-SSH when coming
from an external network (internet):

useradd -u ftpuser -g ftpgroup -d /dev/null -s /usr/bin/false customer3
pure-pw useradd customer3 -m -d /home/customer3 -u ftpuser \
        -r 127.0.0.1/32,192.168.1.0/24
```

cheers

SteveB

----------

## JJacobsson

Unfortunately, I did... almost to the letter. I didn't name my user and group the same but otherwise...

What's so weird is that the virtual user accounts work, just not over ssh with sftp.

----------

## JJacobsson

Huh, it seems like pure-ftpd doesn't get a say in the matter when I try to connect over ssh... I get this in the logs:

```
[sshd] Failed password for illegal user <username> from ::ffff:213.65.1.161 port 60063 ssh2
```

Something wrong with my sshd config perhaps? Or PAM maybe? Anyone with a clue?

----------
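Added example (not part of the thread or of the pure-ftpd FAQ): a small checker that takes the login names from sshd "Failed password" lines like the one quoted above and tests each against the FAQ's system-side steps 1 and 2. The log, passwd and shells contents are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample inputs (assumptions, not data from the thread).
SAMPLE_LOG = """\
[sshd] Failed password for illegal user customer1 from ::ffff:192.0.2.10 port 60063 ssh2
[sshd] Failed password for customer2 from ::ffff:192.0.2.10 port 60064 ssh2
[sshd] Accepted password for customer3 from ::ffff:192.0.2.10 port 60065 ssh2
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
customer2:x:1001:1001::/dev/null:/bin/false
customer3:x:1001:1001::/dev/null:/usr/bin/false
"""
SAMPLE_SHELLS = "/bin/bash\n/usr/bin/false\n"

# sshd writes "illegal user" (later OpenSSH releases: "invalid user") when the
# login name is not a system account it knows about.
FAILED = re.compile(r"Failed password for (?:(?:illegal|invalid) user )?(\S+) from ")

def parse_passwd(text):
    """Map login name -> (home, shell) from passwd(5)-format text."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            accounts[fields[0]] = (fields[5], fields[6])
    return accounts

def check_account(user, accounts, shells):
    """List the FAQ's system-side requirements that `user` does not meet."""
    if user not in accounts:
        return ["no system account (FAQ step 2)"]
    home, shell = accounts[user]
    findings = []
    if shell not in shells:
        findings.append(f"shell {shell} not listed in /etc/shells (FAQ step 1)")
    if home != "/dev/null":
        findings.append(f"home is {home}, FAQ step 2 uses /dev/null")
    return findings

def diagnose(log_text, passwd_text, shells_text):
    """Check every login name that had an sshd password failure."""
    accounts = parse_passwd(passwd_text)
    shells = {s.strip() for s in shells_text.splitlines() if s.strip()}
    users = sorted(set(FAILED.findall(log_text)))
    return {u: check_account(u, accounts, shells) for u in users}
```

On a real host the three inputs would be the sshd log, `/etc/passwd` and `/etc/shells`; an empty findings list for a user means the system side matches the FAQ and the virtual-user entry is the next thing to check.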

