proftpd
sftp with "DefaultRoot ~ " fails
What I Did
When connecting with FileZilla towards Proftpd's mod_sftp I'm not able to connect if the user should be jailed into his/her home directory. If I remove the DefaultRoot enforcement, then I'm able to log in just fine.
Using FileZilla 3.28.0 on Ubuntu 18.04.
What I Expected/Wanted
I expect to be able to log in even though I have DefaultRoot configured. The strange thing is that this works just fine on a different system, running the same version of FileZilla, Proftpd and Ubuntu (only a slightly different Linux kernel).
If I connect using OpenSSH then I'm able to successfully connect. If I comment out the DefaultRoot directive, then I'm also able to connect just fine.
I enabled trace output, and comparing the working OpenSSH and non-working FileZilla sessions, I could see these differences a long way down in the trace:
OpenSSH
2019-10-01 14:03:58,493 [26702] <ssh2:3>: sent SSH_MSG_USER_AUTH_SUCCESS (52) packet (24 bytes)
2019-10-01 14:03:58,493 [26702] <response:7>: response added to pending list: 230 User marius logged in
FileZilla with DefaultRoot enabled
2019-10-01 14:00:40,992 [26258] <ssh2:3>: sent SSH_MSG_USER_AUTH_SUCCESS (52) packet (48 bytes)
2019-10-01 14:00:40,992 [26258] <signal:9>: handling SIGSEGV (signal 11)
FileZilla without DefaultRoot enabled
2019-10-01 14:31:12,197 [27757] <ssh2:3>: sent SSH_MSG_USER_AUTH_SUCCESS (52) packet (48 bytes)
2019-10-01 14:31:12,197 [27757] <response:7>: response added to pending list: 230 User marius logged in
ProFTPD Version and Configuration
$ proftpd -V
Compile-time Settings:
Version: 1.3.5e (maint)
Platform: LINUX [Linux 4.15.0-55-generic x86_64]
Built: Mon Feb 5 2018 23:27:47 UTC
Built With:
configure '--build=x86_64-linux-gnu' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--libexecdir=${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--prefix=/usr' '--with-includes=/usr/include/postgresql:/usr/include/mysql' '--mandir=/usr/share/man' '--sysconfdir=/etc/proftpd' '--localstatedir=/run' '--libexecdir=/usr/lib/proftpd' '--enable-sendfile' '--enable-facl' '--enable-dso' '--enable-autoshadow' '--enable-ctrls' '--with-modules=mod_readme' '--enable-ipv6' '--enable-nls' '--enable-memcache' '--with-lastlog=/var/log/lastlog' '--enable-pcre' '--disable-strip' '--build' 'x86_64-linux-gnu' '--with-shared=mod_unique_id:mod_site_misc:mod_load:mod_ban:mod_quotatab:mod_sql:mod_sql_mysql:mod_sql_postgres:mod_sql_sqlite:mod_sql_odbc:mod_dynmasq:mod_quotatab_sql:mod_ldap:mod_quotatab_ldap:mod_ratio:mod_tls:mod_rewrite:mod_radius:mod_wrap:mod_wrap2:mod_wrap2_file:mod_wrap2_sql:mod_quotatab_file:mod_quotatab_radius:mod_facl:mod_ctrls_admin:mod_copy:mod_deflate:mod_ifversion:mod_tls_memcache:mod_geoip:mod_exec:mod_sftp:mod_sftp_pam:mod_sftp_sql:mod_shaper:mod_sql_passwd:mod_ifsession' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/proftpd-dfsg-IzaTCF/proftpd-dfsg-1.3.5e=. -fstack-protector-strong -Wformat -Werror=format-security' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/proftpd-dfsg-IzaTCF/proftpd-dfsg-1.3.5e=. -fstack-protector-strong -Wformat -Werror=format-security'
CFLAGS: -g -O2 -fdebug-prefix-map=/build/proftpd-dfsg-IzaTCF/proftpd-dfsg-1.3.5e=. -fstack-protector-strong -Wformat -Werror=format-security -Wall
LDFLAGS: -L$(top_srcdir)/lib -Wl,-Bsymbolic-functions -Wl,-z,relro -L/usr/lib/x86_64-linux-gnu -L/usr/lib/x86_64-linux-gnu
LIBS: -lpcreposix -lpcre -lssl -lcrypto -lcap -lmemcached -lmemcachedutil -lpam -lsupp -lcrypt -ldl
Files:
Configuration File:
/etc/proftpd/proftpd.conf
Pid File:
/run/proftpd.pid
Scoreboard File:
/run/proftpd.scoreboard
Header Directory:
/usr/include/proftpd
Shared Module Directory:
/usr/lib/proftpd
Features:
+ Autoshadow support
+ Controls support
+ curses support
- Developer support
+ DSO support
+ IPv6 support
+ Largefile support
+ Lastlog support
+ Memcache support
+ ncurses support
+ NLS support
+ OpenSSL support
+ PCRE support
+ POSIX ACL support
+ Shadow file support
+ Sendfile support
+ Trace support
Tunable Options:
PR_TUNABLE_BUFFER_SIZE = 1024
PR_TUNABLE_DEFAULT_RCVBUFSZ = 8192
PR_TUNABLE_DEFAULT_SNDBUFSZ = 8192
PR_TUNABLE_GLOBBING_MAX_MATCHES = 100000
PR_TUNABLE_GLOBBING_MAX_RECURSION = 8
PR_TUNABLE_HASH_TABLE_SIZE = 40
PR_TUNABLE_NEW_POOL_SIZE = 512
PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
PR_TUNABLE_SELECT_TIMEOUT = 30
PR_TUNABLE_TIMEOUTIDENT = 10
PR_TUNABLE_TIMEOUTIDLE = 600
PR_TUNABLE_TIMEOUTLINGER = 30
PR_TUNABLE_TIMEOUTLOGIN = 300
PR_TUNABLE_TIMEOUTNOXFER = 300
PR_TUNABLE_TIMEOUTSTALLED = 3600
PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10
/etc/proftpd/proftpd.conf is not modified from the default version, sftp.conf included below:
<IfModule mod_sftp.c>
UseReverseDNS off
WtmpLog off
<VirtualHost 0.0.0.0>
SFTPEngine on
Port 2222
TransferLog /var/log/proftpd/xferlog
ExtendedLog /var/log/proftpd/ftp.log DIRS,AUTH,INFO default
# Configure both the RSA and DSA host keys, using the same host key
# files that OpenSSH uses.
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
<Directory />
HideFiles ^\..*
</Directory>
DefaultRoot ~
SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u
# Enable compression
SFTPCompression delayed
DisplayConnect None
DisplayLogin None
</VirtualHost>
</IfModule>
Ok, now I have no idea what's going on here. Am I on candid camera or something? I just realized that adding a space after '~' in the configuration directive allowed me to log in successfully (and be jailed in my home directory).
I'm not able to use any group expressions after '~', then it fails again. Ideally I want to omit a group from being jailed (which I have for the ftp service - where it works just fine).
Could this be for real?
Edit: Ok, now I'm definitely confused. This only worked for one user, not for any of the others... What's going on here?
What does ProFTPD debug logging (different from trace logging, and the SFTP module logging) show, for both the success and failure cases? I suspect that the trailing space is a red herring, that there's something else unexpected in your configuration.
I tried running proftpd like this:
proftpd -nd10
The logs then say:
2019-10-04 00:07:55,734 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): retrieved UID 1000 for user 'marius'
2019-10-04 00:07:55,734 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): retrieved group 'marius' for GID 1000
2019-10-04 00:07:55,735 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): retrieved group IDs: 1000, 4, 24, 27, 30, 46, 108, 124, 142, 143, 146, 1005, 1006
2019-10-04 00:07:55,735 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): retrieved group names: marius, adm, cdrom, sudo, dip, plugdev, lpadmin, sambashare, docker, incron, lxd, prod
2019-10-04 00:07:55,735 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): dispatching PRE_CMD command 'PASS (hidden)' to mod_shaper
2019-10-04 00:07:55,735 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): ROOT PRIVS at mod_shaper.c:2026
2019-10-04 00:07:55,735 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): RELINQUISH PRIVS at mod_shaper.c:2028
2019-10-04 00:07:55,735 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): dispatching PRE_CMD command 'PASS (hidden)' to mod_wrap2
2019-10-04 00:07:55,735 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): dispatching PRE_CMD command 'PASS (hidden)' to mod_ban
2019-10-04 00:07:55,735 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): dispatching PRE_CMD command 'PASS (hidden)' to mod_wrap
2019-10-04 00:07:55,735 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): dispatching PRE_CMD command 'PASS (hidden)' to mod_radius
2019-10-04 00:07:55,735 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): dispatching PRE_CMD command 'PASS (hidden)' to mod_delay
2019-10-04 00:07:55,735 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): dispatching PRE_CMD command 'PASS (hidden)' to mod_auth
2019-10-04 00:07:55,735 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): retrieved UID 1000 for user 'marius'
2019-10-04 00:07:55,735 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): ROOT PRIVS at mod_sftp_pam.c:351
2019-10-04 00:07:55,739 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): RELINQUISH PRIVS at mod_sftp_pam.c:390
2019-10-04 00:07:55,740 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): ROOT PRIVS at mod_sftp_pam.c:428
2019-10-04 00:07:57,389 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): RELINQUISH PRIVS at mod_sftp_pam.c:445
2019-10-04 00:07:57,389 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): ProFTPD terminating (signal 11)
2019-10-04 00:07:57,389 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): ProFTPD terminating (signal 11)
2019-10-04 00:07:57,390 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): mod_sftp/0.9.9: scrubbing 2 passphrases from memory
2019-10-04 00:07:57,390 mfl-server proftpd[24812] 0.0.0.0 (172.16.238.9[172.16.238.9]): SSH2 session closed.
We have over the last couple of days retrieved a lot of reports from customers having issues connecting over sftp, across different clients. So there is definitely something with the sftp module for proftpd that's a bit off. Feel like we have different error messages for different clients. OpenSSH looks like it's working fine for the most part, but for instance FileZilla and WinSCP are experiencing issues.
Bump. We're having lots of issues with the sftp implementation from proftpd, so it would definitely be nice to get some feedback on this. FileZilla definitely doesn't work; in addition, we have quite a lot of libraries and other implementations that also fail.
Can you try a newer version of ProFTPD, e.g. 1.3.6, or the master branch on GitHub?
It's possible that this is a duplicate/symptom of Issue #656; using the latest ProFTPD code from the master branch on GitHub can confirm if this is the case.
Yes, I definitely can try that, but the problem is that I'm running this on a production server running Ubuntu 18.04 and I'm having issues getting a package for 1.3.6 for this version. The first distro with a packaged version of this is 18.10, and I don't want to "bastardize" a production server by manually backporting OR building from source. Do you have a pre-built package available, or instructions for building a package that can be used for 18.04?
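The trace comparison in the original report (SSH_MSG_USER_AUTH_SUCCESS followed either by the 230 response or by SIGSEGV in the same session process) can be automated over a whole trace log. The following is an added example, not code from the thread or from ProFTPD; the function names and outcome labels are made up for illustration, and the sample input is constructed by joining the three excerpts quoted in the report into one stream.

```python
import re

# Constructed input: the three trace excerpts from the report, joined into one log.
SAMPLE_TRACE = """\
2019-10-01 14:03:58,493 [26702] <ssh2:3>: sent SSH_MSG_USER_AUTH_SUCCESS (52) packet (24 bytes)
2019-10-01 14:03:58,493 [26702] <response:7>: response added to pending list: 230 User marius logged in
2019-10-01 14:00:40,992 [26258] <ssh2:3>: sent SSH_MSG_USER_AUTH_SUCCESS (52) packet (48 bytes)
2019-10-01 14:00:40,992 [26258] <signal:9>: handling SIGSEGV (signal 11)
2019-10-01 14:31:12,197 [27757] <ssh2:3>: sent SSH_MSG_USER_AUTH_SUCCESS (52) packet (48 bytes)
2019-10-01 14:31:12,197 [27757] <response:7>: response added to pending list: 230 User marius logged in
"""

# Trace line layout as it appears in the excerpts:
#   <timestamp> [<pid>] <<channel>:<level>>: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<pid>\d+)\] <(?P<channel>[\w.-]+):(?P<level>\d+)>: (?P<msg>.*)$"
)


def classify_sessions(trace_text):
    """Return {pid: outcome} for every session process seen in the trace.

    Outcomes (hypothetical labels): 'no-auth', 'auth-only', 'logged-in',
    'crash-after-auth' (SIGSEGV right after auth success, before the 230
    response) and 'crash' (SIGSEGV at any other point).
    """
    state = {}
    for line in trace_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped or non-trace lines are ignored
        pid, channel, msg = int(m["pid"]), m["channel"], m["msg"]
        current = state.setdefault(pid, "no-auth")
        if channel == "ssh2" and "SSH_MSG_USER_AUTH_SUCCESS" in msg:
            state[pid] = "auth-only"
        elif channel == "signal" and "SIGSEGV" in msg:
            state[pid] = "crash-after-auth" if current == "auth-only" else "crash"
        elif channel == "response" and ": 230 " in msg and current == "auth-only":
            state[pid] = "logged-in"
    return state


def crashed_after_auth(trace_text):
    """Sorted PIDs of sessions that segfaulted between auth success and login."""
    outcomes = classify_sessions(trace_text)
    return sorted(p for p, o in outcomes.items() if o == "crash-after-auth")


if __name__ == "__main__":
    for pid, outcome in sorted(classify_sessions(SAMPLE_TRACE).items()):
        print(pid, outcome)
```

Grouping by PID matters because trace lines from concurrent sessions interleave in a busy log, so adjacent lines do not necessarily belong to the same login attempt.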