SFTP server: better to use SSH internal sftp subsystem or ProFTPD plugin?

Solution 1:

SSH's sftp server has some additional requirements for chroot directories, ie. user cant have write access to chroot dir in some enviroments this might be a problem.

If You also need ftp/ftps I would suggest giving mod_sftp a go. We are using it in production on about 20 servers with over 10k accounts with almost nil problems (sftp is the least used protocol). The downside might be that it doesn't support password authentication method, but it supports rsa key and keyboard-interactive so it is only a problem for very old clients.

Solution 2:

This is an older thread but I'd just like to add for future readers that we've been configuring servers to use proftpd with mod_sftp for years with no problems at all. I like very much that the separation of services gives fine-grained control over security, the service itself, and user management.

You can configure proftpd to support either or both passwords/keys with mod_sftp if you also include the sftp_pam module. Here's example config that enables both:

# Include all available modules
Include /etc/proftpd/modules.conf

<Global>
  <IfModule mod_sftp.c>
    <IfModule mod_sftp_pam.c>
      SFTPPAMEngine on
      SFTPPAMServiceName sftp
    </IfModule>

    SFTPEngine on
    SFTPLog /var/log/proftpd/sftp.log

    # Configure both the host keys
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    SFTPHostKey /etc/ssh/ssh_host_dsa_key

    SFTPAuthMethods publickey password keyboard-interactive
    SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

    # Enable compression
    SFTPCompression delayed
  </IfModule>
</Global>