From bd7346b842bc918cf31982433ae8449e26308651 Mon Sep 17 00:00:00 2001 From: Sebastian Hugentobler Date: Tue, 13 Jun 2017 15:36:25 +0200 Subject: [PATCH] use sftp --- Dockerfile | 10 +++--- README.md | 32 ++------------------ rootfs/etc/confd/templates/proftpd.conf.tmpl | 25 +++++---------- rootfs/etc/cont-init.d/02-dhparam | 5 +++ rootfs/etc/cont-init.d/03-ssh-keys | 5 +++ rootfs/musl_mempcpy.patch | 4 ++- 6 files changed, 30 insertions(+), 51 deletions(-) create mode 100644 rootfs/etc/cont-init.d/02-dhparam create mode 100644 rootfs/etc/cont-init.d/03-ssh-keys diff --git a/Dockerfile b/Dockerfile index 79ac196..591921c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,13 +7,13 @@ RUN adduser -h /var/lib/proftp -u 2222 -D -G proftp proftp ADD /rootfs / -RUN apk add --no-cache libressl openldap tar gcc make g++ openldap-dev file +RUN apk add --no-cache libressl openssh-client openldap tar gcc make g++ openldap-dev zlib zlib-dev file RUN mkdir /tmp/proftpd RUN wget -qO- https://github.com/proftpd/proftpd/archive/$PROFTP_VERSION.tar.gz | tar -xz -C /tmp/proftpd --strip 1 WORKDIR /tmp/proftpd -RUN ./configure --with-modules=mod_ldap:mod_tls +RUN ./configure --with-modules=mod_ldap:mod_sftp RUN patch -p1 -i /musl_mempcpy.patch RUN make && make install @@ -21,6 +21,8 @@ RUN rm -r /tmp/proftpd RUN rm /musl_mempcpy.patch WORKDIR / -RUN apk del tar gcc make g++ openldap-dev file +RUN apk del tar gcc make g++ openldap-dev zlib-dev file -EXPOSE 21 +VOLUME /var/lib/proftp/keys /var/lib/proftp/data + +EXPOSE 22 diff --git a/README.md b/README.md index d4309dc..b38040a 100644 --- a/README.md +++ b/README.md 
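Review bot: The new `apk add` line now carries two packages that are runtime dependencies of the init scripts added in this commit rather than build dependencies — `openssh-client` for ssh-keygen in 03-ssh-keys, and the `openssl` CLI for 02-dhparam (presumably provided by `libressl`; worth confirming that package ships the binary) — but nothing on the line records that, and the `apk del` line in the second hunk is exactly where someone trimming the image would look. A comment above the `apk add` line would make the split explicit: `# build deps are removed below; libressl and openssh-client stay because cont-init.d/02-dhparam and 03-ssh-keys call openssl and ssh-keygen at container start`.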
@@ -1,39 +1,13 @@ -File access with [ProFTPD](http://www.proftpd.org/) and ldap authentication. +File access with [ProFTPD](http://www.proftpd.org/) over sftp and ldap authentication. # Volumes - `/var/lib/proftp/data`: root directory for files -- `/etc/ssl/proftp:ro`: certificates have to be here +- `/var/lib/proftp/keys`: ssh key files # Environment Variables ## SERVER_NAME Name displayed to connecting users. -## PASSIVE_LOWER_BOUND -Lower bound for the passive port range. - -## PASSIVE_UPPER_BOUND -Upper bound for the passive port range. - -## TLS_PROTOCOL -- default: TLSv1.2 - -SSL/TLS protocol version to use. - -## TLS_CIPHERS -- default: AES128+EECDH:AES128+EDH - -Cipher list to use. - -## CERT_NAME -- default: fullchain.pem - -Name of the certificate file. - -## KEY_NAME -- default: privkey.pem - -Name of the key file. - ## LDAP_URI Full ldap uri with search qualifier. @@ -64,7 +38,7 @@ Whether to use tls when connecting to the ldap host. Whether to use auth bind with ldap. # Ports -- 21 +- 22 - All ports in the defined bounds ## Capabilities diff --git a/rootfs/etc/confd/templates/proftpd.conf.tmpl b/rootfs/etc/confd/templates/proftpd.conf.tmpl index 0c9488f..6bcbbb8 100644 --- a/rootfs/etc/confd/templates/proftpd.conf.tmpl +++ b/rootfs/etc/confd/templates/proftpd.conf.tmpl @@ -1,7 +1,7 @@ ServerName "{{getenv "SERVER_NAME"}}" ServerType standalone DefaultServer on -Port 21 +Port 22 UseIPv6 off Umask 006 007 MaxInstances 30 
@@ -12,31 +12,22 @@ DefaultChdir /var/lib/proftp/data AllowOverwrite on RequireValidShell off -PassivePorts {{getenv "PASSIVE_LOWER_BOUND"}} {{getenv "PASSIVE_UPPER_BOUND"}} - DenyAll - - TLSEngine on - TLSProtocol {{getenv "TLS_PROTOCOL" "TLSv1.2"}} - TLSRequired on - - TLSRSACertificateFile /etc/ssl/proftp/{{getenv "CERT_NAME" "fullchain.pem"}} - TLSRSACertificateKeyFile /etc/ssl/proftp/{{getenv "KEY_NAME" "privkey.pem"}} - - TLSVerifyClient off - TLSServerCipherPreference on - TLSSessionCache internal: 1800 - TLSCipherSuite {{getenv "TLS_CIPHERS" "AES128+EECDH:AES128+EDH"}} + + SFTPEngine on + SFTPAuthMethods password + SFTPDHParamFile /var/lib/proftp/keys/dhparams.pem + SFTPHostKey /var/lib/proftp/keys/ssh_rsa_key AuthOrder mod_ldap.c - + LDAPAttr uid cn - + LDAPServer {{getenv "LDAP_URI"}} LDAPUseTLS {{getenv "LDAP_USE_TLS" "on"}} LDAPAuthBinds {{getenv "LDAP_USE_AUTH_BIND" "on"}} diff --git a/rootfs/etc/cont-init.d/02-dhparam b/rootfs/etc/cont-init.d/02-dhparam new file mode 100644 index 0000000..900dea2 --- /dev/null +++ b/rootfs/etc/cont-init.d/02-dhparam @@ -0,0 +1,5 @@ +#!/usr/bin/with-contenv sh + +if [ ! -f /var/lib/proftp/keys/dhparams.pem ]; then + openssl dhparam -outform PEM -5 nbits >> /var/lib/proftp/keys/dhparams.pem +fi diff --git a/rootfs/etc/cont-init.d/03-ssh-keys b/rootfs/etc/cont-init.d/03-ssh-keys new file mode 100644 index 0000000..0042a07 --- /dev/null +++ b/rootfs/etc/cont-init.d/03-ssh-keys @@ -0,0 +1,5 @@ +#!/usr/bin/with-contenv sh + +if [ ! -f /var/lib/proftp/keys/ssh_rsa_key ]; then + ssh-keygen -b 2048 -t rsa -f /var/lib/proftp/keys/ssh_rsa_key -q -N "" +fi diff --git a/rootfs/musl_mempcpy.patch b/rootfs/musl_mempcpy.patch index 8376029..9653969 100644 --- a/rootfs/musl_mempcpy.patch +++ b/rootfs/musl_mempcpy.patch @@ -1,6 +1,8 @@ +diff --git a/lib/pr_fnmatch.c b/lib/pr_fnmatch.c +index a1cb101..03956c1 100644 --- a/lib/pr_fnmatch.c 
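Review bot: The new mod_sftp block pins nothing about the transport — the removed `TLSProtocol`/`TLSCipherSuite` lines fixed protocol version and cipher list explicitly, whereas the added `SFTPEngine`/`SFTPAuthMethods`/`SFTPDHParamFile`/`SFTPHostKey` lines leave ciphers, MACs and key exchange to the defaults of whatever mod_sftp version `$PROFTP_VERSION` resolves to, which for older releases may include legacy algorithms. I would add explicit `SFTPCiphers`, `SFTPDigests` and `SFTPKeyExchanges` lines next to `SFTPHostKey`, chosen from what that release supports, plus an `SFTPLog` so that failed password attempts against the LDAP backend are recorded somewhere an operator can watch. The angle-bracket container directives appear to have been stripped from this rendering, so I cannot tell whether these lines sit inside an `<IfModule mod_sftp.c>` block or what the removed `DenyAll` limit guarded; please check that the restriction it expressed did not need to carry over to the sftp setup.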
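Review bot: `openssl dhparam -outform PEM -5 nbits >> /var/lib/proftp/keys/dhparams.pem` passes the literal word `nbits` where the bit count belongs, which openssl should reject as a non-numeric argument, and because the shell opens the `>>` target before the command runs, the failed run leaves an empty dhparams.pem behind. On every later start the `[ ! -f … ]` guard then sees that file and never regenerates it, and since the keys directory is a volume the broken file persists across container recreation; the template points `SFTPDHParamFile` at this path, so the server presumably cannot use it. Give the size explicitly (2048 matches the RSA size used in 03-ssh-keys) and only move the file into place on success: `openssl dhparam -outform PEM -5 -out /var/lib/proftp/keys/dhparams.pem.tmp 2048 && mv /var/lib/proftp/keys/dhparams.pem.tmp /var/lib/proftp/keys/dhparams.pem`. Generating 2048-bit DH parameters can take minutes on first start, which is worth a comment in the script so a slow first boot is not mistaken for a hang.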
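Review bot: The host key is generated silently (`-q`) on first start and lives only in the keys volume, so nothing ever tells the operator its fingerprint, and clients connecting to port 22 have no out-of-band value to verify against on first connection. After the `ssh-keygen` line, print it to the container log with `ssh-keygen -l -f /var/lib/proftp/keys/ssh_rsa_key.pub` (ssh-keygen writes the `.pub` next to the private key), ideally on every start rather than only inside the `if`, so the fingerprint is also visible when the key already exists. The empty passphrase (`-N ""`) is the right choice for a server host key that proftpd must read unattended.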
+++ b/lib/pr_fnmatch.c
-@@ -250,7 +250,7 @@
+@@ -250,7 +250,7 @@ __wcschrnul (const wchar_t *s, wint_t c)
 # endif
 # define STRLEN(S) strlen (S)
 # define STRCAT(D, S) strcat (D, S)