Adding SFTP support to Plone

Hi,

I want to move from FTP to SFTP. I know Zope by default doesn't support SFTP. Has anyone had experience using:

Any reason I shouldn't try to use SFTP v FTP? Suggestions for different product?

I'm using Plone 5, and I haven't tested this product yet.

Thanks all

This extension is for buildout and has nothing to do with any protocol support in Plone.

-aj

Thanks, aj,

Thanks for your response. I need to ask a few questions to clarify for me.

I use Putty to access SSH and FileZilla for FTP/SFTP.
Zope (therefore Plone?) does not support SFTP, correct? This is what you mean by protocol support for Plone, correct?
What does it mean that buildout supports SFTP?

In the documentation, I found this: "Then you can use sftp URLs for find-links or index URLs."

What does this mean?

Thanks for your help

Buildout is for installing Plone and dependencies.
Buildout has nothing to do with protocols supported by Plone which are only http, webdav and ftp.

-aj

The buildout plugin you mention is a plugin for buildout, which is the tool used to configure and install Plone and its plugins. It adds no features to Zope or Plone itself.

Plone's support for FTP and WebDAV comes directly from Zope. Zope's implementation of FTP is old and built at a very low level into Zope. It doesn't support SFTP and probably isn't likely to in the near future, but there is no harm in submitting a feature request to the Zope community to support it.

I'm not sure if there is another way of supporting SFTP to upload content into Plone. Perhaps there is a standalone SFTP to FTP/WebDAV server?

What do you need to protect? The passwords or the data?

If just the passwords, use an ssl tunnel for the ftp control channel.

If you're concerned with the data, and it's primarily blobs, use reflecto and a file-system directory accessible via sftp.

2 Likes

Some dozen years ago, when he was at Zope Corp., Fred Drake once wrote an "SFTPGateway" that was a proxy from SFTP to passive FTP, intending to target ZServer. It was never released to my knowledge (just in long-since-dead public CVS), and even if resurrected would likely require significant updates to work with current Twisted and pyCrypto... at which point, even if you could obtain this, I suspect it would be easier to re-write something like this from the ground up based on Paramiko to support current protocols (12 years is a long time for bit rot).

Anyway, you have some alternatives to consider:

(1) Use stunnel across public networks. Or a VPN.

(2) Use DAV, really. At the point where you are using FTP to ZServer, you might as well. Let the encrypted channel be a commodity HTTP proxy problem for Apache or nginx.

(3) Do what Steve suggests, and just SFTP file uploads to the file system. If you don't want to use Reflecto to wrap/serve them, then write a cron job or a small file-watcher (e.g. use watchdog or inotify, etc.) to sync them into your ZServer based on hard-coded criteria for the destination folder.

(4) Write software to make something similar to SFTPGateway/proxy solution, likely not the practical choice.

I should also point out: SSH, even to OpenSSH, is a super-slow channel for uploading on high-speed networks, maybe 2.5 times slower than CIFS or HTTP.

IMHO, while imperfect, WebDAV is the path of least resistance.

Sean
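As an added example for options (2) and (3) above, not code from Plone, Reflecto or anyone in this thread: a small Python sync job that picks up files from an SFTP landing directory once they have stopped changing, maps them to a Plone folder by hard-coded rules, and PUTs them over WebDAV through an HTTPS-terminating proxy. The landing path, the proxy URL, the Basic-auth account and the extension-to-folder table are all assumptions; it also assumes Zope's WebDAV port is published behind that proxy and that a PUT to a folder creates or replaces a file item there.

```python
"""Sync files dropped over SFTP into Plone over WebDAV (example code, not
Plone's, Reflecto's or any Zope product's). Assumed: an SFTP chroot drops
files in LANDING; Plone's WebDAV port sits behind a TLS proxy at DAV_BASE;
Basic auth over that HTTPS connection; PUT to /Plone/<folder>/<name> creates
or replaces a file item."""
import base64
import mimetypes
import os
import re
import time
import urllib.request

LANDING = "/srv/sftp/incoming"        # assumed chrooted SFTP landing directory
DAV_BASE = "https://cms.example.org"  # assumed proxy URL in front of Zope's webdav port
SETTLE_SECONDS = 30                   # a file counts as finished when untouched this long

# Hard-coded destination criteria: extension -> Plone folder under the site root (assumed).
DEST_BY_EXT = {".pdf": "documents", ".jpg": "images", ".png": "images", ".mp4": "videos"}
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def stable_files(root, now=None, settle=SETTLE_SECONDS):
    """Files in root whose mtime is at least `settle` seconds old, so a file the
    SFTP client is still writing is not sent half-finished."""
    now = time.time() if now is None else now
    ready = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isfile(path) and now - os.stat(path).st_mtime >= settle:
            ready.append(path)
    return ready


def destination(name, site="/Plone"):
    """Map an uploaded file name to a WebDAV path, or None if no rule matches.
    The name is validated against SAFE_NAME so a crafted upload name such as
    '../../acl_users' cannot steer the PUT outside the target folder."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"refusing unsafe upload name {name!r}")
    folder = DEST_BY_EXT.get(os.path.splitext(name)[1].lower())
    return None if folder is None else f"{site}/{folder}/{name}"


def build_put(dav_path, payload, user, password):
    """A WebDAV PUT with Basic auth; acceptable only because TLS wraps it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    ctype = mimetypes.guess_type(dav_path)[0] or "application/octet-stream"
    return urllib.request.Request(
        DAV_BASE + dav_path,
        data=payload,
        method="PUT",
        headers={"Authorization": f"Basic {token}", "Content-Type": ctype},
    )


def sync_once(root, user, password, opener=urllib.request.urlopen):
    """One pass: PUT every settled, rule-matching file, then delete the local
    copy so it is not sent again. Returns (synced, skipped) file names."""
    synced, skipped = [], []
    for path in stable_files(root):
        name = os.path.basename(path)
        try:
            dav_path = destination(name)
        except ValueError:
            dav_path = None
        if dav_path is None:
            skipped.append(name)
            continue
        with open(path, "rb") as fh:
            req = build_put(dav_path, fh.read(), user, password)
        # urlopen raises HTTPError on 4xx/5xx; the status check covers injected openers.
        with opener(req, timeout=60) as resp:
            if resp.status not in (200, 201, 204):
                raise RuntimeError(f"PUT {dav_path} failed with {resp.status}")
        os.remove(path)
        synced.append(name)
    return synced, skipped


if __name__ == "__main__":
    print(sync_once(LANDING, os.environ["DAV_USER"], os.environ["DAV_PASSWORD"]))
```

Run it from cron every minute or so. The settle window is what stands in for a proper "upload finished" signal, since SFTP gives the receiving side none; the name check matters because the file name is chosen by whoever holds the SFTP account, and the password only travels inside TLS, which is the property plain FTP to ZServer lacks.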

Thanks all for your explanation. Now I understand the different moving parts.

  1. I use SFTP over FileZilla when communicating with my server, so I know that is safe.
  2. FTP is via low level Zope stuff and unlikely to change.
  3. SteveM, you had some good ideas. I think the approach I'll take is either accept insecure FTP, or in the past I've used WebDAV and/or https (put) to upload files. I'll have to go back and refresh my memory and see if either will work for what I want.

thanks again.

I'm quibbling, really just to quibble, with this. Not for any good reason :wink:

ftp is obnoxiously resistant to tunneling due to the odd dual-channel mechanism (control and data). All it's really possible to protect via tunneling is the control channel. That protects your passwords, but the data will transfer in the clear. Since it's passing in the clear, it's not slowed by SSH. O'Reilly's SSH book is a great resource, and the FTP chapter is online: FTP Forwarding (SSH, The Secure Shell: The Definitive Guide)

While I am no protocol expert, what I'm referring to with SFTP upload speeds is OOTB flow-control slowness in OpenSSH:

I noticed on my home 802.11 network that uploading multi-GB ISO files over SFTP was 2-3 times slower than using CIFS or AFS between two Macs (regardless of compression options), and have concluded this is largely an OpenSSH protocol issue.

Sean

BTW, not well publicised, but Plone 5 has built-in support for TUS, which does resumable uploads via contents upload.
We are using this for allowing large secure multi file uploads of videos.

1 Like

I am eager to use TUS, but have two questions for anyone in the know:

(1) Will this route around maximum request size in front-end proxy (e.g. nginx client_max_body_size)?

(2) Does TUS require sticky sessions to specific instance? I already do this with haproxy, but want to know what happens on redispatch to a different zserver?

Sean

Yes and yes. It uses 5 MB upload chunks into a tmp folder and reassembles them at the end. So it either needs a shared tmp folder or sticky sessions.
It would be nice if the implementation had a mode that didn't require sticky sessions, but I can't see how without ZODB bloat. Maybe by using a shared temporary storage?
Be aware there are a couple of bugs with what was released in Plone 5, mainly that some JS was omitted. But it's not hard to fix.

@djay,
So for the average Plone admin wait for Plone 5.0.1 if you want hassle free TUS?

@pigeonflight: correct, wait for 5.0.1, or use Plone 4.3 with wildcard.foldercontents where it works.

It’s explained in this issue https://github.com/plone/plone.app.content/issues/64