Deprecating ftpd in the FreeBSD base system?

[sthaug at nethelp.no]

> FTP is (becoming?) a legacy protocol, and I think it may be time to
> remove the ftp server from the FreeBSD base system - with the recent
> security advisory for ftpd serving as a reminder.
> 
> I've proposed adding a deprecation notice to the man page in
> https://reviews.freebsd.org/D26447 to start this off. There are a
> number of ftp servers in ports, and if we're going to remove the base
> system one we can create a port for it first, as well.
> 
> Any comments or concerns, please follow up in the code review or in email here.

Could we, at the same time, improve the documentation for sftp? I had
to move an FTP server (with one chrooted user) from FTP to sftp today.
I did:

1. Add sftp user to /etc/passwd, with /usr/sbin/nologin as the shell.
2. Patch sshd config as follows:

--- etc/ssh/sshd_config.orig	2018-06-16 22:04:20.868762000 +0200
+++ etc/ssh/sshd_config	2020-09-16 10:10:53.133211000 +0200
@@ -112,7 +112,7 @@
 #Banner none
 
 # override default of no subsystems
-Subsystem	sftp	/usr/libexec/sftp-server
+Subsystem	sftp	internal-sftp -l INFO
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
@@ -120,3 +120,8 @@
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
+Match User sftp
+ChrootDirectory	/usr/local/ftp/sftp
+ForceCommand internal-sftp -l INFO
+X11Forwarding no
+AllowTcpForwarding no

3. Ensure all levels of /usr/local/ftp/sftp are owned by root.
4. Create /usr/local/ftp/sftp/dev and add the following line to
/etc/rc.conf:

syslogd_flags="-s -l /usr/local/ftp/sftp/dev/log"

Btw, I could not get /usr/libexec/sftp-server to work. Cryptic error
message: "Received message too long 1416128883". Googling that one
eventually led me to the internal-sftp subsystem and the rest of the
sshd_config changes. The sshd_config man page is good, but I couldn't
find anything about arguments (e.g. -l) for internal-sftp.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no