improve FTP support

- allow to disable active mode - allow to disable SITE commands - add optional support for calculating hash value of files - add optional support for the non standard COMB command
2024-11-21 23:20:24 +00:00 · 2020-12-24 18:48:06 +01:00 · 2020-12-24 18:48:06 +01:00 · 1dce1eff48
commit 1dce1eff48
parent 5b1d8666b3
15 changed files with 375 additions and 31 deletions
--- a/common/common.go
+++ b/common/common.go
@ -612,16 +612,23 @@ func (c ConnectionStatus) GetConnectionDuration() string {

 // GetConnectionInfo returns connection info.
 // Protocol,Client Version and RemoteAddress are returned.
-// For SSH commands the issued command is returned too.
 func (c ConnectionStatus) GetConnectionInfo() string {
-	result := fmt.Sprintf("%v. Client: %#v From: %#v", c.Protocol, c.ClientVersion, c.RemoteAddress)
-	if c.Protocol == ProtocolSSH && len(c.Command) > 0 {
-		result += fmt.Sprintf(". Command: %#v", c.Command)
+	var result strings.Builder
+
+	result.WriteString(fmt.Sprintf("%v. Client: %#v From: %#v", c.Protocol, c.ClientVersion, c.RemoteAddress))
+
+	if c.Command == "" {
+		return result.String()
 	}
-	if c.Protocol == ProtocolWebDAV && len(c.Command) > 0 {
-		result += fmt.Sprintf(". Method: %#v", c.Command)
+
+	switch c.Protocol {
+	case ProtocolSSH, ProtocolFTP:
+		result.WriteString(fmt.Sprintf(". Command: %#v", c.Command))
+	case ProtocolWebDAV:
+		result.WriteString(fmt.Sprintf(". Method: %#v", c.Command))
 	}
-	return result
+
+	return result.String()
 }

 // GetTransfersAsString returns the active transfers as string
--- a/config/config.go
+++ b/config/config.go
@ -113,6 +113,10 @@ func Init() {
 				Start: 50000,
 				End:   50100,
 			},
+			DisableActiveMode:  false,
+			EnableSite:         false,
+			HASHSupport:        0,
+			CombineSupport:     0,
 			CertificateFile:    "",
 			CertificateKeyFile: "",
 		},
@ -660,6 +664,10 @@ func setViperDefaults() {
 	viper.SetDefault("ftpd.active_transfers_port_non_20", globalConf.FTPD.ActiveTransfersPortNon20)
 	viper.SetDefault("ftpd.passive_port_range.start", globalConf.FTPD.PassivePortRange.Start)
 	viper.SetDefault("ftpd.passive_port_range.end", globalConf.FTPD.PassivePortRange.End)
+	viper.SetDefault("ftpd.disable_active_mode", globalConf.FTPD.DisableActiveMode)
+	viper.SetDefault("ftpd.enable_site", globalConf.FTPD.EnableSite)
+	viper.SetDefault("ftpd.hash_support", globalConf.FTPD.HASHSupport)
+	viper.SetDefault("ftpd.combine_support", globalConf.FTPD.CombineSupport)
 	viper.SetDefault("ftpd.certificate_file", globalConf.FTPD.CertificateFile)
 	viper.SetDefault("ftpd.certificate_key_file", globalConf.FTPD.CertificateKeyFile)
 	viper.SetDefault("webdavd.certificate_file", globalConf.WebDAVD.CertificateFile)
--- a/docs/full-configuration.md
+++ b/docs/full-configuration.md
@ -104,6 +104,10 @@ The configuration file contains the following sections:
  - `active_transfers_port_non_20`, boolean. Do not impose the port 20 for active data transfers. Enabling this option allows to run SFTPGo with less privilege. Default: false.
  - `force_passive_ip`, ip address.  Deprecated, please use `bindings`
  - `passive_port_range`, struct containing the key `start` and `end`. Port Range for data connections. Random if not specified. Default range is 50000-50100.
+  - `disable_active_mode`, boolean. Set to `true` to disable active FTP, default `false`.
+  - `enable_site`, boolean. Set to true to enable the FTP SITE command. We support `chmod` and `symlink` if SITE support is enabled. Default `false`
+  - `hash_support`, integer. Set to `1` to enable FTP commands that allow to calculate the hash value of files. These FTP commands will be enabled: `HASH`, `XCRC`, `MD5/XMD5`, `XSHA/XSHA1`, `XSHA256`, `XSHA512`. Please keep in mind that to calculate the hash we need to read the whole file, for remote backends this means downloading the file, for the encrypted backend this means decrypting the file. Default `0`.
+  - `combine_support`, integer. Set to 1 to enable support for the non standard `COMB` FTP command. Combine is only supported for local filesystem, for cloud backends it has no advantage as it will download the partial files and will upload the combined one. Cloud backends natively support multipart uploads. Default `0`.
  - `certificate_file`, string. Certificate for FTPS. This can be an absolute path or a path relative to the config dir.
  - `certificate_key_file`, string. Private key matching the above certificate. This can be an absolute path or a path relative to the config dir. A certificate and the private key are required to enable explicit and implicit TLS. Certificate and key files can be reloaded on demand sending a `SIGHUP` signal on Unix based systems and a `paramchange` request to the running service on Windows.
  - `tls_mode`, integer. Deprecated, please use `bindings`
--- a/ftpd/ftpd.go
+++ b/ftpd/ftpd.go
@ -27,9 +27,10 @@ type Binding struct {
 	Address string `json:"address" mapstructure:"address"`
 	// The port used for serving requests
 	Port int `json:"port" mapstructure:"port"`
-	// apply the proxy configuration, if any, for this binding
+	// Apply the proxy configuration, if any, for this binding
 	ApplyProxyConfig bool `json:"apply_proxy_config" mapstructure:"apply_proxy_config"`
-	// set to 1 to require TLS for both data and control connection
+	// Set to 1 to require TLS for both data and control connection.
+	// Set to 2 to enable implicit TLS
 	TLSMode int `json:"tls_mode" mapstructure:"tls_mode"`
 	// External IP address to expose for passive connections.
 	ForcePassiveIP string `json:"force_passive_ip" mapstructure:"force_passive_ip"`
@ -103,10 +104,26 @@ type Configuration struct {
 	CertificateKeyFile string `json:"certificate_key_file" mapstructure:"certificate_key_file"`
 	// Do not impose the port 20 for active data transfer. Enabling this option allows to run SFTPGo with less privilege
 	ActiveTransfersPortNon20 bool `json:"active_transfers_port_non_20" mapstructure:"active_transfers_port_non_20"`
-	// Port Range for data connections. Random if not specified
-	PassivePortRange PortRange `json:"passive_port_range" mapstructure:"passive_port_range"`
+	// Set to true to disable active FTP
+	DisableActiveMode bool `json:"disable_active_mode" mapstructure:"disable_active_mode"`
+	// Set to true to enable the FTP SITE command.
+	// We support chmod and symlink if SITE support is enabled
+	EnableSite bool `json:"enable_site" mapstructure:"enable_site"`
+	// Set to 1 to enable FTP commands that allow to calculate the hash value of files.
+	// These FTP commands will be enabled: HASH, XCRC, MD5/XMD5, XSHA/XSHA1, XSHA256, XSHA512.
+	// Please keep in mind that to calculate the hash we need to read the whole file, for
+	// remote backends this means downloading the file, for the encrypted backend this means
+	// decrypting the file
+	HASHSupport int `json:"hash_support" mapstructure:"hash_support"`
+	// Set to 1 to enable support for the non standard "COMB" FTP command.
+	// Combine is only supported for local filesystem, for cloud backends it has
+	// no advantage as it will download the partial files and will upload the
+	// combined one. Cloud backends natively support multipart uploads.
+	CombineSupport int `json:"combine_support" mapstructure:"combine_support"`
 	// Deprecated: please use Bindings
 	TLSMode int `json:"tls_mode" mapstructure:"tls_mode"`
+	// Port Range for data connections. Random if not specified
+	PassivePortRange PortRange `json:"passive_port_range" mapstructure:"passive_port_range"`
 }

 // ShouldBind returns true if there is at least a valid binding
--- a/ftpd/ftpd_test.go
+++ b/ftpd/ftpd_test.go
@ -2,7 +2,9 @@ package ftpd_test

 import (
 	"crypto/rand"
+	"crypto/sha256"
 	"crypto/tls"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
@ -37,6 +39,7 @@ const (
 	logSender       = "ftpdTesting"
 	ftpServerAddr   = "127.0.0.1:2121"
 	sftpServerAddr  = "127.0.0.1:2122"
+	ftpSrvAddrTLS   = "127.0.0.1:2124" // ftp server with implicit tls
 	defaultUsername = "test_user_ftp"
 	defaultPassword = "test_password"
 	configDir       = ".."
@ -157,6 +160,7 @@ func TestMain(m *testing.M) {
 	ftpdConf.BannerFile = bannerFileName
 	ftpdConf.CertificateFile = certPath
 	ftpdConf.CertificateKeyFile = keyPath
+	ftpdConf.EnableSite = true

 	// required to test sftpfs
 	sftpdConf := config.GetSFTPDConfig()
@ -165,7 +169,8 @@ func TestMain(m *testing.M) {
 			Port: 2122,
 		},
 	}
-	sftpdConf.HostKeys = []string{filepath.Join(os.TempDir(), "id_ed25519")}
+	hostKeyPath := filepath.Join(os.TempDir(), "id_ed25519")
+	sftpdConf.HostKeys = []string{hostKeyPath}

 	extAuthPath = filepath.Join(homeBasePath, "extauth.sh")
 	preLoginPath = filepath.Join(homeBasePath, "prelogin.sh")
@ -205,6 +210,35 @@ func TestMain(m *testing.M) {
 	waitTCPListening(sftpdConf.Bindings[0].GetAddress())
 	ftpd.ReloadTLSCertificate() //nolint:errcheck

+	ftpdConf = config.GetFTPDConfig()
+	ftpdConf.Bindings = []ftpd.Binding{
+		{
+			Port:    2124,
+			TLSMode: 2,
+		},
+	}
+	ftpdConf.CertificateFile = certPath
+	ftpdConf.CertificateKeyFile = keyPath
+	ftpdConf.EnableSite = false
+	ftpdConf.DisableActiveMode = true
+	ftpdConf.CombineSupport = 1
+	ftpdConf.HASHSupport = 1
+
+	go func() {
+		logger.Debug(logSender, "", "initializing FTP server with config %+v", ftpdConf)
+		if err := ftpdConf.Initialize(configDir); err != nil {
+			logger.ErrorToConsole("could not start FTP server: %v", err)
+			os.Exit(1)
+		}
+	}()
+
+	waitTCPListening(ftpdConf.Bindings[0].GetAddress())
+
+	// ensure all the initial connections to check if the service is alive are disconnected
+	for len(common.Connections.GetStats()) > 0 {
+		time.Sleep(50 * time.Millisecond)
+	}
+
 	exitCode := m.Run()
 	os.Remove(logFilePath)
 	os.Remove(bannerFile)
@ -213,6 +247,8 @@ func TestMain(m *testing.M) {
 	os.Remove(postConnectPath)
 	os.Remove(certPath)
 	os.Remove(keyPath)
+	os.Remove(hostKeyPath)
+	os.Remove(hostKeyPath + ".pub")
 	os.Exit(exitCode)
 }

@ -1578,6 +1614,218 @@ func TestChmod(t *testing.T) {
 	assert.NoError(t, err)
 }

+func TestCombineDisabled(t *testing.T) {
+	u := getTestUser()
+	localUser, _, err := httpd.AddUser(u, http.StatusOK)
+	assert.NoError(t, err)
+	sftpUser, _, err := httpd.AddUser(getTestSFTPUser(), http.StatusOK)
+	assert.NoError(t, err)
+	for _, user := range []dataprovider.User{localUser, sftpUser} {
+		client, err := getFTPClient(user, true)
+		if assert.NoError(t, err) {
+			err = checkBasicFTP(client)
+			assert.NoError(t, err)
+
+			code, response, err := client.SendCustomCommand("COMB file file.1 file.2")
+			assert.NoError(t, err)
+			assert.Equal(t, ftp.StatusNotImplemented, code)
+			assert.Equal(t, "COMB support is disabled", response)
+
+			err = client.Quit()
+			assert.NoError(t, err)
+		}
+	}
+
+	_, err = httpd.RemoveUser(sftpUser, http.StatusOK)
+	assert.NoError(t, err)
+	_, err = httpd.RemoveUser(localUser, http.StatusOK)
+	assert.NoError(t, err)
+	err = os.RemoveAll(localUser.GetHomeDir())
+	assert.NoError(t, err)
+}
+
+func TestActiveModeDisabled(t *testing.T) {
+	u := getTestUser()
+	user, _, err := httpd.AddUser(u, http.StatusOK)
+	assert.NoError(t, err)
+	client, err := getFTPClientImplicitTLS(user)
+	if assert.NoError(t, err) {
+		err = checkBasicFTP(client)
+		assert.NoError(t, err)
+		code, response, err := client.SendCustomCommand("PORT 10,2,0,2,4,31")
+		assert.NoError(t, err)
+		assert.Equal(t, ftp.StatusNotAvailable, code)
+		assert.Equal(t, "PORT command is disabled", response)
+
+		code, response, err = client.SendCustomCommand("EPRT |1|132.235.1.2|6275|")
+		assert.NoError(t, err)
+		assert.Equal(t, ftp.StatusNotAvailable, code)
+		assert.Equal(t, "EPRT command is disabled", response)
+
+		err = client.Quit()
+		assert.NoError(t, err)
+	}
+
+	client, err = getFTPClient(user, false)
+	if assert.NoError(t, err) {
+		code, response, err := client.SendCustomCommand("PORT 10,2,0,2,4,31")
+		assert.NoError(t, err)
+		assert.Equal(t, ftp.StatusCommandOK, code)
+		assert.Equal(t, "PORT command successful", response)
+
+		code, response, err = client.SendCustomCommand("EPRT |1|132.235.1.2|6275|")
+		assert.NoError(t, err)
+		assert.Equal(t, ftp.StatusCommandOK, code)
+		assert.Equal(t, "EPRT command successful", response)
+
+		err = client.Quit()
+		assert.NoError(t, err)
+	}
+
+	_, err = httpd.RemoveUser(user, http.StatusOK)
+	assert.NoError(t, err)
+	err = os.RemoveAll(user.GetHomeDir())
+	assert.NoError(t, err)
+}
+
+func TestSITEDisabled(t *testing.T) {
+	u := getTestUser()
+	user, _, err := httpd.AddUser(u, http.StatusOK)
+	assert.NoError(t, err)
+	client, err := getFTPClientImplicitTLS(user)
+	if assert.NoError(t, err) {
+		err = checkBasicFTP(client)
+		assert.NoError(t, err)
+
+		code, response, err := client.SendCustomCommand("SITE CHMOD 600 afile.txt")
+		assert.NoError(t, err)
+		assert.Equal(t, ftp.StatusBadCommand, code)
+		assert.Equal(t, "SITE support is disabled", response)
+
+		err = client.Quit()
+		assert.NoError(t, err)
+	}
+	_, err = httpd.RemoveUser(user, http.StatusOK)
+	assert.NoError(t, err)
+	err = os.RemoveAll(user.GetHomeDir())
+	assert.NoError(t, err)
+}
+
+func TestHASH(t *testing.T) {
+	u := getTestUser()
+	localUser, _, err := httpd.AddUser(u, http.StatusOK)
+	assert.NoError(t, err)
+	sftpUser, _, err := httpd.AddUser(getTestSFTPUser(), http.StatusOK)
+	assert.NoError(t, err)
+	u = getTestUserWithCryptFs()
+	u.Username += "_crypt"
+	cryptUser, _, err := httpd.AddUser(u, http.StatusOK)
+	assert.NoError(t, err)
+	for _, user := range []dataprovider.User{localUser, sftpUser, cryptUser} {
+		client, err := getFTPClientImplicitTLS(user)
+		if assert.NoError(t, err) {
+			testFilePath := filepath.Join(homeBasePath, testFileName)
+			testFileSize := int64(131072)
+			err = createTestFile(testFilePath, testFileSize)
+			assert.NoError(t, err)
+			err = checkBasicFTP(client)
+			assert.NoError(t, err)
+			err = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)
+			assert.NoError(t, err)
+
+			h := sha256.New()
+			f, err := os.Open(testFilePath)
+			assert.NoError(t, err)
+			_, err = io.Copy(h, f)
+			assert.NoError(t, err)
+			hash := hex.EncodeToString(h.Sum(nil))
+			err = f.Close()
+			assert.NoError(t, err)
+
+			code, response, err := client.SendCustomCommand(fmt.Sprintf("XSHA256 %v", testFileName))
+			assert.NoError(t, err)
+			assert.Equal(t, ftp.StatusRequestedFileActionOK, code)
+			assert.Contains(t, response, hash)
+
+			code, response, err = client.SendCustomCommand(fmt.Sprintf("HASH %v", testFileName))
+			assert.NoError(t, err)
+			assert.Equal(t, ftp.StatusFile, code)
+			assert.Contains(t, response, hash)
+
+			err = client.Quit()
+			assert.NoError(t, err)
+
+			err = os.Remove(testFilePath)
+			assert.NoError(t, err)
+			if user.Username == defaultUsername {
+				err = os.RemoveAll(user.GetHomeDir())
+				assert.NoError(t, err)
+			}
+		}
+	}
+
+	_, err = httpd.RemoveUser(sftpUser, http.StatusOK)
+	assert.NoError(t, err)
+	_, err = httpd.RemoveUser(localUser, http.StatusOK)
+	assert.NoError(t, err)
+	err = os.RemoveAll(localUser.GetHomeDir())
+	assert.NoError(t, err)
+	_, err = httpd.RemoveUser(cryptUser, http.StatusOK)
+	assert.NoError(t, err)
+	err = os.RemoveAll(cryptUser.GetHomeDir())
+	assert.NoError(t, err)
+}
+
+func TestCombine(t *testing.T) {
+	u := getTestUser()
+	localUser, _, err := httpd.AddUser(u, http.StatusOK)
+	assert.NoError(t, err)
+	sftpUser, _, err := httpd.AddUser(getTestSFTPUser(), http.StatusOK)
+	assert.NoError(t, err)
+	for _, user := range []dataprovider.User{localUser, sftpUser} {
+		client, err := getFTPClientImplicitTLS(user)
+		if assert.NoError(t, err) {
+			testFilePath := filepath.Join(homeBasePath, testFileName)
+			testFileSize := int64(131072)
+			err = createTestFile(testFilePath, testFileSize)
+			assert.NoError(t, err)
+			err = checkBasicFTP(client)
+			assert.NoError(t, err)
+			err = ftpUploadFile(testFilePath, testFileName+".1", testFileSize, client, 0)
+			assert.NoError(t, err)
+			err = ftpUploadFile(testFilePath, testFileName+".2", testFileSize, client, 0)
+			assert.NoError(t, err)
+
+			code, response, err := client.SendCustomCommand(fmt.Sprintf("COMB %v %v %v", testFileName, testFileName+".1", testFileName+".2"))
+			assert.NoError(t, err)
+			if user.Username == defaultUsername {
+				assert.Equal(t, ftp.StatusRequestedFileActionOK, code)
+				assert.Equal(t, "COMB succeeded!", response)
+			} else {
+				assert.Equal(t, ftp.StatusFileUnavailable, code)
+				assert.Contains(t, response, "COMB is not supported for this filesystem")
+			}
+
+			err = client.Quit()
+			assert.NoError(t, err)
+
+			err = os.Remove(testFilePath)
+			assert.NoError(t, err)
+			if user.Username == defaultUsername {
+				err = os.RemoveAll(user.GetHomeDir())
+				assert.NoError(t, err)
+			}
+		}
+	}
+
+	_, err = httpd.RemoveUser(sftpUser, http.StatusOK)
+	assert.NoError(t, err)
+	_, err = httpd.RemoveUser(localUser, http.StatusOK)
+	assert.NoError(t, err)
+	err = os.RemoveAll(localUser.GetHomeDir())
+	assert.NoError(t, err)
+}
+
 func checkBasicFTP(client *ftp.ServerConn) error {
 	_, err := client.CurrentDir()
 	if err != nil {
@ -1647,6 +1895,30 @@ func ftpDownloadFile(remoteSourcePath string, localDestPath string, expectedSize
 	return nil
 }

+func getFTPClientImplicitTLS(user dataprovider.User) (*ftp.ServerConn, error) {
+	ftpOptions := []ftp.DialOption{ftp.DialWithTimeout(5 * time.Second)}
+	tlsConfig := &tls.Config{
+		ServerName:         "localhost",
+		InsecureSkipVerify: true, // use this for tests only
+		MinVersion:         tls.VersionTLS12,
+	}
+	ftpOptions = append(ftpOptions, ftp.DialWithTLS(tlsConfig))
+	ftpOptions = append(ftpOptions, ftp.DialWithDisabledEPSV(true))
+	client, err := ftp.Dial(ftpSrvAddrTLS, ftpOptions...)
+	if err != nil {
+		return nil, err
+	}
+	pwd := defaultPassword
+	if user.Password != "" {
+		pwd = user.Password
+	}
+	err = client.Login(user.Username, pwd)
+	if err != nil {
+		return nil, err
+	}
+	return client, err
+}
+
 func getFTPClient(user dataprovider.User, useTLS bool) (*ftp.ServerConn, error) {
 	ftpOptions := []ftp.DialOption{ftp.DialWithTimeout(5 * time.Second)}
 	if useTLS {
@ -1662,7 +1934,7 @@ func getFTPClient(user dataprovider.User, useTLS bool) (*ftp.ServerConn, error)
 		return nil, err
 	}
 	pwd := defaultPassword
-	if len(user.Password) > 0 {
+	if user.Password != "" {
 		pwd = user.Password
 	}
 	err = client.Login(user.Username, pwd)
--- a/ftpd/handler.go
+++ b/ftpd/handler.go
@ -17,7 +17,8 @@ import (
 )

 var (
-	errNotImplemented = errors.New("Not implemented")
+	errNotImplemented   = errors.New("Not implemented")
+	errCOMBNotSupported = errors.New("COMB is not supported for this filesystem")
 )

 // Connection details for an FTP connection.
@ -45,12 +46,12 @@ func (c *Connection) GetRemoteAddress() string {

 // Disconnect disconnects the client
 func (c *Connection) Disconnect() error {
-	return c.clientContext.Close(0, "")
+	return c.clientContext.Close()
 }

 // GetCommand returns an empty string
 func (c *Connection) GetCommand() string {
-	return ""
+	return c.clientContext.GetLastCommand()
 }

 // Create is not implemented we use ClientDriverExtentionFileTransfer
@ -285,6 +286,11 @@ func (c *Connection) GetHandle(name string, flags int, offset int64) (ftpserver.
 	if err != nil {
 		return nil, c.GetFsError(err)
 	}
+
+	if c.GetCommand() == "COMB" && !vfs.IsLocalOsFs(c.Fs) {
+		return nil, errCOMBNotSupported
+	}
+
 	if flags&os.O_WRONLY != 0 {
 		return c.uploadFile(p, name, flags)
 	}
@ -384,10 +390,11 @@ func (c *Connection) handleFTPUploadToExistingFile(flags int, resolvedPath, file
 		return nil, common.ErrQuotaExceeded
 	}
 	minWriteOffset := int64(0)
-	// ftpserverlib set os.O_WRONLY | os.O_APPEND for APPE
-	// and os.O_WRONLY | os.O_CREATE for REST. If is not APPE
-	// and REST = 0 then os.O_WRONLY | os.O_CREATE | os.O_TRUNC
-	// so if we don't have O_TRUC is a resume
+	// ftpserverlib sets:
+	// - os.O_WRONLY | os.O_APPEND for APPE and COMB
+	// - os.O_WRONLY | os.O_CREATE for REST.
+	// - os.O_WRONLY | os.O_CREATE | os.O_TRUNC if the command is not APPE and REST = 0
+	// so if we don't have O_TRUNC is a resume.
 	isResume := flags&os.O_TRUNC == 0
 	// if there is a size limit remaining size cannot be 0 here, since quotaResult.HasSpace
 	// will return false in this case and we deny the upload before
--- a/ftpd/internal_test.go
+++ b/ftpd/internal_test.go
@ -51,10 +51,22 @@ func (cc mockFTPClientContext) GetClientVersion() string {
 	return "mock version"
 }

-func (cc mockFTPClientContext) Close(code int, message string) error {
+func (cc mockFTPClientContext) Close() error {
 	return nil
 }

+func (cc mockFTPClientContext) HasTLSForControl() bool {
+	return false
+}
+
+func (cc mockFTPClientContext) HasTLSForTransfers() bool {
+	return false
+}
+
+func (cc mockFTPClientContext) GetLastCommand() string {
+	return ""
+}
+
 // MockOsFs mockable OsFs
 type MockOsFs struct {
 	vfs.Fs
@ -209,7 +221,7 @@ func TestUserInvalidParams(t *testing.T) {
 			End:   11000,
 		},
 	}
-	server := NewServer(c, configDir, binding, 0)
+	server := NewServer(c, configDir, binding, 3)
 	_, err := server.validateUser(u, mockFTPClientContext{})
 	assert.Error(t, err)

@ -241,7 +253,7 @@ func TestUserInvalidParams(t *testing.T) {

 func TestClientVersion(t *testing.T) {
 	mockCC := mockFTPClientContext{}
-	connID := fmt.Sprintf("%v", mockCC.ID())
+	connID := fmt.Sprintf("2_%v", mockCC.ID())
 	user := dataprovider.User{}
 	connection := &Connection{
 		BaseConnection: common.NewBaseConnection(connID, common.ProtocolFTP, user, nil),
@ -258,7 +270,7 @@ func TestClientVersion(t *testing.T) {

 func TestDriverMethodsNotImplemented(t *testing.T) {
 	mockCC := mockFTPClientContext{}
-	connID := fmt.Sprintf("%v", mockCC.ID())
+	connID := fmt.Sprintf("2_%v", mockCC.ID())
 	user := dataprovider.User{}
 	connection := &Connection{
 		BaseConnection: common.NewBaseConnection(connID, common.ProtocolFTP, user, nil),
--- a/ftpd/server.go
+++ b/ftpd/server.go
@ -93,6 +93,10 @@ func (s *Server) GetSettings() (*ftpserver.Settings, error) {
 		ConnectionTimeout:        20,
 		Banner:                   s.statusBanner,
 		TLSRequired:              ftpserver.TLSRequirement(s.binding.TLSMode),
+		DisableSite:              !s.config.EnableSite,
+		DisableActiveMode:        s.config.DisableActiveMode,
+		EnableHASH:               s.config.HASHSupport > 0,
+		EnableCOMB:               s.config.CombineSupport > 0,
 	}, nil
 }

@ -156,7 +160,7 @@ func (s *Server) GetTLSConfig() (*tls.Config, error) {
 }

 func (s *Server) validateUser(user dataprovider.User, cc ftpserver.ClientContext) (*Connection, error) {
-	connectionID := fmt.Sprintf("%v_%v", common.ProtocolFTP, cc.ID())
+	connectionID := fmt.Sprintf("%v_%v_%v", common.ProtocolFTP, s.ID, cc.ID())
 	if !filepath.IsAbs(user.HomeDir) {
 		logger.Warn(logSender, connectionID, "user %#v has an invalid home dir: %#v. Home dir must be an absolute path, login not allowed",
 			user.Username, user.HomeDir)
--- a/go.mod
+++ b/go.mod
@ -11,7 +11,7 @@ require (
 	github.com/aws/aws-sdk-go v1.36.13
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf // indirect
 	github.com/eikenb/pipeat v0.0.0-20200430215831-470df5986b6d
-	github.com/fclairamb/ftpserverlib v0.11.0
+	github.com/fclairamb/ftpserverlib v0.11.1-0.20201224162151-6345897942b7
 	github.com/frankban/quicktest v1.11.2 // indirect
 	github.com/go-chi/chi v1.5.1
 	github.com/go-chi/render v1.0.1
--- a/go.sum
+++ b/go.sum
@ -178,8 +178,8 @@ github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5y
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
-github.com/fclairamb/ftpserverlib v0.11.0 h1:leyKdtf3Xk9POY/akxicXrrHF5804PVqnXlUBUYN4Tk=
-github.com/fclairamb/ftpserverlib v0.11.0/go.mod h1:lCDfM4WqDDh/wlVMZP185tEH93I0t5gsY2/lKfrLl3o=
+github.com/fclairamb/ftpserverlib v0.11.1-0.20201224162151-6345897942b7 h1:k7T/6Ik8zVR3TMrCPKxqahbbGKaIpS5pYqb3bXlc40k=
+github.com/fclairamb/ftpserverlib v0.11.1-0.20201224162151-6345897942b7/go.mod h1:X6sAMSYtN0YDPu+nHfyE9dsKPUOrEZ8O5EMgt1xvPwk=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
 github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4=
--- a/httpd/schema/openapi.yaml
+++ b/httpd/schema/openapi.yaml
@ -1326,7 +1326,7 @@ components:
        command:
          type: string
          nullable: true
-          description: SSH command or WebDAV method
+          description: SSH/FTP command or WebDAV method
        last_activity:
          type: integer
          format: int64
--- a/sftpd/server.go
+++ b/sftpd/server.go
@ -42,7 +42,7 @@ type Binding struct {
 	Address string `json:"address" mapstructure:"address"`
 	// The port used for serving requests
 	Port int `json:"port" mapstructure:"port"`
-	// apply the proxy configuration, if any, for this binding
+	// Apply the proxy configuration, if any, for this binding
 	ApplyProxyConfig bool `json:"apply_proxy_config" mapstructure:"apply_proxy_config"`
 }

--- a/sftpgo.json
+++ b/sftpgo.json
@ -55,6 +55,10 @@
      "start": 50000,
      "end": 50100
    },
+    "disable_active_mode": false,
+    "enable_site": false,
+    "hash_support": 0,
+    "combine_support": 0,
    "certificate_file": "",
    "certificate_key_file": ""
  },
--- a/webdavd/internal_test.go
+++ b/webdavd/internal_test.go
@ -752,6 +752,9 @@ func TestBasicUsersCache(t *testing.T) {
 	assert.NoError(t, err)
 	_, ok = dataprovider.GetCachedWebDAVUser(username)
 	assert.False(t, ok)
+
+	err = os.RemoveAll(u.GetHomeDir())
+	assert.NoError(t, err)
 }

 func TestUsersCacheSizeAndExpiration(t *testing.T) {
@ -934,6 +937,9 @@ func TestUsersCacheSizeAndExpiration(t *testing.T) {
 	assert.NoError(t, err)
 	err = dataprovider.DeleteUser(user4)
 	assert.NoError(t, err)
+
+	err = os.RemoveAll(u.GetHomeDir())
+	assert.NoError(t, err)
 }

 func TestRecoverer(t *testing.T) {
--- a/webdavd/webdavd_test.go
+++ b/webdavd/webdavd_test.go
@ -149,7 +149,8 @@ func TestMain(m *testing.M) {
 			Port: 9022,
 		},
 	}
-	sftpdConf.HostKeys = []string{filepath.Join(os.TempDir(), "id_ecdsa")}
+	hostKeyPath := filepath.Join(os.TempDir(), "id_ecdsa")
+	sftpdConf.HostKeys = []string{hostKeyPath}

 	webDavConf := config.GetWebDAVDConfig()
 	webDavConf.Bindings = []webdavd.Binding{
@ -217,6 +218,8 @@ func TestMain(m *testing.M) {
 	os.Remove(postConnectPath)
 	os.Remove(certPath)
 	os.Remove(keyPath)
+	os.Remove(hostKeyPath)
+	os.Remove(hostKeyPath + ".pub")
 	os.Exit(exitCode)
 }