Frequently Asked Questions

The NearlyFreeSpeech.NET FAQ

Uploading

What is the connection information to upload files to my web site?

The username for SFTP and ssh access is not the same as your member login; it is based on both your member login and the site name. The password, however, is the same as your member password. The specifics are listed in the "SSH/SFTP Information" box on each site's information panel in our member interface.

To find this information:

  1. Visit the Sites panel to display your list of sites.
  2. Select the site's "short name" in the "Sites" table to display the details about the site you want to access.
  3. Find the box titled "SSH/SFTP Information."
  4. Locate the username row and the appropriate hostname row for the protocol you wish to use.

How do I upload my content to my site?

The answer depends largely on what tools you are using to create and manage the content of your site. There are four primary approaches people use.

In all cases, you'll need to check the documentation for the program you are using for specific instructions, but at a minimum you will require the connection information for your site to upload successfully.

We do not provide any "built-in" web tools in our member interface for content authoring. Such tools tend to be very limited; they offer only basic functionality and tend to produce a whole lot of nearly identical websites. As such, they do not provide the sophisticated and powerful options expected by our members.

Can I access my web site via ssh?

Yes. To access a website via ssh, use the connection information.

The SSH key fingerprints for our ssh servers are in this FAQ entry.

SFTP and scp are supported. Port forwarding is supported but is only permitted for establishing secure remote connections to your MySQL database.

Important: Our ssh environment is provided solely for maintaining your website and is not to be used for any other purpose. This specifically prohibits using it for proxying, port forwarding, or anything similar. Automated access to the ssh server is likewise prohibited, with an exception allowing connections once per day for the purpose of making offsite backups.

What directory do I upload my web site's files to?

All uploading clients should automatically be in the correct folder after they connect. Do not change your software's default upload directory setting unless you are absolutely sure your client is getting it wrong.

For FTP clients (including publishing programs such as Dreamweaver that upload using FTP), the correct directory is /public.

For ssh and SFTP clients, the correct directory is /home/public.

(Once uploaded, scripts that run on your site will use a different path to access your files, depending on whether they are PHP or CGI.)

What hostname should I use for SSH/SFTP?

To get the correct hostname to use for ssh/SFTP access to your site:

  1. Go to the Sites tab in the member interface.
  2. Select your site name from the list to go to its Site Information panel.
  3. On the Site Information panel, find the box titled "SSH/SFTP Information."
  4. The "SSH/SFTP Hostname" line will contain the exact hostname to use for ssh and SFTP.

This will be different than any of your site aliases or the hostname used for FTP.

How do I connect to the shell with ssh?

Most people use one of these three options:

Other options also exist, but are substantially less popular:

Once you have found or installed your ssh program, give it your connection information to get connected to your site hosted on our service. If you are using OpenSSH or a similar tool, the command looks something like:

ssh username_sitename@ssh.xyz1.nearlyfreespeech.net

Graphical tools vary widely; consult their documentation.

Once connected, you will get a shell prompt, which may look something like:

[example /home/public]$

Actual prompts can vary widely but tend to end in $ or %. To reflect these variations, in our documentation, we use:

YourPrompt$ echo "Hello, world!"

to indicate that you should type the command echo "Hello, world!" (but not the YourPrompt$ part) at your shell prompt, whatever it looks like.

Due to the variety of ssh options and the complexity of the Unix shell, the full details of their use are well beyond the scope of a FAQ. Many online tutorials exist, like this one. For a deeper dive, many community colleges offer continuing education classes covering one or both topics.

Why do I have to enable FTP in two places to get it to work?

Because FTP is an insecure protocol that should never be used. We strongly recommend leaving FTP disabled and using SSH or SFTP instead.

FTP access can be restricted on a per-member and a per-site basis. These settings are completely independent; both the member accessing a site and the site being accessed must have FTP enabled in order for access to succeed.

This is to allow maximum access control granularity in situations where multiple members share access to multiple sites via our adjunct access feature. For example, you may not want to allow FTP access to your site, and you may want to make sure a member with adjunct access can't enable FTP access for themself and overrule you.

To enable FTP access for your membership, visit the Profile page and toggle that setting in the "Details" box.

To enable FTP access for a site, visit the Sites panel and select the site by its short name to view its Site Information page, where you'll see the FTP setting in the "SSH/SFTP Information" box.

What is SFTP?

SFTP is the Secure File Transfer Protocol. It is sort of a hybrid between FTP and ssh.

You can use SFTP to send files to our service. It's much safer and more private than regular FTP because it encrypts both your password and your file transfers.

Since SFTP piggybacks on the ssh protocol, SFTP is also robust in the face of NAT routers and firewalls, which often cause problems for FTP.

Due to its advantages, SFTP is the recommended method for uploading content to your site.

There are a number of SFTP applications listed in our member wiki. (Note that "Secure FTP," which only supports SSL/TLS-encrypted FTP, will not work for accessing our servers via SFTP.)

Can I configure my ssh connection to use a public key?

Yes, but.

Our system does not access your site's filesystem until after you have authenticated yourself. Also, correct authentication depends on both member name and site (since more than one member name may have permission to access a given site and a given member name may be able to access more than one site). Therefore, you cannot place a public key file in your site's filesystem to bypass password authentication.

Instead, we keep a separate keychain for each member. To use an ssh public key, you can add it to your keychain on the profile tab.

Once installed into your membership's keychain, an ssh key will authenticate you for any site you are authorized to access, including your sites and any sites you may have adjunct access to.

Per current best security practices, here are the key types we support:

DSA/DSS ("ssh-dss") keys are not supported at all. This is a US government FIPS standard developed by the NSA and intended only for low-security usage. (Read: they are probably not secure.)

If you use an RSA key, you must use a client that supports RFC 8332 for SHA-256 (rsa-sha2-256) and SHA-512 (rsa-sha2-512) signatures. As of 2021, our servers no longer accept RSA keys with SHA-1 signatures because they are demonstrably insecure. If you run into that issue, please update your OpenSSH client and/or consider switching to faster, safer Ed25519 keys.
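A pre-flight check for a public key line before it goes into the keychain, applying only the rules stated in this entry (DSA rejected, RSA usable when the client signs with SHA-2, Ed25519 accepted). This is an added example, not NearlyFreeSpeech.NET's code; the function names and the sample keys are constructed for illustration.

```python
import base64
import struct


def _read(buf: bytes, off: int):
    """Read one length-prefixed SSH string (RFC 4251); return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (size,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + size
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end


def check_public_key(line: str) -> str:
    """Classify one public key line against the rules stated in this FAQ entry."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    declared, blob = fields[0], base64.b64decode(fields[1], validate=True)
    inner, off = _read(blob, 0)
    if inner != declared.encode():
        raise ValueError("declared type does not match the key blob")
    if declared == "ssh-dss":
        return "rejected: DSA/DSS keys are not supported"
    if declared == "ssh-ed25519":
        key, _ = _read(blob, off)
        if len(key) != 32:
            raise ValueError("Ed25519 public key must be 32 bytes")
        return "ok: Ed25519"
    if declared == "ssh-rsa":
        _exponent, off = _read(blob, off)
        modulus, _ = _read(blob, off)
        bits = int.from_bytes(modulus, "big").bit_length()
        return f"ok: RSA {bits}-bit, client must sign with rsa-sha2-256/512"
    return "unknown: key type not covered by the text on this page"


def constructed_line(key_type: str, *parts: bytes) -> str:
    """Build a constructed sample key line (dummy values, not usable keys)."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(), *parts))
    return key_type + " " + base64.b64encode(blob).decode() + " constructed"


ED25519 = constructed_line("ssh-ed25519", bytes(range(32)))
RSA = constructed_line("ssh-rsa", b"\x01\x00\x01", b"\x00\x80" + b"\x00" * 254 + b"\x01")
DSS = constructed_line("ssh-dss", b"\x01", b"\x01", b"\x01", b"\x01")
```

The type comparison catches a key whose label was edited or whose base64 body was pasted from a different key, which a text-only check of the first field would miss.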

I tried to SFTP to ftp.xxx.nearlyfreespeech.net and it failed. Why?

Despite the similar names, SFTP and FTP have absolutely nothing in common. If your FTP hostname is ftp.xxx.nearlyfreespeech.net then the correct hostname for SFTP is sftp.xxx.nearlyfreespeech.net.

What are the fingerprints for the NearlyFreeSpeech.NET ssh keys?

We publish SSHFP records for our SSH servers that should automate validating the keys, but if you need or want to check them, the current keys are:

ssh.nyc1.nearlyfreespeech.net

Ed25519 (256 bit)
SHA256: etjM+pc9ujAYv0M7gTAiLUHdZe0nAxlEQ2PRIdEjvRE
SHA1: XO+J7hJ4V4e+zVpBz+0wu4LHPFg
ECDSA (256 bit)
SHA256: xrzTydrj/Zy5Q4fMdP9wuG0r6yNsiZMpUAVSk4RVdvw
SHA1: BUCA+eGPJg9732Po81bw9qWoAbc
RSA (4096 bit)
SHA256: 0dJWfqf2P7gyPJbrNEpffWJPggXvSiKZUjmWvFFMXV0
SHA1: HqJG7/hWJWcOMpMMDz1TiW69hEk

ssh.phx.nearlyfreespeech.net

Ed25519 (256 bit)
SHA256: 52JfRUFuT6UWh9jfWYnLensuRn9no6ucwM3ekbjyPFc
SHA1: +jDA6wignc8EqEBfkN2a8JYn7aA
ECDSA (256 bit)
SHA256: a+Ny0PLkKhm80+5kqzqfVXIlbkQpn/CpMMrzurd8sDI
SHA1: HdoGYbf3aAKAwcFDmxNGkiX5Edk
RSA (4096 bit)
SHA256: 7WCr3k7tjnbA2OhynZ0k7SP6r1bUdeoP8VPdFRURaSg
SHA1: f+FVYHE2wjq3i5Y+wU4lFrtGuxM

If your client is giving you key fingerprints in MD5 format, check your settings (e.g., FingerprintHash sha256) or update your ssh client.
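How the published values relate to what a client shows and to SSHFP record data, as an added example (not NearlyFreeSpeech.NET's code). The function names and the sample key are constructed; the SSHFP algorithm and digest numbers come from RFC 4255, RFC 6594 and RFC 7479.

```python
import base64
import hashlib

# SSHFP RDATA numbers: key algorithm (RFC 4255, 6594, 7479) and digest type.
SSHFP_KEY = {"RSA": 1, "ECDSA": 3, "Ed25519": 4}
SSHFP_DIGEST = {"SHA1": 1, "SHA256": 2}


def split_published(published: str):
    """Split 'SHA256: <base64>' (page style) or 'SHA256:<base64>' (OpenSSH style)."""
    label, _, b64 = published.partition(":")
    return label.strip().upper(), b64.strip().rstrip("=")


def fingerprint(pubkey_line: str, label: str = "SHA256") -> str:
    """OpenSSH-style fingerprint of a 'type base64 [comment]' public key line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.new(label.lower(), blob).digest()
    return label + ":" + base64.b64encode(digest).decode().rstrip("=")


def matches(pubkey_line: str, published: str) -> bool:
    """True only if the key a server presented hashes to the published value."""
    label, b64 = split_published(published)
    return fingerprint(pubkey_line, label) == label + ":" + b64


def to_sshfp(key_name: str, published: str) -> str:
    """Render a published fingerprint as SSHFP RDATA: '<algo> <type> <hex>'."""
    label, b64 = split_published(published)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) != hashlib.new(label.lower()).digest_size:
        raise ValueError("fingerprint length does not fit its digest type")
    return f"{SSHFP_KEY[key_name]} {SSHFP_DIGEST[label]} {raw.hex()}"


# Constructed sample: Ed25519 key line with dummy key bytes, not a real host key.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " constructed"
# Value published on this page for ssh.nyc1.nearlyfreespeech.net (Ed25519).
NYC1_ED25519 = "SHA256: etjM+pc9ujAYv0M7gTAiLUHdZe0nAxlEQ2PRIdEjvRE"

if __name__ == "__main__":
    print(fingerprint(SAMPLE))                 # what a client would display
    print(matches(SAMPLE, NYC1_ED25519))       # the dummy key must not match
    print(to_sshfp("Ed25519", NYC1_ED25519))   # compare with the DNS record data
```

Feed `matches` the key line your client recorded for the host (for example from known_hosts) and the value listed above; a mismatch means the key you were offered is not the published one.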

What do I do if I have problems with FTP?

Use SFTP or SCP instead.

Our official answer to any problem with FTP is don't use FTP. Ever. For anything.

FTP support has been deprecated since 2010. It is an outdated, insecure protocol that does not work very well on the modern Internet. We will not provide any support for any problems you have while using it.

If you insist on using it anyway against our advice, you're on your own. Here are some historical notes about FTP that may (or may not) help:

What if I think the name of your ssh server is too long?

Easy way: You can use xyz1.nfsnssh.com instead of ssh.xyz1.nearlyfreespeech.net if you prefer.

Better way: OpenSSH allows the creation of nicknames. To use this feature, create (or edit) the file ~/.ssh/config (on the client machine you will be connecting from, not ours!) and add content like this:

Host nfsnssh
        Hostname ssh.xyz1.nearlyfreespeech.net
        Port 22

With this done, you can use "nfsnssh" as if it were a hostname in ssh, scp, and sftp. For example, just use ssh mylogin_mysite@nfsnssh to connect to mysite as mylogin.

You can even use the User option to create per-site nicknames to make commands even shorter:

Host *_nfsn
        Hostname ssh.xyz1.nearlyfreespeech.net
        Port 22

Host mysite_nfsn
        User mylogin_mysite

Host othersite_nfsn
        User mylogin_othersite

Then you just ssh mysite_nfsn to connect to mysite and ssh othersite_nfsn to connect to othersite. It doesn't get much shorter than that! See the ssh_config man page for complete details.

If you don't happen to be using OpenSSH, many other ssh tools offer similar options, many with graphical interfaces that make establishing a connection as simple as clicking, regardless of the hostname.

I can connect to NearlyFreeSpeech.NET just fine, so why is your SFTP or ssh server unreachable or timing out?

The first thing to check is to make sure you are using the correct connection information for your site, including your username and password as well as the correct name of the server for the service you are trying to use. You should always check this, even if you are sure it is correct, before exploring more exotic options.

If you are unable to connect at all, or if the connection appears to drop immediately, one possible explanation for this is that you are running firewall software (or have a hardware firewall) that is blocking your connection.

If you use file sharing software, many "P2P block list" applications can block connections to us.

In such cases you will need to either disable the application or set up a manual override to allow the connection.

The most common diagnostics that indicate problems with firewalls and blocking software are "Permission Denied," "No route to host," "Connection refused," "Host unreachable," or "General failure" when attempting to access our FTP or ssh servers, but no similar problem when trying to access your site(s) or ours by HTTP or HTTPS. If you can't access anything at all, the problem is likely something else.

This can also happen if you have non-functional IPv6 connectivity. Our ssh server supports IPv6 and some home network devices advertise IPv6 capability even if it is not supported by your ISP.

Is automated FTP access to the system allowed?

No. Automated FTP access is never allowed. (And the use of FTP at all is strongly discouraged.)

If automated FTP accesses are detected, the affected site's FTP access may be automatically disabled. If the problem reoccurs, we will block it entirely.

Embedded devices that upload information via FTP automatically, such as webcams and weather stations, are strictly prohibited. They are a security disaster; they broadcast your plaintext member password over the Internet every time they connect.

If you need FTP access for allowable purposes, but your FTP access to one of your sites has been blocked due to repeated or egregious violation of our policies in this area, and you are a subscription member, you can contact our support for assistance. If you are not a subscription member and you have FTP access blocked under this policy, you will have to alter your methodology to use SSH/SFTP (which you should be doing anyway) and to comply fully with the policies outlined above.

(This answer is for FTP. For SSH, see this related entry.)

Is automated SSH/SFTP access to the system allowed?

Any automated SSH/SFTP access must use a public key. No hardcoded passwords!

As long as you are physically initiating uploads or downloads yourself, you're fine, even if an automated component is involved. (Just make sure you're either using a key or typing the password by hand.)

Unattended automated SSH/SFTP access is allowed only for these purposes:

If you want automatic unattended uploads beyond these limits, you should use HTTP POST or PUT requests and a small script on your site to receive the files.

Please respect the shared resources used by SSH—which we currently do not charge for—by observing these guidelines. If you have any questions about what is allowable, please ask.

(This answer is for SSH and SFTP. Automated FTP access is never allowed.)