Frequently Asked Questions

The NearlyFreeSpeech.NET FAQ

Uploading

What is the connection information to upload files to my web site?

The username for SFTP and ssh access is not the same as your member login; it is based on both your member login and the site name. The password, however, is the same as your member password. The specifics are listed in the "SSH/SFTP Information" box on each site's information panel in our member interface.

To find this information:

  1. Visit the Sites panel to display your list of sites.
  2. Select the site's "short name" in the "Sites" table to display the details about the site you want to access.
  3. Find the box titled "SSH/SFTP Information."
  4. Locate the username row and the appropriate hostname row for the protocol you wish to use.

How do I upload my content to my site?

The answer depends largely on what tools you are using to create and manage the content of your site. There are four primary approaches people use.

In all cases, you'll need to check the documentation for the program you are using for specific instructions, but at a minimum you will require the connection information for your site to upload successfully.

We do not provide any "built-in" web tools in our member interface for content authoring. Such tools tend to be very limited; they offer only basic functionality and tend to produce a whole lot of nearly identical websites. As such, they do not provide the sophisticated and powerful options expected by our members.

Can I access my web site via ssh?

Yes. To access a website via ssh, use the connection information.

The SSH key fingerprints for ssh.phx.nearlyfreespeech.net are in this FAQ entry.

SFTP and scp are supported. Port forwarding is supported but is only permitted for establishing secure remote connections to your MySQL database.

Important: Our ssh environment is provided solely for maintaining your website and is not to be used for any other purpose. This specifically prohibits using it for proxying, port forwarding, or anything similar. Automated access to the ssh server is likewise prohibited, with an exception allowing connections once per day for the purpose of making offsite backups.

What directory do I upload my web site's files to?

All uploading clients should automatically be in the correct folder after they connect. Do not change your upload directory setting unless you are absolutely sure your client is getting it wrong.

For FTP clients (including publishing programs such as Dreamweaver that upload using FTP), the correct directory is /public.

For ssh and SFTP clients, the correct directory is /home/public.

(Once uploaded, scripts that run on your site will use a different path to access your files, depending on whether they are PHP or CGI.)

What hostname should I use for SFTP?

To SFTP files to our service, use the same hostname that you use for ssh, not the one you use for FTP. You can get this hostname by clicking the "Sites" tab at the top of the page, then clicking the site name from the "Your Web Sites" list. The hostname will be listed under "SSH/SFTP Information." For convenience, we have created an sftp.xxx.nearlyfreespeech.net alias, where the xxx part is the same for you as it is for ssh and FTP.

What program should I use to connect via ssh?

Any working ssh client should be able to connect to our systems. The "reference" implementation in our opinion is the OpenSSH application, available on most Unix platforms (including MacOS X, most easily accessed using the included "Terminal" application) and on Windows via the Cygwin or Interix environments.

On Windows, the far-and-away best ssh application is VanDyke Technologies' Secure CRT. This program is rather expensive ($99) but worth every penny if ssh on Windows is a part of your daily life. PuTTY is a very popular free alternative. It is a little less pleasant to use, but is very workable. (PuTTY requires no local installation and is a perfect tool to slap on a USB memory stick for secure access from anywhere.)

Other alternatives do exist, but these are the most common and the ones we use ourselves.

Why do I have to enable FTP in two places to get it to work?

Because FTP is an insecure protocol that should never be used. We strongly recommend leaving FTP disabled and using SSH or SFTP instead.

FTP access can be restricted on a per-member and a per-site basis. These settings are completely independent; both the member accessing a site and the site being accessed must have FTP enabled in order for access to succeed.

This is to allow maximum access control granularity in situations where multiple members share access to multiple sites via our adjunct access feature. For example, you may not want to allow FTP access to your site, and you may want to make sure a member with adjunct access can't enable FTP access for themself and overrule you.

To enable FTP access for your membership, visit the Profile page and toggle that setting in the "Details" box.

To enable FTP access for a site, visit the Sites panel and select the site by its short name to view its Site Information page, where you'll see the FTP setting in the "SSH/SFTP Information" box.

What is SFTP?

SFTP is the Secure File Transfer Protocol. It is sort of a hybrid between FTP and ssh.

You can use SFTP to send files to our service. It's much safer and more private than regular FTP because it encrypts both your password and your file transfers.

Since SFTP piggybacks on the ssh protocol, SFTP is also robust in the face of NAT routers and firewalls, which often cause problems for FTP.

Due to its advantages, SFTP is the recommended method for uploading content to your site.

There are a number of SFTP applications listed in our member wiki. (Note that "Secure FTP," which only supports SSL/TLS-encrypted FTP, will not work for accessing our servers via SFTP.)

Can I configure my ssh connection to use a public key?

Yes, but.

Our system does not access your site's filesystem until after you have authenticated yourself. Also, correct authentication depends on both member name and site (since more than one member name may have permission to access a given site and a given member name may be able to access more than one site). Therefore, you cannot place a public key file in your site's filesystem to bypass password authentication.

Instead, we keep a separate keychain for ssh keys for each member outside the filesystem. If you have a public key you wish to use to authenticate your ssh connection in lieu of your password, you can set that up on the profile tab.

Per current best security practices, here are the key types we support:

DSA/DSS ("ssh-dss") keys are not supported. This is a US government FIPS standard developed by the NSA and intended only for low-security usage. (Read: they are probably not secure.)

Once installed into your membership's keychain, an ssh key may be used to authenticate access to any site you are authorized to access, including all of your own sites and any sites you may have adjunct access to.

I tried to SFTP to ftp.xxx.nearlyfreespeech.net and it failed. Why?

Despite the similar names, SFTP and FTP have absolutely nothing in common. If your FTP hostname is ftp.xxx.nearlyfreespeech.net then the correct hostname for SFTP is sftp.xxx.nearlyfreespeech.net.

What are the fingerprints for the NearlyFreeSpeech.NET ssh keys?

The current keys are:

RSA (4096 bit)
        MD5: fc:89:a1:64:74:70:a4:82:58:c1:73:4e:72:59:63:56
        SHA256: 7WCr3k7tjnbA2OhynZ0k7SP6r1bUdeoP8VPdFRURaSg

DSA (1024 bit)
        MD5: 8a:75:6f:51:20:90:8e:95:5c:49:d0:e8:d5:f8:4c:e0
        SHA256: daDdLp54a4ReZmEmb4g0v8hMyEIb+iSH3f/RASU8vhk

ECDSA (256 bit)
        MD5: d0:d8:b4:2b:03:60:44:55:9d:ee:83:10:ad:6f:d2:f0
        SHA256: a+Ny0PLkKhm80+5kqzqfVXIlbkQpn/CpMMrzurd8sDI

Ed25519 (256 bit)
        MD5: bc:53:6c:e0:9e:b4:e6:d7:5d:20:07:01:63:d9:cb:e5
        SHA256: 52JfRUFuT6UWh9jfWYnLensuRn9no6ucwM3ekbjyPFc
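
One way to check an offered host key against the SHA256 values listed above before trusting it, as an added example (not NearlyFreeSpeech.NET's own code). The function names are hypothetical, the key type names are the standard OpenSSH ones, and the sample line is built from dummy key bytes rather than a real host key.

```python
import base64
import hashlib
import struct

# SHA256 fingerprints copied from the FAQ entry above, keyed by OpenSSH key
# type name (the type names are standard OpenSSH ones, not from the page).
PUBLISHED_SHA256 = {
    "ssh-rsa": "7WCr3k7tjnbA2OhynZ0k7SP6r1bUdeoP8VPdFRURaSg",
    "ssh-dss": "daDdLp54a4ReZmEmb4g0v8hMyEIb+iSH3f/RASU8vhk",
    "ecdsa-sha2-nistp256": "a+Ny0PLkKhm80+5kqzqfVXIlbkQpn/CpMMrzurd8sDI",
    "ssh-ed25519": "52JfRUFuT6UWh9jfWYnLensuRn9no6ucwM3ekbjyPFc",
}

def parse_host_key(line):
    """Split a known_hosts / ssh-keyscan line into (key type, raw key blob)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: <host> <keytype> <base64 blob>")
    keytype, blob = fields[1], base64.b64decode(fields[2], validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was edited or corrupted.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type does not match key blob")
    return keytype, blob

def sha256_fingerprint(blob):
    """Base64 SHA-256 of the blob with '=' padding stripped (OpenSSH style)."""
    return base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def md5_fingerprint(blob):
    """Colon-separated hex MD5 of the blob (the legacy display format)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def matches_published(line, published=PUBLISHED_SHA256):
    """True only if the key hashes to the pinned fingerprint for its type."""
    keytype, blob = parse_host_key(line)
    return published.get(keytype) == sha256_fingerprint(blob)

def _string(data):  # SSH wire-format string: 4-byte big-endian length + bytes
    return struct.pack(">I", len(data)) + data

# Constructed sample: an Ed25519 blob with dummy key bytes, NOT a real host key.
SAMPLE_LINE = "ssh.phx.nearlyfreespeech.net ssh-ed25519 " + base64.b64encode(
    _string(b"ssh-ed25519") + _string(bytes(range(32)))).decode()

if __name__ == "__main__":
    print(sha256_fingerprint(parse_host_key(SAMPLE_LINE)[1]))
    print(matches_published(SAMPLE_LINE))  # dummy key, so it must not match
```

A line that fails this check should not be added to known_hosts; compare what your client shows with the list above instead.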

What do I do if I have problems with FTP?

Use SFTP or SCP instead.

Our official answer to any problem with FTP is don't use FTP. Ever. For anything.

FTP support has been deprecated since 2010. It is an outdated, insecure protocol that does not work very well on the modern Internet. We will not provide any support for any problems you have while using it.

If you insist on using it anyway against our advice, you're on your own. Here are some historical notes about FTP that may (or may not) help:

What if I think the name of your ssh server is too long?

Easy way: You can use nfsnssh.com instead of ssh.phx.nearlyfreespeech.net if you prefer.

Better way: OpenSSH allows the creation of "nicknames" which serve this function admirably. To use this feature, create (or edit) the file ~/.ssh/config (on the client machine you will be connecting from, not ours!) and add content like this:

Host nfsnssh
        Hostname ssh.phx.nearlyfreespeech.net
        Port 22

With this done, you can use "nfsnssh" as if it were a hostname in ssh, scp, and sftp. For example, just use ssh mylogin_mysite@nfsnssh to connect to mysite as mylogin.

You can even use the User option to create per-site nicknames to make commands even shorter:

Host *_nfsn
        Hostname ssh.phx.nearlyfreespeech.net
        Port 22

Host mysite_nfsn
        User mylogin_mysite

Host othersite_nfsn
        User mylogin_othersite

Then you just ssh mysite_nfsn to connect to mysite and ssh othersite_nfsn to connect to othersite. It doesn't get much shorter than that! See the ssh_config man page for complete details.

If you don't happen to be using OpenSSH, a lot of other ssh tools offer similar options, many with graphical interfaces that make establishing a connection as simple as clicking, regardless of the hostname.

I can connect to NearlyFreeSpeech.NET just fine, so why is your SFTP or ssh server unreachable or timing out?

The first thing to check is to make sure you are using the correct connection information for your site, including your username and password as well as the correct name of the server for the service you are trying to use. You should always check this, even if you are sure it is correct, before exploring more exotic options.

If you are unable to connect at all, or if the connection appears to drop immediately, one possible explanation for this is that you are running firewall software (or have a hardware firewall) that is blocking your connection.

If you use file sharing software, many "P2P block list" applications can block connections to us.

In such cases you will need to either disable the application or set up a manual override to allow the connection.

The most common diagnostics that indicate problems with firewalls and blocking software are "Permission Denied," "No route to host," "Connection refused," "Host unreachable," or "General failure" when attempting to access our FTP or ssh servers, but no similar problem when trying to access your site(s) or ours by HTTP or HTTPS. If you can't access anything at all, the problem is likely something else.

This can also happen if you have non-functional IPv6 connectivity. Our ssh server supports IPv6 and some home network devices advertise IPv6 capability even if it is not supported by your ISP.
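
To tell the broken-IPv6 case apart from a firewall block, the following added example (not part of the original FAQ) tries one TCP connection per address family and reports which one fails. The function names are hypothetical, port 22 is taken from the ssh_config example in this FAQ, and the diagnosis strings are this example's own wording.

```python
import socket

FAMILIES = {socket.AF_INET: "ipv4", socket.AF_INET6: "ipv6"}

def tcp_connect(family, sockaddr, timeout):
    """Open and close one TCP connection; raises OSError on failure."""
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(sockaddr)

def probe(host, port=22, timeout=5.0,
          resolve=socket.getaddrinfo, connect=tcp_connect):
    """Attempt one connection per address family and record each outcome."""
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return {"dns": f"failed: {exc}"}
    results = {}
    for family, _type, _proto, _canon, sockaddr in infos:
        name = FAMILIES.get(family)
        if name is None or name in results:
            continue  # only the first address of each family is tried
        try:
            connect(family, sockaddr, timeout)
            results[name] = "ok"
        except OSError as exc:  # includes timeouts and "No route to host"
            results[name] = f"failed: {exc.strerror or exc}"
    return results

def diagnose(results):
    """Map probe() results onto the causes described in this FAQ entry."""
    if "dns" in results:
        return "name resolution failed; check the hostname"
    v4, v6 = results.get("ipv4"), results.get("ipv6")
    if v4 == "ok" and v6 not in (None, "ok"):
        return "broken IPv6: retry with IPv4 only (ssh -4)"
    if "ok" not in (v4, v6):
        return "all attempts failed: suspect a firewall or block list"
    return "reachable"

if __name__ == "__main__":
    # Needs network access; run it by hand, once, from the affected machine.
    outcome = probe("ssh.phx.nearlyfreespeech.net")
    print(outcome, "->", diagnose(outcome))
```

If the result is the broken-IPv6 case, OpenSSH's -4 option (or AddressFamily inet in ~/.ssh/config) forces IPv4 for the connection.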

Is automated FTP access to the system allowed?

No. Automated FTP access is never allowed. (And the use of FTP at all is strongly discouraged.)

If automated FTP accesses are detected, the affected site's FTP access may be automatically disabled. If the problem reoccurs, we will block it entirely.

Embedded devices that upload information via FTP automatically such as webcams and weather stations are strictly prohibited. They are a security disaster; they broadcast your plaintext member password over the Internet every time they connect.

If you need FTP access for allowable purposes, but your FTP access to one of your sites has been blocked due to repeated or egregious violation of our policies in this area, and you are a subscription member, you can contact our support for assistance. If you are not a subscription member and you have FTP access blocked under this policy, you will have to alter your methodology to use SSH/SFTP (which you should be doing anyway) and to comply fully with the policies outlined above.

(This answer is for FTP. For SSH, see this related entry.)

Is automated SSH/SFTP access to the system allowed?

Any automated SSH/SFTP access must use a public key. No hardcoded passwords!

As long as you are physically initiating uploads or downloads yourself you're fine, even if an automated component is involved. (Just make sure you're either using a key or typing the password by hand.)

Unattended automated SSH/SFTP access is allowed only for these purposes:

If you want automatic unattended uploads beyond these limits, you should use HTTP POST or PUT requests and a small script on your site to receive the files.

Please respect the shared resources used by SSH—which we currently do not charge for—by observing these guidelines. If you have any questions about what is allowable, please ask.

(This answer is for SSH and SFTP. Automated FTP access is never allowed.)