Frequently Asked Questions

The NearlyFreeSpeech.NET FAQ

Uploading

What is the connection information to upload files to my web site?

FTP, SFTP, and ssh all use the same username and password to access your site. This username is not the same as your member login; it is based on both your member login and the site name. The password is the same as your member password. The specifics are listed in the "FTP/SFTP/ssh Information" box on each site's information panel in our member interface.

To find this information:

  1. Visit the Sites panel to display your list of sites.
  2. Select the site's "short name" in the "Sites" table to display the details about the site you want to access.
  3. Find the box titled "FTP/SFTP/ssh Information."
  4. Locate the username row and the appropriate hostname row for the protocol you wish to use.

Please keep in mind that if you are using FTP to access your site (not recommended), you must enable it in two places.

How do I upload my content to my site?

The answer depends largely on what tools you are using to create and manage the content of your site. There are four primary approaches people use.

In all cases, you'll need to check the documentation for the program you are using for specific instructions, but at a minimum you will require the connection information for your site to upload successfully.

We do not provide any "built-in" web tools in our member interface for content authoring. Such tools tend to be very limited and offer only basic functionality. As such, they do not provide the sophisticated and powerful options expected by our members.

Can I access my web site via ssh?

Yes. To access a website via ssh, use the connection information.

The SSH key fingerprints for ssh.phx.nearlyfreespeech.net are in this FAQ entry.

SFTP and scp are supported. Port forwarding is supported but is only permitted for establishing secure remote connections to your MySQL database.

Important: Our ssh environment is provided solely for maintaining your website and is not to be used for any other purpose. This specifically prohibits using it for proxying, port forwarding, or anything similar. Automated access to the ssh server is likewise prohibited, with an exception allowing connections once per day for the purpose of making offsite backups.

What directory do I upload my web site's files to?

All uploading clients should automatically be in the correct folder after they connect. Do not change your upload directory setting unless you are absolutely sure your client is getting it wrong.

For FTP clients (including publishing programs such as Dreamweaver that upload using FTP), the correct directory is /public.

For ssh and SFTP clients, the correct directory is /home/public.

(Once uploaded, scripts that run on your site will use a different path to access your files, depending on whether they are PHP or CGI.)

What hostname should I use for SFTP?

To SFTP files to our service, use the same hostname that you use for ssh, not the one you use for FTP. You can get this hostname by clicking the "Sites" tab at the top of the page, then clicking the site name from the "Your Web Sites" list. The hostname will be listed under "FTP/SFTP/ssh Information." For convenience, we have created an sftp.xxx.nearlyfreespeech.net alias, where the xxx part is the same for you as it is for ssh and FTP.

What program should I use to connect via ssh?

Any working ssh client should be able to connect to our systems. The "reference" implementation in our opinion is the OpenSSH application, available on most Unix platforms (including MacOS X, most easily accessed using the included "Terminal" application) and on Windows via the Cygwin or Interix environments.

On Windows, the far-and-away best ssh application is VanDyke Technologies' Secure CRT. This program is rather expensive ($99) but worth every penny if ssh on Windows is a part of your daily life. PuTTY is a very popular free alternative. It is a little less pleasant to use, but is very workable. (PuTTY requires no local installation and is a perfect tool to slap on a USB memory stick for secure access from anywhere.)

Other alternatives do exist, but these are the most common and the ones we use ourselves.

Why do I have to enable FTP in two places to get it to work?

FTP access can be controlled on a per-member and a per-site basis. Although some people expect these settings to be related, or expect one to supersede the other, they are completely independent. Both the member accessing a site and the site being accessed must have FTP enabled in order for access to succeed.

This allows maximum access control granularity in situations where multiple members share access to multiple sites via our adjunct membership feature. For example, you may not want to allow FTP access to your site, and you may want to make sure an adjunct user cannot enable FTP access for himself and overrule you.

To enable FTP access for your membership, visit the Profile page and toggle that setting in the "Details" box.

To enable FTP access for your site, visit the Sites panel and select the site by its "short name" to view its Site Information page, where you'll see the FTP setting in the "FTP/SFTP/SSH Information" box.

Note that as of May 18, 2010, FTP access is deprecated. While we have no current plans to remove it, it is disabled by default on new sites and memberships, and must therefore be enabled in both places if you want it.

FTP is an insecure protocol that should never be used, much less as part of any new development. It is strongly recommended that you leave FTP disabled and access your site with SSH or SFTP.

What is SFTP?

SFTP is the Secure File Transfer Protocol. It is sort of a hybrid between FTP and ssh.

You can use SFTP to send files to our service. It's much safer and more private than regular FTP because it encrypts both your password and your file transfers.

Since SFTP piggybacks on the ssh protocol, SFTP is also robust in the face of NAT routers and firewalls, which often cause problems for FTP.

Due to its advantages, SFTP is the recommended method for uploading content to your site.

There are a number of SFTP applications listed in our member wiki. (Note that "Secure FTP," which only supports SSL/TLS-encrypted FTP, will not work for accessing our servers via SFTP.)

Can I configure my ssh connection to use a public key?

Yes, but.

Our system does not access your site's filesystem until after you have authenticated yourself. Also, correct authentication depends on both member name and site (since more than one member name may have permission to access a given site and a given member name may be able to access more than one site). Therefore, you cannot place a public key file in your site's filesystem to bypass password authentication.

Instead, we keep a separate keychain for ssh keys for each member outside the filesystem. If you have a public key you wish to use to authenticate your ssh connection in lieu of your password, you can set that up on the profile tab.

Per current best security practices, here are the key types we support:

DSA/DSS ("ssh-dss") keys are not supported. This is a US government FIPS standard developed by the NSA and intended only for low-security usage. (Read: they are probably not secure.)

Once installed into your membership's keychain, an ssh key may be used to authenticate access to any site you are authorized to access, including all of your own sites and any sites you may have adjunct access to.

I tried to SFTP to ftp.xxx.nearlyfreespeech.net and it failed. Why?

Despite the similar names, SFTP and FTP have absolutely nothing in common. If your FTP hostname is ftp.xxx.nearlyfreespeech.net then the correct hostname for SFTP is sftp.xxx.nearlyfreespeech.net.

What are the fingerprints for the NearlyFreeSpeech.NET ssh keys?

The current keys are:

RSA (4096 bit)
MD5: fc:89:a1:64:74:70:a4:82:58:c1:73:4e:72:59:63:56
SHA256: 7WCr3k7tjnbA2OhynZ0k7SP6r1bUdeoP8VPdFRURaSg
DSA (1024 bit)
MD5: 8a:75:6f:51:20:90:8e:95:5c:49:d0:e8:d5:f8:4c:e0
SHA256: daDdLp54a4ReZmEmb4g0v8hMyEIb+iSH3f/RASU8vhk
ECDSA (256 bit)
MD5: d0:d8:b4:2b:03:60:44:55:9d:ee:83:10:ad:6f:d2:f0
SHA256: a+Ny0PLkKhm80+5kqzqfVXIlbkQpn/CpMMrzurd8sDI
Ed25519 (256 bit)
MD5: bc:53:6c:e0:9e:b4:e6:d7:5d:20:07:01:63:d9:cb:e5
SHA256: 52JfRUFuT6UWh9jfWYnLensuRn9no6ucwM3ekbjyPFc
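
How the SHA256 values above are derived from a host key, and how a key offered by a server can be checked against them, as an added example (not code from NearlyFreeSpeech.NET). The mapping from the labels above to OpenSSH key-type names and the sample key line are assumptions; the sample key is constructed and is not the server's real key.

```python
import base64
import hashlib
import hmac

# SHA256 fingerprints as published in this FAQ entry, keyed by the
# OpenSSH key-type name that ssh-keyscan prints for each algorithm.
PUBLISHED_SHA256 = {
    "ssh-rsa": "7WCr3k7tjnbA2OhynZ0k7SP6r1bUdeoP8VPdFRURaSg",
    "ssh-dss": "daDdLp54a4ReZmEmb4g0v8hMyEIb+iSH3f/RASU8vhk",
    "ecdsa-sha2-nistp256": "a+Ny0PLkKhm80+5kqzqfVXIlbkQpn/CpMMrzurd8sDI",
    "ssh-ed25519": "52JfRUFuT6UWh9jfWYnLensuRn9no6ucwM3ekbjyPFc",
}

def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH form: unpadded base64 of SHA-256 over the raw key blob."""
    return base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_key_line(line: str):
    """Split 'host keytype base64-key [comment]' (ssh-keyscan output)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-key")
    key_type, blob = fields[1], base64.b64decode(fields[2], validate=True)
    # The blob repeats the key type as a length-prefixed string; if the two
    # disagree the line was mangled and must not be trusted.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type field does not match key blob")
    return key_type, blob

def verify_host_key(line: str, published=PUBLISHED_SHA256) -> bool:
    """True only if the offered key hashes to the published fingerprint."""
    key_type, blob = parse_key_line(line)
    expected = published.get(key_type)
    if expected is None:
        return False  # unknown algorithm: nothing to compare against
    return hmac.compare_digest(sha256_fingerprint(blob), expected)

def constructed_key_line() -> str:
    """Constructed sample (all-zero Ed25519 key), not the server's real key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(32)
    return "host.example ssh-ed25519 " + base64.b64encode(blob).decode()

if __name__ == "__main__":
    line = constructed_key_line()
    print(sha256_fingerprint(parse_key_line(line)[1]), verify_host_key(line))
```

A False result for a key offered under the real hostname means the key does not match the published fingerprint and the connection should not be trusted.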

I am having trouble uploading with FTP. What could be wrong?

First, please consider using an uploading method other than FTP, such as SFTP or SCP. FTP is a complex, insecure protocol that does not work very well on the modern Internet. If you have an alternative, use it.

Please also keep in mind that, as of May 2010, memberships now come with FTP disabled by default, so if you must use it, you'll need to make sure it's properly enabled first.

With that said, almost all FTP problems are caused by NAT devices (especially cheap residential gateway routers) incorrectly processing FTP connections, or by personal firewall software blocking FTP access. These problems generally manifest as being able to connect to the FTP server, but not to upload or download any files. FTP has two operating modes, active and passive. The first response to any FTP connection problem should be to switch your FTP client from active mode to passive mode, or vice versa. Switching modes almost always clears up FTP issues.

Other potential problem areas for FTP include your local firewall configuration (hardware or software) and incorrect FTP connection information.

What if I think the name of your ssh server is too long?

Easy way: You can use nfsnssh.com instead of ssh.phx.nearlyfreespeech.net if you prefer.

Better way: OpenSSH allows the creation of "nicknames" which serve this function admirably. To use this feature, create (or edit) the file ~/.ssh/config (on the client machine you will be connecting from, not ours!) and add content like this:

Host nfsnssh
        Hostname ssh.phx.nearlyfreespeech.net
        Port 22

With this done, you can use "nfsnssh" as if it were a hostname in ssh, scp, and sftp. For example, just use ssh mylogin_mysite@nfsnssh to connect to mysite as mylogin.

You can even use the User option to create per-site nicknames to make commands even shorter:

Host *_nfsn
        Hostname ssh.phx.nearlyfreespeech.net
        Port 22

Host mysite_nfsn
        User mylogin_mysite

Host othersite_nfsn
        User mylogin_othersite

Then you just ssh mysite_nfsn to connect to mysite and ssh othersite_nfsn to connect to othersite. It doesn't get much shorter than that! See the ssh_config man page for complete details.

If you don't happen to be using OpenSSH, a lot of other ssh tools offer similar options, many with graphical interfaces that make establishing a connection as simple as clicking, regardless of the hostname.

I can connect to NearlyFreeSpeech.NET just fine, so why is your FTP or ssh server unreachable or timing out?

First, make sure you are using the correct connection information for your site, including your username and password as well as the correct name of the server for the service you are trying to use. Always check this, even if you are sure it is correct, before exploring more exotic options.

Once that's done, one possible explanation for this is that you are running firewall software that uses a "P2P block list" to block connections. As an example, the P2P application PeerBlock (formerly PeerGuardian) in its default configuration uses lists on which we appear and blocks FTP/ssh traffic.

In such cases you will need to either disable the application or set up a manual override to allow the connection.

The most common diagnostics that indicate this specific problem are "Permission Denied," "No route to host," "Connection refused," "Host unreachable," or "General failure" when attempting to access our FTP or ssh servers, but no similar problem when trying to access your site(s) or ours by HTTP or HTTPS. If you can't access anything at all, the problem is likely something else.

As of October 2010, we are known to be listed on the Bluetack "level1" list and the TBG "PrimaryThreats" list. The stated reasons for listing us are dubious, but since these lists basically say "do not connect to these IPs for illegal P2P file sharing" we don't really mind being listed, since that type of usage would not be concordant with our Terms & Conditions of Service.

This can also happen if you have non-functional IPv6 connectivity. Our ssh server supports IPv6 and some home network devices advertise IPv6 capability even if it is not supported by your ISP.

Is automated SSH/FTP access to the system allowed?

For the most part, no. We do not allow unattended, automated access because it is an excessive use of resources we currently do not charge for and because it can be very bad for our system security.

This means that the use of embedded devices that automatically upload information via FTP on a regular basis, such as web cams and certain "weather station" devices, in conjunction with our service is strictly prohibited. Such devices are a security disaster; they broadcast your member password over the Internet every few minutes in plaintext, and we will not allow that. If we find evidence of FTP being used in this fashion, it will be disabled or, after repeated problems, blocked entirely.

We are somewhat less strict about SSH access, as the focus is more on excessive resource usage. We will overlook unattended SSH access under the following conditions:

Please be respectful of the shared resources assigned to FTP and SSH by observing these guidelines.

If you have an application that needs the ability to remotely upload on a regular/automated basis, it is entirely possible to do so. All you need to do is set those tasks up via HTTP, e.g. using POST or PUT requests and a small script to receive the files.
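
One way such a receiving script can authenticate uploads without the device ever holding your member password, as an added example (not code from NearlyFreeSpeech.NET). The device signs each request with a per-device secret and the receiver checks size, file name, freshness and signature before writing anything. The function names, limits and allowed extensions are assumptions; wiring the function to a CGI or web framework handler, and serving it over HTTPS, is left out.

```python
import hashlib
import hmac
import os
import re
import time

MAX_BYTES = 2 * 1024 * 1024   # assumption: cap suited to one webcam frame
MAX_SKEW = 300                # seconds a signed request stays valid
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(jpg|png|csv|txt)")

def sign_upload(secret: bytes, timestamp: str, name: str, body: bytes) -> str:
    """Device side: HMAC-SHA256 over timestamp, file name and body digest."""
    msg = "\n".join([timestamp, name, hashlib.sha256(body).hexdigest()])
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()

def receive_upload(secret, dest_dir, name, timestamp, signature, body, now=None):
    """Server side: return (HTTP status, reason); write the file only on 201."""
    now = time.time() if now is None else now
    if len(body) > MAX_BYTES:
        return 413, "too large"
    if not SAFE_NAME.fullmatch(name):
        return 400, "bad file name"     # rejects '../', absolute paths, dotfiles
    try:
        age = abs(now - int(timestamp))
    except ValueError:
        return 400, "bad timestamp"
    if age > MAX_SKEW:
        return 403, "stale request"     # narrows the window for replaying a capture
    expected = sign_upload(secret, timestamp, name, body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return 403, "bad signature"
    # Write to a hidden temporary name, then rename, so a half-written
    # file is never served from the public directory.
    tmp = os.path.join(dest_dir, "." + name + ".part")
    with open(tmp, "wb") as fh:
        fh.write(body)
    os.replace(tmp, os.path.join(dest_dir, name))
    return 201, "stored"
```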

All these limits apply only to unattended access. As long as you are physically present at the keyboard initiating uploads or downloads yourself, no such limitations are imposed.