Saturday, July 01, 2006

FTPS with vsftpd Part 1

When I first mention FTPS, most people have the same reaction, “you mean SFTP?” No, I do not. SFTP, while very useful, is quite different from FTPS. In this article I explain the simple steps involved in setting up FTPS with vsftpd.


SFTP is included with OpenSSH and allows system users to transfer files in an FTP-like session over an encrypted SSH connection. The main advantage is that if you have SSH up and running, it is most likely that you also have SFTP. The main disadvantage is that users of your SFTP service must have shell accounts, and you cannot use a nologin shell.

This is less than ideal for many circumstances. For example, I run a shared web server where I host sites for family and friends. It is important to me to provide a way for the owners of websites to upload their content via an encrypted connection. At first I considered SFTP, but I really did not want to give all the webmasters shell access to my server.

Enter FTPS. FTPS is FTP with the control connection (and optionally the data connections) protected by SSL/TLS. In the form vsftpd provides here, the client connects to the normal FTP port and upgrades the session with the AUTH TLS command (RFC 4217); some clients list this mode as "explicit FTPS" or FTPES. I had heard about it a while back, but always dismissed it as something exotic and not well supported. As it turns out, just about every popular FTP client now supports FTPS.

Combining FTPS with the "virtual" users feature of vsftpd allows the webmasters to log in and upload content using SSL to protect their passwords. Their accounts are limited to FTP, and beyond that, are limited to just their web content directories.

FTPS also allows the FTP data connection to be left unencrypted. The FTP control connection, over which the user's login and password are transferred, is always encrypted. Whether the data channel is encrypted is chosen by the client (PROT P for protected, PROT C for clear) unless the server forces it. The advantage of an unencrypted data channel is faster file transfers; the cost is that file contents and directory listings cross the network in the clear, where anyone on the path can read them or tamper with an upload in transit.

Personally, I opt for the speedier unencrypted data channel. I am not very concerned about encrypting content that will be available via a webserver, as long as passwords are protected.

--

Only a few steps are needed to activate FTPS (note that I use Red Hat Enterprise Linux 4, but most other Unix-like operating systems should be similar):

  1. First generate a self-signed certificate and private key. The command below writes both into one PEM file (openssl appends the certificate when -out and -keyout name the same file); give the key a sensible size and the certificate a lifetime longer than openssl's 30-day default:
    openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 -out vsftpd.pem -keyout vsftpd.pem

  2. Copy the file to your vsftpd directory and, since it contains the private key, make it readable by root only:
    cp vsftpd.pem /etc/vsftpd
    chmod 600 /etc/vsftpd/vsftpd.pem

  3. Add the following to vsftpd.conf and restart vsftpd. Once ssl_enable=YES, force_local_logins_ssl defaults to YES, so logins are always protected; force_local_data_ssl=NO leaves the data channel up to the client (set it to YES to require encrypted transfers as well):
    ssl_enable=YES
    rsa_cert_file=/etc/vsftpd/vsftpd.pem
    rsa_private_key_file=/etc/vsftpd/vsftpd.pem
    force_local_data_ssl=NO

Once the above configuration is active, system (and "virtual") users will be required to use a client that supports FTPS, because vsftpd rejects a plain login when force_local_logins_ssl is in effect. If your server allows anonymous users, they will still only be able to log in with plain old FTP: vsftpd does not offer SSL to anonymous sessions unless allow_anon_ssl=YES, so by default FTPS is only for authenticated users.


3 Comments:

Blogger Вадек said...

Hi, my working config is:


ssl_enable=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES


vsftpd version is 2.0.5

1:48 PM  
Blogger K said...

Well, I've done everything I could to get vsftpd working with SSL, and it works.

BUT, it only works in FTPES mode and not FTPS.

I tried everything I could to make it work in FTPS... T___T

If you could give me a hand there:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

7:43 AM  
Blogger Chris K. Haley said...

Hi Joshua,

We've had good luck using the Tectia SSH server. It allows SFTP connections without having to have a shell account that can be accessed via SSH / login in any way.

Best Regards,
Chris

9:19 AM  
