Pure-FTPd
Pure-FTPd is a free (BSD), secure, production-quality and
standard-conformant FTP server. It doesn't provide useless bells and
whistles, but focuses on efficiency and ease of use. It provides simple
answers to common needs, plus unique useful features for personal users
as well as hosting providers.
- Latest release : 1.0.29 (released on March 15th, 2010). So the project is alive and can be used.
Security first.
Pure-FTPd is actively supported, and it was always designed with security in mind, and the code is always re-audited as new kinds of vulnerabilities are discussed.
The server can run with privilege separation for paranoid security. It can even run 100% non-root, with its built-in chroot() emulation and virtual accounts.
Transmission of cleartext passwords and commands can be avoided : Pure-FTPd has optional support for an SSL/TLS encryption layer using the OpenSSL library. So we can chroot, and we can use encryption. Looks OK.
Pure-FTPd works on your server.
The same source code compiles and runs on Linux, OpenBSD, NetBSD, DragonflyBSD, FreeBSD, Solaris, Tru64, Darwin, Irix, HPUX, AIX and iPhone.
Pre-built binary packages are available for Novell, Mandriva, Debian, Ubuntu, PLD Linux, Stampede Linux, Slackware Linux (Slimslack), Multilinux, Sorcerer Linux, Fli4L (the one-disk router), ROOT Linux, Gentoo Linux and almost every other free operating system.
Pure-FTPd is also available in BSD systems : FreeBSD (/usr/ports/ftp/pure-ftpd/), OpenBSD (/usr/ports/net/pure-ftpd/), DragonflyBSD and NetBSD (/usr/pkgsrc/net/pureftpd/). That's the list of OSes it runs on.
Pure-FTPd speaks your language.
All server messages are translated into English, German, Romanian, French, Polish, Spanish, Danish, Dutch, Italian, Brazilian Portuguese, Slovak, Korean, Swedish, Norwegian, Russian, Traditional Chinese, Simplified Chinese, Czech, Turkish, Hungarian and Catalan.
It helps your customers understand diagnostics, even when English isn't their native language.
Messages are in independent files and they can be easily translated to new languages, or customized.
Transparent conversion of client to filesystem charsets is implemented, with UTF-8 support.
There is Russian language support (though I'm not really sure it's necessary, it's nice to have).
An excellent choice for newbies.
So there you go: any newbie can install and run a mega-super-secure FTP server in 5 minutes.
Beginners can install a Pure-FTPd server in 5 minutes. It can be as simple as installing the package, typing “pure-ftpd &” and… that’s all. You already have a running server, and clients can start to connect.
There’s no need to review any long and complex configuration file, where possible mistakes could have security and reliability implications. Pure-FTPd uses simple command-line switches to enable the features you need.
Pure-FTPd is better off not touching config files at all; instead it is started with the needed switches.
http://download.pureftpd.org/pub/pure-ftpd/doc/README.Configuration-File
Unlike many daemons, Pure-FTPd doesn't read any configuration file (except for
LDAP and SQL). Instead, it uses command-line options. For instance, the '-H'
flag is designed to speed up highly loaded servers, by avoiding DNS lookups.
To enable this, just add it to the server name:
/usr/local/sbin/pure-ftpd -H
Alternative long options are also supported. Here's an equivalent of the
previous command:
/usr/local/sbin/pure-ftpd --dontresolve
But you can use traditional configuration files over command-line
options. Adding a parser for configuration files in the server is a bad
idea. It slows down everything and needs resources for nothing.
http://download.pureftpd.org/pub/pure-ftpd/doc/README
Here is the list of configure options, with descriptions:
--with-mysql: use the native MySQL support for users database. When this
option is enabled, system accounts can be bypassed. MySQL client libraries
should be installed to use that feature. If MySQL is installed in a custom
location, you can use the --with-mysql=<directory> syntax. See the
README.MySQL file for more info about MySQL and Pure-FTPd.
--with-tls: enable TLS support. Read README.TLS for more about this feature.
--with-certfile=<file>: the file with the SSL certificate (see README.TLS). The
default is /etc/ssl/private/pure-ftpd.pem .
--with-language=russian
http://download.pureftpd.org/pub/pure-ftpd/doc/README.MySQL
A description of user support in a MySQL database.
------------------------ MYSQL SUPPORT ------------------------
Since release 0.99.1, Pure-FTPd has a built-in support for MySQL databases.
When MySQL is enabled, all account info is fetched from a central MySQL
database.
To compile the server with MySQL support, you first have to build and
install the MySQL client libraries. MySQL is freely available from
http://www.mysql.com/ and binary packages are included in many major
distributions. But if you choose a binary form, don't forget to also install
the development packages if they are available separately.
Then, configure Pure-FTPd with --with-mysql and your favorite extra gadgets:
./configure --with-mysql --with-cookie --with-throttling --with-ratios
If your MySQL libraries are installed in a special path, you can specify it
like this:
./configure --with-mysql=/opt/mysql
In this example, headers (like mysql.h) will be searched in
/opt/mysql/include and /opt/mysql/include/mysql, while related libraries
will be searched in /opt/mysql/lib and /opt/mysql/lib/mysql .
Then, install the server as usual:
make install
------------------------ MYSQL CONFIGURATION FILE ------------------------
Before running the server, you have to create a configuration file. Why a
configuration file instead of simple command-line options? you may ask.
Because for security reasons, you may want to hide how to connect to your
MySQL server. And as command-line options can be discovered by local users
(with 'ps auxwww' for instance), it's more secure to use a configuration
file for sensitive data. Keep it readable only by root (chmod 600) .
Here's a sample configuration file:
#MYSQLServer localhost
#MYSQLPort 3306
MYSQLSocket /tmp/mysql.sock
MYSQLUser root
MYSQLPassword rootpw
MYSQLDatabase pureftpd
MYSQLCrypt cleartext
MYSQLGetPW SELECT Password FROM users WHERE User="\L"
MYSQLGetUID SELECT Uid FROM users WHERE User="\L"
MYSQLGetGID SELECT Gid FROM users WHERE User="\L"
MYSQLGetDir SELECT Dir FROM users WHERE User="\L"
Have a look at the sample pureftpd-mysql.conf configuration file for
explanations of every keyword.
Save the configuration file anywhere. Let's say /etc/pureftpd-mysql.conf .
Then, you have to run the pure-ftpd command with '-l mysql:' (it's an 'ell'
not a 'one') followed by the path of that configuration file. Here's an
example with tcpserver:
tcpserver -DHRl0 0 21 /usr/local/bin/pure-ftpd -l mysql:/etc/pureftpd-mysql.conf &
You can mix different authentication methods. For instance, if you want to
use system (/etc/passwd) accounts when an account is not found in a MySQL
database, use -l mysql:/etc/pureftpd-mysql.conf -l unix
------------------------ TABLES STRUCTURES ------------------------
Pure-FTPd is very flexible and users can be stored in any way in SQL tables.
You just have to have fields with the following info:
- The user's login.
- The user's password, in plaintext, MD5, crypt()ed or MySQL's password()
format. Pure-FTPd also accepts the "any" value for the MySQLCrypt field.
With "any", all hashing functions (not plaintext) are tried.
* RECOMMENDATION: On Solaris systems and on very old C libraries, use MySQL
MD5 hashing. On all other systems, better use crypt(), which adds a salt.
Avoid password(), whose hash function is rather weak and not portable, and is
supposed to be only used for internal accounts of MySQL servers. password() is
no longer supported by Pure-FTPd with MySQL 4.1.0 and later.
- The system uid to map the user to. This can be a numeric id or a user
name, looked up at run-time.
- The system gid (numeric or not) .
- The home directory.
Here's a dump of a simple table to handle this:
CREATE TABLE users (
User VARCHAR(16) BINARY NOT NULL,
Password VARCHAR(64) BINARY NOT NULL,
Uid INT(11) NOT NULL default '-1',
Gid INT(11) NOT NULL default '-1',
Dir VARCHAR(128) BINARY NOT NULL,
PRIMARY KEY (User)
);
Uid and Gid can be char() instead of int() if you want to use names instead
of values.
Then, in the pureftpd-mysql.conf configuration file, you have to provide SQL
templates to fetch the needed info.
Let's take the previous example:
MYSQLGetPW SELECT Password FROM users WHERE User="\L"
MYSQLGetUID SELECT Uid FROM users WHERE User="\L"
MYSQLGetGID SELECT Gid FROM users WHERE User="\L"
MYSQLGetDir SELECT Dir FROM users WHERE User="\L"
For each query:
\L is replaced by the login of a user trying to authenticate.
\I is replaced by the IP address the client connected to.
\P is replaced by the port number the client connected to.
\R is replaced by the remote IP address the client connected from.
\D is replaced by the remote IPv4 address, as a long decimal number.
You can mix all of these to store info in various tables. For instance, with
\I, you can have a different table for every domain, so that joe@domain1
won't be the same account than joe@domain2 . And with \R, you can restrict
one account to one specific address.
With MySQL 4.1 and later, multiple statements can be used using a semicolon
(";") as a delimiter.
Please note that a login can only contain common characters: A...Z, a...z,
0...9, -, ., _, space, :, @ and ' . For security purposes, other characters
are forbidden.
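As an added illustration (not code from the Pure-FTPd project), here is a Python helper that checks a login against the character whitelist above and expands the \L, \I, \P, \R and \D placeholders in a MYSQLGet* template the way the README describes; the function names are my own.

```python
import ipaddress
import re

# Characters the README permits in a login: A-Z, a-z, 0-9, '-', '.', '_',
# space, ':', '@' and "'". Anything else is rejected, as the server does.
ALLOWED_LOGIN = re.compile(r"[A-Za-z0-9\-._ :@']+")

# Placeholders documented for the MYSQLGet* query templates.
PLACEHOLDERS = ("\\L", "\\I", "\\P", "\\R", "\\D")


def login_is_valid(login: str) -> bool:
    """True if the login uses only the characters pure-ftpd allows."""
    return ALLOWED_LOGIN.fullmatch(login) is not None


def ipv4_as_decimal(ip: str) -> int:
    """The remote IPv4 address as a long decimal number, the \\D form."""
    return int(ipaddress.IPv4Address(ip))


def expand_query(template: str, login: str, local_ip: str,
                 local_port: int, remote_ip: str) -> str:
    """Substitute \\L, \\I, \\P, \\R and \\D into a query template.

    The substitution itself is plain text replacement, so the login is
    validated first; the whitelist (no '"', ';' or '\\') is what keeps the
    template's quoting and statement boundaries intact.
    """
    if not login_is_valid(login):
        raise ValueError(f"login contains forbidden characters: {login!r}")
    values = {
        "\\L": login,
        "\\I": local_ip,
        "\\P": str(local_port),
        "\\R": remote_ip,
        "\\D": str(ipv4_as_decimal(remote_ip)),
    }
    out = template
    for marker in PLACEHOLDERS:
        out = out.replace(marker, values[marker])
    return out


if __name__ == "__main__":
    # Template in the README's own style; the Host column is a hypothetical one.
    tmpl = 'SELECT Dir FROM users WHERE User="\\L" AND Host="\\I"'
    print(expand_query(tmpl, "joe", "10.0.0.1", 21, "192.168.1.4"))
```

A login such as o'brien passes the whitelist and still sits inside the double-quoted literal used in the README's templates.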
You can also remove uid and gid fields in your tables and use default
values instead (thus saving useless lookups) . Two directives are
useful to serve that purpose: MYSQLDefaultUID and MYSQLDefaultGID.
Obvious example:
MYSQLDefaultUID 1000
MYSQLDefaultGID 1000
Using these directives overrides MYSQLGetUID and MYSQLGetGID.
------------------------ PER-USER SETTINGS ------------------------
Individual settings can be set for every user, using optional queries.
- MySQLGetQTAFS is the maximal number of files a user can store in his home
directory.
Example:
MySQLGetQTAFS SELECT QuotaFiles FROM users WHERE User="\L"
- MySQLGetQTASZ is the maximal disk usage, in Megabytes.
Example:
MySQLGetQTASZ SELECT QuotaSize FROM users WHERE User="\L"
- MySQLGetRatioUL and MySQLGetRatioDL are optional ratios.
Example:
MySQLGetRatioUL SELECT ULRatio FROM users WHERE User="\L"
MySQLGetRatioDL SELECT DLRatio FROM users WHERE User="\L"
- MySQLGetBandwidthUL and MySQLGetBandwidthDL are optional upload and
download bandwidth restrictions. Returned values should be in KB/s.
Example:
MySQLGetBandwidthUL SELECT ULBandwidth FROM users WHERE User="\L"
MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User="\L"
- MySQLForceTildeExpansion is yet another optional feature, to enable "~"
expansion in paths. 0 disables it (default), 1 enables it. Only enable this
if real (system) users and virtual (MySQL) users match. In all other cases,
don't enable it blindly.
------------------------ TRANSACTIONS ------------------------
If you upgraded your tables to transaction-enabled tables, you can configure
Pure-FTPd to take advantage of transactions. That way, you can be sure that
all info parsed by the server is complete even if you're updating it at the
same time.
To enable transactions, add this line:
MySQLTransactions On
Don't enable transactions on tables that still are in ISAM or MyISAM
formats. Transactions are only working with newer backends (Gemini, InnoDB,
BerkeleyDB...) and in recent MySQL versions.
------------------------ STORED PROCEDURES ------------------------
Mike Goins says:
To get pure-ftp to use a MySQL 5 stored procedure, use statements like:
MYSQLGetDir CALL get_path_from_name("\L")
instead of
MYSQLGetDir SELECT user_dir FROM user WHERE user_name="\L"
Note that this requires the type of Stored Procedure that returns a result set
in a single call as opposed to the two call method:
CALL sp('value', @a); SELECT @a
------------------------ ANONYMOUS USERS ------------------------
If you want to accept anonymous users on your FTP server, you don't need to
have any 'ftp' user in the MySQL directory. But you need to have a system
'ftp' account on the FTP server.
Important!
When using the MySQL configuration with anonymous FTP users,
you don't need to create accounts in the MySQL database. Only a system ftp account is needed.
------------------------ ROOT USERS ------------------------
But logging in as root is not allowed at all!
If a MySQL user entry has a root (0) uid and/or gid, Pure-FTPd will refuse
to log him in.
Without this preventive restriction, if your MySQL server ever gets
compromised, the attacker could also easily compromise the FTP server.
Security barriers are also implemented to avoid bad implications if wrong
data types (eg. binary blobs instead of plain text) are fetched with SQL
queries.
http://download.pureftpd.org/pub/pure-ftpd/doc/README.Virtual-Users
------------------------ VIRTUAL USERS ------------------------
Virtual user support.
Since release 0.99.2, Pure-FTPd supports virtual users.
Virtual users is a simple mechanism to store a list of users, with their
password, name, uid, directory, etc. It's just like /etc/passwd. But it's
not /etc/passwd. It's a different file, only for FTP.
It means that you can easily create FTP-only accounts without messing up
your system accounts.
Additionally, virtual users files can store individual quotas, ratios,
bandwidth, etc. System accounts can't do this.
Thousands of virtual users can share the same system user, as long as they
all are chrooted and they have their own home directory.
So a good thing to do before using virtual users is to create a system user
for this. Of course, you can use any existing account like "nobody" (but not
root), but it's better to have a dedicated account.
Let's create an "ftpgroup" group and an "ftpuser" user.
Linux/OpenBSD/NetBSD/Solaris/HPUX/OSX/a lot of other Unix-like systems:
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
FreeBSD/DragonflyBSD:
pw groupadd ftpgroup
pw useradd ftpuser -g ftpgroup -d /dev/null -s /etc
Then, all maintenance of virtual users can be made with the "pure-pw"
command. You can also edit the files by hand if you want.
Files storing virtual users have one line per user. These lines have the
following syntax:
<account>:<password>:<uid>:<gid>:<gecos>:<home directory>:<upload
bandwidth>:<download bandwidth>:<upload ratio>:<download ratio>:<max number
of connections>:<files quota>:<size quota>:<authorized local IPs>:<refused
local IPs>:<authorized client IPs>:<refused client IPs>:<time
restrictions>
Fields can be left empty (exceptions: account, password, uid, gid, home
directory) .
Passwords are compatible with the hashing function used in /etc/passwd or
/etc/master.passwd . They are crypto hashed with blowfish, md5, multiple-des
and simple des, in this order, according to what your system has support for.
------------------------ CREATING A NEW USER ------------------------
To add a new user, use the following syntax:
pure-pw useradd <login> [-f <passwd file>] -u <uid> [-g <gid>]
-D/-d <home directory> [-c <gecos>]
[-t <download bandwidth>] [-T <upload bandwidth>]
[-n <max number of files>] [-N <max Mbytes>]
[-q <upload ratio>] [-Q <download ratio>]
[-r <allow client host>[/<mask>][,<allow client host>[/<mask>]]...]
[-R <deny client host>[/<mask>][,<deny client host>[/<mask>]]...]
[-i <allow local host>[/<mask>][,<allow client host>[/<mask>]]...]
[-I <deny local host>[/<mask>][,<deny local host>[/<mask>]]...]
[-y <max number of concurrent sessions>]
[-z <hhmm>-<hhmm>] [-m]
Let's create "joe", whose home directory will be /home/ftpusers/joe . The
system account associated with "joe" is "ftpuser".
pure-pw useradd joe -u ftpuser -d /home/ftpusers/joe
Joe's password is asked twice.
With -d, joe will be chrooted. If you want to give joe access to the whole
filesystem, use -D instead of -d.
You don't need to create /home/ftpusers/joe if you run pure-ftpd with the
-j (--createhome) switch. With that switch, home directories will
automatically be created when users will log in for the first time.
The "-z" option allows a user to connect only during a range of day time.
For instance, with -z 0900-1800, joe will only be able to connect from 9:00
to 18:00. Warning: a user that connected during authorized hours can
finish his session after these authorized hours.
-r and -R are handy to restrict where the user can connect from. They can be
followed by a simple IP/mask pair (-r 192.168.1.0/24), multiple pairs
separated by a comma (-r 192.168.1.0/24,10.1.0.0/16,127.0.0.1/32), single IPs
(-r 192.168.1.4,10.1.1.5), host names (-r bla.bla.net,yopcitron.com), or any
combination of those.
-y is to restrict the number of concurrent sessions a user can have
at the same time. '' or 0 mean unlimited. Avoid this feature on very loaded
servers. Use per-ip limits instead.
Ok, "joe" has been created. By default, the list of virtual users is stored
in the /etc/pureftpd.passwd file (you can of course change this with -f
<file>) .
Let's have a look at its content:
joe:$1$LX/3.F60$bYdYwsQOYIaWq.Ko.hfI3.:500:101::/home/ftpusers/joe/./:::::::::::::
Passwords are hashed with the best one-way hash function your system supports.
Hashes are tried in this order: Blowfish, MD5, multiple DES, simple DES.
------------------------ CHANGING INFO ------------------------
Once virtual users have been created, you can edit their info. For instance
you can add bandwidth throttling, change quotas, add their full name, update
ratio, etc.
The "pure-pw usermod" command works just like "pure-pw useradd" except that
it modifies an existing account instead of creating a new one.
For instance, we will add a quota to Joe. Joe should be limited to 1000
files and 10 Megabytes.
pure-pw usermod joe -n 1000 -N 10
Let's have a look at /etc/pureftpd.passwd:
joe:$1$LX/3.F60$bYdYwsQOYIaWq.Ko.hfI3.:500:101::/home/ftpusers/joe/./::::::1000:10485760::::::
As you can see, the size quota is stored in bytes in the file.
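An added example, not part of the README: a small Python parser for pureftpd.passwd lines in the 18-field format given above, which also reports entries that map to uid/gid 0 or lack the trailing "/./" chroot marker. Function names are mine, and the parser tolerates extra trailing fields.

```python
# Field order of one pureftpd.passwd line, as listed in README.Virtual-Users.
FIELDS = (
    "account", "password", "uid", "gid", "gecos", "home",
    "upload_bandwidth", "download_bandwidth", "upload_ratio", "download_ratio",
    "max_connections", "files_quota", "size_quota",
    "allowed_local_ips", "denied_local_ips",
    "allowed_client_ips", "denied_client_ips", "time_restrictions",
)
# Fields the README says may not be left empty.
REQUIRED = ("account", "password", "uid", "gid", "home")

# The line shown in the README after "pure-pw usermod joe -n 1000 -N 10".
JOE_LINE = "joe:$1$LX/3.F60$bYdYwsQOYIaWq.Ko.hfI3.:500:101::/home/ftpusers/joe/./::::::1000:10485760::::::"


def parse_passwd_line(line: str) -> dict:
    """Split one pureftpd.passwd line into named fields.

    Assumes no field contains ':' (true for the IPv4/hostname lists and the
    hhmm-hhmm time field in the README). Extra trailing fields are ignored so
    that lines with a trailing empty field still parse.
    """
    parts = line.rstrip("\n").split(":")
    if len(parts) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for name in REQUIRED:
        if rec[name] == "":
            raise ValueError(f"required field {name!r} is empty")
    # A home ending in "/./" means the user is chrooted (see "pure-pw show").
    rec["chrooted"] = rec["home"].endswith("/./")
    # The file stores the size quota in bytes; pure-pw show reports megabytes.
    rec["size_quota_mb"] = int(rec["size_quota"]) // (1024 * 1024) if rec["size_quota"] else None
    return rec


def audit_record(rec: dict) -> list:
    """Return the policy findings a reviewer would want for one entry."""
    findings = []
    # Virtual users must map to a non-root system account (README: "but not root").
    if rec["uid"] == "0" or rec["gid"] == "0":
        findings.append("maps to root uid/gid")
    # Without "/./" (created with -D instead of -d) the user sees the whole filesystem.
    if not rec["chrooted"]:
        findings.append("not chrooted")
    return findings


def audit_passwd(text: str) -> dict:
    """Audit every non-empty line of a pureftpd.passwd file; returns {login: findings}."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_passwd_line(line)
        result[rec["account"]] = audit_record(rec)
    return result


if __name__ == "__main__":
    # The second line is constructed here to show a bad entry; it is not from the README.
    sample = JOE_LINE + "\n" + "bob:$1$c0nstructed$hash:0:0::/home/bob" + ":" * 12 + "\n"
    for login, findings in audit_passwd(sample).items():
        print(login, findings or ["ok"])
```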
------------------------ RESETTING ATTRIBUTES ------------------------
To disable file quotas, use pure-pw usermod <user> -n ''
To disable size quotas, use pure-pw usermod <user> -N ''
To disable ratios, use pure-pw usermod <user> -q '' -Q ''
To disable download bandwidth throttling, use pure-pw usermod <user> -t ''
To disable upload bandwidth throttling, use pure-pw usermod <user> -T ''
To disable IP filtering, use pure-pw usermod <user> <-i,-I,-r or -R> ''
To disable time restrictions, use pure-pw usermod <user> -z ''
To disable the number of concurrent sessions, use pure-pw usermod <user> -y ''
------------------------ DELETING USERS ------------------------
We won't delete Joe at this time. Joe is a fine guy :) But FYI, deleting a
user is as simple as running "pure-pw userdel", whose syntax is:
pure-pw userdel <login> [-f <passwd file>] [-m]
Deleting Joe would be:
pure-pw userdel joe
The content of his home directory is kept. Delete it by hand if you want.
------------------------ CHANGING PASSWORDS ------------------------
To change the password of a user, use "pure-pw passwd":
pure-pw passwd <login> [-f <passwd file>] [-m]
------------------------ DISPLAYING INFO ------------------------
To review info about one user, reading the /etc/pureftpd.passwd file is ok,
but it's not really human-friendly.
It's why you can use "pure-pw show", whose syntax is:
pure-pw show <login> [-f <passwd file>]
Let's try with joe:
pure-pw show joe
Login : joe
Password : $1$LX/3.F60$bYdYwsQOYIaWq.Ko.hfI3.
UID : 500 (ftpuser)
GID : 101 (ftpgroup)
Directory : /home/ftpusers/joe/./
Full name :
Download bandwidth : 0 Kb (unlimited)
Upload bandwidth : 0 Kb (unlimited)
Max files : 1000 (enabled)
Max size : 10 Mb (enabled)
Ratio : 0:0 (unlimited:unlimited)
Allowed local IPs :
Denied local IPs :
Allowed client IPs : 192.168.0.0/16
Denied client IPs : 192.168.1.1,blah.verybadhost.com
Time restrictions : 0900-1800 (enabled)
Max sim sessions : 0 (unlimited)
"/./" at the end of a home directory means that this user will be chrooted.
------------------------ COMMITTING CHANGES ------------------------
IMPORTANT:
You can add, modify and delete users with the previous commands, or by
editing /etc/pureftpd.passwd by hand. But the FTP server won't consider the
changes you make to that file, until you commit them.
Committing changes really means that a new file is created from
/etc/pureftpd.passwd (or whatever file name you choose) . That new file is a
PureDB file. It contains exactly the same info as the other file. But in
that file, accounts are sorted and indexed for faster access, even with
thousands of accounts. PureDB files are binary files, don't try to view them
or your terminal will beep like hell.
Let's create a PureDB file from /etc/pureftpd.passwd. The indexed file will
be called /etc/pureftpd.pdb (as always, choose whatever name you like):
pure-pw mkdb
this reads /etc/pureftpd.passwd and creates /etc/pureftpd.pdb by default, but
to read another file, add the pdb file, optionally followed by -f <passwd file>
For instance:
pure-pw mkdb /etc/accounts/myaccounts.pdb -f /etc/accounts/myaccounts.txt
All modifications you made to the virtual users database will be committed
atomically: all new accounts will be activated at the same time and all
deleted users won't be able to log in as soon as you'll have hit the Return
key.
There's no need to restart the pure-ftpd server to commit changes.
You can also change something to the text passwords file (add users, change
password, delete users, etc) and automatically run
"pure-pw mkdb /etc/pureftpd.pdb" afterwards. To do so, just use the -m
switch:
pure-pw passwd joe -m
This command will change Joe's password in pureftpd.passwd *and* commit the
change to /etc/pureftpd.pdb .
------------------------ ENABLING VIRTUAL USERS ------------------------
Of course, to use virtual users, you have to enable their support in the FTP
server itself. At compile-time, this is done by giving --with-puredb to
./configure (--with-everything also enables it and binary packages have it
compiled in) .
Then, add this switch to your usual pure-ftpd switches:
-l puredb:/path/to/puredb_file
If long options are enabled, you can also use --login instead of -l .
Let's run the server with automatic creation of home directories and puredb
authentication:
/usr/local/sbin/pure-ftpd -j -lpuredb:/etc/pureftpd.pdb &
Try to 'ftp localhost' and log in as joe.
------------------------ CONVERTING SYSTEM ACCOUNTS ------------------------
A neat feature: convert all system accounts into virtual FTP users.
You can convert all system (/etc/passwd) accounts to virtual FTP users, with
the "pure-pwconvert" tool.
Just run it:
pure-pwconvert >> /etc/pureftpd.passwd
If you do it as a non-privileged user, passwords won't be filled in. If you
do it as root, everything will be copied, even hashed passwords.
Copying system accounts to FTP accounts makes sense, because that way, users
can use different passwords for FTP and for Telnet access.
------------------------ ENVIRONMENT VARIABLES ------------------------
If defined, a PURE_PASSWDFILE environment variable can set the default path
to the pureftpd.passwd file. Without this variable, it defaults to
/etc/pureftpd.passwd .
If defined, a PURE_DBFILE environment variable can set the default path
to the pureftpd.pdb file. Without this variable, it defaults to
/etc/pureftpd.pdb .
http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS
------------------------ SSL/TLS SUPPORT ------------------------
Pure-FTPd has experimental support for encryption of the control and data
channels using SSL/TLS security mechanisms. Support for encrypted commands
began with version 1.0.16, and encryption of the data channel has been
implemented in version 1.0.22.
When this extra security layer is enabled, logins and passwords are no longer
sent in cleartext. Neither are other commands sent by your client nor replies
made by the server.
------------------------ COMPILATION ------------------------
To support SSL/TLS, the OpenSSL library must already be installed on your
system. This is a common requirement so your operating system probably already
ships with it.
Pure-FTPd also has to be configured with the --with-tls switch before
compilation :
./configure --with-tls ...
make install-strip
If something goes wrong, try to bring your OpenSSL library up-to-date.
If your system does not have a working randomness device like /dev/srandom,
/dev/arandom or /dev/random, please have a look at the OpenSSL FAQ in order to
properly seed the PRNG for your operating system.
------------------------ CERTIFICATES ------------------------
To use SSL/TLS, you must provide a file called /etc/ssl/private/pure-ftpd.pem
with a private key for your host and the related certificate.
The location can be changed at compile-time with the --with-certfile option
passed to ./configure.
A certificate is similar to an identity card. You fill a form with a set of
personal info, then you have some trusted third-party bash an official stamp
onto it to confirm its validity.
If you already have an SSL certificate for another service on the same host
(commonly for HTTPS), you can use it as well with Pure-FTPd and other
SSL-enabled services.
If you don't have any certificate, you have to get one. Make a Google search
for "SSL certificates" to find authorities that will sell you certificates with
valid "official" signatures.
Once you have a valid and stamped certificate, clients will usually be able
to connect to your host with no further question.
You can also avoid these third-party authorities and put your own stamp. You
will get a so called "self-signed certificate".
With a self-signed certificate, only you can tell whether the certificate is
valid or not. If bad dudes are able to take on your server (ex: man-in-the
middle attacks), clients won't notice. Also some client software will ask the
user whether he's willing to accept your certificate.
On the other hand, self-signed certificates are free and ready to serve.
To summarize : if you are an ISP, buy a certificate or lousy customers will
call your support before clicking on "accept this certificate". If you are
paranoid, if a man-in-the-middle attack would be a disaster for your business
and if you don't trust the hops between clients and servers, buy a
certificate. Or better, use ssh. In all other cases, a self-signed certificate is
probably good enough.
To create a self-signed certificate, you can use the following commands :
mkdir -p /etc/ssl/private
openssl req -x509 -nodes -newkey rsa:1024 -keyout \
/etc/ssl/private/pure-ftpd.pem \
-out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/*.pem
In this example, 1024 is the number of bits used for authentication. In some
countries, using or exporting keys whose size is more than 512 bits is
prohibited. Take care of this. There's no need to use huge keys either. A key
of 1024 bits is considered extremely secure. And to be fair, even a 512 bits
key is extremely long to brute-force with standard hardware.
Here's what the /etc/ssl/private/pure-ftpd.pem should look like :
-----BEGIN RSA PRIVATE KEY-----
(base64-encoded private key, omitted here)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(base64-encoded certificate, omitted here)
-----END CERTIFICATE-----
Note: theoretically, a client should always connect using a valid, verifiable
certificate. In the real world this is rarely the case. Most clients just use
invalid certificates. It's why Pure-FTPd doesn't require client certificates
to be valid, but if you absolutely need this feature and you know what you are
doing, define the REQUIRE_VALID_CLIENT_CERTIFICATE macro before compiling the
server.
If you changed the installation prefix when pure-ftpd was compiled, the
certificate must be in the <prefix sysconf dir>/ssl/private/pure-ftpd.pem file.
------------------------ ACCEPTING TLS SESSIONS ------------------------
Once the certificate has been installed, you need to start a TLS-enabled
pure-ftpd daemon with the -Y (or --tls=) switch. Example :
/usr/local/sbin/pure-ftpd --tls=1 &
- With "--tls=0", support for SSL/TLS is disabled. This is the default.
- With "--tls=1", clients can connect either the traditional way or through an
SSL/TLS layer. This is probably the setting you need if you want to enable
TLS without having too many angry customers.
- With "--tls=2", cleartext sessions are refused and only SSL/TLS compatible
clients are accepted.
- With "--tls=3", cleartext sessions are refused and only SSL/TLS compatible
clients are accepted. Clear data connections are also refused, so private
data connections are enforced. This is an extreme setting.
When SSL/TLS has been successfully negotiated for a connection, you'll see
something similar to this in log files :
<<
SSL/TLS: Enabled TLSv1/SSLv3 with AES256-SHA, 256 secret bits cipher
>>
A cipher using traditional algorithms with a 40 bits key is weak but
exportable to almost any country. This is the minimum size accepted by the
server, else a "Cipher too weak" error message will be logged and reported to
the client.
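Added example (not from the README): a Python check over pure-ftpd syslog lines that picks out the "SSL/TLS: Enabled ... secret bits cipher" message and flags negotiated ciphers below a policy threshold, plus "Cipher too weak" errors. The sample lines are constructed, and the "(user@host) [LEVEL]" prefix is assumed from the pure-ftpd error line quoted later on this page.

```python
import re

# Constructed sample syslog lines (not from the page). The "(user@host) [LEVEL]"
# prefix is assumed from the pure-ftpd error line quoted on this page; the
# "SSL/TLS: Enabled ..." text follows the form the README shows.
SAMPLE_LOG = """\
Jun 13 20:30:01 ftp1 pure-ftpd: (?@192.0.2.10) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with AES256-SHA, 256 secret bits cipher
Jun 13 20:31:12 ftp1 pure-ftpd: (?@192.0.2.11) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with EXP-RC4-MD5, 40 secret bits cipher
Jun 13 20:32:45 ftp1 pure-ftpd: (?@192.0.2.12) [ERROR] Cipher too weak
Jun 13 20:33:09 ftp1 pure-ftpd: (joe@192.0.2.13) [INFO] joe is now logged in
"""

LINE_RE = re.compile(r"pure-ftpd: \((?P<user>[^@)]*)@(?P<host>[^)]*)\) \[(?P<level>\w+)\] (?P<msg>.*)$")
TLS_RE = re.compile(r"SSL/TLS: Enabled (?P<proto>\S+) with (?P<cipher>\S+), (?P<bits>\d+) secret bits cipher")


def tls_events(log_text: str, min_bits: int = 128) -> list:
    """Extract TLS negotiation results and weak-cipher rejections.

    Each event is a dict with host, kind ("negotiated" or "rejected"), cipher,
    bits and weak (True when below min_bits, the policy this check enforces;
    the server itself only refuses ciphers under 40 bits).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        tls = TLS_RE.search(msg)
        if tls:
            bits = int(tls.group("bits"))
            events.append({"host": m.group("host"), "kind": "negotiated",
                           "cipher": tls.group("cipher"), "bits": bits,
                           "weak": bits < min_bits})
        elif "Cipher too weak" in msg:
            events.append({"host": m.group("host"), "kind": "rejected",
                           "cipher": None, "bits": None, "weak": True})
    return events


def weak_hosts(log_text: str, min_bits: int = 128) -> list:
    """Client hosts whose sessions fell below the cipher policy, sorted."""
    return sorted({e["host"] for e in tls_events(log_text, min_bits) if e["weak"]})


if __name__ == "__main__":
    for event in tls_events(SAMPLE_LOG):
        print(event)
    print("below policy:", weak_hosts(SAMPLE_LOG))
```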
------------------------ COMPATIBLE CLIENTS ------------------------
Pure-FTPd was reported to be fully compatible with the following clients with
the SSL/TLS encryption layer turned on :
* CoreFTP Lite (Windows)
URL: http://www.coreftp.com/
SSL/TLS perfectly works when "AUTH TLS" is enabled. CoreFTP Lite has some
neat features like IPv6 support, remote file searching, .htaccess editing,
queueing, bandwidth control, etc.
CoreFTP Lite is free both for personal and business use, but people who want
to register in order to get the enhanced (non-"lite") version and commercial
support can get a special discount for Pure-FTPd users, through this secret link :
http://www.2checkout.com/cgi-bin/ccbuyers/purchase.2c?sid=62821&product_id=9&quantity=1
* SmartFTP (Windows)
URL: http://www.smartftp.com/
An excellent client with IPv6 support, port range limitation and other
useful features (!= bloat) . And it's free for personal, educational and non-
commercial use. And it detects Pure-FTPd :)
SSL/TLS perfectly works when the "FTP over SSL (explicit)" protocol is
selected and when the data connection mode (Tools->Settings->SSL) is set to
"clear data connection" while the AUTH mode (also in Tools->Settings->SSL) is
set to "TLS".
* IglooFTP Pro (Windows, Linux)
URL: http://www.iglooftp.com/
SSL/TLS is automatically detected and works when Preferences->Security->
Encrypt is set to "Commands [if possible], Transfers [if possible]".
* FlashFXP (Windows)
URL: http://www.flashfxp.com/
SSL/TLS works. In the "Quick connect" dialog box, pick the "SSL"
tab and :
- enable Auth TLS
- disable Secure File Listing
- disable Secure File Transfers
* SDI FTP (Windows)
URL: http://www.sdisw.com/
SSL/TLS works. In the "Connection" tab, just pick "SSL Support: TLSv1".
* LFTP (Unix, MacOS X)
URL: http://lftp.yar.ru/
SSL/TLS is automatically detected and works out of the box.
* RBrowser (MacOS X)
URL: http://www.rbrowser.com/
A cute graphical client for MacOS that was reported to work by Jason Rust
and Robert Vasvari.
* Glub Tech Secure FTP Client (at least Unix, MacOS X and Windows)
URL: http://secureftp.glub.com/
SSL/TLS is automatically detected and works out of the box.
* FileZilla (Windows, OSX, Linux)
URL: http://filezilla-project.org/
SSL/TLS works. In the "Site details" dialog box, pick "FTP over TLS
(explicit encryption)" as the "Servertype".
Reported by Philip Hallstrom.
* Cyberduck (OSX)
http://cyberduck.ch/
SSL/TLS works out of the box.
And for those who want to read about it in Russian, the author lissyara described it quite well here:
http://www.lissyara.su/archive/pureftpd/
An interesting/important point from there about errors in the logs. Among the downsides: unlike proftpd,
there is no way to write logs to MySQL, recording who sent and received what, which
commands were issued and with what result... A very handy thing... Also, on errors in
the config it doesn't tell you which line the error is on; I left one sentence from
the comments uncommented, in Russian, and it wouldn't start, and complained in the logs
like this:
Jun 13 20:22:41 lissyara pure-ftpd: (?@?) [ERROR] Ошибка в конфигурации: Плохой файл конфигурации SQL: /usr/local/etc/pureftpd-mysql.conf
Jun 13 20:25:45 lissyara pure-ftpd: (?@?) [ERROR] Ошибка в конфигурации: Плохой файл конфигурации SQL: /usr/local/etc/pureftpd-mysql.conf
Good thing the configs aren't big, so it was quickly found...
It's nice that there's a tool like pure-ftpwho.
And to watch who’s doing what, the pure-ftpwho command shows a table
with currently active sessions, how much bandwidth is taken by every
user, what files they are uploading or downloading, where they are
coming from, etc.
It's nice to see in a table who, when and how much :)
© 2010 Anatoly Panchenko a.k.a. MADRAT