Differences between revisions 1 and 5 (spanning 4 versions)

Revision 1 as of 2009-03-12 22:20:44 (size 3496, editor: JohnHarrison)
Revision 5 as of 2009-03-16 03:29:43 (size 6245, editor: anonymous, comment: converted to 1.6 markup)
I needed to set up an FTPS server.

After trying a couple of servers and not having any joy I asked on #debian and was recommended to try ProFTPD.

It's easy to configure and does all the things we needed...

NOTE: FTPS is NOT the same thing as SFTP (which is part of SSH). FTPS is FTP over SSL (TLS).

I used this to set up the SSL:

I used this to create the certificates I needed:

These were the new/changed files I ended up with:

-rw-r--r-- 1 root root 1124 2009-03-11 13:49 /etc/inetd.conf
-rw-r--r-- 1 root root 1108 2009-03-12 22:30 /etc/proftpd/local.conf
-rw-r--r-- 1 root root  738 2009-03-12 22:24 /etc/proftpd/modules.conf
-rw-r--r-- 1 root root 3808 2009-03-12 22:38 /etc/proftpd/proftpd.conf
-rw-r--r-- 1 root root 2538 2009-03-12 22:30 /etc/proftpd/server.crt
-rw-r--r-- 1 root root  655 2009-03-12 22:30 /etc/proftpd/server.csr
-rw-r--r-- 1 root root  963 2009-03-12 22:30 /etc/proftpd/server.key
-rwxr-xr-x 1 root root 1563 2009-03-11 14:45 /etc/proftpd/sign.sh
-rw-r--r-- 1 root root 2538 2009-03-11 14:50 /etc/ssl/ca.db.certs/01.pem
-rw-r--r-- 1 root root 2538 2009-03-11 14:52 /etc/ssl/ca.db.certs/02.pem
-rw-r--r-- 1 root root 184  2009-03-11 14:52 /etc/ssl/ca.db.index
-rw-r--r-- 1 root root 20   2009-03-11 14:52 /etc/ssl/ca.db.index.attr
-rw-r--r-- 1 root root 92   2009-03-11 14:50 /etc/ssl/ca.db.index.old
-rw-r--r-- 1 root root 3    2009-03-11 14:52 /etc/ssl/ca.db.serial
-rw-r--r-- 1 root root 1155 2009-03-11 14:38 /etc/ssl/certs/ca.crt
-rw-r--r-- 1 root root 951  2009-03-11 14:37 /etc/ssl/private/ca.key

NB: For the purposes of testing I created my own CA with a self-signed certificate to sign the certificates as needed.

I found copies of sign.sh here:

 * http://tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap24sec195.html
 * http://www.ccl.net/cca/software/UNIX/apache/apache2.0.49-rh7.0/files/sign.sh.shtml

I used the tldp version.

I used this to set up the Chrooted environment:

 * http://www.proftpd.org/docs/howto/Chroot.html

I added this line:

Include /etc/proftpd/local.conf

to the bottom of /etc/proftpd/proftpd.conf

The local.conf file:

-rw-r--r-- 1 root root 953  2009-03-11 14:57 /etc/proftpd/local.conf

contains:

#
# Chroot everyone to their home directory
#
DefaultRoot ~
#
# Configure server for SSL only:
#
<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd/tls.log
    # Support both SSLv3 and TLSv1
    TLSProtocol SSLv3 TLSv1
    # Are clients required to use FTP over TLS when talking to this server?
    # Require SSL/TLS on both channels.
    TLSRequired on
    # Server's certificate
    TLSRSACertificateFile /etc/proftpd/server.crt
    TLSRSACertificateKeyFile /etc/proftpd/server.key
    # CA the server trusts
    TLSCACertificateFile /etc/ssl/certs/ca.crt
    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off
    # Allow SSL/TLS renegotiations when the client requests them, but
    # do not force the renegotiations.  Some clients do not support
    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    # clients will close the data connection, or there will be a timeout
    # on an idle data connection.
    TLSRenegotiate required off
    #
    # new
    #
    TLSOptions NoCertRequest
    # TLSTimeoutHandshake 60
</IfModule>
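As an added example (not part of the original page), the following checker parses a ProFTPD config in the shape of the local.conf above and reports whether the settings this setup relies on are actually in place: DefaultRoot ~ for the chroot, TLSEngine on, TLSRequired on for both channels, and a certificate/key pair configured. It also flags SSLv3 in TLSProtocol, which the page's config accepts but which has since been deprecated (RFC 7568); SAMPLE_CONF is the page's local.conf re-typed without comments as constructed test input.

```python
import re

# The page's local.conf, re-typed here (comments dropped) as constructed test input.
SAMPLE_CONF = """\
DefaultRoot ~
<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd/tls.log
    TLSProtocol SSLv3 TLSv1
    TLSRequired on
    TLSRSACertificateFile /etc/proftpd/server.crt
    TLSRSACertificateKeyFile /etc/proftpd/server.key
    TLSCACertificateFile /etc/ssl/certs/ca.crt
    TLSVerifyClient off
    TLSRenegotiate required off
    TLSOptions NoCertRequest
</IfModule>
"""

def parse_proftpd(text):
    """Map each context ('server' or an '<IfModule name>' block) to its
    directives: {context: {directive: [args]}}. '#' comments are skipped."""
    scopes, stack = {"server": {}}, ["server"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag = re.match(r"<(/?)(\w+)(?:\s+(\S+))?>$", line)
        if tag:
            closing, name, arg = tag.groups()
            if closing:
                stack.pop()                 # leave the current block
            else:
                ctx = f"{name} {arg}" if arg else name
                scopes.setdefault(ctx, {})
                stack.append(ctx)
            continue
        key, *args = line.split()
        scopes[stack[-1]][key] = args
    return scopes

def check_tls_policy(text):
    """Evaluate the requirements this setup depends on; True means the check passes."""
    conf = parse_proftpd(text)
    server, tls = conf.get("server", {}), conf.get("IfModule mod_tls.c", {})
    def flag(directive):                    # lower-cased args of a mod_tls directive
        return [a.lower() for a in tls.get(directive, [])]
    return {
        "chroot_to_home": server.get("DefaultRoot") == ["~"],
        "tls_enabled": flag("TLSEngine") == ["on"],
        # 'on' means TLS on both the control and the data channel
        "tls_required_both_channels": flag("TLSRequired") == ["on"],
        "cert_and_key_set": all(d in tls for d in
                                ("TLSRSACertificateFile", "TLSRSACertificateKeyFile")),
        # SSLv3 is still listed in the page's config; it was deprecated by RFC 7568
        "no_sslv3": "SSLv3" not in tls.get("TLSProtocol", []),
    }
```

Running check_tls_policy(SAMPLE_CONF) passes every check except no_sslv3, which is the one setting in the page's config worth revisiting on a current server.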

In the end it didn't work, and I went to #proftpd on irc.freenode.net where I found castaglia (TJ Saunders) who debugged it with me and got it working.

I found that the version that currently installs on Etch (1.3.0 stable) seems to be configured for the wrong version of SSL.

curl: (35) Unknown SSL protocol error in connection to localhost.localdomain:21


What I did to get it working...

Download the latest source:

$ wget -N ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.2.tar.gz
$ tar xvzf proftpd-1.3.2.tar.gz
$ cd proftpd-1.3.2
$ ./configure --sysconfdir=/etc/proftpd --localstatedir=/var/log --with-modules=mod_tls
$ make

I then had a copy of the latest version of proftpd with TLS support compiled in.

I found some of the 1.3.0 config was incompatible with 1.3.2 (or maybe with the configure options I'd used) so I commented out things to get it working:

These were my changes to /etc/proftpd/proftpd.conf

# diff /etc/proftpd/proftpd.conf.orig /etc/proftpd/proftpd.conf
7c7
< Include /etc/proftpd/modules.conf
---
> # Include /etc/proftpd/modules.conf
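Review bot: the commented-out Include leaves no record of why /etc/proftpd/modules.conf is dropped; the configure line above builds mod_tls in with --with-modules=mod_tls rather than loading it as a module, so a one-line comment saying the 1.3.0 package's module list no longer applies to this build would save the next reader a guess.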
10c10
< UseIPv6                               on
---
> UseIPv6                               off
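Review bot: switching UseIPv6 to off is unrelated to the TLS problem being fixed, and nothing in the configure line above shows IPv6 being disabled in the build, so either record why this changed or leave it on; as it stands it is easy to mistake for a required step of the FTPS setup.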
25c25
< DisplayFirstChdir               .message
---
> # DisplayFirstChdir               .message
68,70c68,70
< <IfModule mod_tls.c>
< TLSEngine off
< </IfModule>
---
> # <IfModule mod_tls.c>
> # TLSEngine off
> # </IfModule>
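Review bot: commenting out the `TLSEngine off` stanza rather than deleting it reads as though TLS were left unconfigured; the effective setting is the `TLSEngine on` block in /etc/proftpd/local.conf, pulled in by the Include added at the end of this file, so a comment here pointing at local.conf would make clear that TLS has moved there rather than been dropped, and would explain why the stock block has to go (two mod_tls blocks for the same server, one off and one on, are what this avoids).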
141a142,143
>
> Include /etc/proftpd/local.conf


Test it with:

# ./proftpd -nd6

Which gives you lots of debug.


And ended up with:

$ curl --ftp-ssl-reqd --insecure -u <user>:<password> -o i.got.this.file ftp://<server>/dir/test.file

One of the problems that TJ fixed for me was that I'd been trying to run it on port 990.

He got me to change it back to port 21 for Explicit FTPS rather than Implicit FTPS.

(Explicit means you can use either FTP or FTPS on the same port - Implicit tries to hard-wire it to FTPS only on that port, but that's no longer compliant with the RFC.)


Further reading:

 * http://www.proftpd.org/docs/howto/Debugging.html
 * http://www.proftpd.org/docs/howto/index.html
 * http://www.proftpd.org/docs/RELEASE_NOTES-1.3.2
 * http://www.mail-archive.com/slug@slug.org.au/msg28533.html
 * http://www.linuxjournal.com/article/7520
 * http://www.customware.net/repository/pages/viewpage.action?pageId=42238192
 * http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html
 * http://www.faqs.org/rfcs/rfc4217.html