I needed to set up an FTPS server. After trying a couple of servers and not having any joy, I asked on #debian and was recommended ProFTPD. It's easy to configure and does all the things we need.
I used this to set up the SSL:
I used this to create the certificates I needed:
-rw-r--r-- 1 root root 1124 2009-03-11 13:49 /etc/inetd.conf
-rw-r--r-- 1 root root  953 2009-03-11 14:57 /etc/proftpd/local.conf
-rw-r--r-- 1 root root  655 2009-03-11 14:39 /etc/proftpd/server.csr
-rw-r--r-- 1 root root  963 2009-03-11 14:32 /etc/proftpd/server.key
-rwxr-xr-x 1 root root 1563 2009-03-11 14:45 /etc/proftpd/sign.sh
-rw-r--r-- 1 root root 2538 2009-03-11 14:50 /etc/ssl/ca.db.certs/01.pem
-rw-r--r-- 1 root root 2538 2009-03-11 14:52 /etc/ssl/ca.db.certs/02.pem
-rw-r--r-- 1 root root  184 2009-03-11 14:52 /etc/ssl/ca.db.index
-rw-r--r-- 1 root root   20 2009-03-11 14:52 /etc/ssl/ca.db.index.attr
-rw-r--r-- 1 root root   92 2009-03-11 14:50 /etc/ssl/ca.db.index.old
-rw-r--r-- 1 root root    3 2009-03-11 14:52 /etc/ssl/ca.db.serial
-rw-r--r-- 1 root root 1155 2009-03-11 14:38 /etc/ssl/certs/ca.crt
-rw-r--r-- 1 root root  951 2009-03-11 14:37 /etc/ssl/private/ca.key
http://tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap24sec195.html
http://www.ccl.net/cca/software/UNIX/apache/apache2.0.49-rh7.0/files/sign.sh.shtml
- I used the tldp version.
I used this to set up the chrooted environment:
http://www.proftpd.org/docs/howto/Chroot.html
- I added this line:
Include /etc/proftpd/local.conf
The local.conf file:
-rw-r--r-- 1 root root 953 2009-03-11 14:57 /etc/proftpd/local.conf
#
# Chroot everyone to their home directory
#
DefaultRoot ~
#
# Configure server for SSL only:
#
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
# Support both SSLv3 and TLSv1
TLSProtocol SSLv3 TLSv1
# Are clients required to use FTP over TLS when talking to this server?
# Require SSL/TLS on both channels.
TLSRequired on
# Server's certificate
TLSRSACertificateFile /etc/proftpd/server.crt
TLSRSACertificateKeyFile /etc/proftpd/server.key
# CA the server trusts
TLSCACertificateFile /etc/ssl/certs/ca.crt
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotiations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
TLSRenegotiate required off
#
# new
#
TLSOptions NoCertRequest
#
TLSTimeoutHandshake 60
</IfModule>
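Added example (my script, not code from the original post, the tldp sign.sh or ProFTPD): a POSIX shell script that does the certificate step above with plain openssl commands, installs the results at the post's paths, and writes a local.conf of the same shape as the one above but hardened. Two things it changes on purpose. First, the listing above shows /etc/proftpd/server.key and /etc/ssl/private/ca.key as -rw-r--r--, so any local user could read the private keys; the script creates them 0600 and keeps them that way. Second, the config above offers SSLv3 (broken since POODLE) and TLSv1.0 (deprecated), so the hardened file only allows TLSv1.2 and TLSv1.3 and pins an explicit cipher list; TLSRequired on is kept because it refuses cleartext logins instead of merely offering TLS. The work directory, the hostname ftps.example.test, the CA name, the cipher string and the PassivePorts range are assumptions; the install_certs step needs root and only runs if you call it.

```sh
#!/bin/sh
# Added example, not the original post's code nor ProFTPD's. Builds a private CA,
# a CA-signed server certificate for mod_tls, and a hardened local.conf.
# Assumptions: work directory and hostname are passed as arguments; the /etc
# paths match the post; cipher list and passive port range are illustrative.
set -eu

# Create ca.key/ca.crt and server.key/server.csr/server.crt in $1 for host $2.
# Keys are created 0600 via umask; only the certificates are made world-readable.
make_certs() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    old_umask=$(umask)
    umask 077
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 3650 \
        -subj "/CN=Private FTPS CA" -out "$dir/ca.crt"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr"
    # Modern clients match the hostname against subjectAltName, not the CN.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 825 -extfile "$dir/server.ext" \
        -out "$dir/server.crt"
    umask "$old_umask"
    chmod 644 "$dir/ca.crt" "$dir/server.crt"
}

# Prints "OK" when server.crt chains to ca.crt (what TLSCACertificateFile expects).
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" | sed 's/^.*: //'
}

# Octal mode of a file, e.g. 600 (GNU stat first, BSD stat as fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Copy into the paths the post uses, root-owned, keys 0600. Needs root.
# The post's listing shows server.key and ca.key as 0644: any local user could read them.
install_certs() {
    install -o root -g root -m 0644 "$1/ca.crt"     /etc/ssl/certs/ca.crt
    install -o root -g root -m 0600 "$1/ca.key"     /etc/ssl/private/ca.key
    install -o root -g root -m 0644 "$1/server.crt" /etc/proftpd/server.crt
    install -o root -g root -m 0600 "$1/server.key" /etc/proftpd/server.key
}

# Same shape as the post's local.conf, but: no SSLv3/TLSv1.0, an explicit cipher
# list, and a fixed passive port range so a firewall can pass the encrypted data
# channel (it cannot read PASV replies inside TLS). TLSRequired on is kept.
write_local_conf() {
    cat > "$1" <<'EOF'
#
# Chroot everyone to their home directory
#
DefaultRoot ~
#
# FTPS only, TLS 1.2 and newer (TLSv1.3 needs a build against OpenSSL 1.1.1+)
#
<IfModule mod_tls.c>
  TLSEngine on
  TLSLog /var/log/proftpd/tls.log
  TLSProtocol TLSv1.2 TLSv1.3
  TLSCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
  TLSRequired on
  TLSRSACertificateFile /etc/proftpd/server.crt
  TLSRSACertificateKeyFile /etc/proftpd/server.key
  TLSCACertificateFile /etc/ssl/certs/ca.crt
  TLSVerifyClient off
  TLSOptions NoCertRequest
  TLSTimeoutHandshake 60
</IfModule>
#
# Passive data ports to open on the firewall (range is an assumption)
#
PassivePorts 49152 49200
EOF
}

# 0 if TLSProtocol never offers SSLv3 or TLSv1 (1.0) and TLS is required on both channels.
conf_is_hardened() {
    ! grep -Eq '^[[:space:]]*TLSProtocol.*(SSLv3|TLSv1)([[:space:]]|$)' "$1" &&
        grep -Eq '^[[:space:]]*TLSRequired[[:space:]]+on' "$1"
}

# Usage: sh ftps-setup.sh /tmp/ftps-pki ftps.example.test   (both arguments are assumptions)
if [ "$#" -eq 2 ]; then
    make_certs "$1" "$2"
    write_local_conf "$1/local.conf"
    echo "chain: $(verify_chain "$1")  server.key mode: $(key_mode "$1/server.key")"
fi
```

After running it, `openssl verify` should report OK for the chain and `conf_is_hardened` should accept the generated local.conf but reject the post's `TLSProtocol SSLv3 TLSv1` line. Keep ca.key offline once the server certificate is signed; the server only needs ca.crt, server.crt and server.key.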
Client: