NSLU2-Linux

Proftpd

Why proftpd

Check out http://www.proftpd.org

Warning! You could seriously screw up your slug installing this. Do it with caution and backup/image your drive first! I spent days trying to clean up the mess! --Alienz

  • Has virtual users
  • Has bandwidth limitation (only per session, not global)
  • Has SSL/TLS authentication/encryption.
  • Has control tools, like ftptop and ftpwho, letting you see all that is going on on your server.
  • Has a number of authentication methods
  • Comes with integration scripts for running with the Linksys inetd, the Inetutils inetd and xinetd (recommended) as well as standalone server setup.
  • Full man page installation.
  • Has quotas, up/down-load ratios and almost all you could want from an FTPD.
  • Supports large files (> 2GB)

How to install

Install the package: ipkg install proftpd

How to configure

The configuration options are extensive; see the Proftpd website and edit /opt/etc/proftpd.conf to suit your needs. SSL certificates belong in /opt/etc/ftpd, and the list of users who are not allowed to log in goes in /opt/etc/ftpusers.

How to activate

With xinetd

Since the proftpd package installs an xinetd configuration file, just run kill -SIGHUP `cat /var/run/xinetd.pid` to make xinetd reread its configuration files.
(Note: Didn't work for me, as "/var/log/run/xinetd.pid" was not created... ps aux | grep xinet will show you the PID to use instead of "`cat /var/run/xinetd.pid`". -Stein)
(Note2: Probably obvious [but I missed it], but xinetd needs to be installed and configured prior to installing proftpd: "ipkg install xinetd". Check the only_allow line carefully in /opt/etc/xinetd.conf to ensure it matches your network / requirements for ftp / telnet client IP address ranges, i.e. 192.168.1.0/24 will need changing if your local network uses a different IP range, and you may need external IP addresses to be able to access your box. - Rufus)

As standalone server

  1. Set up startup script: cp /opt/doc/proftpd/S58proftpd /opt/etc/init.d.
  2. Check that line 7 of /opt/etc/proftpd.conf reads: ServerType standalone. If not, change it.
  3. Run: . /opt/etc/init.d/S58proftpd

NOTE: Experience shows that there is very little to gain performance-wise from running standalone. The gain from running from xinetd depends on the amount of time proftpd is in active use (the less it is in use, the more often more RAM is available to other apps).

Troubleshooting

As standalone

  • Says unable to listen to local socket: No such file or directory on startup. This is because the directory /opt/var/proftpd was not created by the proftpd install prior to IPK version 4. Just create the directory.
  • Says warning: unable to determine IP address of '<SlugName>' on startup. This is because /etc/nsswitch.conf is missing in versions before 4.x. Fix it by running echo "hosts: files dns" > /etc/nsswitch.conf and restarting proftpd.

General

  • NOTE: The users must have a home directory in their /etc/passwd entry to log in. The directory does not have to exist if DefaultRoot is set.
  • It takes a long time (several seconds) from the initial connection to proftpd until the login prompt appears. This is solved by putting the following lines in the main section of /opt/etc/proftpd.conf (not the global or a virtual server section):
 UseReverseDNS off
 IdentLookups off

ingeba


  • Tip 1: Securing the server. The default proftpd.conf file allows anonymous users direct access to the root directory /. This is easily changed by editing the line: <Anonymous ~ftp>
Suggested change: <Anonymous /public>
Note - for Unslung version 3.x users the suggested change is:
<Anonymous /share/hdd/data/public>

  • Tip 2: Securing the server. The default /etc/passwd file contains a list of default user names; some are hidden from the web interface, but all of them can in theory be used to log in to the server (root and admin are most at risk). You can disable these names by listing them in a text file called ftpusers, saved in the folder /opt/etc/. An example ftpusers file with the current default user names is:
 
# /opt/etc/ftpusers
# Inclusion of 'root' here has limited functionality, to disable
# 'root' access use the proftpd.conf directive - RootLogin off 
root
# Including 'ftp' here will disable anonymous login
ftp
# Other default users
bin
lp
mail
nobody
ourtelnetrescueuser
guest
admin
# End of file


  • Tip 3: Missing users' home directory - a possible workaround. Proftpd currently needs a home directory in a user's /etc/passwd entry before that user can log in.
Change, for example:
someuser:hashedpw:2000:501:::/dev/null
to
someuser:hashedpw:2000:501::/share/hdd/data/someuser:/dev/null
Any manual changes to this file will not survive a reboot or changes made on some of the web configuration pages. Proftpd has a workable workaround for this: a manually maintained, dedicated passwd file used only by Proftpd; a suggested location for such a file is a disk directory such as /opt/etc/.
So...
  1. Change the relevant proftpd.conf directive located in the global section to read:
    AuthUserFile /opt/etc/passwd.proftpd
  2. Create and populate a new /opt/etc/passwd.proftpd file with a text editor, copying the users you need from the system /etc/passwd file and modifying them as required, following the passwd file conventions.
    I don't see why this is necessary. By downloading the config.bin file (using the web UI), you can save permanent (across reboot) changes to the /etc/passwd file. (This is described in more detail elsewhere, e.g., look on http://www.batbox.org/nslu2-linux.html). This worked fine for me. Am I missing something? Are there other changes (alluded to above) that blow it away?
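
A worked example for Tips 2 and 3, added here and not part of this wiki page or of Proftpd itself: a small Python script that builds the dedicated /opt/etc/passwd.proftpd file from /etc/passwd, leaving out every account named in ftpusers (and, as an extra check, any uid 0 account) and filling in a missing home directory under /share/hdd/data as Tip 3 describes. The function names, the sample passwd and ftpusers contents and the placeholder hashes are constructed for the example.

```python
# Added example for Tips 2 and 3, not part of the wiki page or of ProFTPD.
# Builds the dedicated /opt/etc/passwd.proftpd file the page suggests: copies
# /etc/passwd entries, skips every account listed in ftpusers (and any uid 0
# account), and fills in a missing home directory under a chosen base directory.
# Sample inputs below are constructed; the password hashes are placeholders.

def parse_ftpusers(text):
    """User names listed in an ftpusers file; comments and blank lines ignored."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line)
    return names


def build_proftpd_passwd(passwd_text, ftpusers_text, home_base="/share/hdd/data"):
    """Return (kept_lines, skipped): passwd entries for accounts allowed to use
    FTP, with a home directory filled in, and (user, reason) pairs left out."""
    blocked = parse_ftpusers(ftpusers_text)
    kept, skipped = [], []
    for raw in passwd_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            skipped.append((raw, "malformed entry"))
            continue
        user, pw, uid, gid, gecos, home, shell = fields
        if user in blocked:
            skipped.append((user, "listed in ftpusers"))
        elif uid == "0":                       # never expose a root-equivalent account over FTP
            skipped.append((user, "uid 0 account"))
        elif pw in ("", "*", "!"):             # locked or passwordless accounts cannot log in anyway
            skipped.append((user, "no usable password"))
        else:
            if not home:                       # Tip 3: proftpd insists on a home entry
                home = "%s/%s" % (home_base, user)
            kept.append(":".join([user, pw, uid, gid, gecos, home, shell]))
    return kept, skipped


# Constructed sample /etc/passwd (not a real slug's file)
SAMPLE_PASSWD = """\
root:HASHROOT:0:0:root:/root:/bin/sh
ftp:*:14:50:FTP User:/:/dev/null
admin:HASHADMIN:0:0:Administrator:/:/bin/sh
someuser:hashedpw:2000:501:::/dev/null
other:hashedpw2:2001:501::/share/hdd/data/other:/dev/null
"""

# Constructed sample /opt/etc/ftpusers
SAMPLE_FTPUSERS = """\
# /opt/etc/ftpusers
root
ftp
admin
"""

if __name__ == "__main__":
    lines, left_out = build_proftpd_passwd(SAMPLE_PASSWD, SAMPLE_FTPUSERS)
    print("\n".join(lines))                       # what goes into /opt/etc/passwd.proftpd
    for who, why in left_out:
        print("# skipped %s: %s" % (who, why))
```

Run it against the real files with `python3 script.py` after replacing the two sample strings with the contents of /etc/passwd and /opt/etc/ftpusers, and write the printed entries to /opt/etc/passwd.proftpd; the AuthUserFile directive from step 1 then makes Proftpd read only that file.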

  • Tip 4: Proftpd and NAT routers. Proftpd is easily configured for access through a NAT-enabled router by enabling a passive port range. The following example configures twenty passive ports for data transfer, in the range 50000 to 50019. Both passive ports and your external IP address/hostname are needed if the NAT router has no hidden FTP proxy or if the FTP control connection is encrypted (TLS/SSL), since the router cannot read an encrypted control channel.
1. Using a text editor such as vi, add the following line to the top section of the configuration file /opt/etc/proftpd.conf:
PassivePorts 50000 50019
2. (Optional) Proftpd can display a domain name during the client login process rather than just the internal IP, which is handy if you are connecting via DynDNS or a similar service. Add the following line to the top section as above:
MasqueradeAddress your.domain.name.or.ip.address.goes.here
3. In your router setup, forward port 21 and the port range 50000 to 50019 to your NSLU2 internal IP address (the NSLU2 default is 192.168.1.77).

How to configure Proftpd for SSL/TLS authentication/encryption

Note: Since SSL/TLS encrypts the control channel, NAT routers cannot read it to manage incoming TCP connection automatically. If you are behind a NAT router (usually on a 10.*.*.* or 192.168.*.* network), follow tip 4.

The following list of instructions is largely based on Enabling HTTPS for Apache. The method involves:

  1. Creating a signing script file (a shame that this is not included with the openssl installation).
  2. Creating a Certificate Authority (CA) key and root certificate
  3. Creating a server key and signed server certificate
  4. Enabling SSL/TLS encryption within proftpd

Method

Login as user root and create a home folder for use by openssl to store the signing script and to create keys and certificates in. Make the folder read/write only by user root.
mkdir /opt/etc/openssl
chmod 600 /opt/etc/openssl

Move to the new folder
cd /opt/etc/openssl

You will now need to create a signing script by copying the following script section into a new file called sign.sh using a Unix-compatible text editor. Store the script in the folder above.

sign.sh

 
#!/bin/sh
##
##  sign.sh -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
##

#   argument line handling: exactly one CSR file name is expected
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh <whatever>.csr"; exit 1
fi
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi
#   derive the certificate file name: foo.csr -> foo.crt
case $CSR in
   *.csr ) CERT="`echo "$CSR" | sed -e 's/\.csr$/.crt/'`" ;;
       * ) CERT="$CSR.crt" ;;
esac

#   make sure the CA database files that 'openssl ca' needs exist
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

#   create an own SSLeay config (the \$dir escapes keep a literal $dir in
#   the file; openssl expands it itself)
cat >ca.config <<EOT
[ ca ]
default_ca              = CA_own
[ CA_own ]
dir                     = .
certs                   = \$dir
new_certs_dir           = \$dir/ca.db.certs
database                = \$dir/ca.db.index
serial                  = \$dir/ca.db.serial
RANDFILE                = \$dir/ca.db.rand
certificate             = \$dir/ca.crt
private_key             = \$dir/ca.key
unique_subject          = no
# default certificate expiry set to 5 years but can be changed
default_days            = 1825
default_crl_days        = 30
# signature digest: the original script used md5, which current OpenSSL
# releases refuse to verify; sha256 is accepted everywhere
default_md              = sha256
preserve                = no
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOT

#  sign the certificate with the CA key, then check that it chains to ca.crt
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out "$CERT" -infiles "$CSR"
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt "$CERT"

#  cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

#  die gracefully
exit 0

Make sign.sh owned by root and executable
chown root:root /opt/etc/openssl/sign.sh
chmod 700 /opt/etc/openssl/sign.sh

Creating the Keys and Certificates

1. Create a new root key for your own Certificate Authority (CA)
openssl genrsa -des3 -out ca.key 1024

If you want to remove the passphrase from the root key, use:
mv ca.key ca.key.orig
openssl rsa -in ca.key.orig -out ca.key

2. Generate a self signed root certificate (expiry set to 5 years but can be changed) and copy the root certificate to folder /opt/etc/ftpd/
openssl req -new -x509 -days 1825 -key ca.key -out ca.crt
cp /opt/etc/openssl/ca.crt /opt/etc/ftpd/

3. Create the server key
openssl genrsa -des3 -out server.key 1024

If you want to remove the passphrase from the server key (there is no real need for a password here, so you will probably want to remove it), use:
mv server.key server.key.orig
openssl rsa -in server.key.orig -out server.key

Copy the server key to folder /opt/etc/ftpd/
cp /opt/etc/openssl/server.key /opt/etc/ftpd/

4. Prepare a certificate signing request (CSR).
Important - when asked for a Common Name - enter localhost
openssl req -new -key server.key -out server.csr

5. Sign your server key using the previously saved script file
./sign.sh server.csr

6. Copy the server certificate to folder /opt/etc/ftpd/
cp /opt/etc/openssl/server.crt /opt/etc/ftpd/
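
The six steps above, run non-interactively as an added example (this is not the wiki's script, nor anything shipped with Proftpd or OpenSSL). It assumes only the openssl command-line tool; the directory names default to temporary ones (pass /opt/etc/openssl and /opt/etc/ftpd on a real slug), the subject names are made up, and, as deliberate departures from the commands above, it uses 2048-bit keys and SHA-256 rather than 1024-bit keys and MD5, and signs with openssl x509 -req instead of sign.sh's openssl ca database. The Common Name check at the end confirms the 'localhost' requirement from step 4.

```python
import os
import shutil
import subprocess
import tempfile

# Added example, not the wiki's or ProFTPD's own code: the six steps above
# (CA key, self-signed root, server key, CSR with Common Name "localhost",
# signing, copying into the ftpd folder) run non-interactively from Python.
# Deliberate departures from the page: 2048-bit keys and SHA-256 instead of
# 1024-bit keys and MD5, no passphrases (the page removes them anyway), and
# "openssl x509 -req" in place of sign.sh's "openssl ca" database.

# Minimal req config so that -subj works even without a system openssl.cnf
MIN_REQ_CNF = "[req]\ndistinguished_name = req_dn\n[req_dn]\n"


def openssl_available():
    """True if the openssl command-line tool is on PATH."""
    return shutil.which("openssl") is not None


def _run(args, cwd):
    subprocess.run(args, cwd=cwd, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def build_pki(workdir=None, ftpd_dir=None, days=1825):
    """Create CA and server key/cert; return a dict of the copied paths, or
    None when openssl is not installed. Directories default to temp ones."""
    if not openssl_available():
        return None
    workdir = workdir or tempfile.mkdtemp(prefix="openssl-")   # page: /opt/etc/openssl
    ftpd_dir = ftpd_dir or os.path.join(workdir, "ftpd")       # page: /opt/etc/ftpd
    os.makedirs(ftpd_dir, exist_ok=True)
    os.chmod(workdir, 0o700)                       # keys readable by root only
    with open(os.path.join(workdir, "req.cnf"), "w") as f:
        f.write(MIN_REQ_CNF)

    # Steps 1 and 2: CA key and self-signed root certificate (5 years, as on the page)
    _run(["openssl", "genrsa", "-out", "ca.key", "2048"], workdir)
    _run(["openssl", "req", "-config", "req.cnf", "-new", "-x509", "-sha256",
          "-days", str(days), "-key", "ca.key", "-out", "ca.crt",
          "-subj", "/CN=NSLU2 example CA"], workdir)   # constructed CA name

    # Steps 3 and 4: server key and CSR; the page says the CN must be localhost
    _run(["openssl", "genrsa", "-out", "server.key", "2048"], workdir)
    _run(["openssl", "req", "-config", "req.cnf", "-new", "-key", "server.key",
          "-out", "server.csr", "-subj", "/CN=localhost"], workdir)

    # Step 5: sign the CSR with the CA (simplified stand-in for ./sign.sh)
    _run(["openssl", "x509", "-req", "-sha256", "-days", str(days),
          "-in", "server.csr", "-CA", "ca.crt", "-CAkey", "ca.key",
          "-CAcreateserial", "-out", "server.crt"], workdir)

    # Step 6 (plus the copies from steps 2 and 3): put the files where the
    # TLS*File directives in proftpd.conf expect them
    paths = {}
    for name in ("ca.crt", "server.key", "server.crt"):
        dst = os.path.join(ftpd_dir, name)
        shutil.copyfile(os.path.join(workdir, name), dst)
        paths[name] = dst
    os.chmod(paths["server.key"], 0o600)
    return paths


def verify_chain(paths):
    """The check sign.sh ends with: does server.crt chain to ca.crt?"""
    res = subprocess.run(["openssl", "verify", "-CAfile", paths["ca.crt"],
                          paths["server.crt"]], capture_output=True, text=True)
    return res.returncode == 0


def cert_common_name(cert_path):
    """Subject CN of a certificate, to confirm the 'localhost' requirement."""
    res = subprocess.run(["openssl", "x509", "-noout", "-subject", "-nameopt",
                          "RFC2253", "-in", cert_path],
                         capture_output=True, text=True, check=True)
    subject = res.stdout.strip().split("=", 1)[1]     # e.g. "CN=localhost"
    for part in subject.split(","):
        key, _, value = part.partition("=")
        if key.strip() == "CN":
            return value.strip()
    return None


if __name__ == "__main__":
    p = build_pki()
    if p is None:
        print("openssl not found on PATH")
    else:
        print("chain ok:", verify_chain(p), "CN:", cert_common_name(p["server.crt"]))
```

Because the script never prompts, it can be re-run to reissue the server certificate before the five years are up; the private keys stay in the work directory, which is created mode 700, and only the three files Proftpd needs are copied out.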

Modify proftpd.conf

Using a Linux-compatible text editor, insert the following section into the proftpd configuration file /opt/etc/proftpd.conf by pasting it at the end of the file.

 
<IfModule mod_tls.c>
	TLSEngine on
	TLSLog /opt/var/proftpd/tls.log
# Set the TLSProtocol to one of the following
# SSLv23 - Use SSL3 for ctrl and TLS1 for data channels (works with most clients)
# SSLv3  - Use only SSL3
# TLSv1  - Use only TLS1
	TLSProtocol SSLv23

# Clients are required to use FTP over SSL/TLS when talking to this server
# off  - clients can connect using insecure FTP or secure FTP/SSL
# ctrl - encrypt only the ctrl channel using FTP/SSL
# data - encrypt only the data channel using FTP/SSL (not recommended)
# on   - encrypt both the ctrl and data channels using FTP/SSL
	TLSRequired ctrl

# Server's certificate
	TLSRSACertificateFile /opt/etc/ftpd/server.crt
	TLSRSACertificateKeyFile /opt/etc/ftpd/server.key

# CA the server trusts
	TLSCACertificateFile /opt/etc/ftpd/ca.crt

# Authenticate clients that want to use FTP over SSL/TLS
# off - client SSL certificates are not required
# on  - client SSL certificates are required
	TLSVerifyClient off
</IfModule>

Change the TLSRequired and TLSVerifyClient configuration settings above as required.

Note that all use of SSLv2 is disabled by default with ProFTPD.

RobHam - modified Feb 2007
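
As an added example (not from this page, from RobHam, or from the Proftpd project): a Python audit of a proftpd.conf that checks the settings discussed on this page, the <Anonymous> root from Tip 1, RootLogin from Tip 2, PassivePorts from Tip 4, the mod_tls directives from the block above, plus DefaultRoot and the two slow-login directives from the troubleshooting section. The two sample configurations, the severity labels and the finding keys are constructed for the example; the directive names and values are the ones this page uses, with TLSv1.2 as the modern TLSProtocol value.

```python
import re

# Added example, not code from the wiki page or from ProFTPD: audits a
# proftpd.conf against the points this page raises (Tip 1 Anonymous root,
# Tip 2 RootLogin, Tip 4 PassivePorts, the mod_tls block, DefaultRoot and
# the slow-login directives). Severity labels and finding keys are this
# example's own; the directive names are the ones this page uses.

SECTION_OPEN = re.compile(r"^<(\w+)(?:\s+(.+?))?>$")
SECTION_CLOSE = re.compile(r"^</\w+>$")


def parse_conf(text):
    """Return [(directive, args, section_path)]; a section opening is recorded
    as directive '<Name>' with the section argument as its only arg."""
    entries, stack = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        m = SECTION_OPEN.match(line)
        if m:
            entries.append(("<%s>" % m.group(1), [(m.group(2) or "").strip()], tuple(stack)))
            stack.append(m.group(1))
        elif SECTION_CLOSE.match(line):
            stack.pop()
        else:
            parts = line.split()
            entries.append((parts[0], parts[1:], tuple(stack)))
    return entries


def audit(text):
    """Return (level, key, message) findings for the given proftpd.conf text."""
    entries = parse_conf(text)

    def args_of(name):                                # directive names are case-insensitive
        return [a for d, a, _ in entries if d.lower() == name.lower()]

    def first(name, default=None):                    # first arg of the first occurrence
        vals = args_of(name)
        return vals[0][0].lower() if vals and vals[0] else default

    f = []
    for (root,) in args_of("<Anonymous>"):           # Tip 1: ~ftp is / on the slug
        if root in ("/", "~ftp"):
            f.append(("WARN", "anon-root", "<Anonymous %s> exposes the whole filesystem; use a public directory" % root))
    if first("TLSEngine") != "on":
        f.append(("WARN", "tls-engine", "TLSEngine is not on; passwords travel in clear text"))
    else:
        req = first("TLSRequired", "off")
        if req == "off":
            f.append(("WARN", "tls-required", "TLSRequired off lets clients skip TLS entirely"))
        elif req == "data":
            f.append(("WARN", "tls-required", "TLSRequired data leaves the control channel and the password unencrypted"))
        elif req == "ctrl":
            f.append(("INFO", "tls-required", "TLSRequired ctrl protects the password but not file contents"))
        protos = [p for a in args_of("TLSProtocol") for p in a]
        if any(p.upper().startswith("SSLV") for p in protos):
            f.append(("WARN", "tls-protocol", "TLSProtocol %s allows SSLv3; prefer TLSv1.2 or newer" % " ".join(protos)))
    root_login = first("RootLogin")
    if root_login == "on":
        f.append(("WARN", "root-login", "RootLogin on allows root to log in over FTP"))
    elif root_login is None:                          # Tip 2: an ftpusers entry alone is not enough
        f.append(("INFO", "root-login", "RootLogin not set; add 'RootLogin off'"))
    if not args_of("PassivePorts"):                   # Tip 4
        f.append(("INFO", "passive-ports", "no PassivePorts range; data connections fail through a NAT router"))
    if not args_of("DefaultRoot"):
        f.append(("INFO", "default-root", "no DefaultRoot; users are not confined to their home directory"))
    for name in ("UseReverseDNS", "IdentLookups"):   # troubleshooting: slow login prompt
        if first(name, "on") != "off":
            f.append(("INFO", "slow-login", "%s is not off; the login prompt may take seconds to appear" % name))
    return f


# Constructed sample: the page's default Anonymous line plus its mod_tls settings.
PAGE_STYLE_CONF = """\
UseReverseDNS off
IdentLookups off
PassivePorts 50000 50019
<Anonymous ~ftp>
</Anonymous>
<IfModule mod_tls.c>
  TLSEngine on
  TLSProtocol SSLv23
  TLSRequired ctrl
</IfModule>
"""

# Constructed hardened variant: public anonymous area, chroot, root locked out, TLS on both channels.
HARDENED_CONF = """\
UseReverseDNS off
IdentLookups off
DefaultRoot ~
RootLogin off
PassivePorts 50000 50019
<Anonymous /share/hdd/data/public>
</Anonymous>
<IfModule mod_tls.c>
  TLSEngine on
  TLSProtocol TLSv1.2
  TLSRequired on
</IfModule>
"""

if __name__ == "__main__":
    print(*audit(PAGE_STYLE_CONF), sep="\n")       # the hardened variant yields no findings
```

To audit the real file, call `audit(open("/opt/etc/proftpd.conf").read())`; the page-style sample produces WARN findings for the Anonymous root and SSLv23 and INFO findings for TLSRequired ctrl, the unset RootLogin and the missing DefaultRoot, while the hardened sample produces none.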


Fix Received message too long Errors

After making my proftpd require TLS and trying to connect to it using sftp I kept getting the following error:

Received message too long 458961211

The reason that this happens is because my .bashrc displays information when I log on (because I installed bash and followed the bash tutorial to get a bunch of system stats when I log on). sftp is not expecting this information and dies with the above error message. To get rid of this message you have to add the following to your .bashrc:

 
if [[ -n $PS1 ]]; then
  #.bashrc stuff that outputs text to the terminal
fi

This lets you keep your text output when you log on, which I like, but still allows sftp login.

-Mark

I also found useful information on the following website: http://gentoo-wiki.com/HOWTO_ProFTPD

Last edited by Robert.
Based on work by fcarolo, pedxing, abe, Alienz, RobHam, marco, Rufus, Stein, AlanLiu, ingeba, Mark, and bobtm.
Originally by bobtm.
Page last modified on July 27, 2007, at 10:38 PM