NSLU2-Linux

Optware.Proftpd History


July 27, 2007, at 10:38 PM by Robert -- Managed Hosting, Colocation and Data Center Services by victoryushchenkonashpresudent ...
July 20, 2007, at 07:30 PM by fcarolo -- removed false wikilinks
Changed line 37 from:
  1. Check line 7 in /opt/etc/proftpd.conf if it reads: ServerType? standalone. If not, change this.
to:
  1. Check line 7 in /opt/etc/proftpd.conf if it reads: ServerType standalone. If not, change this.
Changed lines 111-112 from:
I don't see why this is necessary. By downloading the config.bin? file (using the web UI), you can save permanent (across reboot) changes to the /etc/passwd file. (This is described in more detail elsewhere, e.g., look on http://www.batbox.org/nslu2-linux.html). This worked fine for me. Am I missing something? Are there other changes (alluded to above) that blow it away?
to:
I don't see why this is necessary. By downloading the config.bin file (using the web UI), you can save permanent (across reboot) changes to the /etc/passwd file. (This is described in more detail elsewhere, e.g., look on http://www.batbox.org/nslu2-linux.html). This worked fine for me. Am I missing something? Are there other changes (alluded to above) that blow it away?
July 16, 2007, at 09:08 PM by pedxing --
Changed lines 111-112 from:
I don't see why this is necessary. By downloading the config.bin file (using the web UI), you can save permanent (across reboot) changes to the /etc/passwd file. (This is described in more detail elsewhere, e.g., look on http://www.batbox.org/nslu2-linux.html). This worked fine for me. Am I missing something? Are there other changes (alluded to above) that blow it away?
to:
I don't see why this is necessary. By downloading the config.bin? file (using the web UI), you can save permanent (across reboot) changes to the /etc/passwd file. (This is described in more detail elsewhere, e.g., look on http://www.batbox.org/nslu2-linux.html). This worked fine for me. Am I missing something? Are there other changes (alluded to above) that blow it away?
May 17, 2007, at 07:12 PM by abe --
Changed line 37 from:
  1. The default config is for use with xinetd. To use the standalone server, change line 7 in /opt/etc/proftpd.conf into ServerType? standalone.
to:
  1. Check line 7 in /opt/etc/proftpd.conf if it reads: ServerType? standalone. If not, change this.
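Review bot: pointing the reader at "line 7" of /opt/etc/proftpd.conf is fragile, since the line number moves as soon as anything is inserted above it (this very revision series shifts the surrounding lines several times); suggest telling the reader to search for the ServerType directive by name and make sure it reads "ServerType standalone" rather than "ServerType inetd".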
May 17, 2007, at 07:10 PM by abe --
Changed lines 36-37 from:
  1. Set up startup script: cp /opt/doc/proftpd/S58proftpd /opt/etc/init.d. NB: The default config is for use with xinetd. To use the standalone server, change line 7 in /opt/etc/proftpd.conf into ServerType? standalone.
to:
  1. Set up startup script: cp /opt/doc/proftpd/S58proftpd /opt/etc/init.d.
  2. The default config is for use with xinetd. To use the standalone server, change line 7 in /opt/etc/proftpd.conf into ServerType? standalone.
May 17, 2007, at 07:10 PM by abe --
Changed lines 36-38 from:
  1. Set up startup script: cp /opt/doc/proftpd/S58proftpd /opt/etc/init.d

NB: The default config is for use with xinetd. To use the standalone server, change line 7 in /opt/etc/proftpd.conf into ServerType? standalone.

to:
  1. Set up startup script: cp /opt/doc/proftpd/S58proftpd /opt/etc/init.d. NB: The default config is for use with xinetd. To use the standalone server, change line 7 in /opt/etc/proftpd.conf into ServerType? standalone.
May 17, 2007, at 07:09 PM by abe --
Deleted line 36:
Added line 38:
May 17, 2007, at 07:08 PM by abe --
Added lines 37-38:

NB: The default config is for use with xinetd. To use the standalone server, change line 7 in /opt/etc/proftpd.conf into ServerType? standalone.

April 14, 2007, at 01:50 AM by Alienz -- warning at top
Added lines 7-8:

Warning! You could seriously screw up your slug installing this. Do it with caution and backup/image your drive first! I spent days trying to clean up the mess! --Alienz

February 25, 2007, at 10:02 PM by RobHam -- SSL/TLS script changed - ref. recent news group postings
Changed lines 287-290 from:
  1. off = clients can connect using insecure FTP or secure FTP/SSL
  2. ctrl = encrypt only the ctrl channel using FTP/SSL
  3. data = encrypt only the data channel using FTP/SSL (not recommended)
  4. on = encrypt both the ctrl and data channels using FTP/SSL
to:
  1. off - clients can connect using insecure FTP or secure FTP/SSL
  2. ctrl - encrypt only the ctrl channel using FTP/SSL
  3. data - encrypt only the data channel using FTP/SSL (not recommended)
  4. on - encrypt both the ctrl and data channels using FTP/SSL
Changed lines 301-302 from:
  1. off = client SSL certificates are not requried
  2. on = client SSL certificates are required
to:
  1. off - client SSL certificates are not requried
  2. on - client SSL certificates are required
February 25, 2007, at 10:00 PM by RobHam -- SSL/TLS script changed - ref. recent news group postings
Changed line 281 from:
  1. SSLv23? - Use SSL3? for ctrl and TLS1? for data ports (works with most clients)
to:
  1. SSLv23? - Use SSL3? for ctrl and TLS1? for data channels (works with most clients)
Changed line 286 from:
  1. Clients are required to use FTP over TLS when talking to this server
to:
  1. Clients are required to use FTP over SSL/TLS when talking to this server
Changed lines 288-290 from:
  1. ctrl = encrypt only the ctrl port using FTP/SSL
  2. data = encrypt only the data port using FTP/SSL (not recommended)
  3. on = encrypt both the ctrl and data ports using FTP/SSL
to:
  1. ctrl = encrypt only the ctrl channel using FTP/SSL
  2. data = encrypt only the data channel using FTP/SSL (not recommended)
  3. on = encrypt both the ctrl and data channels using FTP/SSL
February 25, 2007, at 09:37 PM by RobHam -- SSL/TLS script changed - ref. recent news group postings
Changed lines 272-273 from:

Using a Unix compatable text editor insert the following script section into the proftpd configuration file /opt/etc/proftpd.conf, just paste it to the end of the file.

to:

Using a Linux compatable text editor insert the following script section into the proftpd configuration file /opt/etc/proftpd.conf, just paste it to the end of the file.

Added lines 280-283:
  1. Set the TLSProtocol? to one of the following
  2. SSLv23? - Use SSL3? for ctrl and TLS1? for data ports (works with most clients)
  3. SSLv3? - Use only SSL3?
  4. TLSv1? - Use only TLS1?
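Review bot: the comment "SSLv23? - Use SSL3? for ctrl and TLS1? for data ports" describes SSLv23 as a fixed split by channel, while the summary list removed further down in this same revision described the same setting as "allow both SSLv3 and TLSv1"; the two should agree, and the second reading is the right one, since SSLv23 lets each connection negotiate whichever of the two protocols the client offers. Suggest rewording the comment to "SSLv23 - accept SSLv3 or TLSv1, whichever the client negotiates (works with most clients)" and noting that TLSv1 is the preferred setting when the client supports it.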
Changed lines 287-290 from:
  1. off = clients can connect using insecure FTP or secure FTP/SSL
  2. on = clients can only connect using secure FTP/SSL
	TLSRequired? off
to:
  1. off = clients can connect using insecure FTP or secure FTP/SSL
  2. ctrl = encrypt only the ctrl port using FTP/SSL
  3. data = encrypt only the data port using FTP/SSL (not recommended)
  4. on = encrypt both the ctrl and data ports using FTP/SSL
	TLSRequired? ctrl
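Review bot: changing the shipped value to "TLSRequired ctrl" protects the login exchange but, exactly as the comment says, leaves the data channel unencrypted, so directory listings and file contents still travel in the clear; the comment should state that "on" is the recommended value where clients support it and that "ctrl" is a compatibility fallback. It is also worth saying next to "off = clients can connect using insecure FTP" that this setting still accepts plaintext passwords, so all the certificate work above buys nothing until the value is raised.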
Changed line 300 from:
  1. Authenticate clients that want to use FTP over TLS
to:
  1. Authenticate clients that want to use FTP over SSL/TLS
Changed lines 310-321 from:

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This is needed to be compatable with the current version of the OpenSSL package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line the control port traffic will be encrypted using SSLv3 and the data port traffic using TLSv1.

The three possible TLSprotocol settings are :-

  • SSLv23 - allow both SSLv3 and TLSv1
  • SSLv3 - allow only SSLv3
  • TLSv1 - allow only TLSv1

All use of SSLv2 is disabled.

RobHam

to:

Note that all use of SSLv2 is disabled by default with ProFTPD.

RobHam - modified Feb 2007

December 11, 2006, at 06:33 PM by RobHam -- Expanded the note regarding [=SSL3=] and [=TLS1=], TLS script modified
Changed lines 304-307 from:

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This change is needed because support for SSLv3 was introduced into the current version of the OpenSSL package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line TLSProtocol SSLv23 the config port traffic will be encrypted using SSLv3 and the data port traffic using TLSv1.

The three possible protocol settings are :-

to:

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This is needed to be compatable with the current version of the OpenSSL package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line the control port traffic will be encrypted using SSLv3 and the data port traffic using TLSv1.

The three possible TLSprotocol settings are :-

December 11, 2006, at 11:31 AM by RobHam -- Expanded the note regarding [=SSL3=] and [=TLS1=], TLS script modified
Changed lines 304-305 from:

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This change is needed because support for SSLv3? was introduced into the current version of the OpenSSL package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line TLSProtocol SSLv23 the config port traffic will be encrypted using SSLv3 and the data port traffic using TLSv1.

to:

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This change is needed because support for SSLv3 was introduced into the current version of the OpenSSL package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line TLSProtocol SSLv23 the config port traffic will be encrypted using SSLv3 and the data port traffic using TLSv1.

Changed lines 308-313 from:

All use of SSLv2? is disabled.

to:
  • SSLv23 - allow both SSLv3 and TLSv1
  • SSLv3 - allow only SSLv3
  • TLSv1 - allow only TLSv1

All use of SSLv2 is disabled.

December 11, 2006, at 11:26 AM by RobHam -- Expanded the note regarding [=SSL3=] and [=TLS1=], TLS script modified
Changed lines 304-305 from:

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This change is needed because support for SSL ver 3 was introduced into the current version of the OpenSSL package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line TLSProtocol SSLv23 the config port traffic will be encrypted using SSL3 (SSL2 with some older clients) and the data port traffic using TLS1.

to:

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This change is needed because support for SSLv3? was introduced into the current version of the OpenSSL package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line TLSProtocol SSLv23 the config port traffic will be encrypted using SSLv3 and the data port traffic using TLSv1.

The three possible protocol settings are :-

All use of SSLv2? is disabled.

December 11, 2006, at 10:30 AM by RobHam -- Expanded the note regarding [=SSL3=] and [=TLS1=], TLS script modified
Changed lines 304-305 from:

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This change is needed because support for SSL ver 3 was introduced into the current version of the OpenSSL package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line TLSProtocol SSLv23) the config port traffic will be encrypted using SSL3 (and perhaps SSL2 with some older clients) and the data port traffic using TLS1.

to:

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This change is needed because support for SSL ver 3 was introduced into the current version of the OpenSSL package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line TLSProtocol SSLv23 the config port traffic will be encrypted using SSL3 (SSL2 with some older clients) and the data port traffic using TLS1.

Changed lines 312-313 from:

After making my proftpd require TLS and trying to connect to it using sftp (thanks for the tutorial RobHam) I kept getting the following error:

to:

After making my proftpd require TLS and trying to connect to it using sftp I kept getting the following error:

December 11, 2006, at 10:27 AM by RobHam -- Expanded the note regarding [=SSL3=] and [=TLS1=], TLS script modified
Changed lines 304-305 from:

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This change is needed because support for SSL ver 3 was introduced into the current version of the OpenSSL? package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line TLSProtocol SSLv23) the config port traffic will be encrypted using SSL3? (and perhaps SSL2? with some older clients) and the data port traffic using TLS1?.

to:

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This change is needed because support for SSL ver 3 was introduced into the current version of the OpenSSL package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line TLSProtocol SSLv23) the config port traffic will be encrypted using SSL3 (and perhaps SSL2 with some older clients) and the data port traffic using TLS1.

December 11, 2006, at 10:19 AM by RobHam -- Expanded the note regarding SSL3 and TLS1, TLS script modified.
Changed lines 280-281 from:
to:
Changed lines 304-305 from:

Note that some FTP clients that claim to support SSL seem to have problems connecting when server side SSL/TLS is enabled. If you experience problems where connections are rejected then a work around that works in most cases is to change the relevant line above to TLSProtocol SSLv23

to:

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This change is needed because support for SSL ver 3 was introduced into the current version of the OpenSSL? package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line TLSProtocol SSLv23) the config port traffic will be encrypted using SSL3? (and perhaps SSL2? with some older clients) and the data port traffic using TLS1?.

December 06, 2006, at 06:59 PM by RobHam -- Note added regarding using the config line TLSProtocol SSLv23
Changed lines 304-305 from:

Note that some FTP clients that claim to support SSL do not fully support the TLS version 1 protocol. If you experience problems where connections are rejected then a workaround that works in most cases is to change the relevant line above to TLSProtocol SSLv23

to:

Note that some FTP clients that claim to support SSL seem to have problems connecting when server side SSL/TLS is enabled. If you experience problems where connections are rejected then a work around that works in most cases is to change the relevant line above to TLSProtocol SSLv23

December 06, 2006, at 05:47 PM by RobHam -- Note added regarding using the config line TLSProtocol SSLv23
Added lines 304-305:

Note that some FTP clients that claim to support SSL do not fully support the TLS version 1 protocol. If you experience problems where connections are rejected then a workaround that works in most cases is to change the relevant line above to TLSProtocol SSLv23

April 20, 2006, at 04:28 PM by marco --
Changed lines 327-329 from:

-Mark

to:

-Mark

I also find use full information on th following website http://gentoo-wiki.com/HOWTO_ProFTPD

January 06, 2006, at 03:34 AM by Rufus -- tip on installing xinetd - doh
Changed lines 30-31 from:
to:


(Note2: Probably obvious [but I missed it] but xinetd needs to be installed and configured prior to installing proftpd. "ipkg install xinetd" Check the only_allow line carefully in the /opt/etc/xinetd.conf to ensure it matches your network / requirements for ftp / telnet client ip address ranges i.e. 192.168.1.0/24 will need changing if your local network uses a different IP range, and you may need external ip addresses to be able to access your box. - Rufus)
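Review bot: xinetd's access-control directive is "only_from", not "only_allow", so a reader searching /opt/etc/xinetd.conf for the name given here will not find it. Also, widening that range to external addresses, as the note suggests, applies to every service that inherits the defaults section, telnet included, not just ftp; suggest adding an "only_from" line to the proftpd service entry alone and leaving the global LAN restriction in place.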

September 27, 2005, at 10:21 AM by Stein -- ps aux |grep xinet will show you the PID
Changed lines 29-30 from:
to:


(Note: Didn't work for me as the "/var/log/run/xinetd.pid" was not created... ps aux |grep xinet will show you the PID to use instead of "`cat /var/run/xinetd.pid`" -Stein)
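Review bot: the note quotes two different pidfile paths, "/var/log/run/xinetd.pid" and "/var/run/xinetd.pid"; the first looks like a typo and should be checked before it sends readers to the wrong place. The suggested "ps aux |grep xinet" also lists the grep command itself as a match, so the reader must pick the xinetd line by hand; "ps aux | grep '[x]inetd'" avoids the self-match.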

September 15, 2005, at 04:56 AM by AlanLiu --
Added lines 106-107:
I don't see why this is necessary. By downloading the config.bin file (using the web UI), you can save permanent (across reboot) changes to the /etc/passwd file. (This is described in more detail elsewhere, e.g., look on http://www.batbox.org/nslu2-linux.html). This worked fine for me. Am I missing something? Are there other changes (alluded to above) that blow it away?
September 01, 2005, at 03:41 PM by ingeba -- Info on configuring encrypted sessions
Changed lines 47-48 from:

Bob_tm

to:
Added lines 56-57:

ingeba

Changed lines 108-109 from:
  • Tip 4: Proftpd and NAT routers. Proftpd is easily configured for access across a NAT enabled router by enabling a Passive port range. The following example will configure twenty Passive ports for data transfer in the range 50000 to 50019.
to:
  • Tip 4: Proftpd and NAT routers. Proftpd is easily configured for access across a NAT enabled router by enabling a Passive port range. The following example will configure twenty Passive ports for data transfer in the range 50000 to 50019. Both passive ports and your external IP-address/hostname are needed if there is no hidden FTP proxy in the NAT router or the FTP control connection is encrypted (TLS/SSL).
Changed lines 116-117 from:
MasqueradeAddress your.domain.name.goes.here.com
to:
MasqueradeAddress your.domain.name.or.ip.address.goes.here
August 30, 2005, at 10:45 AM by ingeba -- Info on spped improvements and standalone
Added lines 35-36:

NOTE: Experience shows that there is very little to gain performance-wise from running standalone. The gain from running from xinetd depends on the amount of time proftpd is in active use (the less it is in use, the more often more RAM is available to other apps).

Added lines 49-56:
  • It takes a long time from the initial connection to proftpd is made until the login prompt appears (several seconds). This is solved by putting the following lines in the main section of /opt/etc/proftpd.conf (not global or a virtual server section):

(:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 UseReverseDNS off
 IdentLookups off

(:tableend:)

August 07, 2005, at 09:37 PM by ingeba -- Added info about large files
Changed lines 15-16 from:
to:
  • Supports large files (> 2GB)
August 07, 2005, at 05:47 AM by Mark -- minor formatting change
Added lines 292-293:

Fix Received message too long Errors

Changed lines 295-296 from:

Received message too long 458961211

to:

Received message too long 458961211

August 07, 2005, at 02:30 AM by Mark -- added sftp & bash fix info
Added lines 290-308:

After making my proftpd require TLS and trying to connect to it using sftp (thanks for the tutorial RobHam) I kept getting the following error: Received message too long 458961211

The reason that this happens is because my .bashrc displays information when I log on (because I installed bash and followed the bash tutorial to get a bunch of system stats when I log on). sftp is not expecting this information and dies with the above error message. To get rid of this message if you have to add the following to your .bashrc:

(:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 
if [[ -n $PS1 ]]; then
  #.bashrc stuff that outputs text to the terminal
fi

(:tableend:)

This lets you keep your text output when you log on, which I like, but still allows sftp login.

-Mark
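Review bot: sftp is the SSH file-transfer subsystem and never talks to proftpd, so the "Received message too long 458961211" error is unrelated to the TLS configuration this section was just made to require; the fix itself is right for the actual cause (.bashrc writing to stdout on a non-interactive SSH session, which corrupts the sftp protocol stream), but the text should say that this is an SSH/bash issue so readers do not go looking for a proftpd fault.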

May 23, 2005, at 04:44 PM by RobHam -- Tip 1 amended to reflect better unslung ver 3.x and 4.x
Changed lines 48-49 from:
  • Tip 1: Securing the server. The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line : <Anonymous ~ftp>. Suggest changing to : <Anonymous /share/hdd/data/public>.
to:
  • Tip 1: Securing the server. The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line : <Anonymous ~ftp>
Suggest changing to : <Anonymous /public>
Note - for unslung version 3.x users suggest changing to :
<Anonymous /share/hdd/data/public>
May 22, 2005, at 10:32 PM by bobtm -- Added info on encrypted FTP and NAT
Changed lines 91-92 from:
  • Tip 4: Proftpd and NAT routers. Proftpd is easily configured for access across a NAT enabled router by enabaling a Passive port range. The following example will configure twenty Passive ports for data transfer in the range 50000 to 50019.
to:
  • Tip 4: Proftpd and NAT routers. Proftpd is easily configured for access across a NAT enabled router by enabling a Passive port range. The following example will configure twenty Passive ports for data transfer in the range 50000 to 50019.
Added lines 107-108:

Note: Since SSL/TLS encrypts the control channel, NAT routers cannot read it to manage incoming TCP connection automatically. If you are behind a NAT router (usually on a 10.*.*.* or 192.168.*.* network), follow tip 4.

May 22, 2005, at 08:08 PM by RobHam -- Another slight improvement to the Proftpd SSL/TLS instructions
Changed lines 105-106 from:

How to configure Proftpd for SSL/TSL authentication/encryption

to:

How to configure Proftpd for SSL/TLS authentication/encryption

Changed line 109 from:
  1. Creating a signing script file
to:
  1. Creating a signing script file (shame that this is not included with the openssl instalation).
Changed lines 112-114 from:
  1. Enabling SSL/TSL encription within proftpd
to:
  1. Enabling SSL/TLS encription within proftpd
Added line 176:
  1. default key expiry set to 5 years but can be changed
Changed line 222 from:

2. Generate a self signed root certificate and copy the root certificate to folder /opt/etc/ftpd/\\

to:

2. Generate a self signed root certificate (expiry set to 5 years but can be changed) and copy the root certificate to folder /opt/etc/ftpd/\\

Changed line 229 from:

If you want to remove the passphrase from the server key, use: -\\

to:

If you want to remove the passphrase from the server key (there is no real need for a password here so you will probably want to remove it), use: -\\

May 22, 2005, at 07:48 PM by RobHam --
Added lines 278-279:

Change the TLSRequired and TLSVerifyClient configuration settings above as required.

May 22, 2005, at 07:44 PM by RobHam --
Changed lines 271-272 from:
  1. off = client certificates are not requried
  2. on = client certificates are required
to:
  1. off = client SSL certificates are not requried
  2. on = client SSL certificates are required
May 22, 2005, at 07:42 PM by RobHam --
Changed line 258 from:
  1. Clients are required to use FTP over TLS when talking to this server.
to:
  1. Clients are required to use FTP over TLS when talking to this server
Changed line 270 from:
  1. Authenticate clients that want to use FTP over TLS?
to:
  1. Authenticate clients that want to use FTP over TLS
May 22, 2005, at 07:40 PM by RobHam -- very slight tidy up to the SSL/TSL instructions
Changed lines 259-260 from:
  1. off - clients can connect using insecure FTP or secure FTP/SSL
  2. on - clients can only connect using secure FTP/SSL
to:
  1. off = clients can connect using insecure FTP or secure FTP/SSL
  2. on = clients can only connect using secure FTP/SSL
Changed lines 271-272 from:
  1. on - client certificates are required
to:
  1. off = client certificates are not requried
  2. on = client certificates are required
May 20, 2005, at 04:23 PM by RobHam --
Changed line 176 from:

default_days = 365

to:

default_days = 1825

May 20, 2005, at 04:20 PM by RobHam --
Added lines 114-116:

Method

May 20, 2005, at 04:18 PM by RobHam -- Added instructions to enable SSL/TSL encription
Added lines 103-273:

How to configure Proftpd for SSL/TSL authentication/encryption

The following list of instructions is largely based on Enabling HTTPS for Apache. The method involves: -

  1. Creating a signing script file
  2. Creating a Certificate Authority (CA) key and root Certificate
  3. Creating a Server key and signed Server Certificate
  4. Enabling SSL/TSL encription within proftpd

Login as user root and create a home folder for use by openssl to store the signing script and to create keys and certificates in. Make the folder read/write only by user root.
mkdir /opt/etc/openssl
chmod 600 /opt/etc/openssl

Move to the new folder
cd /opt/etc/openssl

You will now need to create a signing script by copying the following scipt section into a new file called sign.sh using a Unix compatable text editor. Store the script in the above folder.

sign.sh

(:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 
#!/bin/sh
##
##  sign.sh -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
##

#   argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sign <whatever>.csr"; exit 1
fi
if [ ! -f $CSR ]; then
    echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
   *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
       * ) CERT="$CSR.crt" ;;
esac

#   make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

#   create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca              = CA_own
[ CA_own ]
dir                     = .
certs                   = \$dir
new_certs_dir           = \$dir/ca.db.certs
database                = \$dir/ca.db.index
serial                  = \$dir/ca.db.serial
RANDFILE                = \$dir/ca.db.rand
certificate             = \$dir/ca.crt
private_key             = \$dir/ca.key
unique_subject          = no
default_days            = 365
default_crl_days        = 30
default_md              = md5
preserve                = no
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOT

#  sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt $CERT

#  cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

#  die gracefully
exit 0

(:tableend:)

Make sign.sh owned by root and executable
chown root:root /opt/etc/openssl/sign.sh
chmod 700 /opt/etc/openssl/sign.sh

Creating the Keys and Certificates

1. Create a new root key for your own Certificate Authority (CA)
openssl genrsa -des3 -out ca.key 1024

If you want to remove the passphrase from the root key, use: -
mv ca.key ca.key.orig
openssl rsa -in ca.key.orig -out ca.key

2. Generate a self signed root certificate and copy the root certificate to folder /opt/etc/ftpd/
openssl req -new -x509 -days 1825 -key ca.key -out ca.crt
cp /opt/etc/openssl/ca.crt /opt/etc/ftpd/

3. Create the server key
openssl genrsa -des3 -out server.key 1024

If you want to remove the passphrase from the server key, use: -
mv server.key server.key.orig
openssl rsa -in server.key.orig -out server.key

Copy the server key to folder /opt/etc/ftpd/
cp /opt/etc/openssl/server.key /opt/etc/ftpd/

4. Prepare a certificate signing request (CSR).
Important - when asked for a Common Name - enter localhost
openssl req -new -key server.key -out server.csr

5. Sign your server key using the previously saved script file
./sign.sh server.csr

6. Copy the server certificate to folder /opt/etc/ftpd/
cp /opt/etc/openssl/server.crt /opt/etc/ftpd/

Modify proftpd.conf

Using a Unix compatable text editor insert the following script section into the proftpd configuration file /opt/etc/proftpd.conf, just paste it to the end of the file.

(:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 
<IfModule mod_tls.c>
	TLSEngine on
	TLSLog /opt/var/proftpd/tls.log
	TLSProtocol TLSv1

# Clients are required to use FTP over TLS when talking to this server.
# off - clients can connect using insecure FTP or secure FTP/SSL
# on  - clients can only connect using secure FTP/SSL
	TLSRequired off

# Server's certificate
	TLSRSACertificateFile /opt/etc/ftpd/server.crt
	TLSRSACertificateKeyFile /opt/etc/ftpd/server.key

# CA the server trusts
	TLSCACertificateFile /opt/etc/ftpd/ca.crt

# Authenticate clients that want to use FTP over TLS?
# on  - client certificates are required
	TLSVerifyClient off
</IfModule>

(:tableend:)
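Review bot: the signing config sets "default_md = md5" and both key generation steps use 1024-bit RSA ("openssl genrsa -des3 -out ca.key 1024"), which are weak choices for certificates intended to last five years; suggest "default_md = sha256" (sha1 at minimum on an older openssl) and 2048-bit keys. Further points in the same hunk: "chmod 600 /opt/etc/openssl" drops the execute bit from a directory, where 700 is the intended mode; step 4 tells the reader to enter "localhost" as the Common Name, but a client that verifies the server certificate checks it against the name it connected to, so the CN should be the hostname the clients use (for example the MasqueradeAddress value) or the text should say that clients must skip the name check; offering to strip the passphrase from ca.key is not advisable, since the CA key is only ever used by sign.sh and should stay encrypted, whereas doing so for server.key is reasonable because the daemon reads it unattended; "cp /opt/etc/openssl/server.key /opt/etc/ftpd/" sets no mode on the copy of the now-unencrypted key, so add "chmod 600 /opt/etc/ftpd/server.key"; the config block ships with "TLSRequired off", so plaintext logins still succeed after all of this, which deserves a sentence next to that line; and in sign.sh the usage message reads "sign.sign" and $CSR is unquoted, which is harmless here but breaks on paths containing spaces.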

May 06, 2005, at 03:44 PM by RobHam --
Changed lines 48-49 from:
  • Tip 1: The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line : <Anonymous ~ftp>. Suggest changing to : <Anonymous /share/hdd/data/public>.
to:
  • Tip 1: Securing the server. The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line : <Anonymous ~ftp>. Suggest changing to : <Anonymous /share/hdd/data/public>.
May 06, 2005, at 03:37 PM by RobHam --
Changed lines 21-22 from:

The possibilities for configuration are endless. Go to the Proftpd website and edit /opt/etc/proftpd according to your needs. SSL certificates are to be stored in /opt/etc/ftpd and the list of users not allowed to log on in /opt/etc/ftpusers.

to:

The possibilities for configuration are endless. Go to the Proftpd website and edit /opt/etc/proftpd.conf according to your needs. SSL certificates are to be stored in /opt/etc/ftpd and the list of users not allowed to log on in /opt/etc/ftpusers.

Added lines 46-47:

Changed lines 50-51 from:
to:

Changed lines 75-76 from:
to:

Added lines 89-102:

  • Tip 4: Proftpd and NAT routers. Proftpd is easily configured for access across a NAT enabled router by enabaling a Passive port range. The following example will configure twenty Passive ports for data transfer in the range 50000 to 50019.
1. Using a text editor such as vi, add the following line to the top section of the configuration file /opt/etc/proftpd.conf
PassivePorts 50000 50019
2. (Optional) Proftpd has the ability to display a domain name during the client login process rather than just the internal IP, handy if you are accessing using Dyndns or a similar service etc. Add the following line to the top section as above.
MasqueradeAddress your.domain.name.goes.here.com
3. In your router setup, forward port 21 and the port range 50000 to 50019 to your NSLU2 internal IP address (default for NSLU2 is 192.168.1.77).
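Review bot: step 3 forwards port 21 to the NSLU2 from the Internet, which is the moment the default "<Anonymous ~ftp>" root access noted in Tip 1 (line 602 of this history) and any plaintext logins become reachable from outside; suggest the tip tell the reader to apply Tip 1 and enable TLS before opening the router port, and to keep the PassivePorts range as narrow as the expected number of concurrent transfers allows.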
April 17, 2005, at 08:27 AM by RobHam --
Changed lines 39-40 from:
  • Says warning: unable to determine IP address of '<SlugName?>' on startup. This is because /etc/nsswitch.conf is missing up until 4.x. Fix it by doing echo "hosts: files dns" > /etc/nsswitch.conf and restart proftpd.
to:
  • Says warning: unable to determine IP address of '<SlugName>' on startup. This is because /etc/nsswitch.conf is missing up until 4.x. Fix it by doing echo "hosts: files dns" > /etc/nsswitch.conf and restart proftpd.
Changed line 73 from:
  • Tip 3: Missing users Home Directory - a possible workaround. ProFTPD? currently needs a users home directory entry in the /etc/passwd file for users to login.
to:
  • Tip 3: Missing users Home Directory - a possible workaround. Proftpd currently needs a users home directory entry in the /etc/passwd file for users to login.
Changed lines 79-80 from:
Any manual changes to this file will not withstand a re-boot or withstand any changes made to some of the web configuration pages. ProFTPD? does have a workable work around for this by configuring a manually maintained dedicated passwd file just for use by ProFTPD?, suggested location for such a file is a disk directory such as /opt/etc/.
to:
Any manual changes to this file will not withstand a re-boot or withstand any changes made to some of the web configuration pages. Proftpd does have a workable work around for this by configuring a manually maintained dedicated passwd file just for use by Proftpd, suggested location for such a file is a disk directory such as /opt/etc/.
Changed line 82 from:
  1. Change the relevant proftpd.conf directive located in the
    global section to read:
    AuthUserFile? /opt/etc/passwd.proftpd
to:
  1. Change the relevant proftpd.conf directive located in the global section to read:
    AuthUserFile /opt/etc/passwd.proftpd
Changed lines 85-86 from:
to:

RobHam

April 16, 2005, at 11:18 PM by RobHam --
Added lines 72-84:
  • Tip 3: Missing users Home Directory - a possible workaround. ProFTPD? currently needs a users home directory entry in the /etc/passwd file for users to login.
Change example:
someuser:hashedpw:2000:501:::/dev/null
to
someuser:hashedpw:2000:501::/share/hdd/data/someuser:/dev/null
Any manual changes to this file will not withstand a re-boot or withstand any changes made to some of the web configuration pages. ProFTPD? does have a workable work around for this by configuring a manually maintained dedicated passwd file just for use by ProFTPD?, suggested location for such a file is a disk directory such as /opt/etc/.
So...
  1. Change the relevant proftpd.conf directive located in the
    global section to read:
    AuthUserFile? /opt/etc/passwd.proftpd
  2. Create and populate a new /opt/etc/passwd.proftpd file using a text editor with your required users by copying them from the system /etc/passwd file. Modify these users as required following the passwd file conventions.
Added line 86:
April 16, 2005, at 10:13 PM by RobHam --
Changed lines 46-48 from:
  • Tip 1: The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line : <Anonymous ~ftp>. Suggest changing to : <Anonymous /share/hdd/data/public>.
to:
  • Tip 1: The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line : <Anonymous ~ftp>. Suggest changing to : <Anonymous /share/hdd/data/public>.
Changed line 51 from:

(:table border=0 width=100% bcolor=#eeeeff:)

to:

(:table border=0 width=100% bgcolor=#eeeeff:)

April 16, 2005, at 10:01 PM by RobHam --
Changed lines 46-66 from:
  • Tip 1: The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line : <Anonymous ~ftp>. Suggest changing to : <Anonymous /share/hdd/data/public>.
  • Tip 2: Securing the server. The default /etc/passwd file contains a list of default user names, some are hidden from the web interface, all theoretically can be used to login to the server (root and admin are most at risk). You can disable these names by placing them in a text file called 'ftpusers'. Save the text file to the folder /opt/etc/. An example ftpusers file with the current default user names is:-
# /opt/etc/ftpusers
# Inclusion of 'root' here has limited functionality, to disable
# 'root' access use the proftpd.conf directive - RootLogin? off
root
# Including 'ftp' here will disable anonymous login
ftp
# Other default users
bin
lp
mail
nobody
ourtelnetrescueuser
guest
admin
# End of file
to:
  • Tip 1: The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line : <Anonymous ~ftp>. Suggest changing to : <Anonymous /share/hdd/data/public>.
  • Tip 2: Securing the server. The default /etc/passwd file contains a list of default user names, some are hidden from the web interface, all theoretically can be used to login to the server (root and admin are most at risk). You can disable these names by placing them in a text file called ftpusers. Save the text file to the folder /opt/etc/. An example ftpusers file with the current default user names is:-

(:table border=0 width=100% bcolor=#eeeeff:) (:cell:)

 
# /opt/etc/ftpusers
# Inclusion of 'root' here has limited functionality, to disable
# 'root' access use the proftpd.conf directive - RootLogin off 
root
# Including 'ftp' here will disable anonymous login
ftp
# Other default users
bin
lp
mail
nobody
ourtelnetrescueuser
guest
admin
# End of file

(:tableend:)

April 14, 2005, at 09:36 PM by RobHam --
Changed line 46 from:
  • Tip 1:The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line : <Anonymous ~ftp>. Suggest changing to : <Anonymous /share/hdd/data/public>.
to:
  • Tip 1: The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line : <Anonymous ~ftp>. Suggest changing to : <Anonymous /share/hdd/data/public>.
Deleted line 47:
Changed line 49 from:
  • Tip 2:Securing the server. The default /etc/passwd file contains a list of default user names, some are hidden from the web interface, all theoretically can be used to login to the server (root and admin are most at risk). You can disable these names by placing them in a text file called 'ftpusers'. Save the text file to the folder /opt/etc/. An example ftpusers file with the current default user names is:-
to:
  • Tip 2: Securing the server. The default /etc/passwd file contains a list of default user names, some are hidden from the web interface, all theoretically can be used to login to the server (root and admin are most at risk). You can disable these names by placing them in a text file called 'ftpusers'. Save the text file to the folder /opt/etc/. An example ftpusers file with the current default user names is:-
Changed line 52 from:
# Inclusion of 'root' here has no functionality, to disable
to:
# Inclusion of 'root' here has limited functionality, to disable
April 12, 2005, at 07:09 PM by RobHam --
Changed line 50 from:
  • Tip 2:Securing the server. The default /etc/passwd file contains a list of default user names, some are hidden from the web interface, all can be used to login to the server so pose a security. You can disable these names by placing them in a text file called 'ftpusers'. Save the text file to the folder /opt/etc/. An example ftpusers file with all current default user names is:-
to:
  • Tip 2:Securing the server. The default /etc/passwd file contains a list of default user names, some are hidden from the web interface, all theoretically can be used to login to the server (root and admin are most at risk). You can disable these names by placing them in a text file called 'ftpusers'. Save the text file to the folder /opt/etc/. An example ftpusers file with the current default user names is:-
Changed line 53 from:
# inclusion of 'root' here has no functionality, to disable
to:
# Inclusion of 'root' here has no functionality, to disable
Changed line 56 from:
# including 'ftp' here will disable anonymous login
to:
# Including 'ftp' here will disable anonymous login
Changed line 58 from:
# other default users
to:
# Other default users
Added line 66:
# End of file
April 12, 2005, at 07:04 PM by RobHam --
Added lines 49-68:
  • Tip 2:Securing the server. The default /etc/passwd file contains a list of default user names, some are hidden from the web interface, all can be used to login to the server so pose a security. You can disable these names by placing them in a text file called 'ftpusers'. Save the text file to the folder /opt/etc/. An example ftpusers file with all current default user names is:-
# /opt/etc/ftpusers
# inclusion of 'root' here has no functionality, to disable
# 'root' access use the proftpd.conf directive - RootLogin? off
root
# including 'ftp' here will disable anonymous login
ftp
# other default users
bin
lp
mail
nobody
ourtelnetrescueuser
guest
admin

RobHam?

April 12, 2005, at 06:40 PM by RobHam --
Changed lines 46-47 from:
  • Tip 1:The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line :-

<Anonymous ~ftp>.

to:
  • Tip 1:The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line : <Anonymous ~ftp>. Suggest changing to : <Anonymous /share/hdd/data/public>.
Changed lines 48-49 from:

Suggest changing to <Anonymous /share/hdd/data/public>.

to:
April 12, 2005, at 06:37 PM by RobHam --
Added lines 45-51:
  • Tip 1:The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line :-

<Anonymous ~ftp>.

Suggest changing to <Anonymous /share/hdd/data/public>.

April 11, 2005, at 12:09 PM by bobtm --
Changed line 42 from:
  • NOTE: The users must have a home directory in their /etc/passwd entry to log in. The directory does not have to exist if @@DefaultRoot@@ is set.
to:
  • NOTE: The users must have a home directory in their /etc/passwd entry to log in. The directory does not have to exist if DefaultRoot is set.
April 11, 2005, at 12:08 PM by bobtm --
Changed line 42 from:
  • NOTE: The users must have a home directory in their /etc/passwd entry to log in. The directory does not have to exist if DefaultRoot? is set.
to:
  • NOTE: The users must have a home directory in their /etc/passwd entry to log in. The directory does not have to exist if @@DefaultRoot@@ is set.
April 11, 2005, at 12:08 PM by bobtm --
Changed line 21 from:

The possibilities for configuration are endless. Go to the Proftpd website and edit /opt/etc/proftpd according to your needs. SSL certificates are to be stored in /opt/etc/ftpd.

to:

The possibilities for configuration are endless. Go to the Proftpd website and edit /opt/etc/proftpd according to your needs. SSL certificates are to be stored in /opt/etc/ftpd and the list of users not allowed to log on in /opt/etc/ftpusers.

Added lines 40-42:

General

  • NOTE: The users must have a home directory in their /etc/passwd entry to log in. The directory does not have to exist if DefaultRoot? is set.
March 25, 2005, at 12:10 AM by bobtm --
Changed line 31 from:
  1. Set up startup script: cp /opt/doc/proftpd/S58proftpd to /opt/etc/init.d
to:
  1. Set up startup script: cp /opt/doc/proftpd/S58proftpd /opt/etc/init.d
March 25, 2005, at 12:09 AM by bobtm --
Changed line 21 from:

The possibilities for configuration are endless. Go to the Proftpd website and edit /opt/etc/proftpd according to your needs. SSL certificates are to be stored in /opt/etc/ftpd and restart proftpd.

to:

The possibilities for configuration are endless. Go to the Proftpd website and edit /opt/etc/proftpd according to your needs. SSL certificates are to be stored in /opt/etc/ftpd.

Changed line 39 from:
  • Says warning: unable to determine IP address of '<SlugName?>' on startup. This is because /etc/nsswitch.conf is missing up until 4.x. Fix it by doing echo "hosts: files dns" > /etc/nsswitch.conf.
to:
  • Says warning: unable to determine IP address of '<SlugName?>' on startup. This is because /etc/nsswitch.conf is missing up until 4.x. Fix it by doing echo "hosts: files dns" > /etc/nsswitch.conf and restart proftpd.
March 25, 2005, at 12:09 AM by bobtm --
Changed line 21 from:

The possibilities for configuration are endless. Go to the Proftpd website and edit /opt/etc/proftpd according to your needs. SSL certificates are to be stored in /opt/etc/ftpd.

to:

The possibilities for configuration are endless. Go to the Proftpd website and edit /opt/etc/proftpd according to your needs. SSL certificates are to be stored in /opt/etc/ftpd and restart proftpd.

Added line 39:
  • Says warning: unable to determine IP address of '<SlugName?>' on startup. This is because /etc/nsswitch.conf is missing up until 4.x. Fix it by doing echo "hosts: files dns" > /etc/nsswitch.conf.
March 24, 2005, at 06:24 PM by bobtm --
Changed line 21 from:

The possibilities for configuration are endless. Go to the Proftpd website and edit /opt/etc/proftpd according to your needs. SSL certificates are to be stored in /opt/etc/ftpd. Make sure to backup your configuration file as reinstalling or upgrading proftpd is likely to overwrite it (yes, it sucks).

to:

The possibilities for configuration are endless. Go to the Proftpd website and edit /opt/etc/proftpd according to your needs. SSL certificates are to be stored in /opt/etc/ftpd.

Deleted line 24:

Chose your mode of running it (one of the below).

Changed lines 26-40 from:

With Linksys inetd

  1. Set up the diversion script: cp /opt/doc/rc.xinetd.proftpd /unslung/rc.xinetd
  2. Run: . /etc/rc.d/rc.xinetd

With Inetutils inetd

  1. Add the ftp entry: cat /opt/doc/proftpd/inetd.conf.proftpd >> /opt/etc/inetd.conf
  2. Run: . /etc/rc.d/rc.xinetd

With xinetd (recommended)

  1. Add proftpd entry: cp /opt/doc/proftpd/proftpd.xinetd /opt/etc/xinetd.d/proftpd
  2. Run: . /etc/rc.d/rc.xinetd
to:

With xinetd

Since the proftpd package installs a xinetd configuration file, just do kill -SIGHUP `cat /var/run/xinetd.pid` to make xinetd reread its configuration files.

Changed lines 31-32 from:
  1. Set up startup script: cp /opt/doc/proftpd/S68proftpd to /opt/etc/init.d
  2. Run: . /opt/etc/init.d/S68proftpd
to:
  1. Set up startup script: cp /opt/doc/proftpd/S58proftpd to /opt/etc/init.d
  2. Run: . /opt/etc/init.d/S58proftpd
Changed line 36 from:

Let the trouble commence.

to:

As standalone

Added line 38:
  • Says unable to listen to local socket: No such file or directory on startup. This is because the directory /opt/var/proftpd was not created on proftpd install prior to IPK version 4. Just create the directories.
February 03, 2005, at 06:08 PM by bobtm --
Added line 13:
  • Full man page installation.
February 03, 2005, at 05:40 PM by bobtm --
Changed lines 1-52 from:

Describe {{Proftpd}} here.

to:

Proftpd

Why proftpd

Check out http://www.proftpd.org

  • Has virtual users
  • Has bandwidth limitation (only per session, not global)
  • Has SSL/TLS authentication/encryption.
  • Has control tools, like ftptop and ftpwho, letting you see all that is going on on your server.
  • Has a number of authentication methods
  • Comes with integration scripts for running with the Linksys inetd, the Inetutils inetd and xinetd (recommended) as well as standalone server setup.
  • Has quotas, up/down-load ratios and almost all you could want from an FTPD.

How to install

Install the package: ipkg install proftpd

How to configure

The possibilities for configuration are endless. Go to the Proftpd website and edit /opt/etc/proftpd according to your needs. SSL certificates are to be stored in /opt/etc/ftpd. Make sure to backup your configuration file as reinstalling or upgrading proftpd is likely to overwrite it (yes, it sucks).

How to activate

Chose your mode of running it (one of the below).

With Linksys inetd

  1. Set up the diversion script: cp /opt/doc/rc.xinetd.proftpd /unslung/rc.xinetd
  2. Run: . /etc/rc.d/rc.xinetd

With Inetutils inetd

  1. Add the ftp entry: cat /opt/doc/proftpd/inetd.conf.proftpd >> /opt/etc/inetd.conf
  2. Run: . /etc/rc.d/rc.xinetd

With xinetd (recommended)

  1. Add proftpd entry: cp /opt/doc/proftpd/proftpd.xinetd /opt/etc/xinetd.d/proftpd
  2. Run: . /etc/rc.d/rc.xinetd

As standalone server

  1. Set up startup script: cp /opt/doc/proftpd/S68proftpd to /opt/etc/init.d
  2. Run: . /opt/etc/init.d/S68proftpd

Troubleshooting

Let the trouble commence.

Bob_tm

Last edited by Robert.
Based on work by fcarolo, pedxing, abe, Alienz, RobHam, marco, Rufus, Stein, AlanLiu, ingeba, Mark, and bobtm.
Originally by bobtm.
Page last modified on July 27, 2007, at 10:38 PM