Since there are no Ubuntu/Debian packages for ProFTPd with TLS and SQL support, I had to compile from source. However, I just used apt-get to get the SSL libraries.
# apt-get install openssl libssl-dev libmysqlclient15-dev zlib1g-dev gcc make g++
I extracted the patched ProFTPd-TLS source and changed to the newly created directory.
$ tar xfvj proftpd-1.3.0a.tar.bz2
$ cd proftpd-1.3.0a
Compile the patched ProFTPd source (mod_ratio and mod_sql are supplied by the default ProFTPd source).
# make install
Create a DSA certificate (stronger than RSA). This certificate is valid for 10 years (3650 days).
# openssl req -new -x509 -days 3650 -nodes -out ftpd.crt -keyout ftpd.key
# openssl dhparam -out ftpd.dhp 1024
This is actually a CSR only (unsigned certificate). Now, modify the proftpd.conf file.
I placed this inside my proftpd.conf:
# These are the TLS related options, default values TLSEngine on TLSDSACertificateFile /etc/ssl/certs/ftpd.crt TLSDSACertificateKeyFile /etc/ssl/certs/ftpd.key TLSDHParamFile /etc/ssl/certs/ftpd.dhp TLSCipherSuite ALL:!ADH TLSRequired off # don't verify any peer certificates TLSOptions NoCertRequest # Options for SQL SQLConnectInfo localhost proftpd password SQLUserInfo users userid password uid gid homedir shell SQLGroupInfo groups groupname gid members SQLAuthTypes Crypt Backend Plaintext SQLHomedirOnDemand off
For a full example of a proftpd.conf file, check here. Next, create the SQL databases and tables for user authentication.
mysql> CREATE DATABASE proftpd; mysql> USE proftpd; mysql> CREATE TABLE users ( userid varchar(30) NOT NULL UNIQUE, password varchar(30) NOT NULL, uid int(11) NOT NULL, gid int(11), homedir varchar(255), shell varchar(255), count int(11), frate int(11), fcred int(11), brate int(11), bcred int(11), fstor int(11), fretr int(11), bstor int(11), bretr int(11) );
NB: frate, fcred, brate, bcred, fstor, fretr, bstor and bretr are only needed by mod_ratio, otherwise they can be omitted. Quoted form the mod_sql README: “The column names above are the default names used if SQLRatioStats is set to ‘on’. This directive is used solely by mod_ratio. Without mod_ratio running, this directive will have no effect.”
mysql> CREATE TABLE groups ( groupname varchar(30) NOT NULL, gid int(11) NOT NULL, members BLOB ); mysql> INSERT INTO users (userid, password, uid, gid, homedir, shell) VALUES ("user", "foobar", "1001", "1001", "/home/user", "/bin/false"); mysql> GRANT SELECT ON proftpd.* TO proftpd@localhost IDENTIFIED BY "password";
Okay, log out of MySQL and let’s see if ProFTPd starts.
If it does, great! If not, the following commands are useful for debugging:
# proftpd -c /usr/local/etc/proftpd.conf -d 4 -n
Supervising the standalone version of ProFTPd is trivial:
#!/bin/sh exec /usr/local/sbin/proftpd -n
Chmod the run file +x and supervise should bring up ProFTPd a few seconds later, assuming that svscan is running.
Windows FTP clients that can do explicit SSL/TLS:
- CuteFTP Pro
- IglooFTP Pro
- Secure FTP
Linux/UNIX FTP clients that can do explicit SSL/TLS:
- IglooFTP Pro
- Secure FTP