Since there are no Ubuntu/Debian packages for ProFTPd with TLS and SQL support, I had to compile from source. However, I just used apt-get for the SSL and MySQL client libraries and the build tools.
# apt-get update
# apt-get install openssl libssl-dev libmysqlclient15-dev zlib1g-dev gcc make g++
I downloaded and extracted the patched ProFTPd-TLS source and changed into the newly created directory.
$ wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.0a.tar.bz2
$ tar xfvj proftpd-1.3.0a.tar.bz2
$ cd proftpd-1.3.0a
Compile the patched ProFTPd source (mod_ratio and mod_sql are supplied by the default ProFTPd source).
$ ./configure --with-modules=mod_ratio:mod_sql:mod_sql_mysql:mod_tls:mod_diskuse:mod_md5fs --with-libraries=/usr/lib/ --with-openssl-dir=/usr/lib/ssl
$ make
# make install
Create a DSA certificate (stronger than RSA). This certificate is valid for 10 years (3650 days).
$ cd /etc/ssl/certs/
# openssl req -new -x509 -days 3650 -nodes -out ftpd.crt -keyout ftpd.key
# openssl dhparam -out ftpd.dhp 1024
This is actually a CSR only (unsigned certificate). Now, modify the proftpd.conf file.
# vi /usr/local/etc/proftpd.conf
I placed this inside my proftpd.conf:
# These are the TLS related options, default values
TLSEngine on
TLSDSACertificateFile /etc/ssl/certs/ftpd.crt
TLSDSACertificateKeyFile /etc/ssl/certs/ftpd.key
TLSDHParamFile /etc/ssl/certs/ftpd.dhp
TLSCipherSuite ALL:!ADH
TLSRequired off
# don't verify any peer certificates
TLSOptions NoCertRequest
# Options for SQL
SQLConnectInfo localhost proftpd password
SQLUserInfo users userid password uid gid homedir shell
SQLGroupInfo groups groupname gid members
SQLAuthTypes Crypt Backend Plaintext
SQLHomedirOnDemand off
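As an added example (not part of the original write-up), a small Python check that reads a block of directives like the one above and flags the settings that leave logins unprotected: TLSRequired off, the broad ALL cipher list and Plaintext in SQLAuthTypes. The two sample configuration strings are constructed from the directives shown on this page.

```python
"""Audit the mod_tls / mod_sql directives of a proftpd.conf block for weak settings."""

# Constructed sample: the TLS and SQL auth directives shown on this page.
PAGE_CONF = """\
# These are the TLS related options, default values
TLSEngine on
TLSCipherSuite ALL:!ADH
TLSRequired off
TLSOptions NoCertRequest
SQLAuthTypes Crypt Backend Plaintext
"""

# Constructed hardened variant of the same block.
HARDENED_CONF = """\
TLSEngine on
TLSCipherSuite HIGH:!aNULL:!MD5
TLSRequired on
SQLAuthTypes Crypt
"""


def parse_directives(text):
    """Map lower-cased directive name -> value; lines starting with '#' are comments."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip()
    return directives


def audit_config(text):
    """Return (directive, finding) pairs for settings that weaken login security."""
    d = parse_directives(text)
    findings = []
    if d.get("tlsengine", "off").lower() != "on":
        findings.append(("TLSEngine", "TLS is disabled, so every login crosses the network in the clear"))
    # mod_tls defaults TLSRequired to off: a client may skip AUTH TLS entirely.
    if d.get("tlsrequired", "off").lower() == "off":
        findings.append(("TLSRequired", "TLS is optional; a client can send USER/PASS unencrypted"))
    suite = [c.strip().upper() for c in d.get("tlsciphersuite", "").split(":")]
    if "ALL" in suite:
        findings.append(("TLSCipherSuite", "ALL admits every non-NULL cipher the linked OpenSSL ships, weak ones included; prefer HIGH:!aNULL:!MD5"))
    if "plaintext" in d.get("sqlauthtypes", "").lower().split():
        findings.append(("SQLAuthTypes", "Plaintext compares against unhashed passwords, so the users table holds recoverable secrets; use Crypt"))
    return findings


if __name__ == "__main__":
    for directive, finding in audit_config(PAGE_CONF):
        print(f"{directive}: {finding}")
```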
For a full example of a proftpd.conf file, check here. Next, create the SQL databases and tables for user authentication.
mysql> CREATE DATABASE proftpd;
mysql> USE proftpd;
mysql> CREATE TABLE users (
userid varchar(30) NOT NULL UNIQUE,
password varchar(30) NOT NULL,
uid int(11) NOT NULL,
gid int(11),
homedir varchar(255),
shell varchar(255),
count int(11),
frate int(11),
fcred int(11),
brate int(11),
bcred int(11),
fstor int(11),
fretr int(11),
bstor int(11),
bretr int(11)
);
NB: frate, fcred, brate, bcred, fstor, fretr, bstor and bretr are only needed by mod_ratio; otherwise they can be omitted. Quoted from the mod_sql README: "The column names above are the default names used if SQLRatioStats is set to 'on'. This directive is used solely by mod_ratio. Without mod_ratio running, this directive will have no effect."
mysql> CREATE TABLE groups (
groupname varchar(30) NOT NULL,
gid int(11) NOT NULL,
members BLOB
);
mysql> INSERT INTO users (userid, password, uid, gid, homedir, shell) VALUES
("user", "foobar", "1001", "1001", "/home/user", "/bin/false");
mysql> GRANT SELECT ON proftpd.* TO proftpd@localhost IDENTIFIED BY "password";
Okay, log out of MySQL and let's see if ProFTPd starts.
# proftpd -c /usr/local/etc/proftpd.conf
If it does, great! If not, the following commands are useful for debugging:
# tail -f /var/log/mysql.log
# proftpd -c /usr/local/etc/proftpd.conf -d 4 -n
Supervising the standalone version of ProFTPd is trivial:
# mkdir -p /service/proftpd/log/{main,supervise} /service/proftpd/supervise
A sample run file for Daemontools:
#!/bin/sh
exec /usr/local/sbin/proftpd -n
Make the run file executable (chmod +x); supervise should bring up ProFTPd a few seconds later, assuming that svscan is running.
# chmod +x /service/proftpd/run
Windows FTP clients that can do explicit SSL/TLS:
Linux/UNIX FTP clients that can do explicit SSL/TLS:
Related URLs: