ProFTPd-TLS-SQL Mini How-to
Jani Reinikainen, 
Revision 0.1.2, 23. January 2007
Since there are no Ubuntu/Debian packages for ProFTPd with TLS and SQL support, I had to compile from source. However, I just used apt-get to get the SSL libraries.
# apt-get update
# apt-get install openssl libssl-dev libmysqlclient15-dev zlib1g-dev gcc make g++
I extracted the patched ProFTPd-TLS source and changed to the newly created directory.
$ wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.0a.tar.bz2
$ tar xfvj proftpd-1.3.0a.tar.bz2
$ cd proftpd-1.3.0a
Compile the patched ProFTPd source (mod_ratio and mod_sql are supplied by the default ProFTPd source).
$ ./configure --with-modules=mod_ratio:mod_sql:mod_sql_mysql:mod_tls:mod_diskuse:mod_md5fs --with-libraries=/usr/lib/ --with-openssl-dir=/usr/lib/ssl
$ make
# make install
Create a DSA certificate (stronger than RSA). This certificate is valid for 10 years (3650 days).
$ cd /etc/ssl/certs/
# openssl req -new -x509 -days 3650 -nodes -out ftpd.crt -keyout ftpd.key
# openssl dhparam -out ftpd.dhp 1024
This is actually a CSR only (unsigned certificate). Now, modify the proftpd.conf file.
# vi /usr/local/etc/proftpd.conf
I placed this inside my proftpd.conf:
# These are the TLS related options, default values
TLSEngine on
TLSDSACertificateFile /etc/ssl/certs/ftpd.crt
TLSDSACertificateKeyFile /etc/ssl/certs/ftpd.key
TLSDHParamFile /etc/ssl/certs/ftpd.dhp
TLSCipherSuite ALL:!ADH
TLSRequired off
# don't verify any peer certificates
TLSOptions NoCertRequest
# Options for SQL
# SQLConnectInfo takes database@host, then the user name and password
SQLConnectInfo proftpd@localhost proftpd password
SQLUserInfo users userid password uid gid homedir shell
SQLGroupInfo groups groupname gid members
SQLAuthTypes Crypt Backend Plaintext
SQLHomedirOnDemand off
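A small check for the directives above, added here as an example (it is not part of the original how-to or of ProFTPd). It reports settings that leave logins or stored passwords unprotected; SAMPLE_CONF and the function names are constructed for illustration.

```python
# Added example: audit the TLS/SQL directives of a proftpd.conf.
# SAMPLE_CONF is constructed from the directives shown in this how-to.
SAMPLE_CONF = """\
# These are the TLS related options, default values
TLSEngine on
TLSCipherSuite ALL:!ADH
TLSRequired off
TLSOptions NoCertRequest
SQLAuthTypes Crypt Backend Plaintext
"""


def parse_directives(text):
    """Map lowercased directive name -> argument list (last occurrence wins)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # skip blanks, comments and <Section> markers
        name, *args = line.split()
        directives[name.lower()] = args
    return directives


def audit(text):
    """Return (directive, finding) pairs for settings that weaken the setup."""
    d = parse_directives(text)
    first = lambda key, default: (d.get(key) or [default])[0]
    findings = []
    if first("tlsengine", "off").lower() != "on":
        findings.append(("TLSEngine", "TLS is not enabled"))
    if first("tlsrequired", "off").lower() == "off":
        findings.append(("TLSRequired", "plain FTP logins are still accepted, "
                         "so passwords can cross the network in cleartext"))
    suite = first("tlsciphersuite", "").split(":")
    if "ALL" in suite and "!LOW" not in suite:
        findings.append(("TLSCipherSuite", "ALL also admits low-strength "
                         "suites where the OpenSSL build still has them"))
    if "plaintext" in (a.lower() for a in d.get("sqlauthtypes", [])):
        findings.append(("SQLAuthTypes", "Plaintext lets the users table "
                         "hold unhashed passwords"))
    return findings


if __name__ == "__main__":
    for directive, finding in audit(SAMPLE_CONF):
        print(f"{directive}: {finding}")
```

Run against the sample it reports TLSRequired, TLSCipherSuite and SQLAuthTypes; to check a real file, pass its contents to audit().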
For a full example of a proftpd.conf file, check here. Next, create the SQL databases and tables for user authentication.
mysql> CREATE DATABASE proftpd;
mysql> USE proftpd;
mysql> CREATE TABLE users (
userid varchar(30) NOT NULL UNIQUE,
password varchar(30) NOT NULL,
uid int(11) NOT NULL,
gid int(11),
homedir varchar(255),
shell varchar(255),
count int(11),
frate int(11),
fcred int(11),
brate int(11),
bcred int(11),
fstor int(11),
fretr int(11),
bstor int(11),
bretr int(11)
);
NB: frate, fcred, brate, bcred, fstor, fretr, bstor and bretr are only needed by mod_ratio; otherwise they can be omitted. Quoted from the mod_sql README: "The column names above are the default names used if SQLRatioStats is set to 'on'. This directive is used solely by mod_ratio. Without mod_ratio running, this directive will have no effect."
mysql> CREATE TABLE groups (
groupname varchar(30) NOT NULL,
gid int(11) NOT NULL,
members BLOB
);
mysql> INSERT INTO users (userid, password, uid, gid, homedir, shell) VALUES
("user", "foobar", "1001", "1001", "/home/user", "/bin/false");
mysql> GRANT SELECT ON proftpd.* TO proftpd@localhost IDENTIFIED BY "password";
Okay, log out of MySQL and let's see if ProFTPd starts.
# proftpd -c /usr/local/etc/proftpd.conf
If it does, great! If not, the following commands are useful for debugging:
# tail -f /var/log/mysql.log
# proftpd -c /usr/local/etc/proftpd.conf -d 4 -n
Supervising the standalone version of ProFTPd is trivial:
# mkdir -p /service/proftpd/log/{main,supervise} /service/proftpd/supervise
A sample
#!/bin/sh
exec /usr/local/sbin/proftpd -n
Chmod the run file +x and supervise should bring up ProFTPd a few seconds later, assuming that svscan is running.
# chmod +x /service/proftpd/run
Windows FTP clients that can do explicit SSL/TLS:
- CuteFTP Pro
- Ws_FTP
- IglooFTP Pro
- Secure FTP
Linux/UNIX FTP clients that can do explicit SSL/TLS:
- IglooFTP Pro
- Secure FTP
- SurgeFTP
- lftp
Permission granted to replicate information found on these pages, provided that all copyright headers/footers remain intact.









