Enabling FTPS using vsftp
Note: This page applies to SFTP Gateway version 2.x. Visit Here for documentation on version 3.x.
Note: In previous versions of SFTP Gateway (i.e. 2.000.04
and 1.004.3
),
files uploaded via the FTP protocol were getting uploaded prematurely,
resulting in file corruption. This issue has been fixed in 2.001.00
.
By default SFTP Gateway uses SFTP, which leverages OpenSSH. FTPS is not configured by default, because it requires that you expose additional ports.
However, there are some situations where you might need FTPS:
- Legacy clients that only support FTPS
- FTPS supports X509 SSL certificates, which may be a requirement for securely identifying the server
Here are instructions on how to install and configure vsftp on SFTP Gateway to add FTPS functionality. It also covers how to add an SSL certificate.
Installation
Elevate privileges to root:
sudo su
Install vsftp with this command:
yum install vsftpd -y
Create certificates
As a preparatory step, you need to first create a self-signed certificate. This is to encrypt your FTPS traffic.
Run the following commands:
mkdir /etc/ssl/private/ && cd $_
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout vsftpd.key -out vsftpd.crt -subj "/C=NA/ST=NA/L=NA/O=NA/OU=NA/CN=NA"
(Feel free to put in real values for your state, locality, organization, etc.)
This creates a directory /etc/ssl/private/
And then it creates two files:
vsftpd.crt
: This is your SSL certificatevsftpd.key
: This is the private key
Eventually, you want to use a real SSL certificate, but for now, a self-signed cert will do.
Configure vsftp
Edit /etc/vsftpd/vsftpd.conf
On line 12, change anonymous_enable
from YES
to NO
:
anonymous_enable=NO
On line 100, uncomment the following line:
chroot_local_user=YES
Append the following to the end of the vsftpd.conf
file:
rsa_cert_file=/etc/ssl/private/vsftpd.crt
rsa_private_key_file=/etc/ssl/private/vsftpd.key
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
user_sub_token=$USER
local_root=/home/$USER/home/$USER
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=<Public IP of your instance>
Note: remember to set the last line (pasv_address
) to your Elastic IP
The first section configures SSL.
The second section sets the chroot directory.
And the third section configures your IP and ports.
Restart the service to apply your changes:
systemctl restart vsftpd
Make sure vsftpd runs after a reboot:
systemctl enable vsftpd
Configure your Network Security Group
FTPS requires several ports, so you'll have to open them up on your Network Security Group.
- Edit the inbound rules for the Network Security Group
- Add a rule for Custom TCP, Port range
20-21
, from Source Anywhere - Add a rule for Custom TCP, Port range
1024-1048
, from Source Anywhere
Integrate with SFTP Gateway
There are a few steps needed to get vsftp working with SFTP Gateway.
Use the web admin UI to create an SFTP user
Set the SFTP user's password, also using the web admin UI
SFTP Gateway disables the user's shell for security reasons. You need to re-enable the user's shell in order to use FTPS (remember to change
<username>
to a real value):
sudo su
ldappassword=`grep spring.ldap.password /opt/sftpgw/application.properties | cut -d'=' -f2`
ldapmodify -D cn=admin -w $ldappassword
dn: uid=<username>,ou=People,dc=sftpgateway,dc=com
changeType: modify
add: loginShell
loginShell: /bin/bash
After entering these commands, hit <Enter>
twice, followed by Ctrl-C
.
This is an LDAP command that sets the loginShell
property to /bin/bash
.
Connecting an FTPS client
To test, connect using FileZilla.
- Protocol: Select
FTP - File Transfer Protocol
- Encryption: Select
Require explicit FTP over TLS
Log in with your username and password.
Since you're using a self-signed certificate, you will be prompted with this window. Click OK to proceed.
If all goes well, you should see your /uploads
and /local/
folders.
Troubleshooting
When troubleshooting a failed login, be sure to check the following log file:
/var/log/audit/audit.log
And FTP transfers are stored in this file:
/var/log/xferlog
For interpret the transfer log syntax, refer to this article: http://www.castaglia.org/proftpd/doc/xferlog.html
Where to go from here
For more details on installing vsftp, check out this Stack Overflow article.
For more on configuring SSL for vsftp, see this article.