By default SFTP Gateway uses SFTP, which leverages OpenSSH. FTPS is not configured by default, because it requires that you expose additional ports.
However, there are some situations where you might need FTPS:
- Legacy clients that only support FTPS
- FTPS supports X509 SSL certificates, which may be a requirement for securely identifying the server
Here are instructions on how to install and configure vsftp on SFTP Gateway to add FTPS functionality. It also covers how to add an SSL certificate.
Elevate privileges to root:
Install vsftp with this command:
yum install vsftpd -y
As a preparatory step, you need to first create a self-signed certificate. This is to encrypt your FTPS traffic.
Run the following commands:
mkdir /etc/ssl/private/ && cd $_ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout vsftpd.key -out vsftpd.crt -subj "/C=NA/ST=NA/L=NA/O=NA/OU=NA/CN=NA"
(Feel free to put in real values for your state, locality, organization, etc.)
This creates a directory
And then it creates two files:
vsftpd.crt: This is your SSL certificate
vsftpd.key: This is the private key
Eventually, you want to use a real SSL certificate, but for now, a self-signed cert will do.
On line 12, change
On line 96, uncomment the following line:
Append the following to the end of the
rsa_cert_file=/etc/ssl/private/vsftpd.crt rsa_private_key_file=/etc/ssl/private/vsftpd.key ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=NO force_local_logins_ssl=NO ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO require_ssl_reuse=NO ssl_ciphers=HIGH user_sub_token=$USER local_root=/home/$USER/home/$USER pasv_enable=YES pasv_min_port=1024 pasv_max_port=1048 pasv_address=<Public IP of your instance>
Note: remember to set the last line (
pasv_address) to your Elastic IP
The first section configures SSL.
The second section sets the chroot directory.
And the third section configures your IP and ports.
Restart the service to apply your changes:
Make sure vsftpd runs after a reboot:
chkconfig vsftpd on
Configure your Security Group
FTPS requires several ports, so you'll have to open them up on your EC2 Security Group.
- In CloudFormation, click the Resources tab
- Click the link next to
SFTPGatewayInstanceto open the EC2 instance details
- At the bottom, click the link next to Security groups
- Click the Inbound tab
- Click Edit
- Add a rule for Custom TCP, Port range 20-21, from Source Anywhere
- Add a rule for Custom TCP, Port range 1024-1048, from Source Anywhere
- Click Save
Integrate with SFTP Gateway
There are a few steps in order to get vsftp working with SFTP Gateway.
Create a new user:
Set a password for this user:
addsftpuser command disable's the user's shell for security reasons. You need to re-enable the user's shell in order to use FTPS:
usermod -s /bin/bash robtest
Connecting an FTPS client
To test, connect using FileZilla.
- Protocol: Select
FTP - File Transfer Protocol
- Encryption: Select
Require explicit FTP over TLS
Log in with your username and password.
Since you're using a self-signed certificate, you will be prompted with this window. Click OK to proceed.
If all goes well, you should see your
Where to go from here
For more details on installing vsftp, check out this Stack Overflow article.
For more on configuring SSL for vsftp, see this article.