ProFTPd: Enabling/Disabling TLS Based On User Or Group

Submitted by falko (Contact Author) (Forums) on Mon, 2012-06-25 16:38. :: FTP | Security

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 06/20/2012

FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. While this is a good thing, not all FTP clients support TLS. This article explains how to enable or disable TLS in ProFTPd based on the FTP user or group.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I assume that you have TLS set up already, for example as described in this tutorial: Setting Up ProFTPd + TLS On Debian Squeeze

Of course, you can set TLSRequired off in your ProFTPd configuration, which allows both TLS and non-TLS logins. But if you want to make your FTP setup as secure as possible, you should enforce TLS and make exceptions only for those users or groups whose FTP client doesn't support TLS (and for whom switching to another FTP client is not an option).

 

2 TLS Configuration Based On User/Group

Let's assume you have the following TLS configuration in your ProFTPd configuration that enforces TLS for everybody:

[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>
[...]

We can now use IfUser and IfGroup sections to make exceptions, but these take effect only if we add the line TLSOptions AllowPerUser to our TLS configuration, like so:

[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSOptions                 AllowPerUser
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>
[...]

(Make sure you add the line right after the TLSEngine on line, as the order seems to matter: in my first tries I added it just before the TLSRequired line, where it didn't seem to have any effect.)

If we want to allow the FTP user testuser to use plain FTP instead of FTP over TLS, we can configure this as follows:

[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSOptions                 AllowPerUser
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>

<IfUser testuser>
          TLSRequired off
</IfUser>
[...]

For the group testgroup, the configuration would look as follows:

[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSOptions                 AllowPerUser
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>

<IfGroup testgroup>
          TLSRequired off
</IfGroup>
[...]

It's also possible to negate users/groups, e.g. as follows:

[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSOptions                 AllowPerUser
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>

<IfUser testuser>
          TLSRequired off
</IfUser>

<IfUser !testuser>
          TLSRequired on
</IfUser>
[...]

This enforces TLS for all users other than testuser (the negated section is shown for demonstration only, since in this example TLS is already required globally in the <IfModule mod_tls.c> section). Likewise for groups:

[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSOptions                 AllowPerUser
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>

<IfGroup testgroup>
          TLSRequired off
</IfGroup>

<IfGroup !testgroup>
          TLSRequired on
</IfGroup>
[...]

That's all there is to it. You can find more details about IfUser/IfGroup in the ProFTPd documentation: http://www.proftpd.org/docs/contrib/mod_ifsession.html
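As an added example (not from the article or the ProFTPd project), here is a small Python audit that parses a proftpd.conf fragment and reports which users or groups may log in without TLS, and whether TLSOptions AllowPerUser is present and placed directly after TLSEngine on as recommended above. The configuration embedded in it is constructed for the example, and the parser only handles non-nested sections.

```python
import re

# Constructed sample proftpd.conf fragment (not the article's file): TLS is
# required globally, testuser is exempted, everyone outside testgroup is not.
SAMPLE_CONF = """\
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSOptions                 AllowPerUser
          TLSLog                     /var/log/proftpd/tls.log
          TLSOptions                 NoCertRequest
          TLSRequired                on
</IfModule>
<IfUser testuser>
          TLSRequired off
</IfUser>
<IfGroup !testgroup>
          TLSRequired on
</IfGroup>
"""
# Non-nested <IfModule>/<IfUser>/<IfGroup> sections and their TLS* directives.
SECTION_RE = re.compile(r"<(IfModule|IfUser|IfGroup)\s+([^>]+)>(.*?)</\1>", re.S)
DIRECTIVE_RE = re.compile(r"^\s*(TLS\w+)\s+(\S+)", re.M)


def audit_tls_exemptions(conf_text):
    """Summarise who may log in without TLS: the global TLSRequired value,
    whether AllowPerUser is set and sits right after 'TLSEngine on' (the
    article found the order matters), every per-user/group override as
    (section, name, value), and 'plaintext_ok' ('*' means everyone)."""
    r = {"global_required": None, "allow_per_user": False,
         "allow_per_user_after_engine": False, "overrides": []}
    for kind, name, body in SECTION_RE.findall(conf_text):
        directives = DIRECTIVE_RE.findall(body)
        if kind == "IfModule" and name.strip() == "mod_tls.c":
            for i, (key, val) in enumerate(directives):
                if key == "TLSRequired":
                    r["global_required"] = val
                elif (key, val) == ("TLSOptions", "AllowPerUser"):
                    r["allow_per_user"] = True
                    r["allow_per_user_after_engine"] = (
                        i > 0 and directives[i - 1] == ("TLSEngine", "on"))
        else:
            for key, val in directives:
                if key == "TLSRequired":
                    r["overrides"].append((kind, name.strip(), val))
    # Without AllowPerUser the IfUser/IfGroup sections are ignored by mod_tls.
    if r["allow_per_user"]:
        r["plaintext_ok"] = [n for _, n, v in r["overrides"] if v == "off"]
    else:
        r["plaintext_ok"] = [] if r["global_required"] == "on" else ["*"]
    return r
```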

As always, don't forget to restart ProFTPd after you've modified its configuration!

 

Submitted by Anonymous (not registered) on Tue, 2012-06-26 13:45.

Opinion follows:

Most people using FTP really should be using a different, more secure, protocol like sftp.

The ProFTP servers have been hacked previously and back-doors added. http://www.zdnet.com/blog/security/open-source-proftpd-hacked-backdoor-planted-in-source-code/7787  Other FTP servers had similar issues too.  We don't know if new issues exist or not.  FTP servers are a big target for crackers, that is certain.

In the corporate world, FTP, rcp and telnet use was ended around 2000 due to password security concerns and FTP protocol complexities in firewalls.

These days, FTP should only be used when you want to share everything on the server with the entire world. The subtle differences between straight FTP and FTP over TLS/SSL are too confusing for the iOS crowd to understand.  It is best to just use bit-torrent or http to share files to the entire world. If you want to restrict which files are shared with specific people, sftp would be better.

Submitted by Guido Kostons (not registered) on Tue, 2012-06-26 13:17.
This is exactly what I need. My good old Dreamweaver CS3 doesn't support FTP with TLS/SSL. So now I can force my FTP users to use TLS and me myself, on my local network, without TLS. :) Thanks Falko, great work! Guido