Setting Up vsftpd + TLS On Debian Squeeze
Author: Falko Timme
Follow me on Twitter
FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. This article explains how to set up vsftpd with TLS on a Debian Squeeze server.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100. These settings might differ for you, so you have to replace them where appropriate.
2 Installing vsftpd And OpenSSL
OpenSSL is needed by TLS; to install vsftpd and OpenSSL, we simply run:
apt-get install vsftpd openssl
3 Creating The SSL Certificate For TLS
In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private - if the directory doesn't exist, create it now::
mkdir -p /etc/ssl/private
chmod 700 /etc/ssl/private
Afterwards, we can generate the SSL certificate as follows:
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) : <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) : <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) : <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address : <-- Enter your Email Address.
4 Enabling TLS In vsftpd
In order to enable TLS in vsftpd, open /etc/vsftpd.conf...
... and add or change the following options:
[...] # Turn on SSL ssl_enable=YES # Allow anonymous users to use secured SSL connections allow_anon_ssl=YES # All non-anonymous logins are forced to use a secure SSL connection in order to # send and receive data on data connections. force_local_data_ssl=YES # All non-anonymous logins are forced to use a secure SSL connection in order to send the password. force_local_logins_ssl=YES # Permit TLS v1 protocol connections. TLS v1 connections are preferred ssl_tlsv1=YES # Permit SSL v2 protocol connections. TLS v1 connections are preferred ssl_sslv2=NO # permit SSL v3 protocol connections. TLS v1 connections are preferred ssl_sslv3=NO # Disable SSL session reuse (required by WinSCP) require_ssl_reuse=NO # Select which SSL ciphers vsftpd will allow for encrypted SSL connections (required by FileZilla) ssl_ciphers=HIGH # This option specifies the location of the RSA certificate to use for SSL # encrypted connections. rsa_cert_file=/etc/ssl/private/vsftpd.pem [...]
If you use force_local_logins_ssl=YES and force_local_data_ssl=YES, then only TLS connections are allowed (this locks out any users with old FTP clients that don't have TLS support); by using force_local_logins_ssl=NO and force_local_data_ssl=NO both TLS and non-TLS connections are allowed, depending on what the FTP client supports.
Apart from the TLS options, make sure you also have the following settings in your vsftpd.conf to enable non-anonymous logins:
[...] # Uncomment this to allow local users to log in. local_enable=YES # # Uncomment this to enable any form of FTP write command. write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) local_umask=022 [...] # You may restrict local users to their home directories. See the FAQ for # the possible risks in this before using chroot_local_user or # chroot_list_enable below. chroot_local_user=YES [...]
Restart vsftpd afterwards:
That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS (this is a must if you use force_local_logins_ssl=YES and force_local_data_ssl=YES) - see the next chapter how to do this with FileZilla.
5 Configuring FileZilla For TLS
In order to use FTP with TLS, you need an FTP client that supports TLS, such as FileZilla.
In FileZilla, open the Server Manager:
Select the server that uses vsftpd with TLS; in the Server Type drop-down menu, select FTPES instead of normal FTP:
Now you can connect to the server. If you do this for the first time, you must accept the server's new SSL certificate:
If everything goes well, you should now be logged in on the server:
- vsftpd: https://security.appspot.com/vsftpd.html
- FileZilla: http://filezilla-project.org/
- Debian: http://www.debian.org/