
Setting Up Secure FTPS for Linux with vsftpd

July 16, 2011

I needed to run FTPS on a friend’s Linux server. My plan was to disable regular FTP and only allow FTPS connections. (By the way, FTPS is FTP over SSL/TLS, not to be confused with SFTP, which runs over SSH and was already working.)

I thought this would be a few minutes of work: install a package, maybe tweak a configuration option to enable it, and done. It actually took longer, because it didn’t work immediately and I had to troubleshoot (meaning search FAQs and forums, and switch configuration options on by trial and error until it worked as expected).

Here I gather the steps required to get FTPS running on an Ubuntu system. There were instructions out there, but none seemed to work for me, as they were all missing bits and pieces and I ended up combining information from a few different places. Ultimately, it was this forum post that saved me, as it provided a missing piece not documented in the other instructions. I had the same problem it describes: after restarting the daemon, the process never stayed running.

Instructions:

  1. Get the vsftpd and openssl packages if you don’t already have them:
    apt-get install vsftpd openssl
  2. Create the unprivileged user that vsftpd drops privileges to (it is referenced by nopriv_user below):
    adduser ftpsecure
  3. Generate a self-signed certificate and key for SSL/TLS. The openssl rsa step writes a copy of the key without a passphrase: vsftpd cannot prompt for one when it starts, so an encrypted key leaves the daemon unable to stay running. The private key must not be world-readable, hence the chmod:
    openssl req -new -x509 -days 365 -keyout vsftp.key -out vsftp.crt
    openssl rsa -in vsftp.key -out vsftp_clean.key
    cat vsftp.crt vsftp_clean.key > /usr/share/ssl-cert/vsftpd.pem
    cp vsftp_clean.key /usr/share/ssl-cert/vsftp.key
    chmod 600 /usr/share/ssl-cert/vsftpd.pem /usr/share/ssl-cert/vsftp.key
  4. Edit /etc/vsftpd.conf. The following settings already exist in the default file (most of them commented out), so uncomment or change them to match:

    write_enable=YES
    local_umask=022
    nopriv_user=ftpsecure
    chroot_local_user=YES
    rsa_cert_file=/usr/share/ssl-cert/vsftpd.pem
  5. Add the following settings, which are not in the default configuration. SSLv2 and SSLv3 are broken protocols and should stay disabled (vsftpd’s default), so only TLS is switched on:
    rsa_private_key_file=/usr/share/ssl-cert/vsftp.key
    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
  6. Restart the service (the service name comes before the action):

    service vsftpd stop
    service vsftpd start

I’m not really explaining what these steps mean, just summarizing what needs to be done. Check the vsftpd web site for in-depth coverage.
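As an added example (my own script, not code from the post or from the vsftpd project), here is the whole procedure as shell functions, plus a checker for the finished vsftpd.conf and a post-restart verification. The paths, the ftpsecure user and the option names follow the post; the helper names are mine. It assumes a Debian/Ubuntu adduser, openssl and curl. It departs from the post in a few labelled places: the key is generated with -nodes (unencrypted from the start, which replaces the separate openssl rsa pass), SSLv2/SSLv3 are left off, and it also sets local_enable=YES, anonymous_enable=NO and ssl_ciphers=HIGH, which the post does not list but which a local-users-only FTPS server needs.

```shell
#!/bin/sh
# Added example, not code from the original post: the FTPS setup as shell
# functions plus a checker for the resulting vsftpd.conf. Paths, the
# "ftpsecure" user and option names follow the post; local_enable,
# anonymous_enable and ssl_ciphers are additions. Helper names are my own.

CERT_DIR=${CERT_DIR:-/usr/share/ssl-cert}
NOPRIV_USER=${NOPRIV_USER:-ftpsecure}

# Unprivileged account that vsftpd drops to (nopriv_user): no home, no shell.
make_nopriv_user() {
    id "$NOPRIV_USER" >/dev/null 2>&1 ||
        adduser --system --group --no-create-home --shell /usr/sbin/nologin "$NOPRIV_USER"
}

# Self-signed cert. -nodes writes the key unencrypted, replacing the post's
# separate "openssl rsa" pass: vsftpd cannot prompt for a passphrase at
# start-up, so an encrypted key leaves the daemon unable to stay running.
make_cert() (
    umask 077   # files are created 0600 from the start, never world-readable
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "/CN=$(hostname -f)" \
        -keyout "$CERT_DIR/vsftp.key" -out "$CERT_DIR/vsftp.crt"
    cat "$CERT_DIR/vsftp.crt" "$CERT_DIR/vsftp.key" > "$CERT_DIR/vsftpd.pem"
    chmod 600 "$CERT_DIR/vsftpd.pem" "$CERT_DIR/vsftp.key"
)

# The settings from the post, with SSLv2/SSLv3 off and the three additions.
ftps_settings() {
    cat <<EOF
local_enable=YES
anonymous_enable=NO
write_enable=YES
local_umask=022
nopriv_user=$NOPRIV_USER
chroot_local_user=YES
rsa_cert_file=$CERT_DIR/vsftpd.pem
rsa_private_key_file=$CERT_DIR/vsftp.key
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
EOF
}

# set_conf FILE KEY VALUE: rewrite a live or commented-out "KEY=" line in
# place (the default file ships most options commented out), else append.
set_conf() {
    if grep -q "^#\{0,1\}$2=" "$1"; then
        sed "s|^#\{0,1\}$2=.*|$2=$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

apply_ftps_settings() {  # apply_ftps_settings FILE
    ftps_settings | while IFS='=' read -r k v; do set_conf "$1" "$k" "$v"; done
}

# conf_get FILE KEY: effective value (vsftpd takes the last live assignment).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_conf FILE: non-zero exit, with reasons, if the file would still allow
# plaintext logins or anonymous access, or enables SSLv2/SSLv3.
check_conf() {
    rc=0
    for k in ssl_enable force_local_logins_ssl force_local_data_ssl; do
        if [ "$(conf_get "$1" "$k")" != YES ]; then echo "$1: $k must be YES"; rc=1; fi
    done
    for k in ssl_sslv2 ssl_sslv3 anonymous_enable allow_anon_ssl; do
        if [ "$(conf_get "$1" "$k")" = YES ]; then echo "$1: $k=YES is unsafe"; rc=1; fi
    done
    return $rc
}

# verify_ftps HOST USER PASS: after the restart, a plaintext login must be
# refused (vsftpd answers 530 before the password is sent) and a login that
# forces AUTH TLS must work. -k accepts the self-signed certificate.
verify_ftps() {
    if curl -sS "ftp://$1/" -u "$2:$3" >/dev/null 2>&1; then
        echo "FAIL: plaintext login accepted"
    else
        echo "ok: plaintext login refused"
    fi
    if curl -sS --ssl-reqd -k "ftp://$1/" -u "$2:$3" >/dev/null; then
        echo "ok: FTPS login works"
    else
        echo "FAIL: FTPS login failed"
    fi
}

case "${1:-}" in
    install) apt-get install -y vsftpd openssl; make_nopriv_user; make_cert
             apply_ftps_settings /etc/vsftpd.conf; check_conf /etc/vsftpd.conf
             service vsftpd restart ;;
    verify)  verify_ftps "$2" "$3" "$4" ;;
esac
```

Run it as root with `install` on the server, then from another machine with `verify host user password`. check_conf is worth keeping around on its own: it reads the effective value of each option the way vsftpd does (the last uncommented assignment wins), so it catches the case where a hardened line was appended but an earlier live `ssl_enable=NO` or `anonymous_enable=YES` was left in place.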

After wasting an hour on what I thought would be a trivial minute-long change, it reminded me of all the time sunk on getting my computers running back in the early Linux days (particularly getting wireless to work on a laptop, and enabling audio for some obscure sound card I had in my desktop system). The distributions these days are much improved, mostly working out of the box, but occasionally tasks like this remind me why I don’t administer my own Linux as much as I used to, and I’m much happier running Linux in a VM for the occasions I need it (which is usually when I need access to the UNIX development tools).
