In the first part of this post I set up a very general pure-ftpd configuration. In this part we'll test the basic functionality of the FTP server using plain system-account authentication, then configure the TLS section.
To test the server I need to add a user. I used to use sysinstall for this, but since sysinstall is no longer available on FreeBSD, I use bsdconfig instead.
Introducing bsdconfig
From the bsdconfig manual:
bsdconfig is used to set up many system configuration settings, both for new systems, as well as changing configuration settings of existing systems.
bsdconfig optionally takes a command as an argument. If invoked with no arguments, it will bring up an interactive menu listing the available modules.
I like the menu-driven version, so I just type bsdconfig, or you can use the full path: /usr/sbin/bsdconfig
If it is not available, you can install it.
From ports
# cd /usr/ports/sysutils/bsdconfig && make install
From pkg
# pkg install bsdconfig
For pure-ftpd I need bsdconfig to add a new user:
# bsdconfig
Choose “Login/Group Management”.
Choose Add Login and enter the login name.
I choose Yes for default values, as I want bsdconfig to fill in all the values for me.
If you choose No, you can set the full name, password and more yourself. Membership of the wheel group can also be adjusted here; an FTP-only account should not be in wheel, since wheel membership is what allows a user to su to root.
Click OK and the account is saved.
Once the login is added, the remaining step is to set a password:
# passwd alamsyah
Changing local password for alamsyah
New Password:
Retype New Password:
root@pureftp:~ #
Testing from a client
I use an FTP client on Windows (CoreFTP) and enter the IP address provided by Vultr.
Click Connect and you are logged in to your account.
At this stage authentication works for users that exist on the server, but the password still crosses the network in cleartext, readable by anyone on the path. The next step is to configure and enable TLS.
Configure and enable TLS support for pure-ftpd on FreeBSD 10
To create the key and certificate, pure-ftpd documents these steps:
# mkdir -p /etc/ssl/private
# openssl req -x509 -nodes -newkey rsa:1024 -keyout \
/etc/ssl/private/pure-ftpd.pem \
-out /etc/ssl/private/pure-ftpd.pem
Answer all the questions. Two caveats: without -days the self-signed certificate is valid for only 30 days (the openssl req default), and a 1024-bit RSA key is below the 2048-bit minimum you should use today. The resulting file holds the private key together with the certificate, so keep it readable by root only (mode 600).
The next step is to enable TLS. pure-ftpd provides three modes, described in its configuration file:
# ee /usr/local/etc/pure-ftpd.conf
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don’t use SSL/TLS security mechanisms,
# including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.
# TLS 1
To enable TLS, remove the # in front of TLS 1 and change the value from 1 to 2, then save the file. Mode 1 still accepts cleartext logins, so a client that is not configured for TLS would quietly send its password in the clear; mode 2 refuses every session that does not negotiate TLS, including anonymous ones.
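As an added example, not from the original post or the pure-ftpd project, here is a small POSIX shell script that does the two steps above non-interactively and adds the checks a practitioner would want: it generates the key and certificate with a 2048-bit key and an explicit validity period instead of the 30-day default, creates the file root-only, prints the certificate's expiry date, and reports which TLS mode pure-ftpd.conf actually has (a commented-out "# TLS 1" counts as unset, which is how a server ends up silently accepting cleartext). The CN ftp.example.invalid and the scratch paths are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post or the pure-ftpd project.
# Generates the pure-ftpd TLS key/cert non-interactively, checks the key
# file permissions and reports the TLS mode set in pure-ftpd.conf.
set -eu

# Generate key + self-signed cert into one PEM file, the layout pure-ftpd
# expects at /etc/ssl/private/pure-ftpd.pem. The CN is an assumption;
# use your server's name.
make_cert() {
    pem=$1
    days=${2:-365}
    mkdir -p "$(dirname "$pem")"
    # umask 077 so the file never exists world-readable, even briefly.
    # -days is explicit: without it "openssl req -x509" issues a 30-day cert.
    ( umask 077
      openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
          -subj "/CN=ftp.example.invalid" \
          -keyout "$pem" -out "$pem" 2>/dev/null )
    # The file holds the private key as well as the cert: root-only.
    chmod 600 "$pem"
}

# Succeeds only if the file is not readable by group or others.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Prints the certificate's notAfter date, to spot a cert about to expire.
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate
}

# Prints the TLS mode in force: 0, 1, 2 or "unset". Only an uncommented
# "TLS <n>" line counts; if there are several, the last one is reported.
tls_mode() {
    awk '/^[ \t]*TLS[ \t]+[0-9]/ { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# Stand-alone demo against a scratch directory: sh tls-check.sh /tmp/scratch
if [ "$#" -gt 0 ]; then
    dir=$1
    make_cert "$dir/pure-ftpd.pem"
    cert_enddate "$dir/pure-ftpd.pem"
    printf '# TLS 1\n' > "$dir/pure-ftpd.conf"    # as shipped: TLS disabled
    echo "TLS mode (shipped conf): $(tls_mode "$dir/pure-ftpd.conf")"
    printf 'TLS 2\n' > "$dir/pure-ftpd.conf"      # hardened: TLS required
    echo "TLS mode (hardened):     $(tls_mode "$dir/pure-ftpd.conf")"
fi
```

On the real server, call make_cert /etc/ssl/private/pure-ftpd.pem and tls_mode /usr/local/etc/pure-ftpd.conf; anything other than 2 from tls_mode means cleartext logins are still possible.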
Restart the pure-ftpd server:
# /usr/local/etc/rc.d/pure-ftpd restart
Stopping pureftpd.
Waiting for PIDS: 77338.
Starting pureftpd.
Running: /usr/local/sbin/pure-ftpd -g/var/run/pure-ftpd.pid -A -c50 -B -C8 -D -fftp -H -I15 -L10000:8 -m4 -s -U133:022 -u100 -k99 -Z -Y2
pure-ftpd: invalid option -- Y
pure-ftpd: invalid option -- 2
If you see these “invalid option” messages, the installed binary was built without TLS support: setting TLS 2 makes the rc script pass -Y 2, which a binary built without TLS does not understand. Most likely the TLS option was left unselected when pure-ftpd was installed from ports.
To fix it, rebuild the port (make rmconfig clears the saved options so the options dialog is shown again):
# cd /usr/ports/ftp/pure-ftpd/
# make deinstall
# make rmconfig
# make install
Don't forget to select the TLS option this time.
Try restarting the service after the install:
# /usr/local/etc/rc.d/pure-ftpd restart
Stopping pureftpd.
Waiting for PIDS: 78474.
Starting pureftpd.
Running: /usr/local/sbin/pure-ftpd -g/var/run/pure-ftpd.pid -A -c50 -B -C8 -D -fftp -H -I15 -L10000:8 -m4 -s -U133:022 -u100 -k99 -Z -Y2
No problem this time.
Now test again from the client side.
If you connect again without TLS, the server refuses the login at the USER command, before a password is even sent:
220-You are user number 1 of 50 allowed.
220-Local time is now 12:52. Server port: 21.
220-IPv6 connections are also welcome on this server.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
USER alamsyah
421 Sorry, cleartext sessions are not accepted on this server.
Connection Failed
The client needs to be configured for explicit TLS (AUTH TLS).
Trying again:
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 12:54. Server port: 21.
220-IPv6 connections are also welcome on this server.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
AUTH TLS
234 AUTH TLS OK.
TLSv1, cipher TLSv1/SSLv3 (DHE-RSA-AES256-SHA) - 256 bit
USER alamsyah
331 User alamsyah OK. Password required
PASS **********
230 OK. Current restricted directory is /
SYST
215 UNIX Type: L8
Keep alive off…
PWD
257 “/” is your current location
PBSZ 0
200 PBSZ=0
PROT P
200 Data protection level set to “private”
PASV
227 Entering Passive Mode (104,207,128,100,156,76)
LIST
Connect socket #1300 to 104.207.128.100, port 40012…
TLSv1, cipher TLSv1/SSLv3 (DHE-RSA-AES256-SHA) - 256 bit
150 Accepted data connection
226-Options: -a -l
226 10 matches total
Transferred 706 bytes in 0.010 second
This time the connection is established, with both the control channel and the LIST data connection inside TLS.
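As an added example, not code from the original post or from the pure-ftpd project, here is the same exchange driven from Python's ftplib: AUTH TLS, USER/PASS inside the TLS session, then PBSZ 0 and PROT P so the passive data connection is encrypted as well, exactly the order the log above shows. Instead of blindly accepting the self-signed certificate, the client pins it, which is the only way to authenticate a server whose certificate no CA has signed. It also decodes the 227 reply, since the odd-looking (104,207,128,100,156,76) is the host plus the port 156*256+76 = 40012 that the client log shows it connecting to. The host 203.0.113.10, the account and password, and the certificate file pure-ftpd.crt are assumptions.

```python
"""Explicit-TLS FTP client for the exchange shown in the log above.

Added example, not code from the original post or from the pure-ftpd
project. Host, account, password and certificate path are assumptions.
"""
import re
import ssl
from ftplib import FTP_TLS

# 227 reply body: "Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode a PASV reply into (host, port).

    The data port is p1 * 256 + p2: the log above shows (156,76), which
    is the port 40012 the client then connects to for LIST.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pinned_context(cert_path: str) -> ssl.SSLContext:
    """Trust exactly the server's own self-signed certificate.

    pure-ftpd.pem as generated above holds the private key and the
    certificate in one file; copy only the certificate to the client
    (for example: openssl x509 -in pure-ftpd.pem -out pure-ftpd.crt).
    The CN was typed by hand and will not match the server's IP, so
    hostname checking is disabled and the pinned certificate alone is
    what authenticates the server. Skipping verification entirely would
    leave the password open to an active man-in-the-middle.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cert_path)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def secure_list(host: str, user: str, password: str, cert_path: str,
                port: int = 21) -> list[str]:
    """Log in over explicit TLS and return the LIST output.

    On the wire this is the sequence from the log: AUTH TLS, then
    USER/PASS inside the TLS session, then PBSZ 0 and PROT P so the
    passive data connection for LIST is encrypted as well. Without
    prot_p() the password would be protected but every listing and
    file transfer would still travel in cleartext.
    """
    ftp = FTP_TLS(context=pinned_context(cert_path), timeout=15)
    try:
        ftp.connect(host, port)
        ftp.login(user, password)   # FTP_TLS.login() sends AUTH TLS first
        ftp.prot_p()                # PBSZ 0 + PROT P
        lines: list[str] = []
        ftp.retrlines("LIST", lines.append)
        return lines
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


if __name__ == "__main__":
    # Assumed values: the server address, the account added with bsdconfig
    # and the certificate file copied from the server.
    for entry in secure_list("203.0.113.10", "alamsyah", "secret", "pure-ftpd.crt"):
        print(entry)
```

If the server is still in TLS mode 1, this client is unaffected, but a client that was never switched to AUTH TLS would also still log in, which is why mode 2 matters on the server side.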
At this stage pure-ftpd serves users from the system password database and protects their passwords with TLS. This is a very minimal setup: the certificate is self-signed, so clients can only authenticate the server by explicitly trusting that certificate, and a client that skips verification gets protection against passive eavesdropping but not against an active man-in-the-middle. Since the title is about virtual users, I'll continue with setting up virtual users in pure-ftpd on FreeBSD 10.
Stay tuned.