secure ftp to specific directory on Ubuntu?

Hi

can I set up

  • a secure ftp for somebody (not a current user on the system)

  • for 2 different directories on Ubuntu

  • inside public_html?

I don't want to give the user pure ssh account right now.

Any other secure way to upload, download and delete files is good too. nginx is available, not apache2.

Thank you

R.

34 Replies

pure_ftpd? Fast, small footprint, TLS (-Y 3).

@drake127:

pure_ftpd? Fast, small footprint, TLS (-Y 3).

looks goooood :-)

but I haven't found how I can configure it to my needs

I can give the new (virtual) user home directory but the main reason I am doing this exercise is to give him rw access to

  • /srv/www/domain1.com and

  • /srv/www/domain2.com

I guess I shouldn't touch the current permission.

So I am lost what to do.

Thank you

R.

Oh, you probably need to read the readme (http://download.pureftpd.org/pub/pure-ftpd/doc/README). Simply put, you need to create a database file and instruct pure-ftpd to use it. Look for the -l option and the virtual users section.

While configuration files (well, pure_ftpd doesn't have a config file, just command line options) can be intimidating, the documentation is well written and you should be OK with it.

If you don't want to bother using an ftp server, try something like this: http://adamsworld.name/chrootjailv5.php

@drake127:

Oh, you probably need to read the readme (http://download.pureftpd.org/pub/pure-ftpd/doc/README). Simply put, you need to create a database file and instruct pure-ftpd to use it. Look for the -l option and the virtual users section.

While configuration files (well, pure_ftpd doesn't have a config file, just command line options) can be intimidating, the documentation is well written and you should be OK with it.

Well, I read the doc and was confused. So I asked on the pure-ftpd mailing list and it looks like it is impossible, or very hard, to achieve what I need.

If you know how to set it up could you share? :-)

Just to clarify ….

I want to

  • securely

  • grant rw permissions

  • to a few directories (web server home dirs) where the current permissions are www-data:www-data. I am not sure if I can modify these permissions and still get nginx to work properly.

I can create the directory structure for this exercise as pure-ftp needs it.

Thank you

R.

It's not that hard, maybe you got a little confused.

Here's my command line argument list:

-S 127.0.0.1,21 -p 49152:50174 -B -l mysql:/etc/pure-ftpd/mysql.conf -u 2000 -0 -4 -A -E -H -U 137:027 -Y 3

Pretty self explanatory … well maybe not, but it is documented. You want to change -S to the address you use; -u is the minimum allowed UID, -U is the umask (file:dir), -Y 3 is TLS, -l is authentication. The others are not too important. I use MySQL; I trust pure-ftpd can work with berkdb as well.

My /etc/pure-ftpd/mysql.conf:

MYSQLSocket                     /var/run/mysqld/mysqld.sock
MYSQLUser               Pure-FTPd
MYSQLPassword           *******
MYSQLDatabase           *******
MYSQLCrypt              MD5
MySQLTransactions       On

MYSQLGetPW              SELECT `password` FROM `ftp_users` WHERE `user` = '\L'
MYSQLGetDir             SELECT `directory` FROM `ftp_users` WHERE `user` = '\L'
MYSQLGetUID             SELECT `uid` FROM `ftp_users` WHERE `user` = '\L'
MYSQLGetGID             SELECT `gid` FROM `ftp_users` WHERE `user` = '\L'

And table itself looks like this:

CREATE TABLE ftp_users (
  `user` varchar(32) COLLATE utf8_bin NOT NULL,
  `password` varchar(80) COLLATE utf8_bin DEFAULT NULL,
  `directory` varchar(64) COLLATE utf8_bin NOT NULL,
  uid varchar(32) COLLATE utf8_bin NOT NULL,
  gid varchar(32) COLLATE utf8_bin NOT NULL,
  PRIMARY KEY (`user`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;

When you set this up, you can create FTP users with the UID/GID you choose for them, accessing the directory of your choice, and they are forced to use TLS encryption.

Sorry for the half-cooked guide but I am too busy to make it step-by-step. So take this as simple hints on what you need to do.

I read your post on the mailing list and maybe it is me who got confused. In the standard way, Pure-FTPd will allow you to browse directories recursively - thus if you grant access to /var/www, the user gets access to all subdirectories (given their uid:gid have proper r/w permissions). This is usually desirable and normal.

However, if you do wish to have the whole /var/www with www-data:www-data permissions and you do want to grant the user /var/www/jack but you don't want to give him access to /var/www/jack/keepout, then it's not gonna be that simple.

@drake127:

I read your post on the mailing list and maybe it is me who got confused. In the standard way, Pure-FTPd will allow you to browse directories recursively - thus if you grant access to /var/www, the user gets access to all subdirectories (given their uid:gid have proper r/w permissions). This is usually desirable and normal.

However, if you do wish to have the whole /var/www with www-data:www-data permissions and you do want to grant the user /var/www/jack but you don't want to give him access to /var/www/jack/keepout, then it's not gonna be that simple.

Well, let's say I have 20 web sites on my linode and I want to give this kind of access to somebody for only 3 of them, and then give access to somebody else for another (different) 5 sites or so.

It seems to me that Pure-FTPd and Linux ACLs are the way… I need to investigate ACLs more …

Thank you for your help

R

PS diiiky :-)

Still, you don't need to mess with ACL (for something that can be done without them).

Let's say we have these sites (all www-data:www-data)

/var/www/jacksite.net

/var/www/jacknewsite.com

/var/www/john.com

/var/www/johnoldies.com

/var/www/someotherguyssite.br

/var/www/sharenshare.ru

And these users: jack, john, carlos.

So, given my configuration above, I would insert the following lines into the database:

INSERT INTO ftp_users VALUES
('jack', MD5('jackpass'), '/var/www/jacksite.net', 'www-data', 'www-data'),
('jack', MD5('jackpass'), '/var/www/jacknewsite.com', 'www-data', 'www-data'),
('jack', MD5('jackpass'), '/var/www/sharenshare.ru', 'www-data', 'www-data'),
('john', MD5('johnpass'), '/var/www/john.com', 'www-data', 'www-data'),
('john', MD5('johnpass'), '/var/www/johnoldies.com', 'www-data', 'www-data'),
('john', MD5('johnpass'), '/var/www/sharenshare.ru', 'www-data', 'www-data'),
('carlos', MD5('carlospass'), '/var/www/someotherguyssite.br', 'www-data', 'www-data');
-- note: with PRIMARY KEY (`user`) as defined in the table above, MySQL rejects the
-- second row for 'jack' and for 'john' with a duplicate-key error

I believe it is exactly what you need. It can be done without redundancy but you can play with that later (as well as with getting rid of one-user-running-it-approach).

@drake127:

Still, you don't need to mess with ACL (for something that can be done without them).

……..

I believe it is exactly what you need. It can be done without redundancy but you can play with that later (as well as with getting rid of one-user-running-it-approach).

It looks like what I need … I have to try to implement it and hopefully one day I can even understand it :-)

Thank you

R

@drake127:

….

I believe it is exactly what you need. It can be done without redundancy but you can play with that later (as well as with getting rid of one-user-running-it-approach).

  • do I have to compile pure-FTPd to enable the MySQL connection and SSL?

  • could the user later on change his password by himself?

Thank you

R.

What distro? On Gentoo there is a USE flag that enables MySQL support. I can imagine that others have it precompiled.

The FTP protocol doesn't have a means to change passwords and neither does the FTPd. You need to provide it yourself by issuing an update to the user table (UPDATE ftp_users SET password = MD5('pass') WHERE user = 'jonny'). It is up to you whether or how you would implement it.

@drake127:

What distro? On Gentoo there is a USE flag that enables MySQL support. I can imagine that others have it precompiled.

Ubuntu :-)

@drake127:

The FTP protocol doesn't have a means to change passwords and neither does the FTPd. You need to provide it yourself by issuing an update to the user table (UPDATE ftp_users SET password = MD5('pass') WHERE user = 'jonny'). It is up to you whether or how you would implement it.

I thought that I cannot let users change their password. Just wanted to be sure.

Thank you

what is better

FTP-over-SSL or

FTP-over-SSH?

or does it really not matter in my case?

Thank you

R.

The former is usually easier to detach from system user accounts, and you seem to want such separation. The latter requires the user to be able to log in via SSH, after all.

@drake127:

Still, you don't need to mess with ACL (for something that can be done without them).

I believe it is exactly what you need. It can be done without redundancy but you can play with that later (as well as with getting rid of one-user-running-it-approach).

I did what you suggested and when I use Core FTP I get

Resolving mydomain.com...
Connect socket #736 to xx.xx.xx.xx, port 21...
Can't establish connection --> mydomain.com:21 @ Thu Sep 23 23:36:20 2010   (10054-38)
An existing connection was forcibly closed by the remote host.

ps aux |grep ftp gives me

root     26716  0.0  0.3   6248  1532 ?        Ss   23:28   0:00 pure-ftpd (SERVER) 

ps aux|grep mysql gives me

mysql    26563  0.0  3.6 129228 18764 ?        Ssl  23:12   0:00 /usr/sbin/mysqld

I cannot find anything in /var/log/messages

Any idea how I can make it work ?

Thank you

R

@drake127:

netstat -at?

tcp        0      0 localhost:9000          *:*                     LISTEN     
tcp        0      0 localhost:mysql         *:*                     LISTEN     
tcp        0      0 *:www                   *:*                     LISTEN     
tcp        0      0 localhost:ftp           *:*                     LISTEN     
tcp        0      0 *:ssh                   *:*                     LISTEN     
tcp        0      0 localhost:postgresql    *:*                     LISTEN     
tcp        0     48 mydomain:ssh              202-xxx-80-xxx.pe:54270 ESTABLISHED
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN

using filezilla ftp over implicit tls

Status:    Resolving address of rsness.com
Status:    Connecting to 97.xx.xxx.xx:990...
Error:    Connection timed out
Error:    Could not connect to server

and over explicit tls

Status:    Resolving address of rsness.com
Status:    Connecting to 97.xxx.xxx.xx:xxx...
Status:    Connection established, waiting for welcome message...
Error:    Connection closed by server
Error:    Could not connect to server

You can't listen on localhost. You need to change -S parameter to your public IP address.

@drake127:

You can't listen on localhost. You need to change -S parameter to your public IP address.

looks much better. Using FTP over explicit TLS

Status:    Resolving address of mydomain.com
Status:    Connecting to 97.xxx.xxx.xxx:21...
Status:    Connection established, waiting for welcome message...
Response:    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response:    220-You are user number 1 of 50 allowed.
Response:    220-Local time is now 10:56. Server port: 21.
Response:    220-This is a private system - No anonymous login
Response:    220 You will be disconnected after 15 minutes of inactivity.
Command:    AUTH TLS
Response:    500 Command not understood.
Command:    AUTH SSL
Response:    500 Command not understood.
Error:    Critical error
Error:    Could not connect to server

Did you specify -Y 3? If so, can you confirm that your build has compiled support for TLS/SSL? Are you aware you need to correctly set up an SSL certificate (/etc/ssl/private/pure-ftpd.pem on my distro)?

@drake127:

Did you specify -Y 3? If so, can you confirm that your build has compiled support for TLS/SSL? Are you aware you need to correctly set up an SSL certificate (/etc/ssl/private/pure-ftpd.pem on my distro)?

I am doing exactly what you said :-)

now I am running the server by

/usr/local/sbin/pure-ftpd -S xx.xx.xx.xx,21 -p 49152:50174 -B -l mysql:/etc/pure-ftpd/mysql.conf -u 2000 -0 -4 -A -E -H -U 137:027 -Y 3

I followed the steps from pure-ftpd.org to create the certificate

-rw------- 1 root root 2071 Sep 23 23:27 /etc/ssl/private/pure-ftpd.pem

So I compiled my own build with

./configure --with-mysql --with-cookie --with-throttling --with-ratios --with-tls
make install-strip

and I set up MySQL exactly as you said.

PS

Thank you for helping me out

R.

how can I debug this? I tried the -d switch but there is nothing special in /var/log/messages except

Sep 24 11:34:25 server pure-ftpd: (?@xx.xx.xx.xx) [INFO] New connection from xx.xx.xx.xx
Sep 24 11:34:25 server pure-ftpd: (?@xx.xx.xx.xx) [INFO] Logout.

You seem to use a client which doesn't support TLS/SSL. I tried to connect to your server and a TLS session was successfully established. See your log.

Edit: You may want to remove your IP from previous post. ;-)

@drake127:

You seem to use a client which doesn't support TLS/SSL. I tried to connect to your server and a TLS session was successfully established. See your log.

I am using FileZilla2. Which one did you use? And what 'type of connection/server type' did you use?

@drake127:

Edit: You may want to remove your IP from previous post. ;-)

thank you :roll:

Sep 24 12:02:45 server pure-ftpd: (?@xx.xx.xx.xx) [INFO] New connection from xx.xx.xx.xx
Sep 24 12:02:46 server pure-ftpd: (?@xx.xx.xx.xx) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES256-SHA, 256 secret bits cipher
Sep 24 12:02:48 server pure-ftpd: (?@xx.xx.xx.xx) [INFO] Logout.
Sep 24 12:02:55 server pure-ftpd: (?@xx.xx.xx.xx) [INFO] New connection from xx.xx.xx.xx
Sep 24 12:02:59 server pure-ftpd: (?@xx.xx.xx.xx) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES256-SHA, 256 secret bits cipher
Sep 24 12:03:08 server pure-ftpd: (?@xx.xx.xx.xx) [WARNING] Authentication failed for user [d127-test]
Sep 24 12:07:21 server pure-ftpd: (?@xx.xx.xx.xx) [INFO] Logout.

I used Total Commander 7.55 with OpenSSL 1.0 binaries. There are not many options, just one checkbox.

In FileZilla you may have the option to use explicit or implicit TLS (SSL). Just play with it a little. I failed on authentication (naturally), so the server is working fine up to that point.

@drake127:

I used Total Commander 7.55 with OpenSSL 1.0 binaries. There are not many options, just one checkbox.

I am on a Mac right now so I cannot try TC. I also tried Secure FTP 2.6 with the same result.

@drake127:

In FileZilla you may have the option to use explicit or implicit TLS (SSL). Just play with it a little. I failed on authentication (naturally), so the server is working fine up to that point.

FileZilla with explicit TLS gives me

Response:    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response:    220-You are user number 1 of 50 allowed.
Response:    220-Local time is now 12:35. Server port: 21.
Response:    220-This is a private system - No anonymous login
Response:    220 You will be disconnected after 15 minutes of inactivity.
Command:    AUTH TLS
Response:    500 Command not understood.
Command:    AUTH SSL
Response:    500 Command not understood.
Error:    Critical error
Error:    Could not connect to server

with explicit I get … Note the port number. It seems to me that pure-ftpd is not listening there.

Status:    Resolving address of rsness.com
Status:    Connecting to xx.xx.xx.xx:990...
Error:    Connection timed out
Error:    Could not connect to server

I created a test account if you want to try out …

Thank you

R.

so I tried

  • FileZilla

  • secure ftp

  • cyberduck

on OSX

and TC 7.5 on win

all with the same result. I'd say that the authentication part is not working properly but I have no idea how I can investigate that further.

Interestingly, when you tried to log in there was more info in the log file. Even your test user name. I have never got that….

Try to use FileZilla with implicit and force the port to 21. To use Total Commander, make sure you installed the OpenSSL binaries that are not part of the TC installation.

I tried to log in with my test account without success. You can probably find the cause in your log file. My guess is that the www-data UID is lower than 2000 and thus denied (as per your option -u 2000).

@drake127:

Try to use FileZilla with implicit and force the port to 21.

Tried with this result

16:25:10 Status:    Connection established, initializing TLS...
16:25:11 Error:    GnuTLS error -9: A TLS packet with unexpected length was received.
16:25:11 Error:    Could not connect to server

@drake127:

To use Total Commander, make sure you installed the OpenSSL binaries that are not part of the TC installation.

I did install the OpenSSL binaries before I tried.

@drake127:

I tried to log in with my test account without success. You can probably find the cause in your log file. My guess is that the www-data UID is lower than 2000 and thus denied (as per your option -u 2000).

I changed it to -u 30 as www-data is 33

R.

Strange, still auth failed. Could I see what my row in the table looks like? What does it write in the log right now? Is it able to connect to the database? Does my folder exist?

Any such error would cause authentication problem.
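The diagnostics asked for here (is there a row, does the hash match, does the folder exist), the -u minimum-UID rule from the previous post and the one-row-per-login limit imposed by PRIMARY KEY (`user`) in the schema earlier in the thread, replayed offline. This is an added example, not code from the thread or from Pure-FTPd: it stands in an in-memory sqlite3 table for the MySQL one and a small dict for pwd.getpwnam(), and the logins, passwords and directories are constructed.

```python
import hashlib
import sqlite3

MIN_UID = 2000                  # the -u value on the thread's command line
NAME_TO_UID = {"www-data": 33}  # stand-in for pwd.getpwnam(); constructed

# the thread's table, minus the MySQL-only collation clauses so sqlite accepts it
SCHEMA = """CREATE TABLE ftp_users (
  user varchar(32) NOT NULL, password varchar(80), directory varchar(64) NOT NULL,
  uid varchar(32) NOT NULL, gid varchar(32) NOT NULL, PRIMARY KEY (user))"""
# the four MYSQLGet* lookups from mysql.conf folded into one; '\L' (the login
# name) becomes a bound parameter instead of being spliced into the SQL text
GET_ROW = "SELECT password, directory, uid, gid FROM ftp_users WHERE user = ?"


def mysql_md5(password: str) -> str:
    """What MySQL's MD5() stores under MYSQLCrypt MD5: 32 hex chars, unsalted."""
    return hashlib.md5(password.encode()).hexdigest()


def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def add_user(db, user, password, directory, uid="www-data", gid="www-data") -> bool:
    """Insert one row. Returns False when PRIMARY KEY (user) rejects a second row
    for the same login, which is what happens to the multi-row INSERT above."""
    try:
        db.execute("INSERT INTO ftp_users VALUES (?, ?, ?, ?, ?)",
                   (user, mysql_md5(password), directory, uid, gid))
        return True
    except sqlite3.IntegrityError:
        return False


def login_problems(db, user, password, existing_dirs, min_uid=MIN_UID) -> list:
    """Replay the checks that follow the lookup and list everything that would fail."""
    row = db.execute(GET_ROW, (user,)).fetchone()
    if row is None:
        return ["no row for this login"]
    stored, directory, uid, _gid = row
    problems = []
    if stored != mysql_md5(password):
        problems.append("password hash mismatch")
    numeric_uid = int(uid) if uid.isdigit() else NAME_TO_UID.get(uid)
    if numeric_uid is None:
        problems.append(f"uid {uid!r} cannot be resolved")
    elif numeric_uid < min_uid:      # www-data (33) against -u 2000, as in the thread
        problems.append(f"uid {numeric_uid} is below -u {min_uid}, login refused")
    if directory not in existing_dirs:   # "does my folder exist?"
        problems.append(f"home directory {directory} does not exist")
    return problems
```

Run it against the real table by pointing a MySQL cursor at the same GET_ROW query; the checks themselves do not change.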

@drake127:

Strange, still auth failed. Could I see what my row in the table looks like? What does it write in the log right now? Is it able to connect to the database? Does my folder exist?

Any such error would cause authentication problem.

/var/log/messages

Sep 24 16:51:20 server pure-ftpd: (?@xx.xx.xx.xx) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES256-SHA, 256 secret bits cipher
Sep 24 16:51:26 server pure-ftpd: (?@xx.xx.xx.xx) [WARNING] Authentication failed for user [drake127]
Sep 24 16:51:41 server pure-ftpd: (?@x.xx.xx.xx) [WARNING] Authentication failed for user [drake]

and

mysql> select * from ftp_users where user = "drake";
+-------+----------------------------------+------------+----------+----------+
| user  | password                         | directory  | uid      | gid      |
+-------+----------------------------------+------------+----------+----------+
| drake | 2851a862c810901fb50717a9d01075e8 | /tmp/drake | www-data | www-data |
+-------+----------------------------------+------------+----------+----------+

and

www-data:x:33:33:www-data:/var/www:/bin/sh

big THANX to drake127 for helping me out. It is wooooorking now.

I guess I didn't specify the correct IP for pure-ftpd to listen on.

R
