You may need to allow a third party to have access to a site, but don't want to give that party full SSH access to the server. The solution can be to set up a secure FTP server using TLS/SSL encryption.
This article assumes that you are installing PureFTPd on a Debian flavored system, but the configuration part should be valid on other systems as well. To install, simply run this command.
~$ apt-get install pure-ftpd-common pure-ftpd
I use virtual users to log into PureFTPd, so to enable this I need a real system user that the virtual users are mapped onto. The commands below add a group and a user for that purpose.
~$ groupadd ftpgroup
~$ useradd -g ftpgroup -d /dev/null -s /etc ftpuser
The default configuration that comes with PureFTPd on Debian can be used on most systems with only a few modifications. PureFTPd stores its configuration as a collection of files in the folder "/etc/pure-ftpd/conf/". Each filename is a configuration parameter and the file content is the option value(s). See the TLS configuration on this page for an example.
Before virtual user authentication can be used, a symlink to the PureDB configuration file has to be created in the auth folder.
~$ cd /etc/pure-ftpd/auth
~$ ln -s ../conf/PureDB 50pure
If you only want virtual users to be able to log in, you will have to disable PAM and Unix authentication as shown below.
~$ echo no > /etc/pure-ftpd/conf/PAMAuthentication
~$ echo no > /etc/pure-ftpd/conf/UnixAuthentication
Enable SSL/TLS by generating a self-signed certificate with the command below. You can also use a "real" certificate, which is the better solution for production systems. The certificate must be stored at the path used below, as PureFTPd looks for it at this location.
~$ openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
~$ echo 2 > /etc/pure-ftpd/conf/TLS
~$ /etc/init.d/pure-ftpd restart
The number written to the TLS configuration file has the following effect.
- 0 disables TLS.
- 1 makes TLS optional for users.
- 2 forces all users to use TLS.
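Because every option is a file in the conf folder, the hardening this article sets up can be verified with a short script. The following POSIX shell audit is an added example, not part of the original article; the function names and the check for the 50pure symlink are my own, and the conf and auth directories are passed as parameters so it can be run against a copy as well as against /etc/pure-ftpd.

```shell
#!/bin/sh
# Added example: audit a PureFTPd "one file per option" configuration
# directory for the settings described above: TLS forced (TLS=2), PAM and
# Unix authentication switched off, and the PureDB auth symlink present.

# Print the value of one option file, or "<unset>" when the file is missing.
# $1 = conf dir, $2 = option name (e.g. TLS, PAMAuthentication)
pureftpd_opt() {
    if [ -f "$1/$2" ]; then
        # first line only, surrounding whitespace stripped
        head -n 1 "$1/$2" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
    else
        printf '<unset>\n'
    fi
}

# Return 0 when the directory matches the hardened setup, 1 otherwise,
# printing one line per finding.
# $1 = conf dir (e.g. /etc/pure-ftpd/conf), $2 = auth dir (e.g. /etc/pure-ftpd/auth)
pureftpd_audit() {
    conf=$1; auth=$2; rc=0
    tls=$(pureftpd_opt "$conf" TLS)
    case "$tls" in
        2) ;;
        1) echo "WARN: TLS=1, encryption is optional so cleartext logins are still accepted"; rc=1 ;;
        *) echo "FAIL: TLS=$tls, TLS is disabled or unset"; rc=1 ;;
    esac
    for opt in PAMAuthentication UnixAuthentication; do
        v=$(pureftpd_opt "$conf" "$opt")
        case "$v" in
            [Nn][Oo]) ;;
            *) echo "WARN: $opt=$v, real system accounts can log in over FTP"; rc=1 ;;
        esac
    done
    if [ ! -L "$auth/50pure" ]; then
        echo "FAIL: $auth/50pure symlink to the PureDB option is missing, virtual users are disabled"; rc=1
    fi
    return $rc
}
```

Run it as `pureftpd_audit /etc/pure-ftpd/conf /etc/pure-ftpd/auth` after sourcing the file; a non-zero exit means at least one finding was printed.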
PureFTPd lets you control each user individually and set different limits per user. The basic commands are list and show, which respectively list all users and show detailed information about a single user. For a full list of options, run "pure-pw" without any parameters.
~$ pure-pw list
~$ pure-pw show <username>
You create a virtual FTP user with the useradd command. You will be asked for a password and a confirmation when executing the first command. As you can see, the "real" user and group created in the configuration section are used here. The latter command creates or updates the binary database that PureFTPd uses for fast lookups.
~$ pure-pw useradd <username> -u ftpuser -g ftpgroup -d <dir>
~$ pure-pw mkdb
If you need to reset a user's password, the passwd command can be used. The -m parameter ensures that the binary database is updated as well, not only the password file.
~$ pure-pw passwd <name> -m
To delete a user, simply run the userdel command.
~$ pure-pw userdel <username> -m
You can limit both download (-t) and upload (-T) bandwidth; below, both are limited to 10 Kbps.
~$ pure-pw usermod <username> -t 10 -T 10 -m
You can block access from a network range or a single IP as shown below. You can also allow access from an IP or range by using "-r" with the same parameters.
~$ pure-pw usermod <username> -R 192.168.2.0/24 -m
~$ pure-pw usermod <username> -R 192.168.0.8 -m
You can set the maximum amount of data a user is allowed to upload with the "-N" parameter. The command below sets the maximum upload to 10 Mb.
~$ pure-pw usermod <username> -N 10 -m
To restrict logins to a time interval, the "-z" option can be used.
~$ pure-pw usermod <username> -z 0900-1600 -m
Default options (unlimited)
You can reset an option to its default by passing the empty string as the parameter value.
~$ pure-pw usermod <username> -N '' -m
- Cyberduck is a Mac client that supports SSL/TLS and many other options. A trial version can be downloaded from its homepage and the full version can be installed from the App Store.
- coreFTP is a free Windows client that supports SSL/TLS.
- FileZilla runs on almost any platform, but has some issues with firewalls and active connections.