You are here

PureFTPd over TLS

You may need to allow a third party to have access to a site, but don't want to give the party full SSH server access. The solution can be to setup at secure FTP server using TLS/SSL encryption.


This article assumes that you are installing PureFTPd on a Debian flavored system, but the configuration part should be valid on other systems as well. To install, simply run this command.

~$ apt-get install pure-ftpd-common pure-ftpd

I use virtual users to log into PureFTP, so to enable this I need to have a real user that can be used to mask the virtual user on the system. So the command below adds an group and user that can be used.

~$ groupadd ftpgroup
~$ useradd -g ftpgroup -d /dev/null -s /etc ftpuser


The default configuration that comes with PureFTPd, one Debian, can be used on most systems with only a few modifications. PureFTPd stores it configuration in a collection of files in the folder "/etc/pure-ftpd/conf/". Each filename is a configuration parameter and the content is the option(s). See the TLS configuration on this page for an example.

Before virtual user authentication can be used a symlink have to be created in the auth folder to the PureDB configuration file.

~$ cd /etc/pure-ftpd/auth
~$ ln -s ../conf/PureDB 50pure

If you only want to enable virtual users to log in. You will have to disable PAM and Unix authentication as shown below.

~$ echo no > /etc/pure-ftpd/conf/PAMAuthentication
~$ echo no > /etc/pure-ftpd/conf/UnixAuthentication


To enable SSL/TLS by generating a self signed certificate with the command below. You can also use a "real" certificate, which will be a better solution for production systems. The location of the certificate should be the same as below, as PureFTPd looks for it at this location.

~$ openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
~$ echo 2 > /etc/pure-ftpd/conf/TLS
~$ /etc/init.d/pure-ftpd restart

The option/number insert in the TLS configuration file has the following effect.

  • 0 disables TLS.
  • 1 makes TLS optional for users.
  • 2 forces all users to use TLS.

User Management

PureFTPd gives you the option to control each user differently and set different limitations. The basic commands list and show, which respectively lists all users and shows detail information about a single user. For a full list of options you can execute the command "pure-pw" without any parameters.

~$ pure-pw list
~$ pure-pw show <username>

Create user

You create virtual ftp user by executing the useradd. You will be asked for a password and a confirmation when executing the first command. As you can see the "real" user and group create under the configuration section is used here. The later command updates/creates the binary database that PureFTPd uses for fast access.

~$ pure-pw useradd <username> -u ftpuser -g ftpgroup -d <dir>
~$ pure-pw mkdb

Reset password

If you need to reset a users password the passwd command can be used. The -m parameter ensures that the binary database is updated as well and not only the password file.

~$ pure-pw passwd <name> -m

Delete user

Simply run the userdel command.

~$ pure-pw userdel <username> -m

Limit bandwidth

You can limit both download (-t) and upload (-T) bandwidth, below they are limited 10 Kbps.

~$ pure-pw usermod <username> -t 10 -T 10 -m

Block IP

You can block access from a network range or a single IP as shown below. You can also allow access from an IP or range by using "-r" with the same parameters.

~$ pure-pw usermod <username> -R -m
~$ pure-pw usermod <username> -R -m

Upload max

You can set the maximum allowed amount of data to be uploaded using the "-N" parameter. The command below sets the maximum upload to 10 Mb.

~$ pure-pw usermod <username> -N 10 -m

Time interval

To limit access to a time interval the "-z" option can be used.

~$ pure-pw usermod <username> -z 0900-1600 -m

Default options (unlimited)

You can reset an option to default by using the empty string as parameter value.

~$ pure-pw usermod <username> -N '' -m

FTP Clients

  • Cyberduck is a Mac client that supports SSL/TLS and many other options. A trail version can be download form this homepage and the full version can be install from the App Store.
  • coreFTP is a free windows client that support SSL/TLS.
  • FileZilla runs on almost any platforms, but have some issues with firewalls and active connections.



Your information is great

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.