perfeng_FTPS_solution
Rationale
FTP is a legacy protocol, and using it for anything other than anonymous downloads is a major security problem: user names, passwords and file contents all cross the network in clear text. An extension to the protocol, called FTPS, encrypts the session with TLS, which makes the service defensible and prolongs the useful life of FTP. Once connected, and before attempting to log in, the client asks the server to switch the control connection to TLS with the "AUTH TLS" command. If the TLS negotiation succeeds, every subsequent command (including the credentials) is encrypted; the client must also request protection for the data channel ("PROT P"), and vsftpd can be configured to refuse logins and transfers that are not protected. This article steps you through setting up an FTPS solution on Red Hat Linux systems using OpenSSL and vsftpd.

Requirements
From the Security FAQ:
- users connecting to the service must not use local user accounts or Active Directory accounts
- the service must run on non-standard ports
Client-facing documentation
Documentation for the FTPS service for distribution to clients is available here (a PDF version will be attached to the page for convenient emailing).

Download and build vsftpd
You need to download vsftpd and OpenSSL and build them. You can download them internally or from the OpSource FTP server (209.34.77.21) in the VSFTPD folder. Because plain FTP gives no integrity guarantee, compare the archives against known-good checksums before building. Note that the actual version numbers in the archives may differ from those shown here; the OpenSSL 0.9.8 and vsftpd 2.0 releases shown are long out of support, so use the current supported versions.

Move the tar files into a directory you have write privileges on and unpack them:
$ tar xzf vsftpd-207_opsource.tgz
$ tar xzf openssl-098j_opsource.tgz
OpenSSL needs to be installed in the client's /usr/local/ tree. It must NOT be installed over the system OpenSSL binaries and libraries. When prompted, enter a top-level directory to install OpenSSL into; an 'openssl' directory will be created under it.

$ cd openssl-0.9.8j
$ sudo ./build_openssl
What top-level directory should OpenSSL be installed to? /usr/local/work
Installing OpenSSL into /usr/local/work
Configuring the source
Building the binaries
Running test suite
Installing binaries
Creating symbolic link in /opt
Installation of OpenSSL complete.
$ sudo ./build_vsftpd
Installing new vsftpd binary
Installing/Updating init script
Installing/Updating PAM configuration
Installing/Replacing vsftpd configuration. You MUST edit /etc/vsftpd/vsftpd.conf before starting vsftpd.
Installing/Replacing vsftpd.chroot_list file.
Installing/Replacing the vsftpd.user_list file
Installing initial username/password database. It is blank. You must add accounts to it.
vsftpd installed. There are several things you must do before it will work:
1. set a password for the ftpuser account (if it was created during install)
2. edit the /etc/vsftpd/vsftpd.conf file and set the directory for virtual users to a real location and change the ownership of it to the ftpuser user and group.
3. edit /etc/vsftpd/vsftpd_users and add usernames and passwords
4. for the usernames you put in vsftpd_users, you must add them to /etc/vsftpd.user_list so they'll be allowed to log in
5. install a valid certificate in /etc/vsftpd/vsftpd.pem or generate a self-signed certificate
6. test, test, test
SSL Certificate
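The combined key-plus-certificate PEM this section describes, built and checked as an added example (this is not the page's own procedure or a vsftpd tool; the host name, lifetime and output path are assumptions passed in by the caller):

```shell
#!/bin/sh
# Added example, not from the original page: build the combined key+certificate
# PEM that vsftpd expects (default /etc/vsftpd/vsftpd.pem) and sanity-check it.
# The host name, lifetime and output path are assumptions supplied by the caller.
set -eu

# make_vsftpd_pem OUTFILE CN [DAYS]
# Generate a self-signed 2048-bit RSA key and certificate for CN and write
# key then certificate into OUTFILE. The key is unencrypted (vsftpd cannot
# prompt for a passphrase at start-up), so the file is created mode 0600.
make_vsftpd_pem() {
    out=$1; cn=$2; days=${3:-365}
    tmp=$(mktemp -d)
    openssl req -x509 -nodes -newkey rsa:2048 -days "$days" -subj "/CN=$cn" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    ( umask 077; cat "$tmp/key.pem" "$tmp/cert.pem" > "$out" )
    chmod 0600 "$out"
    rm -rf "$tmp"
}

# check_vsftpd_pem FILE
# Return 0 only if FILE holds exactly one private key and one certificate,
# the key belongs to that certificate, and the file is not group/world readable.
check_vsftpd_pem() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$f" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$f" || true)
    if [ "$keys" -ne 1 ] || [ "$certs" -ne 1 ]; then
        echo "$f: expected 1 key and 1 certificate, found $keys and $certs" >&2
        return 1
    fi
    # openssl skips PEM blocks of the wrong type, so both commands read the combined file.
    kpub=$(openssl pkey -in "$f" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$f" -pubkey -noout 2>/dev/null)
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        echo "$f: private key does not match certificate" >&2
        return 1
    fi
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$f: must be mode 0600 (group/other bits: $mode)" >&2; return 1; }
    return 0
}

# Stand-alone demo in a scratch directory; copy the result to /etc/vsftpd/vsftpd.pem
# as root once it checks out.
demo_dir=$(mktemp -d)
make_vsftpd_pem "$demo_dir/vsftpd.pem" ftps.example.com 365
check_vsftpd_pem "$demo_dir/vsftpd.pem" && echo "$demo_dir/vsftpd.pem: OK"
openssl x509 -in "$demo_dir/vsftpd.pem" -noout -subject -enddate
rm -rf "$demo_dir"
```

Run check_vsftpd_pem against the installed file after every certificate renewal: a renewal that replaces only the certificate half leaves a key that no longer matches, and vsftpd will then refuse every TLS handshake.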
vsftpd is configured to only allow logins over FTPS, so you need to install a valid SSL key and certificate, or generate a self-signed pair, before any user can log in. The key and certificate must be in PEM format, both in the same file. The default file is /etc/vsftpd/vsftpd.pem; a different PEM file can be named in /etc/vsftpd/vsftpd.conf. Because this file contains the unencrypted private key, it must be owned by root and readable only by root. Clients cannot verify a self-signed certificate against a trusted CA, so they will warn or have to pin it; for production, prefer a certificate from a CA the clients already trust. See this page for information on generating certificate requests and self-signed certificates.

Virtual Users
vsftpd allows the use of virtual users. This is accomplished by PAM, not by vsftpd itself: the PAM module pam_userdb reads a Berkeley DB file of username/password pairs, and the vsftpd file in /etc/pam.d uses pam_userdb for both auth and account. Since it is the only module in that file, PAM never consults the local /etc/passwd database or Active Directory, which limits vsftpd logins to the virtual users and satisfies the first Security FAQ requirement.

A special program, vsftpd_users_tool, was written to manage the virtual user database. It can only be run by root or with sudo, and it allows you to add, update and delete users. NOTE: enclose passwords in single quotes so the shell does not expand characters such as $ or !. Be aware that a password given on the command line is visible in the process list while the tool runs and is recorded in the shell history.
$ sudo vsftpd_users_tool
Usage: vsftpd_users_tool <action> username [pass]
Where 'action' is one of:
  --add|--create|--insert      add username to the database with password pass
  --update|--modify|--change   change the password of username to pass
  --delete|--remove            delete username from the database
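The two Security FAQ requirements (no local or Active Directory accounts; non-standard ports) and the PAM arrangement just described can be checked mechanically. The following audit script is an added example, not part of the page or of vsftpd: the vsftpd.conf directives and pam_userdb options it looks for are real, but the sample files, port numbers and database path inside them are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: audit a vsftpd deployment against
# the Security FAQ (no local/AD accounts; non-standard ports) by reading
# vsftpd.conf and /etc/pam.d/vsftpd. Directive and module names are real;
# the sample files, ports and paths written by write_samples are constructed.
set -eu

# conf_get FILE KEY: print the value of the last uncommented KEY=value line.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# audit_vsftpd_conf FILE: 0 if FILE enforces TLS-only virtual-user logins on a
# non-standard port; 1 otherwise, with each finding printed.
audit_vsftpd_conf() {
    f=$1; rc=0
    for k in ssl_enable force_local_logins_ssl force_local_data_ssl guest_enable; do
        [ "$(conf_get "$f" "$k")" = YES ] || { echo "$f: $k must be YES"; rc=1; }
    done
    # vsftpd defaults anonymous_enable to YES, so it must be switched off explicitly.
    [ "$(conf_get "$f" anonymous_enable)" = NO ] || { echo "$f: anonymous_enable must be NO"; rc=1; }
    case "$(conf_get "$f" listen_port)" in
        ''|21) echo "$f: listen_port must be set to a non-standard port"; rc=1 ;;
    esac
    # Passive data connections need their own fixed range that the firewall can allow.
    lo=$(conf_get "$f" pasv_min_port); hi=$(conf_get "$f" pasv_max_port)
    [ -n "$lo" ] && [ -n "$hi" ] && [ "$lo" -le "$hi" ] ||
        { echo "$f: pasv_min_port/pasv_max_port must define a range"; rc=1; }
    return $rc
}

# audit_pam_vsftpd FILE: 0 if every auth and account line uses pam_userdb.so and
# nothing else, so no other account source can ever be consulted.
audit_pam_vsftpd() {
    f=$1; rc=0
    stripped=$(sed 's/#.*//' "$f")
    for t in auth account; do
        n=$(printf '%s\n' "$stripped" | awk -v t="$t" '$1==t && $3 ~ /pam_userdb\.so$/ {c++} END {print c+0}')
        [ "$n" -ge 1 ] || { echo "$f: no pam_userdb.so line for $t"; rc=1; }
        bad=$(printf '%s\n' "$stripped" | awk -v t="$t" '$1==t && $3 !~ /pam_userdb\.so$/ {print $3}')
        [ -z "$bad" ] || { echo "$f: $t also uses: $(printf '%s' "$bad" | tr '\n' ' ')"; rc=1; }
    done
    printf '%s\n' "$stripped" | grep -q 'pam_userdb\.so.*crypt=crypt' ||
        echo "$f: warning: without crypt=crypt pam_userdb compares plaintext passwords"
    return $rc
}

# write_samples DIR: constructed good and bad configurations for the demo.
write_samples() {
    cat > "$1/vsftpd.conf.good" <<'EOF'
listen_port=2121
anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=ftpuser
pam_service_name=vsftpd
chroot_local_user=YES
local_root=/usr/local/deposco/ftpusers/$USER
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
pasv_min_port=50000
pasv_max_port=50100
EOF
    # The stock shape: port 21, anonymous left at its default, no TLS.
    cat > "$1/vsftpd.conf.bad" <<'EOF'
local_enable=YES
pam_service_name=vsftpd
EOF
    cat > "$1/pam.vsftpd.good" <<'EOF'
#%PAM-1.0
auth    required pam_userdb.so db=/etc/vsftpd/vsftpd_users crypt=crypt
account required pam_userdb.so db=/etc/vsftpd/vsftpd_users
EOF
    # Distribution default: "include password-auth" reaches pam_unix/sssd,
    # i.e. local and directory accounts.
    cat > "$1/pam.vsftpd.bad" <<'EOF'
#%PAM-1.0
auth    required pam_shells.so
auth    include  password-auth
account include  password-auth
session include  password-auth
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
for c in good bad; do
    audit_vsftpd_conf "$demo/vsftpd.conf.$c" && echo "vsftpd.conf.$c: OK" || echo "vsftpd.conf.$c: FAIL"
    audit_pam_vsftpd "$demo/pam.vsftpd.$c" && echo "pam.vsftpd.$c: OK" || echo "pam.vsftpd.$c: FAIL"
done
rm -rf "$demo"
```

On a real host, point the two audit functions at /etc/vsftpd/vsftpd.conf and /etc/pam.d/vsftpd after each package update: a distribution upgrade that rewrites the PAM file to its "include password-auth" default silently reopens the service to local and directory accounts.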
sudo changes
As stated previously, vsftpd_users_tool must be run with sudo. If clients want to run this tool themselves and maintain SLA compliance, Engineers need to add a rule to /etc/sudoers (edit it with visudo) so the client's account can run it. The following rule will be sufficient:

user ALL=(ALL) /usr/local/bin/vsftpd_users_tool

Replace user with the client's login name. Since the tool only needs root, writing (root) instead of (ALL) grants nothing beyond what is required.
Virtual Users home directories
The home directories for virtual users must exist before the user can log in. Neither vsftpd nor PAM will create them, but vsftpd_users_tool does when you use the --add function. The --update function does not modify an existing directory and the --delete function does not remove it. When creating user directories manually, the ftpuser user and group must own them. The location of the home directories is given by the local_root parameter in /etc/vsftpd/vsftpd.conf; the $USER token in that value is replaced by the virtual username.

For example, FTPS was rolled out on a Deposco server. Virtual user home directories are under /usr/local/deposco/ftpusers. The permissions look like this:
$ ls -l /usr/local/deposco/
total 44
drwxr-xr-x 3 ftpuser ftpuser 4096 Mar 11 13:32 ftpusers

$ ls -l /usr/local/deposco/ftpusers/
total 4
drwxr-xr-x 3 ftpuser ftpuser 4096 Apr 17 14:56 flintstones
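Creating a home directory by hand the way this section requires (expand $USER in local_root, create the directory, give it to ftpuser, confirm it before the user's first login), as an added example that is neither vsftpd_users_tool nor code from the page. The template, user, owner and group are arguments; the demo stands the current account in for ftpuser so it runs unprivileged, and it also rejects user names that would escape the ftpusers tree:

```shell
#!/bin/sh
# Added example, not from the original page: create and verify a virtual user's
# home directory from the local_root template, which is what vsftpd_users_tool
# --add does for you. Template, user, owner and group are passed in by the
# caller; the names used in the demo are constructed.
set -eu

# vuser_home TEMPLATE USER: expand the $USER token in TEMPLATE (e.g. the
# local_root value) for USER. Rejects names that could escape the tree
# (empty, ".", "..", or anything outside [A-Za-z0-9._-]).
vuser_home() {
    case "$2" in
        ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$1" | sed "s|\\\$USER|$2|g"
}

# make_vuser_home TEMPLATE USER OWNER GROUP: create the directory, mode 0755,
# owned by OWNER:GROUP (root is needed to chown to ftpuser), and print its path.
make_vuser_home() {
    dir=$(vuser_home "$1" "$2") || { echo "invalid user name: $2" >&2; return 1; }
    mkdir -p "$dir"
    chmod 0755 "$dir"
    chown "$3:$4" "$dir"
    printf '%s\n' "$dir"
}

# check_vuser_home TEMPLATE USER OWNER GROUP: 0 if the home exists, is a
# directory and is owned by OWNER:GROUP; otherwise 1 with the reason printed.
check_vuser_home() {
    dir=$(vuser_home "$1" "$2") || { echo "invalid user name: $2" >&2; return 1; }
    [ -d "$dir" ] || { echo "$dir: missing, user $2 cannot log in" >&2; return 1; }
    owner=$(ls -ld "$dir" | awk '{print $3 ":" $4}')
    [ "$owner" = "$3:$4" ] || { echo "$dir: owned by $owner, expected $3:$4" >&2; return 1; }
    return 0
}

# Demo with a scratch tree and the current account standing in for ftpuser;
# on the real host pass ftpuser ftpuser and the local_root value from vsftpd.conf.
root=$(mktemp -d)
me=$(id -un); mygrp=$(id -gn)
make_vuser_home "$root/ftpusers/\$USER" flintstones "$me" "$mygrp"
check_vuser_home "$root/ftpusers/\$USER" flintstones "$me" "$mygrp" && echo "flintstones: OK"
check_vuser_home "$root/ftpusers/\$USER" rubbles "$me" "$mygrp" || echo "rubbles: not yet created"
ls -l "$root/ftpusers"
rm -rf "$root"
```

The name check matters because the same string ends up in a filesystem path and, through local_root, in the chroot for that login; a name like "../etc" must never reach mkdir or chown.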