perfeng_FTPS_solution

2:05 PM

Rationale

FTP is a legacy protocol and using it for anything other an anonymous downloads is a major security no-no. An extension to the FTP protocol, called FTPS, allows for encrypting all communications, thus increasing the security and prolonging the life of the FTP protocol. The extension calls for the client, once initially connected to the server, to request encryption for all subsequent communications with the "AUTH TLS" command (this happens before attempting to log in.) If TLS negotiation is successful, all commands and data transferred are encrypted. This article will step you through setting up a FTPS solution on Red Hat Linux systems using OpenSSL and VSFTPD.

Requirements

From the Security FAQ:
  • users connecting to the service must not use local user accounts or Active Directory accounts
  • the service must run on non-standard ports
There are known compatibility bugs between vsftpd and some ftp clients. To resolve these bugs, a newer version of vsftpd will be built using the source code. Since the newer version of vsftpd uses functions of OpenSSL not found in the system OpenSSL, a newer version of OpenSSL will be built and installed, too.

Client-facing documentation

Documentation for the FTPS service for distribution to clients is available here (a PDF version will be attached to the page for convenient emailing.)

Download and build vsftpd

You need to download vsftpd & OpenSSL and build them. You can download vsftpd and OpenSSL internally or download them from the OpSource FTP server (209.34.77.21) in the VSFTPD folder. Note, the actual version numbers contained in the archives may differ from those shown here.
Move the tar files into a directory you have write privileges on and unpack them:
$ tar xzf vsftpd-207_opsource.tgz
$ tar xzf openssl-098j_opsource.tgz
First, build OpenSSL but do not overwrite the system OpenSSL libraries. To do this, use sudo and run the build_openssl script. You will be prompted for an installation directory. This should be /usr/local/CLIENT (where CLIENT is the client name.)
$ cd openssl-0.9.8j
$ sudo ./build_openssl
OpenSSL needs to be installed in the client's /usr/local/ tree. It should NOT be
installed over the system OpenSSL binaries and libraries.

When prompted, enter a directory to install OpenSSL into. A 'openssl' directory will be created.
What top-level directory should OpenSSL be installed to? /usr/local/work
Installing OpenSSL into /usr/local/work
Configuring the source
Building the binaries
Running test suite
Installing binaries
Creating symbolic link in /opt
Installation of OpenSSL complete.
Now, we need to build and install vsftpd. Change directory to the vsftpd-2.0.7 directory and use sudo to run the build_vsftpd script.
$ sudo ./build_vsftpd 
Installing new vsftpd binary
Installing/Updating init script
Installing/Updating PAM configuration
Installing/Replacing vsftpd configuration. You MUST edit /etc/vsftpd/vsftpd.conf before starting vsftpd.
Installing/Replacing vsftpd.chroot_list file.
Installing/Replacing the vsftpd.user_list file
Installing inital username/password database. It is blank. You must add accounts to it.
vsftp installed. There are several things you must do before it will work:
1. set a password for the ftpuser account (if it was created during install)
2. edit the /etc/vsftpd/vsftpd.conf file and set the directory for virtual users to a real location
   and change the ownership of it to the ftpuser user and group.
3. edit /etc/vsftpd/vsftpd_users and add usernames and passwords
4. for the usernames you put in vsftpd_users, you must add them to /etc/vsftpd.user_list so they'll be
   allowed to log in
5. install a valid certificate in /etc/vsftpd/vsftpd.pem or generate a self-signed certificate
6. test, test, test
As the output indicates, you need to set a password for the ftpuser user, edit the /etc/vsftpd/vsftpd.conf file and change the settings at the top where indicated. Of particular note is the directory tree where virtual users' directories will be and the database for virtual users. You will also need to specify port numbers for listen, PORT and PASV transfers and the PASV IP address, since you will be NATed.

SSL Certificate

vsftpd is configured to only allow logins over FTPS. This means you need to install a valid SSL key and certificate or generate a self-signed key and certificate before any users will be able to log in. The key+cert should be in PEM format with both key and cert in the same file. The default file is /etc/vsftpd/vsftpd.pem but you can specify a different PEM file in the /etc/vsftpd/vsftpd.conf file. See this page for information on generating certificate requests and self-signed certificates.

Virtual Users

vsftpd allows for the use of virtual users. This is accomplished using PAM and not vsftpd itself. The PAM subsystem has a module, pam_userdb, that reads a database of username/password values. The vsftpd file in /etc/pam.d uses the pam_userdb module for auth and account. Since it is the only module used, it will never check the local /etc/passwd database nor Active Directory. This limits logins by vsftpd to just the virtual users.
A special program was written to allow you to manage the virtual user database. The command is vsftpd_users_tool and it can only be run by root or with sudo. It allows you to add, update and delete users from the database. NOTE: passwords should be enclosed in single quotes.
$ sudo vsftpd_users_tool
Usage: vsftpd_users_tool <action> username [pass]
        Where 'action' is one of:
        --add|--create|--insert  add username to the database with password pass
        --update|--modify|--change  change the password of username to pass
        --delete|--remove  delete username from the database
After adding users to the vsftpd_login database, you must add them to the /etc/vsftpd.user_list file. This file lists all users that are allowed to log in via vsftpd. If the name is not listed, the account is blocked. This is an added security measure and allows you to lockout accounts without having to rebuild the vsftpd_login database.

sudo changes

As stated previously, you need to run the vsftpd_users_tool command with sudo. If clients want to run this tool and maintain SLA compliance, Engineers need to add rules to the /etc/sudoers file so clients can run vsftpd_users_tool. The following rule will be sufficient:
user ALL=(ALL) /usr/local/bin/vsftpd_users_tool
The user can be a specific client user or it can be a group specially created for this.

Virtual Users home directories

The home directories for virtual users must exist before the user can log in. Neither vsftpd nor PAM will create it but the vsftpd_users_tool will if you use the --add function. The --update feature does not modify an existing directory and the --delete feature does not remove the directory. When creating user directories manually, the ftpuser user and group must own the directories. The location of the home directories is given by the local_root parameter in the /etc/vsftpd/vsftpd.conf file. The $USER token is replaced by the virtual username.
For example, FTPS was rolled out on a Deposco server. Virtual user home directories are under /usr/local/deposco/ftpusers. This directory's permissions look like this:
$ ls -l /usr/local/deposco/
total 44
drwxr-xr-x   3 ftpuser ftpuser  4096 Mar 11 13:32 ftpusers
The user directories in it look like this:
$ ls -l /usr/local/deposco/ftpusers/
total 4
drwxr-xr-x  3 ftpuser ftpuser 4096 Apr 17 14:56 flintstones
Note that the owner and group are "ftpuser". If the directory is owned by any other user, the virtual user will not be able to log in.

Upgrading from a previous version of vsftpd

If you need to upgrade from a previous version, there will be a upgrade_vsftpd script in the archive. It will install the new binary, init script, PAM configuration file and user management tool script (if you've made any changes to these files, you must reapply your changes.) It will not update any of the configuration files nor modify the user database. You will be responsible for testing the service against the configuration file to make sure it works properly.

Share This Story

Tags:

Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Aenean commodo ligula eget dolor Aenean massa.

You Might Also Like

0 comments

Contact Form

Name

Email *

Message *

Translate

Wikipedia

Search results