[BlueOnyx:11354] Re: 5108R FTPS

Michael Stauber mstauber at blueonyx.it
Wed Sep 19 16:23:11 -05 2012


Hi Ken,

>> For some reason Michael's solution did not work for me. Proftpd would not 
>> start.
>>
>> My solution was to:
>> 1. Leave it as inet
>> 2. Add the lines below to the /etc/proftpd.conf within the <Global>
>> </Global> container
>> <IfModule mod_tls.c>
>>   TLSEngine on
>>   TLSLog /var/log/tls.log
>>   TLSRequired off
>>   TLSOptions NoCertRequest
>>   TLSRSACertificateFile /etc/admserv/certs/certificate
>>   TLSRSACertificateKeyFile /etc/admserv/certs/key
>>   TLSVerifyClient off
>>   TLSRenegotiate required off
>> </IfModule>
>>
>> Then within my "Secure FX" software set it to use:
>>  -  FTPS  explicit
>>  -  on port 22
>>  -  disable certificate validation (if you are using something else for
>> the hostname instead of the servername)
>>
>
> Also, maybe we could have the DeferWelcome and ServerIdent Off set in the 
> <Global> by default also.
> http://www.proftpd.org/docs/directives/linked/config_ref_DeferWelcome.html
> http://www.proftpd.org/docs/directives/linked/config_ref_ServerIdent.html

Many thanks for the suggestions, Ken. I will test them out and will see
what I can come up with. I also have a copy of "Secure FX", but I'm a
bit confused that you use it with "FTPS explicit" on port 22 (SSH).

Because that would imply that the user has to have shell access,
although for FTPS on port 21 or 990 that wouldn't be required.

If you use port 22, then this would rather imply SFTP (instead of FTPS),
which already worked before we did any modifications.

There is also something else that I have been thinking about off and on:
The introduction of a shell called "scponly". It would allow limited
shell access to a user. Limited in so far that he can use SCP to upload
files, but cannot use SSH to get a bash. That would come in handy in so
far as we could say: We support SFTP (if shell access or SCPonly is
enabled for the user), but forget about FTPS, which we won't support.

This would save us a lot of hassles such as having to have extra vhost
containers in proftpd.conf for every IP where we want to use FTPS.

-- 
With best regards

Michael Stauber
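As an added example (not part of this thread, and not ProFTPD's or BlueOnyx's own code): a small Python audit that parses the <Global> block Ken quoted above and reports whether TLSRequired, ServerIdent and DeferWelcome are set the way the thread discusses. The config text is constructed from his snippet plus the two banner directives he proposed; the defaults assumed for missing directives are ProFTPD's documented ones.

```python
import re

# Constructed sample: Ken's mod_tls block plus the two banner directives he proposed.
SAMPLE_CONF = """\
<Global>
  DeferWelcome on
  ServerIdent off
  <IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/tls.log
    TLSRequired off
    TLSOptions NoCertRequest
    TLSRSACertificateFile /etc/admserv/certs/certificate
    TLSRSACertificateKeyFile /etc/admserv/certs/key
    TLSVerifyClient off
    TLSRenegotiate required off
  </IfModule>
</Global>
"""

def parse_directives(conf: str) -> dict:
    """Map lower-cased directive -> value for everything inside <Global>, nested containers included."""
    found, in_global = {}, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if re.match(r"</?Global\b", line, re.I):
            in_global = not line.startswith("</")
            continue
        if not in_global or line.startswith("<"):
            continue                           # outside <Global>, or an <IfModule> tag
        name, _, value = line.partition(" ")
        found[name.lower()] = value.strip()    # later duplicates win, as in ProFTPD
    return found

def audit(conf: str) -> list:
    """Return findings about the <Global> block; an empty list means nothing to flag."""
    d = parse_directives(conf)
    findings = []
    if d.get("tlsengine", "off").lower() != "on":
        findings.append("TLSEngine not on: mod_tls is disabled, no FTPS at all")
    elif d.get("tlsrequired", "off").lower() == "off":
        findings.append("TLSRequired off: clients may still log in over cleartext FTP")
    if d.get("serverident", "on").lower() != "off":
        findings.append("ServerIdent not off: version banner disclosed before login")
    if d.get("deferwelcome", "off").lower() != "on":
        findings.append("DeferWelcome not on: welcome banner shown before authentication")
    return findings
```

Run `audit(SAMPLE_CONF)` against the quoted block: it flags only `TLSRequired off`, since TLSRequired off still lets a client log in without AUTH TLS.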
