[BlueOnyx:11358] Re: 5108R FTPS
Tobias Gablunsky
t.gablunsky at cbxnet.de
Fri Sep 21 06:46:59 -05 2012
Hello,
I got it running with the following configuration:
In /etc/xinetd.d/proftpd I copied the "ftp" section to a second section "ftps" with identical settings. After a /etc/init.d/xinetd restart, this makes xinetd listen on port 990 too and start proftpd if a connection attempt is made to this port.
The global TLS section in proftpd.conf works as follows:
# TLS
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSRequired off
TLSRSACertificateFile /etc/pki/dovecot/certs/dovecot.pem
TLSRSACertificateKeyFile /etc/pki/dovecot/private/dovecot.pem
TLSVerifyClient off
TLSOptions NoCertRequest NoSessionReuseRequired
TLSRenegotiate required off
</IfModule>
The second option for TLSOptions "NoSessionReuseRequired" is especially for FileZilla to work.
In FileZilla I created a session with encryption "Explicit FTP over SSL" and the port explicitly set to 990.
With these settings FTPS is working globally.
Regarding scponly: as far as I can see the latest version is "jan 2006 scponly 4.6 release" - so it seems to me the project is dead?!
Tobias
> -----Original Message-----
> From: blueonyx-bounces at mail.blueonyx.it
> [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Ken - Precision Web Hosting, Inc
> Sent: Thursday, September 20, 2012 1:06 AM
> To: BlueOnyx General Mailing List
> Subject: [BlueOnyx:11357] Re: 5108R FTPS
>
>
> ----- Original Message -----
> From: "Michael Stauber" <mstauber at blueonyx.it>
> To: "BlueOnyx General Mailing List" <blueonyx at mail.blueonyx.it>
> Sent: Wednesday, September 19, 2012 2:23 PM
> Subject: [BlueOnyx:11354] Re: 5108R FTPS
>
>
> > Hi Ken,
> >
> >>> For some reason Michael's solution did not work for me. Proftpd would
> >>> not start.
> >>>
> >>> My solution was to:
> >>> 1. Leave it as inet
> >>> 2. Add the lines below to the /etc/proftpd.conf within the <Global>
> >>> </Global> container
> >>> <IfModule mod_tls.c>
> >>> TLSEngine on
> >>> TLSLog /var/log/tls.log
> >>> TLSRequired off
> >>> TLSOptions NoCertRequest
> >>> TLSRSACertificateFile /etc/admserv/certs/certificate
> >>> TLSRSACertificateKeyFile /etc/admserv/certs/key
> >>> TLSVerifyClient off
> >>> TLSRenegotiate required off
> >>> </IfModule>
> >>>
> >>> Then within my "Secure FX" software set it to use:
> >>> - FTPS explicit
> >>> - on port 22
> >>> - disable certificate validation (if you are using something else for
> >>> the hostname instead of the servername )
> >>>
> >>>
> >>>
> >>
> >> Also, maybe we could have the DeferWelcome and ServerIdent Off set in the
> >> <Global> by default also.
> >>
> >> http://www.proftpd.org/docs/directives/linked/config_ref_DeferWelcome.html
> >>
> >> http://www.proftpd.org/docs/directives/linked/config_ref_ServerIdent.html
> >
> > Many thanks for the suggestions, Ken. I will test them out and will see
> > what I can come up with. I also have a copy of "Secure FX", but I'm a
> > bit confused that you use it with "FTPS explicit" on port 22 (SSH).
> >
> > Because that would imply that the user has to have shell access,
> > although for FTPS on port 21 or 990 that wouldn't be required.
> >
> > If you use port 22, then this would rather imply SFTP (instead of FTPS),
> > which already worked before we did any modifications.
> >
> > There is also something else that I have been thinking about off and on:
> > The introduction of a shell called "scponly". It would allow limited
> > shell access to a user. Limited in so far that he can use SCP to upload
> > files, but cannot use SSH to get a bash. That would come in handy in so
> > far as we could say: We support SFTP (if shell access or SCPonly is
> > enabled for the user), but forget about FTPS, which we won't support.
> >
> > This would save us a lot of hassles such as having to have extra vhost
> > containers in proftpd.conf for every IP where we want to use FTPS on.
> >
> > --
> > With best regards
> >
> > Michael Stauber
> > _______________________________________________
> >
>
> Michael
>
> Sorry, I was wrong. It's port 21.
>
>
> Ken
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>
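Added example, not code from the thread or from the BlueOnyx or ProFTPD projects: a small POSIX shell audit of the <IfModule mod_tls.c> block Tobias posted above. It reads the directives out of the block, reports which settings make TLS optional (TLSRequired off accepts a cleartext USER/PASS, and NoSessionReuseRequired is the FileZilla accommodation the thread mentions), shows the same block with TLSRequired on beside it, and offers an openssl s_client probe for the explicit (AUTH TLS) handshake that both the port 21 listener and the extra xinetd port 990 listener speak in this setup. The directive names are ProFTPD's own; the sample block and the file paths are the ones quoted in the thread, embedded here as constructed input; the function names are this example's.

```shell
#!/bin/sh
# Added example (not from the thread): audit the <IfModule mod_tls.c> block
# of a proftpd.conf for the settings discussed above, and optionally probe a
# listener for explicit FTPS (AUTH TLS) with openssl s_client.

# Constructed sample: the global TLS block from the message above.
SAMPLE_CONF=$(cat <<'EOF'
# TLS
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSRequired off
TLSRSACertificateFile /etc/pki/dovecot/certs/dovecot.pem
TLSRSACertificateKeyFile /etc/pki/dovecot/private/dovecot.pem
TLSVerifyClient off
TLSOptions NoCertRequest NoSessionReuseRequired
TLSRenegotiate required off
</IfModule>
EOF
)

# tls_directive CONF NAME: print the value of NAME inside <IfModule mod_tls.c>
# (first match only; empty output if the directive is absent).
tls_directive() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[ \t]*<IfModule mod_tls\.c>/ { inblock = 1; next }
        /^[ \t]*<\/IfModule>/          { inblock = 0 }
        inblock && $1 == name { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }'
}

# tls_audit CONF: print findings; return 0 only when a login cannot bypass TLS.
tls_audit() {
    conf=$1
    rc=0
    engine=$(tls_directive "$conf" TLSEngine)
    required=$(tls_directive "$conf" TLSRequired)
    options=$(tls_directive "$conf" TLSOptions)
    log=$(tls_directive "$conf" TLSLog)
    cert=$(tls_directive "$conf" TLSRSACertificateFile)
    key=$(tls_directive "$conf" TLSRSACertificateKeyFile)

    if [ "$engine" = "on" ]; then
        echo "OK:   TLSEngine on"
    else
        echo "FAIL: TLSEngine is '$engine'; mod_tls is not active"; rc=1
    fi

    # 'off' (the thread's setting) still accepts a plaintext USER/PASS; the
    # values below force TLS on the control channel before credentials flow.
    case "$required" in
        on|ctrl|auth|auth+data|ctrl+data)
            echo "OK:   TLSRequired $required (credentials only over TLS)" ;;
        *)
            echo "WARN: TLSRequired '$required' lets clients log in in cleartext"; rc=1 ;;
    esac

    case " $options " in
        *" NoSessionReuseRequired "*)
            echo "INFO: NoSessionReuseRequired set (FileZilla accommodation; data connections need not reuse the control TLS session)" ;;
    esac

    [ -n "$log" ] && echo "INFO: handshakes logged to $log" \
                  || echo "WARN: no TLSLog; handshake failures will be hard to diagnose"

    for f in "$cert" "$key"; do
        [ -n "$f" ] || { echo "FAIL: certificate or key directive missing"; rc=1; continue; }
        [ -r "$f" ] || echo "INFO: $f not readable here (expected off the server)"
    done
    return $rc
}

# harden_conf CONF: the same block with TLSRequired on, the weak setting
# shown beside its corrected form; everything else stays as the thread set it.
harden_conf() {
    printf '%s\n' "$1" | sed 's/^\([[:space:]]*TLSRequired\)[[:space:]].*/\1 on/'
}

# ftps_probe HOST PORT: 0 if the listener completes an AUTH TLS handshake
# (explicit FTPS on 21, or on the extra port 990 xinetd listener above).
# Needs openssl and network access; not exercised in an offline run.
ftps_probe() {
    printf 'QUIT\r\n' | openssl s_client -starttls ftp -connect "$1:$2" 2>/dev/null |
        grep -q 'Verify return code'
}

# Stand-alone run: audit the file given as $1, else the constructed sample.
if [ "$#" -ge 1 ]; then
    conf=$(cat "$1")
else
    conf=$SAMPLE_CONF
fi
if tls_audit "$conf"; then
    echo "RESULT: logins are forced over TLS"
else
    echo "RESULT: logins can bypass TLS; the hardened block would be:"
    harden_conf "$conf"
fi
```

One caveat the audit cannot see from the file: a client profile set to implicit FTPS on 990 will fail against this xinetd listener, because proftpd here sends the plain FTP greeting and waits for AUTH TLS, which is why the FileZilla profile in the thread uses "Explicit FTP over SSL" on 990 rather than implicit.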