[BlueOnyx:11357] Re: 5108R FTPS

Ken - Precision Web Hosting, Inc kenlists at precisionweb.net
Wed Sep 19 18:06:06 -05 2012


----- Original Message ----- 
From: "Michael Stauber" <mstauber at blueonyx.it>
To: "BlueOnyx General Mailing List" <blueonyx at mail.blueonyx.it>
Sent: Wednesday, September 19, 2012 2:23 PM
Subject: [BlueOnyx:11354] Re: 5108R FTPS


> Hi Ken,
>
>>> For some reason Michael's solution did not work for me. Proftpd would
>>> not start.
>>>
>>> My solution was to:
>>> 1. Leave it as inet
>>> 2. Add the lines below to the /etc/proftpd.conf within the <Global>
>>> </Global> container
>>> <IfModule mod_tls.c>
>>>   TLSEngine on
>>>   TLSLog /var/log/tls.log
>>>   TLSRequired off
>>>   TLSOptions NoCertRequest
>>>   TLSRSACertificateFile /etc/admserv/certs/certificate
>>>   TLSRSACertificateKeyFile /etc/admserv/certs/key
>>>   TLSVerifyClient off
>>>   TLSRenegotiate required off
>>> </IfModule>
>>>
>>> Then within my "Secure FX" software set it to use:
>>>  - FTPS explicit
>>>  - on port 22
>>>  - disable certificate validation (if you are using something else for
>>>    the hostname instead of the servername)
>>>
>>>
>>>
>>
>> Also, maybe we could have the DeferWelcome and ServerIdent Off set in the
>> <Global> by default also.
>> http://www.proftpd.org/docs/directives/linked/config_ref_DeferWelcome.html
>> http://www.proftpd.org/docs/directives/linked/config_ref_ServerIdent.html
>
> Many thanks for the suggestions, Ken. I will test them out and will see
> what I can come up with. I also have a copy of "Secure FX", but I'm a
> bit confused that you use it with "FTPS explicit" on port 22 (SSH).
>
> Because that would imply that the user has to have shell access,
> although for FTPS on port 21 or 990 that wouldn't be required.
>
> If you use port 22, then this would rather imply SFTP (instead of FTPS),
> which already worked before we did any modifications.
>
> There is also something else that I have been thinking about off and on:
> The introduction of a shell called "scponly". It would allow limited
> shell access to a user. Limited in so far that he can use SCP to upload
> files, but cannot use SSH to get a bash. That would come in handy in so
> far as we could say: We support SFTP (if shell access or SCPonly is
> enabled for the user), but forget about FTPS, which we won't support.
>
> This would save us a lot of hassles such as having to have extra vhost
> containers in proftpd.conf for every IP where we want to use FTPS on.
>
> -- 
> With best regards
>
> Michael Stauber

Michael

Sorry, I was wrong. It's port 21.


Ken 
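Added example, not from this thread or from the BlueOnyx project: the mod_tls block quoted above, rewritten so that TLS is required rather than optional on port 21, with the DeferWelcome/ServerIdent suggestion folded in. The certificate paths are the ones from the post; the TLSProtocol and TLSCipherSuite values are assumptions about what the installed mod_tls build accepts.

```apacheconf
<Global>
  # Constructed example: the quoted <IfModule mod_tls.c> block, hardened.
  <IfModule mod_tls.c>
    TLSEngine                  on
    TLSLog                     /var/log/tls.log

    # The post used "TLSRequired off". TLS is then optional, so a client
    # that never sends AUTH TLS still logs in with USER/PASS in the clear.
    # "on" refuses logins and data transfers unless TLS has been negotiated.
    TLSRequired                on

    # Assumption: a mod_tls build that accepts these names/strings.
    TLSProtocol                TLSv1.2
    TLSCipherSuite             HIGH:!aNULL:!MD5

    TLSOptions                 NoCertRequest
    TLSRSACertificateFile      /etc/admserv/certs/certificate
    TLSRSACertificateKeyFile   /etc/admserv/certs/key
    TLSVerifyClient            off
    TLSRenegotiate             required off
  </IfModule>

  # Ken's second suggestion: do not announce the ProFTPD version before
  # the client has authenticated.
  DeferWelcome               on
  ServerIdent                off
</Global>
```

With TLSRequired on, plain-FTP clients will be refused, so test with an FTPS-capable client first; `openssl s_client -starttls ftp -connect HOST:21` shows which certificate and protocol the server actually negotiates. Turning off certificate validation in the client, as the post does, means the client will accept any server certificate, so a certificate issued for the hostname the client connects to is the better long-term fix.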
