
Configuring vsftpd for secure connections (TLS/SSL/SFTP)

This article pertains specifically to vsftpd on CentOS. Except for the installation instructions it should be adaptable to other distributions as well.

Traditional FTP is insecure: when you log in, your username and password are transmitted in clear text, and so is every file you transfer, so anyone who can see the traffic can sniff your credentials. Fortunately there is an easy answer. vsftpd can be configured to use TLS (via OpenSSL) so that logins, and the data connections too, are encrypted in transit. It takes just a few simple steps:


Install vsftpd

vsftpd is the default FTP server supplied with CentOS and may already be installed; check with "rpm -q vsftpd". If it isn't, install it by one of these methods:

Using yum (if you've installed yum):

 [root@vps] yum install vsftpd

Using rpm:

[root@vps] rpm -Uvh http://centos.mirror.vpslink.com/centos-4/4.3/os/i386/CentOS/RPMS/vsftpd-2.0.1-5.EL4.3.i386.rpm

If you install via rpm you may have to satisfy dependencies (other packages to install) yourself; yum resolves them for you. The rpm URL above points at one particular CentOS 4 release, so pick the package that matches your system.

Generate a Certificate

You use OpenSSL to generate a self-signed certificate for vsftpd. The certificate is stored on your server, in a location of your choice; here it goes in the /etc/vsftpd directory. You also specify a lifetime for the certificate; here it is set to a year ("-days 365"). The original command used a 1024-bit RSA key ("rsa:1024"), which is no longer considered safe, so use at least 2048 bits. Because "-keyout" and "-out" name the same file, that file will hold the private key as well as the certificate, so restrict it to root (chmod 600 /etc/vsftpd/vsftpd.pem) once it exists.

The trailing backslashes are shell line continuations, so you can copy/paste and run the command as it is, or remove the backslashes and join the lines. You may need to create the directory first (mkdir /etc/vsftpd).

 [root@vps] openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
 -keyout /etc/vsftpd/vsftpd.pem \
 -out /etc/vsftpd/vsftpd.pem

You will be prompted with a series of questions (country, organisation, and so on), which you answer as they appear; the Common Name should be the host name your clients will connect to. When done, the certificate and its private key will be in /etc/vsftpd/vsftpd.pem.

Configure vsftpd

To configure vsftpd you edit the file /etc/vsftpd/vsftpd.conf and add the following lines. Note that vsftpd insists on exactly "option=value" with no whitespace around the "=", and refuses to start if it finds any:

 ssl_enable=YES
 allow_anon_ssl=NO
 force_local_data_ssl=NO
 force_local_logins_ssl=NO
 ssl_tlsv1=YES
 ssl_sslv2=NO
 ssl_sslv3=NO
 rsa_cert_file=/etc/vsftpd/vsftpd.pem

Restart vsftpd for these settings to take effect:

 [root@vps] /etc/rc.d/init.d/vsftpd restart

If you set "force_local_logins_ssl=YES" then your clients will be required to use an FTP client that supports AUTH TLS/SSL in order to connect. If you leave it at "NO" (as above) then people can connect securely or insecurely, which means the clear-text password problem described at the top still exists for anyone who uses a plain client. The same applies to "force_local_data_ssl" for file contents. Unless you must support legacy clients, set both to "YES". Because the private key is in /etc/vsftpd/vsftpd.pem, keep that file readable by root only.
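The following script is an added example, not code from the original article or from the vsftpd project. It reads a vsftpd.conf and reports the weak choices discussed in the steps above: TLS left off, logins or data not forced onto TLS, SSLv2/SSLv3 enabled, no certificate configured, and whitespace around "=" that would stop vsftpd from starting. It assumes vsftpd's documented "option=value" syntax and the built-in defaults quoted from the vsftpd.conf man page (ssl_enable=NO, force_local_logins_ssl=YES, force_local_data_ssl=YES, ssl_tlsv1=YES, ssl_sslv2=NO, ssl_sslv3=NO); the option names and defaults are the real ones, everything else is this script's own.

```shell
#!/bin/sh
# Audit a vsftpd.conf for the TLS settings covered on this page.
# Added example; not part of vsftpd or of the original article.

# Effective value of an option: the last "key=value" line wins (vsftpd's
# documented syntax has no whitespace around "="), otherwise the built-in
# default passed as $3 (assumption: defaults taken from the man page).
# Values are upper-cased so "yes" and "YES" compare equal.
vsftpd_get() {
    _key=$1; _file=$2; _default=$3
    _val=$(grep -E "^${_key}=" "$_file" 2>/dev/null | tail -n 1 \
           | cut -d= -f2- | tr 'a-z' 'A-Z')
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$_default"; fi
}

# One finding per weak setting; the counter is global because POSIX sh
# has no local variables.
_vsftpd_findings=0
vsftpd_report() {
    printf 'WEAK: %s\n' "$1"
    _vsftpd_findings=$((_vsftpd_findings + 1))
}

# Print every weak setting in the config file $1; succeed only if there are none.
vsftpd_tls_audit() {
    _conf=$1
    _vsftpd_findings=0

    [ "$(vsftpd_get ssl_enable "$_conf" NO)" = YES ] \
        || vsftpd_report "ssl_enable=NO: TLS is not offered at all"
    [ "$(vsftpd_get force_local_logins_ssl "$_conf" YES)" = YES ] \
        || vsftpd_report "force_local_logins_ssl=NO: passwords may still cross the wire in clear text"
    [ "$(vsftpd_get force_local_data_ssl "$_conf" YES)" = YES ] \
        || vsftpd_report "force_local_data_ssl=NO: file contents may still cross the wire in clear text"
    [ "$(vsftpd_get ssl_sslv2 "$_conf" NO)" = NO ] \
        || vsftpd_report "ssl_sslv2=YES: SSLv2 is broken and must stay disabled"
    [ "$(vsftpd_get ssl_sslv3 "$_conf" NO)" = NO ] \
        || vsftpd_report "ssl_sslv3=YES: SSLv3 is broken (POODLE) and must stay disabled"
    [ "$(vsftpd_get ssl_tlsv1 "$_conf" YES)" = YES ] \
        || vsftpd_report "ssl_tlsv1=NO: make sure some TLS version is still enabled"
    grep -qE '^rsa_cert_file=' "$_conf" 2>/dev/null \
        || vsftpd_report "rsa_cert_file not set: the certificate you generated will not be used"

    # "opt = value" or "opt= value" makes vsftpd refuse to start.
    _ws=$(grep -cE '^[[:alnum:]_]+[[:space:]]+=|^[[:alnum:]_]+=[[:space:]]' "$_conf" 2>/dev/null)
    [ "${_ws:-0}" -eq 0 ] \
        || vsftpd_report "$_ws line(s) with whitespace around '=': vsftpd rejects this and will not start"

    [ "$_vsftpd_findings" -eq 0 ]
}

# Stand-alone use: sh vsftpd_tls_audit.sh /etc/vsftpd/vsftpd.conf
if [ "$#" -gt 0 ]; then
    vsftpd_tls_audit "$1"
fi
```

Run against the configuration block above it reports the two force_local_*_ssl=NO lines and nothing else; after changing both to YES it is silent and exits 0. Once vsftpd has been restarted, confirm from another machine that the AUTH TLS upgrade really happens with "openssl s_client -connect ftp.example.com:21 -starttls ftp" (host name assumed), which prints the certificate you generated. If clients can log in but every transfer fails, the usual culprit is "require_ssl_reuse", which defaults to YES and trips up clients that do not resume the control-connection TLS session on data connections.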

Connect with a Secure Client

There are several FTP programs available that support AUTH TLS / SSL / SFTP. I use CoreFTP (http://www.coreftp.com). There's an unrestricted free version available, as well as a paid 'pro' version with some extra features. With CoreFTP you can select AUTH TLS, AUTH SSL, or FTP over SSH, and you can choose to encrypt just your login, or directory listings and file transfers as well. Note that FTP over SSH (SFTP) is handled by the SSH daemon, not by vsftpd; only the AUTH TLS/SSL modes exercise the configuration above. In my experience all these options work fine when connecting to a VPSLink server running vsftpd & SSH.

Another free client is WinSCP. It is also available as a plug-in for FAR Manager, as well as a stand-alone client.

Excuse me, but in my humble opinion, WinSCP does not work with SSL, and vsftpd does not work with SFTP.

FireFTP (http://fireftp.mozdev.org/) is a Firefox extension that works swimmingly with vsftpd and SSL.

MOVEit Freely worked pretty well too (http://www.standardnetworks.com/products/?category_number=6&subcategory_number=1). I used MOVEit Freely, which is a command-line Windows client that can be scripted as well. The command line to use is "ftps -a -e:on -z ftp.somedomain.tld".

Other Distributions

If you're using a Linux distribution other than CentOS you can still use vsftpd. How you install it will depend on your distro -- for package installers, check for a vsftpd package. If there isn't a package available you can always install from source. Check the vsftpd website at http://vsftpd.beasts.org/.

You must ensure that your vsftpd is compiled with support for libssl; the ssl_* options above are silently useless otherwise. To check an installation of vsftpd for SSL support do (the library version number will vary between distributions):

 [root@vps] ldd /usr/sbin/vsftpd | grep libssl
 libssl.so.4 => /lib/libssl.so.4 (0x4001e000)
 

If you don't see output similar to this from the 'ldd' command then your vsftpd doesn't support SSL. You'll need to recompile it -- again, check the vsftpd website for documentation.

Retrieved from "http://wiki.vpslink.com/index.php?title=Configuring_vsftpd_for_secure_connections_(TLS/SSL/SFTP)&oldid=15224"