FTP server using Samba4 auth
- Title: FTP server using Samba4 auth
- Author(s): Mateo Burillo
- Date: 28 Agosto 2014
- Version(s): 1.0
- Zentyal profiles: All
In this article we describe how to deploy a secure FTP server using Zentyal's users backend (Samba4) to authorize system users.
The article assumes that your Zentyal server has Samba4 already installed, configured and enabled.
We are going to use vsftpd
sudo apt-get install vsftpd
Make sure your have PAM enabled in the LDAP Settings of your Zentyal server.
Remember as well to open the associated ports (20 and 21 by default) on the desired interfaces using Zentyal's firewall.
Follow this template to configure /etc/vsftpd.conf
# Run standalone listen=YES # Allow anonymous FTP anonymous_enable=NO anon_world_readable_only=YES
You may want to change this to anonymous_enable=YES if you desire to allow anonymous login
# Allow local users to log in local_enable=YES # # Allow any form of FTP write command write_enable=YES # # Default umask is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd) local_umask=022 anon_umask=022 # # Allow the anonymous FTP user to write files anon_upload_enable=NO anon_mkdir_write_enable=NO anon_other_write_enable=NO # # Activate directory messages dirmessage_enable=YES # # Display directory listings with the time in your local time zone use_localtime=YES # # Activate logging of uploads/downloads xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data) connect_from_port_20=YES # Customise the login banner string ftpd_banner=Welcome to Zentyal FTP service.
Change the banner to whatever you prefer.
# Restrict local users to their home directories chroot_local_user=YES seccomp_sandbox=NO
Change chroot_local_user to NO if you want the users to navigate the whole system. Comment out seccomp_sandbox=NO in that case.
# Activate the "-R" option to the builtin ls. This is disabled by default to # avoid remote users being able to cause excessive I/O on large sites. # However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option ls_recurse_enable=YES # # Show textual names in the user and group fields of directory listings text_userdb_names=YES # # Empty directory not writable by the ftp user as a secure chroot() jail at # times vsftpd does not require filesystem access secure_chroot_dir=/var/run/vsftpd/empty # # PAM service vsftpd will use pam_service_name=vsftpd # Support secure connections via SSL. This applies to the control connection # (including login) and also data connections ssl_enable=YES # # Certificate to use for SSL encrypted connections rsa_cert_file=/etc/ftpssl/ftp.pem
For the rsa_cert_file you may want to use your own valid certificates or just generate new ones:
root@zentyal:/etc/ftpssl# openssl genrsa 2048 > ftp.key
root@zentyal:/etc/ftpssl# chmod 400 ftp.key
root@zentyal:/etc/ftpssl# openssl req -new -x509 -nodes -sha1 -days 365 -key ftp.key > ftp.crt
root@zentyal:/etc/ftpssl# cat ftp.crt ftp.key > ftp.pem
# # Not to require all SSL data connections to exhibit SSL session reuse require_ssl_reuse=NO # # Force authenticated login and data via SSL force_local_logins_ssl=NO force_local_data_ssl=NO
Using this configuration you allow both FTP and FTPS. You can force SSL changing these two last configkeys to YES, take into account that some popular FTP clients don't support it.
Once you have finished configuring /etc/vsftpd.conf, you need to write the following content in the file /etc/pam.d/vsftpd
# Standard behaviour for ftpd(8). auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed # Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so. # Standard pam includes. @include common-account @include common-session @include common-auth
Restart the service
service vsftpd restart
And the users in your LDAP tree will be able to access your FTP server.