How to install virtual FTP hosting with PureFTP on FreeBSD 10: Part 2 – TLS & Unix Auth

In the 1st part of this post I configured a very general setup for pure-ftpd. In this post we'll test the functionality of this FTP server using simple (Unix) authentication, and then configure the TLS section.

To test the server I need to add a user. I used to use sysinstall for this purpose, but since sysinstall is no longer available on FreeBSD 10, I use bsdconfig instead.

Introducing bsdconfig

From the bsdconfig manual:

bsdconfig is used to set up many system configuration settings, both for new systems, as well as changing configuration settings of existing systems.

bsdconfig optionally takes a command as an argument. If invoked with no arguments, it will bring up an interactive menu listing the available modules.

I like the interactive menu version, so I just type bsdconfig; you can also use the full path: /usr/sbin/bsdconfig

If it is not available, you can install it.

From ports

# cd /usr/ports/sysutils/bsdconfig && make install

From pkg

# pkg install bsdconfig

For the pure-ftpd setup I need bsdconfig to add a new user:

# bsdconfig

Choose “Login/Group Management”

[Screenshot: bsdconfig as sysinstall replacement]

Choose Add Login and enter the login name.

[Screenshot: bsdconfig add user]

I choose Yes for the default values, as I want bsdconfig to fill in all the values for me.

[Screenshot: bsdconfig set user details]

If you choose No, you can configure the full name, password and more. If you are familiar with the wheel group, you can adjust that setting here too; an account that only needs FTP access has no reason to be in wheel.

[Screenshot: bsdconfig accept default values]

Click OK and the data is stored.

After the login is added, the only remaining step is to set the password:

# passwd alamsyah
Changing local password for alamsyah
New Password:
Retype New Password:
root@pureftp:~ #

Testing from the client

I use an FTP client on Windows (CoreFTP) and enter the IP provided by Vultr.

[Screenshot: connect to the pure-ftpd server running on FreeBSD 10 from a Windows FTP client]

Click Connect and you'll be logged in to your account.

[Screenshot: connect to the pure-ftpd server running on FreeBSD 10 from a Windows FTP client: connected]

At this stage user authentication works for a user that exists on the server. The next step is to configure and enable TLS.

Configure and enable TLS support for pure-ftpd on FreeBSD 10

To create the key and certificate, pure-ftpd documents these steps:

# mkdir -p /etc/ssl/private
# openssl req -x509 -nodes -newkey rsa:1024 -keyout \
/etc/ssl/private/pure-ftpd.pem \
-out /etc/ssl/private/pure-ftpd.pem

Answer all the questions. The resulting file holds the private key as well as the certificate, so keep it readable by root only (chmod 600). Note that rsa:1024 is the size used in these steps; 2048 bits is the current minimum for an RSA key.

The next step is to enable TLS. pure-ftpd provides 3 options:

# ee /usr/local/etc/pure-ftpd.conf

# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

# TLS                      1

To enable TLS support, remove the # in front of TLS 1 and change the value from 1 to 2.

Save the file.

By changing it to 2 you force clients to use TLS: a client that still tries a cleartext login is refused before it gets to send a password.

Restart the pure-ftpd server:

# /usr/local/etc/rc.d/pure-ftpd restart

Stopping pureftpd.
Waiting for PIDS: 77338.
Starting pureftpd.
Running: /usr/local/sbin/pure-ftpd -g/var/run/pure-ftpd.pid -A -c50 -B -C8 -D -fftp -H -I15 -L10000:8 -m4 -s -U133:022 -u100 -k99 -Z -Y2
pure-ftpd: invalid option -- Y
pure-ftpd: invalid option -- 2

If you see the error message "invalid option", you probably missed the TLS option when you installed pure-ftpd from ports: -Y is the TLS flag, and a binary built without TLS support does not recognise it.

To fix it:

# cd /usr/ports/ftp/pure-ftpd/

# make deinstall

# make rmconfig

# make install

Don't forget to choose the TLS option this time.

Try restarting the service after the install.

# /usr/local/etc/rc.d/pure-ftpd restart
Stopping pureftpd.
Waiting for PIDS: 78474.
Starting pureftpd.
Running: /usr/local/sbin/pure-ftpd -g/var/run/pure-ftpd.pid -A -c50 -B -C8 -D -fftp -H -I15 -L10000:8 -m4 -s -U133:022 -u100 -k99 -Z -Y2

No problem this time.

Test again from the client side.

If you try again without TLS, an error message is displayed:

220-You are user number 1 of 50 allowed.
220-Local time is now 12:52. Server port: 21.
220-IPv6 connections are also welcome on this server.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
USER alamsyah
421 Sorry, cleartext sessions are not accepted on this server.
Connection Failed

The client needs to choose AUTH TLS.

[Screenshot: connect to the pure-ftpd server running on FreeBSD 10 from a Windows FTP client: setting TLS]

Try again:

220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 12:54. Server port: 21.
220-IPv6 connections are also welcome on this server.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
AUTH TLS
234 AUTH TLS OK.
TLSv1, cipher TLSv1/SSLv3 (DHE-RSA-AES256-SHA) - 256 bit
USER alamsyah
331 User alamsyah OK. Password required
PASS **********
230 OK. Current restricted directory is /
SYST
215 UNIX Type: L8
Keep alive off...
PWD
257 "/" is your current location
PBSZ 0
200 PBSZ=0
PROT P
200 Data protection level set to "private"
PASV
227 Entering Passive Mode (104,207,128,100,156,76)
LIST
Connect socket #1300 to 104.207.128.100, port 40012...
TLSv1, cipher TLSv1/SSLv3 (DHE-RSA-AES256-SHA) - 256 bit
150 Accepted data connection
226-Options: -a -l
226 10 matches total
Transferred 706 bytes in 0.010 second

Yes, this time the connection was established successfully.
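As an added example (not from this post or the Pure-FTPd project), here is a small Python auditor that replays a client transcript like the two above and reports whether USER/PASS were only sent after AUTH TLS succeeded, whether the listing ran under PROT P, and which protocol version was negotiated (the log above shows TLSv1, which is deprecated today). The transcript it embeds is a constructed, trimmed copy of the successful session above, not a live capture.

```python
import re
# Constructed sample: the successful client log from the post, trimmed to the
# reply codes, commands and the client's TLS diagnostic line (not a live capture).
TLS_SESSION = """\
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
AUTH TLS
234 AUTH TLS OK.
TLSv1, cipher TLSv1/SSLv3 (DHE-RSA-AES256-SHA) - 256 bit
USER alamsyah
331 User alamsyah OK. Password required
PASS **********
230 OK. Current restricted directory is /
PROT P
200 Data protection level set to "private"
LIST
150 Accepted data connection
226 10 matches total
"""

def audit_ftp_transcript(text):
    """Replay a control-channel log and report how credentials and the data
    channel were protected. A None finding means 'not observed in this log'."""
    f = {"cleartext_login_refused": False, "credentials_encrypted": None,
         "data_channel_private": None, "tls_version": None}
    tls_up = prot_private = False  # set by 234 to AUTH and by 200 to PROT P
    pending = None                 # last client command still awaiting a reply
    for line in text.splitlines():
        diag = re.match(r"(TLSv[\d.]+|SSLv\d), cipher", line)  # client-side TLS note
        reply = re.match(r"(\d{3})[ -]", line)                 # server reply code
        if diag:
            f["tls_version"] = diag.group(1)
        elif reply is None:                                    # a client command
            pending = line.strip().upper()
            verb = pending.split(" ", 1)[0]
            if verb in ("USER", "PASS"):   # cleartext unless AUTH TLS already succeeded
                f["credentials_encrypted"] = tls_up and f["credentials_encrypted"] is not False
            elif verb in ("LIST", "NLST", "RETR", "STOR"):  # data channel needs TLS + PROT P
                f["data_channel_private"] = tls_up and prot_private and f["data_channel_private"] is not False
        else:
            code = reply.group(1)
            if pending and pending.startswith("AUTH") and code == "234":
                tls_up = True
            elif pending == "PROT P" and code == "200":
                prot_private = True
            elif pending and pending.startswith("USER") and code == "421" and not tls_up:
                f["cleartext_login_refused"] = True   # the TLS=2 refusal shown above
            if code[0] != "1":   # 1xx is preliminary (e.g. 150); keep waiting for the final reply
                pending = None
    return f
```

Running it over the failed cleartext attempt above reports cleartext_login_refused as True with credentials_encrypted False, which is exactly the behaviour TLS 2 is meant to enforce.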

At this stage pure-ftpd is able to serve users via Unix authentication and protects user passwords with TLS. This is a very minimal setup. As the title mentions virtual users, I'll continue with setting up virtual users in pure-ftpd under FreeBSD 10 in the next part.

Stay tuned.