--- On Fri, 6/3/09, Prashant Karmankar <[email protected]> wrote:


From: Prashant Karmankar <[email protected]>
Subject: [LinuxVadaPav] FTP over ssl
To: [email protected]
Date: Friday, 6 March, 2009, 10:09 PM

Hi,

Does anybody know how to set up FTP over SSL on a Red Hat box?

Thanks & Regards

Prashant K

Hello,
          First of all you must compile ftp with SSL to use SSL/TLS security
and then follow the steps below. You can also download the JSCAPE secure ftp
server from the link below:
http://wareseeker.com/download/jscape-secure-ftp-server-for-linux-2.1.rar/167952
 
SSL/TLS With FTP
FTPS is also known as FTPS Secure or FTP-SSL.  What FTPS does is add the 
Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) to the normal 
FTP on the same port 21.  It is easy to confuse FTPS on port 21 with SFTP which 
is actually SSH on port 22.
Add these settings to your /etc/vsftpd.conf file and you will have an anonymous 
ftp server that will allow anyone to download files from /var/ftp but they 
cannot upload. It will also protect all of your users as they must ftp into 
their home accounts using ssl. 
# anonymous users may download from /var/ftp; no upload option is enabled
anonymous_enable=YES
local_enable=YES
# certificate (and key) in one pem file; see the openssl step below
rsa_cert_file=/etc/vsftpd.pem
ssl_enable=YES
# local (system account) users must use SSL/TLS for both login and data
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
You do not need to create the self-signed certificate as they are already 
created by the vsftpd server as you can see listed. Notice that ssl is enabled 
only for local logins, users who have accounts on the machine. The connection 
will still be on port 21. Once you have the server set up you will need a 
client that is ftps compatible.
 
Create Self-Signed Certificate
You can create a self-signed certificate with this command, which will create a
certificate for 1 year; the pem file is then saved in the /etc directory.
Note that you will need to change the /etc/vsftpd.conf file to enter the path
of this file. You will be asked several questions which will identify your
organization.
# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd.pem -out /etc/vsftpd.pem
Generating a 1024 bit RSA private key
......++++++
..++++++
writing new private key to '/etc/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MT
Locality Name (eg, city) []:Trout Creek
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example LTD
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:example.com
Email Address []:[email protected] 
Edit /etc/vsftpd.conf and comment out the rsa certificate and private key files 
that are there by default and add these lines which show the path to your 
self-signed certificate.
rsa_cert_file=/etc/vsftpd.pem
rsa_private_key_file=/etc/vsftpd.pem
Restart the ftp server.
service vsftpd restart
Using an FTP Client that is SSL/TLS Compatible
The popular Linux ftp client gFTP will not connect using SSL when you are using
self-signed certificates; you would have to purchase a real certificate for
your business. Another Linux alternative is to use ftp-ssl. This is a command
line version of ftp and actually will replace ftp with this client. It
functions the same as ftp. It will attempt to connect using ssl; if it is not
enabled it will drop back to regular ftp. The FileZilla version for Linux
continued to crash when the connection was made, so it is not a reliable option.
When you connect you will be asked to accept the self-signed certificate,
either the one you made or the default for vsftp.
Accept the certificate and you have encrypted FTP on port 21.
If you have users connecting with FileZilla for Windows, which is reliable, you
will need to make these changes so they can log in with SSL. Note the port is
still 21 but the Servertype is now FTP over SSL.
 
Regards,
Mubeen Nakade.
"Am Still Learning Linux"
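An added example, not part of the post above and not vsftpd's own code: a small Python checker that parses a vsftpd.conf fragment like the one in the reply and flags what a reviewer would want changed before exposing the server, namely the stray space in the certificate path and the SSLv2/SSLv3 lines (both protocols are obsolete and should be NO). SAMPLE_CONF is constructed from the settings in the post; parse_vsftpd_conf and check_ftps_conf are names chosen here.

```python
import re
# Constructed sample: the settings from the post above, stray space included.
SAMPLE_CONF = """\
anonymous_enable=YES
local_enable=YES
rsa_cert_file=/ etc/vsftpd.pem
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
"""

def parse_vsftpd_conf(text):
    """Parse vsftpd.conf into a dict. Each non-comment line is key=value;
    values are kept verbatim, since vsftpd does not trim them."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line (no '='): %r" % line)
        conf[key] = value
    return conf

def check_ftps_conf(conf):
    """Return findings for an FTPS (FTP over TLS on port 21) configuration."""
    findings = []
    if conf.get("ssl_enable") != "YES":
        findings.append("ssl_enable is not YES: logins and data go in clear text")
    for opt in ("force_local_logins_ssl", "force_local_data_ssl"):
        if conf.get(opt, "NO") != "YES":
            findings.append("%s is not YES: local users can fall back to plain FTP" % opt)
    for opt in ("ssl_sslv2", "ssl_sslv3"):
        if conf.get(opt) == "YES":
            findings.append("%s=YES enables an obsolete protocol; set it to NO" % opt)
    for opt in ("rsa_cert_file", "rsa_private_key_file"):
        path = conf.get(opt)
        if path is not None and (not path.startswith("/") or re.search(r"\s", path)):
            findings.append("%s=%r is not a clean absolute path" % (opt, path))
    if conf.get("anonymous_enable") == "YES" and conf.get("anon_upload_enable") == "YES":
        findings.append("anonymous users can upload; set anon_upload_enable=NO")
    return findings

if __name__ == "__main__":
    for finding in check_ftps_conf(parse_vsftpd_conf(SAMPLE_CONF)):
        print("WARN:", finding)
```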