<IfModule mod_tls.c> TLSEngine on TLSProtocol ${proftpd_tlsprotocol} - TLSOptions ${proftpd_tlsoptions} + TLSOptions ${proftpd_tlsoptions} NoSessionReuseRequired # Support FTP Clients who don't reuse session TLSRSACertificateFile ${proftpd_tlsrsacertfile} TLSRSACertificateKeyFile ${proftpd_tlsrsakeyfile} TLSVerifyClient ${proftpd_tlsverifyclient} + TLSRequired auth # Require TLS on authentication (set to "on" if you want it for data+control+auth) + TLSLog /var/log/proftpd/tls.log # logging path + PassivePorts 60000 65535 # port range for my NAT - $(bool_on ${proftpd_tlsrequired} " TLSRequired ${proftpd_tlsrequired}") </IfModule>
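Review bot: the removed `$(bool_on ${proftpd_tlsrequired} ...)` line at the end of the block is replaced by a hardcoded `TLSRequired auth`, so the proftpd_tlsrequired setting no longer has any effect. With `auth`, only the login is forced onto TLS and data transfers can still go in the clear; the added comment itself notes that `on` is what covers data+control+auth. Consider keeping the variable-driven line and defaulting it to `on`. Two smaller points: `NoSessionReuseRequired` is appended for every client, which drops the mod_tls check that a data connection reuses the control connection's TLS session, so it would be better as an opt-in; and `PassivePorts 60000 65535` is not a TLS setting but sits inside `<IfModule mod_tls.c>` with a fixed range, so it would be cleaner outside the block and configurable.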
I stumbled over the same question the other day, because by using SCP / SFTP I missed the chroot() functionality.
It is possible to enable FTP over SSL, but you have to change your /etc/rc.d/ix-proftpd config file. There doesn't seem to be a functionality in the GUI yet.
Here are the modifications needed (+ for line added, - for line removed) for FreeNAS-8.0.1-BETA1:
TLS Required on
Match User example
    ForceCommand internal-sftp
    AllowTcpForwarding no
    ChrootDirectory /mnt/Raid/example
TLS Required on
If I add this it won't work. But without it, it will. But I don't like that the user browses all directories.
And still FTPS won't work with this config. I think it is like warri described, the version. Further, there is a space too much between TLS and Required.
The example code you posted is for configuring SFTP (over SSH) - don't confuse FTPS (FTP Secure) and SFTP (SSH File Transfer Protocol). If you meant to post an SFTP configuration, here is mine:
Code:
Match Group sftp
    ChrootDirectory /mnt/
    ForceCommand internal-sftp
    AllowTcpForwarding no
This allows all users belonging to the sftp group to connect via SFTP, and also restricts them to the /mnt/ directory, so they can not browse any other folders. Again, this is no addition for the FTP configuration, but the SSH configuration!
What is your exact configuration for SSH and the user? Also check the logs, maybe there is a more detailed message on what went wrong.
Protocol 2
UseDNS no
Subsystem sftp /usr/libexec/sftp-server
ChallengeResponseAuthentication no
ClientAliveCountMax 3
ClientAliveInterval 15
Port 22
PermitRootLogin yes
AllowTcpForwarding yes
Compression no
PasswordAuthentication yes
PubkeyAuthentication yes
Jan 5 09:02:26 freenas sshd[5441]: fatal: bad ownership or modes for chroot directory component "/mnt/nymeria/"
The MatchGroup/MatchUser directive seems to be missing.
Add something like this to the Extra Options field in the SSH config of the WebGUI:
Code:
LogLevel VERBOSE
Match Group sftp
    ChrootDirectory /mnt/nymeria/
    ForceCommand internal-sftp
    AllowTcpForwarding no
(This should be reflected in the /etc/ssh/sshd_config afterwards!)
Then create a group sftp and add the user to the group.
After that restart the SSH service.
The folder I use for Chroot has permissions 755 and ownership root:wheel.
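The "bad ownership or modes for chroot directory component" message in the log above comes from sshd requiring every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others. The following pre-flight check is an added example, not part of the original thread; the function names `component_ok` and `check_chroot_path` are hypothetical, and symlinked components are flagged for manual review rather than followed.

```shell
#!/bin/sh
# Added example (not from the thread): check a ChrootDirectory path before
# restarting sshd. Every component from "/" down must be a directory owned by
# uid 0 and not writable by group or others (e.g. 755 root:wheel).

# component_ok UID PERMS -> 0 if acceptable. PERMS is the first field of
# `ls -ld`, e.g. "drwxr-xr-x".
component_ok() {
    [ "$1" = "0" ] || return 1            # must be owned by root
    case "$2" in
        d????w*|d???????w*) return 1 ;;   # group- or world-writable
        d*) return 0 ;;
        *) return 1 ;;                    # missing, symlink, or not a directory
    esac
}

# check_chroot_path PATH -> one line per component; returns 1 if any fails.
check_chroot_path() {
    rest=${1#/}; cur=""; rc=0
    while :; do
        target=${cur:-/}
        # -n prints the numeric uid, so no passwd lookup is involved
        line=$(ls -ldn "$target" 2>/dev/null) || line=""
        perms=${line%% *}
        uid=$(printf '%s\n' "$line" | awk '{print $3}')
        if component_ok "$uid" "$perms"; then
            echo "ok   $target"
        else
            echo "BAD  $target (uid=${uid:-?} mode=${perms:-missing})"
            rc=1
        fi
        [ -n "$rest" ] || break
        cur="$cur/${rest%%/*}"            # descend one component
        case "$rest" in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
    done
    return $rc
}

# Usage: sh check_chroot.sh /mnt/nymeria/
[ $# -eq 0 ] || check_chroot_path "$1"
```

Any line marked BAD is a component sshd would reject; fix its owner or mode and rerun before restarting the SSH service.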