-
Important Announcement for the TrueNAS Community.
The TrueNAS Community has now been moved. This forum has become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums
Forced SSL on FTP
- Thread starter creepwood
- Start date
- Status
matthewowen01
Guru
- Joined
- May 27, 2011
- Messages
- 566
it may be much easier to use sftp. plenty of clients for windows mac and unix.
warri
Guru
- Joined
- Jun 6, 2011
- Messages
- 1,193
I stumbled over the same question the other day, because by using SCP / SFTP I missed the chroot() functionality.
It is possible to enable FTP over SSL, but you have to change your /etc/rc.d/ix-proftpd config file. There doesn't seem to be a functionality in the GUI yet.
Here are the modifications needed (+ for line added, - for line removed) for FreeNAS-8.0.1-BETA1:
Restart your FTP via WebGUI or CLI after you saved the changes, and voilà - FTPS should work now.
It is possible to enable FTP over SSL, but you have to change your /etc/rc.d/ix-proftpd config file. There doesn't seem to be a functionality in the GUI yet.
Here are the modifications needed (+ for line added, - for line removed) for FreeNAS-8.0.1-BETA1:
Code:
<IfModule mod_tls.c>
TLSEngine on
TLSProtocol ${proftpd_tlsprotocol}
- TLSOptions ${proftpd_tlsoptions}
+ TLSOptions ${proftpd_tlsoptions} NoSessionReuseRequired # Support FTP Clients who don't reuse session
TLSRSACertificateFile ${proftpd_tlsrsacertfile}
TLSRSACertificateKeyFile ${proftpd_tlsrsakeyfile}
TLSVerifyClient ${proftpd_tlsverifyclient}
+ TLSRequired auth # Require TLS on authentication (set to "on" if you want it for data+control+auth)
+ TLSLog /var/log/proftpd/tls.log # logging path
+ PassivePorts 60000 65535 # port range for my NAT
- $(bool_on ${proftpd_tlsrequired} " TLSRequired ${proftpd_tlsrequired}")
</IfModule>Restart your FTP via WebGUI or CLI after you saved the changes, and voilà - FTPS should work now.
J
James
Guest
warri
Guru
- Joined
- Jun 6, 2011
- Messages
- 1,193
There still seem to be some issues with running FTPS:
FTP failed to start due to lack of TLS RSA Certificate - GUI not informative
Cannot connect to proFTP. Error: GnuTLS error -12: A TLS fatal alert has been received.
This might be your problem, and should be fixed in the upcoming FreeNAS releases.
Btw, is there any reason you need to use FTPS? I changed to SFTP via SSH since my last post.
FTP failed to start due to lack of TLS RSA Certificate - GUI not informative
Cannot connect to proFTP. Error: GnuTLS error -12: A TLS fatal alert has been received.
This might be your problem, and should be fixed in the upcoming FreeNAS releases.
Btw, is there any reason you need to use FTPS? I changed to SFTP via SSH since my last post.
You don't need to change the config file manually : in the GUI - FTP service you switch on "Enable SSL/TLS" and in the Auxiliary parameters you can directly add a line with :
Code:
TLS Required on
This will force the client to use TLS on authentication and for data.
If I add this it won't work. But without it will. But I don't like that the user brows all directories.
And still FTPS won't work with this config. I think it is like warri described, the version. Further there is a space to much between TLS and Requiered.
Code:
Match User example
ForceCommand internal-sftp
AllowTcpForwarding no
ChrootDirectory /mnt/Raid/exampleAnd still FTPS won't work with this config. I think it is like warri described, the version. Further there is a space to much between TLS and Requiered.
warri
Guru
- Joined
- Jun 6, 2011
- Messages
- 1,193
The example code you posted is for configuring SFTP (over ssh) - don't confuse FTPS (FTP Secure) and SFTP (SSH File Transfer Protocol). If you meant to post a SFTP configuration, here is mine:
Code:
Match Group sftp
ChrootDirectory /mnt/
ForceCommand internal-sftp
AllowTcpForwarding noThis allows all users belonging to the sftp group to connect via SFTP, and also restricts them to the /mnt/ directory, so they can not browse any other folders. Again, this is no addition for the FTP configuration, but the SSH configuration!
I know this as an old thread and I'm dredging it back up, but I've been wrestling with this same problem - how to restrict access for sftp users - and when I add a Match User or Match Group section to sshd_config then I get an authentication failure when the user tries to log in. What am I getting wrong?
Here's the contents of my current sshd_config file:
Code:
Protocol 2 UseDNS no Subsystem sftp /usr/libexec/sftp-server ChallengeResponseAuthentication no ClientAliveCountMax 3 ClientAliveInterval 15 Port 22 PermitRootLogin yes AllowTcpForwarding yes Compression no PasswordAuthentication yes PubkeyAuthentication yes
For the user I am trying to set up, I specified their home directory as the ftp directory I want them to be locked into when they ssh in. The permissions on that home directory are 755
Is there any other information that might help diagnose the issue?
One thing that comes to mind is that my volumes are all UFS (it's a 32 bit machine, so it can't address enough RAM to run ZFS properly). The instructions in the official documentation for chrooting ssh users involve making a separate ZFS dataset for each user, and I didn't really know if there is a similar method that works for UFS.
Update: I took a look at auth.log and this jumped out at me:
Do I have to change the ownership or permissions of the whole volume? Currently my admin user (not root) is listed as the owner of that volume, with permissions set as 775.
Code:
Jan 5 09:02:26 freenas sshd[5441]: fatal: bad ownership or modes for chroot directory component "/mnt/nymeria/"
Do I have to change the ownership or permissions of the whole volume? Currently my admin user (not root) is listed as the owner of that volume, with permissions set as 775.
warri
Guru
- Joined
- Jun 6, 2011
- Messages
- 1,193
The MatchGroup/MatchUser directive seems to be missing.
Add something like this to the Extra Options field in the SSH config of the WebGUI:
(This should be reflected in the /etc/ssh/sshd_config afterwards!)
Then create a group sftp and add the user to the group.
After that restart the SSH service.
The folder I use for Chroot has permissions 755 and ownership root:wheel.
Add something like this to the Extra Options field in the SSH config of the WebGUI:
Code:
LogLevel VERBOSE
Match Group sftp
ChrootDirectory /mnt/nymeria/
ForceCommand internal-sftp
AllowTcpForwarding no
(This should be reflected in the /etc/ssh/sshd_config afterwards!)
Then create a group sftp and add the user to the group.
After that restart the SSH service.
The folder I use for Chroot has permissions 755 and ownership root:wheel.
I actually tried adding a match group section, but after I put it in, my ftp user couldn't log in at all. So I took it back out.
Weird twist #1: the user's home folder isn't actually /mnt/nymeria , it's /mnt/nymeria/ftp/dpt . So I'm a tad confused as to why the error message came out exactly that way.
So, if i want the user to be chrooted into /mnt/nymeria/ftp/dpt do I just need to change the permissions of its parent directories as well?
If I'm understanding this correctly - the chroot directory needs to be owned by root:wheel with permissions set to 755, then the match group thing should work? Are there other things I should check for?
Weird twist #1: the user's home folder isn't actually /mnt/nymeria , it's /mnt/nymeria/ftp/dpt . So I'm a tad confused as to why the error message came out exactly that way.
So, if i want the user to be chrooted into /mnt/nymeria/ftp/dpt do I just need to change the permissions of its parent directories as well?
If I'm understanding this correctly - the chroot directory needs to be owned by root:wheel with permissions set to 755, then the match group thing should work? Are there other things I should check for?
Update part 2: it works now, I just had to change the ownership and permissions of all the parent directories all the way up the tree.
So, a question about best practices - right now I have a directory in /mnt/nymeria/ftp for each ftp user, and all of them need to be owned by root:wheel for chroot to work correctly. Is there a better way to do this? The example in the documentation has a separate ZFS dataset for each user. Is there a UFS equivalent?
I mean, I'll probably just build a 64-bit machine with enough ram and configure it with ZFS in the near future. This machine was more of an experiment, cobbled together from scraps and spare parts.
So, a question about best practices - right now I have a directory in /mnt/nymeria/ftp for each ftp user, and all of them need to be owned by root:wheel for chroot to work correctly. Is there a better way to do this? The example in the documentation has a separate ZFS dataset for each user. Is there a UFS equivalent?
I mean, I'll probably just build a 64-bit machine with enough ram and configure it with ZFS in the near future. This machine was more of an experiment, cobbled together from scraps and spare parts.
- Status
