FTP, SFTP, and TFTP
10 minute read.
Last Modified 2021-04-05 14:25 EDT
The File Transfer Protocol (FTP) is a simple option for data transfers. The SSH-based and Trivial FTP options provide a secure transfer method and a simple method for configuration files, respectively.
Options for configuring FTP, SSH, and TFTP are in the system Services. Click the edit icon to configure the related service.
FTP requires a new dataset and local user account.
Go to Storage > Pools to add a new dataset. 
Next, go to Accounts > Users > Add to create a local user on the TrueNAS. 
Assign a user name and password, and set the newly created dataset for the FTP share as the user's home directory. This can be done per user, or a single shared FTP account (for example, OurOrgFTPacnt) can be created.
Return to Storage > Pools, find the new dataset, and click more_vert > Edit Permissions. Set the Owner fields (user and group) to the newly created user account. Be sure to click Apply User and Apply Group before saving.
To configure FTP, go to the Services page, find the FTP entry, and click the edit icon.
Configure the options according to your environment and security considerations.
General Options
Name | Description |
---|---|
Port | Set the port the FTP service listens on. |
Clients | The maximum number of simultaneous clients. |
Connections | Set the maximum number of connections per IP address. 0 means unlimited. |
Login Attempts | Enter the maximum number of attempts before client is disconnected. Increase this if users are prone to typos. |
Timeout | Maximum client idle time in seconds before client is disconnected. |
Certificate | The SSL certificate to be used for TLS FTP connections. To create a certificate, use System > Certificates. |
Advanced
Access
Name | Description |
---|---|
Always Chroot | When set, a local user is only allowed access to their home directory if they are a member of the wheel group. |
Allow Root Login | Setting this option is discouraged as it increases security risk. |
Allow Anonymous Login | Allow anonymous FTP logins with access to the directory specified in Path. |
Allow Local User Login | Allow any local user to log in. By default, only members of the ftp group are allowed to log in. |
Require IDENT Authentication | Setting this option results in timeouts when identd is not running on the client. |
File Permissions | Sets default permissions for newly created files. |
Directory Permissions | Sets default permissions for newly created directories. |
TLS
Name | Description |
---|---|
Enable TLS | Allow encrypted connections. Requires a certificate created or imported with the System > Certificates menu. |
TLS Policy | Define whether the control channel, data channel, both channels, or neither channel of an FTP session must occur over SSL/TLS. The policies are described here. |
TLS Allow Client Renegotiations | Setting this option is not recommended as it breaks several security measures. Refer to mod_tls for more details. |
TLS Allow Dot Login | If set, the user home directory is checked for a .tlslogin file which contains one or more PEM-encoded certificates. If not found, the user is prompted for password authentication. |
TLS Allow Per User | If set, the password of the user can be sent unencrypted. |
TLS Common Name Required | When set, the common name in the certificate must match the FQDN of the host. |
TLS Enable Diagnostics | If set when troubleshooting a connection, logs more verbosely. |
TLS Export Certificate Data | Set to export the certificate environment variables. |
TLS No Certificate Request | Set if the client cannot connect, and it is suspected the client is poorly handling the server certificate request. |
TLS No Empty Fragments | Enabling this option is not recommended as it bypasses a security mechanism. |
TLS No Session Reuse Required | Setting this option reduces the security of the connection, so only use it if the client does not understand reused SSL sessions. |
TLS Export Standard Vars | If selected, sets several environment variables. |
TLS DNS Name Required | If set, the DNS name of the client must resolve to its IP address and the cert must contain the same DNS name. |
TLS IP Address Required | If set, the client certificate must contain the IP address that matches the IP address of the client. |
Bandwidth
Name | Description |
---|---|
Local User Upload Bandwidth * | In KiBs or greater. A default of 0 KiB means unlimited. This field accepts human-readable input (Ex. 50 GiB, 500M, 2 TB). If units are not specified, the value defaults to KiB. |
Local User Download Bandwidth * | In KiBs or greater. A default of 0 KiB means unlimited. This field accepts human-readable input (Ex. 50 GiB, 500M, 2 TB). If units are not specified, the value defaults to KiB. |
Anonymous User Upload Bandwidth * | In KiBs or greater. A default of 0 KiB means unlimited. This field accepts human-readable input (Ex. 50 GiB, 500M, 2 TB). If units are not specified, the value defaults to KiB. |
Anonymous User Download Bandwidth * | In KiBs or greater. A default of 0 KiB means unlimited. This field accepts human-readable input (Ex. 50 GiB, 500M, 2 TB). If units are not specified, the value defaults to KiB. |
Other Options
Name | Description |
---|---|
Minimum Passive Port * | Used by clients in PASV mode. A default of 0 means any port above 1023. |
Maximum Passive Port * | Used by clients in PASV mode. A default of 0 means any port above 1023. |
Enable FXP | Set to enable the File eXchange Protocol. This option makes the server vulnerable to FTP bounce attacks so it is not recommended. |
Allow Transfer Resumption | Set to allow FTP clients to resume interrupted transfers. |
Perform Reverse DNS Lookups | Set to perform reverse DNS lookups on client IPs. This can cause long delays if reverse DNS is not configured. |
Masquerade Address | Public IP address or hostname. Set if FTP clients cannot connect through a NAT device. |
Display Login | Specify the message displayed to local login users after authentication. Not displayed to anonymous login users. |
Auxiliary Parameters | Used to add additional proftpd(8) parameters. |
Ensure Always Chroot is enabled, as this confines FTP sessions to the local user's home directory, and enable Allow Local User Login.
Unless necessary, do NOT allow anonymous or root access. For better security, enable TLS when possible; this is effectively FTPS. When FTP is exposed to a WAN, always enable TLS.
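The FTP form above is rendered by TrueNAS into a proftpd configuration. The script below is an added example, not part of the TrueNAS documentation or product: it audits a proftpd.conf for the settings the tables and the two paragraphs above warn about (chroot off, root or anonymous login, TLS not enforced, FXP on). The directive names are standard proftpd ones; the two sample configuration files, the pool path and the certificate paths in them are constructed placeholders, and the location of the generated proftpd.conf on a TrueNAS system is not given on this page.

```shell
#!/bin/sh
# Added example, not from the TrueNAS documentation: audit a proftpd.conf
# for the settings this page discourages. The directives checked are
# standard proftpd ones; both sample files below are constructed.

# audit_proftpd_conf FILE: print one line per risky setting found.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_proftpd_conf() {
    conf=$1
    findings=0
    # Drop comments so a commented-out directive does not count.
    active=$(sed 's/#.*$//' "$conf")
    has() { printf '%s\n' "$active" | grep -Eiq "$1"; }

    # Always Chroot off: without "DefaultRoot ~" users can browse the whole pool.
    has '^[[:space:]]*DefaultRoot[[:space:]]+~' \
        || { echo "no 'DefaultRoot ~': sessions are not confined to the home directory"; findings=$((findings+1)); }
    # Allow Root Login
    has '^[[:space:]]*RootLogin[[:space:]]+on' \
        && { echo "'RootLogin on': root may log in over FTP"; findings=$((findings+1)); }
    # Allow Anonymous Login
    has '^[[:space:]]*<Anonymous' \
        && { echo "<Anonymous> block present: anonymous logins are allowed"; findings=$((findings+1)); }
    # Enable TLS + TLS Policy: anything short of "TLSRequired on" leaves a channel in clear text.
    { has '^[[:space:]]*TLSEngine[[:space:]]+on' && has '^[[:space:]]*TLSRequired[[:space:]]+on'; } \
        || { echo "TLS not enforced: credentials and data can cross the wire unencrypted"; findings=$((findings+1)); }
    # Enable FXP
    has '^[[:space:]]*AllowForeignAddress[[:space:]]+on' \
        && { echo "'AllowForeignAddress on': FXP enabled, server usable for FTP bounce"; findings=$((findings+1)); }

    [ "$findings" -eq 0 ]
}

# Constructed sample 1: what the discouraged settings look like.
write_weak_conf() {
    cat > "$1" <<'EOF'
ServerName "constructed weak sample"
Port 21
RootLogin on
AllowForeignAddress on
TLSEngine off
<Anonymous /mnt/pool/ftp>
  User ftp
  Group ftp
</Anonymous>
EOF
}

# Constructed sample 2: the settings this page recommends (chroot on, no root
# or anonymous login, TLS required on both channels, FXP off, a fixed passive
# range for the firewall). Certificate paths are placeholders.
write_hardened_conf() {
    cat > "$1" <<'EOF'
ServerName "constructed hardened sample"
Port 21
DefaultRoot ~
RootLogin off
AllowForeignAddress off
PassivePorts 50000 50100
TLSEngine on
TLSRequired on
TLSRSACertificateFile /path/to/cert.pem
TLSRSACertificateKeyFile /path/to/key.pem
EOF
}

# Stand-alone demo: `sh audit_proftpd.sh demo` audits both samples.
if [ "${1:-}" = "demo" ]; then
    w=$(mktemp); h=$(mktemp)
    write_weak_conf "$w"; write_hardened_conf "$h"
    echo "== weak sample =="; audit_proftpd_conf "$w" || true
    echo "== hardened sample =="; audit_proftpd_conf "$h" && echo "clean"
    rm -f "$w" "$h"
fi
```

Run it against the generated configuration after saving the service form; a non-zero exit means at least one of the discouraged settings is active. The TLS check deliberately treats any policy other than both channels as a finding, because a control-only policy still sends file contents in clear text.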
Use a browser or FTP client to connect to the TrueNAS FTP share. The images here show using FileZilla, a free option.
The user name and password are those of the local user account on the TrueNAS.
The default directory is the same as the user’s
SFTP, or SSH File Transfer Protocol, is available by enabling SSH remote access to the TrueNAS system. SFTP is more secure than standard FTP as it applies SSL encryption on all transfers by default.
Go to Services, find the SSH entry, and click the edit icon.
Set Allow Password Authentication and decide if Log in as Root with Password is needed. SSH with root is a security vulnerability as it allows full remote control over the NAS with a terminal, not just SFTP transfer access. Review the remaining options and configure according to your environment or security needs.
Similar to the FTP setup, open FileZilla or another FTP client, or use the command line. This article uses FileZilla as the example. In FileZilla, enter sftp://<TrueNAS IP>, the username, the password, and port 22 to connect.
SFTP does not have chroot locking. While chroot is not 100% secure, the lack of chroot allows users to easily move up to the root directory and view internal system information. If this level of access is a concern, FTP with TLS may be the more secure choice.
Another way to allow SFTP access without granting read access to other areas of the NAS itself is to set up a jail and enable SSH.
Go to Jails > Add. Provide a name for the jail and pick a target FreeBSD image. 11.3 was used for the purpose of this guide.
Set the networking options to either DHCP or a static IP and confirm to create.
After the jail is created, open the jail menu by clicking the expand icon > on the right-hand side of the jail. Click START and open the SHELL.
Similar to the initial FTP setup, create a user in the jail.
Enter adduser and follow the prompts, including the password and home directory location. When complete, the jail asks to confirm the credentials.
Enable SSH by editing /etc/rc.conf with vi /etc/rc.conf or ee /etc/rc.conf, depending on preference. Add sshd_enable="YES" to the file (no spaces around the equals sign, since rc.conf is read as shell syntax), save, and exit.
Type service sshd enabled to enable the service (enabled vs start indicates whether sshd starts one time or on every reboot).
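The jail-side steps above (add a user, enable sshd in rc.conf, start sshd) collected into one script, as an added example that is not part of the TrueNAS guide. The user name is a placeholder, the password is prompted for rather than stored, and the parts that touch the jail (pw, service) run only when the script is invoked with "apply" inside a FreeBSD jail; the rc.conf helpers take the file as a parameter so they can be tried on a scratch copy first. FreeBSD's sysrc(8) performs the same edit natively; the helper here shows what that edit has to look like.

```shell
#!/bin/sh
# Added example, not part of the TrueNAS guide: the jail-side SFTP setup
# steps as one script. User name is a placeholder; pw(8) and service(8)
# only run when invoked as `sh jail_sftp_setup.sh apply` inside the jail.

# set_rc_knob FILE KNOB [VALUE]: write KNOB="VALUE" (default YES) into FILE.
# rc.conf is sourced as shell, so the form must be exactly KNOB="VALUE" with
# no spaces around '='. An existing assignment (including a malformed
# 'KNOB = "..."' line) is rewritten in place; otherwise the line is appended.
set_rc_knob() {
    file=$1; knob=$2; value=${3:-YES}
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[[:space:]]*${knob}[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed "s/^[[:space:]]*${knob}[[:space:]]*=.*/${knob}=\"${value}\"/" "$file" > "$tmp"
        cat "$tmp" > "$file" && rm -f "$tmp"
    else
        printf '%s="%s"\n' "$knob" "$value" >> "$file"
    fi
}

# rc_knob_value FILE KNOB: print what the rc system would see for KNOB
# (the last assignment wins, quotes stripped), or nothing if it is unset.
rc_knob_value() {
    grep -E "^[[:space:]]*${2}[[:space:]]*=" "$1" | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/^"//; s/"$//'
}

# Real setup, only when asked for explicitly.
if [ "${1:-}" = "apply" ]; then
    user=sftpuser                       # placeholder account name
    printf 'Password for %s: ' "$user"
    stty -echo; read -r pass; stty echo; echo
    # -m creates the home directory, -h 0 reads the password from stdin
    printf '%s\n' "$pass" | pw useradd -n "$user" -m -s /bin/sh -h 0
    set_rc_knob /etc/rc.conf sshd_enable YES
    service sshd start                  # starts now; rc.conf covers reboots
fi
```

The rewrite-in-place branch matters more than it looks: a second run, or a line left over from an earlier manual edit, must not produce two sshd_enable lines with different values, and the spaced form the page shows would otherwise be read by rc as a command rather than an assignment.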
Using an FTP client, such as FileZilla, log in with the jail IP address and user credentials. As with SSH on TrueNAS, browsing to other folders and locations beyond the user's home directory is possible, but unlike running on TrueNAS directly, only the components of the jail are available.
The Trivial File Transfer Protocol (TFTP) is a light-weight version of FTP typically used to transfer configuration or boot files between machines, such as routers, in a local environment. TFTP provides an extremely limited set of commands and provides no authentication.
When the TrueNAS system is only storing images and configuration files for network devices, configure and start the TFTP service. Starting the TFTP service opens UDP port 69.
Path
Name | Description |
---|---|
Directory | Browse to an existing directory to use for storage. Some devices can require a specific directory name. Consult the documentation for that device to see if there are any restrictions. |
Connection
Name | Description |
---|---|
Host | The default host to use for TFTP transfers. Enter an IP address. Example: 192.0.2.1 |
Port | The UDP port number that listens for TFTP requests. Example: 8050 |
Username | Select the account to use for TFTP requests. This account must have permission to the Directory. |
Access
Name | Description |
---|---|
File Permissions | Adjust the file permissions using the checkboxes. |
Allow New Files | Set when network devices need to send files to the system. |
Other Options
Name | Description |
---|---|
Auxiliary Parameters | Add more options from tftpd. Add one option on each line. |