
FTP, SFTP, and TFTP


Last Modified 2021-04-05 14:25 EDT

The File Transfer Protocol (FTP) is a simple option for data transfers. The additional SSH and Trivial FTP options provide secure or simple config file transfer methods, respectively.

Options for configuring FTP, SSH, and TFTP are on the system Services page. Click the icon next to a service to configure it.

FTP requires a new dataset and local user account.

Go to Storage > Pools to add a new dataset. ![StoragePoolsAddDataset](/images/CORE/12.0/StoragePoolsAddDataset.png "Adding a new Dataset")

Next, go to Accounts > Users > Add to create a local user on the TrueNAS. ![AccountsUsersAdd](/images/CORE/12.0/AccountsUsersAdd.png "Adding a new User Account")

Assign a user name and password, and set the newly created dataset for the FTP share as the home directory of the user. This can be done on a per-user basis, or a single shared FTP account (for example, OurOrgFTPacnt) can be created instead.

Return to Storage > Pools, find the new dataset, and click the options icon > Edit Permissions. Set the Owner fields (user and group) to the newly created user account. Be sure to check Apply User and Apply Group before saving.

StoragePoolsEditPermissionsBasic

Service Configuration

To configure FTP, go to the Services page, find the FTP entry, and click the icon to open its options.

Services FTP Options

Configure the options according to your environment and security considerations.

General Options

| Name | Description |
|---|---|
| Port | Set the port the FTP service listens on. |
| Clients | The maximum number of simultaneous clients. |
| Connections | Set the maximum number of connections per IP address. 0 means unlimited. |
| Login Attempts | Enter the maximum number of attempts before the client is disconnected. Increase this if users are prone to typos. |
| Timeout | Maximum client idle time in seconds before the client is disconnected. |
| Certificate | The SSL certificate to be used for TLS FTP connections. To create a certificate, use System > Certificates. |

Advanced

Access

| Name | Description |
|---|---|
| Always Chroot | When set, a local user is only allowed access to their home directory if they are a member of the wheel group. |
| Allow Root Login | Setting this option is discouraged as it increases security risk. |
| Allow Anonymous Login | Allow anonymous FTP logins with access to the directory specified in Path. |
| Allow Local User Login | Allow any local user to log in. By default, only members of the ftp group are allowed to log in. |
| Require IDENT Authentication | Setting this option results in timeouts when identd is not running on the client. |
| File Permissions | Sets default permissions for newly created files. |
| Directory Permissions | Sets default permissions for newly created directories. |

TLS

| Name | Description |
|---|---|
| Enable TLS | Allow encrypted connections. Requires a certificate created or imported with the System > Certificates menu. |
| TLS Policy | Define whether the control channel, data channel, both channels, or neither channel of an FTP session must occur over SSL/TLS. The policies are described in the mod_tls documentation. |
| TLS Allow Client Renegotiations | Setting this option is not recommended as it breaks several security measures. Refer to mod_tls for more details. |
| TLS Allow Dot Login | If set, the user home directory is checked for a .tlslogin file which contains one or more PEM-encoded certificates. If not found, the user is prompted for password authentication. |
| TLS Allow Per User | If set, the password of the user can be sent unencrypted. |
| TLS Common Name Required | When set, the common name in the certificate must match the FQDN of the host. |
| TLS Enable Diagnostics | If set when troubleshooting a connection, logs more verbosely. |
| TLS Export Certificate Data | Set to export the certificate environment variables. |
| TLS No Certificate Request | Set if the client cannot connect, and it is suspected the client is poorly handling the server certificate request. |
| TLS No Empty Fragments | Enabling this option is not recommended as it bypasses a security mechanism. |
| TLS No Session Reuse Required | Setting this option reduces the security of the connection, so only use it if the client does not understand reused SSL sessions. |
| TLS Export Standard Vars | If selected, sets several environment variables. |
| TLS DNS Name Required | If set, the DNS name of the client must resolve to its IP address and the cert must contain the same DNS name. |
| TLS IP Address Required | If set, the client certificate must contain the IP address that matches the IP address of the client. |

Bandwidth

| Name | Description |
|---|---|
| Local User Upload Bandwidth | In KiB or greater. A default of 0 KiB means unlimited. This field accepts human-readable input (for example, 50 GiB, 500M, 2 TB). If units are not specified, the value defaults to KiB. |
| Local User Download Bandwidth | In KiB or greater. A default of 0 KiB means unlimited. This field accepts human-readable input (for example, 50 GiB, 500M, 2 TB). If units are not specified, the value defaults to KiB. |
| Anonymous User Upload Bandwidth | In KiB or greater. A default of 0 KiB means unlimited. This field accepts human-readable input (for example, 50 GiB, 500M, 2 TB). If units are not specified, the value defaults to KiB. |
| Anonymous User Download Bandwidth | In KiB or greater. A default of 0 KiB means unlimited. This field accepts human-readable input (for example, 50 GiB, 500M, 2 TB). If units are not specified, the value defaults to KiB. |
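The four bandwidth fields all take the same human-readable format (a number, an optional unit, KiB assumed when no unit is given, and 0 meaning unlimited). The parser below is an added example written for this page, not TrueNAS code; it assumes that both the IEC spellings (KiB, MiB, ...) and the bare or "B"-suffixed letters (M, MB, ...) are binary multiples, which is an assumption made here to match the field's KiB default rather than something the page states.

```python
import re

# Multiplier (bytes) for each accepted unit suffix. Treating "500M" and "2 TB"
# as binary units is an assumption made for this example, chosen so that every
# spelling lines up with the field's documented KiB default.
_UNITS = {
    "": 1024,                                   # no unit given: defaults to KiB
    "K": 1024, "KB": 1024, "KIB": 1024,
    "M": 1024 ** 2, "MB": 1024 ** 2, "MIB": 1024 ** 2,
    "G": 1024 ** 3, "GB": 1024 ** 3, "GIB": 1024 ** 3,
    "T": 1024 ** 4, "TB": 1024 ** 4, "TIB": 1024 ** 4,
}

_PATTERN = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([A-Za-z]*)\s*$")

# The four form fields, in the order the Bandwidth section lists them.
BANDWIDTH_FIELDS = (
    "local_user_upload",
    "local_user_download",
    "anonymous_user_upload",
    "anonymous_user_download",
)


def parse_bandwidth(text):
    """Return the limit in bytes per second, or None when the value is 0 (unlimited).

    Raises ValueError on input the form would reject (garbage or unknown unit).
    """
    match = _PATTERN.match(text)
    if not match:
        raise ValueError(f"unrecognised bandwidth value: {text!r}")
    number, unit = match.group(1), match.group(2).upper()
    if unit not in _UNITS:
        raise ValueError(f"unknown unit {unit!r} in {text!r}")
    value = float(number) * _UNITS[unit]
    if value == 0:
        return None
    return int(value)


def limits_for(form):
    """Normalise a dict of the four fields; missing fields count as 0 (unlimited)."""
    return {name: parse_bandwidth(form.get(name, "0")) for name in BANDWIDTH_FIELDS}


if __name__ == "__main__":
    # Constructed sample input: limit anonymous users, leave local users unlimited.
    sample = {"anonymous_user_upload": "500 KiB", "anonymous_user_download": "2M"}
    for field, limit in limits_for(sample).items():
        print(f"{field:24s} {'unlimited' if limit is None else f'{limit} B/s'}")
```

A value with no unit is multiplied by 1024, so "750" becomes 768000 bytes per second; a rate written as "0", "0 KiB" or left empty is reported as None so callers can distinguish "no limit" from a tiny limit.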

Other Options

| Name | Description |
|---|---|
| Minimum Passive Port | Used by clients in PASV mode. A default of 0 means any port above 1023. |
| Maximum Passive Port | Used by clients in PASV mode. A default of 0 means any port above 1023. |
| Enable FXP | Set to enable the File eXchange Protocol. This option makes the server vulnerable to FTP bounce attacks so it is not recommended. |
| Allow Transfer Resumption | Set to allow FTP clients to resume interrupted transfers. |
| Perform Reverse DNS Lookups | Set to perform reverse DNS lookups on client IPs. This can cause long delays if reverse DNS is not configured. |
| Masquerade Address | Public IP address or hostname. Set if FTP clients cannot connect through a NAT device. |
| Display Login | Specify the message displayed to local login users after authentication. Not displayed to anonymous login users. |
| Auxiliary Parameters | Used to add additional proftpd(8) parameters. |

Ensure chroot is enabled, as this confines FTP sessions to the local user's home directory, and enable Allow Local User Login.

Unless necessary, do NOT allow anonymous or root access. For better security, enable TLS when possible; this is effectively FTPS. When FTP is exposed to a WAN, always enable TLS.
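The GUI options above map onto proftpd(8) directives, and the recommendations in this section (chroot on, root and anonymous logins off, TLS required, FXP off, the discouraged TLSOptions left unset) can be checked directly against the generated proftpd.conf. The checker below is an added example written for this page; it is not TrueNAS or ProFTPD code. The two configuration fragments are constructed samples, and the directive names used (DefaultRoot, RootLogin, AllowForeignAddress, TLSEngine, TLSRequired, TLSOptions, the Anonymous section) are the real ProFTPD directives behind the corresponding form fields.

```python
import re

# Constructed sample: the settings this section discourages.
WEAK_CONF = """\
ServerName "Example FTP"
Port 21
RootLogin on
AllowForeignAddress on
<Anonymous ~ftp>
  User ftp
  Group ftp
</Anonymous>
<IfModule mod_tls.c>
  TLSEngine off
</IfModule>
"""

# Constructed sample: the settings this section recommends.
HARDENED_CONF = """\
ServerName "Example FTP"
Port 21
DefaultRoot ~
RootLogin off
AllowForeignAddress off
<IfModule mod_tls.c>
  TLSEngine on
  TLSRequired on
  TLSProtocol TLSv1.2
</IfModule>
"""

# TLSOptions flags the TLS table marks as weakening the connection.
_RISKY_TLS_OPTIONS = {
    "allowclientrenegotiations": "client renegotiation allowed, breaks several TLS protections",
    "noemptyfragments": "empty-fragment countermeasure disabled",
    "nosessionreuserequired": "data connections need not reuse the control session",
}


def _directives(conf):
    """Yield (keyword_lower, argument) for every directive line, skipping tags and comments."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def audit_proftpd(conf):
    """Return a list of findings; an empty list means the fragment matches the recommendations."""
    settings = {}
    tls_options = set()
    for key, arg in _directives(conf):
        if key == "tlsoptions":
            tls_options.update(o.lower() for o in arg.split())
        else:
            settings[key] = arg.lower()          # last occurrence wins, as in proftpd
    findings = []
    if settings.get("rootlogin") == "on":
        findings.append("RootLogin on: root may log in over FTP")
    if "defaultroot" not in settings:
        findings.append("DefaultRoot missing: sessions are not chrooted to the home directory")
    if re.search(r"^\s*<Anonymous\b", conf, re.MULTILINE | re.IGNORECASE):
        findings.append("<Anonymous> section present: anonymous logins are configured")
    if settings.get("allowforeignaddress") == "on":
        findings.append("AllowForeignAddress on: FXP enabled, server exposed to FTP bounce")
    if settings.get("tlsengine") != "on":
        findings.append("TLSEngine not on: credentials and data travel in cleartext")
    elif settings.get("tlsrequired") != "on":
        findings.append("TLSRequired not 'on': clients may still log in without TLS")
    for option, why in _RISKY_TLS_OPTIONS.items():
        if option in tls_options:
            findings.append(f"TLSOptions {option}: {why}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_proftpd(conf) or ['no findings']}")
```

Run it against /usr/local/etc/proftpd.conf on the NAS (the path TrueNAS CORE generates is an assumption here) after changing the form, or keep it as a regression check for a configuration export.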

FTP Connection

Use a browser or FTP client to connect to the TrueNAS FTP share. The images here show using FileZilla, a free option.

The user name and password are those of the local user account on the TrueNAS system. The default directory is the user's home directory. After connecting, directories can be created and files uploaded and downloaded.

FilezillaFTPConnect

SFTP, or SSH File Transfer Protocol, is available by enabling SSH remote access to the TrueNAS system. SFTP is more secure than standard FTP because it runs over SSH, which encrypts all transfers by default.

Go to Services, find the SSH entry, and click the icon to open its options.

ServicesSSHOptions

Set Allow Password Authentication and decide if Log in as Root with Password is needed. SSH with root is a security vulnerability as it allows full remote control over the NAS with a terminal, not just SFTP transfer access. Review the remaining options and configure according to your environment or security needs.

General Options

| Name | Description |
|---|---|
| TCP Port | Open a port for SSH connection requests. |
| Log in as Root with Password | Root logins are discouraged. Allows root logins. A password must be set for the root user account. |
| Allow Password Authentication | Enabling allows using a password to authenticate the SSH login. Warning: when directory services are enabled, allowing password authentication can grant access to all users imported by the directory service. Disabling changes authentication to require keys for all users. This requires additional setup on both the SSH client and server. |
| Allow Kerberos Authentication | Ensure valid entries exist in Directory Services > Kerberos Realms and Directory Services > Kerberos Keytabs and the system can communicate with the Kerberos Domain Controller before enabling this option. |
| Allow TCP Port Forwarding | Set to allow users to bypass firewall restrictions using the SSH port forwarding feature. |

Advanced Options

| Name | Description |
|---|---|
| Bind Interfaces | Select interfaces for SSH to listen on. Leave all options unselected for SSH to listen on all interfaces. |
| Compress Connections | Compress SSH traffic, which can reduce latency over slow networks. |
| SFTP Log Level | Select the syslog(3) level of the SFTP server. |
| SFTP Log Facility | Select the syslog(3) facility of the SFTP server. |
| Weak Ciphers | Allow more ciphers for sshd(8) in addition to the defaults in sshd_config(5). None allows unencrypted SSH connections and AES128-CBC allows the 128-bit Advanced Encryption Standard. WARNING: these ciphers are considered security vulnerabilities and should only be allowed in a secure network environment. |
| Auxiliary Parameters | Add any more sshd_config(5) options not covered in this screen. Enter one option per line. These options are case-sensitive. Misspellings can prevent the SSH service from starting. |

SFTP Connections

Similar to the FTP setup, open FileZilla or another FTP client, or use the command line. This article shows FileZilla as an example. In FileZilla, enter sftp://'TrueNAS IP', 'username', 'password', and port 22 to connect.

SFTP does not have chroot locking. While chroot is not 100% secure, the lack of chroot allows users to easily move up to the root directory and view internal system information. If this level of access is a concern, FTP with TLS may be the more secure choice.
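The SSH options above (root login, password authentication, TCP forwarding, weak ciphers) and the chroot concern in this paragraph can all be checked in the sshd_config(5) file the service writes. The checker below is an added example for this page, not TrueNAS or OpenSSH code. It applies sshd's own rule that the first value for a keyword wins, treats Match blocks separately, and uses a constructed hardened fragment that confines members of an assumed sftponly group with ChrootDirectory and ForceCommand internal-sftp; that kind of fragment is what the Auxiliary Parameters field is for (whether a particular TrueNAS version accepts a Match block there is an assumption, since Match must come after all global options).

```python
import re

# Constructed sample: the settings this section warns about.
WEAK_SSHD = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes
Ciphers aes128-ctr,aes256-ctr,aes128-cbc
Subsystem sftp /usr/libexec/sftp-server
"""

# Constructed sample: key-only logins, no forwarding, and SFTP-only users
# confined to their home directory. "sftponly" is an assumed group name.
HARDENED_SSHD = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""

# CBC modes and the null cipher: the entries the Weak Ciphers option exposes.
WEAK_CIPHERS = {"aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc", "none"}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    Keywords are case-insensitive; within each scope the first occurrence wins,
    which is how sshd(8) reads the file. match_blocks is a list of
    (criteria, settings) in file order.
    """
    global_cfg, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((value, current))
            continue
        (current if current is not None else global_cfg).setdefault(key, value)
    return global_cfg, matches


def sftp_confined(matches):
    """True if some Match block chroots its users and forces the in-process SFTP server."""
    return any(
        "chrootdirectory" in block and block.get("forcecommand", "").startswith("internal-sftp")
        for _, block in matches
    )


def audit_sshd(text):
    """Return a list of findings for the global settings and SFTP confinement."""
    cfg, matches = parse_sshd_config(text)
    findings = []
    if cfg.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication enabled: consider key-only logins")
    if cfg.get("allowtcpforwarding", "yes") != "no":
        findings.append("AllowTcpForwarding enabled: SFTP users can tunnel through the NAS")
    weak = sorted(set(cfg.get("ciphers", "").lower().split(",")) & WEAK_CIPHERS)
    if weak:
        findings.append(f"weak ciphers offered: {', '.join(weak)}")
    if not sftp_confined(matches):
        findings.append("no Match block chroots SFTP users: they can browse outside their home")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SSHD), ("hardened", HARDENED_SSHD)):
        print(f"{label}: {audit_sshd(text) or ['no findings']}")
```

ChrootDirectory only works when the chroot target and every directory above it are owned by root and not writable by anyone else, so %h as used above requires the users' home directories to be laid out that way (writable subdirectories inside them are fine); sshd refuses the login otherwise.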

SFTP in a TrueNAS Jail

Another way to allow SFTP access without granting read access to other areas of the NAS itself is to set up a jail and enable SSH.

Go to Jails > Add. Provide a name for the jail and pick a target FreeBSD image. 11.3 was used for the purpose of this guide.

Set the networking options to either DHCP or a static IP and confirm to create.

JailsAddNetworking

After the jail is created, open the jail menu by clicking the expand icon > on the right-hand side of the jail. Click START and open the SHELL.

Similar to the initial FTP setup, create a user in the jail. Enter adduser and follow the prompts, including the password and home directory location. When complete, adduser asks to confirm the entered details.

JailsShellUserAdd

Enable SSH by editing the /etc/rc.conf file. Type vi /etc/rc.conf or ee /etc/rc.conf depending on preference, add sshd_enable="YES" to the file, save, and exit. The rc.conf entry makes sshd start on every reboot; to start it once now without rebooting, type service sshd start.

JailsShellEditRCConf

Using an FTP client, such as FileZilla, log in with the jail IP address and user credentials. Like with SSH on TrueNAS, browsing to other folders and locations beyond the user’s home directory is possible, but unlike running on TrueNAS directly, only the components of the jail are available.

FilezillaJailConnectSFTP

The Trivial File Transfer Protocol (TFTP) is a lightweight version of FTP typically used to transfer configuration or boot files between machines, such as routers, in a local environment. TFTP provides an extremely limited set of commands and provides no authentication.

When the TrueNAS system is only storing images and configuration files for network devices, configure and start the TFTP service. Starting the TFTP service opens UDP port 69.
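Because a TFTP request carries nothing but an opcode, a file name and a transfer mode, the only access controls available are the served Directory, its file permissions and the Allow New Files option. The parser and policy check below are an added example written for this page, not TrueNAS or tftpd code; they follow the packet layout from RFC 1350 (with RFC 2347 options) and mirror the tftpd-hpa behaviour behind Allow New Files, where uploads are only accepted to existing files unless new files are explicitly allowed. All packets are constructed samples.

```python
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}


def _cstrings(data):
    """Split NUL-terminated ASCII strings; the last one must be terminated."""
    if not data.endswith(b"\x00"):
        raise ValueError("unterminated string field")
    return [s.decode("ascii") for s in data[:-1].split(b"\x00")]


def parse_tftp(packet):
    """Decode one TFTP packet into a dict. Note that no field carries credentials."""
    if len(packet) < 2:
        raise ValueError("packet too short")
    opcode = struct.unpack("!H", packet[:2])[0]
    if opcode not in OPCODES:
        raise ValueError(f"unknown opcode {opcode}")
    kind, body = OPCODES[opcode], packet[2:]
    if kind in ("RRQ", "WRQ"):
        fields = _cstrings(body)
        if len(fields) < 2:
            raise ValueError("request needs a filename and a mode")
        filename, mode, *rest = fields
        if len(rest) % 2:
            raise ValueError("option name without a value")
        options = dict(zip(rest[::2], rest[1::2]))       # RFC 2347 extensions
        return {"op": kind, "filename": filename, "mode": mode.lower(), "options": options}
    if len(body) < 2:
        raise ValueError(f"{kind} packet too short")
    number = struct.unpack("!H", body[:2])[0]
    if kind == "DATA":
        return {"op": kind, "block": number, "data": body[2:]}
    if kind == "ACK":
        return {"op": kind, "block": number}
    return {"op": kind, "code": number, "message": _cstrings(body[2:])[0]}


def authorize(request, allow_new_files, existing_files):
    """Decide whether a parsed RRQ/WRQ may proceed against the served directory.

    existing_files is the set of names already present in the TFTP Directory;
    allow_new_files mirrors the form option of the same name.
    Returns (allowed, reason).
    """
    name = request["filename"]
    if name.startswith("/") or "\\" in name or ".." in name.split("/"):
        return False, "file name escapes the TFTP directory"
    if request["op"] == "RRQ":
        return (name in existing_files), "file served" if name in existing_files else "no such file"
    if request["op"] == "WRQ":
        if name in existing_files:
            return True, "overwriting an existing file"
        if allow_new_files:
            return True, "creating a new file (Allow New Files is set)"
        return False, "new file refused: Allow New Files is not set"
    return False, "not a request packet"


if __name__ == "__main__":
    # Constructed packets: a router fetching its config and pushing a new one.
    rrq = b"\x00\x01router-config.cfg\x00octet\x00"
    wrq = b"\x00\x02router-new.cfg\x00octet\x00blksize\x001428\x00"
    served = {"router-config.cfg"}
    for pkt in (rrq, wrq):
        req = parse_tftp(pkt)
        print(req, authorize(req, allow_new_files=False, existing_files=served))
```

Every upload, whether accepted or refused, arrives from an unauthenticated UDP source, which is why the text restricts the service to a system that only stores network-device images and why the Username account should own nothing beyond that Directory.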

ServicesTFTPOptions

Path

| Name | Description |
|---|---|
| Directory | Browse to an existing directory to use for storage. Some devices can require a specific directory name. Consult the documentation for that device to see if there are any restrictions. |

Connection

| Name | Description |
|---|---|
| Host | The default host to use for TFTP transfers. Enter an IP address. Example: 192.0.2.1 |
| Port | The UDP port number that listens for TFTP requests. Example: 8050 |
| Username | Select the account to use for TFTP requests. This account must have permission to the Directory. |

Access

| Name | Description |
|---|---|
| File Permissions | Adjust the file permissions using the checkboxes. |
| Allow New Files | Set when network devices need to send files to the system. |

Other Options

| Name | Description |
|---|---|
| Auxiliary Parameters | Add more options from tftpd. Add one option on each line. |