FTP, SFTP, and TFTP
Last Modified 2021-04-05 14:25 EDT
The File Transfer Protocol (FTP) is a simple option for data transfers. The related SSH (SFTP) and Trivial FTP (TFTP) services provide, respectively, an encrypted transfer method and a minimal, unauthenticated one intended for device configuration and boot files.
Options for configuring FTP, SSH, and TFTP are in the system Services. Click the edit (pencil) icon to configure the related service.
FTP requires a new dataset and a local user account.
Go to Storage > Pools to add a new dataset. ![StoragePoolsAddDataset](/images/CORE/12.0/StoragePoolsAddDataset.png "Adding a new Dataset")
Next, go to Accounts > Users > Add to create a local user on the TrueNAS. ![AccountsUsersAdd](/images/CORE/12.0/AccountsUsersAdd.png "Adding a new User Account")
Assign a user name and password, and set the newly created dataset as the home directory of the user; this is the directory the FTP share exposes. This can be done per user, or a single shared FTP account (for example OurOrgFTPacnt) can be created. Per-user accounts are preferable wherever accountability matters, because a shared account cannot be tied to an individual in the logs.
Return to Storage > Pools, find the new dataset, and click more_vert > Edit Permissions. Set the Owner fields (user and group) to the newly created user account. Be sure to check Apply User and Apply Group before saving.
To configure FTP, go to the Services page, find the FTP entry, and click the edit (pencil) icon.
Configure the options according to your environment and security considerations.
| Setting | Description |
|---|---|
| Port | Set the port the FTP service listens on. |
| Clients | The maximum number of simultaneous clients. |
| Connections | The maximum number of connections per IP address. 0 means unlimited. |
| Login Attempts | The maximum number of failed login attempts before the client is disconnected. Increase this if users are prone to typos; keeping it low slows down password guessing. |
| Timeout | Maximum client idle time in seconds before the client is disconnected. |
| Certificate | The SSL certificate to use for TLS FTP connections. To create a certificate, use System > Certificates. |
| Always Chroot | When set, a local user is confined to their home directory unless they are a member of the wheel group. |
| Allow Root Login | Allow root to log in over FTP. Setting this option is discouraged as it increases security risk. |
| Allow Anonymous Login | Allow anonymous FTP logins with access to the directory specified in Path. |
| Allow Local User Login | Allow any local user to log in. By default, only members of the ftp group are allowed to log in. |
| Require IDENT Authentication | Setting this option results in timeouts when the client does not answer IDENT lookups. |
| File Permissions | Sets default permissions for newly created files. |
| Directory Permissions | Sets default permissions for newly created directories. |
| Enable TLS | Allow encrypted connections. Requires a certificate created or imported with the System > Certificates menu. |
| TLS Policy | Define whether the control channel, data channel, both channels, or neither channel of an FTP session must occur over SSL/TLS. The policies correspond to the mod_tls TLSRequired directive. |
| TLS Allow Client Renegotiations | Setting this option is not recommended as it breaks several security measures. Refer to mod_tls for more details. |
| TLS Allow Dot Login | If set, the user home directory is checked for a .tlslogin file which contains one or more PEM-encoded certificates. If not found, the user is prompted for password authentication. |
| TLS Allow Per User | If set, the password of the user can be sent unencrypted. |
| TLS Common Name Required | When set, the common name in the certificate must match the FQDN of the host. |
| TLS Enable Diagnostics | If set when troubleshooting a connection, logs more verbosely. |
| TLS Export Certificate Data | Set to export the certificate environment variables. |
| TLS No Certificate Request | Set if the client cannot connect, and it is suspected the client is poorly handling the server certificate request. |
| TLS No Empty Fragments | Enabling this option is not recommended as it bypasses a security mechanism. |
| TLS No Session Reuse Required | Setting this option reduces the security of the connection, so only use it if the client does not understand reused SSL sessions. |
| TLS Export Standard Vars | If selected, sets several environment variables. |
| TLS DNS Name Required | If set, the DNS name of the client must resolve to its IP address and the certificate must contain the same DNS name. |
| TLS IP Address Required | If set, the client certificate must contain the IP address that matches the IP address of the client. |
| Local User Upload Bandwidth | In KiB or greater. A default of 0 KiB means unlimited. This field accepts human-readable input (for example 50 GiB, 500M, 2 TB). If units are not specified, the value defaults to KiB. |
| Local User Download Bandwidth | Same format and default as Local User Upload Bandwidth. |
| Anonymous User Upload Bandwidth | Same format and default as Local User Upload Bandwidth. |
| Anonymous User Download Bandwidth | Same format and default as Local User Upload Bandwidth. |
| Minimum Passive Port | Lowest port used by clients in PASV mode. A default of 0 means any port above 1023. |
| Maximum Passive Port | Highest port used by clients in PASV mode. A default of 0 means any port above 1023. Set a narrow range so a firewall or NAT device only has to open those ports. |
| Enable FXP | Set to enable the File eXchange Protocol. This option makes the server usable for FTP bounce attacks, so it is not recommended. |
| Allow Transfer Resumption | Set to allow FTP clients to resume interrupted transfers. |
| Perform Reverse DNS Lookups | Set to perform reverse DNS lookups on client IPs. This can cause long delays if reverse DNS is not configured. |
| Masquerade Address | Public IP address or hostname. Set if FTP clients cannot connect through a NAT device. |
| Display Login | Specify the message displayed to local login users after authentication. Not displayed to anonymous login users. |
| Auxiliary Parameters | Used to add additional proftpd(8) parameters. |
Enable Always Chroot, which confines each FTP session to the local user's home directory, and enable Allow Local User Login.
Unless necessary, do NOT allow anonymous or root access. Plain FTP sends the user name, password, and all data in clear text, so enable TLS whenever possible and set TLS Policy to require it on both channels; this is effectively FTPS. When FTP is exposed to a WAN, always enable TLS.
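The settings above end up in a ProFTPD configuration file. The following POSIX sh script is an added example, not TrueNAS or ProFTPD code: it audits such a file for the weak settings called out here (root or anonymous login, no chroot, FXP, plaintext or weakened TLS, an unbounded passive port range). The directive names are standard ProFTPD; the two sample configurations the script writes are constructed for illustration and are not what TrueNAS generates verbatim.

```shell
#!/bin/sh
# Added example, not TrueNAS or ProFTPD code: audit a ProFTPD configuration for
# the weak settings discussed above.  Directive names are standard ProFTPD; the
# two sample files written by the helpers below are constructed for illustration.
set -u

# conf_get FILE DIRECTIVE: print the value of the last occurrence of DIRECTIVE
# (case-insensitive, as ProFTPD treats directive names), or nothing if absent.
conf_get() {
  awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); v = $0 }
                 END { print v }' "$1"
}

warn() { echo "WARN: $*"; }

# audit_proftpd_conf FILE: print one WARN line per risky setting found.
audit_proftpd_conf() {
  f=$1
  [ "$(conf_get "$f" RootLogin)" = on ] && \
    warn "RootLogin on: root can log in over FTP (Allow Root Login)"
  [ "$(conf_get "$f" AllowForeignAddress)" = on ] && \
    warn "AllowForeignAddress on: FXP enabled, server usable for bounce attacks (Enable FXP)"
  grep -qi '^[[:space:]]*<Anonymous' "$f" && \
    warn "<Anonymous> block present: unauthenticated logins allowed (Allow Anonymous Login)"
  case "$(conf_get "$f" DefaultRoot)" in
    "~"*) ;;   # DefaultRoot ~ (optionally with !group exceptions) is what Always Chroot produces
    *) warn "DefaultRoot not ~: sessions are not confined to the home directory (Always Chroot)" ;;
  esac
  if [ "$(conf_get "$f" TLSEngine)" != on ]; then
    warn "TLSEngine not on: credentials and data cross the network in clear text (Enable TLS)"
  else
    case "$(conf_get "$f" TLSRequired)" in
      on|auth+data|ctrl+data) ;;   # both channels protected
      *) warn "TLSRequired '$(conf_get "$f" TLSRequired)': a plaintext control or data channel is still accepted (TLS Policy)" ;;
    esac
    opts=$(conf_get "$f" TLSOptions)
    for o in AllowClientRenegotiations NoSessionReuseRequired NoEmptyFragments NoCertRequest; do
      case " $opts " in *" $o "*) warn "TLSOptions $o weakens the TLS session" ;; esac
    done
  fi
  [ -n "$(conf_get "$f" PassivePorts)" ] || \
    warn "PassivePorts unset: any port above 1023 may be used, forcing a wide firewall/NAT opening (Passive Port range)"
  return 0
}

# audit_count FILE: number of WARN lines, for scripting.
audit_count() { audit_proftpd_conf "$1" | grep -c '^WARN' || true; }

# Constructed sample: roughly what a permissive setup looks like.
write_sample_weak() {
  cat > "$1" <<'EOF'
ServerName "TrueNAS FTP Server"
Port 21
RootLogin on
AllowForeignAddress on
IdentLookups off
TLSEngine on
TLSRequired off
TLSOptions NoSessionReuseRequired AllowClientRenegotiations
<Anonymous /mnt/tank/ftp>
  User ftp
  Group ftp
</Anonymous>
EOF
}

# Constructed sample: the recommendations above applied.
write_sample_hardened() {
  cat > "$1" <<'EOF'
ServerName "TrueNAS FTP Server"
Port 21
RootLogin off
AllowForeignAddress off
DefaultRoot ~ !wheel
MaxLoginAttempts 3
TimeoutIdle 600
TLSEngine on
TLSProtocol TLSv1.2 TLSv1.3
TLSRequired on
PassivePorts 30000 30100
EOF
}

# Stand-alone demo over the two constructed samples.
demo_dir=$(mktemp -d)
write_sample_weak "$demo_dir/weak.conf"
write_sample_hardened "$demo_dir/hardened.conf"
for c in weak hardened; do
  echo "== $c.conf: $(audit_count "$demo_dir/$c.conf") finding(s)"
  audit_proftpd_conf "$demo_dir/$c.conf"
done
rm -r "$demo_dir"
```

To audit a live system, point `audit_proftpd_conf` at the configuration the FTP service actually runs with (on TrueNAS CORE this is assumed to be /usr/local/etc/proftpd.conf; check the running proftpd process for the `-c` path if in doubt). Zero findings means the UI choices match the recommendations above; each WARN names the UI setting to revisit.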
Use a browser or FTP client to connect to the TrueNAS FTP share. The images here show FileZilla, a free option.
The user name and password are those of the local user account on the TrueNAS.
The default directory is the user's home directory, that is, the dataset assigned above.
SFTP, the SSH File Transfer Protocol, is available by enabling SSH remote access to the TrueNAS system. SFTP is more secure than standard FTP because every transfer runs inside an encrypted, authenticated SSH session by default; it does not use SSL/TLS.
Go to Services, find the SSH entry, and click the edit (pencil) icon.
Set Allow Password Authentication if users will log in with passwords (key-based authentication is stronger; see the table below), and decide whether Log in as Root with Password is needed. SSH access as root is a serious security risk: it grants full remote control over the NAS through a terminal, not just SFTP transfer access. Review the remaining options and configure according to your environment or security needs.
| Setting | Description |
|---|---|
| TCP Port | The port on which sshd listens for connection requests. |
| Log in as Root with Password | Allows root logins with a password. Root logins are discouraged. A password must be set for the root user account. |
| Allow Password Authentication | Enabling allows using a password to authenticate the SSH login. Warning: when directory services are enabled, allowing password authentication can grant access to all users imported by the directory service. Disabling changes authentication to require keys for all users. This requires additional setup on both the SSH client and server. |
| Allow Kerberos Authentication | Ensure valid entries exist in Directory Services > Kerberos Realms and Directory Services > Kerberos Keytabs and the system can communicate with the Kerberos Domain Controller before enabling this option. |
| Allow TCP Port Forwarding | Set to allow users to bypass firewall restrictions using the SSH port forwarding feature. Leave unset for users who only need SFTP. |
| Bind Interfaces | Select interfaces for SSH to listen on. Leave all options unselected for SSH to listen on all interfaces. |
| Compress Connections | Compress SSH traffic, which can reduce latency on slow networks. |
| SFTP Log Level | Select the syslog(3) level of the SFTP server. |
| SFTP Log Facility | Select the syslog(3) facility of the SFTP server. |
| Weak Ciphers | Allow more ciphers for sshd(8) in addition to the defaults in sshd_config(5). None allows unencrypted SSH connections and AES128-CBC allows the 128-bit Advanced Encryption Standard in CBC mode. WARNING: these ciphers are considered security vulnerabilities and should only be allowed in a secure network environment. |
| Auxiliary Parameters | Add any more sshd_config(5) options not covered in this screen. Enter one option per line. These options are case-sensitive. Misspellings can prevent the SSH service from starting. |
Similar to the FTP setup, open FileZilla or another FTP client, or use the command line. This article shows FileZilla as an example. In FileZilla, enter sftp://<TrueNAS IP> as the host, plus the username, password, and port 22, to connect. On the first connection the client shows the server's host key fingerprint; compare it with the fingerprint on the TrueNAS before accepting it, since blindly accepting an unknown key gives up SSH's protection against an impostor server.
The TrueNAS SSH service does not chroot SFTP sessions; the UI offers no such option. While chroot is not 100% secure, without it users can easily move up to the root directory and view internal system information. If this level of access is a concern, FTP with TLS and Always Chroot may be the more secure choice.
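One way to get chroot-style confinement for SFTP without leaving the SSH service, shown here as an added example rather than TrueNAS-generated configuration: OpenSSH's own ChrootDirectory directive inside a Match block, entered through the SSH service's Auxiliary Parameters field. The example assumes a local group named sftponly, a dataset mounted at /mnt/tank/sftp, and that Auxiliary Parameters passes these lines through to sshd_config unchanged (a Match block must be the last section of the file, which an appended auxiliary section satisfies).

```sshd_config
# Added example: confine members of group "sftponly" to /mnt/tank/sftp.
# sshd requires the chroot directory and every path component above it to be
# owned by root and not writable by group or others; give each user a writable
# subdirectory beneath it (for example /mnt/tank/sftp/alice) for uploads.
Match Group sftponly
    ChrootDirectory /mnt/tank/sftp
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

ForceCommand internal-sftp replaces the user's shell, so members of the group get no terminal at all, only SFTP, and the chroot hides the rest of the NAS from them. After saving, restart the SSH service and confirm that an sftponly user sees only /mnt/tank/sftp as /; if the service fails to start, the directory ownership requirement above is the usual cause.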
Another way to allow SFTP access without granting read access to other areas of the NAS itself is to set up a jail and enable SSH.
Go to Jails > Add. Provide a name for the jail and pick a target FreeBSD image. 11.3 was used for the purpose of this guide.
Set the networking options to either DHCP or a static IP and confirm to create.
After the jail is created, open the jail menu by clicking the expand icon > on the right-hand side of the jail. Click START and open the SHELL.
Similar to the initial FTP setup, create a user in the jail: run `adduser` and follow the prompts, including the password and home directory location.
When complete, adduser asks to confirm the entered details.
Enable SSH by editing /etc/rc.conf with `vi /etc/rc.conf` or `ee /etc/rc.conf`, depending on preference, and adding the line `sshd_enable="YES"` (no spaces around the `=`, since rc.conf is parsed as shell), then save and exit. Alternatively, `sysrc sshd_enable=YES` makes the same edit.
The rc.conf entry makes sshd start on every boot; to start it now without rebooting, run `service sshd start`. (`service sshd onestart` would start it once without the rc.conf entry, and `service sshd enabled` only reports whether the entry is present; it starts nothing.)
Using an FTP client such as FileZilla, log in with the jail IP address and the user credentials. As with SSH on TrueNAS itself, browsing to folders beyond the user's home directory is possible, but only the jail's own file system is visible, not the NAS datasets.
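The jail-side steps above, collected into one script as an added example that is not part of the TrueNAS documentation. It assumes a FreeBSD 11.x/12.x jail with root access and the base pw(8), sysrc-equivalent rc.conf editing, and service(8) tooling; the user name, comment, and the `jail-sftp.sh` marker line are illustrative. Beyond the page's steps it also appends a few sshd_config hardening lines (no root login, only the new user, no forwarding) and checks the configuration before starting sshd.

```shell
#!/bin/sh
# Added example, not from the TrueNAS documentation: the jail-side steps as one
# script.  Assumes a FreeBSD 11.x/12.x jail with root access; the user name and
# comment are illustrative.  Run inside the jail as root, for example:
#   printf '%s\n' "$PASSWORD" | JAIL_SFTP_USER=sftpuser sh jail-sftp.sh
set -eu

# rc_set FILE KEY VALUE: set KEY="VALUE" in an rc.conf-style file, replacing any
# existing assignment.  sysrc(8) does this on a real system; this version is pure
# text so it can be exercised anywhere.
rc_set() {
  tmp="$1.tmp.$$"
  { grep -v "^$2=" "$1" 2>/dev/null || true; printf '%s="%s"\n' "$2" "$3"; } > "$tmp"
  mv "$tmp" "$1"
}

# sshd_hardening USER: print sshd_config(5) lines that limit the jail's sshd to
# the named user and to file transfer.  sshd takes the first value it sees for a
# directive, so append this only once and only if the stock file does not
# already set these directives uncommented.
sshd_hardening() {
  cat <<EOF
# added by jail-sftp.sh
PermitRootLogin no
AllowUsers $1
AllowTcpForwarding no
X11Forwarding no
EOF
}

# setup_jail_sftp USER: create the user (password read from stdin via pw -h 0,
# never from the command line, so it does not end up in shell history or ps
# output), enable sshd at boot, harden its configuration, and start it now.
setup_jail_sftp() {
  user=$1
  pw useradd -n "$user" -m -s /bin/sh -c "SFTP user" -h 0
  rc_set /etc/rc.conf sshd_enable YES
  if ! grep -q '^# added by jail-sftp.sh' /etc/ssh/sshd_config; then
    sshd_hardening "$user" >> /etc/ssh/sshd_config
  fi
  service sshd keygen       # generate host keys if the jail has none yet
  service sshd configtest   # sshd -t: refuse to start on a broken config
  if service sshd status >/dev/null 2>&1; then
    service sshd restart
  else
    service sshd start
  fi
}

# Only act when explicitly asked, so the functions can be sourced or tested.
if [ -n "${JAIL_SFTP_USER:-}" ]; then
  setup_jail_sftp "$JAIL_SFTP_USER"
fi
```

The password is piped in rather than typed on the command line because `pw` deliberately refuses to take it as an argument; in practice feed it from a secret store or an interactive `stty -echo; read` prompt. `AllowUsers` means a second SFTP account later needs to be added to that line as well.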
The Trivial File Transfer Protocol (TFTP) is a light-weight relative of FTP typically used to transfer configuration or boot files between machines, such as routers, in a local environment. TFTP provides an extremely limited set of commands and no authentication or encryption: anyone who can reach the service can read every file in its directory, and can write files if uploads are allowed.
When the TrueNAS system is only storing images and configuration files for network devices, configure and start the TFTP service. Starting the TFTP service opens UDP port 69; keep that port reachable only from the management network the devices use.
| Setting | Description |
|---|---|
| Directory | Browse to an existing directory to use for storage. Some devices can require a specific directory name. Consult the documentation for that device to see if there are any restrictions. |
| Host | The default host to use for TFTP transfers. Enter an IP address. |
| Port | The UDP port number that listens for TFTP requests. The standard TFTP port is 69. |
| Username | Select the account to use for TFTP requests. This account must have permission to the Directory. |
| File Permissions | Adjust the file permissions using the checkboxes. |
| Allow New Files | Set when network devices need to send files to the system. Leave unset otherwise, since anything on the network could then create files in the Directory. |
| Auxiliary Parameters | Add more options from tftpd(8). Add one option on each line. |