
FTP, SFTP, and TFTP


Last Modified 2021-10-06 16:49 EDT

The File Transfer Protocol (FTP) is a simple option for data transfers. The additional SSH and Trivial FTP options provide secure or simple config file transfer methods, respectively.

Options for configuring FTP, SSH, and TFTP are in the system Services. Click the configure icon next to a service to edit its settings.

FTP requires a new dataset and local user account.

Go to Storage > Pools to add a new dataset.

![StoragePoolsAddDataset](/images/CORE/12.0/StoragePoolsAddDataset.png "Adding a new Dataset")

Next, go to Accounts > Users > Add to create a local user on the TrueNAS.

![AccountsUsersAdd](/images/CORE/12.0/AccountsUsersAdd.png "Adding a new User Account")

Assign a user name and password, and set the newly created dataset for the FTP share as the home directory of the user. This can be done per user, or a single shared FTP account can be created instead, for example OurOrgFTPacnt.

Return to Storage > Pools, find the new dataset, open its options menu, and click Edit Permissions. Set the Owner fields (user and group) to the newly created user account. Be sure to click Apply User and Apply Group before saving.

StoragePoolsEditPermissionsBasic

Service Configuration

To configure FTP, go to the Services page, find the FTP entry, and click its configure icon.

Services FTP Options

Configure the options according to your environment and security considerations.

General Options

| Name | Description |
|---|---|
| Port | Set the port the FTP service listens on. |
| Clients | The maximum number of simultaneous clients. |
| Connections | Set the maximum number of connections per IP address. 0 is unlimited. |
| Login Attempts | Enter the maximum login attempts before the client is disconnected. Increase if users are prone to typos. |
| Timeout | Maximum client idle time in seconds before disconnect. |
| Certificate | The SSL certificate to use for TLS FTP connections. To create a certificate, go to Certificates. |

Advanced

Access

| Name | Description |
|---|---|
| Always Chroot | Set to only let local users access their home directory if they are in the wheel group. |
| Allow Root Login | Set to allow root logins. This option increases security risk. |
| Allow Anonymous Login | Set to allow anonymous FTP logins with access to the directory specified in Path. |
| Allow Local User Login | Set to allow any local user to log in. By default, only members of the ftp group are allowed to log in. |
| Require IDENT Authentication | Setting this option results in timeouts when identd is not running on the client. |
| File Permissions | Sets default permissions for newly created files. |
| Directory Permissions | Sets default permissions for newly created directories. |

TLS

| Name | Description |
|---|---|
| Enable TLS | Allow encrypted connections. Requires a certificate (created or imported in Certificates). |
| TLS Policy | Define whether the control channel, data channel, both channels, or neither channel of an FTP session must occur over SSL/TLS. The policies are described in the proftpd mod_tls documentation. |
| TLS Allow Client Renegotiations | We don't recommend this, since it breaks security measures. See mod_tls for details. |
| TLS Allow Dot Login | If set, TrueNAS checks the user home directory for a .tlslogin file containing one or more PEM-encoded certificates. If not found, the user is prompted for password authentication. |
| TLS Allow Per User | If set, allows the user password to be sent unencrypted. |
| TLS Common Name Required | When set, the common name in the certificate must match the FQDN of the host. |
| TLS Enable Diagnostics | If set when troubleshooting a connection, logs more verbosely. |
| TLS Export Certificate Data | Set to export the certificate environment variables. |
| TLS No Certificate Request | Set if the client cannot connect because it handles the server certificate request poorly. |
| TLS No Empty Fragments | We don't recommend this option, since it bypasses a security mechanism. |
| TLS No Session Reuse Required | This option reduces connection security. Only use it if the client does not understand reused SSL sessions. |
| TLS Export Standard Vars | If selected, sets several environment variables. |
| TLS DNS Name Required | If set, the client DNS name must resolve to its IP address and the certificate must contain the same DNS name. |
| TLS IP Address Required | If set, the client certificate IP address must match the client IP address. |

Bandwidth

| Name | Description |
|---|---|
| Local User Upload Bandwidth | This field accepts human-readable input in KiBs or greater (M, GiB, TB, etc.), for example 500 KiB, 500M, or 2 TB. Default 0 KiB is unlimited. |
| Local User Download Bandwidth | This field accepts human-readable input in KiBs or greater (M, GiB, TB, etc.). Default 0 KiB is unlimited. |
| Anonymous User Upload Bandwidth | This field accepts human-readable input in KiBs or greater (M, GiB, TB, etc.). Default 0 KiB is unlimited. |
| Anonymous User Download Bandwidth | This field accepts human-readable input in KiBs or greater (M, GiB, TB, etc.). Default 0 KiB is unlimited. |
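The four bandwidth fields all accept the same human-readable rate format. As an added example (not TrueNAS code), here is a parser for that format that converts a field value to bytes per second, distinguishes binary units (KiB, GiB) from decimal ones (KB, TB), refuses values smaller than a kibibyte, and maps the 0 KiB default to "unlimited". The page does not say how TrueNAS itself reads a bare letter such as "500M"; treating it as a binary unit is an assumption of this example.

```python
import re
from typing import Optional

# Binary (IEC) and decimal (SI) multipliers for the prefixes the field accepts.
_IEC = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}
_SI = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}

# number, optional prefix letter, optional unit ("iB" = binary, "B" = decimal).
_VALUE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([KMGT])?(iB|B)?\s*$", re.IGNORECASE)


def parse_bandwidth(text: str) -> Optional[int]:
    """Convert a rate string to bytes per second; None means unlimited.

    '500 KiB' and '500M' are read as binary units, '2 TB' as decimal.
    A bare letter with no 'B'/'iB' suffix is treated as binary; the page does
    not state how TrueNAS interprets that form, so this is an assumption.
    The default of 0 KiB (or any zero value) returns None for unlimited.
    """
    m = _VALUE.match(text)
    if not m:
        raise ValueError(f"unrecognised bandwidth value: {text!r}")
    number, prefix, unit = m.groups()
    value = float(number)
    if value == 0:
        return None
    if prefix is None:
        # The field accepts KiB or greater, so a bare byte count is refused.
        raise ValueError("bandwidth must be given in KiB or a larger unit")
    decimal = unit is not None and unit.upper() == "B"
    scale = (_SI if decimal else _IEC)[prefix.upper()]
    return int(value * scale)


def describe_bandwidth(limit: Optional[int]) -> str:
    """Human-readable echo of a parsed limit, for review before saving the form."""
    if limit is None:
        return "unlimited"
    return f"{limit} bytes/s ({limit / 1024:.1f} KiB/s)"


if __name__ == "__main__":
    # The three example values the page lists, plus the default.
    for sample in ("500 KiB", "500M", "2 TB", "0 KiB"):
        print(f"{sample:>8} -> {describe_bandwidth(parse_bandwidth(sample))}")
```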

Other Options

| Name | Description |
|---|---|
| Minimum Passive Port | Used by clients in PASV mode. A default of 0 means any port above 1023. |
| Maximum Passive Port | Used by clients in PASV mode. A default of 0 means any port above 1023. |
| Enable FXP | Enable File eXchange Protocol. We don't recommend this, since it leaves the server vulnerable to FTP bounce attacks. |
| Allow Transfer Resumption | Set to allow FTP clients to resume interrupted transfers. |
| Perform Reverse DNS Lookups | Performs reverse DNS lookups on client IPs. Causes long delays if reverse DNS isn't configured. |
| Masquerade Address | Public IP address or hostname. Set if FTP clients cannot connect through a NAT device. |
| Display Login | The message shown to local login users after authentication. Not shown to anonymous login users. |
| Auxiliary Parameters | Used to add additional proftpd(8) parameters. |

Ensure chroot is enabled, as this helps confine FTP sessions to a local user's home directory, and allow Local User Login.

Unless necessary, do NOT allow anonymous or root access. For better security, enable TLS when possible; this is effectively FTPS. When FTP is exposed to a WAN, enable TLS.

FTP Connection

Use a browser or FTP client to connect to the TrueNAS FTP share. The images here show using FileZilla, a free option.

The user name and password are those of the local user account on the TrueNAS. The default directory is the user's home directory. After connecting, directories can be created and files uploaded and downloaded.

FilezillaFTPConnect
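As an added example of what the TLS settings above mean from the client side (example code, not part of the TrueNAS documentation or software), the following Python ftplib session connects with explicit FTPS: it upgrades the control channel with AUTH TLS before sending any credentials, verifies the server certificate and host name, and then protects the data channel with PROT P, which is the client-side counterpart of a TLS Policy that covers both channels. The host name, user, password and certificate path in the final block are placeholders.

```python
import ftplib
import ssl
from typing import Optional


def build_ftps_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS context that verifies the server certificate and its host name.

    cafile is the CA certificate (or the server's own certificate, if it is
    self-signed) exported from TrueNAS Certificates; None uses the system
    trust store instead.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    ctx.check_hostname = True                     # the cert must match the host we dial
    ctx.verify_mode = ssl.CERT_REQUIRED           # never proceed with an unverified server
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Plain-value summary of the context, so the policy can be checked without connecting."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "tls12_or_newer": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def make_client(ctx: ssl.SSLContext, timeout: float = 30.0) -> ftplib.FTP_TLS:
    """Unconnected explicit-FTPS client bound to the verifying context."""
    return ftplib.FTP_TLS(context=ctx, timeout=timeout)


def open_ftps_session(host: str, user: str, password: str, port: int = 21,
                      cafile: Optional[str] = None) -> ftplib.FTP_TLS:
    """Log in over explicit FTPS with both channels encrypted.

    Order matters: AUTH TLS is issued before USER/PASS so the password is
    never sent in clear text, and PROT P is issued before any transfer so
    directory listings and file contents are encrypted as well.
    """
    ftps = make_client(build_ftps_context(cafile))
    ftps.connect(host, port)
    ftps.auth()                 # upgrade the control channel (AUTH TLS)
    ftps.login(user, password)  # credentials now travel inside TLS
    ftps.prot_p()               # encrypt the data channel (PROT P)
    return ftps


if __name__ == "__main__":
    # Placeholder values: replace with the TrueNAS host, a local FTP user and the exported CA file.
    session = open_ftps_session("truenas.example", "ftpuser", "CHANGE-ME", cafile="truenas-ca.pem")
    print(session.nlst())       # list the user's home dataset
    session.quit()
```

A plain ftplib.FTP object, by contrast, sends USER and PASS unencrypted; with TLS enabled on the server and a policy covering the control channel, such a client is refused at login, which is the behaviour you want when the share is reachable from a WAN.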

SFTP, or SSH File Transfer Protocol, is available by enabling SSH remote access to the TrueNAS system. SFTP is more secure than standard FTP because all transfers are encrypted by default over the SSH connection.

Go to Services, find the SSH entry, and click its configure icon.

ServicesSSHOptions

Set Allow Password Authentication and decide if Log in as Root with Password is needed. Allowing root over SSH is a security risk, as it gives full remote control of the NAS with a terminal, not just SFTP transfer access. Review the remaining options and configure them according to your environment or security needs.

General Options

| Name | Description |
|---|---|
| TCP Port | Open a port for SSH connection requests. |
| Log in as Root with Password | Allows root logins. Root logins are discouraged. A password must be set for the root user account. |
| Allow Password Authentication | Enabling allows SSH login authentication using a password. Warning: when directory services are enabled, this setting grants access to all users the directory service imported. When disabled, authentication requires keys for all users (requires additional SSH client and server setup). |
| Allow Kerberos Authentication | Before enabling, ensure valid entries exist in Directory Services (Kerberos Realms and Keytabs) and the system can communicate with the Kerberos Domain Controller. |
| Allow TCP Port Forwarding | Set to let users bypass firewall restrictions using the SSH port forwarding feature. |

Advanced Options

| Name | Description |
|---|---|
| Bind Interfaces | Select interfaces for SSH to listen on. Leave all options unselected for SSH to listen on all interfaces. |
| Compress Connections | Compress SSH traffic, which can reduce latency over slow networks. |
| SFTP Log Level | Select the syslog(3) level of the SFTP server. |
| SFTP Log Facility | Select the syslog(3) facility of the SFTP server. |
| Weak Ciphers | Allow more ciphers for sshd(8) in addition to the defaults in sshd_config(5). None allows unencrypted SSH connections and AES128-CBC allows the 128-bit Advanced Encryption Standard. WARNING: these ciphers are security vulnerabilities. Only allow them in a secure network environment. |
| Auxiliary Parameters | Add any more sshd_config(5) options not covered in this screen. Enter one option per line. These options are case-sensitive. Typos can prevent the SSH service from starting. |
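Because Auxiliary Parameters are passed straight through to sshd_config(5), a line pasted there can silently undo the choices made in the form above (root login, password authentication, port forwarding, weak ciphers). As an added example, not TrueNAS code, here is a small Python checker that parses such lines the way sshd does and reports every one that weakens the settings this page warns about. The sample input is constructed for the example and does not come from any real system.

```python
import re
from typing import List, Tuple

# Constructed sample of what someone might paste into Auxiliary Parameters.
SAMPLE_AUX_PARAMS = """\
# copied from an old server
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes
Ciphers aes128-cbc,aes256-gcm@openssh.com
MaxAuthTries=10
X11Forwarding no
"""

# 'Keyword value' or 'Keyword=value', as sshd_config(5) accepts.
_LINE = re.compile(r"^(\w+)\s*(?:=\s*|\s+)(.+?)\s*$")


def parse_sshd_options(text: str) -> List[Tuple[str, str]]:
    """Split sshd_config(5)-style lines into (keyword, argument) pairs.

    Comments and blank lines are dropped; a line that fits neither accepted
    form raises, mirroring the page's note that a typo stops sshd from starting.
    """
    options = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"cannot parse sshd option line: {raw!r}")
        options.append((m.group(1), m.group(2)))
    return options


def audit_sshd_options(options: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (keyword, reason) for each option that weakens the settings the page warns about.

    Keywords are compared case-insensitively because sshd_config(5) matches
    them that way; arguments are case-sensitive and are lower-cased only for
    the comparisons below.
    """
    findings = []
    for keyword, argument in options:
        k, a = keyword.lower(), argument.strip().lower()
        if k == "permitrootlogin" and a != "no":
            findings.append((keyword, "root logins are discouraged; use a named admin account"))
        elif k == "passwordauthentication" and a == "yes":
            findings.append((keyword, "password logins apply to every directory-service user; prefer keys"))
        elif k == "allowtcpforwarding" and a != "no":
            findings.append((keyword, "port forwarding lets users bypass firewall restrictions"))
        elif k == "ciphers":
            # CBC-mode ciphers and 'none' fall in the page's Weak Ciphers category.
            weak = [c for c in a.split(",") if c.endswith("-cbc") or c == "none"]
            if weak:
                findings.append((keyword, f"weak ciphers enabled: {', '.join(weak)}"))
    return findings


if __name__ == "__main__":
    for keyword, reason in audit_sshd_options(parse_sshd_options(SAMPLE_AUX_PARAMS)):
        print(f"{keyword}: {reason}")
```

Run against the sample, the checker flags PermitRootLogin, PasswordAuthentication, AllowTcpForwarding and the CBC cipher, and leaves MaxAuthTries and X11Forwarding alone. The same function can be pointed at the exported sshd_config of a running system to confirm that the form settings actually reached the daemon.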

SFTP Connections

Similar to the FTP setup, open FileZilla, another SFTP-capable client, or a command line. This article uses FileZilla as the example. In FileZilla, enter sftp://'TrueNAS IP', the username, the password, and port 22 to connect.

SFTP does not provide chroot locking. While chroot is not 100% secure, the lack of chroot lets users easily move up to the root directory and view internal system information. If this level of access is a concern, FTP with TLS may be the more secure choice.

SFTP in a TrueNAS Jail

Another way to allow SFTP access without granting read access to other areas of the NAS itself is to set up a jail and enable SSH.

Go to Jails > Add. Provide a name for the jail and pick a target FreeBSD image. 11.3 was used for the purpose of this guide.

Set the networking options to either DHCP or a static IP and confirm to create.

JailsAddNetworking

After the jail is created, open the jail menu by clicking the expand icon > on the right-hand side of the jail. Click START and open the SHELL.

Similar to the initial FTP setup, create a user in the jail. Enter adduser and follow the prompts including the password and home directory location. When complete, the jail asks to confirm the credentials.

JailsShellUserAdd

Enable SSH by editing the /etc/rc.conf file. Type vi /etc/rc.conf or ee /etc/rc.conf depending on preference, add sshd_enable="YES" to the file, save, and exit. Then type service sshd start to start the service (the sshd_enable line in rc.conf makes sshd start on every reboot, while service sshd start on its own starts it only for the current session).

JailsShellEditRCConf

Using an FTP client, such as FileZilla, log in with the jail IP address and user credentials. Like with SSH on TrueNAS, browsing to other folders and locations beyond the user’s home directory is possible, but unlike running on TrueNAS directly, only the components of the jail are available.

FilezillaJailConnectSFTP

The Trivial File Transfer Protocol (TFTP) is a light-weight version of FTP typically used to transfer configuration or boot files between machines, such as routers, in a local environment. TFTP provides an extremely limited set of commands and provides no authentication.

When the TrueNAS system is only storing images and configuration files for network devices, configure and start the TFTP service. Starting the TFTP service opens UDP port 69.

ServicesTFTPOptions

Path

| Name | Description |
|---|---|
| Directory | Browse to an existing directory to use for storage. Some devices can require a specific directory name. Consult the documentation for that device to see if there are any restrictions. |

Connection

| Name | Description |
|---|---|
| Host | The default host to use for TFTP transfers. Enter an IP address. Example: 192.0.2.1 |
| Port | The UDP port number that listens for TFTP requests. Example: 8050 |
| Username | Select the account to use for TFTP requests. This account must have permission to the Directory. |

Access

| Name | Description |
|---|---|
| File Permissions | Adjust the file permissions using the checkboxes. |
| Allow New Files | Set when network devices need to send files to the system. |

Other Options

| Name | Description |
|---|---|
| Auxiliary Parameters | Add more tftpd options. Enter one option per line. |
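To make concrete what "an extremely limited set of commands and no authentication" means, and how the Directory and Allow New Files settings above constrain it, here is an added Python example (not TrueNAS or tftpd code) that encodes and decodes TFTP read/write requests as defined in RFC 1350 and then applies those two settings to a parsed request. The packet format has room only for a file name and a transfer mode, so the only controls a server has are which directory it serves and whether writes may create files. The directory path, file names and packets below are constructed for the example; how TrueNAS treats a write to an already existing file is not stated on the page and is an assumption noted in the code.

```python
import os
import struct
from typing import Set, Tuple

# Opcodes from RFC 1350: this is the protocol's entire command set.
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
TFTP_PORT = 69  # the UDP port the TrueNAS TFTP service opens


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Encode a read (RRQ) or write (WRQ) request: opcode, filename, mode.

    There is no field for a user name or password anywhere in the packet,
    which is what 'provides no authentication' means on the wire.
    """
    if opcode not in (RRQ, WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    return (struct.pack("!H", opcode)
            + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def parse_request(packet: bytes) -> Tuple[int, str, str]:
    """Decode an RRQ/WRQ, rejecting truncated or malformed packets."""
    if len(packet) < 4:
        raise ValueError("packet too short for a TFTP request")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError(f"opcode {opcode} is not a request")
    fields = packet[2:].split(b"\x00")
    # filename, mode and a trailing empty field; RFC 2347 options may follow.
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("request is missing a NUL terminator")
    filename = fields[0].decode("ascii")
    mode = fields[1].decode("ascii").lower()
    if mode not in ("netascii", "octet", "mail"):
        raise ValueError(f"unknown transfer mode {mode!r}")
    return opcode, filename, mode


def decide(opcode: int, filename: str, directory: str,
           allow_new_files: bool, existing: Set[str]) -> Tuple[bool, str]:
    """Apply the Directory and Allow New Files settings to a parsed request.

    directory is the configured TFTP Directory; existing is the set of file
    names already inside it (passed in rather than read from disk so the
    example runs offline). Writes to a file that already exists are accepted
    whether or not new files are allowed; that mirrors a tftpd that only
    guards creation and is an assumption about TrueNAS's behaviour.
    """
    root = os.path.normpath(directory)
    target = os.path.normpath(os.path.join(root, filename.lstrip("/")))
    # Any name that resolves outside the directory (for example via "..") is refused.
    if os.path.commonpath([root, target]) != root:
        return False, "path escapes the TFTP directory"
    name = os.path.relpath(target, root)
    if opcode == RRQ:
        return (True, "ok") if name in existing else (False, "file not found")
    if name in existing:
        return True, "ok"
    return (True, "ok") if allow_new_files else (False, "new files not allowed")


def build_error(code: int, message: str) -> bytes:
    """ERROR packet (opcode 5) that a server sends back when it refuses a request."""
    return struct.pack("!HH", ERROR, code) + message.encode("ascii") + b"\x00"


if __name__ == "__main__":
    # Constructed traffic: a router reading its config, a write to a new file,
    # and a read that tries to step out of the served directory.
    root = "/mnt/tank/tftp"   # placeholder for the configured Directory
    files = {"router1.cfg"}
    for pkt in (build_request(RRQ, "router1.cfg"),
                build_request(WRQ, "router2.cfg"),
                build_request(RRQ, "../outside.cfg")):
        op, name, mode = parse_request(pkt)
        print(f"{'RRQ' if op == RRQ else 'WRQ'} {name!r}: {decide(op, name, root, False, files)}")
```

The decision function shows why the page pairs the Directory setting with a dedicated Username: with no credentials in the protocol, the permissions of that account on that directory are the whole access-control story, so the directory should hold only the images and configuration files the network devices need.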