FTP, SFTP, and TFTP
Last Modified 2021-10-06 16:49 EDT
The File Transfer Protocol (FTP) is a simple option for data transfers. The additional SSH and Trivial FTP options provide secure or simple config file transfer methods, respectively.
Options for configuring FTP, SSH, and TFTP are in the system Services. Click the edit icon to configure the related service.
FTP requires a new dataset and local user account.
Go to Storage > Pools to add a new dataset.
![StoragePoolsAddDataset](/images/CORE/12.0/StoragePoolsAddDataset.png "Adding a new Dataset")
Next, go to Accounts > Users > Add to create a local user on the TrueNAS.
![AccountsUsersAdd](/images/CORE/12.0/AccountsUsersAdd.png "Adding a new User Account")
Assign a user name and password, and set the newly created dataset for the FTP share as the home directory of the user. This can be done on a per-user basis, or a single global FTP account can be created, for example OurOrgFTPacnt.
Return to Storage > Pools, find the new dataset, and click the more_vert (three-dot) icon > Edit Permissions. Set the Owner fields (user and group) to the newly created user account. Be sure to click Apply User and Apply Group before saving.
To configure FTP, go to the Services page, find the FTP entry, and click the edit icon.
Configure the options according to your environment and security considerations.
| Setting | Description |
|---|---|
| Port | Set the port the FTP service listens on. |
| Clients | The maximum number of simultaneous clients. |
| Connections | Set the maximum number of connections per IP address. 0 is unlimited. |
| Login Attempts | Enter the maximum attempts before the client is disconnected. Increase if users are prone to typos. |
| Timeout | Maximum client idle time in seconds before disconnect. |
| Certificate | The SSL certificate to be used for TLS FTP connections. To create a certificate, go to Certificates. |
| Always Chroot | Set to only let users access their home directory if they are in the wheel group. This option increases security risk. |
| Allow Root Login | Set to allow root logins. This is discouraged as it increases security risk. |
| Allow Anonymous Login | Allow anonymous FTP logins with access to the directory specified in Path. |
| Allow Local User Login | Allow any local user to log in. By default, only members of the ftp group are allowed to log in. |
| Require IDENT Authentication | Setting this option results in timeouts when |
| File Permissions | Sets default permissions for newly created files. |
| Directory Permissions | Sets default permissions for newly created directories. |
| Enable TLS | Allow encrypted connections. Requires a certificate (created or imported in Certificates). |
| TLS Policy | Define whether the control channel, data channel, both channels, or neither channel of an FTP session must occur over SSL/TLS. The policies are described in the proftpd mod_tls documentation. |
| TLS Allow Client Renegotiations | We don't recommend this, since it breaks security measures. See mod_tls for details. |
| TLS Allow Dot Login | If set, TrueNAS checks the user home directory for a .tlslogin file containing one or more PEM-encoded certificates. If not found, the user is prompted for password authentication. |
| TLS Allow Per User | If set, allows the user password to be sent unencrypted. |
| TLS Common Name Required | When set, the common name in the certificate must match the FQDN of the host. |
| TLS Enable Diagnostics | If set when troubleshooting a connection, logs more verbosely. |
| TLS Export Certificate Data | Set to export the certificate environment variables. |
| TLS No Certificate Request | Set if the client cannot connect because it handles the server certificate request poorly. |
| TLS No Empty Fragments | We don't recommend this option, since it bypasses a security mechanism. |
| TLS No Session Reuse Required | This option reduces connection security. Only use it if the client does not understand reused SSL sessions. |
| TLS Export Standard Vars | If selected, sets several environment variables. |
| TLS DNS Name Required | If set, the client DNS name must resolve to its IP address and the certificate must contain the same DNS name. |
| TLS IP Address Required | If set, the client certificate IP address must match the client IP address. |
| Local User Upload Bandwidth | This field accepts human-readable input in KiB or greater (M, GiB, TB, etc.). Examples: 500 KiB, 500M, 2 TB. Default 0 KiB is unlimited. |
| Local User Download Bandwidth | This field accepts human-readable input in KiB or greater (M, GiB, TB, etc.). Default 0 KiB is unlimited. |
| Anonymous User Upload Bandwidth | This field accepts human-readable input in KiB or greater (M, GiB, TB, etc.). Default 0 KiB is unlimited. |
| Anonymous User Download Bandwidth | This field accepts human-readable input in KiB or greater (M, GiB, TB, etc.). Default 0 KiB is unlimited. |
| Minimum Passive Port | Used by clients in PASV mode. A default of 0 means any port above 1023. |
| Maximum Passive Port | Used by clients in PASV mode. A default of 0 means any port above 1023. |
| Enable FXP | Enable File eXchange Protocol. We don't recommend this, since it leaves the server vulnerable to FTP bounce attacks. |
| Allow Transfer Resumption | Set to allow FTP clients to resume interrupted transfers. |
| Perform Reverse DNS Lookups | Performs reverse DNS lookups on client IPs. Causes long delays if reverse DNS isn't configured. |
| Masquerade Address | Public IP address or hostname. Set if FTP clients cannot connect through a NAT device. |
| Display Login | The message shown to local login users after authentication. Not shown to anonymous login users. |
| Auxiliary Parameters | Used to add additional proftpd(8) parameters. |
Enable Always Chroot, which confines FTP sessions to the local user's home directory, and enable Allow Local User Login.
Unless necessary, do NOT allow anonymous or root access. For better security, enable TLS when possible; this is effectively FTPS. When FTP is exposed to a WAN, enable TLS.
Use a browser or FTP client to connect to the TrueNAS FTP share. The images here show using FileZilla, a free option.
The user name and password are those of the local user account on the TrueNAS.
The default directory is the same as the user’s
SFTP, or SSH File Transfer Protocol, is available by enabling SSH remote access to the TrueNAS system. SFTP is more secure than standard FTP because all transfers run inside the encrypted SSH session by default.
Go to Services, find the SSH entry, and click the edit icon.
Set Allow Password Authentication and decide if Log in as Root with Password is needed. SSH with root is a security vulnerability as it allows full remote control over the NAS with a terminal, not just SFTP transfer access. Review the remaining options and configure according to your environment or security needs.
| Setting | Description |
|---|---|
| TCP Port | Open a port for SSH connection requests. |
| Log in as Root with Password | Root logins are discouraged. Allows root logins. A password must be set for the root user account. |
| Allow Password Authentication | Enabling allows SSH login authentication using a password. Warning: when directory services are enabled, this setting grants access to all users the directory service imported. When disabled, authentication requires keys for all users (requires additional SSH client and server setup). |
| Allow Kerberos Authentication | Before enabling, ensure valid entries exist in Directory Services (Kerberos Realms and Keytabs) and the system can communicate with the Kerberos Domain Controller. |
| Allow TCP Port Forwarding | Set to let users bypass firewall restrictions using the SSH port forwarding feature. |
| Bind Interfaces | Select interfaces for SSH to listen on. Leave all options unselected for SSH to listen on all interfaces. |
| Compress Connections | Enable compression for SSH connections. |
| SFTP Log Level | Select the syslog(3) level of the SFTP server. |
| SFTP Log Facility | Select the syslog(3) facility of the SFTP server. |
| Weak Ciphers | Allow more ciphers for sshd(8) in addition to the defaults in sshd_config(5). None allows unencrypted SSH connections and AES128-CBC allows the 128-bit Advanced Encryption Standard. WARNING: these ciphers are security vulnerabilities. Only allow them in a secure network environment. |
| Auxiliary Parameters | Add any more sshd_config(5) options not covered in this screen. Enter one option per line. These options are case-sensitive. Typos can prevent the SSH service from starting. |
Similar to the FTP setup, open FileZilla or another FTP client, or use the command line. This article uses FileZilla as an example. In FileZilla, enter `sftp://<TrueNAS IP>` as the host, along with the username, password, and port 22, then connect.
SFTP does not have chroot locking. While chroot is not 100% secure, the lack of chroot allows users to easily move up to the root directory and view internal system information. If this level of access is a concern, FTP with TLS may be the more secure choice.
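The FTP table and recommendations above, and the SSH table, both reduce to a handful of daemon settings that can be checked before a share is exposed. The following is an added example, not TrueNAS, proftpd or OpenSSH code: it audits a proftpd.conf fragment (the file TrueNAS builds from the FTP options and Auxiliary Parameters) and an sshd_config fragment against those recommendations. The directive-to-option mapping (DefaultRoot for Always Chroot, RootLogin, an `<Anonymous>` block, AllowForeignAddress for FXP, TLSEngine/TLSRequired for Enable TLS and TLS Policy, the TLSOptions flags, and PermitRootLogin, PasswordAuthentication, AllowTcpForwarding and Ciphers on the SSH side) is standard proftpd and OpenSSH syntax; both sample configurations are constructed and deliberately weak.

```python
from typing import Dict, List

# Constructed proftpd.conf fragment (hypothetical, intentionally weak).
SAMPLE_PROFTPD_CONF = """\
MaxLoginAttempts 1
TimeoutIdle 600
DefaultRoot ~ !wheel
RootLogin on
AllowForeignAddress on
TLSEngine on
TLSRequired off
TLSOptions NoSessionReuseRequired AllowClientRenegotiations
<Anonymous /mnt/tank/ftp>
  User ftp
</Anonymous>
"""

# Constructed sshd_config fragment (hypothetical, intentionally weak).
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes
Ciphers aes256-gcm@openssh.com,aes128-cbc
"""

# proftpd TLSOptions flags that the FTP table marks as weakening TLS
WEAK_TLS_OPTIONS = {"allowclientrenegotiations", "noemptyfragments",
                    "nosessionreuserequired", "allowperuser"}


def parse_directives(text: str) -> Dict[str, List[str]]:
    """Map lower-cased directive names to every value seen (last wins on lookup).
    Comments are skipped; a <Section ...> opener is recorded under '<section'
    so the audit can tell that an <Anonymous> block exists."""
    found: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):
            name = line[1:].split()[0].rstrip(">").lower()
            found.setdefault("<" + name, []).append(line)
            continue
        parts = line.split(None, 1)
        found.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return found


def last(d: Dict[str, List[str]], key: str, default: str = "") -> str:
    return d.get(key, [default])[-1].lower()


def audit_proftpd(conf: str) -> List[str]:
    """One finding per deviation from the FTP recommendations above."""
    d = parse_directives(conf)
    out: List[str] = []
    if "defaultroot" not in d:
        out.append("no DefaultRoot: sessions are not chrooted to the home directory")
    if last(d, "rootlogin") == "on":
        out.append("RootLogin on: root may log in over FTP")
    if "<anonymous" in d:
        out.append("<Anonymous> section: anonymous login allowed")
    if last(d, "allowforeignaddress") == "on":
        out.append("AllowForeignAddress on: FXP enabled (FTP bounce exposure)")
    if last(d, "tlsengine") != "on":
        out.append("TLSEngine not on: plaintext FTP only")
    elif last(d, "tlsrequired") != "on":
        out.append("TLSRequired is not 'on': control or data channel may be cleartext")
    weak = sorted(o for o in last(d, "tlsoptions").split() if o in WEAK_TLS_OPTIONS)
    if weak:
        out.append("weak TLSOptions: " + " ".join(weak))
    return out


def audit_sshd(conf: str) -> List[str]:
    """One finding per deviation from the SSH recommendations above."""
    d = parse_directives(conf)
    out: List[str] = []
    if last(d, "permitrootlogin", "prohibit-password") == "yes":
        out.append("PermitRootLogin yes: root shell over SSH with a password")
    if last(d, "passwordauthentication", "yes") == "yes":
        out.append("PasswordAuthentication yes: keys not required for any user")
    if last(d, "allowtcpforwarding", "yes") == "yes":
        out.append("AllowTcpForwarding yes: users can tunnel through the NAS")
    ciphers = [c for c in last(d, "ciphers").split(",") if c]
    weak = [c for c in ciphers if c.endswith("-cbc") or c == "none"]
    if weak:
        out.append("weak ciphers: " + ",".join(weak))
    return out


if __name__ == "__main__":
    for name, findings in (("proftpd", audit_proftpd(SAMPLE_PROFTPD_CONF)),
                           ("sshd", audit_sshd(SAMPLE_SSHD_CONFIG))):
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against `/usr/local/etc/proftpd.conf` and `/usr/local/etc/ssh/sshd_config` read from disk instead of the constructed strings to see what the GUI settings actually produced; an empty list from both audits corresponds to chroot on, root and anonymous logins off, TLS required on both channels, FXP off, key-only SSH and no CBC ciphers.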
Another way to allow SFTP access without granting read access to other areas of the NAS itself is to set up a jail and enable SSH.
Go to Jails > Add. Provide a name for the jail and pick a target FreeBSD image. 11.3 was used for the purpose of this guide.
Set the networking options to either DHCP or a static IP and confirm to create.
After the jail is created, open the jail menu by clicking the expand icon (>) on the right-hand side of the jail. Click START and open the SHELL.
Similar to the initial FTP setup, create a user in the jail: run `adduser` and follow the prompts, including the password and home directory location. When complete, the jail asks to confirm the credentials.
Enable SSH by editing /etc/rc.conf with `vi /etc/rc.conf` or `ee /etc/rc.conf`, depending on preference. Add `sshd_enable="YES"` to the file (no spaces around the `=`, since rc.conf is read as a shell script), save, and exit.
Run `service sshd start` to start the service now. The `sshd_enable="YES"` line in /etc/rc.conf is what makes sshd start again on every reboot; `service sshd start` only starts it this one time.
Using an FTP client, such as FileZilla, log in with the jail IP address and user credentials. Like with SSH on TrueNAS, browsing to other folders and locations beyond the user’s home directory is possible, but unlike running on TrueNAS directly, only the components of the jail are available.
The Trivial File Transfer Protocol (TFTP) is a light-weight version of FTP typically used to transfer configuration or boot files between machines, such as routers, in a local environment. TFTP provides an extremely limited set of commands and provides no authentication.
When the TrueNAS system is only storing images and configuration files for network devices, configure and start the TFTP service. Starting the TFTP service opens UDP port 69.
| Setting | Description |
|---|---|
| Directory | Browse to an existing directory to use for storage. Some devices can require a specific directory name. Consult the documentation for that device to see if there are any restrictions. |
| Host | The default host to use for TFTP transfers. Enter an IP address. Example: |
| Port | The UDP port number that listens for TFTP requests. Example: |
| Username | Select the account to use for TFTP requests. This account must have permission to the Directory. |
| File Permissions | Adjust the file permissions using the checkboxes. |
| Allow New Files | Set when network devices need to send files to the system. |
| Auxiliary Parameters | Add more options from tftpd. Add one option on each line. |
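Because TFTP has no authentication, the only thing a defender can inspect is the request itself: which file is being read or written, by which opcode, with which options. The following is an added example, not TrueNAS or tftpd code: a decoder for TFTP read/write requests (RFC 1350 framing with RFC 2347 options) plus a small review function that flags a write request (WRQ) when Allow New Files is meant to be off. The `build_request` helper and the sample packets are constructed here to exercise the decoder offline.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

# TFTP opcodes (RFC 1350; OACK from RFC 2347)
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}
MODES = ("netascii", "octet", "mail")


@dataclass
class TftpRequest:
    opcode: str            # "RRQ" or "WRQ"
    filename: str
    mode: str
    options: Dict[str, str] = field(default_factory=dict)


def parse_request(payload: bytes) -> Optional[TftpRequest]:
    """Decode a read/write request laid out as
    opcode(2) filename NUL mode NUL [option NUL value NUL]...
    Returns None for any other opcode or a malformed packet, so a caller
    never acts on partial data."""
    if len(payload) < 4:
        return None
    (op,) = struct.unpack("!H", payload[:2])
    if op not in (1, 2):
        return None
    fields = payload[2:].split(b"\0")
    # a well-formed request ends with NUL, so the final split element is empty
    if len(fields) < 3 or fields[-1] != b"":
        return None
    fields = fields[:-1]
    filename = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    if not filename or mode not in MODES:
        return None
    opts = fields[2:]
    if len(opts) % 2:
        return None
    options = {opts[i].decode("ascii", "replace").lower(): opts[i + 1].decode("ascii", "replace")
               for i in range(0, len(opts), 2)}
    return TftpRequest(OPCODES[op], filename, mode, options)


def build_request(opcode: int, filename: str, mode: str = "octet", **options: object) -> bytes:
    """Encode an RRQ/WRQ. Used here only to construct the sample packets."""
    body = struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"
    for name, value in options.items():
        body += name.encode() + b"\0" + str(value).encode() + b"\0"
    return body


def review(payload: bytes, allow_new_files: bool) -> str:
    """Classify one UDP/69 payload the way a monitoring rule would: a write
    request is alerted on when the service is not supposed to accept uploads."""
    req = parse_request(payload)
    if req is None:
        return "ignore: not a TFTP request"
    if req.opcode == "WRQ" and not allow_new_files:
        return f"alert: write request for {req.filename!r} while uploads are disabled"
    return f"ok: {req.opcode} {req.filename!r} mode={req.mode} options={req.options}"


if __name__ == "__main__":
    # constructed sample traffic: a router fetching its config, then an upload attempt
    samples = [
        build_request(1, "router1.cfg", blksize=1428),
        build_request(2, "core-sw.bin"),
        b"\x00\x04\x00\x01",                      # a bare ACK, not a request
    ]
    for pkt in samples:
        print(review(pkt, allow_new_files=False))
```

Feeding `review` the payloads of captured UDP/69 datagrams (for example from a pcap) gives a per-request log line that records exactly which image or configuration file each device asked for, which is the audit trail the protocol itself does not provide.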