Pure-ftpd

From Gentoo Linux Wiki

Introduction

Pure-FTPd is a free (BSD), secure, production-quality and standard-conformant FTP server. It doesn't provide useless bells and whistles, but focuses on efficiency and ease of use. It provides simple answers to common needs, plus unique useful features for personal users as well as hosting providers.

To install it, emerge the package:

emerge -va net-ftp/pure-ftpd

Use Flags

Before emerging, set the USE flags to match the sections you intend to follow: ssl is needed for the SSL/TLS support below, mysql for the MySQL backend, pam for PAM authentication, and charconv for the CHARCONV setting in the configuration file. The flag set used on this page:

Use Flags: mysql pam ssl -anondel -anonperm -anonren -anonres -caps -charconv -ldap -noiplog -paranoidmsg -postgres (-selinux) -vchroot -xinetd

Configuration

After the emerge finishes, edit /etc/conf.d/pure-ftpd. The file installed by the ebuild looks like this; the security-relevant settings are AUTH, MISC_OTHER and, for TLS, the -Y flag discussed below:

File: /etc/conf.d/pure-ftpd
# Config file for /etc/init.d/pure-ftpd
##Comment variables out to disable its features, or change the values in it... ##

## This variable must be uncommented in order for the server to start ##
IS_CONFIGURED="yes"

## FTP Server,Port (separated by comma) ##
## If you prefer host names over IP addresses, it's your choice:
## SERVER="-S ftp.rtchat.com,21"
## IPv6 addresses are supported.
## !!! WARNING !!!
## Using an invalid IP will result in the server not starting,
## but reporting a correct start!
## SERVER="-S 192.168.0.1,21"
## By default binds to all available IPs.
SERVER="-S 21"

## Number of simultaneous connections in total, and per IP ##
MAX_CONN="-c 30"
MAX_CONN_IP="-C 10"

## Start daemonized in background ##
DAEMON="-B"

## Don't allow uploads if the partition is fuller than this value ##
DISK_FULL="-k 90%"

## If your FTP server is behind a NAT box, uncomment this ##
#USE_NAT="-N"

## Authentication mechanisms (others are 'pam', ...) ##
## Further infos can be found in the README file.
AUTH="-l unix"

## Change the maximum idle time (in minutes) ##
## If this variable is not defined, it will default to 15 minutes.
#TIMEOUT="-I <timeout>"

## Facility used for syslog logging ##
## If this variable is not defined, it will default to the 'ftp' facility.
## Logging can be disabled with '-f none'.
#LOG="-f <facility>"

## Charset conversion support *experimental* ##
## Only works if USE "charconv" is enabled (only Pure-FTPd >=1.0.21).
## Set the charset of the filesystem.
# CHARCONV="--fscharset <charset>"

## If you want to process each file uploaded through Pure-FTPd, enter the name
## of the script that should process the files below.
## man pure-uploadscript to learn more about how to write this script.
# UPLOADSCRIPT="/path/to/uploadscript"

## Misc. Others ##
MISC_OTHER="-A -x -j -R -Z"

#
# Use these inside $MISC_OTHER
# More can be found on "http://download.pureftpd.org/pub/pure-ftpd/doc/README"
#
# -A [ chroot() everyone, but root ]
# -e [ Only allow anonymous users ]
# -E [ Only allow authenticated users. Anonymous logins are prohibited. ]
# -i [ Disallow upload for anonymous users, whatever directory perms are ]
# -j [ If the home directory of a user doesn't exist, auto-create it ]
# -M [ Allow anonymous users to create directories. ]
# -R [ Disallow users (even non-anonymous ones) usage of the CHMOD command ]
# -Z [ Customer-proof mode: protect users from common mistakes such as chmod 0 on their own home directory ]
# -x [ In  normal  operation mode, authenticated users can read/write
#       files beginning with a dot ('.'). Anonymous users can't, for security reasons
#       (like changing banners or a forgotten .rhosts). When '-x' is used, authenticated
#       users can download dot-files, but not overwrite/create  them,  even  if they own
#       them. ]
# -X [ This  flag  is  identical  to  the  previous one (writing
#       dot-files is prohibited), but in addition, users can't even *read* files and
#       directories beginning with a dot (like "cd .ssh"). ]
# -D [ List files beginning with a dot ('.') even when the client doesn't
#      append the '-a' option to the list command. A workaround for badly
#      configured FTP clients. ]
# -G [ Disallow renaming. ]
# -d [ Send various debugging messages to the syslog. ONLY for DEBUG ]
# -F <fortune file> [ Display a fortune cookie on login. Check the README file ]
# -H [ By default, fully-qualified host names are logged. The '-H' flag avoids host names resolution. ]

Make sure IS_CONFIGURED is uncommented and set to "yes"; the init script refuses to start the daemon otherwise:

File: /etc/conf.d/pure-ftpd
IS_CONFIGURED="yes"

Choose the listen address and port. Binding to one address rather than the default of every interface is the safer choice on a multi-homed host, but as the comments in the file warn, an address that does not exist on the host makes the daemon fail while the init script still reports a successful start:

File: /etc/conf.d/pure-ftpd
SERVER="-S ip,port"
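The following Python script is an added example; it is neither Gentoo's init script nor code from Pure-FTPd. It reproduces what the init script does with these variables (their contents are assumed to be passed to the daemon's command line unchanged) and then checks the assembled flags for the weak choices the comments above warn about: no chroot, anonymous logins left enabled, no TLS, and the unix backend. The two configurations it inspects are constructed, one with this page's defaults and one hardened.

```python
"""Audit a /etc/conf.d/pure-ftpd file for weak settings.

Added example for this page, not part of Pure-FTPd or of Gentoo's init
script. Assumption: the init script appends the contents of every variable
except IS_CONFIGURED to the daemon's command line unchanged, so the flags
can be inspected as one argv list. Both configurations below are constructed.
"""
import shlex

# Constructed: the page's defaults, TLS off, anonymous logins not disabled.
WEAK_CONF = '''\
# Config file for /etc/init.d/pure-ftpd
IS_CONFIGURED="yes"
SERVER="-S 21"
MAX_CONN="-c 30"
MAX_CONN_IP="-C 10"
DAEMON="-B"
DISK_FULL="-k 90%"
AUTH="-l unix"
#TIMEOUT="-I 15"
MISC_OTHER="-A -x -j -R -Z"
'''

# Constructed: same host, but virtual users, authenticated users only, TLS enforced.
HARDENED_CONF = WEAK_CONF.replace(
    'AUTH="-l unix"', 'AUTH="-l puredb:/etc/pureftpd.pdb"'
).replace(
    'MISC_OTHER="-A -x -j -R -Z"', 'MISC_OTHER="-A -x -j -R -Z -E -Y 2"'
)


def parse_confd(text):
    """Return {NAME: value} for the uncommented NAME="value" lines, unquoted as sh would."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        settings[name.strip()] = " ".join(shlex.split(raw, comments=True))
    return settings


def daemon_args(settings):
    """The argv the daemon would receive: every variable except the IS_CONFIGURED gate."""
    args = []
    for name, value in settings.items():
        if name != "IS_CONFIGURED":
            args.extend(shlex.split(value))
    return args


def flag_value(args, flag):
    """Argument following a flag that takes one ('-Y 2' -> '2'), or None if absent."""
    for i, tok in enumerate(args[:-1]):
        if tok == flag:
            return args[i + 1]
    return None


def audit(text):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    settings = parse_confd(text)
    findings = []
    if settings.get("IS_CONFIGURED") != "yes":
        findings.append('IS_CONFIGURED is not "yes": the init script will not start the daemon')
    args = daemon_args(settings)
    if "-A" not in args:
        findings.append("-A missing: authenticated users are not chrooted to their home")
    if "-E" not in args and "-e" not in args:
        findings.append("-E missing: anonymous logins are allowed whenever an 'ftp' system account exists")
    tls = flag_value(args, "-Y")
    if tls in (None, "0"):
        findings.append("-Y missing or 0: no TLS, passwords and data cross the wire in cleartext")
    elif tls == "1":
        findings.append("-Y 1: TLS is optional, a client can still authenticate in cleartext")
    if flag_value(args, "-l") == "unix":
        findings.append("-l unix: every system account with a password can log in over FTP")
    if "-R" not in args:
        findings.append("-R missing: users can chmod their files, e.g. make uploads world-writable")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit(conf))} finding(s)")
        for finding in audit(conf):
            print("  -", finding)
```

Run it against a real file with audit(open("/etc/conf.d/pure-ftpd").read()); it only reads the file. Keep in mind that -Y is only honoured when the package was built with the ssl USE flag.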

Authentication modes

Pure-FTPd supports several authentication backends, selected with the -l option in AUTH:

default: unix passwords

File: /etc/conf.d/pure-ftpd
AUTH="-l unix"

Every system account with a valid password can log in over FTP, including administrative accounts that should never use it, and the password is sent in cleartext unless TLS is enforced (see SSL/TLS support below). Combine this backend at least with -A and -E in MISC_OTHER, or use virtual users instead.

pam

File: /etc/conf.d/pure-ftpd
AUTH="-l pam"

Note that PAM uses the rules from /etc/pam.d/ftp for Pure-FTPd.

virtual

File: /etc/conf.d/pure-ftpd
AUTH="-l puredb:/etc/pureftpd.pdb"

Virtual users are a simple mechanism to store a list of users with their password, name, uid, directory, etc. It is just like /etc/passwd, but it is a separate file used only for FTP: an FTP credential gives no shell and no access to any other service, which makes this the mode to prefer over unix passwords on a networked host.

Create a system user and group that all virtual users map to on the filesystem. It gets no home directory and a shell that cannot be executed (a directory), so nobody can log in interactively as it:

groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser

Now you can create as many virtual users as you need, like this:

pure-pw useradd joe -u ftpuser -d /home/ftpusers/joe [-m]

Joe's password is asked for twice. With -d, joe is chrooted into /home/ftpusers/joe. Use -D instead of -d only if you really want to give joe the whole filesystem; that defeats the point of a virtual user. Further pure-pw options cap the account, for example -N <MB> for a size quota, -y <n> for the maximum number of concurrent sessions and -r <ip>/<mask> to accept the user from given client addresses only (see pure-pw(8)).

Delete joe's account:

pure-pw userdel joe [-m]

Change a password:

pure-pw passwd <login> [-m]

Look at a user's record:

pure-pw show <login>

Changes are written to the text file /etc/pureftpd.passwd, but the daemon reads the compiled /etc/pureftpd.pdb, so commit them afterwards (with the -m argument pure-pw commits automatically):

pure-pw mkdb
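An added example, not pure-pw's own code: a Python audit of the text file that pure-pw mkdb compiles, to run before committing. It assumes the record layout pure-pw writes, colon-separated with login, crypt(3) hash, uid, gid, gecos and home directory as the first six fields, and that a home directory ending in /./ marks a chrooted user (what -d produces, while -D writes a plain path). The base directory, the minimum uid and the five sample records, including their placeholder hashes, are constructed for illustration.

```python
"""Audit the pure-pw virtual-user text file (the source that `pure-pw mkdb`
compiles into /etc/pureftpd.pdb).

Added example for this page, not part of Pure-FTPd. Assumptions: records are
colon-separated with login, crypt(3) hash, uid, gid, gecos and home as the
first six fields (the remaining fields carry quotas, ratios and IP/time
restrictions), and a home ending in '/./' marks a chrooted user, which is
what `pure-pw useradd -d` writes while -D writes a plain path. The sample
records are constructed and the hashes are placeholders, not real digests.
"""
import posixpath

BASE_DIR = "/home/ftpusers"  # where virtual users' homes are expected to live (assumption)
MIN_UID = 1000               # ids below this are system accounts on this host (assumption)

# Constructed sample file: one good record followed by four that should be flagged.
SAMPLE_PASSWD = """\
joe:$6$salt0001$PLACEHOLDERHASH:1001:1001::/home/ftpusers/joe/./::::::::::::
alice:$6$salt0002$PLACEHOLDERHASH:1001:1001::/home/ftpusers/alice::::::::::::
backup:$6$salt0003$PLACEHOLDERHASH:0:0::/home/ftpusers/backup/./::::::::::::
guest::1001:1001::/home/ftpusers/guest/./::::::::::::
shared:$6$salt0004$PLACEHOLDERHASH:1001:1001::/srv/www/./::::::::::::
"""


def parse_passwd(text):
    """Parse the records into dicts; raise on a line that cannot be a pure-pw record."""
    users = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: fewer than 6 fields")
        login, pw_hash, uid, gid, _gecos, home = fields[:6]
        chroot = home.endswith("/./")
        users.append({
            "login": login,
            "hash": pw_hash,
            "uid": int(uid),
            "gid": int(gid),
            "chroot": chroot,
            # Real directory with the chroot marker removed, normalised so '..' cannot hide a path.
            "home": posixpath.normpath(home[:-3] if chroot else home),
        })
    return users


def audit(users, base_dir=BASE_DIR, min_uid=MIN_UID):
    """Return findings as '<login>: <problem>' strings."""
    findings = []
    base = posixpath.normpath(base_dir)
    for u in users:
        if not u["hash"]:
            findings.append(f"{u['login']}: empty password field, lock or delete the account")
        if not u["chroot"]:
            findings.append(f"{u['login']}: home lacks the '/./' marker, user is not chrooted (created with -D?)")
        if u["uid"] < min_uid:
            findings.append(f"{u['login']}: uid {u['uid']} is a system account, files it writes are owned by it")
        if u["home"] != base and not u["home"].startswith(base + "/"):
            findings.append(f"{u['login']}: home {u['home']} is outside {base}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_passwd(SAMPLE_PASSWD)):
        print(finding)
```

Run audit(parse_passwd(open("/etc/pureftpd.passwd").read())) before pure-pw mkdb; the /./ check is the one that catches accounts created with -D, which the compiled database does not make obvious, and the path normalisation is what stops a home like /home/ftpusers/joe/../../../etc from passing the base-directory test.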

MySQL support

This requires the mysql USE flag.

File: /etc/conf.d/pure-ftpd
AUTH="-l mysql:/etc/pureftpd-mysql.conf"

Edit /etc/pureftpd-mysql.conf. Restrict it to root (chmod 600): it contains the database password, and the daemon is started as root.

File: /etc/pureftpd-mysql.conf
#MYSQLServer     localhost
#MYSQLPort       3306
MYSQLSocket     /tmp/mysql.sock
MYSQLUser       pureftpduser
MYSQLPassword   pureftpdpassword
MYSQLDatabase   pureftpd
# cleartext compares the stored value with the password as typed. On anything
# but a test setup use crypt and store crypt(3) hashes in the Password column
# instead (md5 and sha1 are unsalted MySQL digests and no better than cleartext
# once the table leaks).
MYSQLCrypt      cleartext
MYSQLGetPW      SELECT Password FROM users WHERE User="\L"
MYSQLGetUID     SELECT Uid FROM users WHERE User="\L"
MYSQLGetGID     SELECT Gid FROM users WHERE User="\L"
MYSQLGetDir     SELECT Dir FROM users WHERE User="\L"

Create the database, the table, and a database account for the daemon. The daemon only ever issues the SELECT queries configured above, so grant it nothing more than SELECT:

# mysql -u root -p
mysql> CREATE DATABASE pureftpd;
mysql> GRANT SELECT ON pureftpd.* TO 'pureftpduser'@'localhost' IDENTIFIED BY 'pureftpdpassword';
mysql> CREATE TABLE pureftpd.users(
 User VARCHAR(16) BINARY NOT NULL,
 Password VARCHAR(128) BINARY NOT NULL,
 Uid INT(11) NOT NULL default '-1',
 Gid INT(11) NOT NULL default '-1',
 Dir VARCHAR(128) BINARY NOT NULL,
 PRIMARY KEY  (User)
 );

The Password column is sized so that a crypt(3) hash fits. Then add users; with MYSQLCrypt cleartext the Password column holds the password itself, with crypt it holds the hash (for example the output of openssl passwd -6). Use a uid and gid dedicated to FTP, as with the virtual users above:

mysql> INSERT INTO pureftpd.users VALUES('test','test',1000,1000,'/home/test');

SSL/TLS support

This requires the ssl USE flag. Create a self-signed certificate with its private key in one PEM file; the daemon reads both from /etc/ssl/private/pure-ftpd.pem. A 1024-bit RSA key is no longer adequate, so use at least 2048 bits. Clients will have to trust the certificate explicitly, since it is self-signed:

mkdir -p /etc/ssl/private
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/*.pem

Then add -Y to MISC_OTHER, keeping the flags already there (assigning MISC_OTHER="-Y 2" on its own would silently drop -A and the other options set above):

File: /etc/conf.d/pure-ftpd
MISC_OTHER="-A -x -j -R -Z -Y 2"

"-Y 0", support for SSL/TLS is disabled. This is the default.

"-Y 1", clients can connect either the traditional way or through an SSL/TLS layer. A client that never asks for TLS still sends its password in cleartext, so this only protects clients that opt in.

"-Y 2", cleartext sessions are refused and only SSL/TLS compatible clients are accepted. This enforces TLS on the control connection, where the password travels; file contents are encrypted only when the client also requests a protected data channel (PROT P). Newer releases add "-Y 3", which refuses unencrypted data connections as well.

Running Pure-ftpd

Then start the server through its init script:

/etc/init.d/pure-ftpd start

and add it to the default runlevel so it starts at boot:

rc-update add pure-ftpd default