I use Pure-FTPd for my sites, but it does have a rather unusual configuration on Ubuntu. Instead of a single .conf file, each option is itself a separate file in the /etc/pure-ftpd/conf directory.
I prefer to use pureDB authentication with virtual users. This is a security benefit: it allows unlimited FTP users that have low privileges and no login shells on the server. You create virtual names and passwords, each assigned a root directory and a real uid:gid for writing files. Those FTP names do not exist as actual users on your server.
Create a generic FTP group and user
I do not allow anonymous FTP, and I want all of my users' data to be within the /home directory. Let's now create the directory structure and then add the user test.
It is very important to run pure-pw mkdb after making any useradd changes; without it, the pureDB authentication files are not updated. With the above done, there is an FTP user named test, their root directory is /home/ftpusers/test, and files they save will have the uid of ftpuser and the gid of ftpgroup.
Start the server
You should now be able to restart pure-ftpd and, using your FTP client, log in as the test user with the password you supplied.
Additional Configuration Options
Do the following to create the remainder of the non-TLS configuration.
Note: change the values below to meet your specific needs.
When this extra security is enabled, logins and passwords are no longer sent in cleartext. Neither are the other commands sent by your client or the replies made by the server. This can be a little more tricky to get working, but the added security is well worth it.
The TLS option accepts three values:
- 0 : Disable SSL/TLS encryption layer (default).
- 1 : Accept both traditional and encrypted sessions.
- 2 : Refuse connections that don’t use SSL/TLS security mechanisms, including anonymous sessions.
Do not use this blindly. Be sure that:
- Your server has been compiled with SSL/TLS support (--with-tls),
- A valid certificate is in place,
- Only compatible clients will log in.
Creating the SSL Certificate and Chain
See OpenSSL for information on creating self-signed or CA-signed certificates. Once you have completed that, you will have:
For self-signed certificates
- Private Key: /root/privatekeys/default.pem
- Primary SSL certificate: /root/privatekeys/default.crt
For CA signed certificates
- Private Key: /root/privatekeys/domain.pem
- Primary SSL certificate: from the CA
- Intermediate certificate: from the CA
- Root certificate: from the CA
By default, pure-ftpd looks for the certificate in /etc/ssl/private/pure-ftpd.pem. The format of the pem needed by pure-ftpd is:
-----BEGIN RSA PRIVATE KEY-----
(Private Key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate)
-----END CERTIFICATE-----
It is a simple matter to chain the key and certificates together using cat. For a self-signed certificate:
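The chaining step above, as an added example (not the original post's command): a shell function that concatenates the key and certificates in the order pure-ftpd expects, refuses files given in the wrong order, and keeps the resulting bundle readable by its owner only. It goes beyond the self-signed case by accepting any number of chain certificates; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not part of pure-ftpd).

# pem_labels FILE: print the label of every "-----BEGIN <label>-----" line, in order.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# build_pureftpd_pem OUT KEY CERT [CHAIN_CERT...]
# Writes KEY, then CERT, then any intermediate/root certificates to OUT.
build_pureftpd_pem() {
    [ $# -ge 3 ] || { echo "usage: build_pureftpd_pem OUT KEY CERT [CHAIN_CERT...]" >&2; return 2; }
    out=$1
    key=$2
    shift 2
    # The first file must be the private key ("RSA PRIVATE KEY", "PRIVATE KEY", ...).
    case "$(pem_labels "$key" | head -n 1)" in
        *"PRIVATE KEY") ;;
        *) echo "error: $key does not start with a private key" >&2; return 1 ;;
    esac
    # Every remaining file must start with a certificate.
    for cert in "$@"; do
        [ "$(pem_labels "$cert" | head -n 1)" = "CERTIFICATE" ] || {
            echo "error: $cert does not start with a certificate" >&2; return 1; }
    done
    # umask 077: the bundle holds the private key, so create it owner-only.
    # awk 1 behaves like cat but ends each file's last line with a newline, so an
    # END line and the next BEGIN line can never be glued together.
    ( umask 077 && awk 1 "$key" "$@" > "$out" ) || return 1
    chmod 600 "$out"   # also tighten a pre-existing file
}

# Self-signed case with the paths used on this page (run as root):
# build_pureftpd_pem /etc/ssl/private/pure-ftpd.pem \
#     /root/privatekeys/default.pem /root/privatekeys/default.crt
```

For a CA-signed certificate, pass the intermediate and root certificates after the primary one, in that order.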
pure-pw useradd VirtualUsername -u RealUsername -g RealGroupname -d /home/directory
pure-pw usermod VirtualUsername -u RealUsername -g RealGroupname -d /home/directory
pure-pw userdel VirtualUsername
pure-pw passwd VirtualUsername
pure-pw list # list all pureftpd users
pure-pw show VirtualUsername # show user details
pure-pw mkdb # make changes available