Gentoo Forums
[HOWTO] PureFtpd + Mysql Auth + TLS/SSL
gentoome
Tux's lil' helper
Joined: 18 Jul 2005
Posts: 78

Posted: Mon Jul 18, 2005 9:21 am    Post subject: [HOWTO] PureFtpd + Mysql Auth + TLS/SSL

Hi all. I just finished configuring Pure-Ftpd and thought I would share my experience, since I ran into some problems.
I am aware that there already is a thread covering Pure-Ftpd + Mysql Auth, but I thought it would be nice to have everything in one place. Moreover, I do not use phpmyadmin, and thought it would be nice to have the actual SQL commands.

Here's the outline :

I. Create a Mysql DB for Pure-Ftpd

II. Setup Pure Ftpd to use that DB

III. Setup SSL/TLS
IV. Troubleshooting

I. Create a Mysql DB for Pure-Ftpd

I assume that you already have a mysql server running.
First off, please note that you do not have to setup a new DB in order to get Pure-Ftpd working, a simple new table should be sufficient.

In this example, I will create a new DB.

1) Log into Mysql :
Code:
mysql -u root -p

Punch in your mysql root password.

2) Create a new DB, called pureftpdb
Code:
CREATE DATABASE pureftpdb;


3) Set up the privileges :
Code:
GRANT ALL PRIVILEGES ON pureftpdb.* TO FTPUSER@localhost IDENTIFIED BY 'FTPPASS';


4) Logout and login as FTPUSER
Code:
quit;
mysql -u FTPUSER -p pureftpdb

When asked for it, punch in FTPPASS

5) Create a new table, called users (The meaning of the various fields is explained afterwards)
Code:

CREATE TABLE users(
  user varchar(16) NOT NULL default '',
  password varchar(64) NOT NULL default '',
  uid int(11) NOT NULL default '-1',
  gid int(11) NOT NULL default '-1',
  dir varchar(128) NOT NULL default '',
  PRIMARY KEY  (user)
) ENGINE=MyISAM;

Where :
user is the username; you might want to set it to a greater length than 16,
password is the password associated with the username,
uid and gid are self-explanatory,
dir is the directory where the user will be chrooted. Usually, the user's home directory.

6) Create a user :
Code:
INSERT INTO users (user,password,uid,gid,dir) VALUES ("test", encrypt("testpass"), 1015, 100, "/home/test");

NOTE : The double quotes are necessary !!
NOTE 2: I have chosen to encrypt the passwords, so that even if the DB is compromised, the attacker would not get access to the FTP server.
NOTE 3: PLEASE ! If you follow this howto and create a test user, DO NOT forget to delete the test account afterwards !! Like this :
Code:
DELETE FROM users WHERE user="test";


II. Configuring Pure-Ftpd

1) Where's the config File ???

When running Pure-Ftpd on Gentoo, you have a choice: you can either run it from xinetd or run it from the init script located in /etc/init.d/.
If you choose the former, you will need to specify startup options in /etc/xinetd.d/pure-ftpd.
If you choose the latter, you will need to specify startup options in /etc/conf.d/pure-ftpd.
If you choose to enable both (which is pointless but can happen by accident), then xinetd will be the first executed, hence only the startup options specified in /etc/xinetd.d/pure-ftpd will be taken into account.

Here's how to do both :

1.1) The Init script way :

You have to edit /etc/conf.d/pure-ftpd. The file is extremely well documented, so here's only what you need to change with a view to enabling Mysql authentication and SSL/TLS.
Code:

AUTH="-l mysql:/etc/pureftpd-mysql.conf" ## NOTE This is an ell, not a one
## ADD -Y [1|2] to the MISC_OTHER variable (-Y 1 enables both cleartext and TLS/SSL, -Y 2 only TLS/SSL (cleartext sessions will be rejected))
MISC_OTHER="-Y 2"

NOTE : You might want to have a look at -E, -j, -X, -G and -R
NOTE : You should uncomment the IS_CONFIGURED variable.

1.2) The xinetd.d way :
Modify the server_args line
Code:

server_args = -c 5 -C 1 -I 10 -E -X -G -R -Y 2 -l mysql:/etc/pureftpd-mysql.conf

This sets up your ftp server to :
-c 5 : Accept a maximum of 5 connections simultaneously,
-C 1 : accept a maximum of 1 connection per IP address,
-I 10 : Timeout after 10 minutes of inactivity,
-E : only allow authenticated users to log in
-X : Users (even authenticated) cannot read/write file or directories starting with ".",
-G : Disallow renaming,
-R : disallow CHMOD,
-Y 2 : Only allow SSL/TLS session, (-Y 1 if you want to allow cleartext sessions as well as SSL/TLS sessions)
-l mysql:/etc/pureftpd-mysql.conf : Authenticate against mysql DB.
NOTE : Do not forget to set disable to no.

2) Configuring Pure-Ftpd to use Mysql :
create the /etc/pureftpd-mysql.conf file.
Code:

MYSQLServer     localhost
MYSQLPort       3306
MYSQLSocket     /tmp/mysql.sock
## Change this to the username allowed to read the pureftpdb database
MYSQLUser       FTPUSER
## Change this to the password
MYSQLPassword   FTPPASS
MYSQLDatabase   pureftpdb
## This is necessary because we used the encrypt function in Mysql to encrypt the users' passwords
MYSQLCrypt      crypt

## \L is expanded into the name of the user trying to log into the ftp server.
MYSQLGetPW      SELECT password FROM users WHERE user="\L"
MYSQLGetUID     SELECT uid FROM users WHERE user="\L"
MYSQLGetGID     SELECT gid FROM users WHERE user="\L"
MYSQLGetDir     SELECT dir FROM users WHERE user="\L"
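As an added example (not code from the post or from Pure-FTPd), here is a small Python checker for the file above. It assumes pure-ftpd reads the file like this: blank lines and lines beginning with '#' are skipped, the first word is the key and the rest of the line is the value, so a comment appended after a value would be handed to MySQL as part of it; the sample file is constructed here from the post's settings.

```python
# Added example, not from the post or from Pure-FTPd. Assumed file format: blank
# lines and lines starting with '#' are skipped, first word = key, rest of line
# (trailing space trimmed) = value, so a trailing "## comment" ends up in the value.
REQUIRED = ("mysqlserver", "mysqluser", "mysqlpassword", "mysqldatabase",
            "mysqlcrypt", "mysqlgetpw", "mysqlgetuid", "mysqlgetgid", "mysqlgetdir")
QUERIES = ("MYSQLGetPW", "MYSQLGetUID", "MYSQLGetGID", "MYSQLGetDir")

def parse_pureftpd_mysql_conf(text):
    """Return {key: value} under the parsing rules assumed above."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def check_conf(conf):
    """Return a list of problems; an empty list means the file looks sane."""
    problems = []
    present = {k.lower() for k in conf}
    problems += [f"missing {k}" for k in REQUIRED if k not in present]
    for key, value in conf.items():
        if "#" in value:  # a trailing comment is part of the value
            problems.append(f"{key}: value contains '#' (trailing comment?)")
    if conf.get("MYSQLCrypt", "").lower() == "cleartext":
        problems.append("MYSQLCrypt cleartext: passwords would be stored unhashed")
    for key in QUERIES:
        if key in conf and "\\L" not in conf[key]:
            problems.append(f"{key}: query lacks \\L, so it ignores the login name")
    return problems

# Constructed sample: the file from the post, keeping its trailing comments.
SAMPLE = """\
MYSQLServer     localhost
MYSQLUser       FTPUSER ## Change this to the username
MYSQLPassword   FTPPASS ## Change this to the password
MYSQLDatabase   pureftpdb
MYSQLCrypt      crypt
MYSQLGetPW      SELECT password FROM users WHERE user="\\L"
MYSQLGetUID     SELECT uid FROM users WHERE user="\\L"
MYSQLGetGID     SELECT gid FROM users WHERE user="\\L"
MYSQLGetDir     SELECT dir FROM users WHERE user="\\L"
"""
# The same file with the trailing comments removed; check_conf() returns [] for it.
FIXED = "\n".join(line.split(" ##")[0] for line in SAMPLE.splitlines())
```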


III. SSL/TLS

1) General discussion about certificates.

In order to use SSL/TLS, you need a certificate. You can buy one on the internet, but it's quite expensive. You can also generate one yourself; the only problem then is that your SSL certificate will be self-signed, which means that some clients will ask the user for confirmation before accepting your certificate. This becomes an issue only if you plan to use your ftp server commercially, since it can scare some customers away.

2) Generating your certificate :
If you've never generated an SSL certificate, you need to do the following :
edit /etc/ssl/openssl.cnf, and change the following lines (after [ req_distinguished_name ]) :
Code:

countryName                     = FR #2 letter code country name
countryName_default             = FR #2 letter code country name

stateOrProvinceName             = France # For the US, put in your state name
stateOrProvinceName_default     = France # For the US, put in your state name

localityName                    = Paris # City name
localityName_default            = Paris # City name

0.organizationName              =  ## Domain Name (not FQDN, just domain.tld)
0.organizationName_default      =
commonName                      =  # Your name
commonName_max                  = 64

emailAddress                    = ## Your email address
emailAddress_max                = 64

[ req_attributes ]
challengePassword               = ## Password used for certificate generation
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = ## Anything meaningful you like


Then you have to actually generate the certificate :
Code:
openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Change the permissions as follows :
Code:
chmod 600 /etc/ssl/private/pure-ftpd.pem


You're all set !! You can now use your newly configured ftp server !

IV. Troubleshooting

1) I modify my config options, but pure-ftpd does not seem to notice :

You might be configuring the wrong configuration file. Remember, if you're using the init script, you have to edit /etc/conf.d/pure-ftpd; if xinetd, /etc/xinetd.d/pure-ftpd !
You might be trying to set up pure-ftpd the init script way with a working xinetd.d pure-ftpd set-up. Check that the disable variable is set to 'yes' in /etc/xinetd.d/pure-ftpd.

2) Clients can't connect !

2.1) I receive an error saying : 421 Sorry, cleartext sessions are not accepted on this server.
If you're using -Y 2, you must know that most clients will not work. On Linux, neither ftp nor ncftp work; you can, however, use lftp, which is available in portage.

2.2) You might have an error in your mysql DB. Check that the username actually fits in the "user" field of the users table. Mysql will not warn you if it does not fit, but will truncate the name.
ikaro
Advocate
Joined: 14 Jul 2003
Posts: 2526
Location: Denmark

Posted: Mon Jul 18, 2005 9:38 am

there was one already :
https://forums.gentoo.org/viewtopic-t-112183-highlight-pureftpd.html

you could add to the thread instead.
gentoome
Tux's lil' helper
Joined: 18 Jul 2005
Posts: 78

Posted: Mon Jul 18, 2005 12:36 pm

I know, that's what I say at the beginning. I created a separate thread because the scope of this howto is slightly larger, and things are handled differently (I don't use phpmyadmin), since some people might have a mysql server running without having apache/phpmyadmin.
However, if the general policy of the forum is to add to the older thread, I will.

-- Jonathan
mudrii
l33t
Joined: 26 Jun 2003
Posts: 789
Location: Singapore

Posted: Tue Aug 30, 2005 2:55 am

Nice BIG Thx for effort
kamikaze04
Guru
Joined: 28 Mar 2004
Posts: 366
Location: Valencia-Spain

Posted: Tue Aug 30, 2005 9:13 am

Really good post. I really like this way for pureftpd, i'll try it !!!