Pure FTP

I use Pure-FTPd for my sites, but it does have a rather unusual configuration layout on Ubuntu. Instead of a single .conf file, each option is itself a separate file in the /etc/pure-ftpd/conf directory: the file name is the option and the file's content is its value.

Install

apt-get install pure-ftpd
cd /etc/pure-ftpd/conf

I prefer to use pureDB authentication with virtual users. This is a security benefit: it allows any number of FTP users, all with low privileges and no login shell on the server. You create virtual names and passwords, and each is assigned a root directory and a real uid:gid under which files are written. Those FTP names do not exist as actual accounts on your server.

Initial config

echo 'no' > PAMAuthentication
echo 'no' > UnixAuthentication
echo '/etc/pure-ftpd/pureftpd.pdb' > PureDB
ln -s ../conf/PureDB /etc/pure-ftpd/auth/50pure

Create a generic FTP group and user

This is the real account that every virtual user maps to for file ownership. It needs no shell and no usable home directory:

groupadd -g 2001 ftpgroup
useradd -u 2001 -s /bin/false -d /dev/null -c "FTP user" -g ftpgroup ftpuser

I do not allow anonymous FTP, and I want all of my users' data to be within the /home directory. Let's now create the directory structure and then add the user test.

mkdir -p /home/ftpusers/test
chown -R ftpuser:ftpgroup /home/ftpusers
pure-pw useradd test -u ftpuser -d /home/ftpusers/test
   => Enter a password of your choice when asked.
pure-pw mkdb

It is very important to run pure-pw mkdb after any useradd, usermod, userdel or passwd change. Until it runs, the pureDB authentication file is not updated and the daemon still sees the old user list (pure-pw also accepts -m on those commands to rebuild the database in the same step). With the above done, there is an FTP user named test whose root directory is /home/ftpusers/test; files they upload will have uid ftpuser and gid ftpgroup.
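The steps above (directory, ownership, pure-pw useradd, pure-pw mkdb) as one script. This is an added example, not the page's own commands and not part of pure-ftpd: FTP_BASE, FTP_OWNER and PURE_PW are this script's own variables (PURE_PW lets a stand-in command be substituted for a dry run), and the user-name check is an addition; pure-pw's -m option, which rebuilds pureftpd.pdb in the same step, is the real flag.

```shell
#!/usr/bin/env bash
# Provision one Pure-FTPd virtual user: chroot directory with the right
# uid:gid, then pure-pw useradd with -m so pureftpd.pdb is rebuilt in the
# same step. Added example for this page, not pure-ftpd's own tooling.
# FTP_BASE, FTP_OWNER and PURE_PW are assumptions of this script.
set -eu

FTP_BASE="${FTP_BASE:-/home/ftpusers}"
FTP_OWNER="${FTP_OWNER:-ftpuser:ftpgroup}"
PURE_PW="${PURE_PW:-pure-pw}"

# The virtual name becomes a path component under FTP_BASE, so reject
# anything that could escape it or be parsed as an option.
valid_ftp_name() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9][a-z0-9_.-]{0,31}$' || return 1
    case "$1" in *..*) return 1 ;; esac
}

# Create the chroot directory owned by the real uid:gid uploads will carry.
# Prints the directory path.
prepare_home() {
    local name="$1" dir
    valid_ftp_name "$name" || { echo "refusing unsafe user name: $name" >&2; return 2; }
    dir="$FTP_BASE/$name"
    mkdir -p "$dir"
    chown "$FTP_OWNER" "$dir"
    chmod 750 "$dir"            # no world access to other users' uploads
    printf '%s\n' "$dir"
}

# pure-pw reads the new password twice from stdin; -m rebuilds the .pdb.
add_virtual_user() {
    local name="$1" password="$2" dir
    dir="$(prepare_home "$name")" || return $?
    printf '%s\n%s\n' "$password" "$password" |
        "$PURE_PW" useradd "$name" \
            -u "${FTP_OWNER%%:*}" -g "${FTP_OWNER##*:}" -d "$dir" -m
}

# Read back what was stored (uid, gid, home directory, chroot path).
show_virtual_user() {
    "$PURE_PW" show "$1"
}
```

Run as root with add_virtual_user test 'the-password' and then show_virtual_user test; the name check matters because the page chroots every user into a directory derived from that name.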

Start the server

You should now be able to restart pure-ftpd and, using your FTP client, log in as the test user with the password you supplied.

/etc/init.d/pure-ftpd restart

Additional Configuration Options

Do the following to create the remainder of the non-TLS configuration.

The file names and values should be self-explanatory. If not, see the PureFTP README and/or the Ubuntu Community documentation for further information.

Note: change the values below to meet your specific needs.

echo 'yes' > ChrootEveryone
echo 'yes' > BrokenClientsCompatibility
echo '50' > MaxClientsNumber
echo '5' > MaxClientsPerIP
echo 'yes' > Daemonize
echo 'no' > VerboseLog
echo 'yes' > DisplayDotFiles
echo 'yes' > ProhibitDotFilesWrite
echo 'yes' > NoChmod
echo 'no' > AnonymousOnly
echo 'yes' > NoAnonymous
echo 'no' > PAMAuthentication
echo 'no' > UnixAuthentication
echo '/etc/pure-ftpd/pureftpd.pdb' > PureDB
echo 'yes' > DontResolve
echo '15' > MaxIdleTime
echo '2000 8' > LimitRecursion
echo 'yes' > AntiWarez
echo 'no' > AnonymousCanCreateDirs
echo '4' > MaxLoad
echo 'no' > AllowUserFXP
echo 'no' > AllowAnonymousFXP
echo 'no' > AutoRename
echo 'yes' > AnonymousCantUpload
echo '80' > MaxDiskUsage
echo 'yes' > CustomerProof
echo '0' > TLS
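A check worth running after writing the files above: an added shell audit (not part of pure-ftpd and not the page's original commands) that reads the one-option-per-file directory and reports any setting that weakens the chrooted, virtual-user-only, no-anonymous design. CONF_DIR is this script's own variable; the expected values are the ones set above, except that it treats TLS 2 as the target and TLS 1 as a transitional state.

```shell
#!/usr/bin/env bash
# Audit the one-option-per-file Pure-FTPd configuration directory.
# Added example for this page, not part of pure-ftpd; CONF_DIR defaults to
# the Ubuntu location used above and can be pointed at a copy for testing.
set -eu

CONF_DIR="${CONF_DIR:-/etc/pure-ftpd/conf}"

# Value of one option file with surrounding whitespace removed.
# A missing file yields an empty string (option unset).
conf_get() {
    local f="$CONF_DIR/$1"
    [ -f "$f" ] || return 0
    tr -d '[:space:]' < "$f"
}

# Settings a chrooted, virtual-user-only, no-anonymous server must have.
# Prints one WEAK line per deviation and returns the number of deviations.
audit_pure_ftpd() {
    local failures=0 pair opt want got
    for pair in ChrootEveryone=yes NoAnonymous=yes PAMAuthentication=no \
                UnixAuthentication=no ProhibitDotFilesWrite=yes \
                AllowUserFXP=no DontResolve=yes; do
        opt="${pair%%=*}"
        want="${pair##*=}"
        got="$(conf_get "$opt")"
        if [ "$got" != "$want" ]; then
            printf 'WEAK  %-22s = "%s" (want "%s")\n' "$opt" "$got" "$want"
            failures=$((failures + 1))
        fi
    done

    # TLS: 0 = cleartext only, 1 = TLS optional, 2 = TLS required.
    got="$(conf_get TLS)"
    case "$got" in
        2) ;;
        1) printf 'NOTE  TLS = 1: cleartext logins are still accepted\n' ;;
        *) printf 'WEAK  TLS = "%s": credentials cross the wire in cleartext\n' "$got"
           failures=$((failures + 1)) ;;
    esac

    # Virtual users need PureDB to point at the password database.
    got="$(conf_get PureDB)"
    if [ -z "$got" ]; then
        printf 'WEAK  PureDB unset: virtual users cannot authenticate\n'
        failures=$((failures + 1))
    fi

    return "$failures"
}
```

With the list above applied verbatim the only finding is TLS = 0; the exit status is the number of findings, so the script can gate a deployment.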

TLS/SSL support

When this extra security is enabled, logins and passwords are no longer sent in cleartext, and neither are the other commands sent by your client or the replies made by the server. Note that with TLS set to 1 a client may still choose a cleartext session; only 2 enforces encryption. This can be a little more tricky to get working, but the added security is well worth it.

Configure

The TLS option accepts three values :

  • 0 : Disable SSL/TLS encryption layer (default).
  • 1 : Accept both traditional and encrypted sessions.
  • 2 : Refuse connections that don’t use SSL/TLS security mechanisms, including anonymous sessions.

Do not use this blindly. Be sure that:

  • Your server has been compiled with SSL/TLS support (--with-tls); Ubuntu's package is,
  • A valid certificate is in place,
  • Only compatible clients will log in.

echo '1' > TLS

Creating the SSL Certificate and Chain

See OpenSSL for information on creating self-signed or CA-signed certificates. Once you have completed that you will have:

For self-signed certificates

  • Private Key: /root/privatekeys/default.pem
  • Primary SSL certificate: /root/privatekeys/default.crt

For CA signed certificates

  • Private Key: /root/privatekeys/domain.pem
  • Primary SSL certificate: from the CA
  • Intermediate certificate: from the CA
  • Root certificate: from the CA

By default, pure-ftpd looks for the certificate in /etc/ssl/private/pure-ftpd.pem. The file must contain the private key first, then the certificates, in this order:

-----BEGIN RSA PRIVATE KEY-----
(Private Key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate)
-----END CERTIFICATE-----

It is a simple matter to chain the key and certificates together using cat, key first. For a self-signed certificate:

cat /root/privatekeys/default.pem /root/privatekeys/default.crt  > /etc/ssl/private/pure-ftpd.pem

# The file contains the private key: make it readable by root only.

chmod 400 /etc/ssl/private/pure-ftpd.pem

Test it: restart pure-ftpd and connect with a client that supports explicit FTP over TLS (AUTH TLS). With TLS set to 2, a client that cannot negotiate TLS must be refused.
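The chaining step above, covering both the self-signed and the CA-signed layouts, as an added script; it is not part of pure-ftpd or of the original page. It enforces the block order pure-ftpd expects, writes the file without ever leaving it world-readable, and, when openssl is installed, confirms that the key and the server certificate belong together. The function names and check logic are this example's own; the paths are the ones used above.

```shell
#!/usr/bin/env bash
# Assemble /etc/ssl/private/pure-ftpd.pem (key first, then the certificate
# chain) and sanity-check it before restarting the daemon. Added example for
# this page, not pure-ftpd's own tooling; the openssl checks are skipped
# when openssl is not installed.
set -eu

# Labels of the PEM blocks in a file, in file order.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# pure-ftpd wants: private key, server certificate, then intermediates
# (and optionally the root). Fails on any other arrangement.
check_chain_order() {
    local labels first others
    labels="$(pem_labels "$1")"
    first="$(printf '%s\n' "$labels" | head -n 1)"
    case "$first" in
        'RSA PRIVATE KEY'|'EC PRIVATE KEY'|'PRIVATE KEY') ;;
        *) echo "first block must be the private key, got: ${first:-none}" >&2; return 1 ;;
    esac
    others="$(printf '%s\n' "$labels" | tail -n +2)"
    [ -n "$others" ] || { echo "no certificate follows the key" >&2; return 1; }
    printf '%s\n' "$others" | grep -qvx 'CERTIFICATE' && {
        echo "only CERTIFICATE blocks may follow the key" >&2; return 1; }
    return 0
}

# Concatenate key + certificates into OUT with owner-only permissions.
# usage: assemble_chain OUT KEY CERT [INTERMEDIATE ...] [ROOT]
assemble_chain() {
    local out="$1"; shift
    ( umask 077; cat "$@" > "$out" )   # never world-readable, not even briefly
    chmod 400 "$out"
    check_chain_order "$out"
}

# Confirm the key and the first certificate in the file carry the same
# public key; a mismatch here is the usual cause of TLS handshake failures.
key_matches_cert() {
    command -v openssl > /dev/null || { echo "openssl missing, check skipped" >&2; return 0; }
    local kpub cpub
    kpub="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
    cpub="$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null)" || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}
```

For a CA-signed certificate the call is assemble_chain /etc/ssl/private/pure-ftpd.pem /root/privatekeys/domain.pem domain.crt intermediate.crt root.crt, with the file names the CA supplied, followed by key_matches_cert /etc/ssl/private/pure-ftpd.pem. After restarting the daemon, openssl s_client -connect ftp.example.com:21 -starttls ftp shows the chain the server actually presents; a verify error there usually means the wrong intermediate was included.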

Basic Commands

pure-pw useradd VirtualUsername -u RealUsername -g RealGroupname -d /home/directory
pure-pw usermod VirtualUsername -u RealUsername -g RealGroupname -d /home/directory
pure-pw userdel VirtualUsername
pure-pw passwd VirtualUsername
pure-pw list # list all pureftpd users
pure-pw show VirtualUsername # show user details
pure-pw mkdb # make changes available