pure-ftpd can be set up with virtual users that exist outside of the PAM and Unix authentication methods. They can be linked to system accounts if desired.
First, set up and configure pure-ftpd.
Here's the generic list of settings being applied:
ln -s /etc/pure-ftpd/conf/UnixAuthentication /etc/pure-ftpd/auth/65unix
ln -s /etc/pure-ftpd/conf/PAMAuthentication /etc/pure-ftpd/auth/70pam
ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/75puredb
You can see the configuration options in the pure-ftpd-wrapper man page.
cd /etc/pure-ftpd/conf
echo clf:/var/log/pure-ftpd/transfer.log > AltLog
echo yes > BrokenClientsCompatibility
echo yes > ChrootEveryone
echo yes > CustomerProof
echo yes > DontResolve
echo UTF-8 > FSCharset
echo 20 > MaxClientsNumber
echo 4 > MaxClientsPerIP
echo 1000 > MinUID
echo yes > NoAnonymous
echo yes > NoChmod
echo yes > NoTruncate
echo no > PAMAuthentication
echo 40000 50000 > PassivePortRange
echo yes > ProhibitDotFilesRead
echo yes > ProhibitDotFilesWrite
echo /etc/pure-ftpd/pureftpd.pdb > PureDB
echo 0 > TLS
echo no > UnixAuthentication
rm /etc/pure-ftpd/auth/{65unix,70pam}
ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/75puredb
TLS support works in tandem with normal FTP: it is optional, so clients may connect with or without the extra security.
pure-ftpd needs a PEM file located at /etc/ssl/private/pure-ftpd.pem. The file must contain both the generated private key and the wildcard CRT file.
cat /etc/ssl/private/private.key /etc/ssl/private/domain_dot_com.crt > /etc/ssl/private/pure-ftpd.pem
Enable optional TLS support:
echo 1 > /etc/pure-ftpd/conf/TLS
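The two TLS steps above (assemble the PEM, then enable TLS) leave one thing unchecked: whether the PEM file really contains a key plus a certificate, and whether the private key ended up world-readable. The script below is an added example, not code from the original notes or from the pure-ftpd project; it assumes the same paths as the notes (/etc/ssl/private/private.key, /etc/ssl/private/domain_dot_com.crt, /etc/ssl/private/pure-ftpd.pem) and accepts others as arguments.

```shell
#!/bin/sh
# Added example, not part of the original notes: build the PEM file pure-ftpd
# reads from /etc/ssl/private/pure-ftpd.pem and check it before enabling TLS.
# The default paths are the ones used in the notes (an assumption for any
# other host); pass different ones as arguments.

# build_pure_ftpd_pem KEY CRT OUT
# Concatenates the private key and the certificate into OUT. The file is
# created under umask 077 so it is mode 0600 from the first byte written.
build_pure_ftpd_pem() {
    key=$1; crt=$2; out=$3
    [ -r "$key" ] || { echo "cannot read key: $key" >&2; return 1; }
    [ -r "$crt" ] || { echo "cannot read cert: $crt" >&2; return 1; }
    ( umask 077 && cat "$key" "$crt" > "$out" ) || return 1
    chmod 600 "$out" || return 1
    check_pure_ftpd_pem "$out"
}

# check_pure_ftpd_pem FILE
# Returns 0 only if FILE holds exactly one private key block, at least one
# certificate block, and is not readable by group or others.
check_pure_ftpd_pem() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$keys" -eq 1 ] || { echo "$f: expected 1 private key block, found $keys" >&2; return 1; }
    [ "$certs" -ge 1 ] || { echo "$f: no certificate block" >&2; return 1; }
    # find prints the path if the group-read (040) or other-read (004) bit is set.
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "$f: private key is readable by group or others" >&2
        return 1
    fi
    return 0
}

# pem_key_matches_cert FILE
# Optional deeper check (needs openssl): the public key inside the certificate
# must equal the public key derived from the private key in the same file.
pem_key_matches_cert() {
    f=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    from_cert=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$f" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Usage: sh pem-check.sh build [KEY CRT OUT]   or   sh pem-check.sh check [PEM]
case "${1:-}" in
    build) build_pure_ftpd_pem "${2:-/etc/ssl/private/private.key}" \
                               "${3:-/etc/ssl/private/domain_dot_com.crt}" \
                               "${4:-/etc/ssl/private/pure-ftpd.pem}" ;;
    check) check_pure_ftpd_pem "${2:-/etc/ssl/private/pure-ftpd.pem}" \
               && pem_key_matches_cert "${2:-/etc/ssl/private/pure-ftpd.pem}" ;;
esac
```

Run `build` before `echo 1 > /etc/pure-ftpd/conf/TLS`; a non-zero exit means the PEM is malformed or too permissive and TLS should stay off until that is fixed. The mode check matters because the concatenated file carries the private key: the plain `cat ... > pure-ftpd.pem` from the notes inherits the shell's umask, which is usually 022.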
You can create users separate from system accounts so that each has its own login and password. A virtual user can either stand alone or be mapped to a system user (uid, gid and home directory), whichever you prefer.
Always run pure-pw mkdb after every user command.
pure-pw useradd ftp-steve -u steve -g users -d /home/steve
pure-pw mkdb

pure-pw userdel ftp-steve
pure-pw mkdb

pure-pw show ftp-steve
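The "always run pure-pw mkdb" rule is easy to forget, and the MinUID setting from the config above silently refuses logins for any account mapped to a uid below it. The wrapper below is an added example, not code from the notes or from the pure-ftpd project: it validates the account against MinUID before calling pure-pw and rebuilds the database after every change. It assumes the config directory from the notes (/etc/pure-ftpd/conf) and that pure-pw, when stdin is not a terminal, reads the password twice from stdin the way it prompts twice interactively.

```shell
#!/bin/sh
# Added example, not part of the original notes: a wrapper around pure-pw that
# validates a virtual account before creating it and always runs "pure-pw mkdb"
# afterwards, so the on-disk database can never be left behind the text file.
# MinUID is read from the wrapper config directory written earlier in the notes.

CONF_DIR=${PURE_FTPD_CONF_DIR:-/etc/pure-ftpd/conf}
PURE_PW=${PURE_PW:-pure-pw}     # set PURE_PW=echo for a dry run

# min_uid: print MinUID from the config dir, defaulting to 1000 as in the notes.
min_uid() {
    if [ -r "$CONF_DIR/MinUID" ]; then cat "$CONF_DIR/MinUID"; else echo 1000; fi
}

# resolve_uid ARG: ARG is either a numeric uid or a system user name
# (pure-pw -u accepts both); print the numeric uid or fail.
resolve_uid() {
    case "$1" in
        ''|*[!0-9]*) id -u "$1" 2>/dev/null || { echo "unknown system user: '$1'" >&2; return 1; } ;;
        *) echo "$1" ;;
    esac
}

# check_virtual_user NAME UID_OR_USER HOME
# Returns 0 if the login name is a plain token, the uid resolves and is not
# below MinUID (pure-ftpd refuses such logins), and HOME is an absolute path.
check_virtual_user() {
    name=$1; home=$3
    case "$name" in
        ''|*[!A-Za-z0-9._-]*) echo "bad login name: '$name'" >&2; return 1 ;;
    esac
    uid=$(resolve_uid "$2") || return 1
    if [ "$uid" -lt "$(min_uid)" ]; then
        echo "uid $uid is below MinUID $(min_uid); login would be refused" >&2
        return 1
    fi
    case "$home" in
        /*) ;;
        *) echo "home must be an absolute path: '$home'" >&2; return 1 ;;
    esac
    return 0
}

# add_virtual_user NAME UID_OR_USER GID HOME
# The password comes from $PURE_PW_PASSWORD rather than an argument so it never
# shows up in the process list. Assumption: pure-pw reads the password twice
# from stdin when stdin is not a terminal, mirroring its interactive prompts.
add_virtual_user() {
    check_virtual_user "$1" "$2" "$4" || return 1
    [ -n "${PURE_PW_PASSWORD:-}" ] || { echo "PURE_PW_PASSWORD is empty" >&2; return 1; }
    printf '%s\n%s\n' "$PURE_PW_PASSWORD" "$PURE_PW_PASSWORD" \
        | "$PURE_PW" useradd "$1" -u "$2" -g "$3" -d "$4" || return 1
    "$PURE_PW" mkdb
}

# del_virtual_user NAME: remove the account and rebuild the database.
del_virtual_user() {
    "$PURE_PW" userdel "$1" || return 1
    "$PURE_PW" mkdb
}

# Usage: PURE_PW_PASSWORD=... sh ftpuser.sh add ftp-steve steve users /home/steve
#        sh ftpuser.sh del ftp-steve
case "${1:-}" in
    add) add_virtual_user "$2" "$3" "$4" "$5" ;;
    del) del_virtual_user "$2" ;;
esac
```

With `PURE_PW=echo` the wrapper only prints the pure-pw commands it would run, which is a convenient way to review an account before touching /etc/pure-ftpd/pureftpd.passwd on a live host.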
iptables must have a rule accepting the passive port range configured above.
iptables -A INPUT -p tcp --match multiport --dports 40000:50000 -j ACCEPT
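The firewall rule above has to match the PassivePortRange written to the wrapper config, and the two drift apart easily when one is edited without the other. The script below is an added example, not from the notes or the pure-ftpd project: it derives the iptables rule from the config file so the range is defined in one place. It assumes the wrapper's config directory from the notes (/etc/pure-ftpd/conf) and the space-separated "MIN MAX" format the notes write into PassivePortRange.

```shell
#!/bin/sh
# Added example, not part of the original notes: derive the iptables rule for
# the passive-mode data ports from the PassivePortRange setting, so the
# firewall and pure-ftpd cannot disagree about the range. CONF_DIR defaults to
# the directory used in the notes and can be overridden for testing.

CONF_DIR=${PURE_FTPD_CONF_DIR:-/etc/pure-ftpd/conf}

# read_passive_range: print "MIN MAX" from the config, checking that both
# values are ports in 1..65535 and MIN <= MAX (the wrapper file stores them
# space-separated; the daemon itself takes them as MIN:MAX).
read_passive_range() {
    f=$CONF_DIR/PassivePortRange
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    set -- $(cat "$f")
    [ $# -eq 2 ] || { echo "$f: expected two numbers" >&2; return 1; }
    for p in "$1" "$2"; do
        case "$p" in
            ''|*[!0-9]*) echo "$f: '$p' is not a number" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "$f: port $p out of range" >&2; return 1; }
    done
    [ "$1" -le "$2" ] || { echo "$f: min $1 is greater than max $2" >&2; return 1; }
    echo "$1 $2"
}

# passive_iptables_rule: print the ACCEPT rule that matches the configured range.
passive_iptables_rule() {
    range=$(read_passive_range) || return 1
    set -- $range
    echo "iptables -A INPUT -p tcp --match multiport --dports $1:$2 -j ACCEPT"
}

# passive_rule_present: 0 if the running ruleset already has the equivalent
# rule (iptables -C exits non-zero when the rule is absent).
passive_rule_present() {
    range=$(read_passive_range) || return 1
    set -- $range
    iptables -C INPUT -p tcp --match multiport --dports "$1:$2" -j ACCEPT 2>/dev/null
}

# Usage: sh passive-fw.sh show    (print the rule)
#        sh passive-fw.sh apply   (add it if missing; needs root)
case "${1:-}" in
    show)  passive_iptables_rule ;;
    apply) passive_rule_present || eval "$(passive_iptables_rule)" ;;
esac
```

`apply` is idempotent because it checks with `iptables -C` first, so it can be run from a deployment script without stacking duplicate rules. It covers only the passive data ports; the control connection on port 21 still needs its own ACCEPT rule.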
pure-ftpd features:
 - all directives passed to the binary as switches
 - FTP accounts can be distinct from system accounts!!!
 - can set up separate FTP user passwords from the system account!!
 - MySQL support
 - quota support
 - bandwidth throttling
 - CLI app to see connections, bandwidth, etc.
 - restrict access to IP address ranges, or only to its own virtual host!!
 - chroot
 - connections only during configured time ranges
 - .ftpaccess support
 - restrict access to dot files
 - can disable chmod completely
 - allows symbolic links, even when chrooted
 - directory aliases supported
 - uploads are atomic!!

More: RFC conformance is great, but in real life there are a lot of buggy clients. That is why Pure-FTPd also has workarounds for some versions of popular Windows clients that totally violate the FTP protocol. Pure-FTPd also works with broken home-made clients that don't properly terminate lines. So if your current setup works with another FTP server, you can safely move to Pure-FTPd without breaking anything or receiving customer complaints: things will work as before for them, and the migration will be transparent. Firewalling is easy: Pure-FTPd can restrict the port range for passive connections, force the announced IP for masquerading gateways, or disable passive connections to deal with broken port forwarders.
The same settings passed to the binary as switches:

/usr/sbin/pure-ftpd -l pam -u 1000 -E -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -B

Switches, short and long form:
 - -0 (zero), --notruncate: while uploading a file, don't overwrite it until it's finished uploading
 - -A, --chrooteveryone: chroot everyone
 - -B, --daemonize: start in background (daemon mode)
 - -E, --noanonymous: authenticated users only (no anonymous)
 - -l <auth>, --login <auth>: authentication method, e.g. pam or puredb:/etc/pureftpd.pdb
 - -N, --natmode: NAT mode -- use if remote connections can't get a directory listing
 - -O, --altlog: output to file
 - -p <first>:<last>, --passiveportrange <minport:maxport>: ports in range for passive-mode downloads
 - -R, --nochmod: don't let users use chmod (for their own protection)
 - -u <uid>, --minuid <uid>: don't allow users under uid to log in
 - -c <number>, --maxclientsnumber <number>: max number of sessions
 - -C <number>, --maxclientsperip <number>: max number of connections from one IP address
 - -y <per user max>, --peruserlimits <per user max>: max number of connections with the same user name
 - -x, --prohibitdotfileswrite
 - -X, --prohibitdotfilesread
 - -Y 1, --tls 1: accept standard and encrypted sessions
 - -Z, --customerproof: enable options for ISPs to protect users from doing stupid stuff (no chmod)
macOS Finder does not allow anonymous FTP write access.
Gentoo configuration for pure-ftpd is located at /etc/conf.d/pure-ftpd. IS_CONFIGURED must be set to yes, and additional options can be put in MISC_OTHER.