installing an alternative ftp daemon – proftpd

installing an alternative ftp daemon – proftpd

I decided to install another ftp server.  Mainly because I was having a small
problem with the default ftp server which I didn’t want to spend the time fixing.  
The problem was with chroot.  If I placed a user in /etc/ftpchroot, they
were unable to use the ls command.  I understand this is because the ls
executable must be placed within the chroot tree.  That makes sense.  However, I
didn’t want to do that.  I also liked the idea that proftpd does not depend
upon any external executables.  It is entirely independent.

See also Creating a chroot ftpd.

Another selling point for me, with respect to proftpd, was the apache-like
configuration.  If you are familiar with the httpd.conf, the proftp.conf file
concepts will be easy for you to pick up.

home page  

http://www.proftpd.org/

mailing list archives  

http://www.proftpd.org/proftpd-l-archive/

FAQ  

http://hamster.wibble.org/proftpd

The Install

And since I have the entire ports tree, all I needed to do
was:

# cd /usr/ports/ftp/proftpd
su: cd: /usr/ports/ftp/proftpd: No such file or directory

Oh oh!  Why don’t I have that?  I checked the http://www.freebsd.org/ports/ page to see if
proftpd was listed in the ftp section.  It was.  So my ports were out of date.
  Time to fix that.  It was pretty easy.  I used the instructions found in Updating the ports collection.  When doing this, I could have
modified my ports-supfile and commented out everything except the ftp section.  But I
didn’t.  I wanted all my ports updated.

So I started again:

# cd /usr/ports/ftp/proftpd
# make

Again, I started getting errors.  This time it was complaining about not being
able to get autoconf-2.12.tar.gz I think.  Hmmm, where does that live?  A quick:

# locate autoconf

shows it’s from /usr/ports/devel/.  A quick check again at http://www.freebsd.org/ports/ finds that the
current version is 2.13. So my ports are out of date.  I had not been updating the
devel directory.  So I uncommented that line from the ports-supfile and ran cvsup
again.  After that, I started with the install again:

# make
# make install

Of note was this output from the install:

===>  Installing for proftpd-1.2.0p8
###
As of proftpd 1.2.0p5 and later, you need to edit /etc/pam.conf to add
support for ftp.  To do so, add the following two lines to this file:

ftp auth    required    pam_unix.so         try_first_pass
ftp account required    pam_unix.so         try_first_pass
###
===>   Generating temporary packing list
===>   Compressing manual pages for proftpd-1.2.0p8
===>   Registering installation for proftpd-1.2.0p8

I’m not sure if this will be relevant or not.  It turned out it was.

Configuration

The main configuration file is /usr/local/etc/proftpd.conf.

I was running
this daemon standalone.  That’s the default configuration.  So I commented out
the line in /etc/inetd.conf for ftp.  Don’t forget to HUP inetd
(like I did):

# killall -HUP inetd

After making changes to the config file so as to enable anonymous ftp (see config file and below), I started the server:

# /usr/local/libexec/proftpd

Then I checked to see if it was running:

# ps -auwx | grep ftp
#

Hmmm, there’s nothing there.  Time to check for error messages:

# tail /var/log/messages
Nov 10 23:14:20 ducky proftpd[17601]: attempted bind to 0.0.0.0, port 21
Nov 10 23:14:20 ducky proftpd[17601]: bind() failed in
                inet_create_connection(): Address already in use
Nov 10 23:14:20 ducky proftpd[17601]: Check the ServerType directive to
                    ensure you are configured correctly.

DOH!  I forgot to HUP inetd.

# killall -hup inetd
# /usr/local/libexec/proftpd
# tail /var/log/messages
Nov 10 23:18:20 ducky proftpd[17640]: ProFTPD 1.2.0pre8 
                                               standalone mode STARTUP 

OK.  That’s looking much better!

Testing it

With my initial testing, I was unable to connect with any user/password combination.
Most annoying.  Checking the messages again, I find this:

Nov 10 23:25:35 ducky proftpd[17681]: USER dan: incorrect password from
           fred.yourdomain.org [10.0.0.1] to 10.0.0.2:21

Hmmm, but my password is correct.  I dunno.  But anonymous ftp is working.

Eventually I remembered the bit about PAM from the install process and added those bits
to the PAM configuration file.  But that didn’t fix it either.  At this point, I
went to bed.

The problem was PAM

After posting a message to the freebsd-questions@freebsd.org
I found the solution.  It appears that my version of FreeBSD  does not support
PAM.   What’s PAM you say?  If you check /etc/pam.conf, you’ll see
this: Pluggable Authentication Modules.  And from man pam:

PAM  Is  a system of libraries that handle the authentica-
tion tasks of applications (services) on the system.   The
library  provides  a stable general interface (Application
Programming Interface - API) that privilege granting  pro-
grams  (such  as  login(1)  and su(1)) defer to to perform
standard authentication tasks.

The solution was found at http://hamster.wibble.org/proftpd/
and it involves adding the following line to /usr/local/etc/proftpd.conf:

AuthPAMAuthoritative            off

Note: FreeBSD 3.3 does support PAM.  I know because that was the version I used
when Installing an ftp server.  And there I also used proftpd.

Anonymous

The first thing you might want to do is add an anonymous ftp user.  Look at http://hamster.wibble.org/proftpd/ for the
configuration options.  Here is more or less my anonymous settings:

<Anonymous ~ftp>
  DirFakeUser                   on ftpd
  DirFakeGroup                  on ftpd

  User                          ftp
  Group                         ftp
  ### We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  ### Limit the maximum number of anonymous logins
  MaxClients                    10

  ### It is wise when making an 'ftp' user that you either block its
  ### ability to login either via /etc/login.access or my giving it
  ### an invalid shell.
  ### Uncomment this if the 'ftp' user you made has an invalid shell

  RequireValidShell             off

  ### We want 'welcome.msg' displayed at login, and '.message' displayed
  ### in each newly chdired directory.
  DisplayLogin                  welcome.msg
  DisplayFirstChdir             .message

  ### Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
   DenyAll
  </Limit>

  <Directory incoming/*>
     <Limit READ DELE RMD RETR MKD>
        DenyAll
     </Limit>

     <Limit WRITE CWD>
        AllowAll
     </Limit>
  </Directory>

  <Directory bin>
      HideNoAccess
  </Directory>
</Anonymous>

Virtual servers

One of the  things which proftpd does, as do other daemons, is allow you
to have virtual ftp servers.  Much like virtual websites in apache, it allows a
single host to respond with different files for different server names.  See virtual ftp servers – proftpd for more detail.

Starting proftpd

I wanted to ensure that proftpd started at boot time.  So I created
this file

# cat /usr/local/etc/rc.d/proftpd.sh
#!/bin/sh
/bin/mkdir -p /var/run/proftpd
if [ -x /usr/local/libexec/proftpd ]; then
/usr/local/libexec/proftpd && echo -n ' proftpd'
fi

Remember to set the permissions correctly or it won’t be executed:

chmod 711 proftpd.sh

Non-anonymous users

Here is a non-anonymous user.  It assumes you have a user and group
called Susan.  Uploads will be done in the user’s home directory.

<Anonymous ~susan>
   user                  susan
   group                 susan

   AnonRequirePassword   on
</Anonymous>

Common shell problem

The login I created for Susan was an ftp-only login.  She is not allowed to use
telnet or ssh.  Therefore, when I created her, I assigned a shell of /nonexistent.
  But when I tested the connection I encountered a slight problem:

$ ftp ftp.mydomain.org
Connected to ftp.mydomain.org.
220 ftp.mydomain.org
Name (ftp.mydomain.org:dan): susan
331 Password required for susan.
Password:
530 Login incorrect.
ftp: Login failed.

In the logs for ftp.mydomain.org I found this

- USER susan (Login failed): Invalid shell.

There are two problems here. First, I gave Susan a login shell of /nonexistent.
  Second, this shell is not listed within /etc/shells.  It is the
latter issue which results in the above error message.  For more information about
nologin, please see this article.

To correct this problem, I changed Susan’s login shell to /sbin/nologin
after first ensuring this shell existed:

# ls -l /sbin/nologin
-r-xr-xr-x  1 root  wheel  1990 Dec  6 05:57 /sbin/nologin

And here is what was in /etc/shells after I added the /sbin/nologin entry.

# $FreeBSD: src/etc/shells,v 1.2.2.1 1999/08/29 14:19:02 peter Exp $
#
# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.

/bin/sh
/bin/csh
/usr/local/bin/bash
/sbin/nologin

After fixing the above, I found that Susan’s login worked and resulted in the following
log entry:

ANON susan: Login successful.

1 thought on “installing an alternative ftp daemon – proftpd”

Leave a Comment

Scroll to Top