SUSE LINUX Enterprise Server 9 Administrators Handbook

The File Transfer Protocol (FTP) is probably the most common means of copying files between servers over the Internet. Most web-based download sites use the built-in FTP capabilities of web browsers, and consequently, most server-oriented operating systems usually include an FTP server application as part of the software suite. Linux is no exception. There are a large number of different commercial and free FTP servers available for Linux/Unix. The following are some examples:

• NcFTP Server (http://www.ncftp.com/ncftpd); commercial

• ProFTPD (http://www.proftpd.org); free, GPL-licensed

• Pure-FTPd (http://www.pureftpd.org); free, BSD-licensed

• glFTPd (http://www.glftpd.com); free

• vsftpd (http://vsftpd.beasts.org); free, GPL-licensed

• wu-ftpd (http://www.wu-ftpd.org); free

The Trivial File Transfer Protocol (TFTP) also is often used to supply boot images on the network to facilitate remote booting of diskless workstations. TFTP servers are also used to provide images for network devices (such as routers and switches) to obtain firmware updates. You can save device configuration data to a TFTP server as well. Similar to FTP servers, a number of TFTP servers, such as atftp by Jean-Pierre Lefebvre (ftp://ftp.mamalinux.com/pub/atftp) and tftp-hpa (http://www.kernel.org/pub/software/network/tftp), are available for various Linux/Unix distributions.

This section shows you how to set up an FTP server using the Very Secure FTP Daemon (vsftpd) and Pure-FTPd (pure-ftpd) packages included in SLES 9. In addition, we cover ways to set up a TFTP server using the standard TFTP server, in.tftpd, included with SLES 9; atftp is also included with SLES 9 but is not discussed here.

Using Pure-FTPd

Pure-FTPd is pretty much a command-linedriven application. All its options are to be specified on the command line. You can get a full listing from its man page (man pure-ftpd) or by typing the following at a terminal prompt:

pure-ftpd --help

You'll find that Pure-FTPd uses all 26 letters (both upper- and lowercase) plus a few numerals for switches. The following list briefly explains some of the more commonly used options:

• -A will chroot everyone but root.

• -b tells pure-ftpd to ignore some standards to deal with broken clients such as Internet Explorer.

• -B starts the standalone server in the background (that is, in "daemonized" mode), which is the same as running ./pure-ftpd &.

• -c # limits the maximum number of clients to #; the default is 50.

• -C # limits the number of simultaneous connections from the same IP address to #; the default is 50 (or the maximum number of clients).

• -e allows only anonymous users. This option is mutually exclusive with -E.

• -E allows only authenticated users (that is, disables anonymous FTP access).

• -H prevents resolving a client's IP address into a DNS name (so 10.58.2.5 will be logged instead of ws2.UniversalExports.ca). This can speed up connections significantly, and it helps to reduce (reverse-DNS) bandwidth usage on busy servers, especially on public FTP servers.

• -j creates the user's home directory if one doesn't exist. This allows home directories to be created on demand. This option is especially useful when used in conjunction with something other than Unix-based authentication, such as LDAP (see -l option next): Just insert a new entry in the database, and the account is ready to go. No need to create any directory for that user: It will be automatically created the first time he or she logs in.

• -l authentication_method:filename enables a new authentication method and specifies the file containing authentication data. The method can be one of the following:

  • unix for standard (/etc/passwd) authentication

  • pam for PAM authentication

  • ldap:LDAP_config_file for LDAP directories

  • mysql:MySQL_config_file for MySQL databases

  • pgsql:Postgres_config_file for Postgres databases

  • puredb:PureDB_database_file for PureDB virtual user databases

  • extauth:path to pure-authd socket for external authentication handlers

  PAM is assumed by default if the server was compiled with PAM support, and Unix is assumed by default otherwise. The SUSE version has PAM support included.

  Multiple authentication methods can be specified concurrently. For instance, you can run the server with -lpuredb:/etc/pwd.pdb -lmysql:/etc/my.cf -lunix. The users will first be authenticated from a PureDB database. If this method fails, a MySQL server will be queried. If the account is still not found, standard Linux accounts will be scanned. Authentication methods are tried in the order you give the -l options. Refer to the README.LDAP and README.MySQL files in /usr/share/doc/packages/pure-ftpd for information about the built-in LDAP and SQL directory support, or visit http://www.pureftpd.org/documentation.shtml.

• -R disallows the use of the chmod command. This is a nice security feature because users are not able to change file permissions on files uploaded by others or those that are available for download.

• -S host,port specifies the IP address and port that will accept incoming connections. This option is useful if the server has multiple NICs and you wish to limit FTP traffic to just one. This option can be used only in standalone mode.

• -u # doesn't allow UIDs below #. If you specify -u 1, the root user will be denied access, which may be a good idea.

• -U umask_for_files:umask_for_dirs changes the mask used when creating new files or directories. The defaults are 133 for files (readable but not writable by other users) and 022 for directories (same as files but with the execute bit on). For instance, if new files should be readable only by the user that uploaded those files, use 177:077.

• -X disallows user access to files and directories whose name begins with a period (.), such as .hosts.

As you can imagine, all these possible command-line switches equate into a very long, hard-to-remember command-line string. Therefore, the best way to set things up is to use the "configuration" file, /etc/pure-ftpd/pure-ftpd.conf.

The pure-ftpd.conf file isn't used as a configuration file in the traditional sense. That is, pure-ftpd doesn't read this file on startup. Instead, you specify the desired options, using keywords instead of command-line switches, and their settings in the file. And then you run a Perl script, /usr/sbin/pure-config.pl, which reads the configuration file, translates the options into the equivalent switches, and then launches pure-ftpd with those parameters. Alternatively, you can use /etc/init.d/pure-ftpd start to run pure-ftpd, which uses /usr/sbin/pure-config-args instead to parse the configuration file.

Other than the fact that keywords are easier to understand than the command-line switches, the use of pure-ftpd.conf also offers some security. The ps aux command would reveal the command-line switches used to launch an application, so the use of a configuration file will hide from the users what settings are being used for pure-ftpd.

NOTE

Both /usr/sbin/pure-config.pl and /usr/sbin/pure-config-args are Perl scripts. The only difference between the two is the instruction at the end of the files. /usr/sbin/pure-config.pl launches pure-ftpd using the exec command, while /usr/sbin/pure-config-args simply returns the parsed switches; instead, the launching of pure-ftpd is accomplished by the startproc command in /etc/init.d/pure-ftpd.

TIP

Instead of /etc/init.d/pure-ftpd, you can use /usr/sbin/rcpure-ftpd because it is just a symbolic link to /etc/init.d/pure-ftpd. Using it instead is probably more convenient because /usr/sbin is in root's PATH setting, while /etc/init.d is not.

After you have established which switches to use, you need to decide how to run pure-ftpd: Do you want to launch it from xinetd or have it run automatically, independent of the super-server, at server startup? On a lightweight, multipurpose system on which you don't anticipate large numbers of concurrent FTP users, you may want to run pure-ftpd from xinetd; this way, the daemon will be started only when an FTP user tries to connect. This means pure-ftpd won't consume any system resources except when being used. Also, whenever you modify /etc/pure-ftpd/pure-ftpd.conf, the changes will automatically be applied the next time a user connects, without your having to perform additional administrative tasks because the daemon will run with the new settings when it is invoked by xinetd. The other advantage is that you can use the access control and logging features of xinetd to provide additional security.

TIP

Your specific needs may vary, but a good set of command-line switches for pure-ftpd is

-A -B -b -C 5 -c 25 -E -H -R -u 1 -X

There are two disadvantages of using a super-server here. The first, and foremost, drawback is the performance hit. For a busy FTP server, it is very inefficient to start pure-ftpd repeatedly in a short period of time and parse the configuration file every time. Users will notice a delay when trying to connect. The other disadvantage is that some of the pure-ftpd features, such as -S, are available only in standalone mode. Therefore, on a dedicated FTP server or one on which there will be frequent or numerous FTP connections, standalone mode works best.

To run pure-fptd under xinetd, ensure there is a configuration file for it in /etc/xinetd.d. A file called pure-ftpd should have been placed there during the installation, so you can simply edit it to reflect your needs. If it is not there, create one that contains the following information either manually within an editor or via YaST:

service ftp { socket_type = stream server = /usr/sbin/pure-ftpd server_args = `/usr/sbin/pure-config-args /etc/pure-ftpd/pure-ftpd.conf` protocol = tcp user = root wait = no disable = no # access control if needed # only_from = # no_access = # access_times = }

CAUTION

Depending on how you made package selections during the SLES server installation, you may have multiple FTP server packages installed. If this is the case, you will notice multiple FTP services listed in the inetd/xinetd configuration screen in YaST. Make sure you enable the correct service by first looking at the Server column and noting the name of the binary being used. It would make for a more secure and cleaner system if you uninstall the other unused FTP services.

Instead of using the configuration file, you can specify the necessary switches, such as server_args = -A -i -s -E. If you leave out or comment out the server_args keyword, pure-ftpd will run using its default settings by listening for incoming connections on every interface, all IP addresses, using the standard FTP control port (21).

CAUTION

Pure-FTPd's online documentation indicates signal SIGUSR2 is to be used for hard reconfiguration of xinetd. However, this hasn't been the case for versions of xinetd since 2.3.9 (released in October 2002). Because SLES 9 ships with xinetd-2.3.13-39.4, you should use SIGHUP for xinetd.

To set up pure-ftpd to run in standalone mode automatically upon SLES boot, use insserv as follows:

Athena:/home/admin # /sbin/insserv /etc/init.d/pure-ftpd

In this mode, you need to make use of the /etc/pure-ftpd/pure-ftpd.conf file.

One of the features of Pure-FTPd is its provision for users that are not defined in /etc/passwd. These users are called virtual users and can access the server via FTP only. This is a nice feature if you do not allow anonymous FTP access and don't want these FTP-only users to be able to log in to your SLES server via non-FTP means. Pure-FTPd virtual user information is stored in a PureDB database and is managed using the pure-pw utility. Refer to /usr/share/doc/packages/pure-ftpd/README.Virtual-Users or http://www.pureftpd.org/README.Virtual-Users for details.

Lastly, if you are tired of using command-line switches to manage Pure-FTPd, a couple of packages provide a nice GUI interface. For KDE users, there is KcmPureFTPd (http://lkr.sourceforge.net/kcmpureftpd); Figure 8.4 shows the Users configuration dialog box. For GNOME fans, take a look at PureAdmin (http://purify.sourceforge.net); Figure 8.5 shows an example of its User Manager dialog box.

There is also a browser-based virtual user administration tool called User Manager for PureFTPd (see Figure 8.6). Developed by Machiel Mastenbroek using PHP scripts, this tool makes it easy to create, modify, or delete virtual Pure-FTPd users from any type of client workstation. To download the software or for more information about this free software, visit http://machiel.generaal.net/index.php?subject=user_manager_pureftpd.

NOTE

At the time of this writing, Pure-FTPd version 1.0.16 has added experimental support for encryption of the control channel using SSL/TLS security mechanisms. With the option enabled, usernames and passwords are not sent as cleartext; neither are other commands sent by your client nor replies made by the server. However, the data channel is not encrypted by SSL/TLS. Refer to /usr/share/doc/packages/pure-ftpd/README.TLS or http://www.pureftpd.org/README.TLS for details.

Using vsftpd

vsftpd (Very Secure FTP Daemon) is a secure and extremely fast FTP server. It has a rich feature set similar to that available in Pure-FTPd. For example, it provides the following:

• Virtual IP configurations

• Virtual user support

• The capability to run standalone or under a super-server

• Powerful per-user configurability

• Bandwidth throttling

• Per-source-IP configurability

• Per-source-IP limits

• IPv6 support

Beginning with v2.0.1 (v2.0.0 was not released), vsftpd includes SSL/TSL integration. Unlike the experimental SSL/TLS support for only the control channel (port 21) provided in Pure-FTPd, vsftpd offers full support for both the control and data channels. Therefore, if you need to offer a secure FTP server solution, vsftpd should be at the top of your list for consideration. Because of its high performance and tight security, vsftpd is in use by a large number of Internet sites, such as ftp.suse.com, ftp.redhat.com, ftp.gnu.org, and rpmfind.net. You can find out more at http://vsftpd.beasts.org/#performance and at http://vsftpd.beasts.org/#security.

NOTE

The version of vsftpd included on the SLES 9 media is 1.2.1, and you need at least version 2.0.1 (released in July 2004) for SSL/TSL support. You can download the latest version from http://vsftpd.beasts.org/#download, or you can find the latest RPMs for SUSE at http://rpmseek.com.

You need to have OpenSSL installed to be able to use the SSL/TSL options. If you don't already have OpenSSL installed on your serveryou should since it is part of the base runtime packageor want to use the most current version, you can download the latest tarball from http://www.openssl.org/source.

Unlike many other FTP daemons (and especially in contrast to Pure-FTPd), all aspects of vsftpd's behavior are governed by its configuration file, /etc/vsftpd.conf. Its sole command-line option is to specify a different configuration file.

vsftpd reads the contents of vsftpd.conf upon startup, so you have to restart vsftpd each time you edit the file for the changes to take effect. For a quick test drive, simply edit /etc/vsftpd.conf, remove the comment symbol (#) before listen=YES, and execute /usr/sbin/vsftpd. This launches the daemon in standalone mode, ready for immediate client connections. Without any other modifications, except for listen=YES, this file uses a number of default settings that you should be aware of:

• vsftpd runs as an anonymous FTP server. The configuration file's anonymous_enable directive can be set to NO to disable this feature. You also need to simultaneously enable local users to be able to log in by uncommenting the local_enable directive and set its value to YES.

• This file allows only anonymous FTP downloads, and not uploads. To allow uploads, uncomment the anon_upload_enable directive and ensure it is set to YES.

• This file doesn't allow anonymous users to create directories on your FTP server. You can change this by modifying the anon_mkdir_write_enable directive.

• This file logs FTP access to /var/log/vsftpd.log. To change this to a different file or location, modify the xferlog_file directive.

• vsftpd expects files for anonymous FTP to be placed in the /var/ftp directory. You can change this by modifying the anon_root directive.

CAUTION

With anonymous FTP, there is always the risk that users will discover a way to write files to your anonymous FTP directory. The result is that you risk filling up your /var filesystem if you use the default setting. It is best to make the anonymous FTP directory reside in its own dedicated filesystem.

The directives listed in /etc/vsftpd.conf are by no means exhaustive. For instance, the performance-tuning settings, such as the following, are not included:

• max_clients limits the maximum number of concurrent client connections.

• max_per_ip restricts the number of concurrent connections from the same source IP address.

• anon_max_rate determines the maximum rate of data transfer per anonymous login.

• local_max_rate governs the maximum rate of data transfer per nonanonymous login.

You can find detailed descriptions of all supported directives and their default values using man vsftpd.conf or online at http://vsftpd.beasts.org/vsftpd_conf.html.

WARNING

vsftpd is very strict about its command syntax. Putting any whitespace between the option keyword, the = sign, and the value is an error. For example, anonymous_enable=YES is valid, whereas anonymous_enable = YES is not.

As with the case of Pure-FTPd discussed earlier, you have to decide if vsftpd should be launched standalone upon server boot or via xinetd. Should you choose to use xinetd, a default configuration file is installed as /etc/xinetd.d/vsftpd, and its contents are as follows:

service ftp { socket_type = stream protocol = tcp wait = no user = root server = /usr/sbin/vsftpd # server_args = # log_on_success += DURATION USERID # log_on_failure += USERID # nice = 10 disable = yes }

To enable vsftpd for xinetd, change the disabled = yes enTRy to disable = no or comment out the entry. Also, ensure the listen=YES directive in /etc/vsftpd.conf is commented out. To run vsftpd as standalone, on the other hand, make sure you have set listen=YES and background=YES and then add /usr/sbin/vsftpd to the server startup script.

NOTE

There is no /etc/init.d/vsftpd or /usr/sbin/rcvsftpd shell script. To manually start vsftpd, simply run /usr/sbin/vsftpd. To stop it, you can use the kill or killproc command. You can create a custom init script for vsftpd using /etc/init.d/skeleton as a template. Save a copy of this file under a new name and edit the relevant program and filenames, paths, and other details as needed. After you do this, use insserv to install the new script.

Using the Standard TFTP Server

Setting up a TFTP server using in.tftpd is fairly easy and straightforward. Use the following steps to configure and secure your TFTP server settings:

TFTP server activities are recorded in /var/log/messages, and you can zero in on the in.tftpd-related entries by using grep:

Athena:/home/admin # grep -i tfptd /var/log/messages