Vsftpd with SSL
Few days back one of customer asked to have more security on their data transfer via ftp. I have heard of encryption,SSL and all. I know how to build the CA and create the certificates but don’t know how to integrate it with VSFTPD or alternatively I can say that I did not get such requirement. Vsftpd with SSL is pretty straight forward and very easy to configure just create the self sign certificate just like i did, if you can not buy the trusted certificate from registered CA. Procedure to configure the vsftpd with SSL supports is as given below:
vsftpd is the default FTP server supplied with CentOS. It should be installed by default (?) If it isn’t you may install it by one of these methods:
Using yum (if you’ve installed yum):
[root@Gladiator]#yum install vsftpd
Generate a Certificate:
You use OpenSSL to generate a certificate for vsftpd. The certificate is store on your server, in a location of your choice. Here I choose to put it in the /etc/vsftpd directory. As well, you specify a ‘lifetime’ for the certificate; here’s it set for a year (“-days 365”).
Note that the backslashes only signify line breaks. You should be able to copy/paste & run it as it is, or remove the backslashes and the line breaks. You may need to create this directory first (mkdir /etc/vsftpd).
[root@Gladiator]#openssl req -x509 -nodes -days 365 -newkey rsa:1024 \ -keyout /etc/vsftpd/vsftpd.pem \ -out /etc/vsftpd/vsftpd.pem
You will be prompted with a series of question, which you answer as they appear. When done the certificate will be installed in the /etc/vsftpd directory.
To configure vsftpd you edit the file /etc/vsftpd/vsftpd.conf and add the following lines:
ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=NO force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO rsa_cert_file=/etc/vsftpd/vsftpd.pem
Restart vsftpd for these settings to take effect:
”’NOTE:”’If you set “force_local_logins_ssl=YES” then your clients will be required to use an FTP client that supports AUTH TLS/SSL in order to connect. If you leave it at “NO” then people can connect securely or insecurely.