Centos 5 Proftpd SSL TLS Chroot LDAP Active Directory Auth 2003 SBS

04Jun09

I needed to set up a secure way of transferring files without the hassle of connecting to the VPN, yet still maintaining a secure encrypted connection; oh, and it has to authenticate against our Windows 2003 SBS (Small Business Server) via Active Directory!

Here is how I did it!

Install proftpd (from rpmforge) and openssl if you need it (I already had openssl installed).

yum install proftpd

A couple of security tweaks and the chroot!

vim /etc/proftpd/proftpd.conf

DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."

Create an SSL cert

mkdir /etc/proftpd/ssl

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

Country Name (2 letter code) [AU]: <– Enter your Country Name (e.g., “DE”).
State or Province Name (full name) [Some-State]: <– Enter your State or Province Name.
Locality Name (eg, city) []: <– Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <– Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <– Enter your Organizational Unit Name (e.g. “IT Department”).
Common Name (eg, YOUR name) []: <– Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).
Email Address []: <– Enter your Email Address.

Open up /etc/proftpd/proftpd.conf in your favorite editor (vi I hope?) and find the section:

<IfModule mod_tls.c>
TLSEngine                  off
</IfModule>

I personally commented it out and replaced it with the following:

<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSOptions                 NoCertRequest
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                on
</IfModule>

If you use TLSRequired on, then only TLS connections are allowed (this locks out any users with old FTP clients that don't have TLS support); if you comment out that line or use TLSRequired off, both TLS and non-TLS connections are allowed, depending on what the FTP client supports.
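As an added sanity check that is not part of the original post: a small Python script of my own (its minimal config parser is not ProFTPD's) that reads the directives above and flags the settings discussed in this post, including the TLSProtocol value.

```python
# Constructed sample: the directives from the post (chroot/ident tweaks plus the TLS block).
SAMPLE_CONF = """\
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSOptions                 NoCertRequest
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                on
</IfModule>
"""

def parse_conf(text):
    """Map directive name -> value. Minimal parser written for this example:
    it flattens <IfModule> wrappers and skips comments and blank lines."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip()
    return directives

def audit_tls(directives):
    """Return findings for the settings the post discusses; [] means it passes."""
    findings = []
    if directives.get("TLSEngine", "off").lower() != "on":
        findings.append("TLSEngine off: logins and data go over cleartext FTP")
    if directives.get("TLSRequired", "off").lower() != "on":
        findings.append("TLSRequired not on: clients may still log in without TLS")
    proto = directives.get("TLSProtocol", "")
    if proto.upper().startswith("SSLV"):
        findings.append("TLSProtocol %s: allows SSLv3 alongside TLS; prefer TLSv1 or newer" % proto)
    if directives.get("DefaultRoot") != "~":
        findings.append("DefaultRoot ~ missing: users can browse outside their home")
    if directives.get("IdentLookups", "on").lower() != "off":
        findings.append("IdentLookups on: each login is delayed by an ident query")
    return findings

if __name__ == "__main__":
    for finding in audit_tls(parse_conf(SAMPLE_CONF)) or ["no findings"]:
        print(finding)
```

Run it against your real /etc/proftpd/proftpd.conf by swapping SAMPLE_CONF for the file contents; with the config from this post it reports only the TLSProtocol line.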

Restart proftpd so it re-reads our config changes! 

/etc/init.d/proftpd restart

Test it with a client; I highly recommend FileZilla: http://filezilla-project.org/

Currently playing with the LDAP settings for Proftpd! Will post back as soon as I have cracked this one!

One Response to “Centos 5 Proftpd SSL TLS Chroot LDAP Active Directory Auth 2003 SBS”

  1. computerconsultant

    Nope, used vsftpd and pam auth to do it in the end, proftpd does not seem to use pam auth, which is annoying… Did you get it going in the end? :)
