Centos 5 Proftpd SSL TLS Chroot LDAP Active Directory Auth 2003 SBS
I needed to set up a secure way of transferring files without the hassle of connecting to the VPN yet still maintaining a secure encrypted connection, oh and it has to authenticate from our Windows 2003 SBS (small business server) via Active Directory!
Here is how I did it!
Install proftpd (from rpmforge) and openss if you need it (I already had openssl installed).
yum install proftpd
Couple of security tweaks and the chroot!
DefaultRoot ~ IdentLookups off ServerIdent on "FTP Server ready."
Create ssl cert
openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem
Country Name (2 letter code) [AU]: <– Enter your Country Name (e.g., “DE”).
State or Province Name (full name) [Some-State]: <– Enter your State or Province Name.
Locality Name (eg, city) : <– Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <– Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) : <– Enter your Organizational Unit Name (e.g. “IT Department”).
Common Name (eg, YOUR name) : <– Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).
Email Address : <– Enter your Email Address.
Open up /etc/proftpd/proftpd.conf in your favorite editor (vi I hope?) and find the section:
<IfModule mod_tls.c> TLSEngine off </IfModule> I personally commented it out and replaced it with the following:<IfModule mod_tls.c> TLSEngine on TLSLog /var/log/proftpd/tls.log TLSProtocol SSLv23 TLSOptions NoCertRequest TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem TLSVerifyClient off TLSRequired on </IfModule> If you use TLSRequired on, then only TLS connections are allowed (this locks out any users with old FTP clients that don't have TLS support); by commenting out that line or using TLSRequired off both TLS and non-TLS connections are allowed, depending on what the FTP client supports. Restart proftpd so it re-reads our config changes! /etc/init.d/proftpd restart Test it with a client I highly recommend Filezilla http://filezilla-project.org/
Currently playing with the LDAP settings for Proftpd! Will post back as soon as I have cracked this one!Advertisements
Filed under: centos, Geek Stuff, Linux, Windows SBS 2003 | 1 Comment
Tags: centos, Centos 5, CentOS Linux, howto, proftp chroot SSL TLS LDAP Active Directory Auth 2003 SBS, proftp ldap auth, Proftpd 2003 sbs auth, proftpd active directory, proftpd active directory auth, Proftpd Chroot, Proftpd howto, Proftpd SSL, Proftpd TLS