Once upon a time we needed to set up an FTPS server with login/password access.
We chose vsftpd as the FTPS server, running on Linux CentOS 5.8.
1. Install packages
yum install vsftpd openssl
2. Generate self-signed SSL certificates
openssl genrsa -out key.pem 1024
openssl req -new -key key.pem -out req.pem
Country Name (2 letter code) [AU]:RU
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Moscow
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test Company
Organizational Unit Name (eg, section) []:IT dept
Common Name (eg, YOUR name) []:ftps.example.ru
Email Address []:adm@example.ru

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
openssl req -x509 -days 365 -key key.pem -in req.pem -out cert.pem
Move the certificate to the vsftpd configuration directory.
mv cert.pem /etc/vsftpd/cert.pem
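The same certificate step without the interactive prompts, as an added example that is not part of the original post. It also puts key and certificate into one PEM file, because vsftpd reads the private key from rsa_cert_file unless rsa_private_key_file is set, and the cert.pem produced above holds only the certificate. The subject fields are the post's values; the 2048-bit key size, the output file names and the helper function names are choices made here.

```shell
#!/bin/sh
# Added example, not part of the original post: non-interactive key and
# self-signed certificate generation, combined into one PEM that vsftpd can load.
# Subject values come from the post; key size and file names are assumptions.
set -e

# make_ftps_cert OUTDIR COMMON_NAME
# writes OUTDIR/key.pem, OUTDIR/cert.pem and OUTDIR/vsftpd.pem (key followed by cert)
make_ftps_cert() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    # -subj replaces the prompts; -nodes leaves the key unencrypted so vsftpd can load it at boot
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=RU/ST=Some-State/L=Moscow/O=Test Company/OU=IT dept/CN=$cn" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/vsftpd.pem"
    # the key material must not be world-readable
    chmod 600 "$dir/key.pem" "$dir/vsftpd.pem"
}

# pem_has_key_and_cert FILE -> 0 if FILE carries both a private key and a certificate
pem_has_key_and_cert() {
    grep -q 'PRIVATE KEY-----' "$1" && grep -q 'BEGIN CERTIFICATE-----' "$1"
}

# cert_matches_key FILE -> 0 if the certificate's public key belongs to the private key in FILE
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# usage: sh make_ftps_cert.sh /etc/vsftpd ftps.example.ru
if [ $# -gt 0 ]; then
    make_ftps_cert "$1" "${2:-ftps.example.ru}"
    if pem_has_key_and_cert "$1/vsftpd.pem" && cert_matches_key "$1/vsftpd.pem"; then
        echo "ok: $1/vsftpd.pem"
    else
        echo "bad PEM: $1/vsftpd.pem" >&2; exit 1
    fi
fi
```

With the combined file, point vsftpd at it with rsa_cert_file=/etc/vsftpd/vsftpd.pem; if you prefer to keep the post's cert.pem, add rsa_private_key_file=/etc/vsftpd/key.pem instead, and keep the key file at mode 600 either way.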
3. Configure vsftpd
File /etc/vsftpd/vsftpd.conf
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
implicit_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/cert.pem
listen=YES
listen_address=212.1.1.1
listen_port=990
background=YES
log_ftp_protocol=YES
guest_enable=YES
guest_username=ftp
syslog_enable=YES
xferlog_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
local_enable=YES
chroot_local_user=YES
pam_service_name=vsftpd
secure_chroot_dir=/usr/share/vsftpd
user_config_dir=/etc/vsftpd/vsftpd_user_conf
virtual_use_local_privs=YES
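The TLS options above enable SSLv2 and SSLv3, both of which are broken protocols. As an added example that is not part of the original post, here is the TLS part of that configuration next to a version with SSLv2/SSLv3 switched off, plus a small checker that flags the weak settings in any vsftpd.conf. The option names are real vsftpd options; the checker and the heredoc helpers are written here, and whether ssl_ciphers is supported by the vsftpd build shipped with CentOS 5.8 is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: the post's TLS options beside a
# corrected set, and a checker for the settings that matter. Option names are
# real vsftpd options; ssl_ciphers support on CentOS 5.8's vsftpd is assumed.
set -e

# conf_get FILE KEY -> prints the last value assigned to KEY (vsftpd uses key=value lines)
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# check_vsftpd_tls FILE -> exit 0 if the TLS settings are sane, 1 otherwise,
# printing one line per finding
check_vsftpd_tls() {
    rc=0
    if [ "$(conf_get "$1" ssl_enable)" != "YES" ]; then
        echo "ssl_enable is not YES: TLS is off"; rc=1
    fi
    for proto in ssl_sslv2 ssl_sslv3; do
        if [ "$(conf_get "$1" "$proto")" = "YES" ]; then
            echo "$proto=YES: obsolete protocol enabled"; rc=1
        fi
    done
    if [ "$(conf_get "$1" ssl_tlsv1)" != "YES" ]; then
        echo "ssl_tlsv1 is not YES: nothing left to negotiate"; rc=1
    fi
    # without both of these a client may send the login or the data in the clear
    for must in force_local_logins_ssl force_local_data_ssl; do
        if [ "$(conf_get "$1" "$must")" != "YES" ]; then
            echo "$must is not YES: cleartext allowed"; rc=1
        fi
    done
    return $rc
}

# write_post_tls_conf FILE: the TLS options exactly as in the post
write_post_tls_conf() {
    cat > "$1" <<'EOF'
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
implicit_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/cert.pem
EOF
}

# write_hardened_tls_conf FILE: same options with SSLv2/SSLv3 off and the cipher
# list restricted to strong suites; the post's non-TLS options stay unchanged
write_hardened_tls_conf() {
    cat > "$1" <<'EOF'
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
implicit_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
rsa_cert_file=/etc/vsftpd/cert.pem
EOF
}

# usage: sh check_vsftpd_tls.sh /etc/vsftpd/vsftpd.conf
if [ $# -gt 0 ]; then
    check_vsftpd_tls "$1"
fi
```

require_ssl_reuse=NO is kept from the post: YES would force data connections to reuse the control connection's TLS session, which closes a data-connection hijacking gap but is unsupported by many clients. After restarting the service, openssl s_client -connect 212.1.1.1:990 shows which protocol and cipher the server actually negotiates.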
Create a test user login/password.
File /etc/vsftpd/login
test
password
Create the Berkeley DB
db_load -T -t hash -f login login.db
chmod 600 login.db
Create a PAM file which uses login.db
File: /etc/pam.d/vsftpd
#%PAM-1.0
auth required pam_userdb.so db=/etc/vsftpd/login
account required pam_userdb.so db=/etc/vsftpd/login
session required pam_loginuid.so
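The login file is a plain alternation of user line and password line, and db_load will happily accept a file where one missing line shifts every following user onto the wrong password. As an added example that is not part of the original post, here is a check for that file before it is turned into login.db; the db_load and chmod lines are the post's own commands, the helper names and the sample users are constructed here. Note that with this PAM configuration pam_userdb compares plaintext passwords (its default crypt=none); pam_userdb also accepts crypt=crypt, in which case the file holds crypt(3) hashes instead, and the same validation applies.

```shell
#!/bin/sh
# Added example, not part of the original post: validate the db_load -T input
# (alternating user / password lines) before building the Berkeley DB.
# Helper names and the sample users are constructed; db_load/chmod are the post's.
set -e

# validate_login_file FILE -> 0 if FILE is a well-formed user/password list, 1 otherwise
validate_login_file() {
    f="$1"
    n=$(awk 'END { print NR }' "$f")
    if [ "$n" -eq 0 ] || [ $((n % 2)) -ne 0 ]; then
        echo "$f: expected user/password line pairs, got $n line(s)"; return 1
    fi
    if grep -q '^$' "$f"; then
        echo "$f: empty line (blank user or password)"; return 1
    fi
    if grep -q '[[:space:]]' "$f"; then
        echo "$f: whitespace inside an entry"; return 1
    fi
    dups=$(awk 'NR % 2 == 1' "$f" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "$f: duplicate user(s): $dups"; return 1
    fi
    return 0
}

# list_users FILE -> the usernames (odd lines) only, never the passwords
list_users() {
    awk 'NR % 2 == 1' "$1"
}

# build_userdb FILE -> FILE.db readable by root only (db_load comes from db4-utils on CentOS 5)
build_userdb() {
    validate_login_file "$1" || return 1
    db_load -T -t hash -f "$1" "$1.db"
    chmod 600 "$1.db"
}

# write_sample_login FILE: constructed sample in the post's format, two users
write_sample_login() {
    printf 'test\npassword\nalice\ns3cret-example\n' > "$1"
}

# usage: sh build_userdb.sh /etc/vsftpd/login
if [ $# -gt 0 ]; then
    build_userdb "$1"
    echo "users in $1.db:"; list_users "$1"
fi
```

Run it on /etc/vsftpd/login before every db_load; the login file itself should get the same chmod 600 as login.db, since it carries the same secrets.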
Create an FTP directory for the test user and configure the write rules.
mkdir /test_ftp
chmod 775 /test_ftp
chgrp nobody /test_ftp
File /etc/vsftpd/vsftpd_user_conf/
write_enable=YES
local_root=/test_ftp
Start the service and make sure it is enabled at boot.
service vsftpd start
temp=`chkconfig --list | grep vsftp | grep on`; if [ "$temp" ]; then echo ok; else chkconfig vsftpd on; fi
PS: If you run into access problems, try adjusting the SELinux context (chcon, semanage) or just disable SELinux.
As a client you can use WinSCP, for example (FileZilla and others work too).
Configuration example:
Push the Login button and enjoy.