vsftpd support SSL / TLS encryption support?

octopus

vsftpd support SSL / TLS encryption support? NOW WORKING!

Rmerlin

Does your build of vsftpd support SSL / TLS based encryption?
Is this support enabled, i.e. the ssl_enable option? (I have tried to add additional config in vsftpd.conf.add.)
And I have generated a pem cert.

This is in vsftpd.conf (the original file):

anonymous_enable=NO
nopriv_user=root
write_enable=YES
local_enable=YES
chroot_local_user=YES
local_umask=000
dirmessage_enable=NO
xferlog_enable=NO
syslog_enable=NO
connect_from_port_20=YES
use_localtime=YES
listen=YES
pasv_enable=YES
ssl_enable=NO
tcp_wrappers=NO
max_clients=5
ftp_username=anonymous
ftpd_banner=Welcome to ASUS RT-AC68U FTP service.

This is in my .add file:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
pasv_enable=Yes
pasv_min_port=9970
pasv_max_port=10000
rsa_cert_file=/mnt/vsftpd/vsftpd.pem

PASV firewall rule:
iptables -I INPUT -p tcp -m tcp --dport 9970:10000 -j ACCEPT
 
Nope, can't get this working, something is missing when compiling VSFTPD.

I have tested with this config, "vsftpd.conf" file, and no go; it seems that the PASV port never reaches the WAN side. In original mode without any SSL/TLS testing I can see the PASV port is working and using port 44863 (175*256)+63 = 44863

anonymous_enable=NO
nopriv_user=root
write_enable=YES
local_enable=YES
chroot_local_user=YES
local_umask=000
dirmessage_enable=NO
xferlog_enable=NO
syslog_enable=NO
connect_from_port_21=YES
use_localtime=YES
listen=YES
tcp_wrappers=NO
max_clients=5
ftp_username=anonymous
ftpd_banner=Welcome to ASUS RT-AC68U FTP service.
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
pasv_enable=Yes
pasv_min_port=9970
pasv_max_port=10000

rsa_cert_file=/mnt/vsftpd/vsftpd.pem
 
ssl_enable: vsftpd must be compiled against OpenSSL.

ssl_enable
If enabled, and vsftpd was compiled against OpenSSL, vsftpd will support secure connections via SSL. This applies to the control connection (including login) and also data connections. You'll need a client with SSL support too. NOTE!! Beware enabling this option. Only enable it if you need it. vsftpd can make no guarantees about the security of the OpenSSL libraries. By enabling this option, you are declaring that you trust the security of your installed OpenSSL library.
Default: NO
 
To support this, you only need build proftpd with mod_sftp support. Nothing from OpenSSH is required at all; mod_sftp does NOT use OpenSSH's sftp-server binary, or anything else from OpenSSH. The mod_sftp module is a complete, standalone implementation of the SFTP and SCP protocols.
 
It's VSFTPD not PROFTPD. mod_sftp does not exist on that server, no more wine for that table :)

If you really want SSL support on VSFTPD you need to change the Makefile/Config file from source.
 
RMerlin

I have started to test vsftpd with SSL.
I stored pem key in "/mnt/rt-ac68u/openvpn/vsftpd/vsftpd.pem"
Is this the right key name: "rsa_cert_file"?
rsa_cert_file=/mnt/rt-ac68u/openvpn/vsftpd/vsftpd.pem

rsa_cert_file
This option specifies the location of the RSA certificate to use for SSL encrypted connections.
Default: /usr/share/ssl/certs/vsftpd.pem

I haven't got it to work yet................:)
 
No idea. I just enabled the switch at compile time, I have no idea how the functionality works.
 
Okey no problem, I find out soon. I post back when I have it working.

Octopus
 
Is someone able to use encrypted FTP with Merlin 376.48_3 now? If yes, how I get it working?
 
I have tested this forwards and backwards and can't get it to work. I'm testing inside the LAN so I'm not having problems with the firewall.
Manually set PASV port working. There must be some more setting when compiling.
(I have this working with other software and am testing with the same setup here.)

Rmerlin: I know you have other things to fix, can you have another look when you have time?

EDIT: I have tried once again tonight with no go; anything I can think of is that another module must be loaded at the same time, maybe nf_conntrack_ftp.ko and nf_nat_ftp.ko

Octopus
 
+1 interested person

I'm also interested to accept my server's rsnapshot backups to attached HDD via SSL'ed ftp. Your research is very promising. Thanks!
 
While vsftpd was linking against OpenSSL, it still needed an additional setting to compile with OpenSSL support. I have now compiled it with proper SSL support, however it generates a TLS error. I will have to find a different client in case it's a compatibility issue with Filezilla, since Filezilla's error isn't very helpful:

Code:
Status:	Connecting to 192.168.10.237:21...
Status:	Connection established, waiting for welcome message...
Response:	220 Welcome to ASUS RT-AC56U FTP service.
Command:	AUTH TLS
Response:	234 Proceed with negotiation.
Status:	Initializing TLS...
Error:	GnuTLS error -12: A TLS fatal alert has been received.
Error:	Could not connect to server
Status:	Waiting to retry...

I don't want to devote too much time to this since, quite frankly, TLS support over FTP is pretty much a hack, and is very rarely used. If it's not easily fixable, you will have to use something more mainstream such as scp instead.
 
Does "vsftpd.chroot_list" exist ?
allow_writeable_chroot=YES
https://bbs.archlinux.org/viewtopic.php?id=162824
 
I had already seen this article, but it refers to a different error code. Creating the mentioned file doesn't help, this is only needed if you enable chroot.

And since the debug_ssl option was only added in a later vsftpd release, that leaves very little in the way of debugging capabilities... Based on filezilla, it seems to fail at TLS handshaking - could be because there is no matching cipher.

I wish programmers would stop returning cryptic numerical error codes without documenting what the hell they mean. I'm not going to dive through the filezilla and GnuTLS source code just to understand what "-12" means, and a quick Google search didn't return anything either.
 
It fails with Filezilla (seems to fail right at the TLS stage), but it works with WinSCP (however passive mode does not seem to work properly, I had to flush the firewall on the test router for it to work).

So looks like this is really buggy overall, support varying based on the used client. I will most likely drop the idea then, I don't want to have to deal with a handful of users wondering why their favorite client doesn't work, while it works fine with other clients.
 
As I suspected - Filezilla's GnuTLS has a limited subset of supported ciphers, and vsftpd for some odd reason defaults to supporting only one single cipher: DES-CBC3-SHA. Telling vsftpd to be a bit more flexible there allows Filezilla to finally complete the TLS handshaking. In vsftpd.conf:

Code:
ssl_ciphers=HIGH

Filezilla is now able to complete the handshake:

Code:
Trace:	Protocol: TLS1.0, Key exchange: RSA, Cipher: AES-256-CBC, MAC: SHA1

however it still fails to retrieve directory content (WinSCP works fine).

I'm afraid I'm not willing to devote any additional time to this, as this now seems to mostly be a client-specific issue. If you want to play with it before 376.49 gets released, here's the compiled binary, with TLS support properly enabled:

http://www.mediafire.com/download/tm6js1s6si2grrt/vsftpd_tls_arm.zip

Don't forget to adjust ssl_ciphers in vsftpd.conf (as the default one is very limited). I used HIGH, but you can use a lower-grade one for better performance.
 
Thank you RMerlin, now vsftpd with SSL is working in build 3.0.0.4.376.49_alpha2!

Here is how I configured vsftpd with SSL.

I chose to use "vsftpd.conf" so everything is in the same file, but you can use "vsftpd.conf.add" and only put your additions there.
Restart vsftpd with "service restart_vsftpd".

Code:
anonymous_enable=NO
nopriv_user=root
write_enable=YES
local_enable=YES
chroot_local_user=YES
local_umask=022
chmod_enable=no
dirmessage_enable=NO
xferlog_enable=NO
syslog_enable=NO
connect_from_port_20=NO
use_localtime=YES
listen=YES
# changed from NO to YES (shown in bold in the original post)
ssl_enable=YES
max_clients=5
max_per_ip=5
idle_session_timeout=300
ftp_username=anonymous
# the banner was also edited (shown in bold in the original post)
ftpd_banner=YOUR WELCOME TEXT HERE RT-AC68U FTP service.
# everything from here on was added for SSL/TLS (shown in bold in the original post)
listen_port=21
use_sendfile=NO
ssl_ciphers=HIGH
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
pasv_enable=YES
port_enable=YES
pasv_min_port=10500
pasv_max_port=10520
rsa_cert_file=/jffs/configs/vsftpd.pem

I have added the lines marked with comments in the vsftpd.conf file (they were shown in bold in the original post).


Some ftp clients have trouble using this command.

The default SSL cipher is DES-CBC3-SHA, but FileZilla regards it as unsafe and rejects it. Therefore you should modify it:
ssl_ciphers=HIGH
Code:
require_ssl_reuse=NO/YES

If set to yes, all SSL data connections are required to exhibit
SSL session reuse (which proves that they know the same master
secret as the control channel). Although this is a secure default,
it may break many FTP clients, so you may want to disable it.
For a discussion of the consequences,
see http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html (Added in v2.1.0).


Then you need an iptables rule to get PASV working from the WAN side; put the rule in "firewall-start" and restart the firewall with "service restart_firewall".
Code:
iptables -I INPUT -p tcp --dport 10500:10520 -j ACCEPT

To create the vsftpd.pem certificate and the key in a single file, we can use this command; modify the paths to suit your key store (both -keyout and -out point at the same file so the key and the certificate end up together in the file named by rsa_cert_file).
Code:
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /jffs/configs/vsftpd.pem -out /jffs/configs/vsftpd.pem

Good luck everyone, feel free to ask if I have missed something in this guide.

Octopus
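As an added example (not code from this thread or from vsftpd), here is a small Python checker for the TLS and PASV pitfalls the thread ran into: it parses a vsftpd.conf, flags the settings that caused trouble above (TLS off, the DES-CBC3-SHA-only default when ssl_ciphers is unset, clear-text logins or data still allowed, no fixed PASV range), derives the matching firewall-start rule from the port range, and decodes the data port from a 227 PASV reply the same way the (175*256)+63 calculation earlier in the thread does. The sample config and the 227 reply are constructed.

```python
import re

# Constructed sample: the TLS and PASV keys from the guide's vsftpd.conf.
SAMPLE_CONF = """\
ssl_enable=YES
ssl_ciphers=HIGH
force_local_data_ssl=YES
force_local_logins_ssl=YES
pasv_enable=YES
pasv_min_port=10500
pasv_max_port=10520
rsa_cert_file=/jffs/configs/vsftpd.pem
"""

def parse_conf(text):
    """vsftpd.conf is one key=value per line; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def is_yes(value):
    # vsftpd upper-cases the value and accepts YES, TRUE or 1; anything else is NO.
    return value.upper() in ("YES", "TRUE", "1")

def tls_findings(conf):
    """The pitfalls this thread hit, as short strings (empty list = clean)."""
    findings = []
    if not is_yes(conf.get("ssl_enable", "NO")):
        findings.append("ssl_enable=NO: TLS is never offered")
    if "ssl_ciphers" not in conf:
        findings.append("ssl_ciphers unset: default is DES-CBC3-SHA only, FileZilla rejects it")
    for key in ("force_local_logins_ssl", "force_local_data_ssl"):
        if not is_yes(conf.get(key, "YES")):  # both default to YES in vsftpd
            findings.append(f"{key}=NO: clear-text fallback possible")
    if is_yes(conf.get("pasv_enable", "YES")) and "pasv_min_port" not in conf:
        findings.append("PASV range unset: random ports, nothing to open in the firewall")
    return findings

def pasv_rule(conf):
    """Firewall rule for the configured PASV range, as in the guide's firewall-start."""
    return f"iptables -I INPUT -p tcp --dport {conf['pasv_min_port']}:{conf['pasv_max_port']} -j ACCEPT"

def pasv_port(reply_227):
    """Data port from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    p1, p2 = [int(n) for n in re.findall(r"\d+", reply_227)][-2:]
    return p1 * 256 + p2
```

Run tls_findings(parse_conf(open("/jffs/configs/vsftpd.conf").read())) on the router to see which of the thread's pitfalls a given config still has; an empty list means none of them apply.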
 
Hi guys, is this working on the latest Merlin build, 378.50? I'm kind of new to these config files. I already have Entware installed and the FTP server running from the GUI, but I want to get to it from the WAN side in a secure way. So any additional help will come in handy, thanks


 
Edited: vsftpd.conf accordingly

Can't find "firewall-start"?

Did service restart_vsftpd, no change.
Tried service stop_vsftpd, can still login?
 
http://www.mediafire.com/view/u9u9t2dj69h2ws4/README-merlin.txt

** User scripts **
These are shell scripts that you can create, and which will be run when
certain events occur. Those scripts must be saved in /jffs/scripts/ ,
so, JFFS must be enabled, as well as the option to use custom
scripts and configs. This can be configured under Administration -> System.
* firewall-start: Firewall is started (filter rules have been applied)
The WAN interface will be passed as argument (for example, "eth0")

Don't forget to set them as executable:
chmod a+rx /jffs/scripts/*
And like any Linux script, they need to start with a shebang:
#!/bin/sh
 
