How To : FTPS Server Configuration

I used to astonish all the time when I see the FTP package name. vsftpd which abrivated to Very Secure File Transfer Demon(vsftpd). But when we see the security prospective of this package there is no much security included with this package. I mean when you login to server the credentials are transfered in plain text. So by defalut root user is not allowed to login to ftp server.

To eliminate transfering data in plain text and to encrypt the entire transmission we can take help from open ssl to generate a certificate and use SSL certificate when communicating with FTP server. This is nothing but a FTPS server.

Some file transfers you should know are.
1. TFTP(Trivial File Transfer Protocol which uses UDP for transmission) –high data rates/not secure
2. (This protocol uses SSH in backend, so you no need to run an FTP server) –secure
3. FTP(This is normal ftp transfer which uses TCP) –not secure

4. FTPS(FTP+SSL certificate to encrypt data transmission)
5. Over SSH(this is a kind of ftp tunnel on SSH protocol)

In this post we will see how you can configure SSL certificate for VSFTPD.

Step1 : Check the following packages on the server and if they are not install please install them.
#yum install openssl
#yum install vsftpd

Step2 : Generate rsa key in /etc/vsftpd folder as below.
#cd /etc/vsftpd
#/usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem

The clipped output for your reference
[root@v-itig42 vsftpd]# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem

Generating a 1024 bit RSA private key



writing new private key to 'vsftpd.pem'


You are about to be asked to enter information that will be incorporated.
into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank.

For some fields there will be a default value,

If you enter '.', the field will be left blank.


Country Name (2 letter code) [GB]:IN

State or Province Name (full name) [Berkshire]:Andhra Pradesh
Locality Name (eg, city) [Newbury]:Vijaywada
Organization Name (eg, company) [My Company Ltd]:Linuxnix Systems Limited
Organizational Unit Name (eg, section) []: IT admin Group
Common Name (eg, your name or your server's hostname) []

Email Address []:

Step3 : Once the Certificate is generated, certificate is kept in /etc/vsftpd folder. We have to provide this entry in vsftpd.conf along some ssl configurations.

Step4 : Edit vsftpd.conf and give enteris at the last of the file.
#vi /etc/vsftpd/vsftpd.conf
#For SSL on specify yes to below option.
# To allow anonysonomous users to use SSL
# if you want local users to use both ssl as well unsecure way of transmission of data plz specify no to below option.
#If you want to allow all the login credentials which are transmitted should be sent with encryption #pleas use below option to force them to use only ssl connection at the time of login.
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
# permit SSL v3 protocol connections. TLS v1 connections are preferred
#Please pecifies the location of the RSA certificate to use for SSL encrypted connections
, which we #created some time back.
Now save and exit the vsftpd file

Step5 : Restart the vsftpd service.
# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]

Start accessing the ftp server with user name credentials with filezila or some other FTP clients which will support SSL/TSL. If you want to access ftps sites through browsers its not possible. We have to have addon called fireftp. Then only we can access ftps:// site. Here in this example I used filezila.

  • Like the post? Please Subscribe to free RSS feed to get updates
  • Related Posts by Categories



    Translate this page


    The Linux Juggernaut | Copyright 2006-2009 Surendra Kumar Anne | Surendra's Home Page | Give us feedback how we are doing, Click here