Secure ProFTPD



Justec
12-03-2004, 01:28 PM
Hi,

I see the ProFTPD setup on Iworx is:

- Module: mod_core.c
- Module: mod_xfer.c
- Module: mod_auth_unix.c
- Module: mod_auth_file.c
- Module: mod_auth.c
- Module: mod_ls.c
- Module: mod_log.c
- Module: mod_site.c
- Module: mod_auth_pam.c
- Module: mod_ratio.c
- Module: mod_readme.c
- Module: mod_sql.c
- Module: mod_sql_mysql.c
- Module: mod_cap/1.0

I want to add SSL to it because I feel like it makes sense as FTP passwords (and files) are passed in clear text. I would want both the passwords and file transfers to be secure when I need them to be without having to use the web-based file management in SiteWorx.

Is there any problem adding this manually before Iworx supports it, following these instructions: http://www.castaglia.org/proftpd/modules/mod_tls.html

I wanted to ask first as this is a production server and I don't want to break anything.

Thanks in advance for your help

:D

Justec
12-03-2004, 02:02 PM
I assume all I need to do is:

./configure \
--with-modules=mod_sql:mod_sql_mysql:mod_tls \
--with-includes=/usr/include/mysql/:/usr/include/openssl/ \
--with-libraries=/usr/lib/mysql/

make;make install

Is there supposed to be a library file I need to include for openssl?

I did a "find / -name 'openssl'" and the only thing it came up with was:
/usr/bin/openssl
/usr/include/openssl (I have included this above)

Also, I had to do some extra things last time I manually upgraded ProFTPD on a recommendation from Sago (Thanks Sago-Dan). Will I still have to do the following steps to complete the configuration?

There's a few things which you have to mod to get it to work in interworx.
The default configuration build of proftpd is pointing to another location (after the make install ) /usr/local/etc/proftpd.conf

If you remove that file with:
10. rm /usr/local/etc/proftpd.conf
then link it to the current one

11. ln -s /etc/proftpd.conf /usr/local/etc/proftpd.conf

You should have the configuration part set.
You may also have to copy the files to the proper location because the rpm'ed version of proftpd is stored in /usr/sbin and not /usr/local

Just copy the files which were compiled to the /usr/sbin
12. cp proftpd /usr/sbin
13. cp ftp* /usr/sbin

Then proceed with starting the proftpd service

14. service proftpd start
-----------------------------------------------------------
Sago-Dan :: http://sagonet.com/forums/viewtopic.php?t=373
-----------------------------------------------------------

IWorx-Chris
12-03-2004, 10:32 PM
Justin,

I'd try this instead as it's a bit cleaner and you don't have to do any special compiling outside of the RPM infrastructure.

If you're on RH9, which I'm assuming you are, just do:



rpmbuild --rebuild --with rht90 --with mod_tls http://updates.interworx.info/iworx/SRPMS/proftpd-1.2.10-100.iworx.src.rpm


When that's done building you can simply



rpm -Uvh --force /usr/src/redhat/RPMS/i386/proftpd-1.2.10-100.iworx.rpm


The --force is needed since the same version (without tls) is already installed.

Regarding the proftpd.conf you *DO NOT* want to overwrite or otherwise not use the proftpd.conf that comes with iworx. It has the DB connection strings in the conf file that are needed for proftpd to connect to the SQL auth backend. I'd just hand copy any TLS stuff that is needed to the /etc/proftpd.conf.

Chris

Justec
12-04-2004, 08:02 PM
[SEE POST #14 FOR UPDATED STEPS ]
http://interworx.info/forums/showpost.php?p=3464&postcount=14




Thanks for the info Chris.

I have followed your instructions and everything went perfect.
The RPM file name was a little different than the one you specified, but it wasn't hard to figure out the correct one for my server. There was a '.i386' after the iworx (proftpd-1.2.10-100.iworx.i386.rpm).

I ran the force and it went okay:


[root@server1 i386]# rpm -Uvh --force /usr/src/redhat/RPMS/i386/proftpd-1.2.10-100.iworx.i386.rpm
Preparing... ########################################### [100%]
1:proftpd warning: /etc/proftpd.conf created as /etc/proftpd.conf.rpmnew
########################################### [100%]
Starting proftpd: [ OK ]


I tried connecting securely using SmartFTP (http://www.smartftp.com/support/kb/index.php/166) but it failed to connect.

Using Explicit:
220 FTP Server Ready
AUTH SSL
500 AUTH not understood

220 FTP Server Ready
AUTH TLS
500 AUTH not understood

Using Implicit:

Connected. Exchanging encryption keys...
SSL Error
The token supplied to the function is invalid
Connection closed.

Any ideas?

Thanks for the help! :D

Justec
12-04-2004, 08:19 PM
[SEE POST #14 FOR UPDATED STEPS ]
http://interworx.info/forums/showpost.php?p=3464&postcount=14

I guess I thought the config file was magically going to add the module code and know where my SSL certificates are by itself.

After adding the following code (based on the sample below) it connected:

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/tls.log
TLSProtocol SSLv23 # this selects the latest crypt version

TLSOptions NoCertRequest # this is REALLY important for WinClients

# Are clients required to use FTP over TLS when talking to this server?
TLSRequired on

# Server's certificate
TLSRSACertificateFile /etc/openldap/ldapcert.pem
TLSRSACertificateKeyFile /etc/openldap/ldapkey.pem
TLSCACertificateFile /etc/openldap/demoCA/cacert.pem

# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
</IfModule>

Thanks for your help, this should come in handy when transferring PHP scripts that I don't want other people seeing!

Justec
12-04-2004, 08:25 PM
Also, is there any benefit to running the SSL version on port 990 versus both on port 21?

IWorx-Chris
12-04-2004, 09:22 PM
Sorry, I should have mentioned that there was "extra setup" to be done. But you got it :).

Regarding your 2nd question there's no real benefit. Port 21 = un-secured FTP so I'd stick with it on 990 personally.

Chris

Justec
12-09-2004, 08:46 PM
I'm using SmartFTP and there are two connection methods.

http://www.smartftp.com/support/kb/index.php/166

The Explicit connection works with Mod_TLS, but how would I go about making it work with Implicit?

Also, is there a way to make port 990 secure only? I added a virtual host to the proftpd config file and now it listens on 21 and 990, but connecting to either works with or without SSL.

Also, I'm trying to get DreamWeaver 2004 to connect via SSL and it doesn't so I'm thinking it is using the implicit method that I can't connect with when using SmartFTP.

Any ideas?
:confused:

IWorx-Chris
12-09-2004, 10:29 PM
From what I've read on the proftpd author's site (http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html) the current tls implementation doesn't support the 'implicit' method (the doc was updated on 10/9 so I'm assuming it's current).

I haven't setup tls on a proftpd server yet so without trying it out I am probably a bad source. But if you want me to login to your box and play around with it I'd be happy to just to see it working :).

Chris

Justec
12-14-2004, 01:45 PM
I have sent in a support ticket with the info.

EDIT:
I sent two tickets b/c the first one I had a typo in my email address.

Justec
02-04-2005, 08:52 PM
Did you ever get a chance to check this out?

It works great using SmartFTP, but not when using dreamweaver

IWorx-Chris
02-04-2005, 10:40 PM
I haven't Justin and I apologize. It's been maddeningly busy over here getting the releases ready.

Chris

Justec
05-11-2005, 08:49 AM
Last question! Speaking of SSL, to set up ProFTPD with SSL, I got through half the procedure up until that step you initially 'forgot' .. the one involving configuring certificates and stuff. Can you elaborate a bit on that? I'm kinda jumping across topics here, sorry =) Just figured you could answer all my concerns at once =)

It's pretty much the same as setting up SSL in the apache config file. I know you can now setup SSL with SiteWorx although I haven't tried it because I already set a manual way of doing it on my server that is really easy. But if you haven't set it up on Apache what I said probably didn't help you too much.

There are 3 parts to setup SSL:
1) The certificate, which I guess is just another term for public key. This is what the client uses to encrypt the first request to establish a secure connection. Everyone can encrypt with it, but only the person (hopefully just you) with the private key can decrypt it.

2) The private key

3) The certificate authority certificate. This is from whomever you buy your certificate from. I think it's what the browsers look at to see if that is a trust certificate.

So to set this up in ProFTPD you have these lines:

# Server's Certificate
TLSRSACertificateFile /path/to/ssl/yourcertificate.crt
TLSRSACertificateKeyFile /path/to/ssl/yourprivatekey.key
TLSCACertificateFile /path/to/ssl/CAcertificate.crt

I'm not sure if you could just create a private key / certificate and use it as unsigned (no CAcertificate.crt). Maybe you should try using the SiteWorx SSL feature and then make the /path/to/ssl point to where those are stored.

Or you could just wait till the next update of Iworx ProFTPD because I guess there is a demand for it and they are right there to meet that demand (Good job guys, like to see you stay ahead of the curve :D )
http://interworx.info/forums/showthread.php?p=3417

Justec
05-13-2005, 08:23 AM
I just tried something that works and you won't have to create your own key and certificate!

Also, the compile code is a little different now. This is if you are on Redhat 9.0 box. If you are on another box then you change out the rht90 for your OS.

Step1:

rpmbuild --rebuild --with rht90 --with mod_tls http://updates.interworx.info/iworx/SRPMS/proftpd-1.2.10-100.iworx.src.rpm


Step2:

rpm -Uvh --force /usr/src/redhat/RPMS/i386/proftpd-1.2.10-100.rht90.iworx.i386.rpm

Step3:
Edit the /etc/proftpd.conf file. Just add the following to the very bottom of the file (After </GLOBAL>). Just copy and paste this in verbatim.

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/tls.log
TLSProtocol SSLv3

TLSOptions NoCertRequest

# Server's Certificate
TLSRSACertificateFile /home/interworx/etc/ssl/iworx.crt
TLSRSACertificateKeyFile /home/interworx/etc/ssl/iworx.key

</IfModule>


Step4:

service proftpd restart

I just did this exact thing on my Red Hat 9 box since something got messed up when I rebooted about a week ago, because I think Iworx changed all the RPMs now for each Linux OS.

Good luck and hopefully this should get you up and running with your SFTP server.

int
05-13-2005, 02:09 PM
Edit the /etc/proftpd.conf.rpmnew. Just add the following to the very bottom of the file. Just copy and paste this in verbatim.

Did you mean proftpd.conf or proftpd.conf.rpmnew? I thought it would look at .conf and not the .rpmnew.

Do I add it AFTER the /GLOBAL?

Lastly, sadly, I have to ask - how do I choose to turn it on? I figured it would be on by default if I try to connect using TLS now. When I try to connect with TLS after following those steps, I still get:



[L] 220 FTP Server Ready
[L] AUTH TLS
[L] 500 AUTH not understood
[L] Failed SSL/TLS negotiation, disconnected
[L] Connection failed (Connection lost)


EDIT: Oh and:


[root@server etc]# proftpd -l
Compiled-in modules:
mod_core.c
mod_xfer.c
mod_auth_unix.c
mod_auth_file.c
mod_auth.c
mod_ls.c
mod_log.c
mod_site.c
mod_auth_pam.c
mod_ratio.c
mod_readme.c
mod_sql.c
mod_sql_mysql.c
mod_tls.c
mod_cap.c

Justec
05-13-2005, 03:00 PM
proftpd.conf.rpmnew is the new config file the RPM creates so it doesn't overwrite your original config file. So that is why you need to edit that one.

I added mine after the </GLOBAL>

I think you may have everything setup right on the server, but you need to configure your client application correctly.

I use SmartFTP and it works, but one thing I noticed is you have it as Auth_TLS. Set up your client to use the AUTH SSL and not TLS.

Let me know if that works!

int
05-13-2005, 04:31 PM

Using FlashFXP:

Implicit SSL:
[L] Connected. Negotiating SSL session..
[L] SSL ERROR: unknown protocol
[L] Connection failed (Connection closed by client)

AUTH SSL:
[L] 220 FTP Server Ready
[L] AUTH SSL
[L] 500 AUTH not understood
[L] Failed SSL/TLS negotiation, disconnected
[L] Connection failed (Connection lost)

AUTH TLS:
[L] 220 FTP Server Ready
[L] AUTH TLS
[L] 500 AUTH not understood
[L] Failed SSL/TLS negotiation, disconnected
[L] Connection failed (Connection lost)


So no go =/ I have no trouble connecting with SSL with this app otherwise =/ I'm thinking I have to enable SSL on ProFTPD somewhere... somehow.

---------------------------------------------------------

EDIT: I modified the proftpd.conf file instead, since I was sure that's the one proftpd uses - and I got a somewhat different response. It looks like it's TRYING now. The .conf.rpmnew file was just created so that it wouldn't replace the .conf on us. It's not the one ProFTPD looks at/for.

After adding the TLS code you pasted into proftpd.conf, I get:

Implicit SSL:
[L] Connected. Negotiating SSL session..
[L] SSL ERROR: unknown protocol
[L] Connection failed (Connection closed by client)

Auth SSL:
[L] AUTH SSL
[L] 234 AUTH SSL successful
[L] Connected. Negotiating SSL session..
[L] error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
[L] Connection failed (Connection closed by client)

Auth TLS:
[L] 234 AUTH TLS successful
[L] Connected. Negotiating TLSv1 session..
[L] error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[L] Connection failed (Connection closed by client)

Justec
05-13-2005, 04:39 PM
Sorry I forgot to mention it has to be "Explicit" and "Auth SSL" for it to work.

I would try that and if that doesn't work maybe you forgot to restart ProFTPD after you updated the config file?

If you want to create a temp dummy ftp account on your server I can see if I can connect to it, just send me a PM.

[EDIT]
Actually thats not true, it HAS TO be "Explicit" but you can use Auth TLS as well as Auth SSL.
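A client-side check for the explicit (AUTH TLS / AUTH SSL) setup discussed above. Added example, not code from the thread or from ProFTPD: classify_auth_reply and explain map the replies quoted in this thread ("500 AUTH not understood", "234 AUTH TLS successful" followed by a handshake failure) to their likely cause, and check_explicit_ftps probes a live server, verifying that a cleartext USER is refused (TLSRequired on); the host name in the demo is a placeholder.

```python
"""Client-side check that a ProFTPD mod_tls server offers explicit FTPS and enforces it.

Added example, not code from the thread or from ProFTPD. It only ever sends
AUTH TLS and a USER command with a placeholder name; no password is sent.
"""
import ftplib
import ssl
import sys


def classify_auth_reply(reply):
    """Map the control-channel reply to AUTH TLS/SSL onto the cases seen in the thread."""
    code = reply.strip()[:3]
    if code == "234":
        return "accepted"      # "234 AUTH TLS successful": mod_tls is loaded and TLSEngine is on
    if code in ("500", "502"):
        return "not-offered"   # "500 AUTH not understood": no mod_tls, or the TLS block is not in the conf in use
    return "other"


def explain(auth_state, handshake_ok, plaintext_refused):
    """Turn the observations into the likely cause, following the symptoms reported in the thread."""
    if auth_state == "not-offered":
        return ("server does not offer TLS: check 'proftpd -l' for mod_tls.c and that the "
                "<IfModule mod_tls.c> block is in the proftpd.conf the daemon actually reads")
    if auth_state == "accepted" and not handshake_ok:
        return ("AUTH accepted but the TLS handshake failed: verify TLSRSACertificateFile is the "
                "certificate and TLSRSACertificateKeyFile its key, and that the client trusts the certificate")
    if auth_state == "accepted" and plaintext_refused is False:
        return "TLS works but TLSRequired is off: cleartext logins are still accepted"
    if auth_state == "accepted":
        return "explicit FTPS is offered and cleartext logins are refused"
    return "unexpected reply to AUTH; check the server's TLSLog"


def check_explicit_ftps(host, port=21, cafile=None, timeout=10):
    """Live probe. cafile: PEM of the server's (self-signed) certificate or its CA, so verification can pass."""
    result = {"auth_state": None, "handshake_ok": False, "plaintext_refused": None,
              "peer_subject": None, "error": None}
    ctx = ssl.create_default_context(cafile=cafile)   # hostname and chain verification stay on
    ftp = ftplib.FTP_TLS(context=ctx, timeout=timeout)
    ftp.connect(host, port)
    try:
        reply = ftp.auth()                            # sends "AUTH TLS", then wraps the control socket
    except ftplib.error_perm as exc:                  # 5xx reply: TLS not offered at all
        result["auth_state"] = classify_auth_reply(str(exc))
        result["error"] = str(exc)
    except ssl.SSLError as exc:                       # the 234 came back, the handshake itself failed
        result["auth_state"] = "accepted"
        result["error"] = str(exc)
    else:
        result["auth_state"] = classify_auth_reply(reply)
        result["handshake_ok"] = True
        result["peer_subject"] = ftp.sock.getpeercert().get("subject")
    finally:
        ftp.close()

    if result["auth_state"] == "accepted":
        # Second connection with no TLS at all: a server with TLSRequired on rejects USER with a 5xx
        # reply before any password is requested; a 331 means a cleartext login would have been allowed.
        plain = ftplib.FTP(timeout=timeout)
        plain.connect(host, port)
        try:
            plain.sendcmd("USER tls-probe")           # placeholder user name, never a real account
            result["plaintext_refused"] = False
        except ftplib.error_perm as exc:
            result["plaintext_refused"] = True
            result["error"] = result["error"] or str(exc)
        finally:
            plain.close()

    result["verdict"] = explain(result["auth_state"], result["handshake_ok"], result["plaintext_refused"])
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ftp.example.invalid"   # placeholder host
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for key, value in check_explicit_ftps(target, cafile=ca).items():
        print("%-18s %s" % (key, value))
```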

Justec
05-13-2005, 05:03 PM
Sorry about the mis-info on the .rpmnew, I have recompiled this a couple times and got confused on which one was which.

I just double checked putting the Interworx Certificate code in the real .conf file on my server and it still works so the new error you have is probably something with your FTP program. Try using SmartFTP (www.smartftp.com).

And make sure to use Explicit.


[EDIT]
I just installed FlashFXP trial and was able to connect to my server using both Auth_TLS and Auth_SSL. I did get a warning about the InterWorx Certificate being self-signed, but that's it.

int
05-13-2005, 05:05 PM

Pfft - as if you have any reason to apologize to me for ANYTHING! =)
I can see how it would be confusing - I remember seeing the message after it compiled.

I used CuteFTP Pro 7 and tried Explicit and that didn't work either. I'll try SmartFTP. I'll keep you posted.

Thanks again Justec!

int
05-13-2005, 05:13 PM
Got it!

Works with FlashFXP AND CuteFTP now =)

It was just a small error in the code you pasted:


# Server's certificate
TLSRSACertificateFile /home/interworx/etc/ssl/iworx.key
TLSRSACertificateKeyFile /home/interworx/etc/ssl/iworx.key


Should have been:


# Server's certificate
TLSRSACertificateFile /home/interworx/etc/ssl/iworx.crt
TLSRSACertificateKeyFile /home/interworx/etc/ssl/iworx.key


Just the iworx.crt was the problem. My fault - I should have been reading what I was copy/pasting into the conf file!

Justec thanks for all the help =)
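A small linter for the mod_tls block that catches the mistakes hit in this thread: both certificate directives pointing at iworx.key, TLSRequired left off, the SSLv3/SSLv23 protocol setting, and the block missing from the conf entirely. Added example, not ProFTPD code or anything posted in the thread; BAD_BLOCK and the PEM files written by demo() are constructed.

```python
"""Lint the <IfModule mod_tls.c> block of a proftpd.conf.

Added example, not part of ProFTPD or of the thread; the conf text and PEM
files in the demo are constructed to reproduce the mistakes reported above.
"""
import re
import tempfile
from pathlib import Path

TLS_BLOCK_RE = re.compile(r"<IfModule\s+mod_tls\.c>(.*?)</IfModule>", re.S | re.I)
WEAK_PROTOCOLS = {"sslv2", "sslv3", "sslv23"}   # the SSLv3/SSLv23 settings used in the thread


def parse_tls_block(conf_text):
    """Return {Directive: [args]} for the first mod_tls block, or None when there is none."""
    match = TLS_BLOCK_RE.search(conf_text)
    if match is None:
        return None
    directives = {}
    for raw in match.group(1).splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing "# ..." comments such as those in the thread
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives


def _first(directives, name, default=None):
    args = directives.get(name)
    return args[0] if args else default


def pem_role(path):
    """Classify a PEM file by its BEGIN marker: 'cert', 'key', 'unknown' or 'missing'."""
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return "missing"
    if "-----BEGIN CERTIFICATE-----" in text:
        return "cert"
    if re.search(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----", text):
        return "key"
    return "unknown"


def lint_tls_block(conf_text, check_files=True):
    """Return a list of findings; an empty list means nothing to report."""
    d = parse_tls_block(conf_text)
    if d is None:
        return ["no <IfModule mod_tls.c> block: AUTH TLS will get '500 AUTH not understood'"]
    findings = []
    if _first(d, "TLSEngine", "off").lower() != "on":
        findings.append("TLSEngine is not 'on'")
    if _first(d, "TLSRequired", "off").lower() != "on":
        findings.append("TLSRequired is not 'on': cleartext logins are still accepted")
    protocols = d.get("TLSProtocol", [])
    if any(p.lower() in WEAK_PROTOCOLS for p in protocols):
        findings.append("TLSProtocol %s enables broken SSL versions" % " ".join(protocols))
    cert = _first(d, "TLSRSACertificateFile")
    key = _first(d, "TLSRSACertificateKeyFile")
    if cert is None or key is None:
        findings.append("TLSRSACertificateFile and TLSRSACertificateKeyFile are both required")
    elif cert == key:
        findings.append("certificate and key directives point at the same file: " + cert)
    elif check_files:
        for label, path, want in (("certificate", cert, "cert"), ("key", key, "key")):
            got = pem_role(path)
            if got != want:
                findings.append("%s file %s is %s, expected a %s" % (label, path, got, want))
    return findings


BAD_BLOCK = """\
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/tls.log
TLSProtocol SSLv3
TLSOptions NoCertRequest
# Server's certificate (both directives point at the key, as in the thread)
TLSRSACertificateFile /home/interworx/etc/ssl/iworx.key
TLSRSACertificateKeyFile /home/interworx/etc/ssl/iworx.key
</IfModule>
"""


def demo():
    """Lint the bad block, then a corrected block against constructed PEM files in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        crt, keyf = Path(tmp, "iworx.crt"), Path(tmp, "iworx.key")
        crt.write_text("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n")
        keyf.write_text("-----BEGIN RSA PRIVATE KEY-----\nconstructed placeholder\n-----END RSA PRIVATE KEY-----\n")
        good = ("<IfModule mod_tls.c>\nTLSEngine on\nTLSRequired on\nTLSProtocol TLSv1.2\n"
                "TLSRSACertificateFile %s\nTLSRSACertificateKeyFile %s\n</IfModule>\n" % (crt, keyf))
        return lint_tls_block(BAD_BLOCK), lint_tls_block(good)


if __name__ == "__main__":
    for findings in demo():
        print(findings or "OK")
```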

Justec
05-13-2005, 05:17 PM
Take a look back at the first page where I listed steps 1 through 4. I have updated this. I made an error and somehow pasted bad code in Step3.

At the very top, the TLSProtocol should be SSLv3, not SSLv23

TLSProtocol SSLv3

I'm almost positive this is the problem. I guess I should get more sleep :rolleyes:

[EDIT]
Just read you got it working. Glad to hear. Although it's working you may want to use the newer version of the SSLv3 (which I guess wasn't the problem) anyway.

It's good to know I wasn't the only one that really wanted to have a secure FTP :D

int
05-13-2005, 05:30 PM
I've got one last question for you Justec, before I leave you alone, hopefully for a long time =)

Do you know where ProFTPD chooses its PASV ports? I had to add ports 411xx to 412xx to my APF firewall to allow the directories to list every time.

Did you have to reconfigure your firewall too? I don't like having so many open ports on my server unless I really have to =/

Justec
05-13-2005, 05:34 PM
It's random.
And it should be the same as before you had the SSL setup.

Here is some info on Active vs. Passive:
http://slacksite.com/other/ftp.html

If you do passive it only uses ports 21 and 20, but then clients behind firewalls would not be able to connect b/c the server tries to connect back from port 20 on the server to a random port on the client.

One thing it says is that it is >1024.

Justec
05-13-2005, 05:58 PM
Int,

I have a question for you. I haven't setup APF before, but I was going to and I decided to do it now.

What ports do you have open?

This is what I have right now:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,26,80,443,110,143,993,995,2080,2306,2443,3306,6000_7000"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53,123"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"


Right now I have EGF disabled, but what ports do you have on that one?

[EDIT]
Maybe you should start an APF thread to help others with InterWorx setup APF

int
05-13-2005, 08:02 PM

It's not all that random - the ports PASV uses always stay within a range of 100ish ports, I just don't know where those ports are set.

As for APF and Interworx, the ports I have open are:

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,113,143,161,443,465,993,995,2080,2306,2443,3306,3333,6667,6668,6999,7000,7029,41150_42250"

NOTE: 41150_42250 is for PASV. I believe I had to add 6667-7000 for IRC, and 113 for IDENTD for IRC as well.

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="20,21,53,1040"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

I have EGF disabled as well.

There's not much to setup for APF - I got the instructions off a website a long time ago and followed them to the letter. I then went through and added a couple of ports for Interworx =) If you need me to help you with anything for APF though, I can definitely give it a try! Hope what I posted up there is enough. APF and Interworx has worked seamlessly with those settings for over 2 months now.

Justec
05-13-2005, 08:09 PM
It's not all that random - the ports PASV uses always stays within a range of 100ish ports, i just don't know where those ports are set.
I think it's "random" by nature. But it will stay in that "random" range.
But guess what I found :D

A way to make it not so random...

PassivePorts 50000 55535

You add this line to your proftpd.conf.
I added mine here:
DefaultServer on
DeferWelcome on
PassivePorts 50000 55535

Then just add 50000_55535 to your conf.apf and you are all set.

Don't forget to "service proftpd restart" and "apf -r"

I found a thread on another forum that explained the install. Pretty easy to follow and I think I have all the ports you listed here, I will have to double check though. Thanx for the help!
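A check for the PassivePorts/APF pairing described above. Added example, not code from the thread, ProFTPD or APF: it parses the PassivePorts line from proftpd.conf and the IG_TCP_CPORTS list from conf.apf (ranges in APF's low_high syntax, stray spaces tolerated) and reports which passive ports the firewall still blocks, collapsed back into an APF entry; SAMPLE_CONF and SAMPLE_APF are constructed.

```python
"""Check that the ProFTPD PassivePorts range is actually opened in APF's conf.apf.

Added example, not from the thread, ProFTPD or APF. Understands the APF list
syntax shown in the thread: comma-separated ports, ranges written low_high.
"""
import re

PASSIVE_RE = re.compile(r"^\s*PassivePorts\s+(\d+)\s+(\d+)\s*$", re.M | re.I)


def parse_passive_ports(conf_text):
    """Return (low, high) from a 'PassivePorts low high' line, or None when no range is configured."""
    m = PASSIVE_RE.search(conf_text)
    if m is None:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    if not 0 < low <= high <= 65535:
        raise ValueError("PassivePorts %d %d is not a valid range" % (low, high))
    return low, high


def parse_apf_ports(apf_text, var="IG_TCP_CPORTS"):
    """Return the set of TCP ports an APF list opens, e.g. '21,22,50000_55535' -> {21, 22, 50000..55535}."""
    m = re.search(r'^\s*%s="([^"]*)"' % re.escape(var), apf_text, re.M)
    if m is None:
        return set()
    ports = set()
    for item in m.group(1).replace(" ", "").split(","):   # tolerate stray spaces from wrapped lines
        if not item:
            continue
        if "_" in item:
            low, high = (int(x) for x in item.split("_", 1))
            ports.update(range(low, high + 1))
        else:
            ports.add(int(item))
    return ports


def to_apf_ranges(ports):
    """Collapse a set of ports into APF syntax: {50000..50009, 50020} -> '50000_50009,50020'."""
    out, run = [], []
    for p in sorted(ports):
        if run and p != run[-1] + 1:
            out.append("%d_%d" % (run[0], run[-1]) if len(run) > 1 else str(run[0]))
            run = []
        run.append(p)
    if run:
        out.append("%d_%d" % (run[0], run[-1]) if len(run) > 1 else str(run[0]))
    return ",".join(out)


def passive_coverage(conf_text, apf_text):
    """Report which configured passive ports APF still blocks and the entry that would open them."""
    rng = parse_passive_ports(conf_text)
    if rng is None:
        return {"configured": False, "blocked": 0, "needed_entry": None,
                "note": "no PassivePorts line: data connections can land on any high port"}
    low, high = rng
    opened = parse_apf_ports(apf_text)
    blocked = {p for p in range(low, high + 1) if p not in opened}
    return {"configured": True, "blocked": len(blocked),
            "needed_entry": to_apf_ranges(blocked) if blocked else None,
            "note": "passive range fully open" if not blocked
                    else "add needed_entry to IG_TCP_CPORTS and run apf -r"}


# Constructed inputs mirroring the thread: PassivePorts 50000-55535 while APF only opens 41150-42250.
SAMPLE_CONF = "DefaultServer on\nDeferWelcome on\nPassivePorts 50000 55535\n"
SAMPLE_APF = 'IG_TCP_CPORTS="20,21,22,25,80,443,2080,2306,2443,3306, 41150_42250"\n'

if __name__ == "__main__":
    print(passive_coverage(SAMPLE_CONF, SAMPLE_APF))
```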

int
05-13-2005, 08:46 PM

Nice Justec - the PASV port range thing really helped me out =) I much prefer a smaller range of open ports, and that allows me to do that.

As for the APF install, yea it's really easy!

A couple of other security measures - I suggest you disable direct root login, install a rootkit checker, change the default SSH port from 22, and use SSH V2. Remember to add the new port to the conf.apf =) If you need any help doing any of these, let me know. I remember most of it, and I can dig up a website or two for you for the others.

pascal
05-14-2005, 07:57 AM
Hello

I have used APF for a while and you don't have to open the port for PASV.

I do not use the EGress and my Ingress is



# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,990,993,995,2080,2306,2443,3306,6277"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="20,21,53"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"


And it works fine with PASV


Pascal
ps I also use bfd, ad, sim, from r-fx-network . So good !!!

Justec
05-14-2005, 04:36 PM
I use APF for a while and you don't have to open the port for the PASV.
I don't see how that is possible. The only way I would see it working is if the connection is ACTIVE and not PASSIVE even though Passive is enabled on the server.

Also, Int, not sure if you figured out your other post I got in my email (I don't see it here anymore), but the secure ProFTPD isn't a requirement. You can still connect without SSL. Let me know if this is still an issue.

int
05-14-2005, 04:39 PM

You have to open the port - for sure. I don't see how PASV could work without it. My guess is that pascal's APF isn't really running right, or his PASV is set to a single port (or a couple) which he has forwarded but doesn't realize.

As for SSL being an option - I erased that post minutes after writing it because I realized that there's an option in the conf which I copy/pasted as ON... which I changed:



# Are clients required to use FTP over TLS when talking to this server?
TLSRequired off


In your post, it was set to 'on', so it made it required =) It's sorted now, thanks for the reply/concern =)


---------

EDIT: Last thing Justec, please make sure that you add PORT 22 to your APF. I had previously erased it from the default conf.apf file since i have changed the default SSH port on my server. Don't forget to have that port included (or whatever your SSH port is) or you'll be locked out of your server!

pascal
05-14-2005, 05:05 PM
There are some default rules in APF, like the one for port 20 for example. I agree that normally you'll have to open these ports, but I promise you that I've tested with filezilla using PASV mode and I do not have any problems, and as you may see my rules didn't open any specific ports for PASV mode. I didn't investigate any more, so maybe I'm wrong. Make a try yourself.

Pascal

Justec
05-14-2005, 05:42 PM
ps I also use bfd, ad, sim, from r-fx-network . So good !!!
Pascal,

What is the difference between BFD and DOS for APF that comes with the standard APF install?

JayBaen
05-15-2005, 11:09 AM
Going to interject here slightly.

-- I had several problems with my APF (and associated apps) install. I'm *sure* there are many people using it successfully, but it was causing me great amounts of grief. I'm also the type of person who likes to know *exactly* what a script is doing. So, I took a day and learned IPTables and wrote my own firewall. Honestly, given the minds of Pascal, Justec and Int -- you could do it yourself easily in a couple of hours of research, at which point, you'd know exactly what you've implemented.

-- In this process, I did a bunch of research on the difference between PASV and Active, and the repercussions of either. Active is *much* more secure from the server side (obviously). I was happy to discover that most client routers/firewalls, etc these days are "FTP aware/savvy" and will on-the-fly do the hoop-jumping to negotiate an Active FTP connection. We tested the Active FTP connections to the server from several clients, each with different hardware (Westell, Linksys, D-Link, etc) and had NO issues connecting to an Active session. (Understandably, this would not have been the case several years ago).

In our case, we chose Active connections only, and put the burden of the connectivity back on the clients -- and haven't had one complaint. Nada.

Adjustments would have to be made of course for forcing the secure connections, but conceptually, it should be the same.

JB

Martin Blank
08-10-2005, 11:11 PM
I just tried something that works and you won't have to create your own key and certificate!

Also, the compile code is a little different now. This is if you are on Redhat 9.0 box. If you are on another box then you change out the rht90 for your OS.
Minor resurrection. When running this on CentOS 4.1 x86_64 using the following command:


rpmbuild --rebuild --with rhe4x --with mod_tls http://updates.interworx.info/iworx/SRPMS/proftpd-1.2.10-100.iworx.src.rpm

I get the following output at the end once everything's compiled and setting up to install for the creation of the RPM:


/usr/bin/install -c -s -o root -g root -m 0755 proftpd /var/tmp/proftpd-1.2.10-root/usr/sbin/proftpd
if [ -f /var/tmp/proftpd-1.2.10-root/usr/sbin/in.proftpd ] ; then \
rm -f /var/tmp/proftpd-1.2.10-root/usr/sbin/in.proftpd ; \
fi
ln -s proftpd /var/tmp/proftpd-1.2.10-root/usr/sbin/in.proftpd
chown -h root:root /var/tmp/proftpd-1.2.10-root/usr/sbin/in.proftpd
/usr/bin/install -c -s -o root -g root -m 0755 ftpcount /var/tmp/proftpd-1.2.10-root/usr/bin/ftpcount
/usr/bin/install -c -s -o root -g root -m 0755 ftpdctl /var/tmp/proftpd-1.2.10-root/usr/bin/ftpdctl
/usr/bin/install -c -s -o root -g root -m 0755 ftpshut /var/tmp/proftpd-1.2.10-root/usr/sbin/ftpshut
/usr/bin/install -c -s -o root -g root -m 0755 ftptop /var/tmp/proftpd-1.2.10-root/usr/bin/ftptop
/usr/bin/install -c -s -o root -g root -m 0755 ftpwho /var/tmp/proftpd-1.2.10-root/usr/bin/ftpwho
if [ ! -f /var/tmp/proftpd-1.2.10-root/usr/etc/proftpd.conf ] ; then \
/usr/bin/install -c -o root -g root -m 0644 \
./sample-configurations/basic.conf \
/var/tmp/proftpd-1.2.10-root/usr/etc/proftpd.conf ; \
fi
/usr/bin/install -c -o root -g root -m 0644 ./src/ftpdctl.8 /var/tmp/proftpd-1.2.10-root/usr/man/man8
/usr/bin/install -c -o root -g root -m 0644 ./src/proftpd.8 /var/tmp/proftpd-1.2.10-root/usr/man/man8
/usr/bin/install -c -o root -g root -m 0644 ./utils/ftpshut.8 /var/tmp/proftpd-1.2.10-root/usr/man/man8
/usr/bin/install -c -o root -g root -m 0644 ./utils/ftpcount.1 /var/tmp/proftpd-1.2.10-root/usr/man/man1
/usr/bin/install -c -o root -g root -m 0644 ./utils/ftptop.1 /var/tmp/proftpd-1.2.10-root/usr/man/man1
/usr/bin/install -c -o root -g root -m 0644 ./utils/ftpwho.1 /var/tmp/proftpd-1.2.10-root/usr/man/man1
/usr/bin/install -c -o root -g root -m 0644 ./src/xferlog.5 /var/tmp/proftpd-1.2.10-root/usr/man/man5
+ mkdir -p /var/tmp/proftpd-1.2.10-root/etc/pam.d
+ mkdir -p /var/tmp/proftpd-1.2.10-root/var/log/ftpd
+ install -m 644 contrib/dist/rpm/ftp.pamd /var/tmp/proftpd-1.2.10-root/etc/pam.d/ftp
+ mkdir -p /var/tmp/proftpd-1.2.10-root/etc/rc.d/init.d
+ sed -e '/FTPSHUT=/c\' -e FTPSHUT=/usr/sbin/ftpshut contrib/dist/rpm/proftpd.init.d
+ mv --force contrib/dist/rpm/proftpd.init.d.tmp contrib/dist/rpm/proftpd.init.d
+ install -m 755 contrib/dist/rpm/proftpd.init.d /var/tmp/proftpd-1.2.10-root/etc/rc.d/init.d/proftpd
+ mkdir -p /var/tmp/proftpd-1.2.10-root/etc/logrotate.d/
+ install -m 644 contrib/dist/rpm/proftpd.logrotate /var/tmp/proftpd-1.2.10-root/etc/logrotate.d/proftpd
+ rm -f contrib/README.mod_sql
+ mkdir -p /var/tmp/proftpd-1.2.10-root/usr/doc
+ rm -f '/var/tmp/proftpd-1.2.10-root/usr/doc/*'
+ cp -f /usr/src/redhat/SOURCES/proftpd.conf /var/tmp/proftpd-1.2.10-root/usr/etc
+ exit 0
Processing files: proftpd-1.2.10-100.rhe4x.iworx
error: File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/logrotate.d/proftpd
error: File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/rc.d/init.d/proftpd
error: File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/pam.d/ftp
error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftpcount.1*
error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftptop.1*
error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftpwho.1*
error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man5/xferlog.5*
error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/ftpshut.8*
error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/proftpd.8*
error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/ftpdctl.8*


RPM build errors:
File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/logrotate.d/proftpd
File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/rc.d/init.d/proftpd
File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/pam.d/ftp
File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftpcount.1*
File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftptop.1*
File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftpwho.1*
File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man5/xferlog.5*
File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/ftpshut.8*
File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/proftpd.8*
File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/ftpdctl.8*
Admittedly, this is not something I've done much before. I did notice that the directories are not lining up properly (those throwing errors have extra "share" directories involved). Not sure how to fix those, though.

Martin Blank
08-29-2005, 10:41 PM
Anyone? Anyone? Bueller?

IWorx-Chris
08-30-2005, 02:12 PM
Martin,

It's a very odd error. It looks like the macros for RPM aren't set "right". I'd edit /usr/lib/rpm/macros and find the following section:



%_prefix /usr
%_exec_prefix %{_prefix}
%_bindir %{_exec_prefix}/bin
%_sbindir %{_exec_prefix}/sbin
%_libexecdir %{_exec_prefix}/libexec
%_datadir %{_prefix}/share
%_sysconfdir %{_prefix}/etc
%_sharedstatedir %{_prefix}/com
%_localstatedir %{_prefix}/var
%_lib lib
%_libdir %{_exec_prefix}/%{_lib}
%_includedir %{_prefix}/include
%_oldincludedir /usr/include
%_infodir %{_prefix}/info
%_mandir %{_prefix}/man


and change it to:



%_prefix /usr
%_exec_prefix %{_prefix}
%_bindir %{_exec_prefix}/bin
%_sbindir %{_exec_prefix}/sbin
%_libexecdir %{_exec_prefix}/libexec
%_datadir %{_prefix}/share
%_sysconfdir /etc
%_sharedstatedir %{_prefix}/com
%_localstatedir %{_prefix}/var
%_lib lib
%_libdir %{_exec_prefix}/%{_lib}
%_includedir %{_prefix}/include
%_oldincludedir /usr/include
%_infodir %{_prefix}/info
%_mandir %{_prefix}/share/man


That *may* do it, but make a backup of the macros file in case you need the original.

Chris

Martin Blank
09-05-2005, 03:11 PM
It compiled, but then it prevented all new TCP connections from completing. Existing connections continued, but new ones would not SYN-ACK.

Backed it out (from the console) and that fixed it. Still, no SFTP for me yet.

Martin Blank
11-11-2005, 05:00 PM
Any word on whether this is going to be coming along as a supported RPM? I'd like to add this in, especially since at work we've implemented (using completely separate products) FTP over SSL, and it works wonderfully clearly over standard FTP ports.

Justec
11-11-2005, 05:12 PM
Well there are two different things, SFTP and FTP over SSL.

SFTP is available already; you just have to give shell access and use your linux username / password (port 22).

FTP over SSL is what I think you are referring to right? I thought that was already included by default now. :confused:

Martin Blank
11-11-2005, 05:16 PM
No mod_tls in there at all on my installation, and no updates listed available for proftp.

I'm generally uncomfortable providing any level of shell access to users. One does have it, but mostly because I promised him a secure channel for his work on the last server.

Justec
11-11-2005, 05:31 PM
No mod_tls in there at all on my installation, and no updates listed available for proftp.


For some reason I thought Iworx did this already, but I guess not.

I'm generally uncomfortable providing any level of shell access to users. One does have it, but mostly because I promised him a secure channel for his work on the last server.


I agree completely, but I figured out a way that works on RH9 to allow only SFTP access without regular shell access. Just set the user's shell from /sbin/nologin to /usr/libexec/openssh/sftp-server for the user you want to give SFTP access to.

Martin Blank
11-11-2005, 08:50 PM
Ah, got it. Tested and works.

For those who would like to simplify this, add:

/usr/libexec/openssh/sftp-server

to /etc/shells. Refresh the Shell Accounts page, and it will be available to users. Set the shell appropriately on a trusted account and test using SFTP (listed as FTP over SSH or SSH2 on some clients).

This makes me much happier. Thanks.

Maybe a wiki might be useful for handling documentation of little things like this?
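An added audit script, not from the thread, that lists which accounts are SFTP-only (shell set to sftp-server, as in the posts above) versus full interactive shell, and checks that the sftp-server path is registered in the shells file; it assumes the /usr/libexec/openssh/sftp-server path from the thread and uses constructed sample passwd and shells files in place of the real ones.

```shell
#!/bin/sh
# Added example (not from the thread): audit SFTP-only vs. interactive accounts.
# SFTP_SHELL is the sftp-server path used in the thread (assumed to be correct
# for the system being audited).
SFTP_SHELL=/usr/libexec/openssh/sftp-server

# Constructed sample files standing in for /etc/passwd and /etc/shells.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHELLS=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/usr/libexec/openssh/sftp-server
bob:x:1002:1002::/home/bob:/sbin/nologin
carol:x:1003:1003::/home/carol:/bin/bash
EOF
printf '/bin/sh\n/bin/bash\n/sbin/nologin\n%s\n' "$SFTP_SHELL" > "$SAMPLE_SHELLS"

# Print login names whose shell is the sftp-server binary (SFTP-only accounts).
sftp_only_users() { # $1 = passwd file
  awk -F: -v s="$SFTP_SHELL" '$7 == s { print $1 }' "$1"
}

# Print login names with a real interactive shell: anything that is neither
# sftp-server nor a nologin/false placeholder. These are the full-shell accounts.
interactive_users() { # $1 = passwd file
  awk -F: -v s="$SFTP_SHELL" '$7 != s && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Exit 0 if the sftp-server path is listed in the shells file, 1 otherwise.
# The Shell Accounts page (and ProFTPD's RequireValidShell) consult this list.
sftp_shell_registered() { # $1 = shells file
  grep -qx "$SFTP_SHELL" "$1"
}

# Report on the constructed sample data.
printf 'SFTP-only accounts:   %s\n' "$(sftp_only_users "$SAMPLE_PASSWD" | tr '\n' ' ')"
printf 'Interactive accounts: %s\n' "$(interactive_users "$SAMPLE_PASSWD" | tr '\n' ' ')"
if sftp_shell_registered "$SAMPLE_SHELLS"; then
  echo "sftp-server is registered in the shells file"
else
  echo "sftp-server is NOT registered in the shells file"
fi
```

Note that once sftp-server is in /etc/shells, ProFTPD's default RequireValidShell check also accepts those accounts, so an "SFTP-only" user can still log in over plain FTP unless FTP access is denied for them separately. The sftp-server shell also does not chroot the user, so they can browse any part of the filesystem their Unix permissions allow.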

IWorx-Chris
11-12-2005, 03:45 AM
For some reason I thought Iworx did this already, but I guess not.


We did, but it may not be built for all systems. The SRPM has the updates I believe. Martin, if you'd like to open a ticket I can check out the problems you had after building.

Chris

Martin Blank
11-16-2005, 09:30 PM
Not at the moment. I need to get a remote access card in the server before I take that one on again -- the last time it happened, no TCP connections could be completed. I'm sure you can understand why I'm a little skittish. :)

Justec
02-08-2006, 03:27 PM
How would I go about adding in mod_tls on a CentOS 4.2 x64 system?

rpmbuild --rebuild --with cnt4064 --with mod_tls http://updates.interworx.info/iworx/SRPMS/proftpd-1.2.10-101.iworx.src.rpm

Does not build it and errors out.

IWorx-Chris
02-09-2006, 12:22 PM
Justin,

Try: --with rhe4x instead of --with cnt4064

Chris

Justec
02-09-2006, 03:09 PM
Chris,

rhe4x worked! Thanks. :D

Is that something that you set up when you make the RPM? I have only used RPMs, never made one, so it's a bit of a mystery to me.

I assume that when it's a source RPM you can have some kind of if statement in the build part that checks the --with "distro", where distro is just a variable that the SRPM author makes.

Am I in the ball park?

IWorx-Chris
02-19-2006, 02:26 AM
Am I in the ball park?


yep, that's all there is to it :)