The Community Forums


Pure-FTPd TLS-Auth working (so far)

Discussion in 'General Discussion' started by NgtCrwlr, Dec 25, 2003.

  1. NgtCrwlr

    NgtCrwlr Registered

    Nov 26, 2003
    This post is just a quick heads up for those that are looking for a secure FTP solution other than ProFTP. More testing is needed to say that this will work for everyone. If you have a test box and feel froggy this might make your day, it sure made mine.

    WHM 8.5.1 cPanel 8.5.3-S3
    RedHat - 2.4.20-24.9 WHM X v2.1.1

    I managed to upgrade Pure-FTPd to the latest RPM that includes TLS support, I used the i686 RPM from here: 1.0.17 HAS BEEN RELEASED/binaries/redhat/

    I know the following is a bit confusing... I'm trying to pull too much from memory here. If it doesn't make sense I suggest you wait for a formal how-to.

    service pure-ftpd stop

    Edit the new config files installed by the updated RPM:
    e.g. pure-ftpd.conf.rpmnew

    Add the following line to /etc/sysconfig/pure-ftpd


    Un-comment the last line of /etc/pure-ftpd.conf

    TLS 1

    PureFTP's instructions on how to create a self-signed certificate:

    mkdir -p /etc/ssl/private

    openssl req -x509 -nodes -newkey rsa:1024 -keyout \
    /etc/ssl/private/pure-ftpd.pem \
    -out /etc/ssl/private/pure-ftpd.pem

    chmod 600 /etc/ssl/private/*.pem

    service pure-ftpd start

    For all this to work you must use an SSL/TLS capable FTP client. The latest SmartFTP worked excellently.

    This had me smiling big time:

    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-Your FTP server wishes you a merry Xmas!
    220-You are user number 1 of 50 allowed.
    220-Local time is now 03:49. Server port: 21.
    220 You will be disconnected after 15 minutes of inactivity.
    234 AUTH TLS OK.
    Connected. Exchanging encryption keys...
    Session Cipher: 128 bit RC4
    SSL encrypted session established.
    PBSZ 0
    200 PBSZ=0
    USER #######
    331 User ####### OK. Password required
    PASS (hidden)

    This was tested on three JAILSHELLED IP based sites, and it seems to be working great... so far. ;-) I could FTP to all three sites using TLS-Auth using the server IP OR each site's independent IP.

    Keep in mind the end result of all this is AUTH encryption only, not AUTH/DATA. I believe this version of PureFTPd cannot support TLS DATA encryption?

    I have yet to test firewall rules and I'm not sure if cPanel auto update is going to be a thorn.

    Well there you have it, I am praying that this turns out to be a working solution for a glaring pain-in-the-neck security issue.


    -Larry "NgtCrwlr" Mingus
    #1 NgtCrwlr, Dec 25, 2003
    Last edited: Dec 25, 2003
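The exchange in the transcript above, as an added example that is not part of the original post or of Pure-FTPd itself: a small standard-library Python client that walks the same control-channel sequence (220 banner, `AUTH TLS` → 234, TLS handshake, `PBSZ 0` → 200, `USER`/`PASS`) and then adds the one command the transcript lacks, `PROT P`, which is what moves the data channel under TLS as well (RFC 4217). The multi-line reply parser is exercised on the banner lines quoted above; the host name, user name and password are placeholders, and the `insecure_self_signed` switch exists only because the self-signed `pure-ftpd.pem` from the post cannot be verified against a CA.

```python
"""Explicit FTP-over-TLS ("AUTH TLS") client exchange. Added example, not from the thread."""
import io
import socket
import ssl
from typing import List, Tuple

# Server output taken from the transcript in the post above (constructed as bytes here).
SAMPLE_SERVER_OUTPUT = (
    b"220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\r\n"
    b"220-Your FTP server wishes you a merry Xmas!\r\n"
    b"220-You are user number 1 of 50 allowed.\r\n"
    b"220-Local time is now 03:49. Server port: 21.\r\n"
    b"220 You will be disconnected after 15 minutes of inactivity.\r\n"
    b"234 AUTH TLS OK.\r\n"
    b"200 PBSZ=0\r\n"
)


def read_reply(rfile) -> Tuple[int, str]:
    """Read one FTP reply (RFC 959), including the multi-line form.

    A multi-line reply opens with 'NNN-' and ends at the first line that
    starts with 'NNN ' (same code, then a space), exactly like the 220-
    banner above, which is terminated by '220 You will be disconnected...'.
    """
    first = rfile.readline().decode("latin-1")
    if len(first) < 4 or not first[:3].isdigit() or first[3] not in " -":
        raise ValueError("malformed FTP reply: %r" % first)
    code = int(first[:3])
    lines = [first.rstrip("\r\n")]
    if first[3] == "-":
        terminator = first[:3] + " "
        while True:
            line = rfile.readline().decode("latin-1")
            if not line:
                raise ConnectionError("server closed connection mid-reply")
            lines.append(line.rstrip("\r\n"))
            if line.startswith(terminator):
                break
    return code, "\n".join(lines)


def parse_replies(raw: bytes) -> List[Tuple[int, str]]:
    """Split a captured server transcript into (code, text) replies."""
    rfile = io.BytesIO(raw)
    out = []
    while rfile.tell() < len(raw):
        out.append(read_reply(rfile))
    return out


def protection_level(trace: List[Tuple[str, int]]) -> str:
    """'P' if PROT P was accepted (data channel under TLS), else 'C' (clear data).

    The transcript in the post stops at PBSZ 0 and never sends PROT P, so it
    corresponds to 'C': only the control channel is encrypted."""
    return "P" if ("PROT", 200) in trace else "C"


def make_context(cafile=None, insecure_self_signed=False) -> ssl.SSLContext:
    """TLS 1.2+ client context. Verification stays on unless explicitly disabled."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if insecure_self_signed:
        # Only for a test box with the self-signed pure-ftpd.pem from the post:
        # no CA can vouch for it, so verification is skipped. Do not ship this.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def explicit_tls_login(host, user, password, port=21, ctx=None, protect_data=True):
    """AUTH TLS -> TLS handshake -> PBSZ 0 -> (PROT P) -> USER/PASS.

    Returns (tls_socket, reader, trace); trace is a list of (command, reply code)
    so the caller can check what was negotiated without logging the password."""
    ctx = ctx or make_context()
    trace = []
    sock = socket.create_connection((host, port), timeout=30)
    rfile = sock.makefile("rb")
    code, _banner = read_reply(rfile)          # 220 greeting, still plaintext
    trace.append(("<greeting>", code))

    def cmd(s, r, line):
        s.sendall((line + "\r\n").encode("latin-1"))
        c, _ = read_reply(r)
        trace.append((line.split()[0], c))     # verb only, never the argument
        return c

    if cmd(sock, rfile, "AUTH TLS") != 234:
        raise RuntimeError("server refused AUTH TLS")
    tsock = ctx.wrap_socket(sock, server_hostname=host)   # control channel now under TLS
    rfile = tsock.makefile("rb")
    if cmd(tsock, rfile, "PBSZ 0") != 200:                # PBSZ 0 is mandatory before PROT
        raise RuntimeError("PBSZ 0 rejected")
    if protect_data and cmd(tsock, rfile, "PROT P") != 200:
        raise RuntimeError("server would not protect the data channel")
    if cmd(tsock, rfile, "USER " + user) not in (331, 230):
        raise RuntimeError("USER rejected")
    if cmd(tsock, rfile, "PASS " + password) != 230:
        raise RuntimeError("login failed")
    return tsock, rfile, trace
```

Usage: `tsock, rfile, trace = explicit_tls_login("ftp.example.test", "user", "pass")` followed by `protection_level(trace)`; a `"C"` result means exactly the situation the post describes (encrypted authentication, clear data transfers). A server that does not implement `PROT P` will answer the command with a 5xx code and the call raises instead of silently falling back.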
  2. Eric Martello

    Eric Martello Member

    Dec 30, 2003
    Works great. Here's a bonus from me. :)

    You can take this a step further and give full SSL/TLS functionality to ANY FTP client using an SSL/TLS wrapper:

    Grab the SSL/TLS Wrapper here. For windows users, pick up the Cygwin DLLs as well:

    Set up the wrapper

    - These steps assume you will be using Windows.

    - Unzip the archive to a directory, along with the DLLs.

    - Create a shortcut for the .exe file.

    - Edit the shortcut properties and add:

    -l 21

    - This will tell the TLS/SSL wrapper to listen on port 21. That is a lowercase L, btw, not an I.

    - Run the wrapper, and you're all set to connect to your FTP server using SSL/TLS.

    How to set up your client.

    - For the FTP host, where you normally enter, enter localhost.

    - For the username, use the following format:

    - The # sign is optional. Adding it will speed up logon by not encrypting the data channel.

    - Enter your password normally.

    - Connect and enjoy your SSL secured FTP.

    This method is great for people like me who use Dreamweaver and do not want to use a dedicated FTP client which supports SSL natively. This works much better than SSH tunneling.
    #2 Eric Martello, Jan 4, 2004
    Last edited: Jan 4, 2004
  3. mjost

    mjost Member

    Mar 7, 2003
    The problem with this is that virtual ftp users don't work anymore..

    Waiting on darkorb to update their pure-ftpd and why not work on bandwidth monitoring.......
  4. azdanb

    azdanb Member

    Jul 15, 2003
    I got it working with virtual sites :)

    Ok, here is what I did:

    first su -

    wget the newest TLS enabled RPM from

    The one I used was:

    once it's on the server:
    rpm -Uvh the rpm

    That should install the binaries to /usr/local/sbin/

    Make a directory in your home dir... for instance:
    mkdir /home/admin/pure

    Then copy all the pure binaries over:
    cp /usr/local/sbin/pure* /home/admin/pure/

    Go to WHM and have it install pure ftp, you may have to have it install proftp first and then switch back to pureftp

    Once you are done with that:
    whereis pure-ftpd

    It should list off the following:
    pure-ftpd: /usr/sbin/pure-ftpd /etc/pure-ftpd /etc/pure-ftpd.conf /usr/man/man8/pure-ftpd.8.gz

    Now we have our target...
    /sbin/service pure-ftpd stop

    cd /usr/sbin
    mkdir purebak
    cp pure* /usr/sbin/purebak/
    cp /home/admin/pure/pure* /usr/sbin/

    It may ask you to confirm the file overwrites, hit y for all of them

    Now, go to /etc/init.d
    pico -w pure-ftpd

    scroll down a bit and find the following:

    start() {
            echo -n "Starting $prog: "
            daemon $fullpath -O clf:/var/log/xferlog -lextauth:/var/run/ftpd.sock $OPTIONS --daemonize
    Now at the end of the last line, hit the space bar ONCE and add --tls=1

    ctrl-x and save

    If you haven't done so already, follow the instructions in the first post on how to make a certificate.

    /sbin/service pure-ftpd restart

    everything should go ok....

    open up your favorite SSL enabled FTP client and give it a go.
