twbsd.org
 
  Select Language: Home  SmbFTPD Forum 

SmbFTPD

Introduction

Document

Download


SmbFTPD

SmbFTPD Handbook

Priv
Installation
  Next
Virtual User

Chapter 3 smbftpd.conf

Table of Contents

System Section

Option: ServerName

Syntax:

ServerName "Server Name"

Description:

Define the name of server. This will show when user login:

Connected to localhost.com.
220 Server Name FTP server (SmbFTPD Ver 2.0) ready.
Name (localhost:alex):

If ServerName is not set, we will use hostname which is get by gethostname(3).

Default:

None (Use hostname)


Option: ShowProgramVersion

Syntax:

ShowProgramVersion    Yes|No

Description:

Whether show the SmbFTPD program name and version. You can disable this to avoid it is showed when login.

Connected to localhost.com.
220 Server Name FTP server (SmbFTPD Ver 2.0) ready.
Name (localhost:alex):

If ServerName is not set, we will use hostname which is get by gethostname(3).

Default:

ShowProgramVersion    Yes


Option: ListenOnAddress

Syntax:

ListenOnAddress 192.168.0.1

Description:

When -D is specified (standalone), accept connections only on the specified address only. For example, if you have two network address, one is 172.16.1.1, the other is 61.62.63.64. You can set the ListenOnAddress 172.16.1.1 to accept traffic from intranet only.

If you would like to accept traffic from all interface, just remove this option.

Default:

None (Listen on all interfaces)


Option: Port

Syntax:

Port prot_num|service

Deacription:

Set the FTP port for listening connections. When -D (daemon mode) is specified, accept connections at port, specified as a numeric value or service name, instead of at the default ``ftp'' port.

Default:

Port ftp


Option: Umask

Syntax:

Umask umask

Description:

The default file creation mode mask is set to umask, which is expected to be an octal numeric value.

For example, if you would like file's mode to be 644 on creation, just set the umask to 022. Refer to umask(2) for details.

Default:

Umask 022


Option: PidFile

Syntax:

PidFile /some/where/file

Description:

The pid file for ftp daemon. When using daemon mode, the ftp daemon will write it's pid to pid file if set.

Default:

None (don't write pid)


Option: DebugMode

Syntax:

DebugMode Yes|No

Description:

og more information for debug.

Default:

DebugMode No


Option: LogCommand

Syntax:

LogCommand Yes|No

Description:

Each successful and failed ftp(1) session is logged using syslog with a facility of LOG_FTP. If this option is set to "Yes", the retrieve (get), store (put), append, delete, make directory, remove directory and rename operations and their filename arguments are also logged. By default, syslogd(8) logs these to /var/log/xferlog on FreeBSD.

Default:

LogCommand No


Option: DoWtmpLog

Syntax:

DoWtmpLog Yes|No

Description:

Log FTP session to /var/log/wtmp

Default:

DoWtmpLog No


Option: DisableEPSV

Syntax:

DisableEPSV Yes|No

Description:

Disable the EPSV command. This is useful for servers behind older firewalls.

Default:

DisableEPSV No


Option: RestrictedPorts

Syntax:

RestrictedPorts Yes|No

Description:

With this option set to "No", ftpd will revert to historical behavior with regard to security checks on user operations and restrictions on PORT requests. Currently, ftpd will only honor PORT commands directed to unprivileged ports (which is > 1024 in most OS) on the remote user's host (which violates the FTP protocol specification but closes some security holes).

Default:

RestrictedPorts Yes


Option: PassiveModePortRange

Syntax:

PassiveModePortRange    low-high

Description:

Set the port range used in passive mode data connection. If your FTP server is behind NAT, you might want to forward passive mode port range on router.

For example, if you would like to use port range 40000 to 50000:

PassiveModePortRange    40000-50000

The range should be >=1024 and <=65535 (1023 < range < 65536).

Default:

Not set


Login Control

Option: MaxConnection

Syntax:

MaxConnection number

Description:

This option allows the number of simultaneous connections to a service to be limited. If max connections is greater than 0 then connections will be refused if this number of connections to the service are already open. A value of zero mean an unlimited number of connections may be made.

Default:

MaxConnection 0


Option: MaxConnectionPerIP

Syntax:

MaxConnectionPerIP number

Description:

This option set the max connection per ip address. To use this option, you must set the MaxConnection, too.

Set the value less then 2 is not recommended because many FTP clients open more then 1 connection in single session.

Default:

MaxConnectionPerIP 0 (unlimited)


Option: VirtualUserMapping

Syntax:

VirtualUserMapping    username

Description:

If you do not want to use real system user in the FTP, you have to ask SmbFTPD to read user/password from somewhere else (set VirtualUserAuthMethod). After pass authentication, map the user to a real user in the system. The real user will be the owner when file is uploaded. The option VirtualUserMapping is used to specify the real user.

For example, you can MySQL for user/password authentication. After user login, we can map the user to "ftp" user. So the file uploaded by the user will be owned by "ftp".

Please note that you have to set VirtualUserAuthMethod and VirtualUserAuthConfig if you enable VirtualUserMapping.

Default:

Not set


Option: VirtualUserAuthMethod

Syntax:

VirtualUserAuthMethod    mysql|pgsql|text

Description:

You can use MySQL, PostgreSQL, or text file to store virtual user's data (home, group, password).

You would have to set the VirtualUserAuthConfig to specify the path of auth method config.

Default:

Not set


Option: VirtualUserAuthConfig

Syntax:

VirtualUserAuthConfig    /path/to/the/VirtualUserAuthMethod.conf

Description:

The config file for the VirtualUserAuthMethod. For example, if you use MySQL:

VirtualUserAuthConfig    /usr/local/etc/smbftpd/smbftpd_mysql.conf

If you use PostgreSQL:

VirtualUserAuthConfig    /usr/local/etc/smbftpd/smbftpd_pgsql.conf

If you use text file:

VirtualUserAuthConfig    /usr/local/etc/smbftpd/smbftpd_user.conf

If you use text file to store virtual users, you can use the command "smbftpd-user" to create/edit/delete users.

Default:

Not set


Option: RequireValidShell

Syntax:

RequireValidShell Yes|No

Description:

When RequireValidShare=Yes, The user must have a standard shell returned by getusershell(3). In most system, the valid shells will appear in /etc/shells.

Default:

RequireValidShell No


Option: EmptyPasswdLogin

Syntax:

EmptyPasswdLogin Yes|No

Description:

Does the server allow users without password login.

Default:

EmptyPasswdLogin No


Option: NoLoginList

Syntax:

NoLoginList MinUID
NoLoginList /path/to/noo_login_ftp_users
NoLoginList user1,user2,@group1,@group2

Description:

List of unwelcome/restricted users. Users or groups in the list can not login to the system.

The arguments for NoLoginList can be one of the following format:

  • A user/@group string list. When using group, please add an prefix '@'.
  • A absolute path to a file that contains no login user/@group.
  • Minimum UID allowed. Users whose uid < MinUID is not allowed.

If using a string list, separate multi users/groups by ",". For example: user1, user2, @group1, @group2, user3

If using file, each user/group is a new line. For example, you can create a file named /etc/ftpusers which has the following content:

user1
user2
@group1
@group2
 

Default:

NoLoginList 500


Option: TimeOut

Syntax:

TimeOut seconds

Description:

The inactivity timeout period is set to timeout seconds. The default is 15 minutes.

Default:

TimeOut 900


Option: MaxTimeOut

Syntax:

MaxTimeOut seconds

Description:

A client may also request a different timeout period; the maximum period allowed may be set to MaxTimeOut. The default limit is 2 hours.

Default:

MaxTimeOut 7200


FTP Folder Control

Option: DefaultMode

Syntax:

DefaultMode SMB|Normal

Description:

here are two modes. The SMB mode or Normal mode. The smbftpd will use the share access rights in smb.conf under SMB mode. On the contrary, it will be normal FTP daemon under the Normal mode.

Default:

DefaultMode Normal


Option: ExceptionList

Syntax:

ExceptionList user1,user2,@group1,@group2

Description:

You can use the ExceptionList to set users/groups that do not use the default ftp mode that is set by DefaultMode. For example, if you would like to use SMB mode for all users execpt wheel group, you can set the DefaultMode to the SMB and add @wheel to the ExceptionList.

The arguments for ExceptionList can be user or group. When using group, please add an prefix '@'. When multi users/groups, seperate by ",". For example:

ExceptionList user1,user2,@group1,@group2

Default:

None


Option: ShareConfPath

Syntax:

ShareConfPath /some/where/smb.conf

Description:

Set the path of share configuration file "smbftp_share.conf". If DefaultMode is SMB or DefaultMode is Normal with ExceptionList, you must set the path of samba's config file.

I will check the following keywords in share folder setting:

  • path: The path of share.
  • rw: users/groups that have write privilege.
  • ro: users/groups that have read only privilege.
  • browseable: does the share is visible when ls in root directory. If it is set to "no", users will not be able to see the share. But they can still "cd" into the it.
  • disable_download: Set the users/groups that can perform download operation. If user has read only privilege on the share, you can also add the user in "disable_download" list to disable the download privilege for the user.
  • disable_ls: Set users/groups that can see directory contents when perform LIST command.
  • disable_modify: Users/groups in the list will not able to modify files/directories in the share. If users have read/write privilege and is in the "disable_modify" list, they can upload files and create new directories. But can not perform rename, delete, rmdir, chmod.

Example 1:

Here is an example that there is a share named "public" and the path is /home/public, users in samba group have read privilege, root has write privilege:

[public]
	path = /home/public
	rw = root
	ro = @samba

Example 2:

Share name is private only wheel group can write, and is not browseable when LIST, but you can cd to private share even you can see it when ls.

[private]
	path = /root/ftp
	rw = @wheel
	browseable = no

Example 3:

The share name is upload. Users "ftp" and "anonymous" can upload files or create new directories. But they are not able to see the files in the share. They can not download nor modify existed files. Users in "wheel" group have full privileges.

[upload]
	path=/home/upload"
	rw=ftp,@wheel
	disable_ls=ftp
	disable_modify=ftp
	disable_download=ftp

Notice that the anonymous users "ftp" and "anonymous" are mapped to real user "ftp". If you would like to set the privilege for these users, you would have to use user "ftp".

Default:

None


Option: ChrootSet

Syntax:

ChrootSet user path

ChrootSet @group path

ChrootSet @ path

Description:

Users/Groups in the list will be applied to this session by changing its root directory with chroot(2) to that specified on the "path".

The first field specifies a user or group name. If it is prefixed by an ``at'' sign, `@', it specifies a group name; the line will match each user who is a member of this group. As a special case, a single `@' in this field will match any user. A username is specified otherwise.

Notice: The chrooted users will use Normal mode rather then SMB mode even they are set to use SMB mode. See option "DefaultMode".

Here are some examples:

Example 1:

When user "anonymous" login, chroot to /var/spool/ftp

ChrootSet anonymous /var/spool/ftp

Example 2:

Members in "ftpgroup" group would be changed root directory to their home directory. For example, user alex's home directory is /home/alex, then it's root directory would be /home/alex. If user jack's home directory is /home/jack, its root directory would be /home/jack. We use "~" to represent user's home directory. The system will transfer it into real path.

ChrootSet @ftpgroup ~

Example 3:

Members of "webusers" group would be changed root directory to the "public_html" directory under their home directory, thus lowering possible impact on the system from intrinsic insecurity of FTP.

ChrootSet @webusers ~/public_html

Example 4:

All users (a single `@') will be chroot to their home directory.

ChrootSet @ ~

Default:

None


Option: ShowSymlinks

Syntax:

ShowSymlinks Yes|No

Description:

When ShowSymlinks is No, we won't show symbolic links when listing files.

Default:

ShowSymlinks No


Option: ShowDotFiles

Syntax:

ShowDotFiles Yes|No

Description:

Do you want to show dot files (file/dir name start with ., e.g. ".cshrc") when list files.

Default:

ShowDotFiles Yes


Option: SupportUTF8Client

Syntax:

SupportUTF8Client Yes|No

Description:

Support UTF-8 client or not. Traditional FTP does not support UTF-8. It uses codepage for the filenames. In RFC 2640, it starts to support UTF-8 FTP client.

If you enable SupportUTF8Client, we will tell client this FTP server supports UTF-8. The client can choose to use UTF-8 or not by sending the OPTS UTF8 command.

You would have to set the CharsetEncoding. We will use the encoding to convert UTF-8 to codepage or codepage to UTF8.

Default:

SupportUTF8Client No


Option: UsingUTF8FileSystem

Syntax:

UsingUTF8FileSystem Yes|No

Description:

Whether the file system is UTF8 format or not. If the filesystem is using UTF-8 filename, we don't have to convert the filename from UTF-8 into codepage when client is using UTF-8 FTP.

If client is using non-UTF-8 FTP but our filesystem is UTF-8, we have to do some filename conversion. You would have to set the CharsetEncoding. We will use the encoding to convert UTF-8 to codepage or codepage to UTF8.

Please note that your smbftpd_share.conf should be in UTF-8 format if you are using UTF-8 filesystem.

Default:

UsingUTF8FileSystem No


Option: CharsetEncoding

Syntax:

CharsetEncoding    encoding

Description:

The charset encoding will be used to convert strings between codepage and utf8. We will have UTF8 or non-UTF8 client and UTF8 or non-UTF8 filesystem. We have to do some filename conversion.

Here are some suggested values for the encoding:

  • For English, French, German, Italian, Spanish, Portuguese, Danish, Norwegian, Swedish, Dutch, and other western Europe languages: CP1252
  • For Traditional Chinese: CP950
  • CharsetEncoding CP950
  • For Simplified Chinese: CP936
  • For Russian: CP1251
  • For Japanese: CP932
  • For Korean: CP949
  • For Greek: CP1253
  • For Czech: CP1250

Other posible values: http://www.gnu.org/software/libiconv/

MS Windows locale: http://msdn2.microsoft.com/en-us/library/ms903928.aspx

Default:

Not set


Anonymous Control

Option: AnonymousLogin

Syntax:

AnonymousLogin Yes|No

Description:

Does the server allow anonymous users login. The anonymous accounts are "anonymous" and "ftp". To enable anonymous account, you must add an user "ftp".

Default:

AnonymousLogin No


Option: AnonymousOnly

Syntax:

AnonymousOnly Yes|No

Description:

Does the server allow ONLY anonymous users login.

Default:

AnonymousOnly No


Option: AnonymousReadOnly

Syntax:

AnonymousReadOnly Yes|No

Description:

When anonymous user login, all commands which may modify the local file system are disabled.

Default:

AnonymousReadOnly No


File Transfer Control

Option: TransferLog

Syntax:

TransferLog path/to/logfile

Description:

The TransferLog is the file that will record download/upload log. When TransferLog is specified, we will log all download and upload information in the file.

We will log the following information: Current time, remote host, user, command, transfer type(ASCII or Binary), transfer time, bytes, and filename.

Default:

None


Option: MaxDownloadRate

Syntax:

MaxDownloadRate @grou|user rate

Description:

Configure transfer rate for download. The rate is in KB/s. You may set multiple MaxDownloadRate lines to control rates for different users and groups.

The first field specifies a user or group name. If it is prefixed by an ``at'' sign, `@', it specifies a group name; the line will match each user who is a member of this group. As a special case, a single `@' in this field will match any user. A username is specified otherwise. For example:

MaxDownloadRate @group100 100
MaxDownloadRate anonymous 20
MaxDownloadRate @friends 1000

Default:

unlimited


Option: MaxUploadRate

Syntax:

MaxUploadRate @grou|user rate

Description:

Configure transfer rate for users upload. The rate is in KB/s. You may set multiple MaxUploadRate lines to control rates for different users and groups.

The first field specifies a user or group name. If it is prefixed by an ``at'' sign, `@', it specifies a group name; the line will match each user who is a member of this group. As a special case, a single `@' in this field will match any user. A username is specified otherwise. For example:

MaxUploadRate @group100 100
MaxUploadRate anonymous 20
MaxUploadRate @friends 1000

Default:

unlimited


SSL/TLS Control

Option: SecurityPolicy

Syntax:

SecurityPolicy secure|nosecure|both

Description:

This option allow you to enable/disable SSL/TLS. There are three options - secure, nosecure, and both.

  • secure - Don't fall back into the non-secure mode if the TLS/SSL handshake fails.
  • nosecure - Disable the TLS/SSL encryption at all and allow only non-secure clients.
  • both - Allow both SSL/TLS encryption and non-secure clients.

The default is to allow both secure and non-secure connections.

Default:

SecurityPolicy nosecure


Option: EncryptionType

Syntax:

EncryptionType tls|ssl|both

Description:

We support TLS (RFC2228) and SSL encryptions. This option allow you to set the which encryption protocol you would like to use.

  • tls - Use only the RFC2228-compliant FTP-TLS negotiation mode; don't try to negotiate something different.
  • ssl - Use only the FTP-SSL compatibility mode (for early implementations of the FTP-SSL upgrade); don't try to negotiate something different.
  • both - Accept both FTP-TLS and FTP-SSL security extensions.

Default:

EncryptionType both


Option: NormalUserMustSecure

Syntax:

NormalUserMustSecure Yes|No

Description:

When NormalUserMustSecure is set to "Yes", it require the TLS/SSL encryption for non-anonymous users.

The propose of SSL/TLS encryption is to protect user's password and data travel in network. Set this option on to force users using secure connection is a good idea.

Default:

NormalUserMustSecure No


Option: AnonymDisableSecure

Syntax:

AnonymDisableSecure Yes|No

Description:

Set the AnonymDisableSecure to "Yes" if you would like to disable the TLS/SSL encryption for anonymous users. Since the SSL/TLS is used to protect private data, there is no reason to apply data encryption on anonymous users.

Set this to "Yes" to save CPU resource and speed up anonymous connections.

Default:

AnonymDisableSecure No


Option: SSLCertFile

Syntax:

SSLCertFile /path/to/server.crt

Description:

The certificate to use. This certificate will be passed to the client. If it is not specified, it will be default to /usr/local/etc/smbftpd/ssl.crt/server.crt.

You may use the Apache+SSL's certificate which is normally located in /usr/local/apache/conf/ssl.crt/server.crt.

Default:

SSLCertFile /usr/local/etc/smbftpd/ssl.crt/server.crt


Option: SSLKeyFile

Syntax:

SSLKeyFile /path/to/server.key

Description:

The private key that matches the certificate specified by the SSLCertFile option. Both SSLCertFile and SSLKeyFile files are assumed to be in PEM format. Default is /usr/local/etc/smbftpd/ssl.key/server.key

You may use the Apache+SSL's private key if you are using its certificate. The Apache+SSL's private key is usually in: /usr/local/apache/conf/ssl.key/server.key

Default:

SSLKeyFile /usr/local/etc/smbftpd/ssl.key/server.key


Option: SSLCACertFile

Syntax:

SSLCACertFile /path/to/ca-bundle.crt

Description:

Set the CA certificate verification file path. Same with Apache SSLCACertificateFile. Put your intermediate cert here.

Default:

None


Option: SSLCipherSuite

Syntax:

SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

Description:

List the ciphers that the client is permitted to negotiate. See the Apach mod_ssl documentation for a complete list.

Default:

SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5


Priv
Installation

Index
This document can be downloaded from http://www.twbsd.org.

Next
Virtual User

Copyright © 2002-2018 Alex Wang from www.twbsd.org. All rights reserved.