====== Installing ProFTPd from pware ======

===== Intro =====

pware uses bff style packages which can be installed with installp or smitty install. These packages do not conflict with or overwrite any official AIX packages, as they are installed to /opt/pware/. Because of this, however, there are some prerequisites to set this file structure up.

===== Procedure =====

  - Follow the instructions in [[aix:aix_pware-setup|Using AIX packages from Pware]].
  - Download the proftpd package (pware53-64.proftpd.1.3.3.0a.bff.gz) from b0045nim:/export/dsl/freeware/pware/ and the required packages (FIXME & pware53-64.zlib.1.2.4.0.bff) to /opt/support/pware.
  - gunzip all the downloaded files (gunzip /opt/support/pware/*)
  - Install the packages with smitty install.

pware puts its config files in /opt/pware/etc, so you will need to edit /opt/pware/etc/proftpd.conf:

<code>
ServerName "cstpjq.sap.brm.pri"
ServerType inetd
DefaultServer on
</code>

Change the group to nobody from nogroup:

<code>
User nobody
Group nobody
</code>

Add a logging line and check that the permissions of the log file allow it to be written to:

<code>
SystemLog /var/log/proftpd.log
DisplayLogin /etc/ftpissue
DisplayConnect /etc/ftpissue
RequireValidShell off
</code>

See [[aix:ftpissue-warning|FTP warning]]

Update /etc/inetd.conf to change the ftp entry to the following value:

<code>
ftp stream tcp nowait root /usr/sbin/proftpd proftpd
</code>

You may find that inetd.conf has tcp6 and not tcp. You can either change inetd.conf to read tcp or you can enable IPv6 in proftpd.conf (off to on):

<code>
# Don't use IPv6 support by default.
UseIPv6 on
</code>

Issue the following command to force inetd to re-read its configuration file:

<code>
# refresh -s inetd
</code>

  * Verify that ftp works correctly and that it is now using proFTPd.
  * Verify that the ftp user is now locked into their home directory.
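The settings changed in this procedure can be checked with a small audit script before testing with a client. This is an added example, not part of the original procedure; the function names are made up for the example, and the two file paths are passed as arguments so it can be tried on copies (on the server they would be /opt/pware/etc/proftpd.conf and /etc/inetd.conf).

```shell
#!/bin/sh
# Added example: audit the proftpd.conf / inetd.conf settings from this page.

# Print the value of a directive (last occurrence, name matched regardless of case).
conf_get() {  # usage: conf_get FILE DIRECTIVE
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# Print the protocol field (tcp or tcp6) of the uncommented ftp line in inetd.conf.
inetd_ftp_proto() {  # usage: inetd_ftp_proto FILE
    awk '$1 == "ftp" { print $3; exit }' "$1"
}

# Print one FAIL line per problem; the return code is the number of problems.
audit_proftpd() {  # usage: audit_proftpd PROFTPD_CONF INETD_CONF
    conf=$1 inetd=$2 bad=0
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

    [ "$(conf_get "$conf" ServerType)" = inetd ] || fail "ServerType is not inetd"
    [ "$(conf_get "$conf" User)" = nobody ]      || fail "User is not nobody"
    [ "$(conf_get "$conf" Group)" = nobody ]     || fail "Group is not nobody"

    # inetd hands proftpd an IPv6 socket when the entry says tcp6,
    # so UseIPv6 must be on in that case (see the tcp6 note above).
    proto=$(inetd_ftp_proto "$inetd")
    case "$proto" in
        tcp6) [ "$(conf_get "$conf" UseIPv6)" = on ] ||
                  fail "inetd.conf uses tcp6 but UseIPv6 is not on" ;;
        tcp)  : ;;
        *)    fail "no active ftp entry found in inetd.conf" ;;
    esac

    # Writability is tested for the user running this script; run it as root,
    # the user the inetd.conf entry starts proftpd as.
    log=$(conf_get "$conf" SystemLog)
    if [ -z "$log" ]; then fail "no SystemLog line"
    elif [ -e "$log" ] && [ ! -w "$log" ]; then fail "$log is not writable"
    elif [ ! -e "$log" ] && [ ! -w "$(dirname "$log")" ]; then fail "cannot create $log"
    fi
    return "$bad"
}

# Run the audit when called with both paths.
if [ $# -eq 2 ]; then audit_proftpd "$1" "$2"; fi
```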
===== SSL enabled version =====

FIXME

i) Add the required TLS related statements to /etc/proftpd.conf, for example:

<code>
# Turn on SSL support
</code>

j) Update your PATH to include /opt/freeware/bin to be used when running openssl to create certificates.

k) Create the SSL server key and an unencrypted version:

<code>
# cd /etc/ssl
# openssl genrsa -des3 -out server.key 1024
# openssl rsa -in server.key -out ssl.key.pem
</code>

l) Create the SSL certificate signing request:

<code>
# openssl req -new -key server.key -out server.csr
</code>

m) Download the “server.csr” file to your PC and forward it to the BCC Certificate Authority server for signing. Point your browser at “ns0.brm.pri”. Select the “c.a” tab, then select the link to the secure ca page. Follow the instructions on the page to upload the “server.csr” file.

n) You will receive an e-mail containing the signed certificate:

  * Cut and paste the certificate text from the e-mail to a file on the server (e.g. docpsd.cert).
  * Move or copy the server.cert and server.key files to the /etc/ssl directory (create the directory if required).
  * Update the /etc/proftpd.conf file TLS statements to point to the SSL key and certificate file.

h) Update /etc/inetd.conf to change the ftp entry to the following value:

<code>
ftp stream tcp nowait root /usr/local/sbin/proftpd proftpd
</code>

i) Issue the following command to force inetd to re-read its configuration file:

<code>
# refresh -s inetd
</code>

j) Verify that the normal Windows ftp client works correctly and that it is now using proFTPd.

k) Using an SSL capable ftp client (such as Filezilla or Core FTP Lite), verify that FTPS works correctly.

l) Verify that the ftp user is now locked into their home directory.