Installing ProFTPd from pware

Intro

pware uses bff-style packages, which can be installed with installp or smitty install. These packages do not conflict with or overwrite any official AIX packages, as they are installed to /opt/pware/. Because of this, however, there are some prerequisites for setting up this file structure.

Procedure

  1. Follow the instructions in Using AIX packages from Pware.
  2. Download the proftpd package (pware53-64.proftpd.1.3.3.0a.bff.gz) from b0045nim:/export/dsl/freeware/pware/ and the required packages (FIXME & pware53-64.zlib.1.2.4.0.bff) to /opt/support/pware.
  3. gunzip all the downloaded files (gunzip /opt/support/pware/*)
  4. Install the packages with smitty install.

pware puts its config files in /opt/pware/etc. You will need to edit /opt/pware/etc/proftpd.conf:

ServerName                      "cstpjq.sap.brm.pri"
ServerType                      inetd
DefaultServer                   on

Change the group from nogroup to nobody:

User                            nobody
Group                           nobody

Add a logging line and check that the permissions of the log file allow it to be written to:-

SystemLog                       /var/log/proftpd.log

DisplayLogin		/etc/ftpissue
DisplayConnect	/etc/ftpissue
RequireValidShell 	off

See FTP warning

Update /etc/inetd.conf to change the ftp entry to the following value:

ftp     stream  tcp     nowait  root    /usr/sbin/proftpd      proftpd

You may find that inetd.conf has tcp6 and not tcp. You can either change inetd.conf to read tcp or enable IPv6 in proftpd.conf (off to on):-

# Don't use IPv6 support by default.
UseIPv6                         on

Issue the following command to force inetd to re-read its configuration file:

# refresh -s inetd

  • Verify that ftp works correctly and that it is now using proFTPd.
  • Verify that the ftp user is now locked into their home directory.

SSL enabled version

FIXME

i) Add the required TLS-related statements to /etc/proftpd.conf, for example:

# Turn on SSL support
<IfModule mod_tls.c>
TlsEngine                           on
TlsLog                                /var/log/tls.log
# SSLv23 is compatibility mode: it accepts both SSLv3 and TLSv1
TlsProtocol                         SSLv23
# Are clients required to use FTP over TLS when talking to this server?
TlsRequired                        off
#
# Server certificates
TLSRSACertificateFile       /etc/ssl/docpsd.cert
TLSRSACertificateKeyFile /etc/ssl/docpsd.key
#
# CA the server trusts
#TLSCACertificateFile       /etc/ssl/certs/ca.crt
#
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient                 on
TLSOptions                       NoCertRequest
</IfModule>

j) Update your PATH to include /opt/freeware/bin so that openssl can be found when creating certificates.

k) Create the SSL server key and an unencrypted version:

# cd /etc/ssl
# openssl genrsa -des3 -out server.key 1024
# openssl rsa -in server.key -out ssl.key.pem

l) Create the SSL certificate signing request:

# openssl req -new -key server.key -out server.csr

m) Download the “server.csr” file to your PC and forward it to the BCC Certificate Authority server for signing.

Point your browser at “ns0.brm.pri”.
Select the “c.a” tab, then select the link to the secure ca page.
Follow the instructions on the page to upload the “server.csr” file.

n) You will receive an e-mail containing the signed certificate:

  • Cut and paste the certificate text from the e-mail to a file on the server (e.g. docpsd.cert).
  • Move or copy the server.cert and server.key files to the /etc/ssl directory (create the directory if required).
  • Update the TLS statements in /etc/proftpd.conf to point to the SSL key and certificate files.

h) Update /etc/inetd.conf to change the ftp entry to the following value:

ftp     stream  tcp     nowait  root    /usr/local/sbin/proftpd proftpd

i) Issue the following command to force inetd to re-read its configuration file:

# refresh -s inetd

j) Verify that the normal Windows ftp client works correctly and that it is now using proFTPd.

k) Using an SSL-capable ftp client (such as FileZilla or Core FTP Lite), verify that FTPS works correctly.

l) Verify that the ftp user is now locked into their home directory.
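
The verification steps above can be backed by a check of the configuration file itself. The script below is an added example, not part of the original page or of ProFTPd: it reads a proftpd.conf and reports the settings from this page that weaken the service. The function names (directive, audit_proftpd_conf) and the sample file are made up for illustration, and DefaultRoot is assumed to be the directive that provides the home-directory lock-in, since the page does not show it.

```shell
#!/bin/sh
# Added example, not from the original page: audit a proftpd.conf for the
# settings this page changes. One line is printed per finding.

# Print the last uncommented value of a directive, lower-cased. Names are
# matched without regard to case because the page writes "TlsEngine" as well
# as "TLSOptions".
directive() {   # $1 = config file, $2 = directive name
    awk -v d="$2" '
        tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print tolower(v) }' "$1"
}

audit_proftpd_conf() {   # $1 = config file
    conf=$1
    [ "$(directive "$conf" TLSEngine)" = on ] ||
        echo "TLSEngine is not on: logins and data cross the network in clear text"
    case "$(directive "$conf" TLSRequired)" in
        ""|off) echo "TLSRequired is off: clients can still log in over plain FTP" ;;
    esac
    case "$(directive "$conf" TLSProtocol)" in
        *sslv*) echo "TLSProtocol still permits SSLv3" ;;
    esac
    [ "$(directive "$conf" RequireValidShell)" != off ] ||
        echo "RequireValidShell is off: accounts without a valid login shell can use FTP"
    [ -n "$(directive "$conf" DefaultRoot)" ] ||
        echo "DefaultRoot is not set: users are not confined to their home directory"
    return 0
}

# Constructed sample: the directives shown on this page, gathered in one file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
RequireValidShell   off
<IfModule mod_tls.c>
TlsEngine           on
TlsProtocol         SSLv23
TlsRequired         off
</IfModule>
EOF
audit_proftpd_conf "$sample"
rm -f "$sample"
```

The check does not inspect the key itself: the 1024-bit RSA key generated in step k) is shorter than the 2048-bit minimum in current guidance.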

 
aix/aix_proftpd-pware.txt · Last modified: 06/04/2022 10:53 by andrew