FTP Servers

FTP server software consists of an FTP daemon and configuration files. The daemon is a program that continuously checks for FTP requests from remote users. When a request is received, it manages a login, sets up the connection to the requested user account, and executes any FTP commands the remote user sends. For anonymous FTP access, the FTP daemon allows the remote user to log in to the FTP account using anonymous or ftp as the username. The user then has access to the directories and files set up for the FTP account. As a further security measure, however, the daemon changes the root directory for that session to be the FTP home directory. This hides the rest of the system from the remote user. Normally, any user on a system can move around to any directories open to him or her. A user logging in with anonymous FTP can see only the FTP home directory and its subdirectories. The remainder of the system is hidden from that user. This effect is achieved by the chroot operation (discussed later) that literally changes the system root directory for that user to that of the FTP directory. By default, the FTP server also requires a user be using a valid shell. It checks for a list of valid shells in the /etc/shells file. Most daemons have options for turning off this feature.

Available Servers

Several FTP servers are available for use on Red Hat systems (see Table 21-1). Red Hat comes with the Very Secure FTP server, vsftpd. You can download RPM package updates for particular distributions from their FTP sites, such as ftp.redhat.com. The software package contains the term ftpd. The Very Secure FTP Server provides a simple and more secure alternative to WU-FTPD, though it lacks the security options and configurability of ProFTPD.

ProFTPD is a popular FTP daemon based on an Apache Web server design. It features simplified configuration and support for virtual FTP hosts. Although it is not currently included with most distributions, you can download RPM packages from distribution sites, as well as the ProFTPD site. The package begins with the term proftpd. The compressed archive of the most up-to-date version, along with documentation, is available at the ProFTPD Web site at www.proftpd.net. Another FTP daemon, NcFTPd, is a commercial product produced by the same programmers who did the NcFTP FTP client. NcFTPd is free for academic use and features a reduced fee for small networks. Check www.ncftpd.org for more information.

Several security-based FTP servers are also available, including SSLFTP and SSH sftpd, along with gssftpd. SSLFTP uses SSL (Secure Sockets Layer) to encrypt and authenticate transmissions, as well as MD5 digests to check the integrity of transmitted files. SSH sftpd is an FTP server that is now part of the Open SSH package, using SSH encryption and authentication to establish secure FTP connections. The gssftpd server is part of the Kerberos 5 package and provides Kerberos-level security for FTP operations.

Red Hat FTP Server Directories

Red Hat currently installs the vsftpd server package along with anonymous FTP support during installation. At that time, an ftp directory is created along with several subdirectories where you can place files for FTP access. The directories have already been configured to control access by remote users, restricting use to only the ftp directories and any subdirectories. The ftp directory is placed in different directories by different distributions. On Red Hat, the ftp directory is placed in the /var directory, /var/ftp. Place the files you want to allow access to in the /var/ftp/pub directory. For example, on Red Hat this would be at /var/ftp/pub.

You can also create subdirectories and place files there. Once you are connected to a network, a remote user can connect to your system and download files you placed in /var/ftp/pub or any of its subdirectories. The vsftpd FTP package implements a default configuration for those directories and their files. You can change these if you want. If you are installing an FTP server yourself, you need to know the procedures detailed in the following sections to install an FTP server and create its data directories.

The vsftpd FTP package does not create a directory where users can upload files to the FTP site. Such a directory is usually named the incoming directory, located at ftp/pub/incoming. If you want such a directory, you will have to create it, make it part of the ftp group, and then set its permissions to allow users write access.

chgrp ftp /var/ftp/pub/incoming chmod g+w /var/ftp/pub/incoming

FTP Users

Normal users with accounts on an FTP server can gain full FTP access simply by logging into their accounts. Such users can access and transfer files directly from their own accounts or any directories they may have access to. You can also create users, known as guest users, that have restricted access to the FTP publicly accessible directories. This involves setting standard user restrictions, with the FTP public directory as their home directory.