9/29/2015

FTP Server

File Transfer Protocol (FTP) is a TCP protocol for downloading files between computers. In the past, it has also been used for uploading but, as that method does not use encryption, user credentials as well as data are transferred in the clear and are easily intercepted. So if you are here looking for a way to upload and download files securely, see the section on OpenSSH in Remote Administration instead.
FTP works on a client/server model. The server component is called an FTP daemon. It continuously listens for FTP requests from remote clients. When a request is received, it manages the login and sets up the connection. For the duration of the session it executes any of the commands sent by the FTP client.
Access to an FTP server can be managed in two ways:
1. Anonymous
2. Authenticated
In the Anonymous mode, remote clients can access the FTP server by using the default user account called "anonymous" or "ftp" and sending an email address as the password. In the Authenticated mode a user must have an account and a password. This latter choice is very insecure and should not be used except in special circumstances. If you are looking to transfer files securely see SFTP in the section on OpenSSH Server. User access to the FTP server directories and files is dependent on the permissions defined for the account used at login. As a general rule, the FTP daemon will hide the root directory of the FTP server and change it to the FTP Home directory. This hides the rest of the file system from remote sessions.
vsftpd - FTP Server Installation
Anonymous FTP Configuration
User Authenticated FTP Configuration
Securing FTP
References

vsftpd - FTP Server Installation
vsftpd is an FTP daemon available in Ubuntu. It is easy to install, set up, and maintain. To install vsftpd you can run the following command:
sudo apt-get install vsftpd

Anonymous FTP Configuration
By default vsftpd is not configured to allow anonymous download. If you wish to enable anonymous download edit /etc/vsftpd.conf by changing:
anonymous_enable=Yes
During installation a ftp user is created with a home directory of /srv/ftp. This is the default FTP directory.
If you wish to change this location, to /srv/files/ftp for example, simply create a directory in another location and change the ftp user's home directory:
sudo mkdir /srv/files/ftp
sudo usermod -d /srv/files/ftp ftp
After making the change restart vsftpd:
sudo restart vsftpd
Finally, copy any files and directories you would like to make available through anonymous FTP to /srv/files/ftp, or /srv/ftp if you wish to use the default.

https://help.ubuntu.com/lts/serverguide/ftpserver.html


User Authenticated FTP Configuration


By default vsftpd is configured to authenticate system users and allow them to download files. If you want users to be able to upload files, edit /etc/vsftpd.conf:
write_enable=YES
Now restart vsftpd:
sudo restart vsftpd
Now when system users log in to FTP they will start in their home directories where they can download, upload, create directories, etc.
Similarly, by default, anonymous users are not allowed to upload files to the FTP server. To change this setting, you should uncomment the following line, and restart vsftpd:
anon_upload_enable=YES
Enabling anonymous FTP upload can be an extreme security risk. It is best to not enable anonymous upload on servers accessed directly from the Internet.
The configuration file consists of many configuration parameters. The information about each parameter is available in the configuration file. Alternatively, you can refer to the man page, man 5 vsftpd.conf, for details of each parameter.

Securing FTP
There are options in /etc/vsftpd.conf to help make vsftpd more secure. For example users can be limited to their home directories by uncommenting:
chroot_local_user=YES
You can also limit a specific list of users to just their home directories:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
After uncommenting the above options, create a /etc/vsftpd.chroot_list containing a list of users one per line. Then restart vsftpd:
sudo restart vsftpd
Also, the /etc/ftpusers file is a list of users that are disallowed FTP access. The default list includes root, daemon, nobody, etc. To disable FTP access for additional users simply add them to the list.
FTP can also be encrypted using FTPS. Different from SFTP, FTPS is FTP over Secure Socket Layer (SSL). SFTP is an FTP-like session over an encrypted SSH connection. A major difference is that users of SFTP need to have a shell account on the system, instead of a nologin shell. Providing all users with a shell may not be ideal for some environments, such as a shared web host. However, it is possible to restrict such accounts to only SFTP and disable shell interaction. See the section on OpenSSH Server for more.
To configure FTPS, edit /etc/vsftpd.conf and at the bottom add:
ssl_enable=Yes
Also, notice the certificate and key related options:
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
By default these options are set to the certificate and key provided by the ssl-cert package. In a production environment these should be replaced with a certificate and key generated for the specific host. For more information on certificates see Certificates.
Now restart vsftpd, and non-anonymous users will be forced to use FTPS:
sudo restart vsftpd
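An added example, not part of the Ubuntu guide: a shell function that reads a vsftpd.conf and reports the risky combinations covered above (anonymous upload, no FTPS, the snakeoil certificate left in place, local users not confined to their home directories). The function names, finding codes and sample configuration are constructed for illustration; the fallback values are the built-in defaults from vsftpd.conf(5).

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide): flag risky vsftpd.conf settings.

# conf_get FILE KEY DEFAULT: print KEY's value, or DEFAULT when KEY is absent
# or commented out. Taking the last assignment is this example's choice.
conf_get() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        { i = index($0, "=")
          if (i > 0 && substr($0, 1, i - 1) == key) { val = substr($0, i + 1); seen = 1 } }
        END { print (seen ? val : def) }' "$1"
}

# is_yes FILE KEY DEFAULT: true when the effective value is YES (any case).
is_yes() {
    [ "$(conf_get "$1" "$2" "$3" | tr '[:lower:]' '[:upper:]')" = "YES" ]
}

# audit_vsftpd FILE: print one finding code per line (nothing if clean).
# Defaults passed below are the built-in ones documented in vsftpd.conf(5).
audit_vsftpd() {
    f=$1
    # Anonymous upload only takes effect with all three switches on.
    if is_yes "$f" anonymous_enable YES && is_yes "$f" anon_upload_enable NO \
        && is_yes "$f" write_enable NO; then
        echo "ANON_UPLOAD"
    fi
    if is_yes "$f" ssl_enable NO; then
        # The ssl-cert package's key pair is a placeholder, not a host cert.
        case "$(conf_get "$f" rsa_cert_file "")" in
            *snakeoil*) echo "SNAKEOIL_CERT" ;;
        esac
    else
        echo "CLEARTEXT_LOGIN"
    fi
    if ! is_yes "$f" chroot_local_user NO && ! is_yes "$f" chroot_list_enable NO; then
        echo "NO_CHROOT"
    fi
}

# Constructed sample configuration, not a real server's file.
sample_conf() {
    printf '%s\n' 'anonymous_enable=Yes' 'write_enable=YES' \
        'anon_upload_enable=YES' '#chroot_local_user=YES' 'ssl_enable=Yes' \
        'rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem'
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_vsftpd "$tmp"; rm -f "$tmp"
```

On a server, run `audit_vsftpd /etc/vsftpd.conf`; an empty result means none of these four conditions was found.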
To allow users with a shell of /usr/sbin/nologin access to FTP, but have no shell access, edit /etc/shells adding the nologin shell:
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen
/usr/sbin/nologin


This is necessary because, by default vsftpd uses PAM for authentication, and the /etc/pam.d/vsftpd configuration file contains:
auth required pam_shells.so
The shells PAM module restricts access to shells listed in the /etc/shells file.
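Adding /usr/sbin/nologin to /etc/shells lets every account with that shell pass the pam_shells check, so it is worth listing who can then authenticate. The following added example (not from the Ubuntu guide) prints the accounts whose shell is in the shells file and who are not in the /etc/ftpusers deny list; the function name and sample files are constructed, and the three paths are parameters.

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide): which accounts pass both the
# pam_shells check and the /etc/ftpusers deny list?

# ftp_eligible PASSWD SHELLS FTPUSERS: print one eligible account per line.
# File paths are parameters so the check can run on copies or test data.
ftp_eligible() {
    awk -F: '
        /^[ \t]*(#|$)/     { next }                  # skip comments, blanks
        src == "shells"    { ok[$0] = 1; next }      # shells pam_shells accepts
        src == "deny"      { denied[$1] = 1; next }  # users barred from FTP
        ($7 in ok) && !($1 in denied) { print $1 }   # passwd: field 7 is shell
    ' src=shells "$2" src=deny "$3" src=passwd "$1"
}

# Constructed sample data (not from a real host).
make_sample() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'webup:x:1001:1001::/srv/www:/usr/sbin/nologin' \
        'svc:x:1002:1002::/nonexistent:/bin/false' > "$1/passwd"
    printf '%s\n' '# /etc/shells: valid login shells' /bin/sh /bin/bash > "$1/shells"
    printf '%s\n' root daemon nobody > "$1/ftpusers"
}

d=$(mktemp -d) && make_sample "$d"
echo "before:"; ftp_eligible "$d/passwd" "$d/shells" "$d/ftpusers"
echo /usr/sbin/nologin >> "$d/shells"
echo "after adding nologin:"; ftp_eligible "$d/passwd" "$d/shells" "$d/ftpusers"
rm -rf "$d"
```

Accounts that appear only in the second list and should not have FTP access belong in /etc/ftpusers.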
Most popular FTP clients can be configured to connect using FTPS. The lftp command line FTP client has the ability to use FTPS as well.

References
1. See the vsftpd website for more information.
2. For detailed /etc/vsftpd.conf options see the vsftpd.conf man page.


The material in this document is available under a free license, see Legal for details.
For information on contributing see the Ubuntu Documentation Team wiki page. To report errors in this serverguide documentation, file a bug report.
