Linux FTPS FTP-OVER-SSL Configuration experiment

This article is for personal practice full-text reference http://www.linuxidc.com/Linux/2012-09/71129.htm

FTPs is encrypted with the SSL protocol, and SSL is set for encryption such as HTTP/SMTP. SFTP is SSH encryption, SSH is for telnet/ftp and other encryption, the establishment of transmission channels and design

SSH to establish the channel is for encryption and transmission, FTPS from the principle is ftp-over-ssl meaning that FTP with SSL protocol encryption transmission, not only to use the FTP server and SSL

To encrypt the protocol. The SFTP protocol is an independent protocol in SSH that allows data to be transferred using an SFTP server.

Build & Test the CA server is on the same machine as the FTP server in this experiment

1. Install-Install directly with Yum, modify the configuration file to

2. Modify the configuration file.

1) Direct CP original configuration file (simple to make a backup)

CP vsftpd.conf Vsftpd.conf.bak

2) Modify the new configuration file, the contents of the configuration file are as follows:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ftpd_banner=welcome Zhongyan FTP Server ^_^!
Download_enable=no #禁止下载
Anonymous_enable=no #禁止匿名用户登录
Local_enable=yes #允许实体用户登录
idle_session_timeout=600
Write_enable=yes
local_umask=022
Xferlog_enable=yes
Xferlog_std_format=yes
Xferlog_file=/var/log/vsftpd.log
Chroot_list_enable=yes #是否启用chroot文件
Chroot_list_file=/etc/vsftpd/chroot_list #指定chroot文件位置
Listen=yes
listen_port=3232
listen_address=0.0.0.0
Pasv_enable=yes #是否开启被动模式
pasv_min_port=22222
pasv_max_port=22228
PAM_SERVICE_NAME=VSFTPD #pam模块的名称
Userlist_enable=yes #启用userlist_enable
Userlist_deny=no #如果值为NO only the user name in the list can use FTP if the value is yes, the user in the table cannot access it.
Userlist_file=/etc/vsftpd/user_list #指定文件位置
#tcp_wrappers =yes

#如下配置文件内容设置ssl传输加密. The next section is detailed.
# # # #ssl #####
Ssl_enable=yes
Ssl_sslv2=yes

Ssl_tlsv1=yes
Ssl_sslv3=yes

Force_local_data_ssl=yes
Force_local_logins_ssl=yes
Rsa_cert_file=/etc/vsftpd/certs/vsftpd.cert
Rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

No comment version configuration file can be pasted directly!! ：

Ftpd_banner=welcome to Zhongyan FTP Server ^_^!
Download_enable=no
Anonymous_enable=no
Local_enable=yes
idle_session_timeout=600
Write_enable=yes
local_umask=022
Xferlog_enable=yes
Xferlog_std_format=yes
Xferlog_file=/var/log/vsftpd.log
Chroot_list_enable=yes
Chroot_list_file=/etc/vsftpd/chroot_list
Listen=yes
Listen_port=21
listen_address=0.0.0.0
Pasv_enable=yes
pasv_min_port=22222
pasv_max_port=22228
Pam_service_name=vsftpd
Userlist_enable=yes
Userlist_deny=no
Userlist_file=/etc/vsftpd/user_list
#tcp_wrappers =yes

# # # #ssl #####
Ssl_enable=yes
Ssl_sslv2=yes

Ssl_tlsv1=yes
Ssl_sslv3=yes

Force_local_data_ssl=yes
Force_local_logins_ssl=yes
Rsa_cert_file=/etc/vsftpd/certs/vsftpd.cert
Rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key

################################################################

3, set the transport mode for SSL encrypted transmission (focus here) to build the CA server.

First check if OpenSSL is installed.

cd/etc/pki/tls/

Vim OPENSSL.CNF

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/73/3B/wKioL1X4Ip-RKaM_AAIg2jkfYc8242.jpg "title=" 1.png " alt= "Wkiol1x4ip-rkam_aaig2jkfyc8242.jpg"/>

cd/etc/pki/ca/#切换到与CA服务器有关的目录

mkdir certs #建立与证书有关的目录

mkdir newcerts #与新证书有关的目录

mkdir CRL #证书吊销列表

Touch Index.txt

Touch serial

echo "Serial" > #给serial一个初始值

OpenSSL genrsa 1024x768 > Private/cakey.pem #使用非对称加密算法rsa, using 1024 as the algorithm, to get a key stored in the PRIVATE/CAKEY.PEM

chmod Private/cakey.pem #私钥不允许别人查看, so change the permissions of the Cakey.pem file to 600, only the owning user can read and write

OpenSSL req-new-key private/cakey.pem-x509-out cacert.pem-days 3650 #使用CA服务器自己的私钥cakey. PEM generates a certificate Cacert.pem

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/73/3B/wKioL1X4IsfBwLLhAABcn0bVjvY246.jpg "title=" 2.png " alt= "Wkiol1x4isfbwllhaabcn0bvjvy246.jpg"/>

The site of this CA server is filled in here, and the other uses default

Mkdir-pv/etc/vsftpd/certs #创建一个目录, stored in vsftp related certificates, certificate requests, keys

cd/etc/vsftpd/certs/

        #非对称加密算法rsa, use 1024 bits to figure out a key vsftp.key

OpenSSL req-new-key vsftpd.key-out vsftpd.csr #利用私钥vsftp. Key generates a certificate request file VSFTP.CSR

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/73/3B/wKioL1X4Iuihpf_UAABXTrs-2hk895.jpg "title=" 3.png " alt= "Wkiol1x4iuihpf_uaabxtrs-2hk895.jpg"/>

The full FQDN of the FTP site is filled in here.

OpenSSL ca-in vsftpd.csr-out vsftpd.cert #利用证书请求文件的到一个证书vsftp. cert

chmod * #将该目录下的文件权限全部改为600, that is, the user can read and write

To modify a configuration file:

Add the configuration in the above configuration file for the SSL section.

4,. Start and set boot up

Chkconfig vsftpd on

/ETC/INIT.D/VSFTPD start

5. Verification

The client-side way to verify

Download: FlashFXP 5

The configuration is as follows:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/73/3B/wKioL1X4Iy_xOhGNAAGprfglRuo444.jpg "title=" 4.png " alt= "Wkiol1x4iy_xohgnaagprfglruo444.jpg"/>

When you click the link button:

will display the issued certificate and click Save or save once to verify the upload download effect. (Specific configurations vary according to requirements)

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/73/3E/wKiom1X4ISeC-bQuAAHfiEiEum4228.jpg "title=" 5.png " alt= "Wkiom1x4isec-bquaahfieieum4228.jpg"/>

This concludes that the installation is complete and you can log in.

This article is from the "Wen Zhao" blog, please be sure to keep this source http://zhaowencheng.blog.51cto.com/7821671/1695119

Linux FTPS FTP-OVER-SSL Configuration experiment