ProFTPd: Enabling/Disabling TLS Based On User Or Group

Version 1.0
Author: Falko Timme

FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. While this is a good thing, not all FTP clients support TLS. This article explains how to enable or disable TLS in ProFTPd based on the FTP user or group.

I do not issue any guarantee that this will work for you!


1 Preliminary Note

I assume that you have TLS set up already, for example as described in this tutorial: Setting Up ProFTPd + TLS On Debian Squeeze

Of course, you can use TLSRequired off in your ProFTPd configuration as this allows for TLS and non-TLS logins, but if you want to make your FTP setup as secure as possible, you should enforce the use of TLS and make exceptions only for the users or groups that use an FTP client that doesn't support TLS (if using another FTP client is not an option for those users).


2 TLS Configuration Based On User/Group

Let's assume you have the following TLS configuration in your ProFTPd configuration that enforces TLS for everybody:

[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>
[...]

We can now use IfUser and IfGroup sections to make exceptions, but these take effect only if we add the line TLSOptions AllowPerUser to our TLS configuration, like so:

[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSOptions                 AllowPerUser
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>
[...]

(Make sure you add the line right after the TLSEngine on line, as order seems to matter: in my first tries I added it before the TLSRequired line, where it didn't seem to have any effect.)

If we want to allow the FTP user testuser to use plain FTP instead of FTP over TLS, we can configure this as follows:

[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSOptions                 AllowPerUser
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>

<IfUser testuser>
          TLSRequired off
</IfUser>
[...]

For the group testgroup, the configuration would look as follows:

[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSOptions                 AllowPerUser
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>

<IfGroup testgroup>
          TLSRequired off
</IfGroup>
[...]

It's also possible to negate users/groups, e.g. as follows:

[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSOptions                 AllowPerUser
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>

<IfUser testuser>
          TLSRequired off
</IfUser>

<IfUser !testuser>
          TLSRequired on
</IfUser>
[...]

This enforces TLS for all users other than testuser (this is just for demonstration purposes, as in this example TLS is already enforced globally in the <IfModule mod_tls.c> section). Likewise for groups:

[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSOptions                 AllowPerUser
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>

<IfGroup testgroup>
          TLSRequired off
</IfGroup>

<IfGroup !testgroup>
          TLSRequired on
</IfGroup>
[...]
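Because a forgotten TLSOptions AllowPerUser line silently disables every IfUser/IfGroup exception, it is worth checking the resulting configuration rather than trusting it. The following is an added example, not part of the original article or of ProFTPd itself: a small Python audit that parses a proftpd.conf in the layout shown above (the sample config is constructed) and reports which users or groups are allowed plain FTP and whether AllowPerUser is actually set.

```python
"""Audit a ProFTPD config for per-user/per-group TLS exceptions (added example)."""
import re

# Constructed sample in the article's layout; not a real server's proftpd.conf.
SAMPLE_CONF = """\
<IfModule mod_tls.c>
    TLSEngine      on
    TLSOptions     AllowPerUser
    TLSLog         /var/log/proftpd/tls.log
    TLSRequired    on
</IfModule>

<IfUser testuser>
    TLSRequired off
</IfUser>

<IfGroup !testgroup>
    TLSRequired on
</IfGroup>
"""

SECTION_RE = re.compile(r"^<(/?)(\w+)(?:\s+([^>]*?))?\s*>$")  # <Name arg> / </Name>


def audit_tls(conf_text):
    """Return the global TLSRequired value, whether TLSOptions AllowPerUser is set,
    and each IfUser/IfGroup TLSRequired override as (section, argument, value)."""
    result = {"global_required": None, "allow_per_user": False, "overrides": []}
    stack = []  # open sections, innermost last
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            closing, name, arg = m.group(1), m.group(2).lower(), (m.group(3) or "").strip()
            if closing:
                if stack:
                    stack.pop()
            else:
                stack.append((name, arg))
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip().lower() if len(parts) > 1 else ""
        # innermost per-user/per-group context, if any (sections may be nested)
        ctx = next((s for s in reversed(stack) if s[0] in ("ifuser", "ifgroup")), None)
        if key == "tlsoptions" and "allowperuser" in val.split():
            result["allow_per_user"] = True
        elif key == "tlsrequired":
            if ctx:
                result["overrides"].append((ctx[0], ctx[1], val))
            else:
                result["global_required"] = val
    return result


def findings(conf_text):
    """Which users/groups may log in without TLS, and whether those exceptions are inert."""
    a = audit_tls(conf_text)
    plain = [(s, arg) for s, arg, v in a["overrides"] if v == "off"]
    out = []
    if plain and not a["allow_per_user"]:
        out.append("TLSRequired off overrides found but TLSOptions AllowPerUser is "
                   "missing: the exceptions have no effect")
    out += ["plain FTP allowed for %s %s" % p for p in plain]
    return out
```

Run it against your own file with findings(open("/etc/proftpd/proftpd.conf").read()); an empty list means nobody is exempt from TLS.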

That's all there is about this. You can find more details about IfUser/IfGroup in the ProFTPd documentation: http://www.proftpd.org/docs/contrib/mod_ifsession.html

As always, don't forget to restart ProFTPd after you've modified its configuration!
