Ricci Graham 04-06-2005 09:00 AM

VSFTPD with secure & non-secure logins
I have VSFTPD set up on my Suse 9.1 professional server and I have SSL enabled. Is there a way to use a "non-secure" ftp client to do ftp when I have this setup?

As an example: I want to use a "secure ftp client" for people outside my network to hit my ftp server and put or get files, but I want to use a "non-secure ftp client" for people inside my network to be able to access those same files.

Is there a way I can do this? Any help or suggestions would be greatly appreciated.


phil.d.g 04-07-2005 02:51 AM

Don't know about restricting non-secure access to the local network and secure access from everywhere else but you can allow both secure and non-secure access using the same daemon - man vsftpd.conf

Ricci Graham 04-07-2005 01:07 PM

I looked at the man page document on vsftpd.conf extensively and tried several things with the "user_list", "Enable user_list" and "Deny user_list" and that either allows or denies the users across the board and does not distinguish between secure and non-secure clients logging in.

How would I set this up to allow secure logins using a secure client and non-secure logins using a non-secure client?



Stick'n'Clutch 04-07-2005 02:15 PM

I can think of one way to do that.

First you have to run 2 copies of the vsftpd daemon. I suggest running the secure one from inetd and the local one as a standalone daemon.

Make a config file for the standalone daemon (i.e. the insecure one) with all the options you want, e.g. run as standalone, no ssl, etc... and give it a non-standard port option.

For restricting access to certain protocols or ports from certain places, look in the /etc/hosts.allow and /etc/hosts.deny files. You will need to look at the man pages as I have not much experience editing these files. You could for example allow all traffic on port 21, 20 from outside users to your secure vsftpd. Conversely you could allow only traffic from your internal ip to your insecure ftp port.

Hope that helps.

phil.d.g 04-07-2005 04:07 PM

Running as one daemon I don't think you can accomplish what you're after, you can however set up your secure certificate paths and secure options and set force_local_data_ssl and force_local_logins_ssl to false. That way it is up to the client whether or not they use a secure login.

Running two daemons might be your only way. You could always research other ftp servers such as proftpd to see if they'll do what you want.
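
Added example, not part of any poster's reply: a Python check for the two-daemon layout suggested above, which also reads the force_local_logins_ssl and force_local_data_ssl options mentioned in this post. The option names are real vsftpd.conf settings; binding the internal instance with listen_address is an added assumption, and the sample certificate path, port and address are constructed.

```python
import ipaddress

# Defaults from man vsftpd.conf for the options this check reads.
DEFAULTS = {"ssl_enable": "NO", "force_local_logins_ssl": "YES",
            "force_local_data_ssl": "YES", "tcp_wrappers": "NO",
            "listen_address": ""}

def parse_conf(text):
    """Parse vsftpd.conf text: option=value lines, '#' starts a comment line."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    return opts

def on(opts, key):
    return opts[key].upper() == "YES"

def is_internal_address(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # empty value or not an IP literal
        return False
    return ip.is_private and not ip.is_unspecified

def audit(external_conf, internal_conf):
    """Return a list of findings; an empty list means the split holds."""
    ext, internal = parse_conf(external_conf), parse_conf(internal_conf)
    findings = []
    if not on(ext, "ssl_enable"):
        findings.append("external: ssl_enable is off")
    else:
        if not on(ext, "force_local_logins_ssl"):
            findings.append("external: passwords may be sent in cleartext")
        if not on(ext, "force_local_data_ssl"):
            findings.append("external: data connections may be unencrypted")
    if not on(internal, "tcp_wrappers"):  # standalone vsftpd skips hosts.allow without it
        findings.append("internal: hosts.allow/hosts.deny are not consulted")
    if not is_internal_address(internal["listen_address"]):
        findings.append("internal: not bound to a private address")
    return findings

# Constructed sample configs (certificate path, port and address are placeholders).
EXTERNAL_OK = ("listen=NO\nssl_enable=YES\nrsa_cert_file=/etc/ssl/example/vsftpd.pem\n"
               "force_local_logins_ssl=YES\nforce_local_data_ssl=YES\n")
INTERNAL_OK = ("listen=YES\nlisten_port=2121\nlisten_address=192.168.1.10\n"
               "ssl_enable=NO\ntcp_wrappers=YES\n")
```

Call `audit()` with the text of the inetd-run (external) config and the standalone (internal) config; each finding names the instance and the gap.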

Ricci Graham 04-07-2005 04:12 PM

Thanks so much for the info, I think I am going to give the "running two daemons" a try and see how it goes.

