www.ProFTPD.de

Das bisschen Englisch kann ich euch wohl zumuten :-) Bin grad zu faul...

-------------------------------------------------------------------------------------------------------------------------------------
So You Want To Install Secure FTP on Proftpd in no Time, eh ?
(Mini-Howto v0.9) by Antitrack/Legend (antitrack@x-mail.net)

Required: Running Linux installation with openssl installed.
1.) get proftpd 1.2.8
  ./configure --with-modules=mod_tls  
  make
  su root  
  make install
 
2.) make local ssh keys : (as user root)
cp /usr/share/ssl/misc/CA.pl /etc/openldap
cd /etc/openldap
./CA.pl -newca               # create Certificate of Authority
./CA.pl -newreq              # FQDN name of server needed
openssl rsa -in newreq.pem -out ldapkey.pem     # remove password and produce key
mv newcert.pem ldapcert.pem                     # name the key properly

# three keys were now produced, you can use them in several similar
# situations, these keys are called:
# TLS (RSA) CertificateFile /etc/openldap/ldapcert.pem
# TLS (RSA) CertificateKeyFile /etc/openldap/ldapkey.pem
# TLS (RSA) CACertificateFile /etc/openldap/demoCA/cacert.pem

# ----- <OPTIONAL>: a different way to make only two of these keys:

openssl req -new -x509 -days 365 -nodes \
  -out /etc/ftpd/server.cert.pem -keyout /etc/ftpd/server.key.pem

# Note: this key will be valid for a year. You may want to chose more -days.
# ------ </OPTIONAL>

4.) edit /usr/local/etc/proftpd.conf:

  <IfModule mod_tls.c>
      TLSEngine on
      TLSLog /var/log/tls.log
      TLSProtocol SSLv23              # this selects the latest crypt version
         
      TLSOptions NoCertRequest     # this is REALLY important for WinClients
        
      # Are clients required to use FTP over TLS when talking to this server?
      TLSRequired on
           
      # Server's certificate
      TLSRSACertificateFile /etc/openldap/ldapcert.pem
      TLSRSACertificateKeyFile /etc/openldap/ldapkey.pem
      TLSCACertificateFile /etc/openldap/demoCA/cacert.pem
              
      # Authenticate clients that want to use FTP over TLS?
      TLSVerifyClient off
                    
    </IfModule>

5.) A good free secure ftp windows client is smartftp (www.smartftp.com).

6.) You may balk at me that I'm not using the CA-Certificate-File properly,
but I don't care, I just want to get this Secure FTP to run.

Explanation: Leaving out the " TLSOptions NoCertRequest" line results in very strange errors, for example: "mod_tls/2.0.5[25512]: unable to accept SSL connection: error:00000001:lib(0):func(0):reason(1)" in /var/log/tls.log.

This error is popping up for connections of Windows- and Unix clients and tunnels alike, if you do not use the "NoCertRequest" option. (Smartftp/Windows, TLSwrap/Linux).
 
------------ (End of Document)

Danke Dir. Kann das mal jemand testen ? Ich werde das denn in die Doku mit aufnehmen.

cu
stonki

funzt soweit ganz gut wenn man noch eine sache bedenkt

im abschnitt zwei muss nach
./CA.pl -newreq # FQDN name of server needed

noch folgendes gemacht werden
./CA.pl -signreq

sonst bekommt man die cert Datei nicht die man ein paar zeilen darunter mv
mv newcert.pem ldapcert.pem # name the key properly
[/quote]

nu gut, ...... dann nimms doch endlich in die Mini-Howto oder FAQ auf !!!!!

DONE

cu
stonki