Old 03-17-2003, 03:50 AM   #1
gatorparrots
Major Leaguer
 
Join Date: Dec 2002
Posts: 441
Installing pure-ftpd

Apple's decision to switch ftp daemons from ftpd in 10.1 to lukemftpd in 10.2 is of questionable merit. Their lack of updated documentation to reflect that decision is truly lamentable. Most users upgrading from 10.1.x are left hobbled or with malfunctioning ftp servers (especially in regards to ftpchroot functionality), with no changes in the man pages to help them configure their new ftp daemon.

Rather than remaining in that state, I elected to replace the built-in ftp server with pure-ftpd, a robust and feature-rich ftp server that also boasts no root exploits.

The first step is to download and unpack the source. First, change directories to wherever you keep your downloads or source code:
cd /downloads
curl -O ftp://ftp.pureftpd.org/pub/pure-ftpd/releases/pure-ftpd-1.0.14.tar.gz
gnutar xzf pure-ftpd-1.0.14.tar.gz
cd pure-ftpd-1.0.14/
./configure --with-everything --without-banner --without-humor --with-virtualchroot

(This will configure a 'big server' with a plethora of options, including throttling, ratios, ftpwho, quotas, but will leave off the gaudy initial banner and the sprinkling of colorful banter in the error messages, etc.)
sudo make install-strip

At this point you will need to choose which server type you desire, as pure-ftpd can run in either standalone or xinetd mode:

Standalone Mode
You can run the server in standalone mode with this command:
sudo /usr/local/sbin/pure-ftpd &
or if you desire, use command line switches to configure the server at runtime:
sudo /usr/local/sbin/pure-ftpd -A -E -p 40000:50000 -c 5 -C 1 -I 5 -T 25 -u 1 &

The command line switches I have chosen tell the server the following:
-A chroots everyone
-E only allows authenticated users; anonymous users disallowed
-p 40000:50000 specifies the port range for passive connections
-c 5 specifies the number of clients
-C 1 specifies the number of connections per IP address
-I 5 changes the idle timeout; default 15 minutes seems excessive
-T 25 throttles the bandwidth to 25KB/sec per user
Many other switches are available. See the documentation for a complete list.

To get the standalone server to launch automagically at startup, you would have to write a Startup Item:
http://www.macfora.com/forums/showthread.p...=&threadid=6314
But I went with xinetd mode (as lukemftpd came defaulted from Apple):

xinetd Mode
(As always, before editing a system level file, it is wise to create a backup first.)
cd /etc/xinetd.d/
sudo -s
cp ftp ftp.default
pico ftp


Modify the server and server_args lines as follows:
Code:
service ftp
{
        disable = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/local/sbin/pure-ftpd
        server_args     = -A -E -p 40000:50000 -c 5 -C 1 -I 5 -T 25 -u 1
        groups          = yes
        flags           = REUSE
}
Restart xinetd to effect the changes (if you have another xinetd service running):
kill -1 `cat /var/run/xinetd.pid`
exit


Test to confirm that it is working:
ftp 0

If you get something like this:
Code:
[gatorparrots:] gator% ftp 0
Connected to 0.
220-FTP server ready.
220 This is a private system - No anonymous login
Name (0:gator):
Congratulations! Your new FTP server is working as advertised. To enable the chroot to a single directory, simply assign your ftp users' home directories to your ftp root directory via NetInfo (and possibly put them in a dedicated ftp user group for added flexibility). Otherwise, the individual users will be chrooted to their /Users/username home directory.
gatorparrots is offline   Reply With Quote
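
A check for the xinetd stanza in the post above, added here as an example and not part of the original thread: it reads `server_args` and reports when the chroot, no-anonymous, per-IP or passive-range switches the post explains are absent. The function names are hypothetical, and it assumes each switch is written as its own word, as in the post.

```shell
#!/bin/sh
# Added example (not from the thread): audit pure-ftpd switches in an xinetd
# stanza. Only switches explained in the post are interpreted, and each is
# assumed to be a separate word, as the post writes them.

# Print the server_args value from an xinetd service file.
get_server_args() {
    sed -n 's/^[[:space:]]*server_args[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Print one finding per line; return 1 if anything was reported.
audit_args() {
    chroot=no; noanon=no; pasv=""; perip=""; bad=0
    set -f; set -- $1; set +f          # split into words without globbing
    while [ $# -gt 0 ]; do
        case "$1" in
            -A) chroot=yes ;;
            -E) noanon=yes ;;
            -p) pasv=${2:-}; [ $# -gt 1 ] && shift ;;
            -C) perip=${2:-}; [ $# -gt 1 ] && shift ;;
            -c|-I|-T|-u) [ $# -gt 1 ] && shift ;;   # values not checked here
        esac
        shift
    done
    [ "$chroot" = yes ] || { echo "missing -A: users are not all chrooted"; bad=1; }
    [ "$noanon" = yes ] || { echo "missing -E: anonymous logins not disabled"; bad=1; }
    [ -n "$perip" ] || { echo "missing -C: no per-IP connection limit"; bad=1; }
    case "$pasv" in
        "") echo "missing -p: passive ports not pinned to a range"; bad=1 ;;
        *[!0-9:]*|*:*:*|:*|*:) echo "bad -p value: $pasv"; bad=1 ;;
        *:*) low=${pasv%%:*}; high=${pasv##*:}
             if [ "$low" -lt 1024 ] || [ "$low" -gt "$high" ] || [ "$high" -gt 65535 ]; then
                 echo "bad -p range: $pasv"; bad=1
             fi ;;
        *) echo "bad -p value: $pasv"; bad=1 ;;
    esac
    return $bad
}

# Constructed sample: a server_args value that dropped the -A and -E switches.
audit_args "-p 40000:50000 -c 5 -C 1" || true
```
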
Old 03-17-2003, 01:40 PM   #2
Jadey
Triple-A Player
 
Join Date: Jan 2002
Posts: 104
Thanks for posting these instructions here, gatorparrots! I've already made the switch.
Jadey is offline   Reply With Quote
Old 03-17-2003, 02:38 PM   #3
gatorparrots
Major Leaguer
 
Join Date: Dec 2002
Posts: 441
Nice to run into you here as well, Jadey. Long time no hear!

Note that the directions above are updated for v.1.0.14. This version features a new privilege-separation scheme for heightened security. This should be the last 1.0 release for pure-ftpd as they head toward 2.0. This from the developers:
Quote:
We're moving toward Pure-FTPd 2. This is a re-implementation with a new privilege separation scheme, cleaner design, better portability and new improvements for high performance. The first public release of Pure-FTPd 2 will be labeled 1.9.0, and is planned for April.

gatorparrots is offline   Reply With Quote
Old 05-01-2003, 09:46 PM   #4
at_sym
Triple-A Player
 
Join Date: Jan 2002
Posts: 179
First off, thanks for these instructions! My eyes were blearing over just reading the ProFTPd readme.

Anyway, thanks to you, I have Pure-FTPd up and running on a static IP. It's working fine locally (via ftp 0), but any attempt to log into it from other computers just results in hangs.

I just restarted the server and tested from a PB connected via AirPort. Using the Terminal, I can log in with no problem, but if I try to use ls, there's a long pause, then I get this error:

500 I won't open a connection to 10.0.1.41 (only to [the Base Station IP])

Meanwhile, Transmit says it "could not retrieve file listing, Server said: ?" (To which I replied "*#%@!")

I thought it was a NAT problem, but a friend just tried it from a static IP and had the same problem. Maybe it was a firewall thing? Doesn't seem to be -- The server's firewall is open on 20, 21, and the default upper ports.

As far as I can tell, everything is set correctly. I don't mind getting my hands dirty in the Terminal, but I just need a nudge in the right direction. Thanks for any help anyone can give.
at_sym is offline   Reply With Quote
Old 05-02-2003, 12:10 AM   #5
gatorparrots
Major Leaguer
 
Join Date: Dec 2002
Posts: 441
The choice between ProFTPd and pure-ftpd was obvious for me, hence the directions.

Are you running any firewall on the host machine? (ipfw or otherwise)? Are you running a firewall on the test client machine?
gatorparrots is offline   Reply With Quote
Old 05-02-2003, 01:16 AM   #6
at_sym
Triple-A Player
 
Join Date: Jan 2002
Posts: 179
Well dammit all, it was a firewall problem. Or maybe a firewall vs. Virtual PC problem.

I was running a firewall on the server, with Apple's preconfigured "FTP" holes opened. I turned it off, and I was able to ls, but it still choked on copying files. So I checked to make sure my laptop's firewall was off, and System Preferences griped about how I had some "other firewall" running. I progressively quit the apps I had open, and it turns out Virtual PC(!) was the "other firewall." Weird.

Anyway, it now uploads and downloads like a champ. I've got my chrooted ftp server and all's right with the world.

Thanks again for the walkthrough! If you're ever in L.A., I owe you a pint.
at_sym is offline   Reply With Quote
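
The `500` reply quoted in post #4 is the server rejecting an active-mode `PORT` command whose address (the client's private 10.0.1.41) differs from the address the control connection arrives from (the NAT device). A minimal model of that check, added here as an example and not taken from the thread or from pure-ftpd's source; the function names, the constructed peer address 203.0.113.7 and all reply texts other than the `500` line are assumptions:

```shell
#!/bin/sh
# Added example: model of the check behind the "500 I won't open a
# connection to ..." reply. Not pure-ftpd source code; reply texts other
# than the 500 line are illustrative.

# Convert a PORT argument "h1,h2,h3,h4,p1,p2" to "ip port"; return 1 if malformed.
parse_port_arg() {
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    for n in "$@"; do
        # each field must be a decimal number 0..255 without leading zeros
        case "$n" in ""|*[!0-9]*|0?*) return 1 ;; esac
        [ "$n" -le 255 ] || return 1
    done
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# Decide the reply to a PORT command.
# $1 = peer IP of the control connection as the server sees it
# $2 = argument of the client's PORT command
port_reply() {
    target=$(parse_port_arg "$2") || { echo "501 Syntax error in PORT argument"; return 1; }
    ip=${target% *}; port=${target#* }
    if [ "$ip" != "$1" ]; then
        # A server that connected anywhere it was told could be pointed at
        # third-party hosts, so the data target must equal the control peer.
        echo "500 I won't open a connection to $ip (only to $1)"; return 1
    fi
    if [ "$port" -lt 1024 ]; then
        echo "501 Refusing to connect to a port below 1024"; return 1
    fi
    echo "200 PORT command successful"
}

# Constructed sample: client behind NAT announces its private address.
port_reply 203.0.113.7 10,0,1,41,195,80 || true
```

Passive mode does not go through this check because the server listens and the client connects, which is why the `-p 40000:50000` range from the first post has to be reachable through the server's firewall.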
Old 05-26-2003, 07:59 AM   #7
kerim
Major Leaguer
 
Join Date: Jan 2002
Posts: 311
Fink

fink install pure-ftpd
kerim is offline   Reply With Quote
Old 05-26-2003, 07:09 PM   #8
at_sym
Triple-A Player
 
Join Date: Jan 2002
Posts: 179
Re: Fink

Quote:
Originally posted by kerim
fink install pure-ftpd

...if you've added the unstable trees. If not, then you'll need to copy /sw/fink/10.2/unstable/main/finkinfo/net/pure-ftpd-1.0.14-1.info into /sw/fink/dists/local/main/finkinfo.

More info from the Fink FAQ.
at_sym is offline   Reply With Quote
Old 05-26-2003, 07:23 PM   #9
kerim
Major Leaguer
 
Join Date: Jan 2002
Posts: 311
And see here for some more tips on using a FINK ftp install:

http://forums.macosxhints.com/showth...0976#post60976
kerim is offline   Reply With Quote
Old 10-27-2003, 02:33 PM   #10
bustthis
Triple-A Player
 
Join Date: Jun 2003
Location: brooklyn, ny
Posts: 203
pure-ftpd server isn't working in 10.3 anymore. i get:

Connected to bustthis.homeftp.net.
220-FTP server ready.
220 This is a private system - No anonymous login
331 User charlesx OK. Password required
Password:
530 Authentication failed, sorry
ftp: Login failed.

my password is correct, does this not work in 10.3. it worked great in 10.2.8! did i mess things up by installing this in 10.3?

please help!
__________________
charles
bustthis is offline   Reply With Quote
Old 11-09-2003, 04:47 PM   #11
jkp23
Triple-A Player
 
Join Date: Feb 2003
Location: back in t'ol' smoke :(
Posts: 225
Authentication in Panther is broken

FYI:

I just had a go at compiling and installing Pure-ftp on panther. All went fine except the fact that authentication does seem to be broken at the moment: check this thread from the developer...

What a pity ...

/me waits patiently for an upgrade.
__________________
JKP.
jkp23 is offline   Reply With Quote
Old 11-09-2003, 06:52 PM   #12
bustthis
Triple-A Player
 
Join Date: Jun 2003
Location: brooklyn, ny
Posts: 203
ftp-config makes it work

i decided to try ftp-config 1.5.2 from http://www.gritsch-soft.com/.

it works and works better than i ever had it in 10.2.8.

if you don't mind the ugly gui and the small fee, this might save you some time and headaches!

now if i could get imap working :}
__________________
charles
bustthis is offline   Reply With Quote
Old 11-09-2003, 09:35 PM   #13
jkp23
Triple-A Player
 
Join Date: Feb 2003
Location: back in t'ol' smoke :(
Posts: 225
Or the other way....

The other thing you can do is enable the unix authentication method on the server:

so add this switch on startup:

Code:
-l puredb:/etc/pureftp.pdb -l unix
and then to add a new user to the server:

Code:
pure-pw useradd (man pure-pw)
user entries will be put in /etc/pureftpd.passwd instead of /etc/passwd/.

It's pretty simple really, but I guess it does mean you have to manually add the users to the ftp server.
__________________
JKP.
jkp23 is offline   Reply With Quote