macdevcenter.com

Muscle Up Your Mac FTP

Disable Mac OS X Users

Mac OS X users have access to Pure-FTPd with their existing user names and passwords via PAM (Pluggable Authentication Modules), the system used for authentication. You can disable access for all OS X users, not just a subset, through PureFTPd Manager. Here are the steps:



  1. Open the Authentication pane in PureFTPd Manager's preferences.
  2. Select the line whose type is PAM.
  3. Click Remove.
  4. Close the Preferences window.

Create (or Import) an SSL/TLS Certificate

One of PureFTPd Manager's neatest features is the ability to easily create (or import) an SSL/TLS certificate, which is required for a form of encrypted and secured FTP called FTP-SSL/TLS. (Find out what this is by reading the sidebar "Secure FTP (SFTP) Versus FTP-SSL/TLS.") Follow these steps to set up an SSL/TLS certificate:

Figure 6.
  1. Open the SSL/TLS Sessions preference pane (Figure 6).
  2. Click Create a Certificate to open the Create a Certificate dialog (Figure 7).

    Figure 7.
  3. If (and only if) you are importing an existing certificate, one that you created using your own software or a certification authority (CA) such as VeriSign, click Import a Certificate. After selecting the certificate file, you're done and you can skip the rest of these steps.
  4. To create a certificate that isn't validated by anyone else, but is perfectly fine for personal use or use with colleagues, click Go Self-Signed! (See "Checking the Self-Signed Certificate.")
  5. After clicking the Go Self-Signed! button, fill out the dialog that appears, entering values in every field (Figure 8). These values aren't cross-checked by anyone but you--you can enter "nonsense" into every field but the two-letter ones and it will still work. But I recommend that you include useful details. When I create a certificate like this, I change the Certificate Validity (in Days) field from 30 to 3000, because I don't want to create a new one each month. You can also increase the number of bits in the certificate's key; this decreases the chance of the certificate being broken, as unlikely as that now seems.

    Figure 8.
  6. Click Generate My Certificate. On slower machines, it might take a moment before the certificate is finished and you're returned to the preference pane.
  7. From the TLS Sessions menu, leave Disabled selected, if you don't want to allow SSL/TLS sessions; otherwise, choose Mixed Mode to allow clients that support FTP-SSL/TLS to use it, or choose TLS Only in order to restrict access to just those clients with TLS support. That last option might be useful only for very specific projects in which security is paramount.

Checking the Self-Signed Certificate

If you use a self-signed certificate, the FTP client used to access your FTP server must allow self-signed certificates. Be aware that some of these FTP clients may prompt you to confirm that the certificate is valid before allowing a connection for the first time. (Web browsers using SSL/TLS avoid this prompt by relying on a third party whose own certificate is installed in the browser; this third party, a certificate authority, vouches for the server's certificate.)

Although PureFTPd Manager can show you the certificate--after you complete Step 7, click View My Certificate in the SSL/TLS preference pane--it doesn't show a fingerprint, which is a short sequence of hexadecimal numbers that summarizes the certificate's contents (Figure 8). The fingerprint is a cryptographic hash of the certificate, so any change to the certificate produces a different fingerprint. You can extract the fingerprint by following these steps:

  1. In PureFTPd Manager, open the SSL/TLS Sessions preference pane.
  2. Click View My Certificate.
  3. Copy the part that starts with the line that contains BEGIN CERTIFICATE all the way through the line that contains END CERTIFICATE.
  4. Launch Terminal.
  5. Type pico pureftpd.cert to run a simple Terminal text editor and create a file named pureftpd.cert.
  6. Press Command-V to paste in the text.
  7. Press Ctrl-O to write out the file; then press Ctrl-X to exit pico.
  8. Now, type at the Terminal prompt:
    openssl x509 -noout -in pureftpd.cert \
    -fingerprint

The resulting output is the fingerprint. You can distribute it to others in order to confirm that the FTP server that a user has connected to is really yours--not one disguised as yours.
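
The check a recipient of the fingerprint would perform, as an added example (not from the original article): the script compares a certificate file with a fingerprint obtained out of band, ignoring differences in case and colons. It requests SHA-256 explicitly instead of relying on openssl's default digest; the function names, the host name ftp.example.test, and the throwaway certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a certificate against a fingerprint received out of band.

# Strip separators and case so "ab:cd", "AB CD" and "ABCD" compare equal.
normalize_fp() { tr -d ': \n' | tr 'a-f' 'A-F'; }

# Print the bare hex fingerprint of PEM file $1 using digest $2 (default sha256).
cert_fingerprint() {
    out=$(openssl x509 -noout -fingerprint "-${2:-sha256}" -in "$1" 2>/dev/null) || return 2
    printf '%s' "${out#*=}" | normalize_fp
}

# Succeed only if PEM file $1 hashes to the published fingerprint $2.
# An empty or unreadable value on either side is treated as a mismatch.
fingerprint_matches() {
    expected=$(printf '%s' "$2" | normalize_fp)
    actual=$(cert_fingerprint "$1" "${3:-sha256}") || return 2
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Constructed test data: a throwaway self-signed certificate for CN $2.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_cert "$dir/server.pem" ftp.example.test
    make_demo_cert "$dir/other.pem" ftp.example.test   # same name, different key
    published=$(cert_fingerprint "$dir/server.pem")
    for pem in server.pem other.pem; do
        if fingerprint_matches "$dir/$pem" "$published"; then
            echo "$pem: fingerprint matches"
        else
            echo "$pem: MISMATCH, do not trust this server"
        fi
    done
    rm -rf "$dir"
}

demo
```

To check a live server, save the certificate it presents (for example with openssl s_client -connect HOST:21 -starttls ftp, where HOST is a placeholder) and pass that file as the first argument to fingerprint_matches.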

Create Multiple Servers

Pure-FTPd can offer different files for different FTP server names that you set up. For instance, you could run Pure-FTPd on a single computer that acted as the FTP server for both ftp.glennf.com and ftp.oreillynet.com. The only limitation is that, unlike with a web server, each FTP server must have its own unique IP address. (Web server software can feed out a different web site at the same server IP address because the HTTP protocol lets a browser explain which server it wants. This feature is missing from FTP, so you must pair a host name for the FTP server with a unique IP address.)

Pure-FTPd calls these different servers virtual hosts, and you can configure them in PureFTPd Manager. To set up a virtual host, follow these steps:

Figure 9.
  1. Click the Virtual Hosts button on the toolbar to open the Virtual Hosts window (Figure 10).
  2. Click New (located just to the right of the Virtual Hosts button) to create an empty virtual host. An entry for it appears in the Virtual Hosts lists at the left.
  3. Enter the name (for reference only), the IP address, and the root directory of the virtual host. The root directory is the start of the path from which files will be fed on that virtual host. If the IP isn't set up on your computer, PureFTPd Manager will add the IP address to the network interface you select, like en0 for your primary Ethernet interface, or the one built into your computer. PureFTPd lets you add any IP address, not just legitimate ones for your network; see "Giant Warning!"

Giant Warning! In testing PureFTPd Manager, I invented an IP address to create a fake virtual server. I failed to delete this virtual server after testing it. Every time I rebooted my Macintosh thereafter, I could not reach any computers that were located on any address starting with the first number in that fake server's IP address! It took some figuring to understand what I'd done wrong. Deleting the fake virtual server eliminated the problem. This problem might bite you if you have a mobile machine that's using virtual servers.

Now click the Save button (on the toolbar).

Figure 10.

Other Options

Using PureFTPd Manager, you can control Pure-FTPd in a number of interesting ways; here are some that are worth reviewing, since they may be useful for your particular purpose:

  • Limiting usage: You can use the Settings preferences pane to restrict the number of simultaneous sessions, the number of users per IP address, and the timeout for an FTP session to expire.
  • Disable upload: In the Options preferences pane, you can limit how full your hard disk can become and halt uploads when that threshold is reached. If you put your FTP upload directory or directories on your boot disk, this limit can keep your system from becoming unusable--a full boot disk can crash or otherwise disable a system.
  • Use a database to manage virtual users: PureFTPd Manager has hooks in the Authentication preferences pane for configuring Pure-FTPd to talk to database (MySQL and PostgreSQL) and LDAP servers. You could tie FTP access into a web-based system that would create users along with web accounts, for instance, or control account features.

Secure FTP (SFTP) Versus FTP-SSL/TLS

FTP is an insecure protocol, meaning that by default, it sends all data, passwords, and other login information in the clear (that is, without scrambling them to hide their content). There are now two ways to secure FTP through encryption, both of which require servers and clients that support them. These methods aren't incompatible; some servers and clients can handle both. Here's more info about both techniques:

Secure FTP (SFTP): This more widely supported method is also known as "FTP over SSH" or "FTP-SSH." (SSH stands for "Secure Shell.") With SFTP, you open an encrypted tunnel using the Remote Login service in Mac OS X or the ssh service on other Unix systems. The tunnel is opened, and then an FTP connection is passed through the tunnel. To enable SFTP on any Mac, turn on the Remote Login service in the Services pane in System Preferences. Any FTP server should support SFTP, if ssh is enabled on that server computer. Many FTP clients support SFTP, including Interarchy. In Interarchy, choose File -> SFTP to start a secure FTP session.

FTP-SSL/TLS (Secure Sockets Layer/Transport Layer Security): SSL and TLS are the same thing; SSL is an older name for the standard from before its patent expired. With FTP-SSL/TLS, you use a server that has an SSL/TLS certificate installed. This certificate validates the server's identity, and is used to create an encrypted tunnel directly between the client and the FTP server. By contrast, with SFTP, the tunnel is more generically between the SSH software on both machines.

Pure-FTPd supports FTP-SSL/TLS, and PureFTPd Manager allows the simplest creation of a self-signed SSL/TLS certificate of any program I've seen. (Find the steps in "Create an SSL/TLS Certificate for FTP-SSL/TLS.")

FTP-SSL/TLS works only in a few clients on the Mac. I found that RBrowser handles a self-signed certificate correctly with Pure-FTPd (www.rbrowser.com, $29 license includes SSL/TLS). Interarchy's developer has put SSL/TLS support near the top of his future development list, and other FTP developers are considering it as well. If you find SSL/TLS compelling, tell your favorite FTP software company that you hope they'll add it.

To decide between SFTP and FTP-SSL/TLS, you'll need to consider ease-of-use versus security. SFTP is much simpler to set up and more widely supported in FTP software. On the other hand, if you use SSL/TLS, you don't need to run ssh or Remote Login on your server in order to have a secure connection. An SSL/TLS connection has more integrity, in the networking sense, because the encryption runs end to end from program to program; with SSH, data is routed in the clear on the client and server machines from separate programs to the SSH software. SSH is thus slightly less secure (but not by much).

Glenn Fleishman is a freelance technology journalist contributing regularly to The New York Times, The Seattle Times, Macworld magazine, and InfoWorld. He maintains a wireless weblog at wifinetnews.com.

