
Need help setting up Apache Mina FTP server


DaveHCYJ

Senior Member
Joined
Jun 18, 2003
Location
San Diego
As the title says, I need some guidance on setting up an FTP server. I have gotten it to where it functions, but I need help getting it to a recommended configuration. Using the example config file with user/pass=admin/admin is probably not recommended :)

I will start with what I have been able to do on my own so far. I have changed the default listener and data ports and opened the new ports in my firewall. I have disabled the anonymous account, and changed admin/admin to some new user/password. Is using MD5 for storing user passwords in users.properties the recommended configuration? What is salted, is it better, do I need it? I've set up all my env variables etc. and whatever else I needed to do to get the ftp service to run.


So it is up and running and works, but I know more needs to be done. I would greatly appreciate any suggestions for things I need to change. The two major problems I already know of but am not sure how to fix are:
1. ssl/tls is turned off
2. in users.properties the only thing I've done is change the admin username and password -- I need to be able to add more users and probably set different permissions for each

I began looking into #1 and .jks files but it just made my head hurt.
These are the lines I need to change in the config file:
Code:
<ssl>
    <keystore file="keystore.jks" password="password"/>
    <truststore file="mytruststore.jks" password="secret"/>
</ssl>
 
Why did you choose Mina over pure-ftpd, pro-ftpd, etc.? IMNSHO, any software that uses XML for configuration files should be avoided. XML is a heavyweight markup language, not a key-value-pair configuration file...
 
I don't know, I didn't really put much thought into it. I'm running it on Win7 for one thing so I didn't want something I had to compile etc. That and I don't really know what I'm doing so I really just picked the first thing that came up in google.
 
Trying something new kind of feels like opening a new different can of worms. I guess one benefit I failed to mention about mina is that it can run as a windows service.

The documentation on pureftp does seem better than mina, but where I'm getting lost isn't necessarily with the ftp software. It has to do with the keys, trusts, and certificates and what is the difference between them.

I think I found some good instructions to try to create the key and certificate when I get home from work.

EDIT: I also don't see the harm/don't mind using an xml config file.
 
Anything that runs in Cygwin can be run as a Windows service. I've never used any jks file, so can't help there. Why every programming group insists on creating their own special format for SSL keys/certs, I have no idea.

There's no immediate "harm" done by using XML for configuration, other than complicating things for the person writing the configuration. XML was never designed to be easy/efficient with simple key-value pairs, which the vast majority of configuration files are. Plain text like blah1=0\nblah2=1\nblah3=c:\programs\blah\blah.dat, or if you're using a scripting language like PHP, a file already in PHP that can just be included (like phpMyAdmin config) is vastly more efficient for the user (in writing it, no need to make sure you've got clean compliant XML) and the programmer (no need to load a heavy XML parser, just parse plain text by = and \n, or if it is like PHP, just include the thing).

If you're just looking for "simple", what about FileZilla? GUI config, runs as a service, etc.
 
I actually looked at filezilla first, but quickly ignored it due to the version number being less than 1. It does sound like filezilla has a GUI for key creation and all; maybe I should just take the easy way out...
 

Version numbers below 1 don't mean it isn't production-ready. OpenSSL has been 0.x for a long time, and just recently released betas for 1.0.0.
 
Heck, vlc only just within the last few months went to v1.0. Wine was version 0.9.x for years. Grub still is only version 0.9!

I'd take a second look at filezilla.
 
So I ended up being stubborn and moving forward with mina rather than take the easy way out with filezilla -- how else will I learn new things? :) I am posting what I learned here for archival purposes in the event it helps someone else out in the future doing a search and running across this thread.

SSL/TLS Terminology:
A key is something that is used to en/decrypt data. Check out wikipedia or somewhere for the basics of public key encryption.
A certificate is something that contains information about you/your server such as your domain name, country, etc. It also contains your public key. When you use ssl your certificate is sent to users by your server so that 1. they know you are who you say you are and 2. they have your public key so they can encrypt data to send to you.
A keystore is something that contains one or more certificates. It is basically just a way of organizing certificates.
So, keystores contain certificates which contain keys.
A Trust or trust store is a list of certificates other people have given you (which contain their public keys) so that they can prove they are who they say they are when they contact you. This is all actually explained pretty well in Sun's documentation for their keystore tool.

Setting up SSL/TLS with mina xml config files:
You need to put this line (filling in your data of course) in your config file:
Code:
<ssl>
    <keystore file="keystore.jks" alias="my_ftp_certificate" password="password"/>
</ssl>
I will get to how to make a keystore file in a moment. The keystore tag tells the mina ftp server to use my_ftp_certificate as the certificate for securing communications. To force your users to use SSL to encrypt their username/pass (and all other ftp commands) you need to add implicit-ssl="true" to the nio-listener tag. If you leave that out the default is implicit-ssl="false", which lets your users choose if they want to use SSL or not.

Using implicit-ssl="true" in the nio-listener tag will encrypt all the ftp commands including the username/password, but it will not encrypt any files sent to/from your ftp server. To encrypt the file transfers also you need to encrypt the data channel. You do this by setting implicit-ssl in the data channel: <data-connection implicit-ssl="true"> If you encrypt the data channel be careful using a keysize greater than 1024 for a high-bandwidth connection -- it can become CPU intensive doing all the en/decrypting.

You do not need the <truststore /> tag I had in post #1. The truststore tag is used if you want your users to prove who they are using certificates in addition to username/passwords. It works basically the same way as the keystore tag, but instead of using a .jks file which contains your certificate you would use a .jks file which contains the certificates of all your users.

Creating a .jks keystore file using java's built in keytool:
I believe mina and keytool can both do .cer files also, but I did not try this.
Find where keytool lives (probably $JAVA_HOME/bin).
Run the command keytool -genkeypair -keystore filename.jks
The tool will prompt you for some information and then make a jks file for you.
That's it! You just need to move the .jks file you made to the appropriate place for mina to find it. There are some more options you can use with keytool and the documentation is good. It is found on Sun's website here. This documentation will also tell you how to import your users' certificates to a keystore if you do want to set up a truststore.

If you use implicit-ssl="true" and your ftp clients are timing out when connecting:
If you use implicit-ssl the ftp server will ignore non ssl requests, so you must tell your users to set the encryption type in their ftp clients. In filezilla for example under the site manager you set the encryption type to implicit.
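As an added example (not code from this thread or from Apache FtpServer), here is a small Python check that reads a Mina ftpd XML config and a users.properties file and reports the weak settings this thread walks through: implicit-ssl missing on the nio-listener or the data-connection, a keystore still using an example password, an enabled anonymous account, and the shipped admin/admin password hash. It assumes the element and attribute names from the ftpd-typical.xml that ships with FtpServer 1.0 and that an absent enableflag means the account is enabled; the sample config and properties inside it are constructed.

```python
"""Check a Mina/Apache FtpServer config for the weak settings this thread discusses (added example)."""
import hashlib
import xml.etree.ElementTree as ET

NS = {"f": "http://mina.apache.org/ftpserver/spring/v1"}
DEFAULT_ADMIN_MD5 = hashlib.md5(b"admin").hexdigest().upper()  # hash shipped in users.properties

# Constructed samples: the first post's listener (SSL present, not enforced) and a
# users.properties with the example admin hash plus an enabled anonymous account
WEAK_XML = """<server xmlns="http://mina.apache.org/ftpserver/spring/v1" id="s">
  <listeners><nio-listener name="default" port="2121">
    <ssl><keystore file="keystore.jks" password="password"/></ssl>
  </nio-listener></listeners>
</server>"""
SAMPLE_USERS = """ftpserver.user.admin.userpassword=21232F297A57A5A743894A0E4A801FC3
ftpserver.user.admin.homedirectory=./res/home
ftpserver.user.anonymous.userpassword=
ftpserver.user.anonymous.enableflag=true"""

def audit_xml(xml_text):
    """Findings for each nio-listener; element names as in the 1.0 ftpd-typical.xml."""
    out = []
    for lst in ET.fromstring(xml_text).findall("f:listeners/f:nio-listener", NS):
        n = lst.get("name", "?")
        if lst.get("implicit-ssl", "false") != "true":
            out.append(f"{n}: implicit-ssl off on listener, USER/PASS go in the clear")
        ks = lst.find("f:ssl/f:keystore", NS)
        if ks is None:
            out.append(f"{n}: no <ssl><keystore> configured")
        elif ks.get("password") in (None, "", "password", "secret"):
            out.append(f"{n}: keystore uses an empty or example password")
        dc = lst.find("f:data-connection", NS)
        if dc is None or dc.get("implicit-ssl", "false") != "true":
            out.append(f"{n}: data channel not encrypted (data-connection implicit-ssl)")
    return out

def audit_users(props_text):
    """Findings from users.properties (ftpserver.user.<name>.<key>=value lines)."""
    users, out = {}, []
    for line in props_text.splitlines():
        key, _, val = line.strip().partition("=")
        parts = key.split(".")
        if len(parts) == 4 and parts[:2] == ["ftpserver", "user"]:
            users.setdefault(parts[2], {})[parts[3]] = val.strip()
    for name, u in users.items():
        # assumption: an absent enableflag is treated as enabled
        if name == "anonymous" and u.get("enableflag", "true") == "true":
            out.append("anonymous: account enabled")
        if u.get("userpassword", "").upper() in (DEFAULT_ADMIN_MD5, "ADMIN"):
            out.append(f"{name}: still uses the example password 'admin'")
    return out
```

Run it against your own ftpd.xml and users.properties after the keytool step; a config with implicit-ssl="true" on both the listener and the data-connection and a non-example keystore password produces no findings.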