By default SFTP Gateway uses SFTP, which leverages OpenSSH. FTPS is not configured by default, because it requires that you expose additional ports.
However, there are some situations where you might need FTPS:
Legacy clients that only support FTPS
FTPS supports X509 SSL certificates, which may be a requirement for securely identifying the server
Here are instructions on how to install and configure vsftp on SFTP Gateway to add FTPS functionality. It also covers how to add an SSL certificate.
Installation
Elevate privileges to root:
sudo suInstall vsftp with this command:
yum install vsftpd -yCreate certificates
As a preparatory step, you need to first create a self-signed certificate. This is to encrypt your FTPS traffic.
Run the following commands:
mkdir /etc/ssl/private/ && cd $_openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout vsftpd.key -out vsftpd.crt -subj "/C=NA/ST=NA/L=NA/O=NA/OU=NA/CN=NA"(Feel free to put in real values for your state, locality, organization, etc.)
This creates a directory /etc/ssl/private/
And then it creates two files:
vsftpd.crt: This is your SSL certificatevsftpd.key: This is the private key
Eventually, you want to use a real SSL certificate, but for now, a self-signed cert will do.
Configure vsftp
Edit /etc/vsftpd/vsftpd.conf
On line 12, change anonymous_enable from YES to NO:
anonymous_enable=NOOn line 96, uncomment the following line:
chroot_local_user=YESAppend the following to the end of the vsftpd.conf file:
rsa_cert_file=/etc/ssl/private/vsftpd.crtrsa_private_key_file=/etc/ssl/private/vsftpd.keyssl_enable=YESallow_anon_ssl=NOforce_local_data_ssl=NOforce_local_logins_ssl=NOssl_tlsv1=YESssl_sslv2=NOssl_sslv3=NOrequire_ssl_reuse=NOssl_ciphers=HIGHuser_sub_token=$USERlocal_root=/home/$USER/home/$USERpasv_enable=YESpasv_min_port=1024pasv_max_port=1048pasv_address=<Public IP of your instance> Note: remember to set the last line (pasv_address) to your Elastic IP
The first section configures SSL.
The second section sets the chroot directory.
And the third section configures your IP and ports.
Restart the service to apply your changes:
/etc/init.d/vsftpd restartMake sure vsftpd runs after a reboot:
chkconfig vsftpd onConfigure your Security Group
FTPS requires several ports, so you'll have to open them up on your EC2 Security Group.
In CloudFormation, click the Resources tab
Click the link next to
SFTPGatewayInstanceto open the EC2 instance detailsAt the bottom, click the link next to Security groups
Click the Inbound tab
Click Edit
Add a rule for Custom TCP, Port range 20-21, from Source Anywhere
Add a rule for Custom TCP, Port range 1024-1048, from Source Anywhere
Click Save
Integrate with SFTP Gateway
There are a few steps in order to get vsftp working with SFTP Gateway.
Create a new user:
addsftpuser robtestSet a password for this user:
passwd robtestThe addsftpuser command disable's the user's shell for security reasons. You need to re-enable the user's shell in order to use FTPS:
usermod -s /bin/bash robtestConnecting an FTPS client
To test, connect using FileZilla.
Protocol: Select
FTP - File Transfer ProtocolEncryption: Select
Require explicit FTP over TLS
Log in with your username and password.
Since you're using a self-signed certificate, you will be prompted with this window. Click OK to proceed.
If all goes well, you should see your /uploads and /local/ folders.
Where to go from here
For more details on installing vsftp, check out this Stack Overflow article.
For more on configuring SSL for vsftp, see this article.