Background and goal
To build a NAS with an encrypted transport path easily, I want the iOS app FTPManager to connect over FTPS, with fully TLS-protected communication, to vsftpd configured for FTPS on Ubuntu.
Problem / error messages
vsftpd's FTPS offers two TLS modes, implicit and explicit. I tried each of the following vsftpd.conf settings
・ implicit_ssl=YES # the server accepts only implicit TLS connections
・ #implicit_ssl=YES # explicit is also allowed
with the matching protocol setting in FTPManager:
・ Require explicit FTP over TLS
・ Require implicit FTP over TLS
but when I look at the packets with Wireshark on the Ubuntu side, in both cases the FTPS traffic is shown as
control port 21 or 990: TLS
data port 20: ftp-data
so the data is not encrypted.
If file transfers are not encrypted even though TLS is enabled, there is no point.
Also, comparing logins as an anonymous user and as a Unix user, the result is the same.
Rather than a software problem, is it by specification that the FTP data port is unencrypted?
The diff of the changes I made to /etc/vsftpd.conf of vsftpd 3.0.3 is below.
(See the edit history; the changes are only cipher_suites, rejecting PASV, and blocking ftp-data port 20.)
diff -u vsftpd.conf.orig vsftpd.conf @@ -11,7 +11,8 @@ # # Run standalone? vsftpd can run either from an inetd or as a standalone # daemon started from an initscript. -listen=NO +#listen=NO +listen=YES # # This directive enables listening on IPv6 sockets. By default, listening # on the IPv6 "any" address (::) will accept connections from both IPv6 @@ -19,33 +20,36 @@ # sockets. If you want that (perhaps because you want to listen on specific # addresses) then you must run two copies of vsftpd with two configuration # files. -listen_ipv6=YES +#listen_ipv6=YES # # Allow anonymous FTP? (Disabled by default). -anonymous_enable=NO +anonymous_enable=YES # # Uncomment this to allow local users to log in. local_enable=YES # # Uncomment this to enable any form of FTP write command. -#write_enable=YES +write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) -#local_umask=022 +local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. -#anon_upload_enable=YES +anon_upload_enable=YES # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. -#anon_mkdir_write_enable=YES +anon_mkdir_write_enable=YES + +no_anon_password=YES + # # Activate directory messages - messages given to remote users when they # go into a certain directory. -dirmessage_enable=YES +dirmessage_enable=NO # # If enabled, vsftpd will display directory listings with the time # in your local time zone. The default is to display GMT. The 
@@ -57,7 +61,8 @@ xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). -connect_from_port_20=YES +#connect_from_port_20=YES +connect_from_port_20=NO # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not @@ -67,11 +72,11 @@ # # You may override where the log file goes if you like. The default is shown # below. -#xferlog_file=/var/log/vsftpd.log +xferlog_file=/var/log/vsftpd.log # # If you want, you can have your log file in standard ftpd xferlog format. # Note that the default log file location is /var/log/xferlog in this case. -#xferlog_std_format=YES +xferlog_std_format=NO # # You may change the default value for timing out an idle session. #idle_session_timeout=600 @@ -96,8 +101,8 @@ # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. -#ascii_upload_enable=YES -#ascii_download_enable=YES +ascii_upload_enable=YES +ascii_download_enable=YES # # You may fully customise the login banner string: #ftpd_banner=Welcome to blah FTP service. @@ -128,7 +133,7 @@ # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. -#ls_recurse_enable=YES +ls_recurse_enable=YES # # Customization # 
@@ -146,10 +151,36 @@ # # This option specifies the location of the RSA certificate to use for SSL # encrypted connections. -rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem -rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key -ssl_enable=NO +#rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +#rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem +rsa_private_key_file=/etc/pki/tls/certs/vsftpd.pem +#ssl_enable=NO +ssl_enable=YES +ssl_sslv2=NO +ssl_sslv3=NO +ssl_tlsv1=NO +force_local_data_ssl=YES +force_local_logins_ssl=YES +force_dot_files=YES +allow_anon_ssl=YES +require_ssl_reuse=YES +ssl_ciphers=ECDHE:ECDSA:!aNULL:!eNULL:!EXPORT:!DES:!CAMELLIA:!RC4:!MD5:!SHA:!PSK:!aECDH:!EDH:!DH:!DSS:!CBC3:!CBC + +implicit_ssl=YES +listen_port=990 + +pasv_promiscuous=NO +#pasv_min_port=30000 +#pasv_max_port=30100 + +#syslog_enable=YES +log_ftp_protocol=YES + + # # Uncomment this to indicate that vsftpd use a utf8 filesystem. -#utf8_filesystem=YES +utf8_filesystem=YES
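Review bot: in the anonymous-access hunk, `anonymous_enable=YES` together with `write_enable=YES`, `anon_upload_enable=YES`, `anon_mkdir_write_enable=YES` and `no_anon_password=YES` turns the NAS into a writable share that needs no credentials at all; since `local_enable=YES` already covers the Unix-user login, either keep `anonymous_enable=NO` or at least drop the two `anon_*_enable=YES` lines so anonymous sessions stay read-only.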
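Review bot: the ASCII hunk uncomments both `ascii_upload_enable=YES` and `ascii_download_enable=YES` directly under the file's own warning that ASCII mangling is a horrible feature of the protocol; with both on, any client that sends TYPE A gets line-ending conversion, which silently corrupts binary files, so leave them commented out. In the same region `connect_from_port_20=NO` means active-mode data connections no longer originate from port 20, so a firewall rule that only blocks port 20 will not match them; if the intent is to force passive mode, do that through the PASV settings rather than by blocking the port.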
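Review bot: in the SSL hunk, `pasv_promiscuous=NO` is vsftpd's default and does not disable passive mode; the "PASV rejection" the description mentions needs `pasv_enable=NO`, and if PASV stays enabled the commented `pasv_min_port`/`pasv_max_port` should be set so the firewall can allow that range. `force_local_data_ssl=YES` and `force_local_logins_ssl=YES` apply only to local users: for the anonymous login enabled above, `allow_anon_ssl=YES` merely permits TLS, so add `force_anon_logins_ssl=YES` and `force_anon_data_ssl=YES`, otherwise an anonymous client may transfer data in the clear. Finally `rsa_private_key_file` points at the same `/etc/pki/tls/certs/vsftpd.pem` as the certificate; keep the key in its own file with restrictive permissions (e.g. `/etc/pki/tls/private/vsftpd.key`, mode 0600) rather than beside the public certificate.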
Alternative NAS protocols that provide transport encryption
There are many protocols usable for a NAS, but
・ With Samba, TLS/SSL cannot be used without setting up LDAP.
・ With WebDAV, I am afraid of data corruption (from "webdav vs ftp").
・ I want TLS-like communication, so SFTP is excluded.
Because of these issues I tried FTP. If an unencrypted connection were acceptable, Samba would be sufficient.
Supplementary information (framework/tool versions, etc.)
Ubuntu 18.04
vsftpd 3.0.3
iPhone iOS 11.4
FTPManager 5.1.1
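Whether an FTPS transfer is encrypted is decided by the PROT P negotiation on the control channel (RFC 4217), not by the port the data connection uses: after AUTH TLS (explicit) or on an implicit port-990 session, the control channel is TLS, but every data connection stays plaintext until the client sends PBSZ 0 and PROT P and the server accepts it. The example below is added here and is not code from the question, from vsftpd or from FTPManager. Its first part reads a vsftpd log written with `log_ftp_protocol=YES` (which the diff above enables) and reports whether PROT P was accepted in a session; the log lines are constructed in vsftpd's log style, not real captures. Its second part is an ftplib client that performs the negotiation itself for both explicit (port 21) and implicit (port 990) FTPS; the host, user, password and CA file it takes are assumptions to be replaced.

```python
"""Check that an FTPS session really protects the data channel.

Added example, not from the original question or from vsftpd/FTPManager.
"""
import re
import ssl
from ftplib import FTP_TLS

CMD_RE = re.compile(r'FTP command: Client "[^"]+", "(?P<cmd>[^"]*)"')
RESP_RE = re.compile(r'FTP response: Client "[^"]+", "(?P<resp>[^"]*)"')


def data_channel_protected(log_text: str) -> bool:
    """True if the last PROT command the server accepted (2xx reply) was
    PROT P, i.e. the data connections of this session are TLS.
    No PROT at all, PROT C, or a rejected PROT P all mean plaintext data."""
    pending = None      # argument of a PROT command that awaits its reply
    protected = False
    for line in log_text.splitlines():
        m = CMD_RE.search(line)
        if m:
            words = m.group("cmd").upper().split()
            pending = words[1] if len(words) == 2 and words[0] == "PROT" else None
            continue
        m = RESP_RE.search(line)
        if m and pending is not None:
            if m.group("resp").startswith("2"):   # server accepted the PROT
                protected = pending == "P"
            pending = None
    return protected


# Constructed sample logs in vsftpd's log_ftp_protocol format (not captures).
_STAMP = 'Sun Jul  1 10:00:00 2018 [pid 2] [nas] '


def _log(*pairs):
    lines = []
    for cmd, resp in pairs:
        lines.append(_STAMP + 'FTP command: Client "192.168.1.20", "%s"' % cmd)
        lines.append(_STAMP + 'FTP response: Client "192.168.1.20", "%s"' % resp)
    return "\n".join(lines) + "\n"


LOG_PROT_P = _log(("AUTH TLS", "234 Proceed with negotiation."),
                  ("PBSZ 0", "200 PBSZ set to 0."),
                  ("PROT P", "200 PROT now Private."),
                  ("PASV", "227 Entering Passive Mode (192,168,1,10,117,48)."))
LOG_PROT_C = _log(("AUTH TLS", "234 Proceed with negotiation."),
                  ("PBSZ 0", "200 PBSZ set to 0."),
                  ("PROT C", "200 PROT now Clear."))
LOG_NO_PROT = _log(("AUTH TLS", "234 Proceed with negotiation."),
                   ("PASV", "227 Entering Passive Mode (192,168,1,10,117,48)."))
LOG_PROT_REJECTED = _log(("AUTH TLS", "234 Proceed with negotiation."),
                         ("PROT P", "503 Bad sequence of commands."))


class ImplicitFTP_TLS(FTP_TLS):
    """FTP_TLS variant for implicit FTPS (port 990): the control socket is
    wrapped in TLS as soon as it is created, so no AUTH TLS is sent."""
    _sock = None

    @property
    def sock(self):
        return self._sock

    @sock.setter
    def sock(self, value):
        if value is not None and not isinstance(value, ssl.SSLSocket):
            value = self.context.wrap_socket(value, server_hostname=self.host)
        self._sock = value


def connect_protected(host, user, password, *, implicit=False, cafile=None,
                      timeout=10):
    """Open an FTPS session whose data connections are TLS and return
    (client, listing). Arguments are assumptions; caller must client.quit().
    cafile is the server certificate (the file named by rsa_cert_file) so the
    connection is verified instead of trusting any certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    cls = ImplicitFTP_TLS if implicit else FTP_TLS
    client = cls(context=ctx, timeout=timeout)
    client.connect(host, 990 if implicit else 21)
    client.login(user, password)   # explicit mode: ftplib sends AUTH TLS first
    client.prot_p()                # PBSZ 0 + PROT P: data connections use TLS
    return client, client.nlst()   # NLST data connection is now TLS-wrapped


if __name__ == "__main__":
    for name, log in (("PROT P", LOG_PROT_P), ("PROT C", LOG_PROT_C),
                      ("no PROT", LOG_NO_PROT), ("PROT P rejected", LOG_PROT_REJECTED)):
        print("%-16s data channel protected: %s" % (name, data_channel_protected(log)))
    # Network use (assumed values): connect_protected("nas.example", "anonymous",
    # "", implicit=True, cafile="/etc/pki/tls/certs/vsftpd.pem")
```

To check a real session, grep the same "FTP command"/"FTP response" lines for the client address out of `/var/log/vsftpd.log` and feed them to `data_channel_protected`; a client that never logs a `PROT P` with a 200 reply is transferring files in the clear regardless of `force_local_data_ssl`. Note that `force_local_data_ssl=YES` makes vsftpd refuse such transfers for local users (the server replies with an error to the data command instead of sending plaintext), which is why the server-side log, not Wireshark's port-based protocol label, is the thing to read.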