I'd like to authenticate FTP clients either via username+password or a client certificate. Only FTPS is allowed.
User/password works, but while testing with curl (I don't have another option) and a client certificate, I need to pass a user. Isn't it technically possible to authenticate only by providing a certificate?
vsftpd.conf:

```
passwd_chroot_enable=YES
chroot_local_user=YES
ssl_enable=YES
rsa_cert_file=/usr/local/ssl/certs/vsftpd.pem
force_local_data_ssl=YES
force_local_logins_ssl=YES
```
Tested with `curl -v -k -E client-crt.pem --ftp-ssl-reqd ftp://server:21/testfile`, the output is:

```
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DES-CBC3-SHA
* Server certificate:
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> USER anonymous
< 530 Anonymous sessions may not use encryption.
* Access denied: 530
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
curl: (67) Access denied: 530
```
This is theoretically OK, as I forbid anonymous access. If I specify a user with `-u username:pass` it works, but it would without a certificate too.
The client certificate seems to be OK; client-crt.pem looks like this:

```
-----BEGIN RSA PRIVATE KEY-----
content
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
content
-----END CERTIFICATE-----
```
What am I missing? Thanks in advance. (The OS is Solaris 10 SPARC).
What you need is mandatory cert validation. The relevant vsftpd directive is `validate_cert`, which by default is NO.
Add the following options:
Don't use self-signed certs, since the server checks the cert using one of the CA certificates in that `ca_certs_file`.
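The following script is an added example, not part of the question or the answer above. It reproduces locally what vsftpd does once `validate_cert=YES` is set: the client certificate is checked against the CA bundle named by `ca_certs_file`. It builds a throwaway CA, issues one client certificate from it and creates a second, self-signed one like the one in the question, then runs `openssl verify` against the CA file for both. All file names and subject names are constructed for the demo; it needs only `openssl` and a POSIX shell.

```shell
#!/bin/sh
# Added example: mimic vsftpd's validate_cert check with openssl verify.
# Everything lives in a temp dir that is removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A throwaway CA. On the server this file is what ca_certs_file points at.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo FTP CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# 2. A client key + CSR signed by that CA: this certificate should be accepted.
openssl req -newkey rsa:2048 -nodes -subj "/CN=ftpuser" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/client.crt" >/dev/null 2>&1

# 3. A self-signed client certificate, as in the question: not issued by the CA,
#    so a server that validates against ca.crt must reject it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ftpuser" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" >/dev/null 2>&1

# verify_client_cert CA_FILE CERT_FILE -> prints "accept" or "reject".
# This is the same chain check vsftpd performs with validate_cert=YES.
verify_client_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo accept
    else
        echo reject
    fi
}

# Key and certificate concatenated in one PEM, the layout curl -E expects
# (and the layout of client-crt.pem shown in the question).
cat "$WORK/client.key" "$WORK/client.crt" > "$WORK/client-crt.pem"

echo "CA-issued cert:   $(verify_client_cert "$WORK/ca.crt" "$WORK/client.crt")"
echo "self-signed cert: $(verify_client_cert "$WORK/ca.crt" "$WORK/selfsigned.crt")"
```

The first line prints `accept`, the second `reject`. On the vsftpd side the matching configuration pairs `validate_cert=YES` with `ca_certs_file` pointing at the equivalent of `ca.crt`; vsftpd also has a `require_cert` directive (not mentioned in the answer) that refuses TLS sessions where the client presents no certificate at all, which is what makes the certificate mandatory rather than merely validated when present. The `client-crt.pem` produced here is what you would hand to `curl -E` when testing against such a server.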