A base install of Debian squeeze does not include some of the tools required to establish a secure FTP server.
I started at
http://www.debian-administration.org/article/228/Setting_up_an_FTP_server_on_Debian
The ProFTP reference for TLS is somewhat sparse as a step-by-step guide and requires some degree of thinking, which is fine unless I am in a hurry.
How-to-Forge regarding Debian Etch gave some information that was relevant but was missing a couple of steps that apply in the later Squeeze version of Debian (6.0.2).
So my steps for future reference are as follows:
Start by installing and establishing a basic FTP server. Not secured but functioning is the goal.
[bash]
# Run as root
apt-get install proftpd-basic proftpd-doc
[/bash]
During the ProFTP install it will prompt for inetd or stand-alone; select stand-alone.
Create a test user account and password with adduser on the Debian system.
Test with a FileZilla install for a basic FTP connection on port 21. If this is working, a basic connection will allow the user to see the entire server.
Setting DefaultRoot in /etc/proftpd/proftpd.conf chroots each user to their /home/ directory, which restricts the user login to only their home directory. Enable the line by removing the # sign at the start of the line in /etc/proftpd/proftpd.conf
[text]
DefaultRoot ~
[/text]
Stop and restart the proftpd service
[bash]
# Run as root
service proftpd restart
[/bash]
Test again with a FileZilla install for a chroot FTP connection on port 21. It will probably fail unless the next step was done previously.
Check tail /var/log/proftpd/proftpd.log for errors like this:
[text]
Aug 09 16:30:44 server_name proftpd[9625] fq_server_name (::ffff:ip_address[::ffff:ip_address]): Preparing to chroot to directory '/home/username/'
Aug 09 16:30:44 server_name proftpd[9625] fq_server_name (::ffff:ip_address[::ffff:ip_address]): chroot to '/home/username/' failed for user 'username': Operation not permitted
Aug 09 16:30:44 server_name proftpd[9625] fq_server_name (::ffff:ip_address[::ffff:ip_address]): error: unable to set default root directory
[/text]
The issue is that chroot is not installed by default and therefore a FileZilla connection should fail.
[bash]
apt-get install chrootuid
[/bash]
Stop and restart the proftpd service
[bash]
# Run as root
service proftpd restart
[/bash]
Test again with a FileZilla install for a basic FTP connection on port 21 to the user's home directory.
Once that is working, adding TLS takes a few more steps.
Find and enable the following line by removing the # sign at the start of the line in
/etc/proftpd/proftpd.conf
[text]
include /etc/proftpd/tls.conf
[/text]
Install openssl
[bash]
# Run as root
apt-get install openssl
[/bash]
Follow the details on How-to-Forge for creating a self-signed certificate for the FTP server in Step 3 Creating The SSL Certificate For TLS.
Step 4 Enabling TLS In ProFTPd is no longer correct for this version of Debian. The TLS section is no longer in /etc/proftpd/proftpd.conf but is a separate file in the same directory.
Edit /etc/proftpd/tls.conf instead of /etc/proftpd/proftpd.conf.
Turn on the appropriate sections and edit the relevant paths to suit your certificate locations.
Stop and restart the proftpd service
[bash]
# Run as root
service proftpd restart
[/bash]
Modify the FileZilla settings to use Require explicit FTP over TLS and test again. FileZilla prompts to accept the certificate because it is self-signed; tick the box to retain the certificate so that the prompt disappears.
Note that the self-signed certificate is valid only for 365 days and in a year it will need to be renewed.
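The settings enabled in the steps above can be checked in one pass before testing with FileZilla. The script below is an added example, not part of the original walkthrough or of ProFTPD. The function names are hypothetical, and it assumes tls.conf uses the mod_tls directives TLSEngine, TLSRequired, TLSRSACertificateFile and TLSRSACertificateKeyFile; the 30-day expiry warning threshold is also an assumption.

```bash
#!/bin/sh
# Added example: audit the ProFTPD settings this walkthrough turns on.

# active_value FILE DIRECTIVE
# Prints the value of every uncommented DIRECTIVE line; exit 1 if none.
# Names are compared case-insensitively because the page writes "include".
active_value() {
    awk -v d="$2" '
        /^[ \t]*#/ { next }    # line is still commented out
        tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1 }
        END { exit !found }
    ' "$1"
}

# audit_ftps PROFTPD_CONF TLS_CONF
# Prints one FAIL line per problem and returns the number of problems.
audit_ftps() {
    conf=$1 tls=$2 problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    active_value "$conf" DefaultRoot >/dev/null ||
        fail "DefaultRoot is commented out, users are not chrooted"
    active_value "$conf" Include | grep -q 'tls\.conf$' ||
        fail "tls.conf is not included from proftpd.conf"
    active_value "$tls" TLSEngine | grep -qix 'on' ||
        fail "TLSEngine is not on"
    # Without this, plain-text FTP logins are still accepted next to TLS ones.
    active_value "$tls" TLSRequired | grep -qix 'on' ||
        fail "TLSRequired is not on"
    cert=$(active_value "$tls" TLSRSACertificateFile) ||
        fail "TLSRSACertificateFile is not set"
    active_value "$tls" TLSRSACertificateKeyFile >/dev/null ||
        fail "TLSRSACertificateKeyFile is not set"

    # The self-signed certificate lasts 365 days; flag it 30 days (2592000 s)
    # before expiry. Skipped when the file or openssl is not available.
    if [ -r "$cert" ] && command -v openssl >/dev/null 2>&1; then
        openssl x509 -checkend 2592000 -noout -in "$cert" >/dev/null ||
            fail "certificate expires within 30 days"
    fi
    return "$problems"
}
```

Run it as root with `audit_ftps /etc/proftpd/proftpd.conf /etc/proftpd/tls.conf`; no output and a zero exit status mean every check passed.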
I also referenced http://www.delphi3000.com/articles/article_4881.asp regarding the differences between SFTP and FTPS.
And this section of the ProFTP documentation for chroot information.