VSFTPD.CONF man page on Scientific

Man page or keyword search:  
man Server   26626 pages
apropos Keyword Search (all sections)
Output format
Scientific logo
[printable version]

VSFTPD.CONF(5)							VSFTPD.CONF(5)

NAME
       vsftpd.conf - config file for vsftpd

DESCRIPTION
       vsftpd.conf  may	 be used to control various aspects of vsftpd's behav‐
       iour.  By  default,  vsftpd  looks  for	this  file  at	the   location
       /etc/vsftpd/vsftpd.conf.	  However, you may override this by specifying
       a command line argument to vsftpd. The command  line  argument  is  the
       pathname of the configuration file for vsftpd. This behaviour is useful
       because you may wish to use an advanced inetd such as xinetd to	launch
       vsftpd with different configuration files on a per virtual host basis.

FORMAT
       The format of vsftpd.conf is very simple. Each line is either a comment
       or a directive. Comment lines start with a # and are ignored. A	direc‐
       tive line has the format:

       option=value

       It  is  important  to note that it is an error to put any space between
       the option, = and value.

       Each setting has a compiled in default which may	 be  modified  in  the
       configuration file.

BOOLEAN OPTIONS
       Below  is a list of boolean options. The value for a boolean option may
       be set to YES or NO.

       allow_anon_ssl
	      Only applies if ssl_enable is active. If set to  YES,  anonymous
	      users will be allowed to use secured SSL connections.

	      Default: NO

       anon_mkdir_write_enable
	      If  set  to YES, anonymous users will be permitted to create new
	      directories under certain conditions.  For  this	to  work,  the
	      option  write_enable  must  be  activated, and the anonymous ftp
	      user must have write permission on the parent directory.

	      Default: NO

       anon_other_write_enable
	      If set to YES, anonymous users  will  be	permitted  to  perform
	      write operations other than upload and create directory, such as
	      deletion and renaming. This is  generally	 not  recommended  but
	      included for completeness.

	      Default: NO

       anon_upload_enable
	      If set to YES, anonymous users will be permitted to upload files
	      under  certain  conditions.  For	this  to  work,	  the	option
	      write_enable  must be activated, and the anonymous ftp user must
	      have write permission on desired upload locations. This  setting
	      is  also	required for virtual users to upload; by default, vir‐
	      tual  users  are	treated	  with	 anonymous   (i.e.   maximally
	      restricted) privilege.

	      Default: NO

       anon_world_readable_only
	      When  enabled,  anonymous users will only be allowed to download
	      files which are world readable. This is recognising that the ftp
	      user may own files, especially in the presence of uploads.

	      Default: YES

       anonymous_enable
	      Controls	whether	 anonymous  logins  are	 permitted  or not. If
	      enabled, both the usernames ftp and anonymous are recognised  as
	      anonymous logins.

	      Default: YES

       ascii_download_enable
	      When  enabled,  ASCII  mode  data	 transfers will be honoured on
	      downloads.

	      Default: NO

       ascii_upload_enable
	      When enabled, ASCII mode data  transfers	will  be  honoured  on
	      uploads.

	      Default: NO

       async_abor_enable
	      When  enabled,  a special FTP command known as "async ABOR" will
	      be enabled.  Only ill advised FTP clients will use this feature.
	      Additionally,  this  feature is awkward to handle, so it is dis‐
	      abled by default. Unfortunately, some FTP clients will hang when
	      cancelling  a  transfer unless this feature is available, so you
	      may wish to enable it.

	      Default: NO

       background
	      When enabled, and vsftpd is started  in  "listen"	 mode,	vsftpd
	      will  background the listener process. i.e. control will immedi‐
	      ately be returned to the shell which launched vsftpd.

	      Default: YES

       check_shell
	      Note! This option only has  an  effect  for  non-PAM  builds  of
	      vsftpd.  If  disabled,  vsftpd  will not check /etc/shells for a
	      valid user shell for local logins.

	      Default: YES

       chmod_enable
	      When enabled, allows use of the SITE CHMOD command.  NOTE!  This
	      only  applies  to	 local users. Anonymous users never get to use
	      SITE CHMOD.

	      Default: YES

       chown_uploads
	      If enabled, all anonymously uploaded files will have the	owner‐
	      ship  changed  to	 the user specified in the setting chown_user‐
	      name.  This is useful from an administrative, and perhaps	 secu‐
	      rity, standpoint.

	      Default: NO

       chroot_list_enable
	      If  activated,  you  may	provide	 a list of local users who are
	      placed in a chroot() jail in their home  directory  upon	login.
	      The meaning is slightly different if chroot_local_user is set to
	      YES. In this case, the list becomes a list of  users  which  are
	      NOT  to be placed in a chroot() jail.  By default, the file con‐
	      taining this list is /etc/vsftpd/chroot_list, but you may	 over‐
	      ride this with the chroot_list_file setting.

	      Default: NO

       chroot_local_user
	      If  set  to  YES,	 local	users will be (by default) placed in a
	      chroot() jail in their home  directory  after  login.   Warning:
	      This  option  has security implications, especially if the users
	      have upload permission, or shell access. Only enable if you know
	      what  you	 are doing.  Note that these security implications are
	      not vsftpd specific. They apply to all FTP daemons  which	 offer
	      to put local users in chroot() jails.

	      Default: NO

       connect_from_port_20
	      This  controls  whether  PORT style data connections use port 20
	      (ftp-data) on the server machine.	 For  security	reasons,  some
	      clients  may insist that this is the case. Conversely, disabling
	      this option enables vsftpd to run with slightly less privilege.

	      Default: NO (but the sample config file enables it)

       debug_ssl
	      If true, OpenSSL connection diagnostics are dumped to the vsftpd
	      log file.	 (Added in v2.0.6).

	      Default: NO

       delete_failed_uploads
	      If  true,	 any  failed  upload  files  are  deleted.   (Added in
	      v2.0.7).

	      Default: NO

       deny_email_enable
	      If activated, you may provide a list of  anonymous  password  e-
	      mail  responses  which cause login to be denied. By default, the
	      file containing this list is /etc/vsftpd/banned_emails, but  you
	      may override this with the banned_email_file setting.

	      Default: NO

       dirlist_enable
	      If  set  to NO, all directory list commands will give permission
	      denied.

	      Default: YES

       dirmessage_enable
	      If enabled, users of the FTP server can be shown	messages  when
	      they  first  enter  a  new directory. By default, a directory is
	      scanned for the file .message, but that may be  overridden  with
	      the configuration setting message_file.

	      Default: NO (but the sample config file enables it)

       download_enable
	      If set to NO, all download requests will give permission denied.

	      Default: YES

       dual_log_enable
	      If  enabled,  two	 log files are generated in parallel, going by
	      default to /var/log/xferlog and /var/log/vsftpd.log.  The former
	      is  a  wu-ftpd  style transfer log, parseable by standard tools.
	      The latter is vsftpd's own style log.

	      Default: NO

       force_dot_files
	      If activated, files and directories  starting  with  .  will  be
	      shown in directory listings even if the "a" flag was not used by
	      the client. This override excludes the "." and ".." entries.

	      Default: NO

       force_anon_data_ssl
	      Only applies if  ssl_enable  is  activated.  If  activated,  all
	      anonymous	 logins	 are  forced to use a secure SSL connection in
	      order to send and receive data on data connections.

	      Default: NO

       force_anon_logins_ssl
	      Only applies if  ssl_enable  is  activated.  If  activated,  all
	      anonymous	 logins	 are  forced to use a secure SSL connection in
	      order to send the password.

	      Default: NO

       force_local_data_ssl
	      Only applies if ssl_enable is activated. If activated, all  non-
	      anonymous	 logins	 are  forced to use a secure SSL connection in
	      order to send and receive data on data connections.

	      Default: YES

       force_local_logins_ssl
	      Only applies if ssl_enable is activated. If activated, all  non-
	      anonymous	 logins	 are  forced to use a secure SSL connection in
	      order to send the password.

	      Default: YES

       guest_enable
	      If enabled, all non-anonymous  logins  are  classed  as  "guest"
	      logins.  A  guest login is remapped to the user specified in the
	      guest_username setting.

	      Default: NO

       hide_ids
	      If enabled, all user and group information in directory listings
	      will be displayed as "ftp".

	      Default: NO

       implicit_ssl
	      If  enabled,  an	SSL handshake is the first thing expect on all
	      connections (the FTPS protocol). To support explicit SSL	and/or
	      plain  text  too,	 a  separate vsftpd listener process should be
	      run.

	      Default: NO

       listen If enabled, vsftpd will run in standalone mode. This means  that
	      vsftpd  must not be run from an inetd of some kind. Instead, the
	      vsftpd executable is run once directly. vsftpd itself will  then
	      take care of listening for and handling incoming connections.

	      Default: NO

       listen_ipv6
	      Like  the listen parameter, except vsftpd will listen on an IPv6
	      socket instead of an IPv4 one. This  parameter  and  the	listen
	      parameter are mutually exclusive.

	      Default: NO

       local_enable
	      Controls	whether local logins are permitted or not. If enabled,
	      normal user accounts in /etc/passwd (or wherever your PAM config
	      references)  may	be used to log in. This must be enable for any
	      non-anonymous login to work, including virtual users.

	      Default: NO

       lock_upload_files
	      When enabled, all uploads proceed	 with  a  write	 lock  on  the
	      upload  file.  All  downloads proceed with a shared read lock on
	      the download file. WARNING!  Before enabling this, be aware that
	      malicious readers could starve a writer wanting to e.g. append a
	      file.

	      Default: YES

       log_ftp_protocol
	      When enabled, all FTP requests and responses are logged, provid‐
	      ing  the	option	xferlog_std_format  is not enabled. Useful for
	      debugging.

	      Default: NO

       ls_recurse_enable
	      When enabled, this setting will allow the use of "ls  -R".  This
	      is  a minor security risk, because a ls -R at the top level of a
	      large site may consume a lot of resources.

	      Default: NO

       mdtm_write
	      When enabled, this setting will allow MDTM to set file modifica‐
	      tion times (subject to the usual access checks).

	      Default: YES

       no_anon_password
	      When  enabled, this prevents vsftpd from asking for an anonymous
	      password - the anonymous user will log straight in.

	      Default: NO

       no_log_lock
	      When enabled, this prevents vsftpd from taking a file lock  when
	      writing  to  log	files.	This  option  should  generally not be
	      enabled. It exists to workaround operating system bugs  such  as
	      the  Solaris  /  Veritas	filesystem  combination which has been
	      observed to sometimes exhibit hangs trying to lock log files.

	      Default: NO

       one_process_model
	      If you have a Linux 2.4 kernel, it is possible to use a  differ‐
	      ent  security  model which only uses one process per connection.
	      It is a less pure security model, but gains you performance. You
	      really  don't  want  to enable this unless you know what you are
	      doing, and your site supports  huge  numbers  of	simultaneously
	      connected users.

	      Default: NO

       passwd_chroot_enable
	      If  enabled, along with chroot_local_user , then a chroot() jail
	      location may be specified on a per-user basis. Each user's  jail
	      is  derived from their home directory string in /etc/passwd. The
	      occurrence of /./ in the home directory string denotes that  the
	      jail is at that particular location in the path.

	      Default: NO

       pasv_addr_resolve
	      Set  to  YES  if	you  want  to use a hostname (as opposed to IP
	      address) in the pasv_address option.

	      Default: NO

       pasv_enable
	      Set to NO if you want to disallow the PASV method of obtaining a
	      data connection.

	      Default: YES

       pasv_promiscuous
	      Set  to  YES if you want to disable the PASV security check that
	      ensures the data connection originates from the same IP  address
	      as the control connection.  Only enable if you know what you are
	      doing! The only legitimate use for  this	is  in	some  form  of
	      secure tunnelling scheme, or perhaps to facilitate FXP support.

	      Default: NO

       port_enable
	      Set to NO if you want to disallow the PORT method of obtaining a
	      data connection.

	      Default: YES

       port_promiscuous
	      Set to YES if you want to disable the PORT security  check  that
	      ensures  that  outgoing data connections can only connect to the
	      client. Only enable if you know what you are doing!

	      Default: NO

       require_cert
	      If set to yes,  all  SSL	client	connections  are  required  to
	      present  a  client certificate. The degree of validation applied
	      to this certificate is controlled	 by  validate_cert  (Added  in
	      v2.0.6).

	      Default: NO

       require_ssl_reuse
	      If  set to yes, all SSL data connections are required to exhibit
	      SSL session reuse (which proves that they know the  same	master
	      secret  as  the  control	channel).  Although  this  is a secure
	      default, it may break many FTP clients, so you may want to  dis‐
	      able it. For a discussion of the consequences, see http://scary‐
	      beastsecurity.blogspot.com/2009/02/vsftpd-210-released.html
	      (Added in v2.1.0).

	      Default: YES

       reverse_lookup_enable
	      Set  to  YES if you want vsftpd to transform the ip address into
	      the hostname, before pam authentication. This is useful  if  you
	      use pam_access including the hostname. If you want vsftpd to run
	      on the environment where the reverse lookup for some hostname is
	      available	 and  the name server doesn't respond for a while, you
	      should set this to NO to avoid a performance issue.

	      Default: YES

       run_as_launching_user
	      Set to YES if you want vsftpd to run as the user which  launched
	      vsftpd.  This is useful where root access is not available. MAS‐
	      SIVE WARNING! Do NOT enable this option unless you totally  know
	      what  you are doing, as naive use of this option can create mas‐
	      sive security problems. Specifically, vsftpd does not  /	cannot
	      use  chroot  technology to restrict file access when this option
	      is set (even if launched by root). A poor substitute could be to
	      use  a  deny_file setting such as {/*,*..*}, but the reliability
	      of this cannot compare to chroot, and should not be  relied  on.
	      If  using this option, many restrictions on other options apply.
	      For example, options requiring privilege such  as	 non-anonymous
	      logins,  upload  ownership changing, connecting from port 20 and
	      listen ports less than 1024 are  not  expected  to  work.	 Other
	      options may be impacted.

	      Default: NO

       secure_email_list_enable
	      Set to YES if you want only a specified list of e-mail passwords
	      for anonymous logins to be accepted. This is useful  as  a  low-
	      hassle way of restricting access to low-security content without
	      needing virtual users. When enabled, anonymous logins  are  pre‐
	      vented unless the password provided is listed in the file speci‐
	      fied by the email_password_file setting. The file format is  one
	      password	per line, no extra whitespace. The default filename is
	      /etc/vsftpd/email_passwords.

	      Default: NO

       session_support
	      This controls whether vsftpd attempts to maintain	 sessions  for
	      logins.  If  vsftpd  is  maintaining  sessions,  it will try and
	      update utmp and wtmp. It will also open a pam_session  if	 using
	      PAM  to  authenticate,  and only close this upon logout. You may
	      wish to disable this if you do not need session logging, and you
	      wish  to give vsftpd more opportunity to run with less processes
	      and / or less privilege. NOTE - utmp and wtmp  support  is  only
	      provided with PAM enabled builds.

	      Default: NO

       setproctitle_enable
	      If  enabled, vsftpd will try and show session status information
	      in the system process listing. In other words, the reported name
	      of  the  process will change to reflect what a vsftpd session is
	      doing (idle, downloading etc). You probably want to  leave  this
	      off for security purposes.

	      Default: NO

       ssl_enable
	      If enabled, and vsftpd was compiled against OpenSSL, vsftpd will
	      support secure connections via SSL. This applies to the  control
	      connection  (including  login) and also data connections. You'll
	      need a client with SSL support too. NOTE!!  Beware enabling this
	      option.  Only enable it if you need it. vsftpd can make no guar‐
	      antees about the security of the OpenSSL libraries. By  enabling
	      this  option,  you  are declaring that you trust the security of
	      your installed OpenSSL library.

	      Default: NO

       ssl_request_cert
	      If enabled, vsftpd will request (but  not	 necessarily  require;
	      see    require_cert)acertificateonincomingSSLconnections.Normal‐
	      lythis should not cause any trouble at all, but IBM zOS seems to
	      have issues.  (New in v2.0.7).

	      Default: YES

       ssl_sslv2
	      Only applies if ssl_enable is activated. If enabled, this option
	      will permit SSL v2 protocol connections.	TLS v1 connections are
	      preferred.

	      Default: NO

       ssl_sslv3
	      Only applies if ssl_enable is activated. If enabled, this option
	      will permit SSL v3 protocol connections.	TLS v1 connections are
	      preferred.

	      Default: NO

       ssl_tlsv1
	      Only applies if ssl_enable is activated. If enabled, this option
	      will permit TLS v1 protocol connections.	TLS v1 connections are
	      preferred.

	      Default: YES

       strict_ssl_read_eof
	      If  enabled, SSL data uploads are required to terminate via SSL,
	      not an EOF on the socket. This option is	required  to  be  sure
	      that  an attacker did not terminate an upload prematurely with a
	      faked TCP FIN. Unfortunately,  it	 is  not  enabled  by  default
	      because so few clients get it right. (New in v2.0.7).

	      Default: NO

       strict_ssl_write_shutdown
	      If  enabled,  SSL	 data  downloads are required to terminate via
	      SSL, not an EOF on the socket. This is off by default as	I  was
	      unable  to find a single FTP client that does this. It is minor.
	      All it affects is our ability to tell whether  the  client  con‐
	      firmed  full  receipt of the file. Even without this option, the
	      client is able to check the integrity of the download.  (New  in
	      v2.0.7).

	      Default: NO

       syslog_enable
	      If  enabled,  then  any  log  output  which  would  have gone to
	      /var/log/vsftpd.log goes to the system log instead.  Logging  is
	      done under the FTPD facility.

	      Default: NO

       tcp_wrappers
	      If  enabled,  and vsftpd was compiled with tcp_wrappers support,
	      incoming connections will be  fed	 through  tcp_wrappers	access
	      control. Furthermore, there is a mechanism for per-IP based con‐
	      figuration. If tcp_wrappers sets the  VSFTPD_LOAD_CONF  environ‐
	      ment  variable,  then  the  vsftpd session will try and load the
	      vsftpd configuration file specified in this variable.

	      Default: NO

       text_userdb_names
	      By default, numeric IDs are shown in the user and	 group	fields
	      of  directory  listings.	You  can get textual names by enabling
	      this parameter. It is off by default for performance reasons.

	      Default: NO

       tilde_user_enable
	      If enabled, vsftpd  will	try  and  resolve  pathnames  such  as
	      ~chris/pics,  i.e.  a  tilde  followed  by a username. Note that
	      vsftpd will always resolve the pathnames ~ and  ~/something  (in
	      this  case  the ~ resolves to the initial login directory). Note
	      that ~user paths will only resolve if the file  /etc/passwd  may
	      be found within the _current_ chroot() jail.

	      Default: NO

       use_localtime
	      If enabled, vsftpd will display directory listings with the time
	      in your local time zone. The default  is	to  display  GMT.  The
	      times returned by the MDTM FTP command are also affected by this
	      option.

	      Default: NO

       use_sendfile
	      An internal setting used for testing  the	 relative  benefit  of
	      using the sendfile() system call on your platform.

	      Default: YES

       userlist_deny
	      This  option is examined if userlist_enable is activated. If you
	      set this setting to NO, then users will be denied	 login	unless
	      they   are   explicitly	listed	 in   the  file	 specified  by
	      userlist_file.  When login  is  denied,  the  denial  is	issued
	      before the user is asked for a password.

	      Default: YES

       userlist_enable
	      If enabled, vsftpd will load a list of usernames, from the file‐
	      name given by userlist_file.  If a user tries to log in using  a
	      name in this file, they will be denied before they are asked for
	      a password. This may be useful in preventing cleartext passwords
	      being transmitted. See also userlist_deny.

	      Default: NO

       validate_cert
	      If  set  to yes, all SSL client certificates received must vali‐
	      date OK.	Self-signed certs do  not  constitute  OK  validation.
	      (New in v2.0.6).

	      Default: NO

       userlist_log
	      This  option  is	examined  if  userlist_enable is activated. If
	      enabled, every login denial based	 on  the  user	list  will  be
	      logged.

	      Default: NO

       virtual_use_local_privs
	      If  enabled, virtual users will use the same privileges as local
	      users. By default, virtual users will use the same privileges as
	      anonymous	 users, which tends to be more restrictive (especially
	      in terms of write access).

	      Default: NO

       write_enable
	      This controls whether any FTP commands which change the filesys‐
	      tem  are	allowed	 or not. These commands are: STOR, DELE, RNFR,
	      RNTO, MKD, RMD, APPE and SITE.

	      Default: NO

       xferlog_enable
	      If enabled, a log file will be maintained detailling uploads and
	      downloads.    By	 default,   this   file	  will	be  placed  at
	      /var/log/vsftpd.log, but this location may be  overridden	 using
	      the configuration setting vsftpd_log_file.

	      Default: NO (but the sample config file enables it)

       xferlog_std_format
	      If  enabled,  the	 transfer log file will be written in standard
	      xferlog format, as used by wu-ftpd. This is useful  because  you
	      can  reuse  existing transfer statistics generators. The default
	      format is more readable, however. The default location for  this
	      style  of	 log  file  is /var/log/xferlog, but you may change it
	      with the setting xferlog_file.

	      Default: NO

       isolate_network
	      If enabled, use CLONE_NEWNET to isolate the untrusted  processes
	      so  that	they  can't do arbitrary connect() and instead have to
	      ask the privileged process for sockets (	port_promiscuous  have
	      to be disabled).

	      Default: YES

       isolate
	      If  enabled,  use	 CLONE_NEWPID and CLONE_NEWIPC to isolate pro‐
	      cesses to their ipc and pid namespaces. So  separated  processes
	      can not interact with each other.

	      Default: YES

NUMERIC OPTIONS
       Below  is  a list of numeric options. A numeric option must be set to a
       non negative integer. Octal numbers are supported, for  convenience  of
       the umask options. To specify an octal number, use 0 as the first digit
       of the number.

       accept_timeout
	      The timeout, in seconds, for a remote client to  establish  con‐
	      nection with a PASV style data connection.

	      Default: 60

       anon_max_rate
	      The  maximum  data transfer rate permitted, in bytes per second,
	      for anonymous clients.

	      Default: 0 (unlimited)

       anon_umask
	      The value that the umask for file creation is set to for	anony‐
	      mous  users. NOTE! If you want to specify octal values, remember
	      the "0" prefix otherwise the value will be treated as a base  10
	      integer!

	      Default: 077

       chown_upload_mode
	      The  file	 mode to force for chown()ed anonymous uploads. (Added
	      in v2.0.6).

	      Default: 0600

       connect_timeout
	      The timeout, in seconds, for a remote client to respond  to  our
	      PORT style data connection.

	      Default: 60

       data_connection_timeout
	      The  timeout,  in	 seconds, which is roughly the maximum time we
	      permit data transfers to stall for  with	no  progress.  If  the
	      timeout triggers, the remote client is kicked off.

	      Default: 300

       delay_failed_login
	      The  number  of  seconds	to  pause  prior to reporting a failed
	      login.

	      Default: 1

       delay_successful_login
	      The number of seconds to pause prior to  allowing	 a  successful
	      login.

	      Default: 0

       file_open_mode
	      The  permissions	with  which uploaded files are created. Umasks
	      are applied on top of this value. You may wish to change to 0777
	      if you want uploaded files to be executable.

	      Default: 0666

       ftp_data_port
	      The port from which PORT style connections originate (as long as
	      the poorly named connect_from_port_20 is enabled).

	      Default: 20

       idle_session_timeout
	      The timeout, in seconds, which is	 the  maximum  time  a	remote
	      client  may spend between FTP commands. If the timeout triggers,
	      the remote client is kicked off.

	      Default: 300

       listen_port
	      If vsftpd is in standalone mode, this is the port it will listen
	      on for incoming FTP connections.

	      Default: 21

       local_max_rate
	      The  maximum  data transfer rate permitted, in bytes per second,
	      for local authenticated users.

	      Default: 0 (unlimited)

       local_umask
	      The value that the umask for file creation is set to  for	 local
	      users.  NOTE!  If you want to specify octal values, remember the
	      "0" prefix otherwise the value will be  treated  as  a  base  10
	      integer!

	      Default: 077

       max_clients
	      If  vsftpd  is in standalone mode, this is the maximum number of
	      clients which may be connected. Any additional clients  connect‐
	      ing  will	 get  an  error message.  The value 0 switches off the
	      limit.

	      Default: 2000

       max_login_fails
	      After this many login failures, the session is killed.

	      Default: 3

       max_per_ip
	      If vsftpd is in standalone mode, this is the maximum  number  of
	      clients  which  may  be  connected from the same source internet
	      address. A client will get an error message if they go over this
	      limit. The value 0 switches off the limit.

	      Default: 50

       pasv_max_port
	      The  maximum  port  to allocate for PASV style data connections.
	      Can be used to specify a	narrow	port  range  to	 assist	 fire‐
	      walling.

	      Default: 0 (use any port)

       pasv_min_port
	      The  minimum  port  to allocate for PASV style data connections.
	      Can be used to specify a	narrow	port  range  to	 assist	 fire‐
	      walling.

	      Default: 0 (use any port)

       trans_chunk_size
	      You  probably  don't  want to change this, but try setting it to
	      something like 8192 for a much smoother bandwidth limiter.

	      Default: 0 (let vsftpd pick a sensible setting)

STRING OPTIONS
       Below is a list of string options.

       anon_root
	      This option represents a directory  which	 vsftpd	 will  try  to
	      change  into  after  an  anonymous  login.  Failure  is silently
	      ignored.

	      Default: (none)

       banned_email_file
	      This option is the name of a file containing a list of anonymous
	      e-mail passwords which are not permitted. This file is consulted
	      if the option deny_email_enable is enabled.

	      Default: /etc/vsftpd/banned_emails

       banner_file
	      This option is the name of a file	 containing  text  to  display
	      when  someone  connects  to the server. If set, it overrides the
	      banner string provided by the ftpd_banner option.

	      Default: (none)

       ca_certs_file
	      This option is the name of a file to load Certificate  Authority
	      certs  from,  for	 the  purpose  of validating client certs. The
	      loaded certs are also advertised to the  client,	to  cater  for
	      TLSv1.0  clients	such as the z/OS FTP client.  Regrettably, the
	      default SSL CA cert paths are not used, because of vsftpd's  use
	      of restricted filesystem spaces (chroot). (Added in v2.0.6).

	      Default: (none)

       chown_username
	      This  is	the  name of the user who is given ownership of anony‐
	      mously uploaded files. This option is only relevant  if  another
	      option, chown_uploads, is set.

	      Default: root

       chroot_list_file
	      The  option  is  the  name  of a file containing a list of local
	      users which will be placed in a  chroot()	 jail  in  their  home
	      directory.   This	  option   is  only  relevant  if  the	option
	      chroot_list_enable is enabled. If the  option  chroot_local_user
	      is  enabled,  then  the list file becomes a list of users to NOT
	      place in a chroot() jail.

	      Default: /etvsftpd.confc/vsftpd.chroot_list

       cmds_allowed
	      This options specifies a comma separated	list  of  allowed  FTP
	      commands	(post login. USER, PASS and QUIT and others are always
	      allowed pre-login). Other commands are rejected. This is a  pow‐
	      erful  method  of	 really	 locking  down an FTP server. Example:
	      cmds_allowed=PASV,RETR,QUIT

	      Default: (none)

       cmds_denied
	      This options specifies a comma separated list of denied FTP com‐
	      mands  (post  login.  USER,  PASS,  QUIT	and  others are always
	      allowed pre-login). If  a	 command  appears  on  both  this  and
	      cmds_allowed   then  the	denial	takes  precedence.  (Added  in
	      v2.1.0).

	      Default: (none)

       deny_file
	      This option can be used to set  a	 pattern  for  filenames  (and
	      directory names etc.) which should not be accessible in any way.
	      The affected items are not hidden, but any attempt  to  do  any‐
	      thing to them (download, change into directory, affect something
	      within directory etc.) will be denied. This option is very  sim‐
	      ple,  and	 should	 not  be used for serious access control - the
	      filesystem's permissions should be used in preference.  However,
	      this  option  may	 be  useful in certain virtual user setups. In
	      particular aware that if a filename is accessible by  a  variety
	      of  names	 (perhaps  due	to symbolic links or hard links), then
	      care must be taken to deny access to all the names.  Access will
	      be  denied  to  items if their name contains the string given by
	      hide_file, or if they match the regular expression specified  by
	      hide_file.   Note that vsftpd's regular expression matching code
	      is a simple implementation which is a  subset  of	 full  regular
	      expression  functionality.  Because  of  this,  you will need to
	      carefully and exhaustively test any application of this  option.
	      And  you	are  recommended to use filesystem permissions for any
	      important security policies due to  their	 greater  reliability.
	      Supported	 regex	syntax	is any number of *, ? and unnested {,}
	      operators. Regex matching is only supported on the  last	compo‐
	      nent of a path, e.g. a/b/? is supported but a/?/c is not.	 Exam‐
	      ple: deny_file={*.mp3,*.mov,.private}

	      Default: (none)

       dsa_cert_file
	      This option specifies the location of the DSA certificate to use
	      for SSL encrypted connections.

	      Default: (none - an RSA certificate suffices)

       dsa_private_key_file
	      This option specifies the location of the DSA private key to use
	      for SSL encrypted connections. If this option is	not  set,  the
	      private  key  is expected to be in the same file as the certifi‐
	      cate.

	      Default: (none)

       email_password_file
	      This option can be used to provide an alternate file  for	 usage
	      by the secure_email_list_enable setting.

	      Default: /etc/vsftpd/email_passwords

       ftp_username
	      This  is the name of the user we use for handling anonymous FTP.
	      The home directory of this user is the root of the anonymous FTP
	      area.

	      Default: ftp

       ftpd_banner
	      This  string  option  allows you to override the greeting banner
	      displayed by vsftpd when a connection first comes in.

	      Default: (none - default vsftpd banner is displayed)

       guest_username
	      See the boolean setting guest_enable for a description  of  what
	      constitutes  a  guest  login.  This setting is the real username
	      which guest users are mapped to.

	      Default: ftp

       hide_file
	      This option can be used to set  a	 pattern  for  filenames  (and
	      directory	 names	etc.)  which  should  be hidden from directory
	      listings. Despite being hidden, the files / directories etc. are
	      fully accessible to clients who know what names to actually use.
	      Items will be hidden if their names contain the string given  by
	      hide_file,  or if they match the regular expression specified by
	      hide_file. Note that vsftpd's regular expression	matching  code
	      is  a  simple  implementation  which is a subset of full regular
	      expression functionality.	 See deny_file for details of  exactly
	      what regex syntax is supported.  Example: hide_file={*.mp3,.hid‐
	      den,hide*,h?}

	      Default: (none)

       listen_address
	      If vsftpd is in standalone mode, the default listen address  (of
	      all local interfaces) may be overridden by this setting. Provide
	      a numeric IP address.

	      Default: (none)

       listen_address6
	      Like listen_address, but specifies a default listen address  for
	      the  IPv6 listener (which is used if listen_ipv6 is set). Format
	      is standard IPv6 address format.

	      Default: (none)

       local_root
	      This option represents a directory  which	 vsftpd	 will  try  to
	      change into after a local (i.e. non-anonymous) login. Failure is
	      silently ignored.

	      Default: (none)

       message_file
	      This option is the name of the file  we  look  for  when	a  new
	      directory	 is  entered. The contents are displayed to the remote
	      user. This  option  is  only  relevant  if  the  option  dirmes‐
	      sage_enable is enabled.

	      Default: .message

       nopriv_user
	      This  is	the  name  of  the user that is used by vsftpd when it
	      wants to be totally unprivileged. Note that  this	 should	 be  a
	      dedicated	 user, rather than nobody. The user nobody tends to be
	      used for rather a lot of important things on most machines.

	      Default: nobody

       pam_service_name
	      This string is the name of the PAM service vsftpd will use.

	      Default: ftp

       pasv_address
	      Use this option to override the  IP  address  that  vsftpd  will
	      advertise	 in response to the PASV command. Provide a numeric IP
	      address, unless pasv_addr_resolve is enabled, in which case  you
	      can  provide  a  hostname	 which will be DNS resolved for you at
	      startup.

	      Default: (none - the address is taken  from  the	incoming  con‐
	      nected socket)

       rsa_cert_file
	      This option specifies the location of the RSA certificate to use
	      for SSL encrypted connections.

	      Default: /usr/share/ssl/certs/vsftpd.pem

       rsa_private_key_file
	      This option specifies the location of the RSA private key to use
	      for  SSL	encrypted  connections. If this option is not set, the
	      private key is expected to be in the same file as	 the  certifi‐
	      cate.

	      Default: (none)

       secure_chroot_dir
	      This  option  should  be the name of a directory which is empty.
	      Also, the directory should not be writable by the ftp user. This
	      directory is used as a secure chroot() jail at times vsftpd does
	      not require filesystem access.

	      Default: /usr/share/empty

       ssl_ciphers
	      This option can be used to select which SSL ciphers vsftpd  will
	      allow  for  encrypted  SSL connections. See the ciphers man page
	      for further details. Note that restricting ciphers can be a use‐
	      ful  security precaution as it prevents malicious remote parties
	      forcing a cipher which they have found problems with.

	      Default: DES-CBC3-SHA

       user_config_dir
	      This powerful option allows the override of  any	config	option
	      specified in the manual page, on a per-user basis. Usage is sim‐
	      ple, and is  best	 illustrated  with  an	example.  If  you  set
	      user_config_dir  to  be /etc/vsftpd/user_conf and then log on as
	      the user "chris", then vsftpd will apply	the  settings  in  the
	      file  /etc/vsftpd/user_conf/chris	 for  the duration of the ses‐
	      sion. The format of this file is	as  detailed  in  this	manual
	      page!  PLEASE NOTE that not all settings are effective on a per-
	      user basis. For example, many settings only prior to the	user's
	      session  being  started.	Examples  of  settings	which will not
	      affect any behviour on a per-user basis include  listen_address,
	      banner_file, max_per_ip, max_clients, xferlog_file, etc.

	      Default: (none)

       user_sub_token
	      This  option  is useful is conjunction with virtual users. It is
	      used to automatically generate a home directory for each virtual
	      user, based on a template. For example, if the home directory of
	      the  real	 user  specified  via  guest_username  is   /home/vir‐
	      tual/$USER,  and	user_sub_token is set to $USER, then when vir‐
	      tual user fred logs in, he will end up (usually chroot()'ed)  in
	      the directory /home/virtual/fred.	 This option also takes affect
	      if local_root contains user_sub_token.

	      Default: (none)

       userlist_file
	      This  option  is	the  name  of  the  file   loaded   when   the
	      userlist_enable option is active.

	      Default: /etc/vsftpd/user_list

       vsftpd_log_file
	      This option is the name of the file to which we write the vsftpd
	      style log file. This log is only written	if  the	 option	 xfer‐
	      log_enable  is  set, and xferlog_std_format is NOT set. Alterna‐
	      tively,  it  is	written	  if   you   have   set	  the	option
	      dual_log_enable.	 One  further  complication  - if you have set
	      syslog_enable, then this file is not written and output is  sent
	      to the system log instead.

	      Default: /var/log/vsftpd.log

       xferlog_file
	      This  option  is	the name of the file to which we write the wu-
	      ftpd style transfer log. The transfer log is only written if the
	      option  xferlog_enable  is  set,	along with xferlog_std_format.
	      Alternatively,  it  is  written  if  you	have  set  the	option
	      dual_log_enable.

	      Default: /var/log/xferlog

AUTHOR
       scarybeasts@gmail.com

								VSFTPD.CONF(5)
[top]

List of man pages available for Scientific

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net