I am the proud owner of a TP-Link TL-WDR3500 router flashed with OpenWRT, which is really good custom firmware offering countless possibilities. Recently I installed an FTP server on it so I can access the attached external HDD remotely. This how-to is a simple guide showing you how to configure Pure-FTPd with TLS support on your OpenWRT-enabled router, too.
Why Pure-FTPd
There are many reasons to prefer Pure-FTPd over other FTP servers available as OpenWRT packages:
- It is a secure FTP server
- It has FTPS support (offers optional TLS Encryption)
- You can use both real user accounts and virtual ones
- You can put every user in a chroot jail
Installation
Log in to your router over SSH and issue the following commands:
opkg update
opkg install pure-ftpd-tls
You can use any SSH client. On Windows I recommend Xshell 5, while on Linux an SSH client is usually preinstalled. To learn how to log in via SSH, check out this article.
Configuration
There is no LuCI web interface for Pure-FTPd. Stop reading right now if you are afraid of terminal commands.
Unlike many daemons, Pure-FTPd was originally designed to run without config files. Instead, it uses command-line options: you run the binary with the correct switches and it sets itself up. On OpenWRT, however, there is a wrapper that reads config files and runs Pure-FTPd with the proper options.
To see the full list of switches used by Pure-FTPd on OpenWRT, simply cat the initialization script, which is located at /etc/init.d/pure-ftpd. Alternatively, you can check out the official documentation.
To start Pure-FTPd run
/etc/init.d/pure-ftpd start
1. Authentication
The Pure-FTPd config file is located at /etc/config/pureftpd.
If you open it, you will see that by default the server uses the unix type of authentication.
This means that every system user (except root, which is forbidden) is also an FTP server user, and his/her home directory is also his/her personal FTP root directory. Although OpenWRT is not designed to be a multi-user operating system, it is possible to create additional user accounts and use them to log in via SSH or FTP. If you want to use this option even though it’s not a good idea, read how to create an additional user account here.
Let’s change the default value from
option authentication 'unix'
to
option authentication 'puredb:/etc/pureftpd.pdb'
Pure-FTPd uses 2 database files as access-control lists. They are located at
– /etc/pureftpd.passwd – this is like your UNIX passwd file, except that it is for Pure-FTPd; it contains user accounts, shell etc.,
– /etc/pureftpd.pdb – this is the Pure-FTPd database file; I like to think of it as your UNIX shadow file.
The first step is creating a system group and a system user as described here.
addgroup pure_ftpd_grp
adduser -H -G pure_ftpd_grp pure_ftpd_user
The first command creates a system group and the second one adds a user to the previously created group; afterwards you will be asked for a password for the user (-H indicates that I don’t want to assign a home directory; if you want one, change -H to -h /homedirectory).
Now it’s time to create a virtual Pure-FTPd user and map it to the system user you just created.
pure-pw useradd FTP_LOGIN -u pure_ftpd_user -d /ftp_directory
Change FTP_LOGIN, pure_ftpd_user and /ftp_directory as you wish (pure_ftpd_user is the same user you created in the previous step).
I set the home directory to the directory I want to land in when logging in over FTP. In my case, this is a directory on the mounted USB HDD. FTP will fail if the permission to change into that directory is not correct, so make sure you set it to the right directory.
We need to commit the changes with the following command for them to take effect:
pure-pw mkdb
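A quick way to verify the result of the steps above, as an added example that is not part of the original post: it checks that authentication points at a puredb file, that the .pdb was rebuilt after the last change to the passwd file, and that no virtual user maps to uid 0 or lacks a chroot. It assumes pureftpd.passwd lines have the form login:password:uid:gid:gecos:home:... and that pure-pw records a chrooted home (-d) with a trailing "/./"; the function names and the file name check.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: pureftpd.passwd lines
# are login:password:uid:gid:gecos:home:..., and pure-pw records a chrooted
# home (-d) with a trailing "/./".

# Print the value of "option authentication" from the UCI-style config file.
auth_mode() {
    awk -v q="'" '$1 == "option" && $2 == "authentication" {
        gsub(q, "", $3); print $3; exit }' "$1"
}

# Report virtual users mapped to uid 0 or lacking a chroot; status 1 on findings.
audit_passwd() {
    awk -F: 'NF < 6 { next }
        $3 == 0         { print $1 ": mapped to uid 0"; bad = 1 }
        $6 !~ /\/\.\/$/ { print $1 ": home " $6 " is not chrooted"; bad = 1 }
        END { exit bad + 0 }' "$1"
}

# check_setup CONFIG PASSWD: status 0 only if every check passes.
check_setup() {
    mode=$(auth_mode "$1")
    case "$mode" in
        puredb:*) pdb=${mode#puredb:} ;;
        *) echo "authentication is '$mode', not puredb"; return 1 ;;
    esac
    # A .pdb older than the passwd file means "pure-pw mkdb" was not run.
    if [ ! -e "$pdb" ] || [ "$2" -nt "$pdb" ]; then
        echo "$pdb is missing or older than $2: run pure-pw mkdb"
        return 1
    fi
    audit_passwd "$2"
}

# On the router: sh check.sh /etc/config/pureftpd /etc/pureftpd.passwd
if [ "$#" -eq 2 ]; then check_setup "$1" "$2"; fi
```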
Enjoy!