1<html>
2<head>
3  <title>Config file options for bftpd.</title>
4</head>
5<body>
6Next
7<A HREF="bftpddoc-en-4.html">Previous</A>
8<A HREF="bftpddoc-en.html#toc5">Contents</A>
9<br><br><br>
10<h2>Config options for the bftpd configuration file</h2><br>
11Below are a list of options reconized by the bftpd server. These options
12and their values may be stored in the bftpd configureation file. This
13file is named /etc/bftpd.conf by default. Please note that all values
14must be given between quotation marks. For example, the following is
15correct:<br>
16<br>
17<b>PORT="21"</b><br>
18<br>
19However, this is <b>not</b> correct:<br>
20<br>
21<b>PORT=21</b><br>
22<br>
23Please also note that options should always be in UPPER CASE.<br>
24<br><br>
25There are two main parts to the bftpd.conf file. The first is the
26<b>global</b> section. This lays out the default values which are
27used by the server. The second section is the <b>users</b> section. This
28should always be appended at the bottom of the bftpd.conf file. The users
29section provides over-ride values for specific users. For example, by default
30the bftpd.conf file sets DENY_LOGIN to "no", which allows all users to login.
31This value is set in the global section. However, also by default, DENY_LOGIN
32is turned on in the users section for the user <i>root</i>. This prevents
33someone from logging in to your bftpd server using the <i>root</i> account.<br>
34<br><br>
35Now, without further delay, let's take a look at the options
36the bftpd server supports. These will be broken down by the
37name of the variable, a brief description and possible values.<br>
38<br><br>
39<b>Name:</b> DENY_LOGIN<br>
40<br>
41<b>Description:</b> This option instructs bftpd to either deny login
42attemps or to allow logins. It is recommended root
43access be restricted using this option.<br>
44<br>
45<b>Values:</b><br>
46"no" - allow login attempts<br>
47"yes" - prevent a user from logging in<br>
48"<i>Reason for denying access.</i>" - 
49Deny access to the server and tell the client why.<br>
50<br><br>
51  
52<b>Name:</b> PORT<br>
53<br>
54<b>Description:</b> This is the port number where the server should listen
55for incoming connections. This is for daemon mode only.<br>
56<br>
57<b>Values:</b><br>
58"21" - default<br>
59<br><br>
60
61<b>Name:</b> PASSIVE_PORTS<br>
62<br>
63<b>Description:</b>
64  You can force bftpd to use a specific port range in passive mode.
65  Passive mode means that the client will open data connections
66  and the server stays 'passive'.
67  This option can be very useful with some firewall configurations.
68  Seperate values with "," and define ranges with "-".
69  bftpd will try to bind one of these ports in ascending order as
70  you specify them here.
71  If none of the given ports could be bound, the connection is
72  is refused. If you want to bind any free port in that case, add
73  "0" to the list.<br>
74<br>
75<b>Values:</b><br>
76"0" - (zero) default<br>
77"10000-20000" - use ports 10,000 to 20,000<br>
78"15000-20000, 25000-30000" - use ports 15,000 to 20,000 and 25,000 to 30,000.<br>
79<br><br>
80
81<b>Name:</b> DATAPORT20<br>
82<br>
83<b>Description:</b>
84If PORT data connections should be opened from port 20, say yes here. You
85will probably need this if your server is behind a firewall that restricts
86outgoing packets from ports higher than 1024. Note that this may be a
87security hole, as the server can not drop its root privileges completely
88if you say yes here.<br>
89<br>
90<b>Values:</b><br>
91"no" - default. This is recommended for security reasons.<br>
92"yes" - enable data port 20. Recommended for dealing with firewalls which restrict
93out-going connections above port 1024.<br>
94<br><br>
95
96<b>Name:</b> ADMIN_PASS<br>
97<br>
98<b>Description:</b> The password which will be used by the system administrator
99to monitor and manage the bftpd server. The admin interface is not finished and,
100at this time, the password should remain as "x".<br>
101<br>
102<b>Values:</b><br>
103"x" - default and recommended.<br>
104<br><br>
105
106<b>Name:</b> INITIAL_CHROOT<br>
107<br>
108<b>Description:</b>
109With this option, you can put your entire FTP environment into a chroot
110jail. Apart from security, this offers you the possibility of having
111virtual users that don't exist in the system.
112Additionally, you can make some kind of 'file pool' by creating a directory
113with files which you can symlink from the users' homes (this means setting
114DO_CHROOT=no in order for the users to be able to access that dir.
115Note that you need the following files in your initial chroot directory:
116/etc/passwd, /etc/shadow, /etc/group
117On GNU systems, you will also need the NSS libraries in /lib.<br>
118<br>
119<b>Values:</b>
120This option is disabled by default. You should give an existing directory
121path if you wish to setup a traditional, secure ftp environment.<br>
122<br><br>
123
124<b>Name:</b> PATH_BFTPDUTMP<br>
125<br>
126<b>Description:</b> The bftpdutmp file allows you to record user logins and
127logouts. This is useful should you wish to restrict the number of users/computers
128logged in at the same time. Should you wish to run bftpd without these security
129features, you can set the path to an empty string.<br>
130<br>
131<b>Values:</b><br>
132"/var/run/bftpd/bftpdutmp" - default<br>
133"" - disable the log file.<br>
134<br><br>
135
136<b>Name:</b> XFER_BUFSIZE<br>
137<br>
138<b>Description:</b> This option controls the buffer size while transferring files.
139If you are on a very fast network (fast meaning 100 Mbit/s or more),
140you should set this to 64000 or something like that.
141Transferring from localhost to localhost, I had a transfer speed of
142approx. 15 MB/s with XFER_BUFSIZE=2048 and a speed of approx. 20 MB/s
143with XFER_BUFSIZE=64000. You should set smaller values for this if you have
144slow (dialup) clients.
145This option can also be used to (crudely) throttle back
146transfer speeds. Setting this to a very low value
147can slow transfer speeds.<br>
148<br>
149<b>Values:</b><br>
150"2048" - default<br>
151<br><br>
152
153<b>Name:</b> XFER_DELAY<br>
154<br>
155<b>Description:</b>
156This option allows you to add a delay (in microseconds) to
157the time between when one piece of data was sent
158and when the next will be sent. This is to aid in
159throttling bandwidth and applies to each client. The
160throttling effects the DATA transfers only (not control
161connections).
162A value of zero (0) means there is no added delay.
163A value of about 500000 (five hundred thousand) should
164delay for about half a second.
165These delays should be kept low to avoid triggering
166data transfer timeouts.<br>
167<br>
168<b>Values:</b><br>
169"0" - default (no delay)<br>
170<br><br>
171
172<b>Name:</b> ALLOW_FXP<br>
173<br>
174<b>Description:</b>
175When set to yes, this option makes the server allow data connections which
176don't go to the client who initiated them.
177This is needed for FXP. It is recommended this option be left
178disabled.<br>
179<br>
180<b>Values:</b><br>
181"no" - default (recommended)<br>
182"yes" - allow data connections which go to third party clients.<br>
183<br><br>
184
185<b>Name:</b> CONTROL_TIMEOUT<br>
186<br>
187<b>Description:</b> This option sets the amount of time a client may
188be connected without sending any control commands. The value is
189the number of seconds bftpd will wait for a command before dropping
190the connection.<br>
191<br>
192<b>Values:</b><br>
193"300" - default (wait five minutes)<br>
194<br><br>
195
196<b>Name:</b> DATA_TIMEOUT<br>
197<br>
198<b>Description:</b> This option sets the amount of time a client
199can be idle during a file transfer. The value is given in seconds.
200This option should usually be over ten,
201but below sixty. This allows for slow dial-up connections, without leaving
202stale connections too long.<br>
203<br>
204<b>Values:</b><br>
205"30" - default (wait thirty seconds)<br>
206<br><br>
207
208<b>Name:</b> RATIO<br>
209<br>
210<b>Description:</b>
211Use Ratio if you want the client to send a file before he can get a file.
212The format for this option is "<i>upload</i>/<i>download</i>". For
213example, "2/1" will allow the client to download 1MB of data if they
214first upload 2MB of data.<br>
215<br>
216<b>Values:</b><br>
217"none" - default. Do not restrict downloading.<br>
218"2/1" - allow 1MB download for every 2MB uploaded to the server.<br>
219<br><br>
220
221<b>Name:</b> ROOTDIR<br>
222<br>
223<b>Description:</b>
224ROOTDIR specifies the root directory of the client. It defaults to %h
225(the user's home directory). "%u" is replaced by the user name. This
226is handy if you have a set of sub-folders for bftpd to use. For example,
227/var/ftp/<i>username</i>/<br>
228This value should probably be set to some special value in the
229anonymous user's specific settings at the bottom of the config
230file.<br>
231<br>
232<b>Values:</b><br>
233"%h" - (default) login to the user's home directory.<br>
234"%u" - this symbol will be replaced by the client's username.<br>
235<br><br>
236
237<b>Name:</b> UMASK<br>
238<br>
239<b>Description:</b>
240Umask for the files or directories users create.<br>
241<br>
242<b>Values:</b><br>
243"022" - (default) New files are created with the permissions 755.<br>
244<br><br>
245
246<b>Name:</b> LOGFILE<br>
247<br>
248<b>Description:</b> This option gives the path of the file where
249bftpd will log general information. This includes files sent or received,
250login attempts and logouts. It is possible to use the system log by
251using the keyword "syslog" here.<br>
252<br>
253<b>Values:</b><br>
254"/var/log/bftpd.log" - default<br>
255"syslog" - send log data into system log.<br>
256"" - do not save log information to a file.<br>
257<br><br>
258
259<b>Name:</b> HELLO_STRING<br>
260<br>
261<b>Description:</b>
262This option tells bftpd what greeting to send clients when they
263first login to the server. You can use any string which fits on one
264line. Also, you can use three embedded symbols (%h, %i, %v) to
265provide extra information. The %h symbol will be replaced by the
266server's host name, %i is replaced by your IP address and %v
267will display bftpd's version number.<br>
268<br>
269Note: If you use the "%h" option and you do an inital CHROOT, then
270you'll need to copy your /etc/hosts and /etc/host.conf files into
271the chroot jail.<br>
272<br>
273<b>Values:</b><br>
274"bftpd %v at %i ready." - default (Show version and server's IP address)<br>
275"Welcome to bftpd at %h" - display welcome message with server's name.<br>
276<br><br>
277
278<b>Name:</b> AUTO_CHDIR<br>
279<br>
280<b>Description:</b> This option tells the bftpd server in which directory
281it should start. The directory path is relative to any chroot jail.<br>
282<br>
283<b>Values:</b><br>
284"/" - (default) go to the root directory of the current environment.<br>
285"/ftp" - start in the ftp directory<br>
286<br><br>
287
288<b>Name:</b> AUTH<br>
289<br>
290<b>Description:</b> This option tells bftpd which type of password
291authentication to use. Currently PAM and standard passwords are availible.<br>
292<br>
293<b>Values:</b><br>
294"PASSWD" - (default) use basic password checking.<br>
295"PAM" - use PAM verification.<br>
296<br><br>
297
298<b>Name:</b> FILE_AUTH<br>
299<br>
300<b>Description:</b> This option, when set, tells bftpd to ignore the <b>AUTH</b>
301variable and use a plain text file to authenticate users. The value
302should point to a text file, readable to the bftpd server. See the
303<i>values</i> section for the file format. The bftpd server will search
304through the text file for names matching the client's username. If
305a match is found, the client's password is checked against the one in
306the local text file.<br>
307WARNING: This option should be used very carefully and only in
308situations where you wish to over-ride your regular system security!<br>
309<br>
310<b>Values:</b><br>
311The text file should contain the format shown here:<br>
312<i>username password group home_directory</i><br>
313<br>
314Where username and password must match those sent by the client. Otherwise
315login is refused. The group should be the user's regular group and
316home_directory is where the client will be chrooted. For example:<Br>
317john secret users /home/john<br>
318jane mypassword users /home/jane/ftp<br>
319<br><br>
320<b>Name:</b> RESOLVE_CLIENT_IP<br>
321<br>
322<b>Description:</b>
323Enable this if you want the client's IP address to be resolved to a host
324name. Note that it increases the overhead and it may not work if your DNS
325is not configured correctly. Clients without a valid DNS name will take very
326long to connect.<br>
327<br>
328<b>Values:</b><br>
329"no" - default and recommended setting<br>
330"yes" - resolve client host names, when possible<br>
331<br><br>
332
333<b>Name:</b> MOTD_GLOBAL<br>
334<br>
335<b>Description:</b>
336This option tells bftpd where the "message of the day" file
337is stored. The content of this file (if it exists) is sent to the client
338before they login.<br>
339<br>
340<b>Values:</b>
341"/etc/ftpmotd" - default<br>
342<br><br>
343
344<b>Name:</b> MOTD_USER<br>
345<br>
346<b>Description:</b> The path to a "message of the day" file. The content
347of this file (if it exists) is sent to the client after a valid login. This
348path is relative to the user's root directory.<br>
349<br>
350<b>Values:</b><br>
351"/.ftpmotd" - default<br>
352<br><br>
353
354<b>Name:</b> RESOLVE_UIDS<br>
355<br>
356<b>Description:</b> If this option is enabled, user and group names
357are shown in directory listings instead of plain user/group ID numbers.
358This may slow down large directory listings.<br>
359<br>
360<b>Values:</b><br>
361"yes" - (default) show user and group names.<br>
362"no" - show user and group numbers.<br>
363<br><br>
364
365<b>Name:</b> DO_CHROOT<br>
366<br>
367<b>Description:</b> When this option is enabled ("yes") the client can
368not access any directories outside of the chroot jail. Disabling this
369feature ("no") is considered a serious security hole.<br>
370<br>
371<b>Values:</b><br>
372"yes" - (default) recommended to contain the user to their home directory.<br>
373"no" - (not recommended) this will allow the client to access any directory on the server.<br>
374<br><br>
375
376<b>Name:</b> LOG_WTMP<br>
377<br>
378<b>Description:</b>
379Enable this to log each login to wtmp. This
380can be useful for checking security issues.<br>
381<br>
382<b>Values:</b><br>
383"yes" - (default) Send login information to wtmp.<br>
384"no" - Do not log to wtmp.<br>
385<br><br>
386
387<b>Name:</b> BIND_TO_ADDR<br>
388<br>
389<b>Description:</b>
390If you would like bftpd to bind itself to one specific network interface,
391enter its IP address here. You can use the value "any" to take the
392first availible network interface. This option works in daemon mode
393only.<br>
394<br>
395<b>Values:</b><br>
396"any" - (default) Take the first availible network device.<br>
397"<i>your IP address here</i>" - try to bind to a specific address.<br>
398<br><br>
399
400<b>Name:</b> PATH_FTPUSERS<br>
401<br>
402<b>Description:</b>
403This option gives bftpd the path to a file (ftpusers) which
404contains a list of users which may <i>not</i> login to the server.
405If you want anyone to be able to login, you can put a non-existant
406filename here.<br>
407<br>
408<b>Values:</b><br>
409"/etc/ftpusers" - default<br>
410<br><br>
411
412<b>Name:</b> AUTH_ETCSHELLS<br>
413<br>
414<b>Description:</b>
415Enable this if you want to deny any user who has a shell which is not in
416/etc/shells.<br>
417<br>
418<b>Values:</b><br>
419"no" - (default) allow any user to login<br>
420"yes" - Deny login attemps to users with a shell not found in /etc/shells<br>
421<br><br>
422
423<b>Name:</b> ALLOWCOMMAND_<br>
424<br>
425<b>Description:</b>
426With the option ALLOWCOMMAND_<i>XXXX</i>, you can disable the command <i>XXXX</i>.
427For example, if you don't want any user to delete files, you can do
428ALLOWCOMMAND_DELE="no"
429You can also disable it for specific users by writing the appropiate
430lines into the user structures at the bottom of the config file.
431Please see the Values section for some examples.<br>
432<br>
433<b>Values:</b><br>
434ALLOWCOMMAND_DELE="no" - prevent users from deleting or over-writing files<br>
435ALLOWCOMMAND_STOR="yes" - allow users to store files on the server<br>
436ALLOWCOMMAND_SITE="yes" - allow use of the site command<br>
437ALLOWCOMMAND_RETR="no" - prevent user from downloading files<br>
438<br><br>
439
440<b>Name:</b> HIDE_GROUP<br>
441<br>
442<b>Description:</b>
443Files that belong to these groups (comma-separated) are hidden in LIST/NLST.
444This can help with security on systems where bftpd may have access to system
445files.<br>
446<br>
447<b>Values:</b><br>
448"" - (empty string) default. This does not hide any files.<br>
449"root" - hides any files belonging to the group root.<br>
450<br><br>
451
452<b>Name:</b> QUIT_MSG<br>
453<br>
454<b>Description:</b>
455When the client sends the "quit" command, this message is sent back.<br>
456<br>
457<b>Values:</b><br>
458"See you later..." - default.<br>
459Any message can be placed here in quotes as long as it fits on one line in
460the config file.<br>
461<br><br>
462
463<b>Name:</b> USERLIMIT_GLOBAL<br>
464<b>Description:</b>
465The number of users that can be logged in at the same time.
466If set to "0", an unlimited users will be able to connect. This is not
467recommended, as it makes DoS attacks possible, even if the clients are
468kicked after a short time.<br>
469<br>
470<b>Values:</b><br>
471"0" - (zero) default. This is not recommended.<br>
472On most small servers, the connection limit should probably be below twenty ("20")
473but above five ("5").<br>
474<br><br>
475
476<b>Name:</b> USERLIMIT_SINGLEUSER<br>
477<br>
478<b>Description:</b><br>
479This variable controls how often one user can be logged in at one time.
480This allows you to have a big connection limit (see above) and nevertheless
481prevent single users from having a lot of connections.<br>
482<br>
483<b>Values:</b><br>
484"0" - (zero) default. Allow an unlimited number of connections from a user.<br>
485<br><br>
486
487<b>Name:</b> USERLIMIT_HOST<br>
488<br>
489<b>Description:</b>
490This variable controls how many users are allowed to connect from the same IP
491address. This prvents one user (or machine) from taking all of the avail
492connections. If you want to allow unlimited connections, leave this option as "0".
493<br><br>
494<b>Values:</b><br>
495"0" - (zero) is the default, allowing unlimited connections from the same IP address.<br>
496<br><br>
497
498<b>Name:</b> GZ_UPLOAD<br>
499<br>
500<b>Description:</b>
501This option allows you to force files to be compressed
502on the fly during upload. A ".gz" extension will be given
503to the file. This should usually be turned off ("no"), but
504may be useful to servers with smaller storage space.
505To enable this option set the value to "yes".<br>
506<br>
507To use this option, bftpd must be configured using<br>
508"./configure --enable-libz" <i>before</i> running "make".<br>
509<br>
510<b>Values:</b><br>
511"no" - default (recommended for most setups)<br>
512"yes" - Force files to be zipped during uploads to the server.<br>
513<br><br>
514
515<b>Name:</b> GZ_DOWNLOAD<br>
516<br>
517<b>Description:</b>
518This options allows you to force gzipped files to
519be decompressed on the fly during download. A file
520with the extension ".gz" will be decompressed as it
521is sent to the client. This option should usually be
522turned off ("no"), but may be usefull on servers with
523many compressed files. To enable this option, set the
524value to "yes".<br>
525<br>
526To use this option, bftpd must be configured using<br>
527"./configure --enable-libz" <i>before</i> running "make".<br>
528<br>
529<b>Values:</b><br>
530"no" - default (recommended for most setups)<br>
531"yes" - Force files to be unzipped during downloads from the server.<br>
532<br><br>
533<br><br><br>
534Next
535<A HREF="bftpddoc-en-4.html">Previous</A>
536<A HREF="bftpddoc-en.html#toc5">Contents</A>
537
538</body>
539</html>
540
541