Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
- Puppet >= 4.10.0 < 7.0.0
Start using this module
Add this module to your Puppetfile:
mod 'pseiler-vsftpd', '8.1.0'
Learn more about managing modules with a Puppetfile
Documentation
vsftpd Module
Overview
This module installs, configures and manages the vsftpd FTP server. Original module by aneesh, forked and improved by pseiler.
Description
A more Puppety way of managing the vsftpd daemon. Where possible, the configuration options keep the same names as in vsftpd.conf, with a couple of notable exceptions:
- Booleans are now used instead of YES/NO, e.g. local_enable=YES == local_enable => true, local_enable=NO == local_enable => false.
- Parameter values separated by a comma are now arrays. This also applies to parameters with surrounding curly brackets. These parameters are affected: cmds_allowed, cmds_denied, deny_file and hide_file. Examples below.
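To make the two conversions concrete, here is an added Ruby/ERB example, written for this page and not the module's own configfile.erb, that renders a Puppet-style parameter Hash into vsftpd.conf the way the list above describes: true/false become YES/NO, an undef (nil) parameter produces no line, and arrays become comma-separated lists. The rule that deny_file and hide_file are brace-wrapped only when they hold more than one pattern, the helper names and the sample parameters are assumptions of this example.

```ruby
# Added example (not the pseiler-vsftpd module's template): render a
# Puppet-style parameter Hash into vsftpd.conf using the README's
# conventions (true/false -> YES/NO, nil -> line omitted, Array -> list).
require 'erb'

# Keys vsftpd reads as a brace-wrapped pattern list, e.g.
# deny_file={*.mp3,*.mov,.private}; cmds_allowed/cmds_denied stay plain.
# (Assumption of this example, not a rule taken from the module.)
BRACE_WRAPPED = %w[deny_file hide_file].freeze

# Convert one Puppet value into its vsftpd.conf representation.
def vsftpd_value(key, value)
  case value
  when true  then 'YES'
  when false then 'NO'
  when Array
    joined = value.join(',')
    BRACE_WRAPPED.include?(key) && value.length > 1 ? "{#{joined}}" : joined
  else value.to_s
  end
end

# ERB template in the style of a Puppet module template; keys are emitted
# in sorted order so the rendered file is stable across runs.
TEMPLATE = <<~ERB
  # vsftpd.conf managed by Puppet (constructed example)
  <% params.sort_by { |k, _| k }.each do |key, value| -%>
  <% next if value.nil? -%>
  <%= key %>=<%= vsftpd_value(key, value) %>
  <% end -%>
ERB

# Render the template; `params` is picked up through the binding.
def render_vsftpd_conf(params)
  ERB.new(TEMPLATE, trim_mode: '-').result(binding)
end

# Constructed parameters mirroring a class { 'vsftpd': ... } declaration.
EXAMPLE_PARAMS = {
  'anonymous_enable' => false,
  'local_enable'     => true,
  'listen_ipv6'      => nil,          # undef in Puppet: no line is written
  'local_umask'      => '022',
  'pasv_min_port'    => 1024,
  'cmds_allowed'     => %w[PASV RETR QUIT],
  'deny_file'        => %w[*.mp3 *.mov .private],
  'hide_file'        => ['.hidden'],
}.freeze

puts render_vsftpd_conf(EXAMPLE_PARAMS) if $PROGRAM_NAME == __FILE__
```

Running the file prints a config with anonymous_enable=NO, cmds_allowed=PASV,RETR,QUIT and deny_file={*.mp3,*.mov,.private}, and no listen_ipv6 line at all, which is the behaviour to expect from an undef parameter: vsftpd then applies its own compiled-in default for that option.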
All configuration parameters vsftpd.conf supports are also supported by this module. Please read the vsftpd.conf manpage for more information about every parameter.
These additional parameters have a default and can be overwritten:
- package_name (String) - the name of the package from your operating system's package manager
- service_name (String) - the service name (e.g. the systemd service)
- config_path (String) - the path where vsftpd.conf should be written to
- template (String) - path to the erb template used, if you want to provide your own
- manage_service (Boolean) - control if the service should be started and enabled
The defaults can be found in params.pp.
Usage
Default configuration (a nearly empty configuration file with no parameter set is written; not recommended):
include vsftpd
Custom configuration:
class { 'vsftpd':
anonymous_enable => false,
anon_mkdir_write_enable => false,
anon_other_write_enable => false,
local_enable => true,
download_enable => true,
write_enable => true,
local_umask => '022',
dirmessage_enable => true,
xferlog_enable => true,
connect_from_port_20 => true,
xferlog_std_format => true,
chroot_local_user => true,
chroot_list_enable => true,
file_open_mode => '0666',
ftp_data_port => 20,
listen => true,
listen_ipv6 => false,
listen_port => 21,
pam_service_name => 'vsftpd',
tcp_wrappers => true,
allow_writeable_chroot => true,
pasv_enable => true,
pasv_min_port => 1024,
pasv_max_port => 1048,
pasv_address => '127.0.0.1',
}
A few advanced configuration parameter examples:
anon_umask => '077',
anon_root => '/var/ftp/anonymous',
anon_max_rate => 0,
ftpd_banner => 'My custom banner',
banner_file => '/etc/vsftpd/my_banner.txt',
max_clients => 0,
max_per_ip => 0,
ftp_username => 'ftp',
guest_enable => false,
guest_username => 'ftp',
anon_world_readable_only => false,
ascii_download_enable => false,
ascii_upload_enable => false,
chown_uploads => true,
chown_username => 'linux',
chroot_list_file => '/etc/vsftpd/my_chroot_list',
secure_chroot_dir => '/usr/share/empty',
user_config_dir => '/etc/vsftpd/user_config',
userlist_deny => true,
userlist_enable => true,
userlist_file => '/etc/vsftpd/my_userlist',
delete_failed_uploads => false,
cmds_allowed => ['PASV','RETR','QUIT'],
cmds_denied => ['PASV','RETR','QUIT'],
deny_file => ['*.mp3','*.mov','.private'],
hide_file => ['*.mp3','.hidden','hide*','h?'],
syslog_enable => false,
dual_log_enable => false,
hide_ids => false,
use_localtime => false,
local_max_rate => 0,
SSL integration (not a rock-solid configuration):
rsa_cert_file => '/etc/ssl/private/vsftpd.pem',
rsa_private_key_file => '/etc/ssl/private/vsftpd.pem',
ca_certs_file => '/etc/ssl/private/ca.pem',
ssl_enable => true,
allow_anon_ssl => true,
force_local_data_ssl => true,
force_local_logins_ssl => true,
ssl_tlsv1 => true,
ssl_sslv2 => false,
ssl_sslv3 => false,
require_ssl_reuse => true,
ssl_ciphers => 'HIGH',
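Because the SSL snippet above is labelled as not rock-solid, here is an added Ruby audit, written for this page and not part of the module, that parses a rendered vsftpd.conf and flags the settings a defender would review first: legacy SSLv2/SSLv3 enabled, TLS enabled without forcing it for local logins and data, password logins accepted with ssl_enable=NO, anonymous logins and anonymous write access, a writable chroot root, and an inverted passive port range. It runs over a constructed copy of the README's "Custom configuration" example and a hardened variant. The severity labels, the finding texts and the defaults assumed for absent keys (taken from the vsftpd.conf manpage) are this example's assumptions.

```ruby
# Added example (not the pseiler-vsftpd module's code): parse a rendered
# vsftpd.conf and flag settings a defender would want to review. Defaults
# assumed for absent keys follow the vsftpd.conf manpage.

# Parse "key=value" lines into a Hash of strings; blank lines and '#'
# comments are skipped, whitespace around key and value is tolerated.
def parse_vsftpd_conf(text)
  text.each_line.with_object({}) do |line, conf|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    conf[key.strip] = value.to_s.strip
  end
end

# True when the key is YES, falling back to vsftpd's default when absent.
def on?(conf, key, default)
  conf.fetch(key, default).strip.casecmp('YES').zero?
end

# Returns an Array of [severity, message] findings (empty means clean).
def audit_vsftpd_conf(conf)
  findings = []
  ssl = on?(conf, 'ssl_enable', 'NO')

  if on?(conf, 'ssl_sslv2', 'NO') || on?(conf, 'ssl_sslv3', 'NO')
    findings << ['high', 'legacy SSLv2/SSLv3 is enabled; set ssl_sslv2 and ssl_sslv3 to NO']
  end
  if ssl && !(on?(conf, 'force_local_logins_ssl', 'YES') && on?(conf, 'force_local_data_ssl', 'YES'))
    findings << ['high', 'TLS is enabled but local logins or data transfers may still use plaintext']
  end
  if !ssl && on?(conf, 'local_enable', 'NO')
    findings << ['high', 'local password logins are accepted without TLS (ssl_enable=NO)']
  end
  if on?(conf, 'anonymous_enable', 'YES') # vsftpd's own default is YES
    findings << ['medium', 'anonymous logins are permitted; set anonymous_enable=NO unless intended']
    anon_write = %w[anon_upload_enable anon_mkdir_write_enable anon_other_write_enable]
                 .any? { |k| on?(conf, k, 'NO') }
    findings << ['high', 'anonymous users have write access'] if anon_write && on?(conf, 'write_enable', 'NO')
  end
  if on?(conf, 'chroot_local_user', 'NO') && on?(conf, 'allow_writeable_chroot', 'NO')
    findings << ['medium', 'chroot root is writable (allow_writeable_chroot=YES); prefer a read-only root with writable subdirectories']
  end
  lo = conf.fetch('pasv_min_port', '0').to_i
  hi = conf.fetch('pasv_max_port', '0').to_i
  if on?(conf, 'pasv_enable', 'YES') && (lo.positive? || hi.positive?) && lo > hi
    findings << ['low', "pasv_min_port (#{lo}) is above pasv_max_port (#{hi}); the passive range is invalid"]
  end
  findings
end

# Constructed from the relevant subset of the README's "Custom
# configuration" example, rendered the way the module would write it.
PAGE_CUSTOM_CONF = <<~CONF
  anonymous_enable=NO
  local_enable=YES
  write_enable=YES
  chroot_local_user=YES
  allow_writeable_chroot=YES
  pasv_enable=YES
  pasv_min_port=1024
  pasv_max_port=1048
CONF

# The same configuration with the flagged settings corrected (constructed).
HARDENED_CONF = PAGE_CUSTOM_CONF.sub('allow_writeable_chroot=YES', 'allow_writeable_chroot=NO') + <<~CONF
  ssl_enable=YES
  ssl_sslv2=NO
  ssl_sslv3=NO
  force_local_logins_ssl=YES
  force_local_data_ssl=YES
CONF

if $PROGRAM_NAME == __FILE__
  { 'README custom config' => PAGE_CUSTOM_CONF, 'hardened' => HARDENED_CONF }.each do |name, text|
    findings = audit_vsftpd_conf(parse_vsftpd_conf(text))
    report = findings.empty? ? 'no findings' : findings.map { |s, m| "[#{s}] #{m}" }.join("\n  ")
    puts "#{name}: #{report}"
  end
end
```

Run against the README's custom configuration the audit reports two findings (plaintext local logins because ssl_enable is unset, and the writable chroot root that the chroot_local_user description warns about); the hardened variant reports none. The checks are deliberately conservative and only read the keys the page documents; feeding the audit the file Puppet actually wrote (config_path) is the cheapest way to catch a parameter that was left at undef by mistake.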
Reference
Table of Contents
Classes
vsftpd
: A more Puppety way of installing and managing the vsftpd daemon.
Classes
vsftpd
Examples
class { 'vsftpd':
pam_service_name => 'ftp',
pasv_enable => true,
pasv_min_port => 1024,
pasv_max_port => 1048,
pasv_address => '127.0.0.1',
}
Parameters
The following parameters are available in the vsftpd class:
config_path
package_name
service_name
manage_service
service_enable
service_ensure
template
allow_anon_ssl
allow_root_squashed_chroot
allow_writeable_chroot
anon_mkdir_write_enable
anon_other_write_enable
anon_upload_enable
anon_world_readable_only
anonymous_enable
ascii_download_enable
ascii_upload_enable
async_abor_enable
background
check_shell
chmod_enable
chown_uploads
chroot_list_enable
chroot_local_user
connect_from_port_20
debug_ssl
delete_failed_uploads
deny_email_enable
dirlist_enable
dirmessage_enable
download_enable
dual_log_enable
force_dot_files
force_anon_data_ssl
force_anon_logins_ssl
force_local_data_ssl
force_local_logins_ssl
guest_enable
hide_ids
implicit_ssl
listen
listen_ipv6
local_enable
lock_upload_files
log_ftp_protocol
ls_recurse_enable
mdtm_write
no_anon_password
no_log_lock
one_process_model
passwd_chroot_enable
pasv_addr_resolve
pasv_enable
pasv_promiscuous
port_enable
port_promiscuous
require_cert
require_ssl_reuse
run_as_launching_user
secure_email_list_enable
session_support
setproctitle_enable
ssl_enable
ssl_request_cert
ssl_sslv2
ssl_sslv3
ssl_tlsv1
strict_ssl_read_eof
strict_ssl_write_shutdown
syslog_enable
tcp_wrappers
text_userdb_names
tilde_user_enable
use_localtime
use_sendfile
userlist_deny
userlist_enable
validate_cert
virtual_use_local_privs
write_enable
xferlog_enable
xferlog_std_format
accept_timeout
address_space_limit
anon_max_rate
anon_umask
chown_upload_mode
connect_timeout
data_connection_timeout
delay_failed_login
delay_successful_login
file_open_mode
ftp_data_port
idle_session_timeout
listen_port
local_max_rate
local_umask
max_clients
max_login_fails
max_per_ip
pasv_min_port
pasv_max_port
trans_chunk_size
anon_root
banned_email_file
banner_file
ca_certs_file
chown_username
chroot_list_file
cmds_allowed
cmds_denied
deny_file
dsa_cert_file
dsa_private_key_file
email_password_file
ftp_username
ftpd_banner
guest_username
hide_file
listen_address
listen_address6
local_root
message_file
nopriv_user
pam_service_name
pasv_address
rsa_cert_file
rsa_private_key_file
secure_chroot_dir
ssl_ciphers
user_config_dir
user_sub_token
userlist_file
vsftpd_log_file
xferlog_file
config_path
Data type: String
The path to the main configuration file of vsftpd. Defaults to the OS-specific path.
package_name
Data type: String
The name of the package.
Default value: vsftpd
service_name
Data type: String
The name of the systemd service.
Default value: vsftpd
manage_service
Data type: Boolean
Whether to manage the systemd service or not.
Default value: true
service_enable
Data type: Variant[Boolean, Enum['manual', 'mask']]
Whether to enable the service when booting or not.
Default value: true
service_ensure
Data type: Variant[Boolean, Enum['running', 'stopped']]
Control if the service is running or not.
Default value: 'running'
template
Data type: String
Path to the template the file resource is using.
Default value: 'vsftpd/configfile.erb'
allow_anon_ssl
Data type: Optional[Boolean]
Only applies if ssl_enable is active. If set to YES, anonymous users will be allowed to use secured SSL connections.
Default when Boolean is undef: NO
Default value: undef
allow_root_squashed_chroot
Data type: Optional[Boolean]
Default value: undef
allow_writeable_chroot
Data type: Optional[Boolean]
Default value: undef
anon_mkdir_write_enable
Data type: Optional[Boolean]
If set to YES, anonymous users will be permitted to create new directories under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on the parent directory.
Default when Boolean is undef: NO
Default value: undef
anon_other_write_enable
Data type: Optional[Boolean]
If set to YES, anonymous users will be permitted to perform write operations other than upload and create directory, such as deletion and renaming. This is generally not recommended but included for completeness.
Default when Boolean is undef: NO
Default value: undef
anon_upload_enable
Data type: Optional[Boolean]
If set to YES, anonymous users will be permitted to upload files under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on desired upload locations. This setting is also required for virtual users to upload; by default, virtual users are treated with anonymous (i.e. maximally restricted) privilege.
Default when Boolean is undef: NO
Default value: undef
anon_world_readable_only
Data type: Optional[Boolean]
When enabled, anonymous users will only be allowed to download files which are world readable. This is recognising that the ftp user may own files, especially in the presence of uploads.
Default when Boolean is undef: YES
Default value: undef
anonymous_enable
Data type: Optional[Boolean]
Controls whether anonymous logins are permitted or not. If enabled, both the usernames ftp and anonymous are recognised as anonymous logins.
Default: YES
Default value: undef
ascii_download_enable
Data type: Optional[Boolean]
When enabled, ASCII mode data transfers will be honoured on downloads.
Default: NO
Default value: undef
ascii_upload_enable
Data type: Optional[Boolean]
When enabled, ASCII mode data transfers will be honoured on uploads.
Default: NO
Default value: undef
async_abor_enable
Data type: Optional[Boolean]
When enabled, a special FTP command known as "async ABOR" will be enabled. Only ill advised FTP clients will use this feature. Additionally, this feature is awkward to handle, so it is disabled by default. Unfortunately, some FTP clients will hang when cancelling a transfer unless this feature is available, so you may wish to enable it.
Default: NO
Default value: undef
background
Data type: Optional[Boolean]
When enabled, and vsftpd is started in "listen" mode, vsftpd will background the listener process. i.e. control will immediately be returned to the shell which launched vsftpd.
Default: YES
Default value: undef
check_shell
Data type: Optional[Boolean]
Note! This option only has an effect for non-PAM builds of vsftpd. If disabled, vsftpd will not check /etc/shells for a valid user shell for local logins.
Default: YES
Default value: undef
chmod_enable
Data type: Optional[Boolean]
When enabled, allows use of the SITE CHMOD command. NOTE! This only applies to local users. Anonymous users never get to use SITE CHMOD.
Default value: undef
chown_uploads
Data type: Optional[Boolean]
If enabled, all anonymously uploaded files will have the ownership changed to the user specified in the setting chown_username. This is useful from an administrative, and perhaps security, standpoint.
Default: NO
Default value: undef
chroot_list_enable
Data type: Optional[Boolean]
If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The meaning is slightly different if chroot_local_user is set to YES. In this case, the list becomes a list of users which are NOT to be placed in a chroot() jail. By default, the file containing this list is /etc/vsftpd/chroot_list, but you may override this with the chroot_list_file setting.
Default: NO
Default value: undef
chroot_local_user
Data type: Optional[Boolean]
If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login. Warning: This option has security implications, especially if the users have upload permission, or shell access. Only enable if you know what you are doing. Note that these security implications are not vsftpd specific. They apply to all FTP daemons which offer to put local users in chroot() jails.
Default: NO
Default value: undef
connect_from_port_20
Data type: Optional[Boolean]
This controls whether PORT style data connections use port 20 (ftp-data) on the server machine. For security reasons, some clients may insist that this is the case. Conversely, disabling this option enables vsftpd to run with slightly less privilege.
Default: NO (but the sample config file enables it)
Default value: undef
debug_ssl
Data type: Optional[Boolean]
Default value: undef
delete_failed_uploads
Data type: Optional[Boolean]
Default value: undef
deny_email_enable
Data type: Optional[Boolean]
Default value: undef
dirlist_enable
Data type: Optional[Boolean]
Default value: undef
dirmessage_enable
Data type: Optional[Boolean]
Default value: undef
download_enable
Data type: Optional[Boolean]
Default value: undef
dual_log_enable
Data type: Optional[Boolean]
Default value: undef
force_dot_files
Data type: Optional[Boolean]
Default value: undef
force_anon_data_ssl
Data type: Optional[Boolean]
Default value: undef
force_anon_logins_ssl
Data type: Optional[Boolean]
Default value: undef
force_local_data_ssl
Data type: Optional[Boolean]
Default value: undef
force_local_logins_ssl
Data type: Optional[Boolean]
Default value: undef
guest_enable
Data type: Optional[Boolean]
Default value: undef
hide_ids
Data type: Optional[Boolean]
Default value: undef
implicit_ssl
Data type: Optional[Boolean]
Default value: undef
listen
Data type: Optional[Boolean]
Default value: undef
listen_ipv6
Data type: Optional[Boolean]
Default value: undef
local_enable
Data type: Optional[Boolean]
Default value: undef
lock_upload_files
Data type: Optional[Boolean]
Default value: undef
log_ftp_protocol
Data type: Optional[Boolean]
Default value: undef
ls_recurse_enable
Data type: Optional[Boolean]
Default value: undef
mdtm_write
Data type: Optional[Boolean]
Default value: undef
no_anon_password
Data type: Optional[Boolean]
Default value: undef
no_log_lock
Data type: Optional[Boolean]
Default value: undef
one_process_model
Data type: Optional[Boolean]
Default value: undef
passwd_chroot_enable
Data type: Optional[Boolean]
Default value: undef
pasv_addr_resolve
Data type: Optional[Boolean]
Default value: undef
pasv_enable
Data type: Optional[Boolean]
Default value: undef
pasv_promiscuous
Data type: Optional[Boolean]
Default value: undef
port_enable
Data type: Optional[Boolean]
Default value: undef
port_promiscuous
Data type: Optional[Boolean]
Default value: undef
require_cert
Data type: Optional[Boolean]
Default value: undef
require_ssl_reuse
Data type: Optional[Boolean]
Default value: undef
run_as_launching_user
Data type: Optional[Boolean]
Default value: undef
secure_email_list_enable
Data type: Optional[Boolean]
Default value: undef
session_support
Data type: Optional[Boolean]
Default value: undef
setproctitle_enable
Data type: Optional[Boolean]
Default value: undef
ssl_enable
Data type: Optional[Boolean]
Default value: undef
ssl_request_cert
Data type: Optional[Boolean]
Default value: undef
ssl_sslv2
Data type: Optional[Boolean]
Default value: undef
ssl_sslv3
Data type: Optional[Boolean]
Default value: undef
ssl_tlsv1
Data type: Optional[Boolean]
Default value: undef
strict_ssl_read_eof
Data type: Optional[Boolean]
Default value: undef
strict_ssl_write_shutdown
Data type: Optional[Boolean]
Default value: undef
syslog_enable
Data type: Optional[Boolean]
Default value: undef
tcp_wrappers
Data type: Optional[Boolean]
Default value: undef
text_userdb_names
Data type: Optional[Boolean]
Default value: undef
tilde_user_enable
Data type: Optional[Boolean]
Default value: undef
use_localtime
Data type: Optional[Boolean]
Default value: undef
use_sendfile
Data type: Optional[Boolean]
Default value: undef
userlist_deny
Data type: Optional[Boolean]
Default value: undef
userlist_enable
Data type: Optional[Boolean]
Default value: undef
validate_cert
Data type: Optional[Boolean]
Default value: undef
virtual_use_local_privs
Data type: Optional[Boolean]
Default value: undef
write_enable
Data type: Optional[Boolean]
Default value: undef
xferlog_enable
Data type: Optional[Boolean]
Default value: undef
xferlog_std_format
Data type: Optional[Boolean]
Default value: undef
accept_timeout
Data type: Optional[Integer]
Default value: undef
address_space_limit
Data type: Optional[Integer]
Default value: undef
anon_max_rate
Data type: Optional[Integer]
Default value: undef
anon_umask
Data type: Optional[String]
Default value: undef
chown_upload_mode
Data type: Optional[String]
Default value: undef
connect_timeout
Data type: Optional[Integer]
Default value: undef
data_connection_timeout
Data type: Optional[Integer]
Default value: undef
delay_failed_login
Data type: Optional[Integer]
Default value: undef
delay_successful_login
Data type: Optional[Integer]
Default value: undef
file_open_mode
Data type: Optional[String]
Default value: undef
ftp_data_port
Data type: Optional[Integer]
Default value: undef
idle_session_timeout
Data type: Optional[Integer]
Default value: undef
listen_port
Data type: Optional[Integer]
Default value: undef
local_max_rate
Data type: Optional[Integer]
Default value: undef
local_umask
Data type: Optional[String]
Default value: undef
max_clients
Data type: Optional[Integer]
Default value: undef
max_login_fails
Data type: Optional[Integer]
Default value: undef
max_per_ip
Data type: Optional[Integer]
Default value: undef
pasv_min_port
Data type: Optional[Integer]
Default value: undef
pasv_max_port
Data type: Optional[Integer]
Default value: undef
trans_chunk_size
Data type: Optional[Integer]
Default value: undef
anon_root
Data type: Optional[String]
Default value: undef
banned_email_file
Data type: Optional[String]
Default value: undef
banner_file
Data type: Optional[String]
Default value: undef
ca_certs_file
Data type: Optional[String]
Default value: undef
chown_username
Data type: Optional[String]
Default value: undef
chroot_list_file
Data type: Optional[String]
Default value: undef
cmds_allowed
Data type: Optional[Array[Vsftpd::Cmd]]
Default value: undef
cmds_denied
Data type: Optional[Array[Vsftpd::Cmd]]
Default value: undef
deny_file
Data type: Optional[Array[String]]
Default value: undef
dsa_cert_file
Data type: Optional[String]
Default value: undef
dsa_private_key_file
Data type: Optional[String]
Default value: undef
email_password_file
Data type: Optional[String]
Default value: undef
ftp_username
Data type: Optional[String]
Default value: undef
ftpd_banner
Data type: Optional[String]
Default value: undef
guest_username
Data type: Optional[String]
Default value: undef
hide_file
Data type: Optional[Array[String]]
Default value: undef
listen_address
Data type: Optional[String]
Default value: undef
listen_address6
Data type: Optional[String]
Default value: undef
local_root
Data type: Optional[String]
Default value: undef
message_file
Data type: Optional[String]
Default value: undef
nopriv_user
Data type: Optional[String]
Default value: undef
pam_service_name
Data type: Optional[String]
Default value: undef
pasv_address
Data type: Optional[String]
Default value: undef
rsa_cert_file
Data type: Optional[String]
Default value: undef
rsa_private_key_file
Data type: Optional[String]
Default value: undef
secure_chroot_dir
Data type: Optional[String]
Default value: undef
ssl_ciphers
Data type: Optional[String]
Default value: undef
user_config_dir
Data type: Optional[String]
Default value: undef
user_sub_token
Data type: Optional[String]
Default value: undef
userlist_file
Data type: Optional[String]
Default value: undef
vsftpd_log_file
Data type: Optional[String]
Default value: undef
xferlog_file
Data type: Optional[String]
Default value: undef
Changelog
8.0.1
- drop support for outdated Debian 7 and add Debian 10 instead
8.0.0
- reworked module to use puppet booleans instead of 'YES'/'NO'
- a lot rspec tests added
- tests if every parameter is written correctly into the configuration
- tests for umasks
- tests for parameters which depend on another
- basic tests for all supported operating systems
- test if the catalog compiling fails for an unsupported operating system
- umasks in the configuration file now being checked for validity
- allowed/denied ftp commands are now being checked for valid FTP commands and are now an array
- deny_file/hide_file is now an array
- configuration file cleanup and generalizing
- more additional parameters can be used and overridden:
- manage_service - control if the service should be running and enabled
- package_name - the package name
- config_path - the config file path
- service_name - the service name
- template - the erb template used to render the configuration file
- added support for Suse based operating systems
- Added support for the following/all remaining configuration parameters
Boolean parameters
async_abor_enable
allow_root_squashed_chroot
background
check_shell
chmod_enable
debug_ssl
deny_email_enable
dirlist_enable
force_dot_files
force_anon_data_ssl
force_anon_logins_ssl
implicit_ssl
lock_upload_files
log_ftp_protocol
ls_recurse_enable
mdtm_write
no_anon_password
no_log_lock
one_process_model
passwd_chroot_enable
pasv_addr_resolve
pasv_promiscuous
port_enable
port_promiscuous
require_cert
run_as_launching_user
secure_email_list_enable
session_support
setproctitle_enable
ssl_request_cert
strict_ssl_read_eof
strict_ssl_write_shutdown
text_userdb_names
tilde_user_enable
use_sendfile
validate_cert
virtual_use_local_privs
Numeric/Integer parameters
anon_max_rate
accept_timeout
address_space_limit
chown_upload_mode
data_connect_timeout
delay_failed_login
delay_successful_login
max_login_fails
trans_chunk_size
idle_session_timeout
data_connection_timeout
String parameters
banned_email_file
ca_certs_file
dsa_cert_file
dsa_private_key_file
email_password_file
listen_address
listen_address6
local_root
message_file
user_sub_token
vsftpd_log_file
nopriv_user
xferlog_file
7.0.3
- fixed a breaking syntax mistake for anon_root in the config template (thanks pingram3030)
7.0.2
- made module compatible with PDK
7.0.1
- configuration changes now restart the vsftpd daemon if it's a RedHat based system
- changed project name, urls, etc. (upstream doesn't care about contributions)
7.0.0
- moved comments for configuration parameter into the if block of the config template
- Added support for the following configuration parameters
anon_mkdir_write_enable
anon_other_write_enable
download_enable
chroot_list_enable
file_open_mode
ftp_data_port
listen_port
anon_umask
anon_root
ftpd_banner
banner_file
max_clients
max_per_ip
ftp_username
guest_enable
guest_username
anon_world_readable_only
ascii_download_enable
ascii_upload_enable
chown_uploads
chown_username
chroot_list_file
secure_chroot_dir
user_config_dir
userlist_deny
userlist_enable
userlist_file
delete_failed_uploads
cmds_allowed
cmds_denied
deny_file
hide_file
syslog_enable
dual_log_enable
hide_ids
use_localtime
local_max_rate
Copyright 2018 Aneesh C Copyright 2018-2020 Philipp Seiler Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.