VSFTPD.CONF(5)                File Formats Manual               VSFTPD.CONF(5)

NAME
       vsftpd.conf - config file for vsftpd

DESCRIPTION
       vsftpd.conf may be used to control various aspects of vsftpd's
       behaviour. By default, vsftpd looks for this file at the location
       /etc/vsftpd/vsftpd.conf. However, you may override this by specifying
       a command line argument to vsftpd. The command line argument is the
       pathname of the configuration file for vsftpd. This behaviour is
       useful because you may wish to use an advanced inetd such as xinetd to
       launch vsftpd with different configuration files on a per virtual host
       basis.

       Systemd changes how the vsftpd daemon is started. The vsftpd package
       contains a vsftpd-generator script that generates symbolic links in
       the /var/run/systemd/generator/vsftpd.target.wants directory. The
       generator is called during e.g. 'systemctl --system daemon-reload'.
       All of these symbolic links point to the file
       /usr/lib/systemd/system/vsftpd@.service. The vsftpd daemon(s) can be
       controlled in one of the following ways:

       1. Single daemon using the default /etc/vsftpd/vsftpd.conf
       configuration file
       # systemctl {start,stop,...} vsftpd[.service]

       2. Single daemon using /etc/vsftpd/<config-filename>.conf
       # systemctl {start,stop,...} vsftpd@<config-filename-without-extension>[.service]

       3. All instances together
       # systemctl {restart,stop} vsftpd.target

       See systemd.unit(5), systemd.target(5) for further details.

FORMAT
       The format of vsftpd.conf is very simple. Each line is either a
       comment or a directive. Comment lines start with a # and are ignored.
       A directive line has the format:

       option=value

       It is important to note that it is an error to put any space between
       the option, = and value.

       Each setting has a compiled-in default which may be modified in the
       configuration file.

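       As an added illustration of these rules (example code, not part of
       vsftpd or this manual), the following Python parser accepts comment
       and option=value lines, rejects whitespace around '=', validates a few
       of the boolean options documented in the next section against YES/NO,
       and merges the result over their documented compiled-in defaults. The
       defaults table is a small subset chosen for the example, and the
       sample file contents are constructed.

```python
class ConfigError(ValueError):
    """A line that violates the vsftpd.conf format described above."""


# Compiled-in defaults for a few of the boolean options documented in this
# manual. This is a deliberately small subset chosen for the example.
BOOLEAN_DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "chroot_local_user": "NO",
    "allow_writeable_chroot": "NO",
    "ssl_enable": "NO",
    "listen": "NO",
    "listen_ipv6": "NO",
}


def parse_vsftpd_conf(text):
    """Parse file contents into a dict of option -> value.

    Rules taken from the FORMAT section: a line starting with '#' is a
    comment, every other line must be 'option=value', and whitespace
    between the option, '=' and value is an error. Two details the manual
    does not spell out are assumptions of this example: blank lines are
    skipped, and a repeated option keeps its last value.
    """
    settings = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#"):
            continue  # comment line, ignored
        if line.strip() == "":
            continue  # assumption: blank lines are harmless
        if "=" not in line:
            raise ConfigError(f"line {lineno}: expected option=value, got {line!r}")
        option, value = line.split("=", 1)
        # Any space adjacent to '=' (or before the option name) is an error.
        if option != option.strip() or value != value.lstrip():
            raise ConfigError(f"line {lineno}: no space is allowed around '='")
        if option == "":
            raise ConfigError(f"line {lineno}: missing option name")
        if option in BOOLEAN_DEFAULTS and value not in ("YES", "NO"):
            raise ConfigError(
                f"line {lineno}: {option} is boolean and must be YES or NO, got {value!r}"
            )
        # Trailing whitespace after the value is kept verbatim; the manual
        # does not address it, so this example does not strip it either.
        settings[option] = value
    return settings


def effective_booleans(settings):
    """Merge parsed values over the compiled-in defaults of the known booleans."""
    merged = dict(BOOLEAN_DEFAULTS)
    for option in BOOLEAN_DEFAULTS:
        if option in settings:
            merged[option] = settings[option]
    return merged


# Constructed sample input for the example; not a real deployment's file.
SAMPLE_CONF = """\
# constructed example vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
listen=YES
"""

# Constructed malformed line: spaces around '=' are an error per FORMAT.
BAD_CONF = "anonymous_enable = NO\n"

if __name__ == "__main__":
    parsed = parse_vsftpd_conf(SAMPLE_CONF)
    for option, value in sorted(effective_booleans(parsed).items()):
        print(f"{option}={value}")
    try:
        parse_vsftpd_conf(BAD_CONF)
    except ConfigError as exc:
        print("rejected:", exc)
```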

BOOLEAN OPTIONS
       Below is a list of boolean options. The value for a boolean option may
       be set to YES or NO.

       allow_anon_ssl
              Only applies if ssl_enable is active. If set to YES, anonymous
              users will be allowed to use secured SSL connections.

              Default: NO

       allow_writeable_chroot
              Allow chroot()'ing a user to a directory writable by that user.
              Note that setting this to YES is potentially dangerous. For
              example, if the user creates an 'etc' directory in the new root
              directory, they could potentially trick the C library into
              loading a user-created configuration file from the /etc/
              directory.

              Default: NO

       better_stou
              Use a better file name generation algorithm for the STOU
              command. The default original algorithm simply adds an
              increasing number suffix to the file name, which is prone to
              race conditions if multiple uploaders use the STOU command with
              the same file name simultaneously, which can result in failure
              of the command. The new algorithm adds a unique random six
              character suffix to the file name, which works much better in
              the face of concurrent uploads.

              Default: NO

       anon_mkdir_write_enable
              If set to YES, anonymous users will be permitted to create new
              directories under certain conditions. For this to work, the
              option write_enable must be activated, and the anonymous ftp
              user must have write permission on the parent directory.

              Default: NO

       anon_other_write_enable
              If set to YES, anonymous users will be permitted to perform
              write operations other than upload and create directory, such
              as deletion and renaming. This is generally not recommended but
              included for completeness.

              Default: NO

       anon_upload_enable
              If set to YES, anonymous users will be permitted to upload
              files under certain conditions. For this to work, the option
              write_enable must be activated, and the anonymous ftp user must
              have write permission on desired upload locations. This setting
              is also required for virtual users to upload; by default,
              virtual users are treated with anonymous (i.e. maximally
              restricted) privilege.

              Default: NO

       anon_world_readable_only
              When enabled, anonymous users will only be allowed to download
              files which are world readable. This is recognising that the
              ftp user may own files, especially in the presence of uploads.

              Default: YES

       anonymous_enable
              Controls whether anonymous logins are permitted or not. If
              enabled, both the usernames ftp and anonymous are recognised as
              anonymous logins.

              Default: YES

       ascii_download_enable
              When enabled, ASCII mode data transfers will be honoured on
              downloads. When disabled, the server will pretend to allow
              ASCII mode but in fact ignore requests to activate it. So the
              client will think the ASCII mode is active and therefore may
              still translate any <CRLF> character sequences in the received
              file. See the following article for a detailed explanation of
              the behaviour: https://access.redhat.com/articles/3250241.

              Turn this option on to have the server actually do ASCII
              mangling on files when in ASCII mode.

              Default: NO

       ascii_upload_enable
              When enabled, ASCII mode data transfers will be honoured on
              uploads. When disabled, the server will pretend to allow ASCII
              mode but in fact ignore requests to activate it. So the client
              will think the ASCII mode is active and will translate native
              line terminators to the standard <CRLF> line terminators for
              transmission, but the server will not do any translation. See
              the following article for a detailed explanation of the
              behaviour: https://access.redhat.com/articles/3250241.

              Turn this option on to have the server actually do ASCII
              mangling on files when in ASCII mode.

              Default: NO

       async_abor_enable
              When enabled, a special FTP command known as "async ABOR" will
              be enabled. Only ill advised FTP clients will use this feature.
              Additionally, this feature is awkward to handle, so it is
              disabled by default. Unfortunately, some FTP clients will hang
              when cancelling a transfer unless this feature is available, so
              you may wish to enable it.

              Default: NO

       background
              When enabled, and vsftpd is started in "listen" mode, vsftpd
              will background the listener process, i.e. control will
              immediately be returned to the shell which launched vsftpd.

              Default: YES

       check_shell
              Note! This option only has an effect for non-PAM builds of
              vsftpd. If disabled, vsftpd will not check /etc/shells for a
              valid user shell for local logins.

              Default: YES

       chmod_enable
              When enabled, allows use of the SITE CHMOD command. NOTE! This
              only applies to local users. Anonymous users never get to use
              SITE CHMOD.

              Default: YES

       chown_uploads
              If enabled, all anonymously uploaded files will have the
              ownership changed to the user specified in the setting
              chown_username. This is useful from an administrative, and
              perhaps security, standpoint.

              Default: NO

       chroot_list_enable
              If activated, you may provide a list of local users who are
              placed in a chroot() jail in their home directory upon login.
              The meaning is slightly different if chroot_local_user is set
              to YES. In this case, the list becomes a list of users which
              are NOT to be placed in a chroot() jail. By default, the file
              containing this list is /etc/vsftpd/chroot_list, but you may
              override this with the chroot_list_file setting.

              Default: NO

       chroot_local_user
              If set to YES, local users will be (by default) placed in a
              chroot() jail in their home directory after login. Warning:
              This option has security implications, especially if the users
              have upload permission, or shell access. Only enable if you
              know what you are doing. Note that these security implications
              are not vsftpd specific. They apply to all FTP daemons which
              offer to put local users in chroot() jails.

              Default: NO

       connect_from_port_20
              This controls whether PORT style data connections use port 20
              (ftp-data) on the server machine. For security reasons, some
              clients may insist that this is the case. Conversely, disabling
              this option enables vsftpd to run with slightly less privilege.

              Default: NO (but the sample config file enables it)

       debug_ssl
              If true, OpenSSL connection diagnostics are dumped to the vsftpd
              log file. (Added in v2.0.6).

              Default: NO

       delete_failed_uploads
              If true, any failed upload files are deleted. (Added in
              v2.0.7).

              Default: NO

       deny_email_enable
              If activated, you may provide a list of anonymous password
              e-mail responses which cause login to be denied. By default,
              the file containing this list is /etc/vsftpd/banned_emails, but
              you may override this with the banned_email_file setting.

              Default: NO

       dirlist_enable
              If set to NO, all directory list commands will give permission
              denied.

              Default: YES

       dirmessage_enable
              If enabled, users of the FTP server can be shown messages when
              they first enter a new directory. By default, a directory is
              scanned for the file .message, but that may be overridden with
              the configuration setting message_file.

              Default: NO (but the sample config file enables it)

       download_enable
              If set to NO, all download requests will give permission
              denied.

              Default: YES

       dual_log_enable
              If enabled, two log files are generated in parallel, going by
              default to /var/log/xferlog and /var/log/vsftpd.log. The former
              is a wu-ftpd style transfer log, parseable by standard tools.
              The latter is vsftpd's own style log.

              Default: NO

       force_dot_files
              If activated, files and directories starting with . will be
              shown in directory listings even if the "a" flag was not used
              by the client. This override excludes the "." and ".." entries.

              Default: NO

       force_anon_data_ssl
              Only applies if ssl_enable is activated. If activated, all
              anonymous logins are forced to use a secure SSL connection in
              order to send and receive data on data connections.

              Default: NO

       force_anon_logins_ssl
              Only applies if ssl_enable is activated. If activated, all
              anonymous logins are forced to use a secure SSL connection in
              order to send the password.

              Default: NO

       force_local_data_ssl
              Only applies if ssl_enable is activated. If activated, all
              non-anonymous logins are forced to use a secure SSL connection
              in order to send and receive data on data connections.

              Default: YES

       force_local_logins_ssl
              Only applies if ssl_enable is activated. If activated, all
              non-anonymous logins are forced to use a secure SSL connection
              in order to send the password.

              Default: YES

       guest_enable
              If enabled, all non-anonymous logins are classed as "guest"
              logins. A guest login is remapped to the user specified in the
              guest_username setting.

              Default: NO

       hide_ids
              If enabled, all user and group information in directory
              listings will be displayed as "ftp".

              Default: NO

       implicit_ssl
              If enabled, an SSL handshake is the first thing expected on all
              connections (the FTPS protocol). To support explicit SSL and/or
              plain text too, a separate vsftpd listener process should be
              run.

              Default: NO

       listen
              If enabled, vsftpd will run in standalone mode. This means that
              vsftpd must not be run from an inetd of some kind. Instead, the
              vsftpd executable is run once directly. vsftpd itself will then
              take care of listening for and handling incoming connections.

              Default: NO

       listen_ipv6
              Like the listen parameter, except vsftpd will listen on an IPv6
              socket instead of an IPv4 one. Note that a socket listening on
              the IPv6 "any" address (::) will accept both IPv6 and IPv4
              connections by default. This parameter and the listen parameter
              are mutually exclusive.

              Default: NO

       local_enable
              Controls whether local logins are permitted or not. If enabled,
              normal user accounts in /etc/passwd (or wherever your PAM
              config references) may be used to log in. This must be enabled
              for any non-anonymous login to work, including virtual users.

              Default: NO

       lock_upload_files
              When enabled, all uploads proceed with a write lock on the
              upload file. All downloads proceed with a shared read lock on
              the download file. WARNING! Before enabling this, be aware that
              malicious readers could starve a writer wanting to e.g. append
              a file.

              Default: YES

       log_die
              Log an error to syslog when some error condition occurs and
              vsftpd decides to quit. Internally, the error messages given to
              the functions die(), die2() and bug() are passed to syslog.
              Currently this functionality requires waiting for a short
              amount of time (1 second is used) after logging the message and
              before exiting. This is a workaround for the following systemd
              bug: https://github.com/systemd/systemd/issues/2913

              Default: NO

       log_ftp_protocol
              When enabled, all FTP requests and responses are logged,
              providing the option xferlog_std_format is not enabled. Useful
              for debugging.

              Default: NO

       ls_recurse_enable
              When enabled, this setting will allow the use of "ls -R". This
              is a minor security risk, because a ls -R at the top level of a
              large site may consume a lot of resources.

              Default: NO

       mdtm_write
              When enabled, this setting will allow MDTM to set file
              modification times (subject to the usual access checks).

              Default: YES

       no_anon_password
              When enabled, this prevents vsftpd from asking for an anonymous
              password - the anonymous user will log straight in.

              Default: NO

       no_log_lock
              When enabled, this prevents vsftpd from taking a file lock when
              writing to log files. This option should generally not be
              enabled. It exists to work around operating system bugs such
              as the Solaris / Veritas filesystem combination which has been
              observed to sometimes exhibit hangs trying to lock log files.

              Default: NO

       one_process_model
              If you have a Linux 2.4 kernel, it is possible to use a
              different security model which only uses one process per
              connection. It is a less pure security model, but gains you
              performance. You really don't want to enable this unless you
              know what you are doing, and your site supports huge numbers of
              simultaneously connected users.

              Default: NO

       passwd_chroot_enable
              If enabled, along with chroot_local_user, then a chroot() jail
              location may be specified on a per-user basis. Each user's jail
              is derived from their home directory string in /etc/passwd. The
              occurrence of /./ in the home directory string denotes that the
              jail is at that particular location in the path.

              Default: NO

       pasv_addr_resolve
              Set to YES if you want to use a hostname (as opposed to IP
              address) in the pasv_address option.

              Default: NO

       pasv_enable
              Set to NO if you want to disallow the PASV method of obtaining
              a data connection.

              Default: YES

       pasv_promiscuous
              Set to YES if you want to disable the PASV security check that
              ensures the data connection originates from the same IP address
              as the control connection. Only enable if you know what you are
              doing! The only legitimate use for this is in some form of
              secure tunnelling scheme, or perhaps to facilitate FXP support.

              Default: NO

       port_enable
              Set to NO if you want to disallow the PORT method of obtaining
              a data connection.

              Default: YES

       port_promiscuous
              Set to YES if you want to disable the PORT security check that
              ensures that outgoing data connections can only connect to the
              client. Only enable if you know what you are doing!

              Default: NO

       require_cert
              If set to yes, all SSL client connections are required to
              present a client certificate. The degree of validation applied
              to this certificate is controlled by validate_cert (Added in
              v2.0.6).

              Default: NO

       require_ssl_reuse
              If set to yes, all SSL data connections are required to exhibit
              SSL session reuse (which proves that they know the same master
              secret as the control channel). Although this is a secure
              default, it may break many FTP clients, so you may want to
              disable it. For a discussion of the consequences, see
              http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html
              (Added in v2.1.0).

              Default: YES

       reverse_lookup_enable
              Set to YES if you want vsftpd to transform the IP address into
              the hostname before PAM authentication. This is useful if you
              use pam_access including the hostname. If you want vsftpd to
              run in an environment where the reverse lookup for some
              hostname is available but the name server doesn't respond for a
              while, you should set this to NO to avoid a performance issue.

              Default: YES

       run_as_launching_user
              Set to YES if you want vsftpd to run as the user which launched
              vsftpd. This is useful where root access is not available.
              MASSIVE WARNING! Do NOT enable this option unless you totally
              know what you are doing, as naive use of this option can create
              massive security problems. Specifically, vsftpd does not /
              cannot use chroot technology to restrict file access when this
              option is set (even if launched by root). A poor substitute
              could be to use a deny_file setting such as {/*,*..*}, but the
              reliability of this cannot compare to chroot, and should not be
              relied on. If using this option, many restrictions on other
              options apply. For example, options requiring privilege such as
              non-anonymous logins, upload ownership changing, connecting
              from port 20 and listen ports less than 1024 are not expected
              to work. Other options may be impacted.

              Default: NO

       secure_email_list_enable
              Set to YES if you want only a specified list of e-mail
              passwords for anonymous logins to be accepted. This is useful
              as a low-hassle way of restricting access to low-security
              content without needing virtual users. When enabled, anonymous
              logins are prevented unless the password provided is listed in
              the file specified by the email_password_file setting. The file
              format is one password per line, no extra whitespace. The
              default filename is /etc/vsftpd/email_passwords.

              Default: NO

       session_support
              This controls whether vsftpd attempts to maintain sessions for
              logins. If vsftpd is maintaining sessions, it will try and
              update utmp and wtmp. It will also open a pam_session if using
              PAM to authenticate, and only close this upon logout. You may
              wish to disable this if you do not need session logging, and
              you wish to give vsftpd more opportunity to run with fewer
              processes and / or less privilege. NOTE - utmp and wtmp support
              is only provided with PAM enabled builds.

              Default: NO

       setproctitle_enable
              If enabled, vsftpd will try and show session status information
              in the system process listing. In other words, the reported
              name of the process will change to reflect what a vsftpd
              session is doing (idle, downloading etc). You probably want to
              leave this off for security purposes.

              Default: NO

       ssl_enable
              If enabled, and vsftpd was compiled against OpenSSL, vsftpd will
              support secure connections via SSL. This applies to the control
              connection (including login) and also data connections. You'll
              need a client with SSL support too. NOTE!! Beware enabling this
              option. Only enable it if you need it. vsftpd can make no
              guarantees about the security of the OpenSSL libraries. By
              enabling this option, you are declaring that you trust the
              security of your installed OpenSSL library.

              Default: NO

       ssl_request_cert
              If enabled, vsftpd will request (but not necessarily require;
              see require_cert) a certificate on incoming SSL connections.
              Normally this should not cause any trouble at all, but IBM zOS
              seems to have issues. (New in v2.0.7).

              Default: YES

       ssl_sslv2
              Only applies if ssl_enable is activated. If enabled, this
              option will permit SSL v2 protocol connections. TLS v1.2
              connections are preferred.

              Default: NO

       ssl_sslv3
              Only applies if ssl_enable is activated. If enabled, this
              option will permit SSL v3 protocol connections. TLS v1.2
              connections are preferred.

              Default: NO

       ssl_tlsv1
              Only applies if ssl_enable is activated. If enabled, this
              option will permit TLS v1 protocol connections. TLS v1.2
              connections are preferred.

              Default: NO

       ssl_tlsv1_1
              Only applies if ssl_enable is activated. If enabled, this
              option will permit TLS v1.1 protocol connections. TLS v1.2
              connections are preferred.

              Default: NO

       ssl_tlsv1_2
              Only applies if ssl_enable is activated. If enabled, this
              option will permit TLS v1.2 protocol connections. TLS v1.2
              connections are preferred.

              Default: YES

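       The following Python audit, an added example rather than a vsftpd
       tool, takes a dict of parsed option=value pairs and flags the risky
       settings and combinations described in the entries above (anonymous
       write access, write access inside a chroot() jail, a writable chroot
       root, the promiscuous PASV/PORT checks, run_as_launching_user, legacy
       SSL/TLS versions and the mutually exclusive listen options), falling
       back to each option's documented default when the file omits it. The
       severity labels and the sample settings are the example's own.

```python
# Compiled-in defaults, as documented in this manual, for the options the
# audit consults. Options missing from the file fall back to these values.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "anon_world_readable_only": "YES",
    "write_enable": "NO",
    "chroot_local_user": "NO",
    "allow_writeable_chroot": "NO",
    "pasv_promiscuous": "NO",
    "port_promiscuous": "NO",
    "run_as_launching_user": "NO",
    "ssl_enable": "NO",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "ssl_tlsv1": "NO",
    "ssl_tlsv1_1": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "listen": "NO",
    "listen_ipv6": "NO",
    "setproctitle_enable": "NO",
}


def enabled(settings, option):
    """True when the effective value (file value, else documented default) is YES."""
    return settings.get(option, DEFAULTS[option]) == "YES"


def audit(settings):
    """Return a list of (severity, message) findings for a parsed vsftpd.conf.

    Severity labels are this example's own; each message names the options
    involved so it can be matched against the manual entries above.
    """
    findings = []
    if enabled(settings, "listen") and enabled(settings, "listen_ipv6"):
        findings.append(("error", "listen and listen_ipv6 are mutually exclusive"))
    if enabled(settings, "run_as_launching_user"):
        findings.append(("high", "run_as_launching_user=YES: vsftpd cannot use "
                         "chroot() to restrict file access in this mode"))
    if enabled(settings, "allow_writeable_chroot"):
        findings.append(("high", "allow_writeable_chroot=YES: a writable chroot root "
                         "lets a user supply a fake etc/ to the C library"))
    if enabled(settings, "anonymous_enable"):
        if enabled(settings, "write_enable"):
            anon_writes = [o for o in ("anon_upload_enable", "anon_mkdir_write_enable",
                                        "anon_other_write_enable") if enabled(settings, o)]
            if anon_writes:
                findings.append(("high", "anonymous write access: " + ", ".join(anon_writes)))
        if not enabled(settings, "anon_world_readable_only"):
            findings.append(("medium", "anon_world_readable_only=NO: anonymous users "
                             "can read files owned by the ftp user, e.g. other uploads"))
    if enabled(settings, "chroot_local_user") and enabled(settings, "write_enable"):
        findings.append(("medium", "chroot_local_user=YES with write_enable=YES: the "
                         "manual warns about upload permission inside the jail"))
    for option in ("pasv_promiscuous", "port_promiscuous"):
        if enabled(settings, option):
            findings.append(("high", f"{option}=YES disables the data connection "
                             "address check"))
    if enabled(settings, "ssl_enable"):
        legacy = [o for o in ("ssl_sslv2", "ssl_sslv3", "ssl_tlsv1", "ssl_tlsv1_1")
                  if enabled(settings, o)]
        if legacy:
            findings.append(("medium", "legacy SSL/TLS versions permitted (TLS v1.2 "
                             "is preferred): " + ", ".join(legacy)))
        for option in ("force_local_logins_ssl", "force_local_data_ssl"):
            if not enabled(settings, option):
                findings.append(("medium", f"{option}=NO: local logins may fall back "
                                 "to plain text"))
    if enabled(settings, "setproctitle_enable"):
        findings.append(("low", "setproctitle_enable=YES exposes session state in the "
                         "process listing; the manual suggests leaving it off"))
    return findings


# Constructed sample, shaped as a parser of option=value lines would return it.
SAMPLE_SETTINGS = {
    "anonymous_enable": "YES",
    "write_enable": "YES",
    "anon_upload_enable": "YES",
    "ssl_enable": "YES",
    "ssl_sslv3": "YES",
    "listen": "YES",
}

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_SETTINGS):
        print(f"[{severity}] {message}")
```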
       strict_ssl_read_eof
              If enabled, SSL data uploads are required to terminate via SSL,
              not an EOF on the socket. This option is required to be sure
              that an attacker did not terminate an upload prematurely with a
              faked TCP FIN. Unfortunately, it is not enabled by default
              because so few clients get it right. (New in v2.0.7).

              Default: NO

       strict_ssl_write_shutdown
              If enabled, SSL data downloads are required to terminate via
              SSL, not an EOF on the socket. This is off by default as I was
              unable to find a single FTP client that does this. It is minor.
              All it affects is our ability to tell whether the client
              confirmed full receipt of the file. Even without this option,
              the client is able to check the integrity of the download. (New
              in v2.0.7).

              Default: NO

612       syslog_enable
613              If enabled, then  any  log  output  which  would  have  gone  to
614              /var/log/vsftpd.log  goes  to the system log instead. Logging is
615              done under the FTPD facility.
616
617              Default: NO
618
619       tcp_wrappers
620              If enabled, and vsftpd was compiled with  tcp_wrappers  support,
621              incoming  connections  will  be  fed through tcp_wrappers access
622              control. Furthermore, there is a mechanism for per-IP based con‐
623              figuration.  If  tcp_wrappers sets the VSFTPD_LOAD_CONF environ‐
624              ment variable, then the vsftpd session will  try  and  load  the
625              vsftpd configuration file specified in this variable.
626
627              Default: NO
628
629       text_userdb_names
630              By  default,  numeric IDs are shown in the user and group fields
631              of directory listings. You can get  textual  names  by  enabling
632              this  parameter.  It  is off by default for performance reasons.
633              Note   that   textual   names   are    not    guaranteed    when
634              chroot_local_user is set to YES.
635
636              Default: NO
637
638       tilde_user_enable
639              If  enabled,  vsftpd  will  try  and  resolve  pathnames such as
640              ~chris/pics, i.e. a tilde followed  by  a  username.  Note  that
641              vsftpd  will  always resolve the pathnames ~ and ~/something (in
642              this case the ~ resolves to the initial login  directory).  Note
643              that  ~user  paths will only resolve if the file /etc/passwd may
644              be found within the _current_ chroot() jail.
645
646              Default: NO
647
648       use_localtime
649              If enabled, vsftpd will display directory listings with the time
650              in  your  local  time  zone.  The default is to display GMT. The
651              times returned by the MDTM FTP command are also affected by this
652              option.
653
654              Default: NO
655
656       use_sendfile
657              An  internal  setting  used  for testing the relative benefit of
658              using the sendfile() system call on your platform.
659
660              Default: YES
661
662       userlist_deny
663              This option is examined if userlist_enable is activated. If  you
664              set  this  setting to NO, then users will be denied login unless
665              they  are  explicitly  listed   in   the   file   specified   by
666              userlist_file.   When  login  is  denied,  the  denial is issued
667              before the user is asked for a password.
668
669              Default: YES
670
671       userlist_enable
672              If enabled, vsftpd will load a list of usernames, from the file‐
673              name  given by userlist_file.  If a user tries to log in using a
674              name in this file, they will be denied before they are asked for
675              a password. This may be useful in preventing cleartext passwords
676              being transmitted. See also userlist_deny.
677
678              Default: NO
679
680       validate_cert
681              If set to yes, all SSL client certificates received  must  vali‐
682              date  OK.   Self-signed  certs  do not constitute OK validation.
683              (New in v2.0.6).
684
685              Default: NO
686
687       userlist_log
688              This option is examined  if  userlist_enable  is  activated.  If
689              enabled,  every  login  denial  based  on  the user list will be
690              logged.
691
692              Default: NO
693
694       virtual_use_local_privs
695              If enabled, virtual users will use the same privileges as  local
696              users. By default, virtual users will use the same privileges as
697              anonymous users, which tends to be more restrictive  (especially
698              in terms of write access).
699
700              Default: NO
701
702       write_enable
703              This controls whether any FTP commands which change the filesys‐
704              tem are allowed or not. These commands are:  STOR,  DELE,  RNFR,
705              RNTO, MKD, RMD, APPE and SITE.
706
707              Default: NO
708
709       xferlog_enable
710              If enabled, a log file will be maintained detailing uploads and
711              downloads.   By  default,  this   file   will   be   placed   at
712              /var/log/vsftpd.log,  but  this location may be overridden using
713              the configuration setting vsftpd_log_file.
714
715              Default: NO (but the sample config file enables it)
716
717       xferlog_std_format
718              If enabled, the transfer log file will be  written  in  standard
719              xferlog  format,  as used by wu-ftpd. This is useful because you
720              can reuse existing transfer statistics generators.  The  default
721              format  is more readable, however. The default location for this
722              style of log file is /var/log/xferlog, but  you  may  change  it
723              with the setting xferlog_file.
724
725              Default: NO
726
727       isolate_network
728              If  enabled, use CLONE_NEWNET to isolate the untrusted processes
729              so that they can't do arbitrary connect() and  instead  have  to
730              ask  the  privileged process for sockets (port_promiscuous has to
731              be disabled).
732
733              Default: YES
734
735       isolate
736              If enabled, use CLONE_NEWPID and CLONE_NEWIPC  to  isolate  pro‐
737              cesses  in  their own IPC and PID namespaces, so that separated
738              processes cannot interact with each other.
739
740              Default: YES
741
742

NUMERIC OPTIONS

744       Below is a list of numeric options. A numeric option must be set  to  a
745       non  negative  integer. Octal numbers are supported, for convenience of
746       the umask options. To specify an octal number, use 0 as the first digit
747       of the number.
748
749
750       accept_timeout
751              The  timeout,  in seconds, for a remote client to establish con‐
752              nection with a PASV style data connection.
753
754              Default: 60
755
756       anon_max_rate
757              The maximum data transfer rate permitted, in bytes  per  second,
758              for anonymous clients.
759
760              Default: 0 (unlimited)
761
762       anon_umask
763              The  value that the umask for file creation is set to for anony‐
764              mous users. NOTE! If you want to specify octal values,  remember
765              the  "0" prefix otherwise the value will be treated as a base 10
766              integer!
767
768              Default: 077
769
770       bind_retries
771              Maximum number of attempts to find a free listening port in pas‐
772              sive mode.
773
774              Default: 9
775
776       chown_upload_mode
777              The  file  mode to force for chown()ed anonymous uploads. (Added
778              in v2.0.6).
779
780              Default: 0600
781
782       connect_timeout
783              The timeout, in seconds, for a remote client to respond  to  our
784              PORT style data connection.
785
786              Default: 60
787
788       data_connection_timeout
789              The  timeout,  in  seconds, which is roughly the maximum time we
790              permit data transfers to stall for  with  no  progress.  If  the
791              timeout triggers, the remote client is kicked off.
792
793              Default: 300
794
795       delay_failed_login
796              The  number  of  seconds  to  pause  prior to reporting a failed
797              login.
798
799              Default: 1
800
801       delay_successful_login
802              The number of seconds to pause prior to  allowing  a  successful
803              login.
804
805              Default: 0
806
807       file_open_mode
808              The  permissions  with  which uploaded files are created. Umasks
809              are applied on top of this value. You may wish to change to 0777
810              if you want uploaded files to be executable.
811
812              Default: 0666
813
814       ftp_data_port
815              The port from which PORT style connections originate (as long as
816              the poorly named connect_from_port_20 is enabled).
817
818              Default: 20
819
820       idle_session_timeout
821              The timeout, in seconds, which is  the  maximum  time  a  remote
822              client  may spend between FTP commands. If the timeout triggers,
823              the remote client is kicked off.
824
825              Default: 300
826
827       listen_port
828              If vsftpd is in standalone mode, this is the port it will listen
829              on for incoming FTP connections.
830
831              Default: 21
832
833       local_max_rate
834              The  maximum  data transfer rate permitted, in bytes per second,
835              for local authenticated users.
836
837              Default: 0 (unlimited)
838
839       local_umask
840              The value that the umask for file creation is set to  for  local
841              users.  NOTE!  If you want to specify octal values, remember the
842              "0" prefix otherwise the value will be  treated  as  a  base  10
843              integer!
844
845              Default: 077
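An added example, not part of vsftpd: a Python parser for the option=value format and for the numeric rule above (a leading 0 means octal, otherwise base 10), used to compute the permissions an upload actually receives from file_open_mode and anon_umask/local_umask, and to catch a umask written without the leading 0. The sample config is constructed; the function and variable names are this example's own.

```python
"""Added example, not vsftpd code: parse the option=value format and the
numeric rule from this manual page (a value starting with 0 is octal, anything
else is base 10), then work out what permissions an uploaded file gets."""
import re

_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def parse_conf(text):
    """Return {option: raw_value}. '#' lines and blank lines are ignored;
    whitespace around '=' is an error, as the FORMAT section states."""
    opts = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: not a directive: {line!r}")
        name, value = line.split("=", 1)
        if not _NAME.match(name) or value != value.strip():
            raise ValueError(f"line {lineno}: no spaces allowed around '='")
        opts[name] = value
    return opts


def parse_numeric(value):
    """Non-negative integer; a leading 0 selects octal (e.g. 077 -> 0o77)."""
    if not value.isdigit():
        raise ValueError(f"not a non-negative integer: {value!r}")
    return int(value, 8) if value.startswith("0") else int(value, 10)


def upload_mode(opts, anonymous=False):
    """Effective mode of a new upload: file_open_mode with the umask applied.
    Defaults are the ones this page lists (0666, anon_umask/local_umask 077)."""
    open_mode = parse_numeric(opts.get("file_open_mode", "0666"))
    umask_key = "anon_umask" if anonymous else "local_umask"
    umask = parse_numeric(opts.get(umask_key, "077"))
    return open_mode & ~umask & 0o777


def umask_warnings(opts):
    """Flag the mistake the umask entries warn about: a value without the
    leading 0 is read as decimal (77 is 0o115), which widens permissions."""
    warnings = []
    for key in ("anon_umask", "local_umask"):
        raw = opts.get(key)
        if raw is not None and not raw.startswith("0"):
            dec = parse_numeric(raw)
            warnings.append(f"{key}={raw} is decimal {dec} (octal {dec:o}); "
                            f"did you mean 0{raw}?")
    return warnings


# Constructed sample config (not a real deployment): local_umask lacks the 0.
SAMPLE_CONF = """\
# constructed sample
write_enable=YES
anon_umask=077
local_umask=77
file_open_mode=0666
"""

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print(f"anonymous uploads: {upload_mode(conf, anonymous=True):04o}")  # 0600
    print(f"local uploads:     {upload_mode(conf):04o}")                  # 0662
    for w in umask_warnings(conf):
        print("WARNING:", w)
```

With the sample, local uploads end up mode 0662 (world-writable) instead of the intended 0600, which is exactly the base-10 trap the umask entries describe.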
846
847       max_clients
848              If  vsftpd  is in standalone mode, this is the maximum number of
849              clients which may be connected. Any additional clients  connect‐
850              ing  will  get  an  error message.  The value 0 switches off the
851              limit.
852
853              Default: 2000
854
855       max_login_fails
856              After this many login failures, the session is killed.
857
858              Default: 3
859
860       max_per_ip
861              If vsftpd is in standalone mode, this is the maximum  number  of
862              clients  which  may  be  connected from the same source internet
863              address. A client will get an error message if they go over this
864              limit. The value 0 switches off the limit.
865
866              Default: 50
867
868       pasv_max_port
869              The  maximum  port  to allocate for PASV style data connections.
870              Can be used to specify a  narrow  port  range  to  assist  fire‐
871              walling.
872
873              Default: 0 (use any port)
874
875       pasv_min_port
876              The  minimum  port  to allocate for PASV style data connections.
877              Can be used to specify a  narrow  port  range  to  assist  fire‐
878              walling.
879
880              Default: 0 (use any port)
881
882       trans_chunk_size
883              You  probably  don't  want to change this, but try setting it to
884              something like 8192 for a much smoother bandwidth limiter.
885
886              Default: 0 (let vsftpd pick a sensible setting)
887
888

STRING OPTIONS

890       Below is a list of string options.
891
892
893       anon_root
894              This option represents a directory  which  vsftpd  will  try  to
895              change  into  after  an  anonymous  login.  Failure  is silently
896              ignored.
897
898              Default: (none)
899
900       banned_email_file
901              This option is the name of a file containing a list of anonymous
902              e-mail passwords which are not permitted. This file is consulted
903              if the option deny_email_enable is enabled.
904
905              Default: /etc/vsftpd/banned_emails
906
907       banner_file
908              This option is the name of a file  containing  text  to  display
909              when  someone  connects  to the server. If set, it overrides the
910              banner string provided by the ftpd_banner option.
911
912              Default: (none)
913
914       ca_certs_file
915              This option is the name of a file to load Certificate  Authority
916              certs  from,  for  the  purpose  of validating client certs. The
917              loaded certs are also advertised to the  client,  to  cater  for
918              TLSv1.0  clients  such as the z/OS FTP client.  Regrettably, the
919              default SSL CA cert paths are not used, because of vsftpd's  use
920              of restricted filesystem spaces (chroot). (Added in v2.0.6).
921
922              Default: (none)
923
924       chown_username
925              This  is  the  name of the user who is given ownership of anony‐
926              mously uploaded files. This option is only relevant  if  another
927              option, chown_uploads, is set.
928
929              Default: root
930
931       chroot_list_file
932              The  option  is  the  name  of a file containing a list of local
933              users which will be placed in a  chroot()  jail  in  their  home
934              directory.   This   option   is  only  relevant  if  the  option
935              chroot_list_enable is enabled. If the  option  chroot_local_user
936              is  enabled,  then  the list file becomes a list of users to NOT
937              place in a chroot() jail.
938
939              Default: /etc/vsftpd.chroot_list
940
941       cmds_allowed
942              This option specifies a comma-separated  list  of  allowed  FTP
943              commands (post-login; USER, PASS, QUIT and others  are  always
944              allowed pre-login). Other commands are rejected. This is a  pow‐
945              erful  method  of  really  locking  down an FTP server. Example:
946              cmds_allowed=PASV,RETR,QUIT
947
948              Default: (none)
949
950       cmds_denied
951              This option specifies a comma-separated list of denied FTP com‐
952              mands  (post-login;  USER,  PASS,  QUIT  and  others are always
953              allowed pre-login). If  a  command  appears  on  both  this  and
954              cmds_allowed   then  the  denial  takes  precedence.  (Added  in
955              v2.1.0).
956
957              Default: (none)
958
959       deny_file
960              This option can be used to set  a  pattern  for  filenames  (and
961              directory names etc.) which should not be accessible in any way.
962              The affected items are not hidden, but any attempt  to  do  any‐
963              thing to them (download, change into directory, affect something
964              within directory etc.) will be denied. This option is very  sim‐
965              ple,  and  should  not  be used for serious access control - the
966              filesystem's permissions should be used in preference.  However,
967              this  option  may  be  useful in certain virtual user setups. In
968              particular, be aware that if a filename is accessible by a
969              variety of names (perhaps due to symbolic links or hard links),
970              then care must be taken to deny access to all the names. Access
971              will be denied to items if their name contains the string given
972              by deny_file, or if they match the regular expression specified
973              by deny_file. Note that vsftpd's regular expression matching code
974              is a simple implementation which is a  subset  of  full  regular
975              expression  functionality.  Because  of  this,  you will need to
976              carefully and exhaustively test any application of this  option.
977              And  you  are  recommended to use filesystem permissions for any
978              important security policies due to  their  greater  reliability.
979              Supported  regex  syntax  is any number of *, ? and unnested {,}
980              operators. Regex matching is only supported on the  last  compo‐
981              nent of a path, e.g. a/b/? is supported but a/?/c is not.  Exam‐
982              ple: deny_file={*.mp3,*.mov,.private}
983
984              Default: (none)
985
986       dsa_cert_file
987              This option specifies the location of the DSA certificate to use
988              for SSL encrypted connections.
989
990              Default: (none - an RSA certificate suffices)
991
992       dsa_private_key_file
993              This option specifies the location of the DSA private key to use
994              for SSL encrypted connections. If this option is  not  set,  the
995              private  key  is expected to be in the same file as the certifi‐
996              cate.
997
998              Default: (none)
999
1000       dh_param_file
1001              This option specifies the location of the custom parameters used
1002              for ephemeral Diffie-Hellman key exchange in SSL.
1003
1004              Default:  (none  -  use built in parameters appropriate for cer‐
1005              tificate key size)
1006
1007       ecdh_param_file
1008              This option specifies the  location  of  custom  parameters  for
1009              ephemeral Elliptic Curve Diffie-Hellman (ECDH) key exchange.
1010
1011              Default:  (none  -  use  built  in  parameters,  NIST P-256 with
1012              OpenSSL 1.0.1 and automatically selected curve based  on  client
1013              preferences with OpenSSL 1.0.2 and later)
1014
1015       email_password_file
1016              This  option  can be used to provide an alternate file for usage
1017              by the secure_email_list_enable setting.
1018
1019              Default: /etc/vsftpd/email_passwords
1020
1021       ftp_username
1022              This is the name of the user we use for handling anonymous  FTP.
1023              The home directory of this user is the root of the anonymous FTP
1024              area.
1025
1026              Default: ftp
1027
1028       ftpd_banner
1029              This string option allows you to override  the  greeting  banner
1030              displayed by vsftpd when a connection first comes in.
1031
1032              Default: (none - default vsftpd banner is displayed)
1033
1034       guest_username
1035              See  the  boolean setting guest_enable for a description of what
1036              constitutes a guest login. This setting  is  the  real  username
1037              which guest users are mapped to.
1038
1039              Default: ftp
1040
1041       hide_file
1042              This  option  can  be  used  to set a pattern for filenames (and
1043              directory names etc.) which  should  be  hidden  from  directory
1044              listings. Despite being hidden, the files / directories etc. are
1045              fully accessible to clients who know what names to actually use.
1046              Items  will be hidden if their names contain the string given by
1047              hide_file, or if they match the regular expression specified  by
1048              hide_file.  Note  that vsftpd's regular expression matching code
1049              is a simple implementation which is a  subset  of  full  regular
1050              expression  functionality.  See deny_file for details of exactly
1051              what regex syntax is supported.  Example: hide_file={*.mp3,.hid‐
1052              den,hide*,h?}
1053
1054              Default: (none)
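An added example, not vsftpd's own matcher: a small Python implementation of the pattern subset the deny_file and hide_file entries describe (*, ?, unnested {,}, wildcards only in the last path component, plus the literal-substring rule), so a pattern can be tested exhaustively before it is relied on, as the deny_file entry advises. The paths in the usage section are constructed; the function names are this example's own.

```python
"""Added example, not vsftpd's own code: a matcher for the pattern subset the
deny_file and hide_file entries describe, for testing patterns offline."""


def expand_braces(pattern):
    """Expand unnested {a,b,...} groups into a list of plain alternatives.
    Nested braces are rejected, matching the documented limitation."""
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    end = pattern.find("}", start)
    if end == -1 or "{" in pattern[start + 1:end]:
        raise ValueError(f"unbalanced or nested braces in {pattern!r}")
    head, body, tail = pattern[:start], pattern[start + 1:end], pattern[end + 1:]
    return [head + alt + rest for alt in body.split(",")
            for rest in expand_braces(tail)]


def glob_match(pat, name):
    """Match * (any run of characters) and ? (exactly one character) against
    the whole name. Plain recursion, which is fine for path components."""
    if not pat:
        return name == ""
    if pat[0] == "*":
        return any(glob_match(pat[1:], name[i:]) for i in range(len(name) + 1))
    return bool(name) and pat[0] in ("?", name[0]) and glob_match(pat[1:], name[1:])


def matches(option_value, path):
    """True if `path` is hidden (hide_file) or denied (deny_file) under the
    documented rules: the name contains the option string literally, or the
    last path component matches one of the alternatives. Wildcards in any
    component but the last are rejected (a/b/? is supported, a/?/c is not)."""
    path_dir, _, name = path.rpartition("/")
    if option_value in name:
        return True
    for alt in expand_braces(option_value):
        pat_dir, _, pat_name = alt.rpartition("/")
        if any(c in pat_dir for c in "*?"):
            raise ValueError(f"wildcards only apply to the last component: {alt!r}")
        if pat_dir and pat_dir != path_dir:
            continue
        if glob_match(pat_name, name):
            return True
    return False


# Patterns taken from the examples on this page.
DENY = "{*.mp3,*.mov,.private}"
HIDE = "{*.mp3,.hidden,hide*,h?}"

if __name__ == "__main__":
    # Constructed paths. A renamed copy or hard link of a denied file is not
    # covered: the pattern only ever sees the name it is asked about.
    for p in ("pub/song.mp3", "pub/song.mp3.bak", "pub/.private", "pub/private"):
        print(f"deny_file={DENY}: {p!r} denied={matches(DENY, p)}")
    for p in ("h1", "hideme", ".hidden", "hello"):
        print(f"hide_file={HIDE}: {p!r} hidden={matches(HIDE, p)}")
```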
1055
1056       listen_address
1057              If  vsftpd is in standalone mode, the default listen address (of
1058              all local interfaces) may be overridden by this setting. Provide
1059              a numeric IP address.
1060
1061              Default: (none)
1062
1063       listen_address6
1064              Like  listen_address, but specifies a default listen address for
1065              the IPv6 listener (which is used if listen_ipv6 is set).  Format
1066              is standard IPv6 address format.
1067
1068              Default: (none)
1069
1070       local_root
1071              This  option  represents  a  directory  which vsftpd will try to
1072              change into after a local (i.e. non-anonymous) login. Failure is
1073              silently ignored.
1074
1075              Default: (none)
1076
1077       message_file
1078              This  option  is  the  name  of  the file we look for when a new
1079              directory is entered. The contents are displayed to  the  remote
1080              user.  This  option  is  only  relevant  if  the  option dirmes‐
1081              sage_enable is enabled.
1082
1083              Default: .message
1084
1085       nopriv_user
1086              This is the name of the user that is  used  by  vsftpd  when  it
1087              wants  to  be  totally  unprivileged. Note that this should be a
1088              dedicated user, rather than nobody. The user nobody tends to  be
1089              used for rather a lot of important things on most machines.
1090
1091              Default: nobody
1092
1093       pam_service_name
1094              This string is the name of the PAM service vsftpd will use.
1095
1096              Default: ftp
1097
1098       pasv_address
1099              Use  this  option  to  override  the IP address that vsftpd will
1100              advertise in response to the PASV command. Provide a numeric  IP
1101              address,  unless pasv_addr_resolve is enabled, in which case you
1102              can provide a hostname which will be DNS  resolved  for  you  at
1103              startup.
1104
1105              Default:  (none  -  the  address is taken from the incoming con‐
1106              nected socket)
1107
1108       rsa_cert_file
1109              This option specifies the location of the RSA certificate to use
1110              for SSL encrypted connections.
1111
1112              Default: /usr/share/ssl/certs/vsftpd.pem
1113
1114       rsa_private_key_file
1115              This option specifies the location of the RSA private key to use
1116              for SSL encrypted connections. If this option is  not  set,  the
1117              private  key  is expected to be in the same file as the certifi‐
1118              cate.
1119
1120              Default: (none)
1121
1122       secure_chroot_dir
1123              This option should be the name of a directory  which  is  empty.
1124              Also, the directory should not be writable by the ftp user. This
1125              directory is used as a secure chroot() jail at times vsftpd does
1126              not require filesystem access.
1127
1128              Default: /usr/share/empty
1129
1130       ssl_ciphers
1131              This  option can be used to select which SSL ciphers vsftpd will
1132              allow for encrypted SSL connections. See the  ciphers  man  page
1133              for further details. Note that restricting ciphers can be a use‐
1134              ful security precaution as it prevents malicious remote  parties
1135              forcing a cipher which they have found problems with.
1136
1137              Default: DES-CBC3-SHA
1138
1139       user_config_dir
1140              This  powerful  option  allows the override of any config option
1141              specified in the manual page, on a per-user basis. Usage is sim‐
1142              ple,  and  is  best  illustrated  with  an  example.  If you set
1143              user_config_dir to be /etc/vsftpd/user_conf and then log  on  as
1144              the  user  "chris",  then  vsftpd will apply the settings in the
1145              file /etc/vsftpd/user_conf/chris for the duration  of  the  ses‐
1146              sion.  The  format  of  this  file is as detailed in this manual
1147              page! PLEASE NOTE that not all settings are effective on a  per-
1148              user  basis. For example, many settings only apply prior to the
1149              user's session being started. Examples of settings which will
1150              not affect any behaviour on a per-user basis include
1151              listen_address, banner_file, max_per_ip, max_clients,
1152              xferlog_file, etc.
1152
1153              Default: (none)
1154
1155       user_sub_token
1156              This option is useful in conjunction with virtual users.  It  is
1157              used to automatically generate a home directory for each virtual
1158              user, based on a template. For example, if the home directory of
1159              the   real  user  specified  via  guest_username  is  /home/vir‐
1160              tual/$USER, and user_sub_token is set to $USER, then  when  vir‐
1161              tual  user fred logs in, he will end up (usually chroot()'ed) in
1162              the directory /home/virtual/fred.  This option also takes effect
1163              if local_root contains user_sub_token.
1164
1165              Default: (none)
1166
1167       userlist_file
1168              This   option   is   the  name  of  the  file  loaded  when  the
1169              userlist_enable option is active.
1170
1171              Default: /etc/vsftpd/user_list
1172
1173       vsftpd_log_file
1174              This option is the name of the file to which we write the vsftpd
1175              style  log  file.  This  log is only written if the option xfer‐
1176              log_enable is set, and xferlog_std_format is NOT  set.  Alterna‐
1177              tively,   it   is   written   if   you   have   set  the  option
1178              dual_log_enable.  One further complication -  if  you  have  set
1179              syslog_enable,  then this file is not written and output is sent
1180              to the system log instead.
1181
1182              Default: /var/log/vsftpd.log
1183
1184       xferlog_file
1185              This option is the name of the file to which we  write  the  wu-
1186              ftpd style transfer log. The transfer log is only written if the
1187              option xferlog_enable is  set,  along  with  xferlog_std_format.
1188              Alternatively,  it  is  written  if  you  have  set  the  option
1189              dual_log_enable.
1190
1191              Default: /var/log/xferlog
1192
1193

AUTHOR

1195       scarybeasts@gmail.com
1196
1197
1198
1199