VSFTPD.CONF(5)                 File Formats Manual                VSFTPD.CONF(5)

NAME
       vsftpd.conf - config file for vsftpd

DESCRIPTION
       vsftpd.conf may be used to control various aspects of vsftpd's
       behaviour. By default, vsftpd looks for this file at the location
       /etc/vsftpd/vsftpd.conf. However, you may override this by specifying
       a command line argument to vsftpd. The command line argument is the
       pathname of the configuration file for vsftpd. This behaviour is
       useful because you may wish to use an advanced inetd such as xinetd
       to launch vsftpd with different configuration files on a per virtual
       host basis.

       Systemd changes the vsftpd daemon start-up. The vsftpd package
       contains the vsftpd-generator script, which generates symbolic links
       in the /var/run/systemd/generator/vsftpd.target.wants directory. The
       generator is called during e.g. 'systemctl --system daemon-reload'.
       All these symbolic links point to the
       /usr/lib/systemd/system/vsftpd@.service file. The vsftpd daemon(s)
       is/are controlled in one of the following ways:

       1. Single daemon using the default /etc/vsftpd/vsftpd.conf
          configuration file
          # systemctl {start,stop,...} vsftpd[.service]

       2. Single daemon using /etc/vsftpd/<config-filename>.conf
          # systemctl {start,stop,...} vsftpd@<config-filename-without-extension>[.service]

       3. All instances together
          # systemctl {restart,stop} vsftpd.target

       See systemd.unit(5), systemd.target(5) for further details.

FORMAT
       The format of vsftpd.conf is very simple. Each line is either a
       comment or a directive. Comment lines start with a # and are ignored.
       A directive line has the format:

       option=value

       It is important to note that it is an error to put any space between
       the option, = and value.

       Each setting has a compiled in default which may be modified in the
       configuration file.

BOOLEAN OPTIONS
       Below is a list of boolean options. The value for a boolean option
       may be set to YES or NO.

       allow_anon_ssl
              Only applies if ssl_enable is active. If set to YES, anonymous
              users will be allowed to use secured SSL connections.

              Default: NO

       allow_writeable_chroot
              Allow chroot()'ing a user to a directory writable by that
              user. Note that setting this to YES is potentially dangerous.
              For example, if the user creates an 'etc' directory in the new
              root directory, they could potentially trick the C library
              into loading a user-created configuration file from the /etc/
              directory.

              Default: NO

       better_stou
              Use a better file name generation algorithm for the STOU
              command. The default original algorithm simply adds an
              increasing number suffix to the file name, which is prone to
              race conditions if multiple uploaders use the STOU command
              with the same file name simultaneously, which can result in
              failure of the command. The new algorithm adds a unique random
              six character suffix to the file name, which works much better
              in the face of concurrent uploads.

              Default: NO

       anon_mkdir_write_enable
              If set to YES, anonymous users will be permitted to create new
              directories under certain conditions. For this to work, the
              option write_enable must be activated, and the anonymous ftp
              user must have write permission on the parent directory.

              Default: NO

       anon_other_write_enable
              If set to YES, anonymous users will be permitted to perform
              write operations other than upload and create directory, such
              as deletion and renaming. This is generally not recommended
              but included for completeness.

              Default: NO

       anon_upload_enable
              If set to YES, anonymous users will be permitted to upload
              files under certain conditions. For this to work, the option
              write_enable must be activated, and the anonymous ftp user
              must have write permission on desired upload locations. This
              setting is also required for virtual users to upload; by
              default, virtual users are treated with anonymous (i.e.
              maximally restricted) privilege.

              Default: NO

       anon_world_readable_only
              When enabled, anonymous users will only be allowed to download
              files which are world readable. This recognises that the ftp
              user may own files, especially in the presence of uploads.

              Default: YES

       anonymous_enable
              Controls whether anonymous logins are permitted or not. If
              enabled, both the usernames ftp and anonymous are recognised
              as anonymous logins.

              Default: YES

       ascii_download_enable
              When enabled, ASCII mode data transfers will be honoured on
              downloads. When disabled, the server will pretend to allow
              ASCII mode but in fact ignore requests to activate it. So the
              client will think the ASCII mode is active and therefore may
              still translate any <CRLF> character sequences in the received
              file. See the following article for a detailed explanation of
              the behaviour: https://access.redhat.com/articles/3250241.

              Turn this option on to have the server actually do ASCII
              mangling on files when in ASCII mode.

              Default: NO

       ascii_upload_enable
              When enabled, ASCII mode data transfers will be honoured on
              uploads. When disabled, the server will pretend to allow ASCII
              mode but in fact ignore requests to activate it. So the client
              will think the ASCII mode is active and will translate native
              line terminators to the standard <CRLF> line terminators for
              transmission, but the server will not do any translation. See
              the following article for a detailed explanation of the
              behaviour: https://access.redhat.com/articles/3250241.

              Turn this option on to have the server actually do ASCII
              mangling on files when in ASCII mode.

              Default: NO

       async_abor_enable
              When enabled, a special FTP command known as "async ABOR" will
              be enabled. Only ill-advised FTP clients will use this
              feature. Additionally, this feature is awkward to handle, so
              it is disabled by default. Unfortunately, some FTP clients
              will hang when cancelling a transfer unless this feature is
              available, so you may wish to enable it.

              Default: NO

       background
              When enabled, and vsftpd is started in "listen" mode, vsftpd
              will background the listener process, i.e. control will
              immediately be returned to the shell which launched vsftpd.

              Default: YES

       check_shell
              Note! This option only has an effect for non-PAM builds of
              vsftpd. If disabled, vsftpd will not check /etc/shells for a
              valid user shell for local logins.

              Default: YES

       chmod_enable
              When enabled, allows use of the SITE CHMOD command. NOTE! This
              only applies to local users. Anonymous users never get to use
              SITE CHMOD.

              Default: YES

       chown_uploads
              If enabled, all anonymously uploaded files will have the
              ownership changed to the user specified in the setting
              chown_username. This is useful from an administrative, and
              perhaps security, standpoint.

              Default: NO

       chroot_list_enable
              If activated, you may provide a list of local users who are
              placed in a chroot() jail in their home directory upon login.
              The meaning is slightly different if chroot_local_user is set
              to YES. In this case, the list becomes a list of users which
              are NOT to be placed in a chroot() jail. By default, the file
              containing this list is /etc/vsftpd/chroot_list, but you may
              override this with the chroot_list_file setting.

              Default: NO

       chroot_local_user
              If set to YES, local users will be (by default) placed in a
              chroot() jail in their home directory after login. Warning:
              This option has security implications, especially if the
              users have upload permission, or shell access. Only enable if
              you know what you are doing. Note that these security
              implications are not vsftpd specific. They apply to all FTP
              daemons which offer to put local users in chroot() jails.

              Default: NO

       connect_from_port_20
              This controls whether PORT style data connections use port 20
              (ftp-data) on the server machine. For security reasons, some
              clients may insist that this is the case. Conversely,
              disabling this option enables vsftpd to run with slightly less
              privilege.

              Default: NO (but the sample config file enables it)

       debug_ssl
              If true, OpenSSL connection diagnostics are dumped to the
              vsftpd log file. (Added in v2.0.6).

              Default: NO

       delete_failed_uploads
              If true, any failed upload files are deleted. (Added in
              v2.0.7).

              Default: NO

       deny_email_enable
              If activated, you may provide a list of anonymous password
              e-mail responses which cause login to be denied. By default,
              the file containing this list is /etc/vsftpd/banned_emails,
              but you may override this with the banned_email_file setting.

              Default: NO

       dirlist_enable
              If set to NO, all directory list commands will give permission
              denied.

              Default: YES

       dirmessage_enable
              If enabled, users of the FTP server can be shown messages when
              they first enter a new directory. By default, a directory is
              scanned for the file .message, but that may be overridden with
              the configuration setting message_file.

              Default: NO (but the sample config file enables it)

       download_enable
              If set to NO, all download requests will give permission
              denied.

              Default: YES

       dual_log_enable
              If enabled, two log files are generated in parallel, going by
              default to /var/log/xferlog and /var/log/vsftpd.log. The
              former is a wu-ftpd style transfer log, parseable by standard
              tools. The latter is vsftpd's own style log.

              Default: NO

       force_dot_files
              If activated, files and directories starting with . will be
              shown in directory listings even if the "a" flag was not used
              by the client. This override excludes the "." and ".."
              entries.

              Default: NO

       force_anon_data_ssl
              Only applies if ssl_enable is activated. If activated, all
              anonymous logins are forced to use a secure SSL connection in
              order to send and receive data on data connections.

              Default: NO

       force_anon_logins_ssl
              Only applies if ssl_enable is activated. If activated, all
              anonymous logins are forced to use a secure SSL connection in
              order to send the password.

              Default: NO

       force_local_data_ssl
              Only applies if ssl_enable is activated. If activated, all
              non-anonymous logins are forced to use a secure SSL connection
              in order to send and receive data on data connections.

              Default: YES

       force_local_logins_ssl
              Only applies if ssl_enable is activated. If activated, all
              non-anonymous logins are forced to use a secure SSL connection
              in order to send the password.

              Default: YES

       guest_enable
              If enabled, all non-anonymous logins are classed as "guest"
              logins. A guest login is remapped to the user specified in the
              guest_username setting.

              Default: NO

       hide_ids
              If enabled, all user and group information in directory
              listings will be displayed as "ftp".

              Default: NO

       implicit_ssl
              If enabled, an SSL handshake is the first thing expected on
              all connections (the FTPS protocol). To support explicit SSL
              and/or plain text too, a separate vsftpd listener process
              should be run.

              Default: NO

       listen
              If enabled, vsftpd will run in standalone mode. This means
              that vsftpd must not be run from an inetd of some kind.
              Instead, the vsftpd executable is run once directly. vsftpd
              itself will then take care of listening for and handling
              incoming connections.

              Default: NO

       listen_ipv6
              Like the listen parameter, except vsftpd will listen on an
              IPv6 socket instead of an IPv4 one. Note that a socket
              listening on the IPv6 "any" address (::) will accept both IPv6
              and IPv4 connections by default. This parameter and the listen
              parameter are mutually exclusive.

              Default: NO

       local_enable
              Controls whether local logins are permitted or not. If
              enabled, normal user accounts in /etc/passwd (or wherever your
              PAM config references) may be used to log in. This must be
              enabled for any non-anonymous login to work, including virtual
              users.

              Default: NO

       lock_upload_files
              When enabled, all uploads proceed with a write lock on the
              upload file. All downloads proceed with a shared read lock on
              the download file. WARNING! Before enabling this, be aware
              that malicious readers could starve a writer wanting to e.g.
              append a file.

              Default: YES

       log_die
              Log an error to syslog when some error condition occurs and
              vsftpd decides to quit. Internally, the error messages given
              to the functions die(), die2() and bug() are passed to syslog.
              Currently this functionality requires waiting for a short
              amount of time (1 second is used) after logging the message
              and before exiting. This is a workaround for the following
              systemd bug: https://github.com/systemd/systemd/issues/2913

              Default: NO

       log_ftp_protocol
              When enabled, all FTP requests and responses are logged,
              providing the option xferlog_std_format is not enabled. Useful
              for debugging.

              Default: NO

       ls_recurse_enable
              When enabled, this setting will allow the use of "ls -R". This
              is a minor security risk, because a ls -R at the top level of
              a large site may consume a lot of resources.

              Default: NO

       mdtm_write
              When enabled, this setting will allow MDTM to set file
              modification times (subject to the usual access checks).

              Default: YES

       no_anon_password
              When enabled, this prevents vsftpd from asking for an
              anonymous password - the anonymous user will log straight in.

              Default: NO

       no_log_lock
              When enabled, this prevents vsftpd from taking a file lock
              when writing to log files. This option should generally not be
              enabled. It exists to work around operating system bugs such
              as the Solaris / Veritas filesystem combination which has been
              observed to sometimes exhibit hangs trying to lock log files.

              Default: NO

       one_process_model
              If you have a Linux 2.4 kernel, it is possible to use a
              different security model which only uses one process per
              connection. It is a less pure security model, but gains you
              performance. You really don't want to enable this unless you
              know what you are doing, and your site supports huge numbers
              of simultaneously connected users.

              Default: NO

       passwd_chroot_enable
              If enabled, along with chroot_local_user, then a chroot() jail
              location may be specified on a per-user basis. Each user's
              jail is derived from their home directory string in
              /etc/passwd. The occurrence of /./ in the home directory
              string denotes that the jail is at that particular location in
              the path.

              Default: NO

       pasv_addr_resolve
              Set to YES if you want to use a hostname (as opposed to IP
              address) in the pasv_address option.

              Default: NO

       pasv_enable
              Set to NO if you want to disallow the PASV method of obtaining
              a data connection.

              Default: YES

       pasv_promiscuous
              Set to YES if you want to disable the PASV security check that
              ensures the data connection originates from the same IP
              address as the control connection. Only enable if you know
              what you are doing! The only legitimate use for this is in
              some form of secure tunnelling scheme, or perhaps to
              facilitate FXP support.

              Default: NO

       port_enable
              Set to NO if you want to disallow the PORT method of obtaining
              a data connection.

              Default: YES

       port_promiscuous
              Set to YES if you want to disable the PORT security check that
              ensures that outgoing data connections can only connect to the
              client. Only enable if you know what you are doing!

              Default: NO

       require_cert
              If set to yes, all SSL client connections are required to
              present a client certificate. The degree of validation applied
              to this certificate is controlled by validate_cert (Added in
              v2.0.6).

              Default: NO

       require_ssl_reuse
              If set to yes, all SSL data connections are required to
              exhibit SSL session reuse (which proves that they know the
              same master secret as the control channel). Although this is a
              secure default, it may break many FTP clients, so you may want
              to disable it. For a discussion of the consequences, see
              http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html
              (Added in v2.1.0).

              Default: YES

       reverse_lookup_enable
              Set to YES if you want vsftpd to transform the IP address into
              the hostname before PAM authentication. This is useful if you
              use pam_access including the hostname. If vsftpd runs in an
              environment where the reverse lookup for some hostname is
              available but the name server does not respond for a while,
              you should set this to NO to avoid a performance issue.

              Default: YES

       run_as_launching_user
              Set to YES if you want vsftpd to run as the user which
              launched vsftpd. This is useful where root access is not
              available. MASSIVE WARNING! Do NOT enable this option unless
              you totally know what you are doing, as naive use of this
              option can create massive security problems. Specifically,
              vsftpd does not / cannot use chroot technology to restrict
              file access when this option is set (even if launched by
              root). A poor substitute could be to use a deny_file setting
              such as {/*,*..*}, but the reliability of this cannot compare
              to chroot, and should not be relied on. If using this option,
              many restrictions on other options apply. For example, options
              requiring privilege such as non-anonymous logins, upload
              ownership changing, connecting from port 20 and listen ports
              less than 1024 are not expected to work. Other options may be
              impacted.

              Default: NO

       secure_email_list_enable
              Set to YES if you want only a specified list of e-mail
              passwords for anonymous logins to be accepted. This is useful
              as a low-hassle way of restricting access to low-security
              content without needing virtual users. When enabled, anonymous
              logins are prevented unless the password provided is listed in
              the file specified by the email_password_file setting. The
              file format is one password per line, no extra whitespace. The
              default filename is /etc/vsftpd/email_passwords.

              Default: NO

       session_support
              This controls whether vsftpd attempts to maintain sessions for
              logins. If vsftpd is maintaining sessions, it will try and
              update utmp and wtmp. It will also open a pam_session if using
              PAM to authenticate, and only close this upon logout. You may
              wish to disable this if you do not need session logging, and
              you wish to give vsftpd more opportunity to run with fewer
              processes and / or less privilege. NOTE - utmp and wtmp
              support is only provided with PAM enabled builds.

              Default: NO

       setproctitle_enable
              If enabled, vsftpd will try and show session status
              information in the system process listing. In other words, the
              reported name of the process will change to reflect what a
              vsftpd session is doing (idle, downloading etc). You probably
              want to leave this off for security purposes.

              Default: NO

       ssl_enable
              If enabled, and vsftpd was compiled against OpenSSL, vsftpd
              will support secure connections via SSL. This applies to the
              control connection (including login) and also data
              connections. You'll need a client with SSL support too. NOTE!!
              Beware enabling this option. Only enable it if you need it.
              vsftpd can make no guarantees about the security of the
              OpenSSL libraries. By enabling this option, you are declaring
              that you trust the security of your installed OpenSSL library.

              Default: NO

       ssl_request_cert
              If enabled, vsftpd will request (but not necessarily require;
              see require_cert) a certificate on incoming SSL connections.
              Normally this should not cause any trouble at all, but IBM zOS
              seems to have issues. (New in v2.0.7).

              Default: YES

       ssl_sslv2
              Only applies if ssl_enable is activated. If enabled, this
              option will permit SSL v2 protocol connections. TLS v1.2
              connections are preferred.

              Default: NO

       ssl_sslv3
              Only applies if ssl_enable is activated. If enabled, this
              option will permit SSL v3 protocol connections. TLS v1.2
              connections are preferred.

              Default: NO

       ssl_tlsv1
              Only applies if ssl_enable is activated. If enabled, this
              option will permit TLS v1 protocol connections. TLS v1.2
              connections are preferred.

              Default: NO

       ssl_tlsv1_1
              Only applies if ssl_enable is activated. If enabled, this
              option will permit TLS v1.1 protocol connections. TLS v1.2
              connections are preferred.

              Default: NO

       ssl_tlsv1_2
              Only applies if ssl_enable is activated. If enabled, this
              option will permit TLS v1.2 protocol connections. TLS v1.2
              connections are preferred.

              Default: YES

       strict_ssl_read_eof
              If enabled, SSL data uploads are required to terminate via
              SSL, not an EOF on the socket. This option is required to be
              sure that an attacker did not terminate an upload prematurely
              with a faked TCP FIN. (New in v2.0.7).

              Default: YES

       strict_ssl_write_shutdown
              If enabled, SSL data downloads are required to terminate via
              SSL, not an EOF on the socket. This is off by default as I was
              unable to find a single FTP client that does this. It is
              minor. All it affects is our ability to tell whether the
              client confirmed full receipt of the file. Even without this
              option, the client is able to check the integrity of the
              download. (New in v2.0.7).

              Default: NO

       syslog_enable
              If enabled, then any log output which would have gone to
              /var/log/vsftpd.log goes to the system log instead. Logging is
              done under the FTPD facility.

              Default: NO

       tcp_wrappers
              If enabled, and vsftpd was compiled with tcp_wrappers support,
              incoming connections will be fed through tcp_wrappers access
              control. Furthermore, there is a mechanism for per-IP based
              configuration. If tcp_wrappers sets the VSFTPD_LOAD_CONF
              environment variable, then the vsftpd session will try and
              load the vsftpd configuration file specified in this variable.

              Default: NO

       text_userdb_names
              By default, numeric IDs are shown in the user and group fields
              of directory listings. You can get textual names by enabling
              this parameter. It is off by default for performance reasons.
              Note that textual names are not guaranteed when
              chroot_local_user is set to YES.

              Default: NO

       tilde_user_enable
              If enabled, vsftpd will try and resolve pathnames such as
              ~chris/pics, i.e. a tilde followed by a username. Note that
              vsftpd will always resolve the pathnames ~ and ~/something (in
              this case the ~ resolves to the initial login directory). Note
              that ~user paths will only resolve if the file /etc/passwd may
              be found within the _current_ chroot() jail.

              Default: NO

       use_localtime
              If enabled, vsftpd will display directory listings with the
              time in your local time zone. The default is to display GMT.
              The times returned by the MDTM FTP command are also affected
              by this option.

              Default: NO

       use_sendfile
              An internal setting used for testing the relative benefit of
              using the sendfile() system call on your platform.

              Default: YES

       userlist_deny
              This option is examined if userlist_enable is activated. If
              you set this setting to NO, then users will be denied login
              unless they are explicitly listed in the file specified by
              userlist_file. When login is denied, the denial is issued
              before the user is asked for a password.

              Default: YES

       userlist_enable
              If enabled, vsftpd will load a list of usernames, from the
              filename given by userlist_file. If a user tries to log in
              using a name in this file, they will be denied before they are
              asked for a password. This may be useful in preventing
              cleartext passwords being transmitted. See also userlist_deny.

              Default: NO

       validate_cert
              If set to yes, all SSL client certificates received must
              validate OK. Self-signed certs do not constitute OK
              validation. (New in v2.0.6).

              Default: NO

       userlist_log
              This option is examined if userlist_enable is activated. If
              enabled, every login denial based on the user list will be
              logged.

              Default: NO

       virtual_use_local_privs
              If enabled, virtual users will use the same privileges as
              local users. By default, virtual users will use the same
              privileges as anonymous users, which tends to be more
              restrictive (especially in terms of write access).

              Default: NO

       write_enable
              This controls whether any FTP commands which change the
              filesystem are allowed or not. These commands are: STOR, DELE,
              RNFR, RNTO, MKD, RMD, APPE and SITE.

              Default: NO

       xferlog_enable
              If enabled, a log file will be maintained detailing uploads
              and downloads. By default, this file will be placed at
              /var/log/vsftpd.log, but this location may be overridden using
              the configuration setting vsftpd_log_file.

              Default: NO (but the sample config file enables it)

       xferlog_std_format
              If enabled, the transfer log file will be written in standard
              xferlog format, as used by wu-ftpd. This is useful because you
              can reuse existing transfer statistics generators. The default
              format is more readable, however. The default location for
              this style of log file is /var/log/xferlog, but you may change
              it with the setting xferlog_file.

              Default: NO

       isolate_network
              If enabled, use CLONE_NEWNET to isolate the untrusted
              processes so that they can't do arbitrary connect() and
              instead have to ask the privileged process for sockets
              (port_promiscuous has to be disabled).

              Default: YES

       isolate
              If enabled, use CLONE_NEWPID and CLONE_NEWIPC to isolate
              processes into their own IPC and PID namespaces, so separated
              processes cannot interact with each other.

              Default: YES

NUMERIC OPTIONS
       Below is a list of numeric options. A numeric option must be set to a
       non-negative integer. Octal numbers are supported, for convenience of
       the umask options. To specify an octal number, use 0 as the first
       digit of the number.

       accept_timeout
              The timeout, in seconds, for a remote client to establish
              connection with a PASV style data connection.

              Default: 60

       anon_max_rate
              The maximum data transfer rate permitted, in bytes per second,
              for anonymous clients.

              Default: 0 (unlimited)

       anon_umask
              The value that the umask for file creation is set to for
              anonymous users. NOTE! If you want to specify octal values,
              remember the "0" prefix otherwise the value will be treated as
              a base 10 integer!

              Default: 077

       bind_retries
              Maximum number of attempts to find a free listening port in
              passive mode.

              Default: 9

       chown_upload_mode
              The file mode to force for chown()ed anonymous uploads. (Added
              in v2.0.6).

              Default: 0600

       connect_timeout
              The timeout, in seconds, for a remote client to respond to our
              PORT style data connection.

              Default: 60

       data_connection_timeout
              The timeout, in seconds, which is roughly the maximum time we
              permit data transfers to stall for with no progress. If the
              timeout triggers, the remote client is kicked off.

              Default: 300

       delay_failed_login
              The number of seconds to pause prior to reporting a failed
              login.

              Default: 1

       delay_successful_login
              The number of seconds to pause prior to allowing a successful
              login.

              Default: 0

       file_open_mode
              The permissions with which uploaded files are created. Umasks
              are applied on top of this value. You may wish to change to
              0777 if you want uploaded files to be executable.

              Default: 0666

       ftp_data_port
              The port from which PORT style connections originate (as long
              as the poorly named connect_from_port_20 is enabled).

              Default: 20

       idle_session_timeout
              The timeout, in seconds, which is the maximum time a remote
              client may spend between FTP commands. If the timeout
              triggers, the remote client is kicked off.

              Default: 300

       listen_port
              If vsftpd is in standalone mode, this is the port it will
              listen on for incoming FTP connections.

              Default: 21

       local_max_rate
              The maximum data transfer rate permitted, in bytes per second,
              for local authenticated users.

              Default: 0 (unlimited)

       local_umask
              The value that the umask for file creation is set to for local
              users. NOTE! If you want to specify octal values, remember the
              "0" prefix otherwise the value will be treated as a base 10
              integer!

              Default: 077

       max_clients
              If vsftpd is in standalone mode, this is the maximum number of
              clients which may be connected. Any additional clients
              connecting will get an error message. The value 0 switches off
              the limit.

              Default: 2000

       max_login_fails
              After this many login failures, the session is killed.

              Default: 3

       max_per_ip
              If vsftpd is in standalone mode, this is the maximum number of
              clients which may be connected from the same source internet
              address. A client will get an error message if they go over
              this limit. The value 0 switches off the limit.

              Default: 50

       pasv_max_port
              The maximum port to allocate for PASV style data connections.
              Can be used to specify a narrow port range to assist
              firewalling.

              Default: 0 (use any port)

       pasv_min_port
              The minimum port to allocate for PASV style data connections.
              Can be used to specify a narrow port range to assist
              firewalling.

              Default: 0 (use any port)

       trans_chunk_size
              You probably don't want to change this, but try setting it to
              something like 8192 for a much smoother bandwidth limiter.

              Default: 0 (let vsftpd pick a sensible setting)

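       The FORMAT rules above (option=value, no whitespace around '=', '#'
       comment lines), the YES/NO booleans and the leading-0 octal convention
       of the numeric options can be exercised together with a small parser
       and checker. This is an added example, not code from the vsftpd
       project; the option names and defaults are the ones stated in this
       manual, and the checks encode only combinations the option
       descriptions themselves call out (mutually exclusive listeners,
       promiscuous data connections, legacy SSL/TLS versions, anonymous
       write access, writable chroot roots, and the umask base-10 pitfall).

```python
"""Parse a vsftpd.conf-style file and flag risky settings.

Added example, not vsftpd project code. It implements only what this man page
states: option=value directives, '#' comments, no whitespace around '=', YES/NO
booleans, numerics that are octal with a leading 0, and checks drawn from the
option descriptions above.
"""
import re

# Compiled-in defaults for the options the checks consult, as stated on the page.
DEFAULTS = {
    "anonymous_enable": "YES", "write_enable": "NO", "anon_upload_enable": "NO",
    "anon_other_write_enable": "NO", "listen": "NO", "listen_ipv6": "NO",
    "ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO", "ssl_tlsv1": "NO",
    "ssl_tlsv1_1": "NO", "isolate_network": "YES", "port_promiscuous": "NO",
    "pasv_promiscuous": "NO", "run_as_launching_user": "NO",
    "allow_writeable_chroot": "NO", "chroot_local_user": "NO",
    "local_umask": "077", "anon_umask": "077",
    "pasv_min_port": "0", "pasv_max_port": "0",
}
NUMERIC = {"local_umask", "anon_umask", "pasv_min_port", "pasv_max_port"}
# NAME=VALUE with nothing around '='; VALUE may contain spaces but not lead with one.
DIRECTIVE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(?!\s)(.*)$")


def parse_vsftpd_conf(text):
    """Return {option: value}; a later directive overrides an earlier one."""
    conf = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or comment line
        match = DIRECTIVE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: malformed directive {line!r}")
        conf[match.group(1)] = match.group(2)
    return conf


def parse_numeric(value):
    """Numeric options are non-negative integers; a leading 0 means octal."""
    if not value.isdigit():
        raise ValueError(f"not a non-negative integer: {value!r}")
    return int(value, 8) if len(value) > 1 and value[0] == "0" else int(value)


def check(conf):
    """Return 'ERROR ...'/'WARN ...' findings; an empty list means clean."""
    def get(key):
        return conf.get(key, DEFAULTS[key])

    def on(key):
        return get(key).upper() == "YES"

    findings = []
    if on("listen") and on("listen_ipv6"):
        findings.append("ERROR listen and listen_ipv6 are mutually exclusive")
    if on("run_as_launching_user"):
        findings.append("WARN run_as_launching_user=YES: chroot() cannot restrict file access")
    for key in ("pasv_promiscuous", "port_promiscuous"):
        if on(key):
            findings.append(f"WARN {key}=YES disables the data connection address check")
    if on("port_promiscuous") and on("isolate_network"):
        findings.append("ERROR isolate_network=YES requires port_promiscuous=NO")
    if on("chroot_local_user") and on("allow_writeable_chroot"):
        findings.append("WARN allow_writeable_chroot=YES: jailed users can write to their root")
    if on("ssl_enable"):
        legacy = [k for k in ("ssl_sslv2", "ssl_sslv3", "ssl_tlsv1", "ssl_tlsv1_1") if on(k)]
        if legacy:
            findings.append("WARN legacy protocol versions enabled, TLS v1.2 preferred: "
                            + ", ".join(legacy))
    if on("anonymous_enable") and on("write_enable"):
        writes = [k for k in ("anon_upload_enable", "anon_other_write_enable") if on(k)]
        if writes:
            findings.append("WARN anonymous users have write access: " + ", ".join(writes))
    for key in ("local_umask", "anon_umask"):
        raw = get(key)
        if key in conf and raw.isdigit() and raw != "0" and not raw.startswith("0"):
            findings.append(f"WARN {key}={raw} is read as decimal {int(raw)} "
                            f"(octal {int(raw):o}); add a 0 prefix")
    low, high = parse_numeric(get("pasv_min_port")), parse_numeric(get("pasv_max_port"))
    if low and high and low > high:
        findings.append("ERROR pasv_min_port is greater than pasv_max_port")
    return findings


# Constructed sample configuration (not a real deployment) exercising the checks.
SAMPLE_CONF = """\
listen=YES
listen_ipv6=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
local_umask=22
ssl_enable=YES
ssl_sslv3=YES
"""

if __name__ == "__main__":
    for finding in check(parse_vsftpd_conf(SAMPLE_CONF)):
        print(finding)
```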
887
889 Below is a list of string options.
890
891
892 anon_root
893 This option represents a directory which vsftpd will try to
894 change into after an anonymous login. Failure is silently
895 ignored.
896
897 Default: (none)
898
899 banned_email_file
900 This option is the name of a file containing a list of anonymous
901 e-mail passwords which are not permitted. This file is consulted
902 if the option deny_email_enable is enabled.
903
904 Default: /etc/vsftpd/banned_emails
905
906 banner_file
907 This option is the name of a file containing text to display
908 when someone connects to the server. If set, it overrides the
909 banner string provided by the ftpd_banner option.
910
911 Default: (none)
912
913 ca_certs_file
914 This option is the name of a file to load Certificate Authority
915 certs from, for the purpose of validating client certs. The
916 loaded certs are also advertised to the client, to cater for
917 TLSv1.0 clients such as the z/OS FTP client. Regrettably, the
918 default SSL CA cert paths are not used, because of vsftpd's use
919 of restricted filesystem spaces (chroot). (Added in v2.0.6).
920
921 Default: (none)
922
923 chown_username
924 This is the name of the user who is given ownership of anony‐
925 mously uploaded files. This option is only relevant if another
926 option, chown_uploads, is set.
927
928 Default: root
929
930 chroot_list_file
931 The option is the name of a file containing a list of local
932 users which will be placed in a chroot() jail in their home
933 directory. This option is only relevant if the option
934 chroot_list_enable is enabled. If the option chroot_local_user
935 is enabled, then the list file becomes a list of users to NOT
936 place in a chroot() jail.
937
938 Default: /etc/vsftpd/chroot_list
939
940 cmds_allowed
941 This option specifies a comma separated list of allowed FTP
942 commands (post-login; USER, PASS, QUIT and others are always
943 allowed pre-login). Other commands are rejected. This is a
944 powerful method of really locking down an FTP server. Example:
945 cmds_allowed=PASV,RETR,QUIT
946
947 Default: (none)
948
949 cmds_denied
950 This option specifies a comma separated list of denied FTP
951 commands (post-login; USER, PASS, QUIT and others are always
952 allowed pre-login). If a command appears on both this and
953 cmds_allowed then the denial takes precedence. (Added in
954 v2.1.0).
955
956 Default: (none)
957
958 deny_file
959 This option can be used to set a pattern for filenames (and
960 directory names etc.) which should not be accessible in any way.
961 The affected items are not hidden, but any attempt to do anything
962 to them (download, change into directory, affect something
963 within directory etc.) will be denied. This option is very simple,
964 and should not be used for serious access control - the
965 filesystem's permissions should be used in preference. However,
966 this option may be useful in certain virtual user setups. In
967 particular, be aware that if a filename is accessible by a variety
968 of names (perhaps due to symbolic links or hard links), then
969 care must be taken to deny access to all the names. Access will
970 be denied to items if their name contains the string given by
971 deny_file, or if they match the regular expression specified by
972 deny_file. Note that vsftpd's regular expression matching code
973 is a simple implementation which is a subset of full regular
974 expression functionality. Because of this, you will need to
975 carefully and exhaustively test any application of this option.
976 And you are recommended to use filesystem permissions for any
977 important security policies due to their greater reliability.
978 Supported regex syntax is any number of *, ? and unnested {,}
979 operators. Regex matching is only supported on the last
980 component of a path, e.g. a/b/? is supported but a/?/c is not.
981 Example: deny_file={*.mp3,*.mov,.private}
982
983 Default: (none)
984
985 dsa_cert_file
986 This option specifies the location of the DSA certificate to use
987 for SSL encrypted connections.
988
989 Default: (none - an RSA certificate suffices)
990
991 dsa_private_key_file
992 This option specifies the location of the DSA private key to use
993 for SSL encrypted connections. If this option is not set, the
994 private key is expected to be in the same file as the certifi‐
995 cate.
996
997 Default: (none)
998
999 dh_param_file
1000 This option specifies the location of the custom parameters used
1001 for ephemeral Diffie-Hellman key exchange in SSL.
1002
1003 Default: (none - use built in parameters appropriate for cer‐
1004 tificate key size)
1005
1006 ecdh_param_file
1007 This option specifies the location of custom parameters for
1008 ephemeral Elliptic Curve Diffie-Hellman (ECDH) key exchange.
1009
1010 Default: (none - use built in parameters, NIST P-256 with
1011 OpenSSL 1.0.1 and automatically selected curve based on client
1012 preferences with OpenSSL 1.0.2 and later)
1013
1014 email_password_file
1015 This option can be used to provide an alternate file for usage
1016 by the secure_email_list_enable setting.
1017
1018 Default: /etc/vsftpd/email_passwords
1019
1020 ftp_username
1021 This is the name of the user we use for handling anonymous FTP.
1022 The home directory of this user is the root of the anonymous FTP
1023 area.
1024
1025 Default: ftp
1026
1027 ftpd_banner
1028 This string option allows you to override the greeting banner
1029 displayed by vsftpd when a connection first comes in.
1030
1031 Default: (none - default vsftpd banner is displayed)
1032
1033 guest_username
1034 See the boolean setting guest_enable for a description of what
1035 constitutes a guest login. This setting is the real username
1036 which guest users are mapped to.
1037
1038 Default: ftp
1039
1040 hide_file
1041 This option can be used to set a pattern for filenames (and
1042 directory names etc.) which should be hidden from directory
1043 listings. Despite being hidden, the files / directories etc. are
1044 fully accessible to clients who know what names to actually use.
1045 Items will be hidden if their names contain the string given by
1046 hide_file, or if they match the regular expression specified by
1047 hide_file. Note that vsftpd's regular expression matching code
1048 is a simple implementation which is a subset of full regular
1049 expression functionality. See deny_file for details of exactly
1050 what regex syntax is supported. Example:
1051 hide_file={*.mp3,.hidden,hide*,h?}
1052
1053 Default: (none)
1054
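The following is an added Python reimplementation of the matching rules this page documents for deny_file and hide_file (a plain alternative matches as a substring, * and ? wildcards must match the whole name, one unnested {,} group, and only the last path component is examined); it is not vsftpd's own code, and every pattern and sample name below is constructed for illustration.

```python
import posixpath

def split_alternatives(pattern: str) -> list[str]:
    """Expand one unnested {a,b,c} group into its alternatives.

    Only the syntax the man page documents is honoured: a pattern is
    either a single glob or one brace group; nested braces are rejected.
    """
    if pattern.startswith("{") and pattern.endswith("}"):
        inner = pattern[1:-1]
        if "{" in inner or "}" in inner:
            raise ValueError("nested {,} is not supported")
        return [alt for alt in inner.split(",") if alt]
    if "{" in pattern or "}" in pattern:
        raise ValueError("braces must enclose the whole pattern")
    return [pattern]

def glob_match(pattern: str, name: str) -> bool:
    """Whole-string match: * matches any run, ? exactly one character.
    No character classes or escapes, matching the documented subset."""
    p = n = 0
    star, mark = -1, 0
    while n < len(name):
        if p < len(pattern) and pattern[p] != "*" and pattern[p] in ("?", name[n]):
            p += 1
            n += 1
        elif p < len(pattern) and pattern[p] == "*":
            star, mark, p = p, n, p + 1   # remember where * can resume
        elif star != -1:
            mark += 1                     # let the last * absorb one more char
            p, n = star + 1, mark
        else:
            return False
    while p < len(pattern) and pattern[p] == "*":
        p += 1
    return p == len(pattern)

def filter_matches(pattern: str, path: str) -> bool:
    """True if deny_file/hide_file set to `pattern` would catch `path`.
    Only the last path component is examined; a plain alternative is a
    substring test, one containing * or ? must match the whole name."""
    name = posixpath.basename(path.rstrip("/")) or path
    for alt in split_alternatives(pattern):
        if "*" in alt or "?" in alt:
            if glob_match(alt, name):
                return True
        elif alt in name:
            return True
    return False
```

Because the substring rule makes a plain alternative such as .private also catch .privateer, run any candidate pattern through a table of expected hits and misses like this before relying on it, and confirm the result against a real vsftpd instance, since this follows the page's description rather than vsftpd's source.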
1055 listen_address
1056 If vsftpd is in standalone mode, the default listen address (of
1057 all local interfaces) may be overridden by this setting. Provide
1058 a numeric IP address.
1059
1060 Default: (none)
1061
1062 listen_address6
1063 Like listen_address, but specifies a default listen address for
1064 the IPv6 listener (which is used if listen_ipv6 is set). Format
1065 is standard IPv6 address format.
1066
1067 Default: (none)
1068
1069 local_root
1070 This option represents a directory which vsftpd will try to
1071 change into after a local (i.e. non-anonymous) login. Failure is
1072 silently ignored.
1073
1074 Default: (none)
1075
1076 message_file
1077 This option is the name of the file we look for when a new
1078 directory is entered. The contents are displayed to the remote
1079 user. This option is only relevant if the option
1080 dirmessage_enable is enabled.
1081
1082 Default: .message
1083
1084 nopriv_user
1085 This is the name of the user that is used by vsftpd when it
1086 wants to be totally unprivileged. Note that this should be a
1087 dedicated user, rather than nobody. The user nobody tends to be
1088 used for rather a lot of important things on most machines.
1089
1090 Default: nobody
1091
1092 pam_service_name
1093 This string is the name of the PAM service vsftpd will use.
1094
1095 Default: ftp
1096
1097 pasv_address
1098 Use this option to override the IP address that vsftpd will
1099 advertise in response to the PASV command. Provide a numeric IP
1100 address, unless pasv_addr_resolve is enabled, in which case you
1101 can provide a hostname which will be DNS resolved for you at
1102 startup.
1103
1104 Default: (none - the address is taken from the incoming con‐
1105 nected socket)
1106
1107 rsa_cert_file
1108 This option specifies the location of the RSA certificate to use
1109 for SSL encrypted connections.
1110
1111 Default: /usr/share/ssl/certs/vsftpd.pem
1112
1113 rsa_private_key_file
1114 This option specifies the location of the RSA private key to use
1115 for SSL encrypted connections. If this option is not set, the
1116 private key is expected to be in the same file as the certifi‐
1117 cate.
1118
1119 Default: (none)
1120
1121 secure_chroot_dir
1122 This option should be the name of a directory which is empty.
1123 Also, the directory should not be writable by the ftp user. This
1124 directory is used as a secure chroot() jail at times vsftpd does
1125 not require filesystem access.
1126
1127 Default: /usr/share/empty
1128
1129 ssl_ciphers
1130 This option can be used to select which SSL ciphers vsftpd will
1131 allow for encrypted SSL connections. See the ciphers man page
1132 for further details. Note that restricting ciphers can be a use‐
1133 ful security precaution as it prevents malicious remote parties
1134 forcing a cipher which they have found problems with.
1135
1136 By default, the system-wide crypto policy is used. See
1137 update-crypto-policies(8) for further details.
1138
1139 Default: PROFILE=SYSTEM
1140
1141 user_config_dir
1142 This powerful option allows the override of any config option
1143 specified in the manual page, on a per-user basis. Usage is sim‐
1144 ple, and is best illustrated with an example. If you set
1145 user_config_dir to be /etc/vsftpd/user_conf and then log on as
1146 the user "chris", then vsftpd will apply the settings in the
1147 file /etc/vsftpd/user_conf/chris for the duration of the ses‐
1148 sion. The format of this file is as detailed in this manual
1149 page! PLEASE NOTE that not all settings are effective on a
1150 per-user basis. For example, many settings only take effect
1151 prior to the user's session being started. Examples of settings
1152 which will not affect any behaviour on a per-user basis include
1153 listen_address, banner_file, max_per_ip, max_clients,
1154 xferlog_file, etc.
1154
1155 Default: (none)
1156
1157 user_sub_token
1158 This option is useful in conjunction with virtual users. It is
1159 used to automatically generate a home directory for each virtual
1160 user, based on a template. For example, if the home directory of
1161 the real user specified via guest_username is
1162 /home/virtual/$USER, and user_sub_token is set to $USER, then
1163 when virtual user fred logs in, he will end up (usually
1164 chroot()'ed) in the directory /home/virtual/fred. This option
1165 also takes effect if local_root contains user_sub_token.
1166
1167 Default: (none)
1168
1169 userlist_file
1170 This option is the name of the file loaded when the
1171 userlist_enable option is active.
1172
1173 Default: /etc/vsftpd/user_list
1174
1175 vsftpd_log_file
1176 This option is the name of the file to which we write the vsftpd
1177 style log file. This log is only written if the option
1178 xferlog_enable is set, and xferlog_std_format is NOT set.
1179 Alternatively, it is written if you have set the option
1180 dual_log_enable. One further complication - if you have set
1181 syslog_enable, then this file is not written and output is sent
1182 to the system log instead.
1183
1184 Default: /var/log/vsftpd.log
1185
1186 xferlog_file
1187 This option is the name of the file to which we write the wu-
1188 ftpd style transfer log. The transfer log is only written if the
1189 option xferlog_enable is set, along with xferlog_std_format.
1190 Alternatively, it is written if you have set the option
1191 dual_log_enable.
1192
1193 Default: /var/log/xferlog
1194
1195
1196 AUTHOR
1197 scarybeasts@gmail.com