VSFTPD.CONF(5)                File Formats Manual               VSFTPD.CONF(5)

NAME
    vsftpd.conf - config file for vsftpd

DESCRIPTION
    vsftpd.conf may be used to control various aspects of vsftpd's behaviour.
    By default, vsftpd looks for this file at the location
    /etc/vsftpd/vsftpd.conf. However, you may override this by specifying a
    command line argument to vsftpd. The command line argument is the pathname
    of the configuration file for vsftpd. This behaviour is useful because you
    may wish to use an advanced inetd such as xinetd to launch vsftpd with
    different configuration files on a per virtual host basis.

    Systemd changes the vsftpd daemon start-up. The vsftpd package contains a
    vsftpd-generator script that generates symbolic links in the
    /var/run/systemd/generator/vsftpd.target.wants directory. The generator is
    called during e.g. 'systemctl --system daemon-reload'. All these symbolic
    links point to the /usr/lib/systemd/system/vsftpd@.service file. The
    vsftpd daemon(s) is/are controlled in one of the following ways:

    1. Single daemon using the default /etc/vsftpd/vsftpd.conf configuration
       file
       # systemctl {start,stop,...} vsftpd[.service]

    2. Single daemon using /etc/vsftpd/<config-filename>.conf
       # systemctl {start,stop,...} vsftpd@<config-filename-without-extension>[.service]

    3. All instances together
       # systemctl {restart,stop} vsftpd.target

    See systemd.unit(5), systemd.target(5) for further details.

FORMAT
    The format of vsftpd.conf is very simple. Each line is either a comment or
    a directive. Comment lines start with a # and are ignored. A directive
    line has the format:

    option=value

    It is important to note that it is an error to put any space between the
    option, = and value.

    Each setting has a compiled in default which may be modified in the
    configuration file.

BOOLEAN OPTIONS
    Below is a list of boolean options. The value for a boolean option may be
    set to YES or NO.

    allow_anon_ssl
        Only applies if ssl_enable is active. If set to YES, anonymous users
        will be allowed to use secured SSL connections.

        Default: NO

    allow_writeable_chroot
        Allow chroot()'ing a user to a directory writable by that user. Note
        that setting this to YES is potentially dangerous. For example, if the
        user creates an 'etc' directory in the new root directory, they could
        potentially trick the C library into loading a user-created
        configuration file from the /etc/ directory.

        Default: NO

    better_stou
        Use a better file name generation algorithm for the STOU command. The
        default original algorithm simply adds an increasing number suffix to
        the file name, which is prone to race conditions if multiple uploaders
        use the STOU command with the same file name simultaneously, which can
        result in failure of the command. The new algorithm adds a unique
        random six character suffix to the file name, which works much better
        in the face of concurrent uploads.

        Default: NO

    anon_mkdir_write_enable
        If set to YES, anonymous users will be permitted to create new
        directories under certain conditions. For this to work, the option
        write_enable must be activated, and the anonymous ftp user must have
        write permission on the parent directory.

        Default: NO

    anon_other_write_enable
        If set to YES, anonymous users will be permitted to perform write
        operations other than upload and create directory, such as deletion
        and renaming. This is generally not recommended but included for
        completeness.

        Default: NO

    anon_upload_enable
        If set to YES, anonymous users will be permitted to upload files under
        certain conditions. For this to work, the option write_enable must be
        activated, and the anonymous ftp user must have write permission on
        the desired upload locations. This setting is also required for
        virtual users to upload; by default, virtual users are treated with
        anonymous (i.e. maximally restricted) privilege.

        Default: NO

    anon_world_readable_only
        When enabled, anonymous users will only be allowed to download files
        which are world readable. This recognises that the ftp user may own
        files, especially in the presence of uploads.

        Default: YES

    anonymous_enable
        Controls whether anonymous logins are permitted or not. If enabled,
        both the usernames ftp and anonymous are recognised as anonymous
        logins.

        Default: YES

    ascii_download_enable
        When enabled, ASCII mode data transfers will be honoured on downloads.
        When disabled, the server will pretend to allow ASCII mode but in fact
        ignore requests to activate it. So the client will think the ASCII
        mode is active and therefore may still translate any <CRLF> character
        sequences in the received file. See the following article for a
        detailed explanation of the behaviour:
        https://access.redhat.com/articles/3250241.

        Turn this option on to have the server actually do ASCII mangling on
        files when in ASCII mode.

        Default: NO

    ascii_upload_enable
        When enabled, ASCII mode data transfers will be honoured on uploads.
        When disabled, the server will pretend to allow ASCII mode but in fact
        ignore requests to activate it. So the client will think the ASCII
        mode is active and will translate native line terminators to the
        standard <CRLF> line terminators for transmission, but the server will
        not do any translation. See the following article for a detailed
        explanation of the behaviour:
        https://access.redhat.com/articles/3250241.

        Turn this option on to have the server actually do ASCII mangling on
        files when in ASCII mode.

        Default: NO

    async_abor_enable
        When enabled, a special FTP command known as "async ABOR" will be
        enabled. Only ill-advised FTP clients will use this feature.
        Additionally, this feature is awkward to handle, so it is disabled by
        default. Unfortunately, some FTP clients will hang when cancelling a
        transfer unless this feature is available, so you may wish to enable
        it.

        Default: NO

    background
        When enabled, and vsftpd is started in "listen" mode, vsftpd will
        background the listener process, i.e. control will immediately be
        returned to the shell which launched vsftpd.

        Default: YES

    check_shell
        Note! This option only has an effect for non-PAM builds of vsftpd. If
        disabled, vsftpd will not check /etc/shells for a valid user shell for
        local logins.

        Default: YES

    chmod_enable
        When enabled, allows use of the SITE CHMOD command. NOTE! This only
        applies to local users. Anonymous users never get to use SITE CHMOD.

        Default: YES

    chown_uploads
        If enabled, all anonymously uploaded files will have the ownership
        changed to the user specified in the setting chown_username. This is
        useful from an administrative, and perhaps security, standpoint.

        Default: NO

    chroot_list_enable
        If activated, you may provide a list of local users who are placed in
        a chroot() jail in their home directory upon login. The meaning is
        slightly different if chroot_local_user is set to YES. In this case,
        the list becomes a list of users which are NOT to be placed in a
        chroot() jail. By default, the file containing this list is
        /etc/vsftpd/chroot_list, but you may override this with the
        chroot_list_file setting.

        Default: NO

    chroot_local_user
        If set to YES, local users will be (by default) placed in a chroot()
        jail in their home directory after login. Warning: This option has
        security implications, especially if the users have upload permission,
        or shell access. Only enable if you know what you are doing. Note that
        these security implications are not vsftpd specific. They apply to all
        FTP daemons which offer to put local users in chroot() jails.

        Default: NO

    connect_from_port_20
        This controls whether PORT style data connections use port 20
        (ftp-data) on the server machine. For security reasons, some clients
        may insist that this is the case. Conversely, disabling this option
        enables vsftpd to run with slightly less privilege.

        Default: NO (but the sample config file enables it)

    debug_ssl
        If true, OpenSSL connection diagnostics are dumped to the vsftpd log
        file. (Added in v2.0.6).

        Default: NO

    delete_failed_uploads
        If true, any failed upload files are deleted. (Added in v2.0.7).

        Default: NO

    deny_email_enable
        If activated, you may provide a list of anonymous password e-mail
        responses which cause login to be denied. By default, the file
        containing this list is /etc/vsftpd/banned_emails, but you may
        override this with the banned_email_file setting.

        Default: NO

    dirlist_enable
        If set to NO, all directory list commands will give permission denied.

        Default: YES

    dirmessage_enable
        If enabled, users of the FTP server can be shown messages when they
        first enter a new directory. By default, a directory is scanned for
        the file .message, but that may be overridden with the configuration
        setting message_file.

        Default: NO (but the sample config file enables it)

    download_enable
        If set to NO, all download requests will give permission denied.

        Default: YES

    dual_log_enable
        If enabled, two log files are generated in parallel, going by default
        to /var/log/xferlog and /var/log/vsftpd.log. The former is a wu-ftpd
        style transfer log, parseable by standard tools. The latter is
        vsftpd's own style log.

        Default: NO

    force_dot_files
        If activated, files and directories starting with . will be shown in
        directory listings even if the "a" flag was not used by the client.
        This override excludes the "." and ".." entries.

        Default: NO

    force_anon_data_ssl
        Only applies if ssl_enable is activated. If activated, all anonymous
        logins are forced to use a secure SSL connection in order to send and
        receive data on data connections.

        Default: NO

    force_anon_logins_ssl
        Only applies if ssl_enable is activated. If activated, all anonymous
        logins are forced to use a secure SSL connection in order to send the
        password.

        Default: NO

    force_local_data_ssl
        Only applies if ssl_enable is activated. If activated, all
        non-anonymous logins are forced to use a secure SSL connection in
        order to send and receive data on data connections.

        Default: YES

    force_local_logins_ssl
        Only applies if ssl_enable is activated. If activated, all
        non-anonymous logins are forced to use a secure SSL connection in
        order to send the password.

        Default: YES

    guest_enable
        If enabled, all non-anonymous logins are classed as "guest" logins. A
        guest login is remapped to the user specified in the guest_username
        setting.

        Default: NO

    hide_ids
        If enabled, all user and group information in directory listings will
        be displayed as "ftp".

        Default: NO

    implicit_ssl
        If enabled, an SSL handshake is the first thing expected on all
        connections (the FTPS protocol). To support explicit SSL and/or plain
        text too, a separate vsftpd listener process should be run.

        Default: NO

    listen
        If enabled, vsftpd will run in standalone mode. This means that vsftpd
        must not be run from an inetd of some kind. Instead, the vsftpd
        executable is run once directly. vsftpd itself will then take care of
        listening for and handling incoming connections.

        Default: NO

    listen_ipv6
        Like the listen parameter, except vsftpd will listen on an IPv6 socket
        instead of an IPv4 one. Note that a socket listening on the IPv6 "any"
        address (::) will accept both IPv6 and IPv4 connections by default.
        This parameter and the listen parameter are mutually exclusive.

        Default: NO

    local_enable
        Controls whether local logins are permitted or not. If enabled, normal
        user accounts in /etc/passwd (or wherever your PAM config references)
        may be used to log in. This must be enabled for any non-anonymous
        login to work, including virtual users.

        Default: NO

    lock_upload_files
        When enabled, all uploads proceed with a write lock on the upload
        file. All downloads proceed with a shared read lock on the download
        file. WARNING! Before enabling this, be aware that malicious readers
        could starve a writer wanting to e.g. append to a file.

        Default: YES

    log_die
        Log an error to syslog when some error condition occurs and vsftpd
        decides to quit. Internally, the error messages given to the functions
        die(), die2() and bug() are passed to syslog. Currently this
        functionality requires waiting for a short amount of time (1 second is
        used) after logging the message and before exiting. This is a
        workaround for the following systemd bug:
        https://github.com/systemd/systemd/issues/2913

        Default: NO

    log_ftp_protocol
        When enabled, all FTP requests and responses are logged, providing the
        option xferlog_std_format is not enabled. Useful for debugging.

        Default: NO

    ls_recurse_enable
        When enabled, this setting will allow the use of "ls -R". This is a
        minor security risk, because a ls -R at the top level of a large site
        may consume a lot of resources.

        Default: NO

    mdtm_write
        When enabled, this setting will allow MDTM to set file modification
        times (subject to the usual access checks).

        Default: YES

    no_anon_password
        When enabled, this prevents vsftpd from asking for an anonymous
        password - the anonymous user will log straight in.

        Default: NO

    no_log_lock
        When enabled, this prevents vsftpd from taking a file lock when
        writing to log files. This option should generally not be enabled. It
        exists to work around operating system bugs such as the Solaris /
        Veritas filesystem combination which has been observed to sometimes
        exhibit hangs trying to lock log files.

        Default: NO

    one_process_model
        If you have a Linux 2.4 kernel, it is possible to use a different
        security model which only uses one process per connection. It is a
        less pure security model, but gains you performance. You really don't
        want to enable this unless you know what you are doing, and your site
        supports huge numbers of simultaneously connected users.

        Default: NO

    passwd_chroot_enable
        If enabled, along with chroot_local_user, then a chroot() jail
        location may be specified on a per-user basis. Each user's jail is
        derived from their home directory string in /etc/passwd. The
        occurrence of /./ in the home directory string denotes that the jail
        is at that particular location in the path.

        Default: NO

    pasv_addr_resolve
        Set to YES if you want to use a hostname (as opposed to an IP address)
        in the pasv_address option.

        Default: NO

    pasv_enable
        Set to NO if you want to disallow the PASV method of obtaining a data
        connection.

        Default: YES

    pasv_promiscuous
        Set to YES if you want to disable the PASV security check that ensures
        the data connection originates from the same IP address as the control
        connection. Only enable if you know what you are doing! The only
        legitimate use for this is in some form of secure tunnelling scheme,
        or perhaps to facilitate FXP support.

        Default: NO

    port_enable
        Set to NO if you want to disallow the PORT method of obtaining a data
        connection.

        Default: YES

    port_promiscuous
        Set to YES if you want to disable the PORT security check that ensures
        that outgoing data connections can only connect to the client. Only
        enable if you know what you are doing!

        Default: NO

    require_cert
        If set to yes, all SSL client connections are required to present a
        client certificate. The degree of validation applied to this
        certificate is controlled by validate_cert. (Added in v2.0.6).

        Default: NO

    require_ssl_reuse
        If set to yes, all SSL data connections are required to exhibit SSL
        session reuse (which proves that they know the same master secret as
        the control channel). Although this is a secure default, it may break
        many FTP clients, so you may want to disable it. For a discussion of
        the consequences, see
        http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html
        (Added in v2.1.0).

        Default: YES

    reverse_lookup_enable
        Set to YES if you want vsftpd to resolve the client's IP address to a
        hostname before PAM authentication. This is useful if you use
        pam_access rules that include the hostname. If vsftpd runs in an
        environment where the reverse lookup for some addresses is not
        available and the name server does not respond for a while, you should
        set this to NO to avoid a performance issue, since every login would
        otherwise wait for the lookup to time out.

        Default: YES

    run_as_launching_user
        Set to YES if you want vsftpd to run as the user which launched
        vsftpd. This is useful where root access is not available. MASSIVE
        WARNING! Do NOT enable this option unless you totally know what you
        are doing, as naive use of this option can create massive security
        problems. Specifically, vsftpd does not / cannot use chroot technology
        to restrict file access when this option is set (even if launched by
        root). A poor substitute could be to use a deny_file setting such as
        {/*,*..*}, but the reliability of this cannot compare to chroot, and
        should not be relied on. If using this option, many restrictions on
        other options apply. For example, options requiring privilege such as
        non-anonymous logins, upload ownership changing, connecting from port
        20 and listen ports less than 1024 are not expected to work. Other
        options may be impacted.

        Default: NO

    secure_email_list_enable
        Set to YES if you want only a specified list of e-mail passwords for
        anonymous logins to be accepted. This is useful as a low-hassle way of
        restricting access to low-security content without needing virtual
        users. When enabled, anonymous logins are prevented unless the
        password provided is listed in the file specified by the
        email_password_file setting. The file format is one password per
        line, no extra whitespace. The default filename is
        /etc/vsftpd/email_passwords.

        Default: NO

    session_support
        This controls whether vsftpd attempts to maintain sessions for logins.
        If vsftpd is maintaining sessions, it will try and update utmp and
        wtmp. It will also open a pam_session if using PAM to authenticate,
        and only close this upon logout. You may wish to disable this if you
        do not need session logging, and you wish to give vsftpd more
        opportunity to run with fewer processes and / or less privilege. NOTE
        - utmp and wtmp support is only provided with PAM enabled builds.

        Default: NO

    setproctitle_enable
        If enabled, vsftpd will try and show session status information in
        the system process listing. In other words, the reported name of the
        process will change to reflect what a vsftpd session is doing (idle,
        downloading etc). You probably want to leave this off for security
        purposes.

        Default: NO

    ssl_enable
        If enabled, and vsftpd was compiled against OpenSSL, vsftpd will
        support secure connections via SSL. This applies to the control
        connection (including login) and also data connections. You'll need a
        client with SSL support too. NOTE!! Beware enabling this option. Only
        enable it if you need it. vsftpd can make no guarantees about the
        security of the OpenSSL libraries. By enabling this option, you are
        declaring that you trust the security of your installed OpenSSL
        library.

        Default: NO

    ssl_request_cert
        If enabled, vsftpd will request (but not necessarily require; see
        require_cert) a certificate on incoming SSL connections. Normally this
        should not cause any trouble at all, but IBM zOS seems to have issues.
        (New in v2.0.7).

        Default: YES

    ssl_sslv2
        Only applies if ssl_enable is activated. If enabled, this option will
        permit SSL v2 protocol connections. TLS v1.2+ connections are
        preferred.

        Default: NO

    ssl_sslv3
        Only applies if ssl_enable is activated. If enabled, this option will
        permit SSL v3 protocol connections. TLS v1.2+ connections are
        preferred.

        Default: NO

    ssl_tlsv1
        Only applies if ssl_enable is activated. If enabled, this option will
        permit TLS v1.0 protocol connections. TLS v1.2+ connections are
        preferred.

        Default: NO

    ssl_tlsv1_1
        Only applies if ssl_enable is activated. If enabled, this option will
        permit TLS v1.1 protocol connections. TLS v1.2+ connections are
        preferred.

        Default: NO

    ssl_tlsv1_2
        Only applies if ssl_enable is activated. If enabled, this option will
        permit TLS v1.2 protocol connections. TLS v1.2+ connections are
        preferred.

        Default: YES

    ssl_tlsv1_3
        Only applies if ssl_enable is activated. If enabled, this option will
        permit TLS v1.3 protocol connections. TLS v1.2+ connections are
        preferred.

        Default: YES

    strict_ssl_read_eof
        If enabled, SSL data uploads are required to terminate via SSL, not an
        EOF on the socket. This option is required to be sure that an attacker
        did not terminate an upload prematurely with a faked TCP FIN. (New in
        v2.0.7).

        Default: YES

    strict_ssl_write_shutdown
        If enabled, SSL data downloads are required to terminate via SSL, not
        an EOF on the socket. This is off by default as I was unable to find a
        single FTP client that does this. It is minor. All it affects is our
        ability to tell whether the client confirmed full receipt of the file.
        Even without this option, the client is able to check the integrity of
        the download. (New in v2.0.7).

        Default: NO

    syslog_enable
        If enabled, then any log output which would have gone to
        /var/log/vsftpd.log goes to the system log instead. Logging is done
        under the FTPD facility.

        Default: NO

    tcp_wrappers
        If enabled, and vsftpd was compiled with tcp_wrappers support,
        incoming connections will be fed through tcp_wrappers access control.
        Furthermore, there is a mechanism for per-IP based configuration. If
        tcp_wrappers sets the VSFTPD_LOAD_CONF environment variable, then the
        vsftpd session will try and load the vsftpd configuration file
        specified in this variable.

        Default: NO

    text_userdb_names
        By default, numeric IDs are shown in the user and group fields of
        directory listings. You can get textual names by enabling this
        parameter. It is off by default for performance reasons. Note that
        textual names are not guaranteed when chroot_local_user is set to YES.

        Default: NO

    tilde_user_enable
        If enabled, vsftpd will try and resolve pathnames such as
        ~chris/pics, i.e. a tilde followed by a username. Note that vsftpd
        will always resolve the pathnames ~ and ~/something (in this case the
        ~ resolves to the initial login directory). Note that ~user paths will
        only resolve if the file /etc/passwd may be found within the _current_
        chroot() jail.

        Default: NO

    use_localtime
        If enabled, vsftpd will display directory listings with the time in
        your local time zone. The default is to display GMT. The times
        returned by the MDTM FTP command are also affected by this option.

        Default: NO

    use_sendfile
        An internal setting used for testing the relative benefit of using
        the sendfile() system call on your platform.

        Default: YES

    userlist_deny
        This option is examined if userlist_enable is activated. If you set
        this setting to NO, then users will be denied login unless they are
        explicitly listed in the file specified by userlist_file. When login
        is denied, the denial is issued before the user is asked for a
        password.

        Default: YES

    userlist_enable
        If enabled, vsftpd will load a list of usernames, from the filename
        given by userlist_file. If a user tries to log in using a name in this
        file, they will be denied before they are asked for a password. This
        may be useful in preventing cleartext passwords being transmitted. See
        also userlist_deny.

        Default: NO

    validate_cert
        If set to yes, all SSL client certificates received must validate OK.
        Self-signed certs do not constitute OK validation. (New in v2.0.6).

        Default: NO

    userlist_log
        This option is examined if userlist_enable is activated. If enabled,
        every login denial based on the user list will be logged.

        Default: NO

    virtual_use_local_privs
        If enabled, virtual users will use the same privileges as local users.
        By default, virtual users will use the same privileges as anonymous
        users, which tends to be more restrictive (especially in terms of
        write access).

        Default: NO

    write_enable
        This controls whether any FTP commands which change the filesystem are
        allowed or not. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD,
        APPE and SITE.

        Default: NO

    xferlog_enable
        If enabled, a log file will be maintained detailing uploads and
        downloads. By default, this file will be placed at
        /var/log/vsftpd.log, but this location may be overridden using the
        configuration setting vsftpd_log_file.

        Default: NO (but the sample config file enables it)

    xferlog_std_format
        If enabled, the transfer log file will be written in standard xferlog
        format, as used by wu-ftpd. This is useful because you can reuse
        existing transfer statistics generators. The default format is more
        readable, however. The default location for this style of log file is
        /var/log/xferlog, but you may change it with the setting xferlog_file.

        Default: NO

    isolate_network
        If enabled, use CLONE_NEWNET to isolate the untrusted processes so
        that they can't do arbitrary connect() and instead have to ask the
        privileged process for sockets (port_promiscuous has to be disabled).

        Default: YES

    isolate
        If enabled, use CLONE_NEWPID and CLONE_NEWIPC to isolate processes in
        their own IPC and PID namespaces, so that separated processes cannot
        interact with each other.

        Default: YES

    wc_logs_enable
        If enabled, logs will be treated as wide-character strings and not
        just ASCII strings when filtering out non-printable characters.

        Default: NO

NUMERIC OPTIONS
    Below is a list of numeric options. A numeric option must be set to a
    non-negative integer. Octal numbers are supported, for convenience of the
    umask options. To specify an octal number, use 0 as the first digit of
    the number.

    accept_timeout
        The timeout, in seconds, for a remote client to establish connection
        with a PASV style data connection.

        Default: 60

    anon_max_rate
        The maximum data transfer rate permitted, in bytes per second, for
        anonymous clients.

        Default: 0 (unlimited)

    anon_umask
        The value that the umask for file creation is set to for anonymous
        users. NOTE! If you want to specify octal values, remember the "0"
        prefix otherwise the value will be treated as a base 10 integer!

        Default: 077

    bind_retries
        Maximum number of attempts to find a free listening port in passive
        mode.

        Default: 9

    chown_upload_mode
        The file mode to force for chown()ed anonymous uploads. (Added in
        v2.0.6).

        Default: 0600

    connect_timeout
        The timeout, in seconds, for a remote client to respond to our PORT
        style data connection.

        Default: 60

    data_connection_timeout
        The timeout, in seconds, which is roughly the maximum time we permit
        data transfers to stall for with no progress. If the timeout triggers,
        the remote client is kicked off.

        Default: 300

    delay_failed_login
        The number of seconds to pause prior to reporting a failed login.

        Default: 1

    delay_successful_login
        The number of seconds to pause prior to allowing a successful login.

        Default: 0

    file_open_mode
        The permissions with which uploaded files are created. Umasks are
        applied on top of this value. You may wish to change to 0777 if you
        want uploaded files to be executable.

        Default: 0666

    ftp_data_port
        The port from which PORT style connections originate (as long as the
        poorly named connect_from_port_20 is enabled).

        Default: 20

    idle_session_timeout
        The timeout, in seconds, which is the maximum time a remote client may
        spend between FTP commands. If the timeout triggers, the remote client
        is kicked off.

        Default: 300

    listen_port
        If vsftpd is in standalone mode, this is the port it will listen on
        for incoming FTP connections.

        Default: 21

    local_max_rate
        The maximum data transfer rate permitted, in bytes per second, for
        local authenticated users.

        Default: 0 (unlimited)

    local_umask
        The value that the umask for file creation is set to for local users.
        NOTE! If you want to specify octal values, remember the "0" prefix
        otherwise the value will be treated as a base 10 integer!

        Default: 077

    max_clients
        If vsftpd is in standalone mode, this is the maximum number of clients
        which may be connected. Any additional clients connecting will get an
        error message. The value 0 switches off the limit.

        Default: 2000

    max_login_fails
        After this many login failures, the session is killed.

        Default: 3

    max_per_ip
        If vsftpd is in standalone mode, this is the maximum number of clients
        which may be connected from the same source internet address. A client
        will get an error message if they go over this limit. The value 0
        switches off the limit.

        Default: 50

    pasv_max_port
        The maximum port to allocate for PASV style data connections. Can be
        used to specify a narrow port range to assist firewalling.

        Default: 0 (use any port)

    pasv_min_port
        The minimum port to allocate for PASV style data connections. Can be
        used to specify a narrow port range to assist firewalling.

        Default: 0 (use any port)

    trans_chunk_size
        You probably don't want to change this, but try setting it to
        something like 8192 for a much smoother bandwidth limiter.

        Default: 0 (let vsftpd pick a sensible setting)

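    The following is an added example, not code from vsftpd itself: a strict
    parser for the option=value format described in FORMAT, with the value
    rules for boolean (YES/NO) and numeric (non-negative integer, leading 0
    means octal) options, followed by an audit that flags the settings this
    manual page warns about (anonymous write access, allow_writeable_chroot,
    the promiscuous data-connection checks, run_as_launching_user,
    setproctitle_enable, pre-TLS 1.2 protocols, force_local_logins_ssl=NO, and
    a umask written without its leading 0). Assumptions: the DEFAULTS table
    covers only the audited options and is copied from the Default: lines
    above; the parser rejects leading whitespace on a directive line as well
    as whitespace around the =, the strictest reading of the rule; the two
    configurations at the bottom are constructed for the example and show a
    weak file beside its corrected counterpart.

```python
"""Strict vsftpd.conf parser plus a hardening audit.

Added example, not part of vsftpd.  It implements the FORMAT rules (option=value,
'#' comments, no whitespace around '='), the YES/NO and non-negative-integer
(leading 0 = octal) value rules, and flags settings this page warns about.
DEFAULTS lists only the audited options, copied from the Default: lines above.
"""
from typing import Dict, List

DEFAULTS: Dict[str, str] = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "allow_writeable_chroot": "NO",
    "pasv_promiscuous": "NO", "port_promiscuous": "NO",
    "run_as_launching_user": "NO", "setproctitle_enable": "NO",
    "ssl_enable": "NO", "force_local_logins_ssl": "YES", "ssl_sslv2": "NO",
    "ssl_sslv3": "NO", "ssl_tlsv1": "NO", "ssl_tlsv1_1": "NO",
    "anon_umask": "077", "local_umask": "077",
}
NUMERIC_OPTIONS = {"anon_umask", "local_umask"}
BOOLEAN_OPTIONS = set(DEFAULTS) - NUMERIC_OPTIONS


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """One option=value per line; blank lines and '#' comments are skipped.
    Whitespace around the option, '=' or value is an error.  Last value wins."""
    settings: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        option, sep, value = line.partition("=")
        if not sep or not option or option != option.strip() or value != value.strip():
            raise ValueError(f"line {lineno}: expected option=value without spaces, got {line!r}")
        settings[option] = value
    return settings


def parse_numeric(value: str) -> int:
    """Non-negative integer; a leading 0 followed by more digits means octal."""
    octal = len(value) > 1 and value[0] == "0"
    if not value.isdigit() or (octal and not set(value) <= set("01234567")):
        raise ValueError(f"not a non-negative {'octal' if octal else 'decimal'} integer: {value!r}")
    return int(value, 8 if octal else 10)


def audit(settings: Dict[str, str]) -> List[str]:
    """Type-check the file against DEFAULTS and return the findings this page warns about."""
    for option, value in settings.items():
        if option in BOOLEAN_OPTIONS and value not in ("YES", "NO"):
            raise ValueError(f"{option}: boolean options take YES or NO, got {value!r}")
        if option in NUMERIC_OPTIONS:
            parse_numeric(value)
    cfg = {**DEFAULTS, **settings}  # compiled-in defaults overlaid with the file

    def on(option: str) -> bool:
        return cfg[option] == "YES"

    findings: List[str] = []
    anon_writes = ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")
    if on("anonymous_enable") and on("write_enable") and any(map(on, anon_writes)):
        findings.append("anonymous users may modify the filesystem")
    if on("allow_writeable_chroot"):
        findings.append("allow_writeable_chroot=YES: a writable chroot root is potentially dangerous")
    for opt in ("pasv_promiscuous", "port_promiscuous", "run_as_launching_user", "setproctitle_enable"):
        if on(opt):
            findings.append(f"{opt}=YES: the manual says to leave this off")
    if on("ssl_enable"):
        for opt in ("ssl_sslv2", "ssl_sslv3", "ssl_tlsv1", "ssl_tlsv1_1"):
            if on(opt):
                findings.append(f"{opt}=YES: legacy protocol; TLS v1.2+ is preferred")
        if on("local_enable") and not on("force_local_logins_ssl"):
            findings.append("force_local_logins_ssl=NO: local passwords may be sent in clear text")
    for opt in sorted(NUMERIC_OPTIONS & set(settings)):
        if not settings[opt].startswith("0"):  # the umask pitfall the page warns about
            n = parse_numeric(settings[opt])
            findings.append(f"{opt}={settings[opt]}: no leading 0, so read as decimal {n} (0o{n:o})")
    return findings


# Constructed configurations (not from any real host): a weak one and a corrected one.
WEAK_CONF = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
allow_writeable_chroot=YES
anon_umask=77
ssl_enable=YES
ssl_sslv3=YES
"""
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
local_umask=022
"""
if __name__ == "__main__":
    print(*audit(parse_vsftpd_conf(WEAK_CONF)), sep="\n")
    print("hardened:", audit(parse_vsftpd_conf(HARDENED_CONF)))
```

    Run against WEAK_CONF the audit reports four findings; HARDENED_CONF
    yields none. The umask check is the one most often missed in practice:
    anon_umask=77 is accepted by vsftpd but means decimal 77 (octal 0115),
    not the 077 the administrator intended, so uploaded files end up with
    different permissions than expected.
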
900
902 Below is a list of string options.
903
904
905 anon_root
906 This option represents a directory which vsftpd will try to
907 change into after an anonymous login. Failure is silently ig‐
908 nored.
909
910 Default: (none)
911
912 banned_email_file
913 This option is the name of a file containing a list of anonymous
914 e-mail passwords which are not permitted. This file is consulted
915 if the option deny_email_enable is enabled.
916
917 Default: /etc/vsftpd/banned_emails
918
919 banner_file
920 This option is the name of a file containing text to display
921 when someone connects to the server. If set, it overrides the
922 banner string provided by the ftpd_banner option.
923
924 Default: (none)
925
926 ca_certs_file
927 This option is the name of a file to load Certificate Authority
928 certs from, for the purpose of validating client certs. The
929 loaded certs are also advertised to the client, to cater for
930 TLSv1.0 clients such as the z/OS FTP client. Regrettably, the
931 default SSL CA cert paths are not used, because of vsftpd's use
932 of restricted filesystem spaces (chroot). (Added in v2.0.6).
933
934 Default: (none)
935
936 chown_username
937 This is the name of the user who is given ownership of anony‐
938 mously uploaded files. This option is only relevant if another
939 option, chown_uploads, is set.
940
941 Default: root
942
943 chroot_list_file
944 The option is the name of a file containing a list of local
945 users which will be placed in a chroot() jail in their home di‐
946 rectory. This option is only relevant if the option ch‐
947 root_list_enable is enabled. If the option chroot_local_user is
948 enabled, then the list file becomes a list of users to NOT place
949 in a chroot() jail.
950
951 Default: /etc/vsftpd.chroot_list
952
953 cmds_allowed
954 This option specifies a comma separated list of FTP commands
955 allowed after login (USER, PASS, QUIT and others are always
956 allowed before login). Any other command is rejected. This is a
957 powerful method of really locking down an FTP server. Example:
958 cmds_allowed=PASV,RETR,QUIT (note that this particular list
959 permits downloads but no directory listings, since LIST is absent)
959
960 Default: (none)
961
962 cmds_denied
963 This option specifies a comma separated list of FTP commands
964 denied after login (USER, PASS, QUIT and others are always
965 allowed before login). If a command appears on both this list
966 and cmds_allowed, the denial takes precedence. (Added in v2.1.0).
967
968 Default: (none)
969
970 deny_file
971 This option can be used to set a pattern for filenames (and di‐
972 rectory names etc.) which should not be accessible in any way.
973 The affected items are not hidden, but any attempt to do any‐
974 thing to them (download, change into directory, affect something
975 within directory etc.) will be denied. This option is very sim‐
976 ple, and should not be used for serious access control - the
977 filesystem's permissions should be used in preference. However,
978 this option may be useful in certain virtual user setups. In
979 particular, be aware that if a filename is accessible by a
980 variety of names (perhaps due to symbolic links or hard links),
981 then care must be taken to deny access to all the names. Access
982 will be denied to items if their name contains the string given
983 by deny_file, or if they match the regular expression specified
984 by deny_file. Note that vsftpd's regular expression matching code
985 is a simple implementation which is a subset of full regular ex‐
986 pression functionality. Because of this, you will need to care‐
987 fully and exhaustively test any application of this option. And
988 you are recommended to use filesystem permissions for any impor‐
989 tant security policies due to their greater reliability. Sup‐
990 ported regex syntax is any number of *, ? and unnested {,} oper‐
991 ators. Regex matching is only supported on the last component of
992 a path, e.g. a/b/? is supported but a/?/c is not. Example:
993 deny_file={*.mp3,*.mov,.private}
994
995 Default: (none)
996
997 dsa_cert_file
998 This option specifies the location of the DSA certificate to use
999 for SSL encrypted connections.
1000
1001 Default: (none - an RSA certificate suffices)
1002
1003 dsa_private_key_file
1004 This option specifies the location of the DSA private key to use
1005 for SSL encrypted connections. If this option is not set, the
1006 private key is expected to be in the same file as the certifi‐
1007 cate.
1008
1009 Default: (none)
1010
1011 dh_param_file
1012 This option specifies the location of the custom parameters used
1013 for ephemeral Diffie-Hellman key exchange in SSL.
1014
1015 Default: (none - use built in parameters appropriate for cer‐
1016 tificate key size)
1017
1018 ecdh_param_file
1019 This option specifies the location of custom parameters for
1020 ephemeral Elliptic Curve Diffie-Hellman (ECDH) key exchange.
1021
1022 Default: (none - use built in parameters, NIST P-256 with
1023 OpenSSL 1.0.1 and automatically selected curve based on client
1024 preferences with OpenSSL 1.0.2 and later)
1025
1026 email_password_file
1027 This option can be used to provide an alternate file for usage
1028 by the secure_email_list_enable setting.
1029
1030 Default: /etc/vsftpd/email_passwords
1031
1032 ftp_username
1033 This is the name of the user we use for handling anonymous FTP.
1034 The home directory of this user is the root of the anonymous FTP
1035 area.
1036
1037 Default: ftp
1038
1039 ftpd_banner
1040 This string option allows you to override the greeting banner
1041 displayed by vsftpd when a connection first comes in.
1042
1043 Default: (none - default vsftpd banner is displayed)
1044
1045 guest_username
1046 See the boolean setting guest_enable for a description of what
1047 constitutes a guest login. This setting is the real username
1048 which guest users are mapped to.
1049
1050 Default: ftp
1051
1052 hide_file
1053 This option can be used to set a pattern for filenames (and di‐
1054 rectory names etc.) which should be hidden from directory list‐
1055 ings. Despite being hidden, the files / directories etc. are
1056 fully accessible to clients who know what names to actually use.
1057 Items will be hidden if their names contain the string given by
1058 hide_file, or if they match the regular expression specified by
1059 hide_file. Note that vsftpd's regular expression matching code
1060 is a simple implementation which is a subset of full regular ex‐
1061 pression functionality. See deny_file for details of exactly
1062 what regex syntax is supported. Example: hide_file={*.mp3,.hid‐
1063 den,hide*,h?}
1064
1065 Default: (none)
1066
1067 listen_address
1068 If vsftpd is in standalone mode, the default listen address (of
1069 all local interfaces) may be overridden by this setting. Provide
1070 a numeric IP address.
1071
1072 Default: (none)
1073
1074 listen_address6
1075 Like listen_address, but specifies a default listen address for
1076 the IPv6 listener (which is used if listen_ipv6 is set). Format
1077 is standard IPv6 address format.
1078
1079 Default: (none)
1080
1081 local_root
1082 This option represents a directory which vsftpd will try to
1083 change into after a local (i.e. non-anonymous) login. Failure is
1084 silently ignored.
1085
1086 Default: (none)
1087
1088 message_file
1089 This option is the name of the file we look for when a new di‐
1090 rectory is entered. The contents are displayed to the remote
1091 user. This option is only relevant if the option dirmessage_en‐
1092 able is enabled.
1093
1094 Default: .message
1095
1096 nopriv_user
1097 This is the name of the user that is used by vsftpd when it
1098 wants to be totally unprivileged. Note that this should be a
1099 dedicated user, rather than nobody. The user nobody tends to be
1100 used for rather a lot of important things on most machines.
1101
1102 Default: nobody
1103
1104 pam_service_name
1105 This string is the name of the PAM service vsftpd will use.
1106
1107 Default: ftp
1108
1109 pasv_address
1110 Use this option to override the IP address that vsftpd will ad‐
1111 vertise in response to the PASV command. Provide a numeric IP
1112 address, unless pasv_addr_resolve is enabled, in which case you
1113 can provide a hostname which will be DNS resolved for you at
1114 startup.
1115
1116 Default: (none - the address is taken from the incoming con‐
1117 nected socket)
1118
1119 rsa_cert_file
1120 This option specifies the location of the RSA certificate to use
1121 for SSL encrypted connections.
1122
1123 Default: /usr/share/ssl/certs/vsftpd.pem
1124
1125 rsa_private_key_file
1126 This option specifies the location of the RSA private key to use
1127 for SSL encrypted connections. If this option is not set, the
1128 private key is expected to be in the same file as the certifi‐
1129 cate.
1130
1131 Default: (none)
1132
1133 secure_chroot_dir
1134 This option should be the name of a directory which is empty.
1135 Also, the directory should not be writable by the ftp user. This
1136 directory is used as a secure chroot() jail at times vsftpd does
1137 not require filesystem access.
1138
1139 Default: /usr/share/empty
1140
1141 ssl_ciphers
1142 This option can be used to select which SSL ciphers vsftpd will
1143 allow for encrypted SSL connections. See the ciphers man page
1144 for further details. Note that restricting ciphers can be a use‐
1145 ful security precaution as it prevents malicious remote parties
1146 forcing a cipher which they have found problems with.
1147
1148 By default, the system-wide crypto policy is used. See update-
1149 crypto-policies(8) for further details.
1150
1151 Default: PROFILE=SYSTEM
1152
1153 ssl_ciphersuites
1154 This option can be used to select which SSL cipher suites vsftpd
1155 will allow for encrypted SSL connections with TLSv1.3. See the
1156 ciphers man page for further details. Note that restricting ci‐
1157 phers can be a useful security precaution as it prevents mali‐
1158 cious remote parties forcing a cipher which they have found
1159 problems with.
1160
1161 By default, the system-wide crypto policy is used. See update-
1162 crypto-policies(8) for further details.
1163
1164 Default: TLS_AES_256_GCM_SHA384
1165
1166 ssl_sni_hostname
1167 If set, SSL connections will be rejected unless the SNI hostname
1168 in the incoming handshakes matches this value.
1169
1170 Default: (none)
1171
1172 user_config_dir
1173 This powerful option allows the override of any config option
1174 specified in the manual page, on a per-user basis. Usage is sim‐
1175 ple, and is best illustrated with an example. If you set
1176 user_config_dir to be /etc/vsftpd/user_conf and then log on as
1177 the user "chris", then vsftpd will apply the settings in the
1178 file /etc/vsftpd/user_conf/chris for the duration of the ses‐
1179 sion. The format of this file is as detailed in this manual
1180 page! PLEASE NOTE that not all settings are effective on a per-
1181 user basis. For example, many settings are only read prior to
1182 the user's session being started. Examples of settings which
1183 will not affect any behaviour on a per-user basis include
1184 listen_address, banner_file, max_per_ip, max_clients, xferlog_file, etc.
1185
1186 Default: (none)
1187
1188 user_sub_token
1189 This option is useful in conjunction with virtual users. It is
1190 used to automatically generate a home directory for each virtual
1191 user, based on a template. For example, if the home directory of
1192 the real user specified via guest_username is /home/vir‐
1193 tual/$USER, and user_sub_token is set to $USER, then when vir‐
1194 tual user fred logs in, he will end up (usually chroot()'ed) in
1195 the directory /home/virtual/fred. This option also takes effect
1196 if local_root contains user_sub_token.
1197
1198 Default: (none)
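
Added example (Python; not vsftpd's own parser) tying together the option=value format, a user_config_dir override and user_sub_token expansion: it parses a constructed base vsftpd.conf and a constructed per-user file for "fred", rejects lines with whitespace around "=", drops overrides that this page lists as having no per-user effect, and expands $USER in local_root. Option names are not validated against vsftpd's table, the ignore list covers only the settings the page names, and the username check inside expand_sub_token is the example's own guard, not something the page attributes to vsftpd.

```python
import re

# Settings the man page names as having no per-user effect through
# user_config_dir (they are read before the session starts). The page says
# "etc.", so the real list is longer; only the named ones are checked here.
NOT_PER_USER = {"listen_address", "banner_file", "max_per_ip",
                "max_clients", "xferlog_file"}

_DIRECTIVE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

def conf_errors(text: str) -> list[str]:
    """Lines that are neither a comment, empty, nor a strict option=value
    directive. Whitespace on either side of '=' is reported, since the man
    page says it is an error."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m is None or m.group(2)[:1].isspace():
            problems.append(f"line {lineno}: bad directive (spaces around '='?): {line!r}")
    return problems

def parse_conf(text: str) -> dict[str, str]:
    """Parse vsftpd.conf text into a mapping; in this example a later line
    for the same option replaces an earlier one."""
    errors = conf_errors(text)
    if errors:
        raise ValueError("; ".join(errors))
    conf = {}
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def apply_user_conf(base: dict, user_conf: dict) -> tuple[dict, list[str]]:
    """Layer a user_config_dir file over the base config, dropping settings the
    man page says are already fixed before the session starts."""
    merged, ignored = dict(base), []
    for key, value in user_conf.items():
        if key in NOT_PER_USER:
            ignored.append(key)
        else:
            merged[key] = value
    return merged, ignored

def expand_sub_token(template: str, conf: dict, user: str) -> str:
    """Substitute user_sub_token (e.g. $USER) into a home-directory or
    local_root template. The username check is this example's own guard."""
    if "/" in user or user in ("", ".", ".."):
        raise ValueError(f"refusing to expand a path for username {user!r}")
    token = conf.get("user_sub_token")
    return template.replace(token, user) if token else template

def session_view(base_text: str, user_text: str, user: str) -> dict:
    """What a session for `user` would run with: merged settings, the overrides
    that could not apply, and the expanded local_root."""
    base = parse_conf(base_text)
    merged, ignored = apply_user_conf(base, parse_conf(user_text))
    return {
        "settings": merged,
        "ignored_overrides": ignored,
        "local_root": expand_sub_token(merged["local_root"], merged, user),
    }

# Constructed sample configs, not taken from a real deployment.
BASE_CONF = """\
listen=YES
local_enable=YES
write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=ftp
user_sub_token=$USER
local_root=/home/virtual/$USER
user_config_dir=/etc/vsftpd/user_conf
max_clients=200
"""

# Would live at /etc/vsftpd/user_conf/fred under the base config above.
FRED_CONF = """\
# fred may upload, into his own area only
write_enable=YES
local_root=/srv/upload/$USER
max_clients=5
"""

if __name__ == "__main__":
    print(session_view(BASE_CONF, FRED_CONF, "fred"))
    print(conf_errors("local_umask = 022\nlocal_umask= 022\nanon_root=/srv/ftp\n"))
```

For fred the merged view enables writes and points local_root at /srv/upload/fred, while the max_clients=5 line is reported as ignored: it is one of the settings the page says cannot change per user, so putting it in a per-user file gives a false sense of a limit that is not being applied.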
1199
1200 userlist_file
1201 This option is the name of the file loaded when the userlist_en‐
1202 able option is active.
1203
1204 Default: /etc/vsftpd/user_list
1205
1206 vsftpd_log_file
1207 This option is the name of the file to which we write the vsftpd
1208 style log file. This log is only written if the option xfer‐
1209 log_enable is set, and xferlog_std_format is NOT set. Alterna‐
1210 tively, it is written if you have set the option dual_log_en‐
1211 able. One further complication - if you have set syslog_enable,
1212 then this file is not written and output is sent to the system
1213 log instead.
1214
1215 Default: /var/log/vsftpd.log
1216
1217 xferlog_file
1218 This option is the name of the file to which we write the wu-
1219 ftpd style transfer log. The transfer log is only written if the
1220 option xferlog_enable is set, along with xferlog_std_format.
1221 Alternatively, it is written if you have set the option
1222 dual_log_enable.
1223
1224 Default: /var/log/xferlog
1225
1226
1228 scarybeasts@gmail.com
1229
1230
1231
1232
1233 VSFTPD.CONF(5)