Enabling/Disabling TLS Based On User Or Group

This article explains how to enable or disable TLS in ProFTPd based on the FTP user or group. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. While this is a good thing, not all FTP clients support TLS.

1 Preliminary Note

This tutorial assumes that you already have TLS set up, for example as described in this tutorial: Setting Up ProFTPd + TLS On Debian Squeeze.

You can use TLSRequired off in your ProFTPd configuration, as this allows both TLS and non-TLS logins. But if you want to make your FTP setup as secure as possible, you should enforce the use of TLS and make exceptions only for the users or groups whose FTP client doesn't support TLS.

2 TLS Configuration Based On User/Group

Let's assume you have the following TLS configuration in your ProFTPd configuration, which enforces TLS for everybody:

[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>
[...]
We can use IfUser and IfGroup sections to make exceptions, but these take effect only if we add the line TLSOptions AllowPerUser to our TLS configuration:
[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSOptions                 AllowPerUser
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>
[...]
Now let's allow the FTP user testuser to use plain FTP instead of FTP over TLS:
[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSOptions                 AllowPerUser
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>

<IfUser testuser>
          TLSRequired off
</IfUser>
[...]

The same can be done for a group, e.g. for the group testgroup:

[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSOptions                 AllowPerUser
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>

<IfGroup testgroup>
          TLSRequired off
</IfGroup>
[...]

You can also negate users and groups by putting a ! in front of the name. The following configuration enforces TLS for all users other than testuser:

[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSOptions                 AllowPerUser
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>

<IfUser !testuser>
          TLSRequired on
</IfUser>
[...]

The same works for groups. This configuration lets members of testgroup use plain FTP and enforces TLS for all other groups:

[...]
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSOptions                 AllowPerUser
          TLSLog                     /var/log/proftpd/tls.log
          TLSProtocol                SSLv23
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSVerifyClient            off
          TLSRequired                on
</IfModule>

<IfGroup testgroup>
          TLSRequired off
</IfGroup>

<IfGroup !testgroup>
          TLSRequired on
</IfGroup>
[...]
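The two points that are easy to get wrong when reviewing such a configuration are the AllowPerUser switch (without it the IfUser/IfGroup exceptions are silently ignored, so the server is stricter than the author thinks) and the ! negation. The following script is an added example, not part of the original article and not ProFTPd's own parser: it reads fragments like the ones above with a minimal line-based reader, reports which sections switch TLS off and whether they are live, and resolves TLSRequired for a given user. The merge order it uses (global, then IfGroup, then IfUser) and the off default for an unset TLSRequired are assumptions stated in the code; the sample fragments are constructed from the snippets in this article.

```python
"""Audit a ProFTPd configuration fragment for logins that may skip TLS.
Minimal line-based reader for the <IfModule mod_tls.c>, <IfUser> and <IfGroup>
fragments shown in the article; it is not ProFTPd's real parser."""
import re
from dataclasses import dataclass, field

SECTION_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")


@dataclass
class Section:
    kind: str                       # "global", "IfUser" or "IfGroup"
    arg: str                        # "testuser", "!testgroup", "" for global
    directives: dict = field(default_factory=dict)


def parse(text):
    """Return [global section, one Section per <IfUser>/<IfGroup>].
    Directives inside <IfModule> belong to the enclosing scope."""
    sections = [Section("global", "")]
    stack = [sections[0]]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "[...]":
            continue
        m = SECTION_OPEN.match(line)
        if m:
            kind, arg = m.group(1), m.group(2).strip()
            if kind == "IfModule":
                stack.append(stack[-1])     # same scope, just nested
            else:
                sections.append(Section(kind, arg))
                stack.append(sections[-1])
            continue
        if SECTION_CLOSE.match(line):
            stack.pop()
            continue
        name, _, value = line.partition(" ")
        if name == "TLSOptions":            # may be given several times
            stack[-1].directives.setdefault(name, set()).update(value.split())
        else:
            stack[-1].directives[name] = value.strip()
    return sections


def per_user_enabled(sections):
    """True when TLSOptions AllowPerUser is set in the global scope."""
    return "AllowPerUser" in sections[0].directives.get("TLSOptions", set())


def section_matches(sec, user, groups):
    """Honour the '!' negation of <IfUser !name> / <IfGroup !name>."""
    negate = sec.arg.startswith("!")
    target = sec.arg.lstrip("!")
    hit = target in groups if sec.kind == "IfGroup" else target == user
    return hit != negate


def tls_required(sections, user, groups=()):
    """Resolve TLSRequired for `user` in `groups`. Assumption (not from the
    article): global value first, then <IfGroup>, then <IfUser>, so a user
    setting wins; ProFTPd's default for an unset TLSRequired is off."""
    required = sections[0].directives.get("TLSRequired", "off") == "on"
    if not per_user_enabled(sections):
        return required                     # exceptions are ignored entirely
    for kind in ("IfGroup", "IfUser"):
        for sec in sections[1:]:
            if (sec.kind == kind and "TLSRequired" in sec.directives
                    and section_matches(sec, user, groups)):
                required = sec.directives["TLSRequired"] == "on"
    return required


def audit(sections):
    """List the sections that switch TLS off and whether they are live."""
    off = [f"{s.kind} {s.arg}" for s in sections[1:]
           if s.directives.get("TLSRequired") == "off"]
    return {"allow_per_user": per_user_enabled(sections), "tls_off_for": off}


# Constructed sample fragments modelled on the article's snippets.
GLOBAL_TLS = """
<IfModule mod_tls.c>
          TLSEngine                  on
          TLSOptions                 AllowPerUser
          TLSOptions                 NoCertRequest
          TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
          TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
          TLSRequired                on
</IfModule>
"""
GROUP_EXCEPTION = GLOBAL_TLS + """
<IfGroup testgroup>
          TLSRequired off
</IfGroup>
<IfGroup !testgroup>
          TLSRequired on
</IfGroup>
"""
# Same idea, but AllowPerUser was forgotten: the exception is dead configuration.
MISSING_ALLOW = re.sub(r"^\s*TLSOptions\s+AllowPerUser\n", "", GLOBAL_TLS,
                       flags=re.M) + """
<IfUser testuser>
          TLSRequired off
</IfUser>
"""

if __name__ == "__main__":
    for name, cfg in (("group exception", GROUP_EXCEPTION), ("missing AllowPerUser", MISSING_ALLOW)):
        secs = parse(cfg)
        print(name, audit(secs), "testuser needs TLS:", tls_required(secs, "testuser", ["testgroup"]))
```

Run it against a copy of your own proftpd.conf fragment: a non-empty tls_off_for list with allow_per_user False is the tell-tale sign of an exception that looks configured but has no effect, which is exactly the situation the AllowPerUser remark above warns about.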
Don't forget to restart ProFTPd after you've modified its configuration.