vsftpd provides FTP access with mandatory TLS encryption on port 21. Users log in with their shell credentials and land in their home directory.

How it works

FTP client → vsftpd (:21, Explicit TLS)
            → control channel (port 21)
            → passive data channels (ports 40000–40100)
            → user's home directory
Anonymous access is disabled. All connections require authentication and TLS — unencrypted FTP is rejected.

Connection details

| Setting | Value |
|---|---|
| Host | atl.sh |
| Port | 21 |
| Encryption | Explicit FTP over TLS (FTPS) |
| Username | Shell username |
| Password | Shell password |
| Passive ports | 40000–40100 |
| Root directory | User’s home (~/) |
Users are chrooted to their home directory — they cannot navigate above ~/.

SFTP alternative

SFTP (SSH File Transfer Protocol) is also available and often simpler since it uses your existing SSH key:
sftp your-username@atl.sh
No separate password needed — it uses the same key-based auth as SSH.

FileZilla setup

  1. Site Manager → New Site
  2. Protocol: FTP - File Transfer Protocol
  3. Encryption: Require explicit FTP over TLS
  4. Host: atl.sh, Port: 21
  5. Logon Type: Normal, enter username and password
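The same connection from a script, using the standard library's ftplib. This is an added example, not code from the ATL docs or Ansible role: the host and port are the ones in the Connection details table, while make_tls_context and connect are names chosen here and the credentials are placeholders you supply at run time. The security point it makes is that FTP_TLS() with no context argument falls back to ssl._create_stdlib_context(), which neither verifies the certificate chain nor checks the hostname, so a script that "just works" may be talking to anyone. The TLS 1.2 floor is a client-side choice (the page only states the server rejects SSLv2/v3); lower it if the handshake fails.

```python
"""Explicit FTPS to the ATL server with a certificate-verifying TLS context.

Added example; not part of the ATL documentation or the roles/ftp role.
HOST and PORT come from the page; everything else is this example's own.
"""
import getpass
import ssl
import sys
from ftplib import FTP_TLS

HOST = "atl.sh"   # from the Connection details table
PORT = 21         # explicit TLS: plain TCP connect, then AUTH TLS upgrade


def make_tls_context() -> ssl.SSLContext:
    """Build a context that verifies the server's Let's Encrypt certificate.

    ssl.create_default_context() loads the OS CA bundle, sets CERT_REQUIRED and
    enables hostname checking. Passing it explicitly matters: FTP_TLS(context=None)
    uses ssl._create_stdlib_context(), which is CERT_NONE with no hostname check.
    The TLS 1.2 minimum is our own choice, stricter than the server's TLSv1 floor.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect(user: str, password: str, host: str = HOST, port: int = PORT) -> FTP_TLS:
    """Open an explicit-FTPS session: AUTH TLS before any credentials, PROT P after login.

    auth() upgrades the control channel; login() then sends USER/PASS over TLS.
    prot_p() is what encrypts the passive data connections (the 40000-40100 range);
    without it listings and file bodies would be sent in the clear, which the
    server refuses anyway because force_local_data_ssl=YES.
    """
    ftps = FTP_TLS(context=make_tls_context())
    ftps.connect(host, port, timeout=30)
    ftps.auth()
    ftps.login(user, password)
    ftps.prot_p()
    ftps.set_pasv(True)  # passive mode is ftplib's default; stated for clarity
    return ftps


if __name__ == "__main__":
    # Usage: python ftps_client.py [username]; password is prompted, never in argv.
    user = sys.argv[1] if len(sys.argv) > 1 else getpass.getuser()
    session = connect(user, getpass.getpass(f"password for {user}@{HOST}: "))
    print(session.pwd())  # prints "/" because the session is chrooted to ~/
    for name in session.nlst():
        print(name)
    session.quit()
```

If the handshake fails with this context but succeeds in FileZilla, the cause is usually a missing or stale OS CA bundle on the client rather than the server: fix the bundle instead of disabling verification.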

Configuration

vsftpd is configured via /etc/vsftpd.conf, templated from vsftpd.conf.j2:
| Setting | Value |
|---|---|
| anonymous_enable | NO |
| local_enable | YES |
| write_enable | YES |
| chroot_local_user | YES |
| ssl_enable | YES |
| force_local_data_ssl | YES |
| force_local_logins_ssl | YES |
| ssl_ciphers | HIGH |
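A small linter that checks a rendered /etc/vsftpd.conf against the table above, so a drift in the template (a commented-out force_local_logins_ssl, an ssl_sslv3=YES someone pasted from an old howto) is caught before the service restarts. This is an added example, not part of the roles/ftp role; the two sample configs are constructed for the demonstration and the function names are this example's own. The passive-range check reflects the page's pinned 40000–40100, which must match what the firewall opens. One vsftpd behaviour the linter cannot see because it is filesystem state: with chroot_local_user=YES and write_enable=YES, vsftpd 3.x refuses a login whose chroot root (here the home directory) is writable, answering 500 OOPS: vsftpd: refusing to run with writable root inside chroot(), unless allow_writeable_chroot=YES is set or the home itself is made non-writable with writable subdirectories.

```python
"""Lint a vsftpd.conf against the hardening settings documented on this page.

Added example, not from the ATL Ansible role. The expected values mirror the
Configuration table; GOOD_CONF and BAD_CONF are constructed samples.
"""
import re

# Settings the page requires and the value each must carry.
REQUIRED = {
    "anonymous_enable": "NO",
    "local_enable": "YES",
    "write_enable": "YES",
    "chroot_local_user": "YES",
    "ssl_enable": "YES",
    "force_local_data_ssl": "YES",
    "force_local_logins_ssl": "YES",
    "ssl_ciphers": "HIGH",
}

# Off by default in vsftpd, but an explicit YES in a template re-enables them.
FORBIDDEN_YES = ("ssl_sslv2", "ssl_sslv3")

# Strict key=value, one per line; vsftpd does not tolerate decoration here.
LINE_RE = re.compile(r"^([A-Za-z_]+)=(.*)$")


def _norm(value: str) -> str:
    """Fold vsftpd's boolean spellings (YES/TRUE/1, NO/FALSE/0) to YES/NO."""
    v = value.strip().upper()
    if v in ("YES", "TRUE", "1"):
        return "YES"
    if v in ("NO", "FALSE", "0"):
        return "NO"
    return v


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """Return {key: value}; blank lines and '#' comments are skipped, last duplicate wins."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def lint(settings: dict[str, str]) -> list[str]:
    """Return findings; an empty list means the file matches the page's table."""
    findings: list[str] = []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key} is missing (expected {want})")
        elif _norm(got) != _norm(want):
            findings.append(f"{key}={got} (expected {want})")
    for key in FORBIDDEN_YES:
        if _norm(settings.get(key, "NO")) == "YES":
            findings.append(f"{key}=YES re-enables a protocol that must stay off")
    # The page pins the passive range so the firewall can open exactly those ports.
    try:
        lo = int(settings.get("pasv_min_port", "0"))
        hi = int(settings.get("pasv_max_port", "0"))
    except ValueError:
        findings.append("pasv_min_port/pasv_max_port are not integers")
    else:
        if not 0 < lo <= hi <= 65535:
            findings.append(f"passive range {lo}-{hi} is unset or inverted")
    return findings


# Constructed sample matching the page's table.
GOOD_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_ciphers=HIGH
ssl_sslv2=NO
ssl_sslv3=NO
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100
"""

# Constructed sample resembling a stock install: plaintext logins, no chroot.
BAD_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
#write_enable=YES
ssl_enable=NO
pasv_min_port=40000
pasv_max_port=40100
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/vsftpd.conf"
    with open(path, encoding="utf-8") as fh:
        problems = lint(parse_vsftpd_conf(fh.read()))
    print("\n".join(problems) or f"{path}: matches the documented hardening")
    sys.exit(1 if problems else 0)
```

Run it as a pre-restart check in the role, or against the rendered template in CI, and treat a non-zero exit as a failed deploy.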

TLS certificates

  • Production/staging: Uses Let’s Encrypt certs shared with nginx
  • Dev: Uses the self-signed cert from the Gemini role (/etc/ssl/certs/molly-brown.crt)

Ansible configuration

| File | Purpose |
|---|---|
| roles/ftp/tasks/main.yml | Install vsftpd, deploy config, enable service |
| roles/ftp/templates/vsftpd.conf.j2 | Config template |
| roles/ftp/defaults/main.yml | Default variables |

Key variables:

| Variable | Default | Description |
|---|---|---|
| ftp_port | 21 | Control port |
| pasv_min_port | 40000 | Passive range start |
| pasv_max_port | 40100 | Passive range end |
| ftp_tls_cert | Let’s Encrypt fullchain | TLS certificate path |
| ftp_tls_key | Let’s Encrypt privkey | TLS private key path |
The dev environment overrides ftp_tls_cert and ftp_tls_key to use the self-signed Gemini cert.

Troubleshooting

“530 Login incorrect”
  • FTP uses PAM authentication — verify the user has a valid password set
  • SFTP (over SSH) is usually easier since it uses key-based auth
“SSL/TLS handshake failed”
  • Ensure your client is set to Explicit TLS, not Implicit
  • The server accepts TLSv1 and newer only; SSLv2 and SSLv3 are disabled, so a client pinned to those will fail the handshake
“425 Security: Bad IP connecting”
  • Some NAT configurations cause the data connection IP to differ from the control connection
  • Try active mode instead of passive, or use SFTP
Can’t write files
  • Check disk quota: quota -s
  • Verify file permissions in the target directory