Features

Overview

TurboFTP Server is a multi-protocol secure file transfer server. SFTP and SCP are two popular file transfer protocols that normally run on top of the SSH secure layer. For user authentication in SSH, public key authentication is considered more secure because no password is sent over the network. TurboFTP Server supports SSH public key authentication in two different configurations. The first is simple and similar to that of an OpenSSH server running on Linux: the server looks for the user's SSH public key in the ssh_key subfolder under the user's home folder. If a PEM format SSH public key exists there, it is loaded to authenticate the user (the ssh_key folder is hidden from the user's view when the user browses his/her home directory).

Alternatively, if Active Directory is the authentication method of a domain in TurboFTP Server and you want users to access the SFTP/SCP service with SSH public key authentication, the SSH public key needs to be stored as an Active Directory attribute. This guide assumes a valid AD user attribute, sshPublicKey, has been assigned for storing the user's SSH public key, and shows how to configure TurboFTP Server and the SFTP client to make SSH public key authentication work.

Mapping SSH public key to AD users

To map an SSH public key to an AD user, we need to use ADSI Edit.

  1. Launch MMC and add ADSI Edit as a snap-in to MMC.

  2. Search for the user in the tree, right-click on it and select Properties. All attributes can be edited there.

  3. Select Attribute Editor, select sshPublicKey and double-click on it. Copy the user's PEM format SSH public key (only the Base64 key blob, excluding any delimiters or attributes), paste it here and click OK.
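Extracting the bare blob for step 3 and checking it before it is pasted, as an added example (not TurboFTP's own code). It assumes the key file uses SSH2 (RFC 4716) delimiters with header lines, or the OpenSSH one-line form, and that the blob is in SSH wire format; the function names and the sample key are constructed for illustration.

```python
import base64
import binascii
import hashlib


def extract_blob(key_text: str) -> str:
    """Return only the Base64 key blob: no delimiters, headers or comment."""
    lines = [ln.strip() for ln in key_text.splitlines() if ln.strip()]
    if len(lines) == 1 and " " in lines[0]:
        return lines[0].split()[1]          # OpenSSH form: "<type> <blob> [comment]"
    body, in_header = [], False
    for ln in lines:
        if ln.startswith("-"):              # BEGIN/END delimiter lines
            continue
        if in_header or ":" in ln:          # header attribute such as Comment:
            in_header = ln.endswith("\\")   # a trailing backslash continues it
            continue
        body.append(ln)
    return "".join(body)


def describe_blob(blob_b64: str) -> tuple:
    """Validate a bare blob; return (algorithm name, SHA256 fingerprint)."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not a bare Base64 blob: {exc}") from exc
    name_len = int.from_bytes(raw[:4], "big")   # SSH wire format: length-prefixed name
    if not 0 < name_len <= len(raw) - 4:
        raise ValueError("blob does not start with an SSH algorithm name")
    algorithm = raw[4:4 + name_len].decode("ascii")
    digest = hashlib.sha256(raw).digest()
    return algorithm, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def constructed_blob() -> str:
    """Sample ssh-ed25519 blob built from constructed bytes (not a real key)."""
    name, pub = b"ssh-ed25519", bytes(range(32))
    raw = len(name).to_bytes(4, "big") + name + len(pub).to_bytes(4, "big") + pub
    return base64.b64encode(raw).decode()


BLOB = constructed_blob()
SAMPLE_SSH2 = "\n".join([                   # constructed key file, hypothetical user
    "---- BEGIN SSH2 PUBLIC KEY ----",
    'Comment: "constructed key for \\', 'jsmith@test.local"',
    BLOB[:40], BLOB[40:], "---- END SSH2 PUBLIC KEY ----"])

if __name__ == "__main__":
    print(describe_blob(extract_blob(SAMPLE_SSH2)))
```

The fingerprint has the same form that `ssh-keygen -lf` prints for the user's key file, so the value stored in sshPublicKey can be compared with the key the client will present.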

Configure TurboFTP Server to use AD as external authentication source

For this procedure please refer to the article Set up Active Directory or LDAP Authentication in TurboFTP Server.

To enable SSH public key authentication, make sure to enter the name of the AD attribute where the user's public key is stored.

Configure SFTP Client for SSH public key authentication

We demonstrate SFTP client configuration with TurboFTP client.

  1. Launch TurboFTP client, and select the site to configure in Address Book.

  2. Go to the Security tab, enable Use SSH public key authentication, and provide the paths to the user's public key and private key.

Overview

TurboFTP Server allows you to quickly set up a file server to securely serve files through different protocols like HTTPS, FTPS or SFTP/SCP. This guide will show how to configure TurboFTP Server to use a network share.

Impersonation configuration

TurboFTP Server needs to impersonate a logged-on user to access a network share in a Windows domain environment. To do so, click on the domain in the left pane (FTP in this example), tick the Enable impersonation checkbox and provide User, Password and Domain.

Configuring VFolder

  1. To configure a VFolder to use a network share, click on DirAccess in the left pane and then the New VFolder button.

  2. Provide Virtual Folder Name and Associated physical folder path.

  3. As we have permissions inheritance disabled at the root level, we need to add someone to the list of VFolder permissions.
    To do so, click on the newly created VFolder and then the Add Rule button.

  4. Select a user and click OK.

  5. Click on the user again and press the Select All button to give him all permissions to the VFolder.

  6. Save changes by pressing the Apply button.

Configuring TurboFTP Client

  1. Open TurboFTP Client Address Book, select New Site -> Standard FTP, provide Site Name, Address, User ID, Password and Initial Remote Folder and click Connect.

  2. You will be connected to the FTP server and the initial directory is set to Files, which is a network share on the file server.

Overview

One of the approaches to strengthening the security of an HTTPS/FTPS (secure FTP) server's logon process is to use SSL client certificate authentication. This step-by-step guide will show you how to configure Active Directory, TurboFTP Server and Client to use certificates.

Export RootCA certificate from CA console

  1. Open Active Directory Certification Authority console.

  2. Right-click on the CA and choose Properties.

  3. On the General tab click View Certificate.

  4. Click on the Copy to File button.

  5. Leave the default file format and click Next.

  6. Click Browse and provide a path where the CA certificate will be stored.

  7. Click Next and confirm your export operation. Once the certificate is exported you will see an affirmative message.

Import RootCA certificate to TurboFTP Server

  1. In TurboFTP Server console click on Local Server.

  2. Switch to SSL Certs tab and click Import.

  3. Provide a name and path to the certificate and click OK.

Create TurboFTP SSL Server certificate

  1. Click on the New button to create an SSL certificate (on the server).

  2. Provide certificate name and passphrase (other options can be left with default values).

  3. Provide Certificate Subject Information.

  4. Click Next and the certificate will be generated.

Configure TurboFTP Server to accept secure SSL connections

  • Click on FTP Server, go to the Connection tab, enable the Allow Explicit SSL for FTP or Allow Explicit TLS for FTP check boxes and select the appropriate certificates.

Configure TurboFTP Server to accept secure SSL connections

To automatically enroll clients for certificates in a Windows domain environment, use Group Policy certificates auto-enrollment by following the official guide from Microsoft.

Please note this is only an example of setting up SSL client certificate authentication for users in TurboFTP Server. This authentication function is not limited to Active Directory users or bound to Windows Certification Authority. You can use a third-party CA certificate and create/distribute client certificates signed by the CA to users, who can be from any authentication source that is supported by TurboFTP Server.

Overview

This guide will show how to configure TurboFTP Server Dir Access.

Permissions

  1. To give a particular user access to the FTP root directory, click on the New Rule button.

  2. Select the user you want to give access to and click OK.

  3. Click on the user to set his/her permissions.

  4. Please note that permissions are divided into three categories: File Permissions, Dir Permissions and Common Permissions, which can be set using the corresponding checkboxes.

Permissions inheritance

  1. Also note that by default the "Subdirectories inherit permissions" checkbox is enabled. If this option is selected, all subfolders inherit the permissions of the current folder.
    Otherwise, there are NO permissions by default for any subfolder and no user can access the contents of those subfolders, unless specific rules have been added.
    To demonstrate this, disable inheritance and click Apply.

  2. Click on any subfolder and notice that the access list isn't inherited: no access is allowed to the subdirectory.

  3. If we want to allow users to access a subdirectory ("home" in this example) where inherited permissions are disabled, we need to create a new rule, add the required users and set their permissions.

Virtual Folders

  1. A Virtual Folder allows you to add a link to any physical subfolder into the existing domain file system and make it appear as a subfolder under the domain root folder.
    To create a new Virtual Folder, click on the New V Folder button and provide a name and physical path.

  2. Once created, a Virtual Folder looks almost the same as a usual folder, with a small note showing the path to the physical folder location.

  3. Permissions for a virtual folder are managed the same way as for a normal subfolder.
    Note that if you use the Delete Folder button to delete a virtual folder, only the reference will be deleted and the physical folder it points to will remain intact.

Notes

Both File Permissions and Dir Permissions have a "List" permission. If "List" is unchecked in File Permissions, the folder shows no files in the listing; when "List" is unchecked in Dir Permissions, the folder shows no subfolders in the listing.

AD/LDAP HomeDir option

If using AD/LDAP authentication, and "Use AD user home directory" or "Use LDAP user home directory" is enabled, the user will have FULL access to his/her home directory once logged on.

Overview

Several techniques can be used to make connections to an FTP server more secure, and one of them is to use Active Directory or LDAP integrated authentication.
This step-by-step guide will show you how to configure Active Directory and OpenLDAP for use as an authentication provider.

Create AD Bind account for TurboFTP Server

  1. Right-click on the Users OU and select New => User.

  2. Provide First, Last, Display and login name and click Next.

  3. Specify a password, click Next and Finish.

  4. Using the same approach, create a New User account.

  5. Double-click on the newly created user and go to the Profile tab.

  6. Specify the path to the user's home directory.

Configure TurboFTP Server to use Active Directory authentication

  1. Create New Domain.

  2. Specify domain name and IP address.

  3. Select Active Directory Authentication method and fill all fields.

  4. You can "Use User Principal Name to log in", so domain user login name should be in UPN form rather than FQDN.
    For example, user (cn=jsmith, OU=Users, DC=test, DC=local) should login as jsmith@test.local.

  5. Click Test button and provide BindDN login and password.

  6. If connection is successful, you will see a confirmation message.

  7. Specify FTP server's root folder.

Create LDAP bind account

  1. Create an answer file named tbftpsrv.ldif

    dn: ou=Users,dc=test,dc=local
    objectClass: organizationalUnit
    ou: Users

    dn: uid=tbftpsrv,ou=Users,dc=test,dc=local
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: tbftpsrv
    sn: tbftpsrv
    givenName: tbftpsrv
    cn: tbftpsrv
    displayName: tbftpsrv
    uidNumber: 10000
    gidNumber: 5000
    userPassword: !TurboFTP_Bind_Account_Password!
    gecos: tbftpsrv
    loginShell: /bin/bash
    homeDirectory: /home/tbftpsrv

  2. Add bind account to the LDAP directory.

    ldapadd -x -D cn=admin,dc=test,dc=local -W -f tbftpsrv.ldif

  3. You will be asked for admin password.

    Enter LDAP Password: ********

  4. If password is correct you will see that info from the file has been added.

    adding new entry "ou=Users,dc=test,dc=local"
    adding new entry "uid=tbftpsrv,ou=Users,dc=test,dc=local"

  5. Using the same approach create New User account by creating new file jsmith.ldif

    dn: uid=jsmith,ou=Users,dc=test,dc=local
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: jsmith
    sn: Smith
    givenName: John
    cn: John Smith
    displayName: John Smith
    uidNumber: 10001
    gidNumber: 5001
    userPassword: !UserPassword!
    gecos: John Smith
    loginShell: /bin/bash
    homeDirectory: /home/jsmith

Configure TurboFTP Server to use LDAP authentication

  1. Create New Domain.

  2. Specify domain name and IP address.

  3. Select LDAP Authentication method and fill all fields.

  4. You can "Use User Principal Name to log in", so domain user login name should be in UPN form rather than FQDN.
    For example, user (cn=jsmith, OU=Users, DC=test, DC=local) should login as jsmith@test.local.

  5. Click Test button and provide BindDN login and password.

  6. If connection is successful, you will see a message.

  7. Specify FTP server root folder.

Refresh user list

  1. By default, TurboFTP Server doesn't refresh the AD users list, so it's empty. To refresh the user list, click on the Refresh button.

  2. Now the users list should be populated.