It is important to note that it is an error to put any space between the
option, = and value.
Each setting has a compiled in default which may be modified in the
configuration file.
- anon_root
-
This option represents a directory which vsftpd will try to change into
after an anonymous login. Failure is silently ignored.
Default: (none)
- banned_email_file
-
This option is the name of a file containing a list of anonymous e-mail
passwords which are not permitted. This file is consulted if the option
deny_email_enable
is enabled.
Default: /etc/vsftpd.banned_emails
- banner_file
-
This option is the name of a file containing text to display when someone
connects to the server. If set, it overrides the banner string provided by
the
ftpd_banner
option.
Default: (none)
- chown_username
-
This is the name of the user who is given ownership of anonymously uploaded
files. This option is only relevant if another option,
chown_uploads,
is set.
Default: root
- chroot_list_file
-
The option is the name of a file containing a list of local users which
will be placed in a chroot() jail in their home directory. This option is
only relevant if the option
chroot_list_enable
is enabled. If the option
chroot_local_user
is enabled, then the list file becomes a list of users to NOT place in a
chroot() jail.
Default: /etc/vsftpd.chroot_list
- cmds_allowed
-
This options specifies a comma separated list of allowed FTP commands (post
login. USER, PASS and QUIT are always allowed pre-login). Other
commands are rejected. This is a powerful method of really locking down an
FTP server. Example: cmds_allowed=PASV,RETR,QUIT
Default: (none)
- deny_file
-
This option can be used to set a pattern for filenames (and directory names
etc.) which should not be accessible in any way. The affected items are not
hidden, but any attempt to do anything to them (download, change into
directory, affect something within directory etc.) will be denied. This option
is very simple, and should not be used for serious access control - the
filesystem's permissions should be used in preference. However, this option
may be useful in certain virtual user setups. In particular aware that if
a filename is accessible by a variety of names (perhaps due to symbolic
links or hard links), then care must be taken to deny access to all the names.
Access will be denied to items if their name contains the string given by
hide_file, or if they match the regular expression specified by hide_file.
Note that vsftpd's regular expression matching code is a simple implementation
which is a subset of full regular expression functionality. Because of this,
you will need to carefully and exhaustively test any application of this
option. And you are recommended to use filesystem permissions for any
important security policies due to their greater reliability. Example:
deny_file={*.mp3,*.mov,.private}
Default: (none)
- dsa_cert_file
-
This option specifies the location of the DSA certificate to use for SSL
encrypted connections.
Default: (none - an RSA certificate suffices)
- email_password_file
-
This option can be used to provide an alternate file for usage by the
secure_email_list_enable
setting.
Default: /etc/vsftpd.email_passwords
- ftp_username
-
This is the name of the user we use for handling anonymous FTP. The home
directory of this user is the root of the anonymous FTP area.
Default: ftp
- ftpd_banner
-
This string option allows you to override the greeting banner displayed
by vsftpd when a connection first comes in.
Default: (none - default vsftpd banner is displayed)
- guest_username
-
See the boolean setting
guest_enable
for a description of what constitutes a guest login. This setting is the
real username which guest users are mapped to.
Default: ftp
- hide_file
-
This option can be used to set a pattern for filenames (and directory names
etc.) which should be hidden from directory listings. Despite being hidden,
the files / directories etc. are fully accessible to clients who know what
names to actually use. Items will be hidden if their names contain the string
given by hide_file, or if they match the regular expression specified by
hide_file. Note that vsftpd's regular expression matching code is a simple
implementation which is a subset of full regular expression functionality.
Example: hide_file={*.mp3,.hidden,hide*,h?}
Default: (none)
- listen_address
-
If vsftpd is in standalone mode, the default listen address (of all local
interfaces) may be overridden by this setting. Provide a numeric IP address.
Default: (none)
- listen_address6
-
Like listen_address, but specifies a default listen address for the IPv6
listener (which is used if listen_ipv6 is set). Format is standard IPv6
address format.
Default: (none)
- local_root
-
This option represents a directory which vsftpd will try to change into
after a local (i.e. non-anonymous) login. Failure is silently ignored.
Default: (none)
- message_file
-
This option is the name of the file we look for when a new directory is
entered. The contents are displayed to the remote user. This option is
only relevant if the option
dirmessage_enable
is enabled.
Default: .message
- nopriv_user
-
This is the name of the user that is used by vsftpd when it wants to be
totally unprivileged. Note that this should be a dedicated user, rather
than nobody. The user nobody tends to be used for rather a lot of important
things on most machines.
Default: nobody
- pam_service_name
-
This string is the name of the PAM service vsftpd will use.
Default: ftp
- pasv_address
-
Use this option to override the IP address that vsftpd will advertise in
response to the PASV command. Provide a numeric IP address.
Default: (none - the address is taken from the incoming connected socket)
- rsa_cert_file
-
This option specifies the location of the RSA certificate to use for SSL
encrypted connections.
Default: /usr/share/ssl/certs/vsftpd.pem
- secure_chroot_dir
-
This option should be the name of a directory which is empty. Also, the
directory should not be writable by the ftp user. This directory is used
as a secure chroot() jail at times vsftpd does not require filesystem access.
Default: /usr/share/empty
- ssl_ciphers
-
This option can be used to select which SSL ciphers vsftpd will allow for
encrpyted SSL connections. See the
ciphers
man page for further details. Note that restricting ciphers can be a useful
security precaution as it prevents malicious remote parties forcing a cipher
which they have found problems with.
Default: DES-CBC3-SHA
- user_config_dir
-
This powerful option allows the override of any config option specified in
the manual page, on a per-user basis. Usage is simple, and is best illustrated
with an example. If you set
user_config_dir
to be
/etc/vsftpd_user_conf
and then log on as the user "chris", then vsftpd will apply the settings in
the file
/etc/vsftpd_user_conf/chris
for the duration of the session. The format of this file is as detailed in
this manual page! PLEASE NOTE that not all settings are effective on a
per-user basis. For example, many settings only prior to the user's session
being started. Examples of settings which will not affect any behviour on
a per-user basis include listen_address, banner_file, max_per_ip, max_clients,
xferlog_file, etc.
Default: (none)
- user_sub_token
-
This option is useful is conjunction with virtual users. It is used to
automatically generate a home directory for each virtual user, based on a
template. For example, if the home directory of the real user specified via
guest_username
is
/home/virtual/$USER,
and
user_sub_token
is set to
$USER,
then when virtual user fred logs in, he will end up (usually chroot()'ed) in
the directory
/home/virtual/fred.
This option also takes affect if
local_root
contains
user_sub_token.
Default: (none)
- userlist_file
-
This option is the name of the file loaded when the
userlist_enable
option is active.
Default: /etc/vsftpd.user_list
- vsftpd_log_file
-
This option is the name of the file to which we write the vsftpd style
log file. This log is only written if the option
xferlog_enable
is set, and
xferlog_std_format
is NOT set. Alternatively, it is written if you have set the option
dual_log_enable.
One further complication - if you have set
syslog_enable,
then this file is not written and output is sent to the system log instead.
Default: /var/log/vsftpd.log
- xferlog_file
-
This option is the name of the file to which we write the wu-ftpd style
transfer log. The transfer log is only written if the option
xferlog_enable
is set, along with
xferlog_std_format.
Alternatively, it is written if you have set the option
dual_log_enable.
Default: /var/log/xferlog