From: John M. <jw...@us...> - 2010-08-17 14:08:08
Update of /cvsroot/pdd/www.proftpd.org In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv32561 Modified Files: wwwmirror.epl Log Message: update Index: wwwmirror.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/wwwmirror.epl,v retrieving revision 1.119 retrieving revision 1.120 diff -C2 -r1.119 -r1.120 *** wwwmirror.epl 29 Jun 2010 14:43:52 -0000 1.119 --- wwwmirror.epl 17 Aug 2010 14:07:56 -0000 1.120 *************** *** 41,45 **** <a href="http://www.se.proftpd.org/">se</a> <a href="http://www.sg.proftpd.org/">sg</a> - <a href="http://www.si.proftpd.org/">si</a> <a href="http://www.tw.proftpd.org/">tw</a> <a href="http://www.uk.proftpd.org/">uk</a> --- 41,44 ---- *************** *** 226,240 **** </p> <p> - <a href="http://www2.si.proftpd.org">http://www2.si.proftpd.org/</a> - <br /> - <a href="http://mirrors.paknet.org/proftpd/">http://mirrors.paknet.org/proftpd/</a> - <br /> - - Location: Slovenia (Slovenia) - <br /> - - Maintained by: Miha Novak<br /> - </p> - <p> <a href="http://www1.pl.proftpd.org">http://www1.pl.proftpd.org/</a> <br /> --- 225,228 ---- |
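Review bot: the log message "update" does not say what changed; since the two hunks drop the www.si.proftpd.org entry from the country link list and remove the www2.si.proftpd.org / mirrors.paknet.org mirror paragraph, a message such as "Remove si (Slovenia) mirror" would let future readers see why a mirror disappeared without opening the diff. The same applies to the other wwwmirror.epl commits on this page that are logged only as "update".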
From: TJ S. <cas...@us...> - 2010-07-01 15:36:12
Update of /cvsroot/pdd/www.proftpd.org In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv14782 Modified Files: index.epl md5_pgp.epl Log Message: Updating website for 1.3.3a release. Index: index.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/index.epl,v retrieving revision 1.107 retrieving revision 1.108 diff -C2 -r1.107 -r1.108 *** index.epl 24 Feb 2010 18:20:37 -0000 1.107 --- index.epl 1 Jul 2010 15:36:02 -0000 1.108 *************** *** 4,7 **** --- 4,14 ---- #include "header.epl" + <h1>1.3.3a released</h1> + [<i>01/Jul/2010</i>] + <p>The ProFTPD Project team is happy to release 1.3.3a to the community. + This is a maintenance release, containing backported fixes for bugs found + in the 1.3.3 release. The <a href="docs/RELEASE_NOTES-1.3.3a">RELEASE_NOTES</a> + and <a href="docs/NEWS-1.3.3a">NEWS</a> files contain the full details.</p> + <h1>1.3.2e, 1.3.3 released</h1> [<i>24/Feb/2010</i>] Index: md5_pgp.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/md5_pgp.epl,v retrieving revision 1.52 retrieving revision 1.53 diff -C2 -r1.52 -r1.53 *** md5_pgp.epl 24 Feb 2010 18:20:37 -0000 1.52 --- md5_pgp.epl 1 Jul 2010 15:36:02 -0000 1.53 *************** *** 11,16 **** 018e0eb1757d9cea2a0e17f2c9b1ca2d <a href="ftp://ftp.proftpd.org/distrib/sources/proftpd-1.3.2e.tar.bz2">proftpd-1.3.2e.tar.bz2</a> 4ecb82cb1050c0e897d5343f6d2cc1ed <a href="ftp://ftp.proftpd.org/distrib/sources/proftpd-1.3.2e.tar.gz">proftpd-1.3.2e.tar.gz</a> ! 3951244f1940f0a40e8af142a9cf67fe <a href="ftp://ftp.proftpd.org/distrib/sources/proftpd-1.3.3.tar.bz2">proftpd-1.3.3.tar.bz2</a> ! 
97ad29f31f4fe633a9f8d021bab2df20 <a href="ftp://ftp.proftpd.org/distrib/sources/proftpd-1.3.3.tar.gz">proftpd-1.3.3.tar.gz</a> </pre> --- 11,16 ---- 018e0eb1757d9cea2a0e17f2c9b1ca2d <a href="ftp://ftp.proftpd.org/distrib/sources/proftpd-1.3.2e.tar.bz2">proftpd-1.3.2e.tar.bz2</a> 4ecb82cb1050c0e897d5343f6d2cc1ed <a href="ftp://ftp.proftpd.org/distrib/sources/proftpd-1.3.2e.tar.gz">proftpd-1.3.2e.tar.gz</a> ! 55ae8b32c9f5c00340188b7094c36ffc <a href="ftp://ftp.proftpd.org/distrib/sources/proftpd-1.3.3a.tar.bz2">proftpd-1.3.3a.tar.bz2</a> ! 841205173526af20c120208d4ae9446d <a href="ftp://ftp.proftpd.org/distrib/sources/proftpd-1.3.3a.tar.gz">proftpd-1.3.3a.tar.gz</a> </pre> *************** *** 40,61 **** <pre> ! <strong>proftpd-1.3.3.tar.bz2.asc</strong> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) ! iEYEABECAAYFAkuFajoACgkQt46JP6URl2ofMgCgwRGr6uIeypVlmuem8/Agxc/Q ! L9QAn0fNQ6qzt3Th1MLHI6CEobkUvFCA ! =kRcc -----END PGP SIGNATURE----- </pre> <pre> ! <strong>proftpd-1.3.3.tar.gz.asc</strong> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) ! iEYEABECAAYFAkuFakAACgkQt46JP6URl2pgqwCfRBdul/Rt6REHJ6fqVBBhinmm ! mwQAn1LtacIL9TEj+fRc1zICa9jD1/+7 ! =PNjF -----END PGP SIGNATURE----- </pre> --- 40,61 ---- <pre> ! <strong>proftpd-1.3.3a.tar.bz2.asc</strong> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) ! iEYEABECAAYFAkwssfUACgkQt46JP6URl2qazwCfRlEHMbLln01o057zvMCSQ4jA ! /LgAoND72xcNJKUzlhoHGJqIce89/LTw ! =QuDn -----END PGP SIGNATURE----- </pre> <pre> ! <strong>proftpd-1.3.3a.tar.gz.asc</strong> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) ! iEYEABECAAYFAkwssgAACgkQt46JP6URl2rehwCfe48fN8ny5D4xT0O+3y0Ibo0C ! gqYAoP1AzX9MPCTCPLxuYn0N5VSv0+7U ! =ax4f -----END PGP SIGNATURE----- </pre> |
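Review bot: the md5_pgp.epl hunk at lines 11-16 replaces the two 1.3.3 checksum lines with 1.3.3a ones, and the hunk at 40-61 replaces the 1.3.3 .asc signature blocks, while the 1.3.2e checksum lines are kept and the index.epl hunk leaves the "1.3.2e, 1.3.3 released" announcement in place; anyone still fetching proftpd-1.3.3.tar.* therefore has no published checksum or signature left to verify against. Consider keeping the 1.3.3 lines alongside the 1.3.3a ones, as was done for 1.3.2e. Since the page already publishes detached PGP signatures, the signature (rather than the MD5 sum, which is not collision resistant) should be presented as the authoritative check for a download.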
From: TJ S. <cas...@us...> - 2010-07-01 15:36:12
Update of /cvsroot/pdd/www.proftpd.org/include In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv14782/include Modified Files: header.epl Log Message: Updating website for 1.3.3a release. Index: header.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/include/header.epl,v retrieving revision 1.41 retrieving revision 1.42 diff -C2 -r1.41 -r1.42 *** header.epl 24 Feb 2010 18:20:37 -0000 1.41 --- header.epl 1 Jul 2010 15:36:02 -0000 1.42 *************** *** 18,29 **** <div id="menu"> <h1>Current Versions</h1> ! Stable: <strong>1.3.3</strong> <div class="indent"> ! <span class="nowrap">[ <a href="/docs/RELEASE_NOTES-1.3.3">RELEASE_NOTES</a> ]</span> </div> <div class="indent"> ! <span class="nowrap">[ <a href="/docs/NEWS-1.3.3">NEWS</a> ]</span> ! <span class="nowrap">[ <a href="ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.3.tar.gz">gz</a> ]</span> ! <span class="nowrap">[ <a href="ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.3.tar.bz2">bz2</a> ]</span> </div> Release Candidate: <strong>None</strong> --- 18,29 ---- <div id="menu"> <h1>Current Versions</h1> ! Stable: <strong>1.3.3a</strong> <div class="indent"> ! <span class="nowrap">[ <a href="/docs/RELEASE_NOTES-1.3.3a">RELEASE_NOTES</a> ]</span> </div> <div class="indent"> ! <span class="nowrap">[ <a href="/docs/NEWS-1.3.3a">NEWS</a> ]</span> ! <span class="nowrap">[ <a href="ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.3a.tar.gz">gz</a> ]</span> ! <span class="nowrap">[ <a href="ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.3a.tar.bz2">bz2</a> ]</span> </div> Release Candidate: <strong>None</strong> |
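Review bot: the two download links in the header.epl hunk use the path ftp://ftp.proftpd.org/distrib/source/..., whereas md5_pgp.epl in the same commit links to .../distrib/sources/...; one of the two directory names is presumably wrong, and since both files are being edited for 1.3.3a anyway this is the moment to make them agree (and to confirm the resulting URLs resolve), so that the download link and the checksum page point at the same file.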
From: TJ S. <cas...@us...> - 2010-07-01 15:36:12
Update of /cvsroot/pdd/www.proftpd.org/docs In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv14782/docs Added Files: NEWS-1.3.3a RELEASE_NOTES-1.3.3a Log Message: Updating website for 1.3.3a release. --- NEW FILE --- $Id: NEWS-1.3.3a,v 1.1 2010/07/01 15:36:02 castaglia Exp $ ----------------------------------------------------------------------------- More details on the bugs listed below can be found by using the bug number indicated in the following URL: http://bugs.proftpd.org/show_bug.cgi?id=N where `N' is the bug number. ----------------------------------------------------------------------------- 1.3.3a - Released 01-Jul-2010 -------------------------------- - Bug 3400 - Add Japanese translation. - Bug 3401 - mod_sftp does not compile with pre-0.9.7 OpenSSL. - Bug 3402 - mod_tls does not compile with pre-0.9.7 OpenSSL due to Bug#3349. - Bug 3403 - File upload followed by MLSD leads to wrong file size entries in TransferLog. - Bug 3405 - Multiple SFTPAuthorizedUserKeys stores causes segfault on 64-bit [...2280 lines suppressed...] - sendfile() deprecates politely on Linux 2.0.x. - AuthPAMAuthoritative now defaults to False. This should clear up any confusion on using PAM with AuthUserFile and friends. - Removed Bandwidth from the documentation. - Fixed a rare segfault in mod_auth. - Logging has changed slightly to be more informative and more consistent. All messages that get logged are now preceded with <virtualhost> (remote host[remote ip]). - mod_ldap for authentication against LDAP directories is now in place. - ftpwho/ftpcount -- a grammatical error corrected, and they now build as seperate binaries. - Fixed the 'no names, just UIDs' bug. - Added genuser.pl to facilitate AuthUserFile entry creation. - Umask now takes an optional second argument, specifying a directory umask. - Work around FreeBSD's broken setpassent(), and a new option to override this in fixed versions of FreeBSD's libc (--enable-force-setpassent). 
- Generate RPMs for both inetd and standalone versions of ProFTPD. - Added AuthUsingAlias to allow for more fine-grain control of anonymous logins. - Added support for 'TYPE L 8' and 'TYPE L 7' per RFC 959. --- NEW FILE --- 1.3.3 Release Notes ------------------------ This file contains a description of the major changes to ProFTPD for the 1.3.3 release cycle, from the 1.3.3rc1 release to the 1.3.3 maintenance releases. More information on these changes can be found in the NEWS and ChangeLog files. 1.3.3a --------- + Added Japanese translation + Many mod_sftp bugfixes + Fixed SSL_shutdown() errors caused by OpenSSL 0.9.8m and later + Fixed handling of utmp/utmpx format changes on FreeBSD 1.3.3 --------- + Fixed mod_ban whitelisting using mod_ifsession. + Fixed per-user/group/class "HideFiles none" configurations. 1.3.3rc4 --------- + Fixed mod_tls compilation using OpenSSL installations older than 0.9.7. + Fixed mod_sftp compilation on AIX. + Fixed RADIUS authentication on 64-bit platforms + Fixed memory leak in SCP downloads. + New configuration directives SQLPasswordUserSalt The SQLPasswordUserSalt directive can be used to configure per-user salt data to be added to the encrypted password for a user. The salt can be the user name, or it can be the result of a SQL query. More information can be found in doc/contrib/mod_sql_passwd.html#SQLPasswordUserSalt. 1.3.3rc3 --------- + Added Taiwan translation. + Added support in mod_sftp for the following SFTP extensions: check-file copy-file vendor-id version-select pos...@op... fst...@op... st...@op... + Added a workaround in mod_tls to deal with the vulnerability found in SSL/TLS protocol during renegotiation (CVE-2009-3555). 
Good descriptions of this vulnerability can be found here: http://extendedsubset.com/?p=8 http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html The workaround implemented in mod_tls (Bug#3324) is one of the suggested mitigation approaches: the server now refuses all client-initiated SSL/TLS session renegotiations. + Updated to the bundled libtool to 2.2.4 (plus patch) to deal with a libtool vulnerability (CVE-2009-3736). + Added support for SHA256 and SHA512 passwords to the mod_sql_passwd module. + New configuration directives SFTPExtensions The SFTPExtensions directive can be used to selectively enable/disable mod_sftp's support for specific SFTP extensions. See doc/contrib/mod_sftp.html#SFTPExtensions for more details. + Changed configuration directives CapabilitiesSet The CAP_FOWNER capability can now be explicitly requested when using the mod_cap module: <IfModule mod_cap.c> CapabilitiesSet +CAP_FOWNER </IfModule> For operations allowed on files, this capability overrides the restriction that the file owner ID must match the process user ID. 1.3.3rc2 --------- + When handling .ftpaccess files, proftpd was merging them into the main configuration such that the .ftpaccess files configurations would override the main configuration. This was never the intended behavior, and has been fixed (Bug#3279). However, this does mean that sites which use .ftpaccess files may see a change in the behavior of their proftpd. + Changed scoreboard format (Bug#3286), need for "ServerType inetd" server to manually delete their old ScoreboardFiles. Otherwise they will see "error opening scoreboard: bad version (too old)" errors. + Changed SQL connection policy (Bug#3290). Important for clients which connect but don't authenticate (e.g. mod_ban, mod_dnsbl, mod_wrap2_sql, etc which will reject connected clients prior to authentication); saves on unnecessary database connections in such cases. 
For sites which require the old behavior, there is a new "PERCONNECTION" connection policy. NOTE: If you are using mod_sql for logging purposes only, e.g. you have the following in your mod_sql config: SQLEngine log then this connection policy change may affect you. If the database connection is opened after a chroot has occurred (via DefaultRoot or <Anonymous> login), the database connection may fail. And since now the connection is delayed until first use, and the first use for logging may occur after the chroot, the logging may fail. For such sites, then, you will need to use the "PERCONNECTION" connection policy explicitly. + Support for "implicit" FTPS. To enable this, use: TLSOptions UseImplicitSSL WARNING: Using this setting will cause mod_tls to handle ALL connections to the vhost as implicit FTPS connections. It is NOT possible to support both plain FTP (or explicit FTPS) clients AND implicit FTPS clients on the same address/port. Therefore this setting should ONLY ever be used in order to support braindead/broken FTPS clients, and then only for as long as it takes to fix/replace those broken clients. Note that "implicit" FTPS was explicitly DROPPED from the RFC which defines FTP over SSL/TLS; the only clients which use this feature are outdated clients based on older, now-invalidated versions of the specification. Please update your FTPS clients to one which uses explicit FTPS as soon as possible. + Re-enable turning off the Nagle algorithm; this drastically helps speed up transfers of multiple small files. + New modules mod_sql_passwd This module supports MD5 and SHA1 passwords, encoding using base64 or hex, from SQL tables. See doc/contrib/mod_sql_passwd.html for details. + New configuration directives AuthUnixOptions In Bug#1896, support for checking some AIX-specific functions for whether a login should be accepted was added; this happens only on AIX server, of course. 
However, some AIX admins like to configure "rlogin=false", yet still want to allow FTP logins. To enable this specific behavior, a new AuthUnixOptions directive was added, with a setting which is only honored on AIX: AuthUnixOptions aixNoRLogin If this setting is used on any other server, it is silently ignored. Bug#3300 has the full details. + Changed configuration directives ExtendedLog You can now disable logging in an <Anonymous> section to an ExtendedLog which was opened outside of the <Anonymous> section, i.e.: ExtendedLog /path/to/ext.log ALL <Anonymous /path/to/anon> ... ExtendedLog /path/to/anon-ext.log ALL # Disable the logging to the higher-level ExtendedLog by # configuring again here, but changing the command class to 'NONE' ExtendedLog /path/to/ext.log NONE ... </Anonymous> HiddenStores The HiddenStores directive can now be used to customize and change the prefix which is prepended to the HiddenStore files. The default prefix is ".in.", but if you wish to use a different prefix for any reason, you can use something like: HiddenStores foo This will cause the prefix to be ".foo.". SQLOptions When the connection to the database is lost, mod_sql now will try only once to automatically reconnect (if such reconnect functionality is supported by the database, e.g. MySQL or Postgres). To disable this reconnect behavior, there is a new "noReconnect" SQLOptions setting: SQLOptions noReconnect See Bug#3270 for the full details of this behavior change. It should be transparent for most sites. 1.3.3rc1 --------- + Added French, Bulgarian, Korean translations. + RPM 4.2 or later is required by the proftpd.spec file provided in the distribution. + If the --localstatedir configure option is used, proftpd's build system used to automatically append "/proftpd" to the configured path. This behavior has been fixed; proftpd's build system will now use the configured --localstatedir path as is. 
Note that this may cause issues if you have an existing build script for compling proftpd; the expected locations of files under the --localstatedir path will change. + New command-line options: The -S, --serveraddr command-line option has been added. This option can be used to specify the IP address of the host machine. By default, proftpd attempts to resolve the host IP address by using DNS resolution of the hostname. However, in cases where DNS is not configured for the host machine, this approach does not work. To specify the desired IP address, use -S when starting proftpd, e.g.: /usr/local/sbin/proftpd -S 1.2.3.4 ... And if you want proftpd to listen on all interfaces, you can specify a wildcard socket using an IP address of 0.0.0.0: /usr/local/sbin/proftpd -S 0.0.0.0 ... + New modules: mod_exec This module enables execution of external scripts based on actions/events during a session. See doc/contrib/mod_exec.html for details. mod_sftp This module implements the SSH2, SFTP, and SCP protocols. See doc/contrib/mod_sftp.html for more information. mod_sftp_pam This module uses PAM to provide a 'keyboard-interactive' SSH2 authentication method for mod_sftp. More information can be found in the documentation for mod_sftp_pam, in doc/contrib/mod_sftp_pam.html. mod_sftp_sql This module uses SQL (via mod_sql) for looking up authorized SSH2 public keys for user and hostbased authentication. More information is available in doc/contrib/mod_sftp_sql.html. mod_shaper This module can be used to provide data transfer rate "shaping" across the entire server. See the documentation at doc/contrib/mod_shaper.html. mod_tls_shmcache This module provides an external SSL session cache using shared memory; see the TLSSessionCache configuration directive. More information on this module can be found in doc/contrib/mod_tls_shmcache.html. 
+ New configuration directives: RewriteHome The RewriteHome directive can be used to support rewriting the home directory for a user, based on regular expression rules. One such use case is where some portion of the home directory is retrieved e.g. from an LDAP directory, but you need to apply some custom prefix to the LDAP attribute. To enable this feature, first you need to add the following to your proftpd.conf: RewriteHome on Next, you need to configure the mod_rewrite rules for rewriting your home directory; this feature depends on mod_rewrite for the rewriting. The pseudo-command used by mod_rewrite for rewriting home directories is "REWRITE_HOME". Thus would you use: <IfModule mod_rewrite.c> RewriteEngine on RewrlteLog /path/to/rewrite.log RewriteCondition %m REWRITE_HOME RewriteRule (.*) /my/new/prefix$1 </IfModule> ScoreboardScrub The ScoreboardScrub directive can be used to turn on/off proftpd's periodic "scrubbing" of its ScoreboardFile, where the ScoreboardFile is scanned for entries of dead sessions: ScoreboardScrub on|off|secs Note that if scoreboard scrubbing is turned off, the ScoreboardFile can still be scrubbed on demand, either by using mod_ctrls_admin's "ftpdctl scoreboard scrub" action, or by using the new ftpscrub command-line utility. TLSControlsACLs With the addition of support for external session caches, the mod_tls module now supports some ftpdctl actions for interacting with those session caches. The TLSControlsACLs directive can be used to configure ACLs for the ftpdctl actions supported by mod_tls, and is analogous to other ACLs directives for other modules which support ftpdctl actions. TLSPKCS12File The TLSPKCS12File directive of the mod_tls module is used to configure mod_tls to use the certificate and private key contained in the indicated PKCS#12 file. Some sites already use PKCS#12 files for containing their other certificates, and thus find it useful to have PKCS#12 support in mod_tls. 
TLSSessionCache The TLSSessionCache directive configures an external SSL session cache, which can be used for storing and shared SSL sessions across multiple processes. An external SSL session cache is an optional facility which speeds up parallel FTPS session connections. See doc/contrib/mod_tls.html#TLSSessionCache for more information. + Changed configuration directives: AllowOverride This directive no longer supports the optional user/group/class parameters. If you wish to have per-user/group/class conditional use of the AllowOverride directive, you will need to use the mod_ifsession module. For example, instead of: AllowOverride off user !admin you will need to use: <IfUser admin> AllowOverride on </IfUser> <IfUser !admin> AllowOverride off </IfUser> Note that the "!admin" section is necessary. If you set "AllowOverride off" unconditionally, then use a mod_ifsession context, you would end up with two AllowOverride settings, and the code might not be able to distinguish properly which setting to use. Thus you need to make both the "on" and "off" cases conditional, and mutually exclusive. Configurations which use the user/group/class conditional parameters to AllowOverride will now generate configuration errors. BanOnEvent The BanOnEvent directive of the mod_ban module now supports TimeoutLogin events. <VirtualHost> You can now specify an IP address of "0.0.0.0" in a <VirtualHost> definition. IdentLookups The default IdentLookups value is now 'off'. The RFC1413 IDENT lookup adds latency to the login process, so much so that it is a FAQ to configure "IdentLookups off". In addition, the IDENT protocol is not secure; it can easily be spoofed using man-in-the-middle attacks. Sites that require IDENT lookups must now explicitly configure "IdentLookups on". Note that in order to use IdentLookups, you must compile proftpd with the mod_ident module. If you use the --disable-ident configure option, then proftpd will not recognize the IdentLookups directive. 
Thus in your proftpd.conf, you should use something like: <IfModule mod_ident.c> IdentLookups on </IfModule> if you want to use RFC1413 lookups. LogFormat, SQLNamedQuery There is a new variable, %{protocol}, which describes the protocol that the client is using. This variable can have values of "ftp", "ftps", "ssh2", "sftp", and "scp". Note that for SSH2 connections, the value will be "ssh2" until SFTP or SCP channels are opened; this means that during login, the %{protocol} value will be "ssh2". There is also a new %w variable which is only valid for RNTO commands. The %w value will be the original name of the file being renamed (mnemonic: "whence" a renamed file comes). RewriteCondition, RewriteRule Use of environment variables in mod_rewrite rules is now supported via the "%{ENV:var}" syntax. SQLGroupInfo The SQLGroupInfo now supports custom queries for retrieve group information. Note that instead of a single custom query, several different queries are needed; different lookups are called for depending on the situation and configuration of mod_sql (e.g. using the 'groupset' or 'groupsetfast' SQLAuthenticate parameters). See doc/contrib/mod_sql.html#SQLGroupInfo and doc/howto/SQL.html#SQLUsersetfast for more details. SQLUserInfo The support for custom SQLUserInfo queries has been extended to support custom queries to be used when the 'userset' or 'usersetfast' SQLAuthenticate parameters are used. For more information, see doc/contrib/mod_sql.html#SQLUserInfo and doc/howto/SQL.html#SQLUsersetfast. TLSOptions The NoSessionReuseRequired option has been added. As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections that reuse the SSL session of the control connection, as a security measure. Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions. To relax the requirement that the SSL session from the control connection be reused for data connections, use the following in the proftpd.conf: <IfModule mod_tls.c> ... 
TLSOptions NoSessionReuseRequired ... </IfModule> TLSRequired The TLSRequired directive can now be used in <Directory> sections and in .ftpaccess files. When used in these configuration contexts, only the TLSRequired values that require SSL/TLS protection on data transfers are honored. With this, it is now possible to mark specific files or directories as requiring SSL/TLS protection to be accessed via data transfer. TransferLog The "service-name" field of the TransferLog usually contains just "ftp". In order to support TransferLogs for SFTP and SCP transfers, the service-name field of the TransferLog format may now show "sftp" or "scp". It may also show "ftps" instead of "ftp", if the data transfer occurred while the client is using FTP over SSL/TLS. NOTE: This change, while correct, may cause issues for log parsers. + Deprecated configuration directives: AnonymousGroup Support for this directive has been removed. + Developer Notes If you are a module developer, then you will want to know of the following API/internals changes: * The original USER value sent by the client is no longer stored in the config tree. That is, the following no longer works: user = get_param_ptr(main_server->conf, C_USER, FALSE); Instead, the original USER value is stashes in the session.notes table. Thus the above line of code can be replaced with: user = pr_table_get(session.notes, "mod_auth.orig-user", NULL); A similar change occurred for the anonymous "password" sent, but this will probably not apply to most modules. Last Updated: $Date: 2010/07/01 15:36:02 $ |
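Review bot: in the RELEASE_NOTES-1.3.3a file, the RewriteHome example configuration contains "RewrlteLog /path/to/rewrite.log" (lowercase l for i); a reader who pastes that block will get an unknown-directive error at startup, so it should read "RewriteLog". The TLSOptions NoSessionReuseRequired entry in the same file explains how to relax the session-reuse check for clients such as curl but not what the check protects against; one sentence noting that requiring reuse stops an unrelated TLS client from attaching to a data connection would help administrators weigh the trade-off. Minor wording in the new files: "Thus would you use:", "compling proftpd", "retrieve group information" (for "retrieving"), "the original USER value is stashes" (for "is stashed"), and "seperate binaries" in NEWS-1.3.3a. These files are the release's user-facing documentation, so it is worth fixing them here before mirrors pick them up.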
From: John M. <jw...@us...> - 2010-06-29 14:44:01
Update of /cvsroot/pdd/www.proftpd.org In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv25513 Modified Files: wwwmirror.epl Log Message: update Index: wwwmirror.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/wwwmirror.epl,v retrieving revision 1.118 retrieving revision 1.119 diff -C2 -r1.118 -r1.119 *** wwwmirror.epl 12 May 2010 13:21:54 -0000 1.118 --- wwwmirror.epl 29 Jun 2010 14:43:52 -0000 1.119 *************** *** 30,34 **** <a href="http://www.bg.proftpd.org/">bg</a> <a href="http://www.cz.proftpd.org/">cz</a> - <a href="http://www.de.proftpd.org/">de</a> <a href="http://www.ie.proftpd.org/">ie</a> <a href="http://www.il.proftpd.org/">il</a> --- 30,33 ---- *************** *** 205,219 **** </p> <p> - <a href="http://www20.de.proftpd.org">http://www20.de.proftpd.org/</a> - <br /> - <a href="http://proftpd.online-mirror.de/">http://proftpd.online-mirror.de/</a> - <br /> - - Location: Germany (Cologne, Germany) - <br /> - - Maintained by: Michael Weber<br /> - </p> - <p> <a href="http://www1.se.proftpd.org">http://www1.se.proftpd.org/</a> <br /> --- 204,207 ---- |
From: TJ S. <cas...@us...> - 2010-06-21 17:38:35
Update of /cvsroot/pdd/www.proftpd.org/docs/contrib In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv27946 Modified Files: mod_sftp.html Log Message: Updating website's copy of the mod_sftp doc. Index: mod_sftp.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/contrib/mod_sftp.html,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -r1.2 -r1.3 *** mod_sftp.html 21 Apr 2010 18:16:28 -0000 1.2 --- mod_sftp.html 21 Jun 2010 17:38:24 -0000 1.3 *************** *** 88,91 **** --- 88,93 ---- <li>SFTP extensions: check-file, copy-file, vendor-id, version-select, pos...@op..., st...@op..., fst...@op... </ul> + This module supports the SFTP and SCP file transfer protocols; it does + <b>not</b> support shell access. <p> *************** *** 1195,1200 **** <li><a href="http://www.enterprisedt.com/products/edtftpj/">edtFTPj</a> </ul> ! For these clients, use this configuration (supported in ProFTPD 1.3.4rc1 and ! later) to disable the optimization: <pre> <font color=green># Disable the KEXINIT optimization at the cost of latency</font> --- 1197,1201 ---- <li><a href="http://www.enterprisedt.com/products/edtftpj/">edtFTPj</a> </ul> ! For these clients, use this configuration to disable the optimization: <pre> <font color=green># Disable the KEXINIT optimization at the cost of latency</font> *************** *** 1604,1607 **** --- 1605,1666 ---- of the session. + <p><a name="SFTPShell"> + <font color=red>Question</font>: Why can't I use <code>ssh</code> to connect + to my proftpd+mod_sftp server? When I try, I see: + <pre> + # ssh <i>user</i>@<i>host</i> + Enter passphrase for key '/home/<i>user</i>/.ssh/id_rsa': + PTY allocation request failed on channel 0 + shell request failed on channel 0 + </pre> + <font color=blue>Answer</font>: The <code>mod_sftp</code> module supports + file transfers via SFTP and SCP. 
It does <b>not</b> support shell access, + which is what the <code>ssh</code> command-line client tries to use. The + above error messages from <code>ssh</code> show that <code>mod_sftp</code> + refused the shell access requests. + + <p><a name="SFTPTectiaHostKey"> + <font color=red>Question</font>: When I try to start proftpd with + <code>mod_sftp</code> configured to use my existing host key, it fails with + one of the following error messages: + <pre> + error reading passphrase for SFTPHostKey '<i>hostkey</i>': Invalid argument + error reading passphrase for SFTPHostKey '<i>hostkey</i>': (unknown) + </pre> + The permissions on my hostkey are fine, and it is not passphrase-protected. + Is this a bug?<br><br> + <font color=blue>Answer</font>: You are probably trying to use a host key + generated by Tectia's SSH software (or an older <code>ssh.com</code> host key). + + <p> + The <code>mod_sftp</code> module expects the configured + <code>SFTPHostKey</code> file to be in the same format as used by OpenSSH. + To check the format, run this command: + <pre> + # grep BEGIN <i>hostkey</i> + </pre> + If you see either of the following lines: + <pre> + -----BEGIN RSA PRIVATE KEY----- + -----BEGIN DSA PRIVATE KEY----- + </pre> + then the format should be correct. If instead you see: + <pre> + ---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ---- + </pre> + then the format is incorrect. The above line indicates that your host key + was generated by Tectia (<i>nee</i> <code>ssh.com</code>), and needs to + be converted to a different format. + + <p> + To convert the format of your Tectia host key, use OpenSSH's + <code>ssh-keygen</code> (<b>not</b> Tectia's <code>ssh-keygen</code>) and + do the following: + <pre> + # ssh-keygen -i -f <i>hostkey</i> > /path/to/new-file + </pre> + The configure your <code>SFTPHostKey</code> directive with the path to the + new file. + <p> <hr><br> |
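Review bot: the Tectia host key conversion step "ssh-keygen -i -f hostkey > /path/to/new-file" writes the converted private key through a shell redirection, so the new file is created with the user's umask (commonly 0644, world-readable) rather than the restrictive mode the original host key had; the FAQ should tell the reader to set a restrictive umask first or chmod 600 the new file before pointing SFTPHostKey at it. Minor: "The configure your <code>SFTPHostKey</code> directive" should read "Then configure your ...", and the new <a name="SFTPShell"> and <a name="SFTPTectiaHostKey"> anchors are never closed with </a>.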
From: TJ S. <cas...@us...> - 2010-06-15 14:47:25
Update of /cvsroot/pdd/www.proftpd.org/docs In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv1618 Modified Files: rfc.epl Log Message: Some updates regarding FTP-related RFCs. This page still needs some work. Index: rfc.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/rfc.epl,v retrieving revision 1.7 retrieving revision 1.8 diff -C2 -r1.7 -r1.8 *** rfc.epl 12 Jun 2005 15:48:49 -0000 1.7 --- rfc.epl 15 Jun 2010 14:47:16 -0000 1.8 *************** *** 8,13 **** closely related to the FTP protocol.</p> ! <p> ProFTPD 1.2 conforms to the FTP protocol standard as defined in RFC-959 ! (STD-9) and RFC-1123 (STD-3). It also implements RFC-2389 ("Feature negotiation mechanism for the File Transfer Protocol"). All the required commands are implemented, as are most of the optional commands appropriate --- 8,13 ---- closely related to the FTP protocol.</p> ! <p> ProFTPD 1.3.<i>x</i> conforms to the FTP protocol standard as defined in ! RFC-959 (STD-9) and RFC-1123 (STD-3). It also implements RFC-2389 ("Feature negotiation mechanism for the File Transfer Protocol"). All the required commands are implemented, as are most of the optional commands appropriate *************** *** 15,42 **** However, the ACCT (Account) command is not implemented.</p> ! <p>ProFTPD 1.2 implements the extended protocol commands MDTM (Modification ! Time) and size, and extends the REST (Restart) command to STREAM mode ! transfers. These extensions are for resuming interrupted file transfers and ! represent common existing practice, which is being codified in the IETF ! Draft "Extensions to FTP."</p> ! ! <p>Future plans for ProFTPD include the gradual implementation of the recent ! standards track RFCs developed by the IETF CAT and FTPEXT Working Groups. It ! is likely that attention will first focus on RFC-2228 "FTP Security ! Extensions", and the MLST and MLSD commands from the IETF Draft "Extensions ! to FTP." 
RFC-2640 "Internationalization of the File Transfer Protocol" also ! may receive early attention.</p> ! ! <p>The <a href="http://www.ietf.org/html.charters/cat-charter.html">IETF ! Common Authentication Technology (CAT) Working Group </a> has produced ! RFC-2228 and RFC-2773. The CAT WG has produced numerous other RFCs about ! various authentication and authorization topics, including Kerberos-5, SASL ! and GSS-API.</p> ! ! <p>The <a href="http://www.ietf.org/html.charters/ftpext-charter.html"> ! IETF Extensions to FTP (FTPEXT) Working Group</a> has produced RFC-2389, ! RFC-2428, RFC-2577, RFC-2640, and the "Extensions to FTP" Internet Draft, ! draft-ietf-ftpext-mlst-12.txt.</p> ! <hr /> <a name="rfcsummaries"></a> --- 15,29 ---- However, the ACCT (Account) command is not implemented.</p> ! <p>ProFTPD 1.3.<i>x</i> implements the extended protocol commands MDTM ! (Modification Time) and size, and extends the REST (Restart) command to STREAM ! mode transfers. These extensions are for resuming interrupted file transfers and ! represent common existing practice, now codified in RFC-3659 "Extensions to FTP."</p> ! ! <p>In addition, ProFTPD 1.3.<i>x</i> implements other commands from RFC-3659, ! and supports RFC-2428 "FTP Extensions for IPv6 and NATs". RFC-2650 ! "Internationaliztion of FTP" is optionally supported via the ! <code>mod_lang</code> module. An implementation of RFC-4217 "Securing FTP ! with TLS" is available in the <code>mod_tls</code> module. ! <hr /> <a name="rfcsummaries"></a> |
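Review bot: the RFC reference in the new paragraph of the 15,42 hunk contradicts the text it replaces. The removed lines cite `RFC-2640 "Internationalization of the File Transfer Protocol"`, while the added line reads `RFC-2650 "Internationaliztion of FTP"`; RFC 2640 is the FTP internationalization document, so the number should stay 2640 and the title be spelled "Internationalization". The same added paragraph is also never closed: `<code>mod_tls</code> module.` runs straight into `<hr />`, so a `</p>` belongs before the rule, as in the other paragraphs of this hunk. While the MDTM sentence is being touched, `size` should be `SIZE` to match the other command names.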
From: John M. <jw...@us...> - 2010-05-12 13:54:12
Update of /cvsroot/pdd/www.proftpd.org In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv31138 Modified Files: wwwmirror.epl Log Message: update Index: wwwmirror.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/wwwmirror.epl,v retrieving revision 1.117 retrieving revision 1.118 diff -C2 -r1.117 -r1.118 *** wwwmirror.epl 17 Apr 2010 13:42:50 -0000 1.117 --- wwwmirror.epl 12 May 2010 13:21:54 -0000 1.118 *************** *** 205,219 **** </p> <p> - <a href="http://www4.ar.proftpd.org">http://www4.ar.proftpd.org/</a> - <br /> - <a href="http://proftpd.patan.com.ar">http://proftpd.patan.com.ar</a> - <br /> - - Location: Argentina (Buenos Aires, Argentina) - <br /> - - Maintained by: John Knoll<br /> - </p> - <p> <a href="http://www20.de.proftpd.org">http://www20.de.proftpd.org/</a> <br /> --- 205,208 ---- |
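Review bot: the log message "update" does not record what changed. The single hunk (205,219) drops the `http://www4.ar.proftpd.org` mirror entry (Buenos Aires, maintained by John Knoll); saying so in the commit message, and checking whether the `ar` link in the country index at the top of the page still has other mirrors behind it, would make this removal traceable later.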
From: TJ S. <cas...@us...> - 2010-04-21 18:16:40
Update of /cvsroot/pdd/www.proftpd.org/docs/contrib In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv24823 Modified Files: mod_sftp.html Log Message: Update the mod_sftp docs on the website. Index: mod_sftp.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/contrib/mod_sftp.html,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -r1.1 -r1.2 *** mod_sftp.html 24 Feb 2010 19:08:55 -0000 1.1 --- mod_sftp.html 21 Apr 2010 18:16:28 -0000 1.2 *************** *** 93,99 **** <ul> <li><code><Anonymous></code> - <li><code>DirFakeUser/DirFakeGroup</code> <li><code>MaxRetrieveFileSize/MaxStoreFileSize</code> - <li><code>UserOwner</code>, <code>GroupOwner</code> </ul> --- 93,97 ---- *************** *** 751,754 **** --- 749,761 ---- have <code>mod_sftp</code> silently ignore any permissions sent by the SCP client, use this option. + + <p> + <li><code>PessimisticKexinit</code><br> + <p> + As described <a href="#SFTPTelnetBanner">here</a>, the <code>mod_sftp</code> + module tries to reduce the connection latency by optimistically sending + the <code>KEXINIT</code> key exchange message. However, some SSH clients + cannot handle this behavior. Use this option to disable the optimistic + sending of the <code>KEXINIT</code> message. </ul> *************** *** 1145,1148 **** --- 1152,1205 ---- that are used for authentication. + <p><a name="ClientIssues"></a> + <b>Known Client Issues</b><br> + The following lists some of the various client interoperability issues that + have been encountered, and how to address them. + + <p> + <i>SSH Channel Window Sizes</i><br> + Some SFTP client implementations do not support the large SSH channel window + size that the <code>mod_sftp</code> module uses by default. 
These clients + include: + <ul> + <li><a href="http://www.ipswitch.com/WS_FTP">WS_FTP Pro</a> + <li>OpenSSH 3.0 and older + </ul> + This <a href="#SFTPBadWindowSize">FAQ</a> describes the configuration to use + for such clients. + + <p> + <i>SFTP Protocol Versions</i><br> + Some SFTP clients do not properly handle some of the newer SFTP protocol + versions. These clients include: + <ul> + <li><a href="http://winscp.net/">WinSCP</a> + <li><a href="http://www.cuteftp.com/products/ftp_clients.aspx">CuteFTP</a> + </ul> + For these clients, use a + <a href="#SFTPClientMatch"><code>SFTPClientMatch</code></a> rule to restrict + the SFTP protocol versions offered by the <code>mod_sftp</code> module, + <i>e.g.</i>: + <pre> + <font color=green># Only support SFTP protocol version 1 through 3 for WinSCP and CuteFTP</font> + SFTPClientMatch WinSCP|ClientSftp sftpProtocolVersion 1-3 + </pre> + + <p> + <i><code>KEXINIT</code> Optimization</i><br> + Some SFTP clients do not like this + <a href="#SFTPTelnetBanner">KEXINIT optimization</a> that the + <code>mod_sftp</code> module uses. These clients include: + <ul> + <li><code>Net::SSH::Perl</code>, <code>Net::SFTP</code> Perl modules + <li><a href="http://www.enterprisedt.com/products/edtftpj/">edtFTPj</a> + </ul> + For these clients, use this configuration (supported in ProFTPD 1.3.4rc1 and + later) to disable the optimization: + <pre> + <font color=green># Disable the KEXINIT optimization at the cost of latency</font> + SFTPOptions PessimisticKexinit + </pre> + <p> <b>FIPS Compliance</b><br> *************** *** 1357,1361 **** </pre> <font color=blue>Answer</font>: The issue, in short, involves that "-1" value ! you see, and the particular client implementation in question. <p> --- 1414,1419 ---- </pre> <font color=blue>Answer</font>: The issue, in short, involves that "-1" value ! you see, and the particular client implementation in question. (The example ! error above is from an old OpenSSH client.) 
<p> *************** *** 1370,1373 **** --- 1428,1442 ---- <p> + As another example, the <a href="http://www.ipswitch.com/WS_FTP">WS_FTP Pro</a> + client has this same problem; in the client, you will see something like + the following error: + <pre> + Started subsystem "sftp" on channel 0760a2ce + error 84350000 initializing sftp protocol + Sending channel close message for channel 0760a2ce + SSH Transport closed. + </pre> + + <p> There are two approaches for handling such cases. You can use the <a href="#SFTPClientMatch"><code>SFTPClientMatch</code></a> directive to *************** *** 1411,1414 **** --- 1480,1505 ---- used for the SFTP/SCP sessions, <i>etc</i>. + <p><a name="SFTPAndFTP"> + <font color=red>Question</font>: How can I configure <code>proftpd</code> + so that it can handle both FTP and SFTP at the same time?<br> + <font color=blue>Answer</font>: The key to doing this is to create a + <code><VirtualHost></code> section just for the <code>mod_sftp</code> + configuration, listening on the address and port that you wish, <i>e.g.</i>: + <pre> + # The FTP configuration + DefaultAddress <i>a.b.c.d</i> + Port 21 + + <IfModule mod_sftp.c> + <VirtualHost <i>a.b.c.d</i>> + # The SFTP configuration + Port 22 + + SFTPEngine on + ... + </VirtualHost> + </IfModule> + </pre> + <p><a name="SFTPOnly"> <font color=red>Question</font>: How can I configure <code>proftpd</code> *************** *** 1488,1491 **** --- 1579,1607 ---- in your <code>mod_sftp</code> configuration. + <p><a name="SFTPOwner"> + <font color=red>Question</font>: I use <code>UserOwner</code> and + <code>GroupOwner</code> in my <code>mod_sftp</code> configuration, but they + are not being applied properly. Is this a bug?<br> + <font color=blue>Answer</font>: No. + + <p> + By default, the <code>mod_sftp</code> module drops root privileges as soon + as it can, which is just after the user has been authenticated. 
Without + root privileges, <code>mod_sftp</code> cannot change the ownership of files + uploaded via SFTP/SCP as per <code>UserOwner</code>/<code>GroupOwner</code> + settings. + + <p> + In ProFTPD 1.3.4rc1, honoring of the <code>UserOwner</code> and + <code>GroupOwner</code> directives was added to the <code>mod_sftp</code> + module. <b>However</b>, you will <i>also</i> need to add the following to your + <code>mod_sftp</code> configuration to make them work properly: + <pre> + RootRevoke off + </pre> + This explicitly tells the <code>mod_sftp</code> to <b>not</b> drop root + privileges after authentication, and instead to keep them for the duration + of the session. + <p> <hr><br> |
From: John M. <jw...@us...> - 2010-04-17 13:43:00
Update of /cvsroot/pdd/www.proftpd.org In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv17198 Modified Files: wwwmirror.epl Log Message: update Index: wwwmirror.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/wwwmirror.epl,v retrieving revision 1.116 retrieving revision 1.117 diff -C2 -r1.116 -r1.117 *** wwwmirror.epl 23 Feb 2010 16:36:37 -0000 1.116 --- wwwmirror.epl 17 Apr 2010 13:42:50 -0000 1.117 *************** *** 32,35 **** --- 32,36 ---- <a href="http://www.de.proftpd.org/">de</a> <a href="http://www.ie.proftpd.org/">ie</a> + <a href="http://www.il.proftpd.org/">il</a> <a href="http://www.it.proftpd.org/">it</a> <a href="http://www.kr.proftpd.org/">kr</a> *************** *** 270,273 **** --- 271,285 ---- </p> <p> + <a href="http://www2.il.proftpd.org">http://www2.il.proftpd.org/</a> + <br /> + <a href="http://proftpd.interhost.co.il">http://proftpd.interhost.co.il</a> + <br /> + + Location: Israel (ISRAEL) + <br /> + + Maintained by: Dmitry Sherman<br /> + </p> + <p> <a href="http://www1.tw.proftpd.org">http://www1.tw.proftpd.org/</a> <br /> |
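Review bot: in the 270,273 hunk the new entry's location line reads `Location: Israel (ISRAEL)`, which breaks the "Country (City, Country)" pattern the other entries use (compare the Argentina entry removed elsewhere on this page, `Location: Argentina (Buenos Aires, Argentina)`); fill in the city and drop the capitals.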
From: TJ S. <cas...@us...> - 2010-04-08 23:00:03
Update of /cvsroot/pdd/www.proftpd.org/docs/howto In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv10499 Modified Files: CreateHome.html Log Message: Typo. Index: CreateHome.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/CreateHome.html,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -r1.2 -r1.3 *** CreateHome.html 5 Jan 2010 16:58:45 -0000 1.2 --- CreateHome.html 8 Apr 2010 22:59:54 -0000 1.3 *************** *** 100,105 **** <p> The <code>uid</code> and <code>gid</code> parameters can be used to set the ! ownership of the newly created parent directories, up to be <b>not</b> ! including the home directory. By default, those created parent directories are owned by root (UID 0 and GID 0). --- 100,105 ---- <p> The <code>uid</code> and <code>gid</code> parameters can be used to set the ! ownership of the newly created parent directories, up to <b>but not ! including</b> the home directory. By default, those created parent directories are owned by root (UID 0 and GID 0). |
From: TJ S. <cas...@us...> - 2010-04-05 16:20:44
Update of /cvsroot/pdd/www.proftpd.org/docs/contrib In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv14659 Modified Files: mod_tls.html Log Message: Updated mod_tls docs for website. Index: mod_tls.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/contrib/mod_tls.html,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -r1.2 -r1.3 *** mod_tls.html 5 Feb 2009 21:21:44 -0000 1.2 --- mod_tls.html 5 Apr 2010 16:20:33 -0000 1.3 *************** *** 24,28 **** <p> ! This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/). <p> --- 24,28 ---- <p> ! This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). <p> *************** *** 51,54 **** --- 51,55 ---- <li><a href="#TLSCertificateChainFile">TLSCertificateChainFile</a> <li><a href="#TLSCipherSuite">TLSCipherSuite</a> + <li><a href="#TLSControlsACLs">TLSControlsACLs</a> <li><a href="#TLSCryptoDevice">TLSCryptoDevice</a> <li><a href="#TLSDHParamFile">TLSDHParamFile</a> *************** *** 58,61 **** --- 59,63 ---- <li><a href="#TLSLog">TLSLog</a> <li><a href="#TLSOptions">TLSOptions</a> + <li><a href="#TLSPKCS12File">TLSPKCS12File</a> <li><a href="#TLSPassPhraseProvider">TLSPassPhraseProvider</a> <li><a href="#TLSProtocol">TLSProtocol</a> *************** *** 65,68 **** --- 67,71 ---- <li><a href="#TLSRSACertificateFile">TLSRSACertificateFile</a> <li><a href="#TLSRSACertificateKeyFile">TLSRSACertificateKeyFile</a> + <li><a href="#TLSSessionCache">TLSSessionCache</a> <li><a href="#TLSTimeoutHandshake">TLSTimeoutHandshake</a> <li><a href="#TLSVerifyClient">TLSVerifyClient</a> *************** *** 71,74 **** --- 74,84 ---- </ul> + <h2>Control Actions</h2> + <ul> + <li><a href="#tls_sesscache_clear"><code>tls sesscache clear</code></a> + <li><a href="#tls_sesscache_info"><code>tls sesscache info</code></a> + <li><a 
href="#tls_sesscache_remove"><code>tls sesscache remove</code></a> + </ul> + <hr> <h2><a name="TLSCACertificateFile">TLSCACertificateFile</a></h2> *************** *** 258,261 **** --- 268,278 ---- <p> + <b>Note</b>: If you use the <code>NoCertRequest</code> + <a href="#TLSOptions"><code>TLSOption</code></a>, then any configured + <code>TLSCertificateChainFile</code> directive will be ignored. It is a waste + of time to construct a certificate chain to send to the client if the server + does not request that the client send a certificate to be verified. + + <p> <hr> <h2><a name="TLSCipherSuite">TLSCipherSuite</a></h2> *************** *** 351,354 **** --- 368,407 ---- <p> <hr> + <h2><a name="TLSControlsACLs">TLSControlsACLs</a></h2> + <strong>Syntax:</strong> TLSControlsACLs <em>actions|"all" "allow"|"deny" "user"|"group" list</em><br> + <strong>Default:</strong> None<br> + <strong>Context:</strong> server config<br> + <strong>Module:</strong> mod_tls<br> + <strong>Compatibility:</strong> 1.3.3rc1 and later + + <p> + The <code>TLSControlsACLs</code> directive configures access lists of + <em>users</em> or <em>groups</em> who are allowed (or denied) the ability to + use the <em>actions</em> implemented by <code>mod_tls</code>. The default + behavior is to deny everyone unless an ACL allowing access has been explicitly + configured. + + <p> + If "allow" is used, then <em>list</em>, a comma-delimited list + of <em>users</em> or <em>groups</em>, can use the given <em>actions</em>; all + others are denied. If "deny" is used, then the <em>list</em> of + <em>users</em> or <em>groups</em> cannot use <em>actions</em> all others are + allowed. Multiple <code>TLSControlsACLs</code> directives may be used to + configure ACLs for different control actions, and for both users and groups. + + <p> + The <em>actions</em> provided by <code>mod_tls</code> are + "sesscache clear" , "sesscache info", and + "sesscache remove". 
+ + <p> + Examples: + <pre> + # Allow only user root to examine/update the external SSL session cache + TLSControlsACLs all allow user root + </pre> + + <p> + <hr> <h2><a name="TLSCryptoDevice">TLSCryptoDevice</a></h2> <strong>Syntax:</strong> TLSCryptoDevice <em>driver|"all"|"none"</em><br> *************** *** 419,423 **** If the contained private key is encrypted, the administrator will be prompted for the passphrase when the daemon starts up, and when the daemon ! is restarted. <p> --- 472,477 ---- If the contained private key is encrypted, the administrator will be prompted for the passphrase when the daemon starts up, and when the daemon ! is restarted. Alternatively, the <code>TLSPassPhraseProvider</code> ! directive can be used to supply a source for that passphrase. <p> *************** *** 514,517 **** --- 568,586 ---- The currently implemented options are: <ul> + <li><code>AllowClientRenegotiations</code><br> + <p> + The <code>mod_tls</code> will reject any SSL/TLS session renegotiation + attempts by the client, in order to mitigate any issues arising from the + <a href="http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html">SSL/TLS session renegotiation vulnerability</a> (CVE-2009-3555). + If, however, your particular site or clients absolutely require support + for client-initiated SSL/TLS session renegotiations, then this option + can be used. <b>Not recommended.</b> + + <p> + Note, however, that SSL/TLS session renegotiation requests that are + initiated by <code>mod_tls</code>, via the + <a href="#TLSRenegotiate"><code>TLSRenegotiate</code></a> directive, are + still handled (depending on the OpenSSL version). + <li><code>AllowDotLogin</code><br> <p> *************** *** 591,598 **** <p> Some FTP clients are known to be buggy when handling a server's certificate ! request. This option causes the server not to include such a request during an SSL handshake. 
<p> <li><code>StdEnvVars</code><br> <p> --- 660,686 ---- <p> Some FTP clients are known to be buggy when handling a server's certificate ! request. This option causes the server to <b>not</b> send such a request during an SSL handshake. <p> + <li><code>NoSessionReuseRequired</code><br> + <p> + As of ProFTPD 1.3.3rc1, <code>mod_tls</code> only accepts SSL/TLS data + connections that reuse the SSL session of the control connection, as a + security measure. Unfortunately, there are some clients (<i>e.g.</i> + curl) which do not reuse SSL sessions. + + <p> + To relax the requirement that the SSL session from the control connection + be reused for data connections, use the following in the proftpd.conf: + <pre> + <IfModule mod_tls.c> + ... + TLSOptions NoSessionReuseRequired + ... + </IfModule> + </pre> + + <p> <li><code>StdEnvVars</code><br> <p> *************** *** 721,725 **** <tr> ! <td><code>TLS_SERVER_S_DN_</code><i>x509<i></td> <td>Component of server certificate's Subject DN, where <i>x509</i> is a component of a X509 DN:<br> --- 809,813 ---- <tr> ! <td><code>TLS_SERVER_S_DN_</code><i>x509</i></td> <td>Component of server certificate's Subject DN, where <i>x509</i> is a component of a X509 DN:<br> *************** *** 766,769 **** --- 854,884 ---- <p> + <li><code>UseImplicitSSL</code><br> + <p> + This option will cause the <code>mod_tls</code> module to handle <b>all</b> + connections as if they are SSL connections implicitly; the client does + <i>not</i> need to send the <code>AUTH TLS</code> FTP command. This can + cause issues for FTPS clients which are expecting explicit FTPS, not + implicit FTPS. + + <p> + Thus if the <code>UseImplicitSSL</code> option is used, you will want to + have a separate <code><VirtualHost></code> section with + a different port number just for those clients which require/expect + implicit FTPS. 
For example: + <pre> + <IfModule mod_tls.c> + <VirtualHost a.b.c.d> + TLSEngine on + TLSOptions UseImplicitSSL + + # The "standard" implicit FTPS port is 990 + Port 990 + ... + </VirtualHost> + </IfModule> + </pre> + + <p> <li><code>dNSNameRequired</code><br> <p> *************** *** 793,796 **** --- 908,936 ---- <p> <hr> + <h2><a name="TLSPKCS12File">TLSPKCS12File</a></h2> + <strong>Syntax:</strong> TLSPKCS12File <em>file</em><br> + <strong>Default:</strong> None<br> + <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> + <strong>Module:</strong> mod_tls<br> + <strong>Compatibility:</strong> 1.3.3rc1 and later + + <p> + The <code>TLSPKCS12ile</code> directive points to the PKCS#12 file containing + the certificate file and its private key for the server. + + <p> + If the PKCS#12 file is protected with a passphrase, the administrator will + be prompted for the passphrase when the daemon starts up, and when the daemon + is restarted. Alternatively, the <code>TLSPassPhraseProvider</code> + directive can be used to supply a source for that passphrase. + + <p> + Example: + <pre> + TLSPKCS12File /etc/ftpd/server-cert.p12 + </pre> + + <p> + <hr> <h2><a name="TLSPassPhraseProvider">TLSPassPhraseProvider</a></h2> <strong>Syntax:</strong> TLSPassPhraseProvider <em>path</em><br> *************** *** 1056,1060 **** <p> - <p> The <code>TLSRSACertificateFile</code> directive points to the PEM-encoded file containing the RSA certificate file for the server and optionally also --- 1196,1199 ---- *************** *** 1064,1068 **** If the contained private key is encrypted, the administrator will be prompted for the passphrase when the daemon starts up, and when the daemon ! is restarted. <p> --- 1203,1208 ---- If the contained private key is encrypted, the administrator will be prompted for the passphrase when the daemon starts up, and when the daemon ! is restarted. Alternatively, the <code>TLSPassPhraseProvider</code> ! 
directive can be used to supply a source for that passphrase. <p> *************** *** 1104,1107 **** --- 1244,1293 ---- <p> <hr> + <h2><a name="TLSSessionCache">TLSSessionCache</a></h2> + <strong>Syntax:</strong> TLSSessionCache <em>type:/info [timeout]</em><br> + <strong>Default:</strong> None<br> + <strong>Context:</strong> server config<br> + <strong>Module:</strong> mod_tls<br> + <strong>Compatibility:</strong> 1.3.3rc1 and later + + <p> + The <code>TLSSessionCache</code> directive configures an external SSL session + cache, which can be used for storing and shared SSL sessions across multiple + processes. An external SSL session cache is an optional facility which speeds + up parallel FTPS session connections. + + <p> + Modern FTP clients often create multiple simultaneous connections to an FTP + server, for downloading different chunks of data in parallel. Each FTP + connection will be handled by a different server process, and each one + will be required to perform a full SSL/TLS handshake. By using an + external SSL session cache, a cached SSL session can be "resumed" by the + client, which avoids the expensive portions of the handshake. FTPS clients + which cache the SSL session locally can also attempt to resume that cached + session at a later date; if the server still has that same session cached, + the FTPS client can again avoid the expensive portions of the handshake and + resume its previous SSL session. + + <p> + If the <code>TLSSessionCache</code> directive is <i>not</i> used, then + OpenSSL's default internal SSL session caching will be used. Thus multiple + SSL sessions to the same server process (<i>e.g.</i> for FTP data transfers) + will benefit from the speedup, but parallel simultaneous FTP connections from + the same FTPS client will each need to perform the full SSL/TLS handshake. + + <p> + The <em>type</em> and <em>info</em> parameters all depend on the module + implementing the external SSL session cache being configured. 
For example, + for using a shared memory external SSL session cache, see the + <a href="mod_tls_shmcache.html"><code>mod_tls_shmcache</code></a> documentation. + + <p> + The optional <em>timeout</em> parameters sets the time-to-live, in seconds, for + the SSL session datal stored in the external SSL session cache. It can be set + as low as 15 for testing, but should be set to higher values like 600 in real + life. The default timeout is 1800 seconds (30 minutes). + + <p> + <hr> <h2><a name="TLSTimeoutHandshake">TLSTimeoutHandshake</a></h2> <strong>Syntax:</strong> TLSTimeoutHandshake <em>seconds</em><br> *************** *** 1213,1216 **** --- 1399,1494 ---- <p> <hr> + <h2>Control Actions</h2> + + <p> + <hr> + <h3><a name="tls_sesscache_clear"><code>tls sesscache clear</code></a></h3> + <strong>Syntax:</strong> ftpdctl tls sesscache clear<br> + <strong>Purpose:</strong> Clears all cached sessions from the SSL session cache<br> + + <p> + The <code>tls sesscache clear</code> action is used to clear all cached + sessions, whether they have expired or not, from the configured external + SSL session cache. For example: + <pre> + # ftpdctl tls sesscache clear + ftpdctl: tls sesscache: cleared 1 session from 'shm' session cache + </pre> + + <p> + See also: <a href="#TLSSessionCache"><code>TLSSessionCache</code></a> + + <p> + <hr> + <h3><a name="tls_sesscache_info"><code>tls sesscache info</code></a></h3> + <strong>Syntax:</strong> ftpdctl tls sesscache info <em>[-v]</em><br> + <strong>Purpose:</strong> Displays status of session cache<br> + + <p> + The <code>tls sesscache info</code> action is used to display information + about the configured external SSL session cache. If the optional <em>-v</em> + command-line option is used, then information about each cached session + will also be displayed. 
+ + <p> + For example: + <pre> + # ftpdctl tls sesscache info -v + ftpdctl: Shared memory (shm) SSL session cache provided by mod_tls_shmcache/0.1 + ftpdctl: + ftpdctl: Shared memory segment ID: 589824 + ftpdctl: Shared memory segment size: 1576960 bytes + ftpdctl: Shared memory cache created on: Mon Mar 9 21:18:05 2009 + ftpdctl: Shared memory attach count: 1 + ftpdctl: + ftpdctl: Max session cache size: 153 + ftpdctl: Current session cache size: 1 + ftpdctl: + ftpdctl: Cache lifetime hits: 0 + ftpdctl: Cache lifetime misses: 0 + ftpdctl: + ftpdctl: Cache lifetime sessions stored: 1 + ftpdctl: Cache lifetime sessions deleted: 0 + ftpdctl: Cache lifetime sessions expired: 0 + ftpdctl: + ftpdctl: Cache lifetime errors handling sessions in cache: 0 + ftpdctl: Cache lifetime sessions exceeding max entry size: 0 + ftpdctl: + ftpdctl: Cached sessions: + ftpdctl: -----BEGIN SSL SESSION PARAMETERS----- + ftpdctl: Session ID: A9BB647E236BAB0EF128FE9EAD2ABEC6F8E65C9EB8F050A07D1F0F66EC3019DC + ftpdctl: Session ID Context: 00000000 + ftpdctl: Protocol: TLSv1 + ftpdctl: Started: Mon Mar 9 21:19:20 2009 + ftpdctl: Expires: Tue Mar 10 21:19:20 2009 (86400 secs) + ftpdctl: -----END SSL SESSION PARAMETERS----- + </pre> + + <p> + See also: <a href="#TLSSessionCache"><code>TLSSessionCache</code></a> + + <p> + <hr> + <h3><a name="tls_sesscache_remove"><code>tls sesscache remove</code></a></h3> + <strong>Syntax:</strong> ftpdctl tls sesscache remove<br> + <strong>Purpose:</strong> Removes the external SSL session cache<br> + + <p> + The <code>tls sesscache remove</code> action is used to remove the + external SSL session cache entirely. Depending on the actual module providing + the session cache, this may or may not be implemented. 
+ + <p> + For example: + <pre> + # ftpdctl tls sesscache remove + ftpdctl: tls sesscache: removed 'shm' session cache + </pre> + + <p> + See also: <a href="#TLSSessionCache"><code>TLSSessionCache</code></a> + + <p> + <hr> <h2><a name="Usage">Usage</a></h2> Much of the documentation for Apache's <code>mod_ssl</code>, concerning *************** *** 1260,1265 **** Last Updated: <i>$Date$</i><br> ! <br><hr> ! <font size=2><b><i> © Copyright 2002-2009 TJ Saunders<br> --- 1538,1542 ---- Last Updated: <i>$Date$</i><br> ! <hr> <font size=2><b><i> © Copyright 2002-2009 TJ Saunders<br> |
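Review bot: in the 351,354 hunk (TLSControlsACLs) the second paragraph runs two clauses together: "cannot use <em>actions</em> all others are allowed" needs a semicolon or "and" before "all others", and `"sesscache clear" ,` has a stray space before the comma.

Review bot: in the 514,517 hunk the `AllowClientRenegotiations` text says "The <code>mod_tls</code> will reject", missing "module". More importantly, the closing sentence, that server-initiated renegotiations "are still handled (depending on the OpenSSL version)", leaves an admin unable to tell whether `TLSRenegotiate` works on their build; name the OpenSSL version at which the behaviour changes, since this option exists because of CVE-2009-3555.

Review bot: in the 591,598 hunk the `NoSessionReuseRequired` entry calls the session-reuse check "a security measure" without saying what it defends against, so an admin cannot weigh relaxing it for clients such as curl. One sentence on the threat the check addresses, plus a suggestion to put `TLSOptions NoSessionReuseRequired` only in the `<VirtualHost>` serving those clients rather than server-wide, would make the example safer to copy.

Review bot: in the 793,796 hunk the directive name is misspelled in the description: `<code>TLSPKCS12ile</code>` should be `TLSPKCS12File`, matching the heading and the example.

Review bot: in the 1104,1107 hunk (TLSSessionCache) there are three wording slips: "storing and shared SSL sessions" should be "storing and sharing SSL sessions", "the SSL session datal" should be "data", and "The optional <em>timeout</em> parameters sets" should be "parameter sets".

Review bot: the `tls sesscache` action sections in the 1213,1216 hunk show `ftpdctl tls sesscache clear`, `info` and `remove` succeeding, but the `TLSControlsACLs` section added earlier in this patch states that the default is to deny everyone until an ACL is configured; each action's "See also" should point at `TLSControlsACLs` as well as `TLSSessionCache`, otherwise the examples as shown fail on a default configuration.

Review bot: the footer hunk at 1260,1265 tidies the `<hr>` but leaves `© Copyright 2002-2009 TJ Saunders` on a document that now gains 1.3.3rc1 material in 2010; the mod_sftp_pam commit on this page bumps its range to 2008-2010, and this file should do the same.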
From: TJ S. <cas...@us...> - 2010-04-02 22:30:29
Update of /cvsroot/pdd/www.proftpd.org/docs/contrib In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv16237 Modified Files: mod_sftp_pam.html Log Message: Update the mod_sftp_pam docs on the website. Index: mod_sftp_pam.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/contrib/mod_sftp_pam.html,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -r1.1 -r1.2 *** mod_sftp_pam.html 24 Feb 2010 19:08:55 -0000 1.1 --- mod_sftp_pam.html 2 Apr 2010 22:30:20 -0000 1.2 *************** *** 51,55 **** <h2><a name="SFTPPAMEngine">SFTPPAMEngine</a></h2> <strong>Syntax:</strong> SFTPPAMEngine <em>on|off</em><br> ! <strong>Default:</strong> Off<br> <strong>Context:</strong> "server config", <VirtualHost>, <Global><br> <strong>Module:</strong> mod_sftp_pam<br> --- 51,55 ---- <h2><a name="SFTPPAMEngine">SFTPPAMEngine</a></h2> <strong>Syntax:</strong> SFTPPAMEngine <em>on|off</em><br> ! <strong>Default:</strong> On<br> <strong>Context:</strong> "server config", <VirtualHost>, <Global><br> <strong>Module:</strong> mod_sftp_pam<br> *************** *** 59,64 **** The <code>SFTPPAMEngine</code> directive toggles the use of the PAM library for supporting a keyboard-interactive authentication mechanism for SSH2 logins. ! By default <code>mod_sftp_pam</code> is disabled for both the main server and ! all configured virtual hosts. <p> --- 59,63 ---- The <code>SFTPPAMEngine</code> directive toggles the use of the PAM library for supporting a keyboard-interactive authentication mechanism for SSH2 logins. ! By default <code>mod_sftp_pam</code> is enabled. <p> *************** *** 125,135 **** <hr><br> <h2><a name="Usage">Usage</a></h2> ! To use <code>mod_sftp_pam</code>, simply enable the module, and configure ! it to use the correct PAM service name, <i>e.g.</i>: <pre> <IfModule mod_sftp_pam.c> SFTPPAMEngine on SFTPPAMServiceName sftp ! 
</IfModule> </pre> There is no requirement that <code>mod_sftp_pam</code> use the same PAM --- 124,134 ---- <hr><br> <h2><a name="Usage">Usage</a></h2> ! To use <code>mod_sftp_pam</code>, simply configure it to use the correct PAM ! service name, <i>e.g.</i>: <pre> <IfModule mod_sftp_pam.c> SFTPPAMEngine on SFTPPAMServiceName sftp ! </IfModule> </pre> There is no requirement that <code>mod_sftp_pam</code> use the same PAM *************** *** 146,150 **** <font size=2><b><i> ! © Copyright 2008 TJ Saunders<br> All Rights Reserved<br> </i></b></font> --- 145,149 ---- <font size=2><b><i> ! © Copyright 2008-2010 TJ Saunders<br> All Rights Reserved<br> </i></b></font> |
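Review bot: the 51,55 and 59,64 hunks flip the documented default of `SFTPPAMEngine` from Off to On, which means every install that relied on the old text now has PAM keyboard-interactive authentication active without a config change; confirm this against the module's actual default and, if it is real, call it out in the release notes. The Usage example in the 125,135 hunk still sets `SFTPPAMEngine on`, now redundant under the new default; either drop the line or say it is shown for clarity.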
From: TJ S. <cas...@us...> - 2010-03-02 22:09:49
Update of /cvsroot/pdd/www.proftpd.org/docs In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv29512 Modified Files: index.epl Log Message: List more modules in the docs/index page, for users who need their hand held in order to find things. Index: index.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/index.epl,v retrieving revision 1.32 retrieving revision 1.33 diff -C2 -r1.32 -r1.33 *** index.epl 2 Mar 2010 16:52:59 -0000 1.32 --- index.epl 2 Mar 2010 22:09:40 -0000 1.33 *************** *** 59,63 **** <li><a href="http://www.proftpd.org/docs/howto/Quotas.html">Quota</a> support (mod_quotatab)</li> <li><a href="http://www.proftpd.org/docs/contrib/mod_ban.html">Dynamic blacklist</a> support (mod_ban)</li> ! <li>RADIUS support (mod_radius)</li> <li>POSIX capabilities (mod_cap)</li> <li>TCP wrappers support (mod_wrap)</li> --- 59,64 ---- <li><a href="http://www.proftpd.org/docs/howto/Quotas.html">Quota</a> support (mod_quotatab)</li> <li><a href="http://www.proftpd.org/docs/contrib/mod_ban.html">Dynamic blacklist</a> support (mod_ban)</li> ! <li><a href="http://www.proftpd.org/docs/contrib/mod_shaper.html">Traffic shaping</a> support (mod_shaper)</li> ! <li><a href="http://www.proftpd.org/docs/contrib/mod_radius.html">RADIUS</a> support (mod_radius)</li> <li>POSIX capabilities (mod_cap)</li> <li>TCP wrappers support (mod_wrap)</li> |
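Review bot: after the 59,63 hunk the `mod_cap` and `mod_wrap` items are the only entries in the list without a documentation link, while the two lines changed here give RADIUS and traffic shaping theirs; linking those two as well (or noting that they have no standalone page) finishes the job the log message describes.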
From: TJ S. <cas...@us...> - 2010-03-02 19:05:33
Update of /cvsroot/pdd/www.proftpd.org/docs/contrib In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv20013 Modified Files: mod_sftp_sql.html Log Message: Update mod_sftp_sql doc from source CVS. Index: mod_sftp_sql.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/contrib/mod_sftp_sql.html,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -r1.1 -r1.2 *** mod_sftp_sql.html 24 Feb 2010 19:08:55 -0000 1.1 --- mod_sftp_sql.html 2 Mar 2010 19:05:24 -0000 1.2 *************** *** 30,37 **** <p> ! The most current version of <code>mod_sftp_sql</code> can be found at: ! <pre> ! <a href="http://www.castaglia.org/proftpd/">http://www.castaglia.org/proftpd/</a> ! </pre> <h2>Author</h2> --- 30,40 ---- <p> ! The most current version of <code>mod_sftp_sql</code> is distributed with the ! ProFTPD source code. ! ! <p> ! This product includes software developed by the OpenSSL Project for use in the ! OpenSSL Toolkit (<a href="http://www.openssl.org/">http://www.openssl.org/</a>). ! This product includes cryptographic software written by Eric Young (ea...@cr...). <h2>Author</h2> |
From: TJ S. <cas...@us...> - 2010-03-02 16:53:14
Update of /cvsroot/pdd/www.proftpd.org/docs In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv29739 Modified Files: index.epl Log Message: Add mod_sftp, mod_ban, and mod_quotatab to the list of modules mentioned in the docs/ index page. Index: index.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/index.epl,v retrieving revision 1.31 retrieving revision 1.32 diff -C2 -r1.31 -r1.32 *** index.epl 12 Feb 2009 21:39:11 -0000 1.31 --- index.epl 2 Mar 2010 16:52:59 -0000 1.32 *************** *** 53,61 **** <ul> <li><a href="http://www.proftpd.org/docs/howto/TLS.html">SSL/TLS</a> support (mod_tls)</li> <li><a href="http://horde.net/~jwm/software/mod_ldap/">LDAP</a> support (mod_ldap)</li> - <li>POSIX capabilities (mod_cap)</li> <li><a href="http://www.proftpd.org/docs/howto/SQL.html">SQL</a> support (mod_sql)</li> <li>RADIUS support (mod_radius)</li> <li>TCP wrappers support (mod_wrap)</li> <li>mod_readme</li> --- 53,64 ---- <ul> + <li><a href="http://www.proftpd.org/docs/contrib/mod_sftp.html">SFTP</a> support (mod_sftp)</li> <li><a href="http://www.proftpd.org/docs/howto/TLS.html">SSL/TLS</a> support (mod_tls)</li> <li><a href="http://horde.net/~jwm/software/mod_ldap/">LDAP</a> support (mod_ldap)</li> <li><a href="http://www.proftpd.org/docs/howto/SQL.html">SQL</a> support (mod_sql)</li> + <li><a href="http://www.proftpd.org/docs/howto/Quotas.html">Quota</a> support (mod_quotatab)</li> + <li><a href="http://www.proftpd.org/docs/contrib/mod_ban.html">Dynamic blacklist</a> support (mod_ban)</li> <li>RADIUS support (mod_radius)</li> + <li>POSIX capabilities (mod_cap)</li> <li>TCP wrappers support (mod_wrap)</li> <li>mod_readme</li> |
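Review bot: `<li>RADIUS support (mod_radius)</li>` is left as the only module line in this block without a link while three linked entries are added around it, and the LDAP entry points off-site (`http://horde.net/~jwm/software/mod_ldap/`) where every other link stays under www.proftpd.org/docs; an on-site contrib page for mod_ldap would be the consistent target if one exists. Moving the mod_cap entry below RADIUS is a pure reorder and harmless.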
From: TJ S. <cas...@us...> - 2010-02-25 01:23:29
Update of /cvsroot/pdd/www.proftpd.org/docs/howto In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv13992 Modified Files: Versioning.html Log Message: Update website copy of Versioning howto. Index: Versioning.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/Versioning.html,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -r1.1 -r1.2 *** Versioning.html 11 Dec 2009 04:47:38 -0000 1.1 --- Versioning.html 25 Feb 2010 00:52:32 -0000 1.2 *************** *** 41,45 **** maintenance branch is created, the previous maintenance branch is no longer supported. Thus when the 1.3.2 maintenance branch was created, the 1.3.1 ! series of release became unsupported. <p><b>Maintenance Releases</b><br> --- 41,45 ---- maintenance branch is created, the previous maintenance branch is no longer supported. Thus when the 1.3.2 maintenance branch was created, the 1.3.1 ! series of releases became unsupported. <p><b>Maintenance Releases</b><br> *************** *** 69,72 **** --- 69,74 ---- <li>proftpd-1.3.2b <li>proftpd-1.3.2c + <li>proftpd-1.3.2d + <li>proftpd-1.3.2e </ul> |
From: TJ S. <cas...@us...> - 2010-02-24 19:09:05
Update of /cvsroot/pdd/www.proftpd.org/docs/contrib In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv1011/contrib Modified Files: index.html Added Files: mod_exec.html mod_ldap.html mod_sftp.html mod_sftp_pam.html mod_sftp_sql.html mod_shaper.html mod_sql_passwd.html mod_tls_shmcache.html Log Message: Add docs for the new contrib modules to the website. --- NEW FILE --- <!-- $Id: mod_exec.html,v 1.1 2010/02/24 19:08:55 castaglia Exp $ --> <!-- $Source: /cvsroot/pdd/www.proftpd.org/docs/contrib/mod_exec.html,v $ --> <html> <head> <title>ProFTPD module mod_exec</title> </head> <body bgcolor=white> <hr><br> <center> <h2><b>ProFTPD module <code>mod_exec</code></b></h2> </center> <hr><br> This module is contained in the <code>mod_exec.c</code> file for ProFTPD 1.3.<i>x</i>, found <a href="http://www.castaglia.org/proftpd/">here</a>, and is not compiled by default. Installation instructions are discussed <a href="#Installation">here</a>. <p> The <code>mod_exec</code> module can be used to execute external programs or scripts at various points in the process of handling FTP commands. By conscious design, the core ProFTPD engine does not and will not execute external programs. This is a security decision, as it was decided not to allow ProFTPD to serve as a means of compromising a system or disclosing information via bugs in external programs or scripts. Use of this module allows for such external programs to be executed, and also opens up the server to the mentioned possibilities of compromise or disclosure via those programs. <p> <center> <b>YOU HAVE BEEN WARNED</b><br> <b>USE AT YOUR OWN RISK</b><br> </center> <p> Please read the <a href="#Usage">usage</a> section to know the other caveats with this module. <p> The most current version of <code>mod_exec</code> is distributed with the ProFTPD source code. <h2>Author</h2> <p> Please contact TJ Saunders <tj <i>at</i> castaglia.org> with any questions, concerns, or suggestions regarding this module. 
<h2>Directives</h2> <ul> <li><a href="#ExecBeforeCommand">ExecBeforeCommand</a> <li><a href="#ExecEngine">ExecEngine</a> <li><a href="#ExecEnviron">ExecEnviron</a> <li><a href="#ExecLog">ExecLog</a> <li><a href="#ExecOnCommand">ExecOnCommand</a> <li><a href="#ExecOnConnect">ExecOnConnect</a> <li><a href="#ExecOnError">ExecOnError</a> <li><a href="#ExecOnEvent">ExecOnEvent</a> <li><a href="#ExecOnExit">ExecOnExit</a> <li><a href="#ExecOnRestart">ExecOnRestart</a> <li><a href="#ExecOptions">ExecOptions</a> <li><a href="#ExecTimeout">ExecTimeout</a> </ul> <hr> <h2><a name="ExecBeforeCommand">ExecBeforeCommand</a></h2> <strong>Syntax:</strong> ExecBeforeCommand <em>cmds path [arg1 arg2 ...]</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> "server config" <code><VirtualHost></code>, <code><Global></code>, <code><Anonymous></code>, <code><Directory></code><br> <strong>Module:</strong> mod_exec<br> <strong>Compatibility:</strong> 1.2.8 and later <p> The <code>ExecBeforeCommand</code> directive is used to execute the program or script at <i>path</i> <b>before</b> the handling of any FTP command listed in <i>cmds</i>, where <i>cmds</i> is a comma-delimited list of FTP commands. The command groups of the <code><Limit></code> directive, such as READ, WRITE, and ALL, may also be used. The program will be executed with the privileges of the logged-in user. <p> Any number of arbitrary arguments may be configured to pass to the script. In addition, the "cookies" supported by the <code>ExecEnviron</code> directive may also be used in the script argument list. <p> <b>Important</b>: use of <code>DefaultRoot</code> will cause complications (to be elaborated upon soon). 
<p> Example: <pre> ExecBeforeCommand RETR /path/to/ftp-prep --file %f </pre> <p> See Also: <a href="#ExecEnviron">ExecEnviron</a>, <a href="#ExecOnCommand">ExecOnCommand</a>, <a href="#ExecOnConnect">ExecOnConnect</a>, <a href="#ExecOnError">ExecOnError</a>, <a href="#ExecOnExit">ExecOnExit</a>, <a href="#ExecOnRestart">ExecOnRestart</a>, <a href="http://www.proftpd.org/docs/directives/linked/config_ref_Limit.html"><Limit></a> <p> <hr> <h2><a name="ExecEngine">ExecEngine</a></h2> <strong>Syntax:</strong> ExecEngine <em>on|off</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> "server config", <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_exec<br> <strong>Compatibility:</strong> 1.2.5rc2 and later <p> The <code>ExecEngine</code> directive enables or disables the module's runtime exec engine. If it is set to <em>off</em> this module will not manipulate environment variables or execute external scripts. Use this directive to disable the module instead of commenting out all <code>mod_exec</code> directives. <p> <hr> <h2><a name="ExecEnviron">ExecEnviron</a></h2> <strong>Syntax:</strong> ExecEnviron <em>key value</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> "server config", <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_exec<br> <strong>Compatibility:</strong> 1.2.5rc2 and later <p> The <code>ExecEnviron</code> directive is used to set the environment variables in the environment created for the script to be executed. The current environment is not passed directly to the script; this is to prevent unwanted information leakage. The given <i>key</i> parameter will be uppercased, to follow the convention for environment variable keys. 
<p> The <i>value</i> parameter may be any arbitrary string which may contain any of the following "cookies", which will be substituted with the corresponding value before the script is executed: <ul> <li><b>%a</b> - client's IP address <li><b>%C</b> - current working directory <li><b>%c</b> - connection class <li><b>%F</b> - transfered file as seen by client <li><b>%f</b> - full transfered file path <li><b>%g</b> - name of primary group of local user <li><b>%h</b> - client's DNS name <li><b>%m</b> - FTP command (e.g. RETR, STOR, etc) <li><b>%r</b> - full FTP command <li><b>%U</b> - original username sent by client <li><b>%u</b> - name of local user <li><b>%v</b> - name of server handling session <li><b>%w</b> - RNFR path ("whence" a rename comes, <i>i.e.</i> the source path) </ul> The <i>value</i> parameter may be also be "-", which indicates that the current value of the environment variable of name <i>key</i> should be used (<i>e.g.</i> PATH). If there is no environment of name <i>key</i> when "-" is used, it will be created with a blank string as the value. <p> <hr> <h2><a name="ExecLog">ExecLog</a></h2> <strong>Syntax:</strong> ExecLog <em>file|"none"</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> "server config", <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_exec<br> <strong>Compatibility:</strong> 1.2.5rc2 and later <p> The <code>ExecLog</code> directive is used to a specify a log file for <code>mod_exec</code> reporting and debugging, and can be done a per-server basis. The <em>file</em> parameter must be the full path to the file to use for logging. Note that this path must <b>not</b> be to a world-writeable directory and, unless <code>AllowLogSymlinks</code> is explicitly set to <em>on</em> (generally a bad idea), the path must <b>not</b> be a symbolic link. 
<p> If <em>file</em> is "none", no logging will be done at all; this setting can be used to override an <code>ExecLog</code> setting inherited from a <code><Global></code> context. <p> <hr> <h2><a name="ExecOnCommand">ExecOnCommand</a></h2> <strong>Syntax:</strong> ExecOnCommand <em>cmds path [arg1 arg2 ...]</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> "server config" <code><VirtualHost></code>, <code><Global></code>, <code><Anonymous></code>, <code><Directory></code><br> <strong>Module:</strong> mod_exec<br> <strong>Compatibility:</strong> 1.2.5rc2 and later <p> The <code>ExecOnCommand</code> directive is used to execute the program or script at <i>path</i> <b>after</b> the successful completion of any FTP command listed in <i>cmds</i>, where <i>cmds</i> is a comma-delimited list of FTP commands. The command groups of the <code><Limit></code> directive, such as READ, WRITE, and ALL, may also be used. The program will be executed with the privileges of the logged-in user. <p> Any number of arbitrary arguments may be configured to pass to the script. In addition, the "cookies" supported by the <code>ExecEnviron</code> directive may also be used in the script argument list. <p> <b>Important</b>: use of <code>DefaultRoot</code> will cause complications (to be elaborated upon soon). 
<p> Example: <pre> ExecOnCommand APPE,STOR /path/to/ftp-email-script --user %u --file %f </pre> <p> See Also: <a href="#ExecBeforeCommand">ExecBeforeCommand</a>, <a href="#ExecEnviron">ExecEnviron</a>, <a href="#ExecOnConnect">ExecOnConnect</a>, <a href="#ExecOnError">ExecOnError</a>, <a href="#ExecOnExit">ExecOnExit</a>, <A href="#ExecOnRestart">ExecOnRestart</a>, <a href="http://www.proftpd.org/docs/directives/linked/config_ref_Limit.html"><Limit></a> <p> <hr> <h2><a name="ExecOnConnect">ExecOnConnect</a></h2> <strong>Syntax:</strong> ExecOnConnect <em>path [arg1 arg2 ...]</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> "server config" <code><VirtualHost></code>, <code><Global></code>, <code><Anonymous></code>, <code><Directory></code><br> <strong>Module:</strong> mod_exec<br> <strong>Compatibility:</strong> 1.2.5rc2 and later <p> The <code>ExecOnConnect</code> directive is used to execute the program or script at <i>path</i> whenever a client connects to the server. The program will be executed with the privileges of the contacted server, which are set via the <code>User</code>/<code>Group</code> directives. <p> Any number of arbitrary arguments may be configured to pass to the script. In addition, the "cookies" supported by the <code>ExecEnviron</code> directive may also be used in the script argument list. 
<p> Example: <pre> ExecOnConnect /path/to/ftp-logger --ip %a --dns %h </pre> <p> See Also: <a href="#ExecBeforeCommand">ExecBeforeCommand</a>, <a href="#ExecEnviron">ExecEnviron</a>, <a href="#ExecOnCommand">ExecOnCommand</a>, <a href="#ExecOnError">ExecOnError</a>, <a href="#ExecOnExit">ExecOnExit</a>, <a href="#ExecOnRestart">ExecOnRestart</a> <p> <hr> <h2><a name="ExecOnError">ExecOnError</a></h2> <strong>Syntax:</strong> ExecOnError <em>cmds path [arg1 arg2 ...]</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> "server config" <code><VirtualHost></code>, <code><Global></code>, <code><Anonymous></code>, <code><Directory></code><br> <strong>Module:</strong> mod_exec<br> <strong>Compatibility:</strong> 1.2.5rc2 and later <p> The <code>ExecOnError</code> directive is used to execute the program or script at <i>path</i> if an error occurs while processing any FTP command listed in <i>cmds</i>, where <i>cmds</i> is a comma-delimited list of FTP commands. The command groups of the <code><Limit></code> directive, such as READ, WRITE, and ALL, may also be used. The program will be executed with the privileges of the logged-in user. <p> Any number of arbitrary arguments may be configured to pass to the script. In addition, the "cookies" supported by the <code>ExecEnviron</code> directive may also be used in the script argument list. <p> <b>Important</b>: use of <code>DefaultRoot</code> will cause complications (to be elaborated upon soon). 
<p> Example: <pre> ExecOnError APPE,STOR /path/to/ftp-cleanup-script --user %u --file %f </pre> See Also: <a href="#ExecBeforeCommand">ExecBeforeCommand</a>, <a href="#ExecEnviron">ExecEnviron</a>, <a href="#ExecOnCommand">ExecOnCommand</a>, <a href="#ExecOnConnect">ExecOnConnect</a>, <a href="#ExecOnExit">ExecOnExit</a>, <a href="#ExecOnRestart">ExecOnRestart</a>, <a href="http://www.proftpd.org/docs/directives/linked/config_ref_Limit.html"><Limit></a> <p> <hr> <h2><a name="ExecOnEvent">ExecOnEvent</a></h2> <strong>Syntax:</strong> ExecOnEvent <em>event[*] path [arg1 arg2 ...]</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> "server config"<br> <strong>Module:</strong> mod_exec<br> <strong>Compatibility:</strong> 1.2.10rc1 and later <p> The <code>ExecOnEvent</code> directive is used to execute the program or script at <i>path</i> when the given <em>event</em> occurs. The program will be executed with the privileges of the server (set via the <code>User</code> and <code>Group</code> directives in the <code>proftpd.conf</code>file), unless the <em>event</em> name is followed by a "*", in which case the program will be executed with root privileges. <b>Note</b>: this feature should be used <b>very carefully</b>. It allows scripts to modify things like firewall rules, but should be used <b>only</b> for such sensitive tasks. <p> Any number of arbitrary arguments may be configured to pass to the script. In addition, the "cookies" supported by the <code>ExecEnviron</code> directive may also be used in the script argument list. <p> Presently only two specific events are supported: <code>MaxConnectionRate</code> and <code>MaxInstances</code>. These events happen when ever the limit configured by these configuration directives is reached. <p> This directive may be used several times to configure multiple programs to be invoked when <em>event</em> occurs. 
<p> <b>Important</b>: use of <code>DefaultRoot</code> will cause complications (to be elaborated upon soon). <p> Example: <pre> ExecOnEvent MaxConnectionRate* /path/to/ftp-firewall-script --ip %a </pre> See Also: <a href="#ExecBeforeCommand">ExecBeforeCommand</a>, <a href="#ExecEnviron">ExecEnviron</a>, <a href="#ExecOnCommand">ExecOnCommand</a>, <a href="#ExecOnConnect">ExecOnConnect</a>, <a href="#ExecOnExit">ExecOnExit</a>, <a href="#ExecOnRestart">ExecOnRestart</a> <p> <hr> <h2><a name="ExecOnExit">ExecOnExit</a></h2> <strong>Syntax:</strong> ExecOnExit <em>path [arg1 arg2 ...]</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> "server config" <code><VirtualHost></code>, <code><Global></code>, <code><Anonymous></code>, <code><Directory></code><br> <strong>Module:</strong> mod_exec<br> <strong>Compatibility:</strong> 1.2.8 and later <p> The <code>ExecOnExit</code> directive is used to execute the program or script at <i>path</i> whenever a client disconnects to the server. The program will be executed with the privileges of the contacted server, which are set via the <code>User</code>/<code>Group</code> directives. <p> Any number of arbitrary arguments may be configured to pass to the script. In addition, the "cookies" supported by the <code>ExecEnviron</code> directive may also be used in the script argument list. 
<p> Example: <pre> ExecOnExit /path/to/ftp-logger --ip %a --dns %h </pre> <p> See Also: <a href="#ExecBeforeCommand">ExecBeforeCommand</a>, <a href="#ExecEnviron">ExecEnviron</a>, <a href="#ExecOnCommand">ExecOnCommand</a>, <a href="#ExecOnConnect">ExecOnConnect</a>, <a href="#ExecOnError">ExecOnError</a>, <a href="#ExecOnRestart">ExecOnRestart</a> <p> <hr> <h2><a name="ExecOnRestart">ExecOnRestart</a></h2> <strong>Syntax:</strong> ExecOnRestart <em>path [arg1 arg2 ...]</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> "server config" <code><VirtualHost></code>, <code><Global></code>, <code><Anonymous></code>, <code><Directory></code><br> <strong>Module:</strong> mod_exec<br> <strong>Compatibility:</strong> 1.2.5rc2 and later <p> The <code>ExecOnRestart</code> directive is used to execute the program or script at <i>path</i> whenever the server receives a <code>SIGHUP</code> signal. The program will be executed with the privileges of the contacted server, which are set via the <code>User</code>/<code>Group</code> directives. <p> Any number of arbitrary arguments may be configured to pass to the script. In addition, the "cookies" supported by the <code>ExecEnviron</code> directive may also be used in the script argument list. 
<p> Example: <pre> ExecOnRestart /path/to/ftp-counter-reset </pre> See Also: <a href="#ExecBeforeCommand">ExecBeforeCommand</a>, <a href="#ExecEnviron">ExecEnviron</a>, <a href="#ExecOnCommand">ExecOnCommand</a>, <a href="#ExecOnConnect">ExecOnConnect</a>, <a href="#ExecOnError">ExecOnError</a>, <a href="#ExecOnExit">ExecOnExit</a> <p> <hr> <h2><a name="ExecOptions">ExecOptions</a></h2> <strong>Syntax:</strong> ExecOptions <em>opt1 ...</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> "server config" <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_exec<br> <strong>Compatibility:</strong> 1.2.9rc2 and later <p> The <code>ExecOptions</code> directive is used to configure various optional behavior of <code>mod_exec</code>. <p> Example: <pre> ExecOptions logStderr sendStdout </pre> <p> The currently implemented options are: <ul> <li><code>logStderr</code><br> <p>When executing commands, <code>mod_exec</code> usually ignore any <code>stderr</code> output of the command. If this option is enabled, <code>mod_exec</code> will monitor for and log any <code>stderr</code> from the executed command to the <code>ExecLog</code>. <p> <li><code>logStdout</code><br> <p>When executing commands, <code>mod_exec</code> usually ignore any <code>stdout</code> output of the command. If this option is enabled, <code>mod_exec</code> will monitor for and log any <code>stdout</code> from the executed command to the <code>ExecLog</code>. <p> <li><code>sendStdout</code><br> <p>If this option is enabled, <code>mod_exec</code> will attempt to send any <code>stdout</code> output from the executed command to the connected client. Note that this only works for commands that are executed via <code>ExecOnCommand</code> or <code>ExecOnConnect</code>. 
<p> <li><code>useStdin</code><br> <p>If this option is enabled, <code>mod_exec</code> will <b>not</b> send arguments to the command being executed using the command line; instead, those arguments will written to the <code>stdin</code> stream. Each command-line argument will be written as a newline-terminated string to <code>stdin</code>; the end of arguments is indicated by writing the period ('.') character on a line by itself (again, terminated with a newline). <p> For example, a Perl script reading its arguments from <code>stdin</code> would use something like: <pre> while (my $line = <STDIN>) { chomp($line); if ($line eq ".") { last; } # Handle $line appropriately here } </pre> The advantange of using this <code>useStdin</code> option is that some systems have tools (<i>e.g.</i> <code>ps</code>) which will show the command-line arguments to commands being executed. For the security conscious, using <code>stdin</code> to pass arguments is less visible to other users of the system. </ul> <p> <hr> <h2><a name="ExecTimeout">ExecTimeout</a></h2> <strong>Syntax:</strong> ExecTimeout <em>seconds</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> "server config" <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_exec<br> <strong>Compatibility:</strong> 1.2.9rc2 and later <p> The <code>ExecTimeout</code> directive is used to set a limit on how long the executed commands can run. Processes that exceed the configured timeout will first be sent SIGTERM, to allow them to cleanly shutdown. If the process is still around, it will then be sent SIGKILL, which cannot be ignored. A value of zero configures an infinite timeout (not recommended). 
<p> <hr> <h2><a name="Usage">Usage</a></h2> Example configuration: <pre> <IfModule mod_exec.c> ExecEngine on ExecLog /var/log/ftpd/exec.log ExecOnConnect /path/to/script </IfModule> </pre> <p> This module will not work properly for <code><Anonymous></code> logins, or for logins that are affected by <code>DefaultRoot</code>. These directives use the <code>chroot(2)</code> system call, which wreaks havoc when it comes to scripts. The path to script/shell interpreters often assume a certain location that is no longer valid within a chroot. In addition, most modern operating systems use dynamically loaded libraries (<code>.so</code> libraries) for many binaries, including script/shell interpreters. The location of these libraries, when they come to be loaded, are also assumed; those assumptions break within a chroot. Perl, in particular, is so wrought with filesystem location assumptions that it's almost impossible to get a Perl script to work within a chroot, short of installing Perl itself into the chroot environment. <p> In short, this module is probably not what you want. And, try as I might, I cannot convince users that this module is not what they want. Therefore, I'll let you try to use this module yourself, and you can prove to yourself that it probably won't do what you want. <p> As an alternative to <code>mod_exec</code> for executing arbitrary scripts/commands based on FTP command issued, file uploaded/downloaded, <i>etc</i>, I recommend using a logging FIFO-based approach, similar to what is illustrated <a href="../howto/Logging.html">here</a>. This approach allows for any script you wish, and is not subject to the restrictions of a chroot, meaning that you can use <code>DefaultRoot</code> and still have arbitrary scripts executed. If requested, I can provide help in writing a FIFO reader to execute the necessary scripts. 
<p> <hr> <h2><a name="Installation">Installation</a></h2> To install <code>mod_exec</code>, copy the <code>mod_exec.c</code> file into <pre> <i>proftpd-dir</i>/contrib/ </pre> after unpacking the latest proftpd-1.3.<i>x</i> source code. Then follow the usual steps for using third-party modules in proftpd: <pre> ./configure --with-modules=mod_exec make make install </pre> <p> Alternatively, if your proftpd was compiled with DSO support, you can use the <code>prxs</code> tool to build <code>mod_exec</code> as a shared module: <pre> prxs -c -i -d mod_exec.c </pre> <p> <hr><br> Author: <i>$Author: castaglia $</i><br> Last Updated: <i>$Date: 2010/02/24 19:08:55 $</i><br> <br><hr> <font size=2><b><i> © Copyright 2000-2009 TJ Saunders<br> All Rights Reserved<br> </i></b></font> <hr><br> </body> </html> --- NEW FILE --- <!-- $Id: mod_ldap.html,v 1.1 2010/02/24 19:08:55 castaglia Exp $ --> <!-- $Source: /cvsroot/pdd/www.proftpd.org/docs/contrib/mod_ldap.html,v $ --> <html> <head> <title>ProFTPD module mod_ldap</title> </head> <body bgcolor=white> <hr><br> <center> <h2><b>ProFTPD module <code>mod_ldap</code></b></h2> </center> <hr><br> <p> This module is contained in the <code>mod_ldap.c</code> file for ProFTPD 1.2.<i>x</i>/1.3.<i>x</i>, and is not compiled by default. Installation instructions are discussed <a href="#Installation">here</a>. <p> The most current version of <code>mod_ldap</code> is distributed with the ProFTPD source code. <h2>Author</h2> <p> Please contact John Morrissey <jwm <i>at</i> horde.net> with any questions, concerns, or suggestions regarding this module. 
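Review bot: the `ExecEnviron` cookie list and the `ExecOnEvent` section in mod_exec.html should state that cookie values such as `%U` (original username sent by client), `%F` (transfered file as seen by client) and `%r` (full FTP command) are client-supplied strings that end up in the script's argument list or environment; a script run with root privileges (the `*` form of `ExecOnEvent`) or with the logged-in user's privileges must treat them as untrusted input, and the `useStdin` option, which the text already recommends for hiding arguments from `ps`, is the safer default for such scripts. The line `Important: use of DefaultRoot will cause complications (to be elaborated upon soon)` appears four times although the Usage section already elaborates; replace each with a link to `#Usage`. Wording to fix before this goes live: `transfered` (twice, in the cookie list), `may be also be`, `usually ignore` under logStderr and logStdout (should be `usually ignores`), `happen when ever`, `disconnects to the server` (should be `from`), `advantange`, `so wrought with` (should be `fraught`), the missing space in `<code>proftpd.conf</code>file`, and the Context lines that read `"server config" <code><VirtualHost></code>` without the comma that `ExecEngine` uses.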
<h2>Directives</h2> <ul> <li><a href="#LDAPAliasDereference">LDAPAliasDereference</a> <li><a href="#LDAPAttr">LDAPAttr</a> <li><a href="#LDAPAuthBinds">LDAPAuthBinds</a> <li><a href="#LDAPDNInfo">LDAPDNInfo</a> <li><a href="#LDAPDefaultAuthScheme">LDAPDefaultAuthScheme</a> <li><a href="#LDAPDefaultGID">LDAPDefaultGID</a> <li><a href="#LDAPDefaultUID">LDAPDefaultUID</a> <li><a href="#LDAPDoAuth">LDAPDoAuth</a> <li><a href="#LDAPDoGIDLookups">LDAPDoGIDLookups</a> <li><a href="#LDAPDoQuotaLookups">LDAPDoQuotaLookups</a> <li><a href="#LDAPDoUIDLookups">LDAPDoUIDLookups</a> <li><a href="#LDAPForceDefaultGID">LDAPForceDefaultGID</a> <li><a href="#LDAPForceDefaultUID">LDAPForceDefaultUID</a> <li><a href="#LDAPForceGeneratedHomedir">LDAPForceGeneratedHomedir</a> <li><a href="#LDAPGenerateHomedir">LDAPGenerateHomedir</a> <li><a href="#LDAPGenerateHomedirPrefix">LDAPGenerateHomedirPrefix</a> <li><a href="#LDAPGenerateHomedirPrefixNoUsername">LDAPGenerateHomedirPrefixNoUsername</a> <li><a href="#LDAPNegativeCache">LDAPNegativeCache</a> <li><a href="#LDAPProtocolVersion">LDAPProtocolVersion</a> <li><a href="#LDAPQueryTimeout">LDAPQueryTimeout</a> <li><a href="#LDAPSearchScope">LDAPSearchScope</a> <li><a href="#LDAPServer">LDAPServer</a> <li><a href="#LDAPUseSSL">LDAPUseSSL</a> <li><a href="#LDAPUseTLS">LDAPUseTLS</a> </ul> <hr> <h2><a name="LDAPAliasDereference">LDAPAliasDereference</a></h2> <strong>Syntax:</strong> LDAPAliasDereference <em>never|always|search|find</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> The <code>LDAPAliasDereference</code> directive configures how aliases are handled. 
The possible values have the following behaviors: <ul> <li><em>never</em> <p> Never dereference aliases </li> <p> <li><em>always</em> <p> Always dereference aliases </li> <p> <li><em>search</em> <p> Dereference aliases only when searching </li> <p> <li><em>find</em> <p> Dereference aliases only when locating the base object for the search </li> </ul> <p> The default is "never", <i>e.g.</i>: <pre> <IfModule mod_ldap.c> LDAPAliasDeference never </IfModule> </pre> <p> <hr> <h2><a name="LDAPAttr">LDAPAttr</a></h2> <strong>Syntax:</strong> LDAPAttr <em>old-attr-name new-attr-name</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> The <code>LDAPAttr</code> directive is used to map, or to associate, a standard attribute name to a non-standard attribute name. If, for example, your LDAP directory schema used different names for some of the attributes used by <code>mod_ldap</code>, you would use this directive to tell <code>mod_ldap</code> what new attribute names to use. 
<p> The following LDAP attributes can be renamed in this manner: <ul> <li><code>uid</code> <li><code>uidNumber</code> <li><code>gidNumber</code> <li><code>homeDirectory</code> <li><code>userPassword</code> <li><code>loginShell</code> <li><code>cn</code> <li><code>memberUid</code> <li><code>ftpQuota</code> </ul> <p> <hr> <h2><a name="LDAPAuthBinds">LDAPAuthBinds</a></h2> <strong>Syntax:</strong> LDAPAuthBinds <em>on|off</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> By default, the DN specified by the <a href="#LDAPDNInfo"><code>LDAPDNInfo</code></a> will be used to bind to the LDAP server to obtain user information, including the <code>userPassword</code> attribute. If <code>LDAPAuthBinds</code> is set to <em>on</em>, the DN specified by <code>LDAPDNInfo</code> will be used to fetch all user information <i>except</i> the <code>userPassword</code> attribute. Then, the <code>mod_ldap</code> module will bind to the LDAP server as the user who is logging in via FTP with the user-supplied password. If this bind succeeds, the user is considered authenticated and is allowed to log in. This method of LDAP authentication has the added benefit of supporting any password encryption scheme that your LDAP server supports. <p> In versions of <code>mod_ldap</code> up to 2.7.6, the default for <code>LDAPAuthBinds</code> was <em>off</em>. After <code>mod_ldap</code> 2.8, the default value for <code>LDAPAuthBinds</code> is <em>on</em>. 
<p> <hr> <h2><a name="LDAPDNInfo">LDAPDNInfo</a></h2> <strong>Syntax:</strong> LDAPDNInfo <em>dn password</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> The <code>LDAPDNInfo</code> directive configures the DN and the password that <code>mod_ldap</code> will use when binding to the LDAP directory. If this configuration directive is missing, then anonymous binds are used. <p> The default is: <pre> <IfModule mod_ldap.c> # Use anonymous binds LDAPDNInfo "" "" </IfModule> </pre> <p> See also: <a href="#LDAPServer"><code>LDAPServer</code></a> <p> <hr> <h2><a name="LDAPDefaultAuthScheme">LDAPDefaultAuthScheme</a></h2> <strong>Syntax:</strong> LDAPDefaultAuthScheme <em>crypt|clear</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> The <code>LDAPDefaultAuthScheme</code> directive specifies the authentication scheme used for passwords which have no "{hashname}" prefix in the LDAP directory. For example, if you are: <pre> userPassword <em>mypass</em> </pre> in your directory, you would want to set <code>LDAPDefaultAuthScheme</code> to <em>clear</em>. <p> The default value is <em>crypt</em>. <p> <hr> <h2><a name="LDAPDefaultGID">LDAPDefaultGID</a></h2> <strong>Syntax:</strong> LDAPDefaultGID <em>gid</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> The <code>LDAPDefaultGID</code> directive sets the default GID to be used for users when no <code>gidNumber</code> attribute is found for that user. 
<p> This directive is useful primarily in virtual user environments common in large-scale ISPs and hosting organizations. If a user does not have an LDAP <code>gidNumber</code> attribute, the <code>LDAPDefaultGID</code> is used. This allows one to have a large number of users in an LDAP directory without <code>gidNumber</code> attributes; setting this configuration directive will automatically assign those users a single GID. <p> See also: <a href="#LDAPDefaultUID"><code>LDAPDefaultUID</code></a> <p> <hr> <h2><a name="LDAPDefaultUID">LDAPDefaultUID</a></h2> <strong>Syntax:</strong> LDAPDefaultUID <em>uid</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> The <code>LDAPDefaultUID</code> directive sets the default UID to be used for users when no <code>uidNumber</code> attribute is found for that user. <p> This directive is useful primarily in virtual user environments common in large-scale ISPs and hosting organizations. If a user does not have an LDAP <code>uidNumber</code> attribute, the <code>LDAPDefaultUID</code> is used. This allows one to have a large number of users in an LDAP directory without <code>uidNumber</code> attributes; setting this configuration directive will automatically assign those users a single UID. <p> See also: <a href="#LDAPDefaultGID"><code>LDAPDefaultGID</code></a> <p> <hr> <h2><a name="LDAPDoAuth">LDAPDoAuth</a></h2> <strong>Syntax:</strong> LDAPDoAuth <em>off|on base-dn search-filter-template</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> The <code>LDAPDoAuth</code> configuration directive activates LDAP authentication.
The second parameter to this directive is the LDAP base DN to use for authentication. The third parameter is a template to be used for the search filter; <code>%v</code> will be replaced with the username that is being authenticated. <p> By default, the search filter template used is: <pre> (&(uid=%v)(objectclass=posixAccount)) </pre> The <em>uid</em> for the search filter is taken from the <code>LDAPAttr</code> directive. Search filter templates are only supported in versions of <code>mod_ldap</code> 2.7 and later. <p> See also: <a href="#LDAPAttr"><code>LDAPAttr</code></a> <p> <hr> <h2><a name="LDAPDoGIDLookups">LDAPDoGIDLookups</a></h2> <strong>Syntax:</strong> LDAPDoGIDLookups <em>off|on base-dn cn-filter-template gid-number-filter-template member-uid-filter-template</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> The <code>LDAPDoGIDLookups</code> directive activates LDAP GID-to-name lookups for directory listings. The second parameter to this directive is the LDAP base DN to use for GID-to-name lookups. The third through fifth parameters are templates to be used for the search filter; <code>%v</code> will be replaced with the GID that is being looked up. <p> By default, the CN filter template looks like this: <pre> (&(LDAPAttr_cn=%v)(objectclass=posixGroup)) </pre> The <code>gidNumber</code> filter template is: <pre> (&(LDAPAttr_gidNumber=%v)(objectclass=posixGroup)) </pre> and the <code>memberUid</code> filter template used is: <pre> (&(LDAPAttr_memberUid=%v)(objectclass=posixGroup)) </pre> Note that filter templates are only supported in <code>mod_ldap</code> version 2.8.3 and later. <p> The attribute names used in the default search filters are taken from the <a href="#LDAPAttr"><code>LDAPAttr</code></a> directive.
<p> <hr> <h2><a name="LDAPDoQuotaLookups">LDAPDoQuotaLookups</a></h2> <strong>Syntax:</strong> LDAPDoQuotaLookups <em>off|on base-dn quota-filter-template default-quota</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> The <code>LDAPDoQuotaLookups</code> directive enables LDAP quota lookups. The second parameter of this directive is the LDAP base DN to use for the quota limit search. The third parameter is a template to be used for the search filter; <code>%v</code> will be replaced with the username that is being authenticated. <p> By default, the search filter template is: <pre> (&(LDAPAttr_uid=%v)(objectclass=posixAccount)) </pre> The <em>uid</em> for the search filter is taken from the <a href="#LDAPAttr"><code>LDAPAttr</code></a> directive. Note that search filter templates are only supported in <code>mod_ldap</code> version 2.7 and later. <p> If specified, the <em>default-quota</em> parameter indicates the quota limits to use if a user does not have an <code>ftpQuota</code> attribute. This parameter is formatted the same way as the <code>ftpQuota</code> LDAP attribute. <p> <hr> <h2><a name="LDAPDoUIDLookups">LDAPDoUIDLookups</a></h2> <strong>Syntax:</strong> LDAPDoUIDLookups <em>off|on base-dn uid-filter-template</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> The <code>LDAPDoUIDLookups</code> directive activates LDAP UID-to-name lookups for directory listings. The second parameter to this directive is the LDAP base DN to use for UID-to-name lookups. The third parameter is a template to be used for the search filter; <code>%v</code> will be replaced with the UID that is being looked up.
<p> By default, the search filter template looks like this: <pre> (&(LDAPAttr_uidNumber=%v)(objectclass=posixGroup)) </pre> The <em>uidNumber</em> attribute name used in the search filter comes from the <a href="#LDAPAttr"><code>LDAPAttr</code></a> directive. Note that filter templates are only supported in <code>mod_ldap</code> version 2.7 and later. <p> <hr> <h2><a name="LDAPForceDefaultGID">LDAPForceDefaultGID</a></h2> <strong>Syntax:</strong> LDAPForceDefaultGID <em>on|off</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> Even when a <a href="#LDAPDefaultGID"><code>LDAPDefaultGID</code></a> is configured, the <code>mod_ldap</code> module will allow individual users to have <code>gidNumber</code> attributes that will override this default GID. With the <code>LDAPForceDefaultGID</code> directive configured to be <em>on</em>, all LDAP-authenticated users are given the default GID; GIDs may not be overridden by <code>gidNumber</code> attributes. <p> <hr> <h2><a name="LDAPForceDefaultUID">LDAPForceDefaultUID</a></h2> <strong>Syntax:</strong> LDAPForceDefaultUID <em>on|off</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config<br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> Even when a <a href="#LDAPDefaultUID"><code>LDAPDefaultUID</code></a> is configured, the <code>mod_ldap</code> module will allow individual users to have <code>uidNumber</code> attributes that will override this default UID. With the <code>LDAPForceDefaultUID</code> directive configured to be <em>on</em>, all LDAP-authenticated users are given the default UID; UIDs may not be overridden by <code>uidNumber</code> attributes.
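The LDAPDoAuth, LDAPDoGIDLookups, LDAPDoQuotaLookups and LDAPDoUIDLookups templates above substitute %v with a client-supplied username or a numeric ID, and the LDAPAttr_ placeholders stand for attribute names that the LDAPAttr directive may rename. The Python below is an added example, not mod_ldap's own code: it resolves the placeholders, substitutes %v with RFC 4515 escaping, and checks that the substituted value did not change the filter's structure; the LDAPAttr mapping and the usernames are constructed.

```python
"""mod_ldap-style search filter templates: LDAPAttr renaming and %v substitution.

Added example, not mod_ldap's own code.  The templates are the defaults quoted
in the mod_ldap documentation; the LDAPAttr mapping and usernames are constructed.
"""
import re

# Default templates as documented for the LDAPDo* directives.  The docs write
# the LDAPDoAuth default without the LDAPAttr_ prefix but say the attribute
# name is still taken from LDAPAttr, so it is modelled the same way here.
DEFAULT_TEMPLATES = {
    "auth":      "(&(LDAPAttr_uid=%v)(objectclass=posixAccount))",
    "quota":     "(&(LDAPAttr_uid=%v)(objectclass=posixAccount))",
    "cn":        "(&(LDAPAttr_cn=%v)(objectclass=posixGroup))",
    "gidNumber": "(&(LDAPAttr_gidNumber=%v)(objectclass=posixGroup))",
    "memberUid": "(&(LDAPAttr_memberUid=%v)(objectclass=posixGroup))",
    "uidNumber": "(&(LDAPAttr_uidNumber=%v)(objectclass=posixGroup))",
}

# Constructed LDAPAttr renamings, modelled on the Active Directory configuration
# in the docs ("LDAPAttr uid sAMAccountName", "LDAPAttr gidNumber primaryGroupID").
AD_LDAP_ATTR = {"uid": "sAMAccountName", "gidNumber": "primaryGroupID"}

_PLACEHOLDER = re.compile(r"LDAPAttr_(\w+)")

# RFC 4515: characters that carry meaning inside a filter assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so that it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def resolve_attrs(template: str, ldap_attr: dict) -> str:
    """Replace LDAPAttr_<name> with the name configured via LDAPAttr, if any."""
    return _PLACEHOLDER.sub(lambda m: ldap_attr.get(m.group(1), m.group(1)), template)


def expand_filter(template: str, value: str, escape: bool = True) -> str:
    """Substitute %v.  escape=False is the unsafe, verbatim substitution and is
    kept only so the structural check below can show the difference."""
    return template.replace("%v", escape_filter_value(value) if escape else value)


def paren_shape(filt: str) -> tuple:
    """Count literal parentheses; escaped ones appear as \\28 / \\29 and are not
    counted, so a correctly escaped value never changes the shape."""
    return filt.count("("), filt.count(")")


def structure_preserved(template: str, expanded: str) -> bool:
    """True when the substituted value neither added nor removed filter terms."""
    return paren_shape(expanded) == paren_shape(template)


def build_filter(kind: str, value: str, ldap_attr: dict = None) -> str:
    """Full pipeline for one directive: resolve attribute names, escape, verify."""
    template = resolve_attrs(DEFAULT_TEMPLATES[kind], ldap_attr or {})
    expanded = expand_filter(template, value)
    if not structure_preserved(template, expanded):  # defensive; escaping prevents it
        raise ValueError("substituted value altered the filter")
    return expanded


if __name__ == "__main__":
    tmpl = resolve_attrs(DEFAULT_TEMPLATES["auth"], AD_LDAP_ATTR)
    print(build_filter("auth", "alice", AD_LDAP_ATTR))
    hostile = "*)(cn=*"  # constructed username that is also filter syntax
    raw = expand_filter(tmpl, hostile, escape=False)
    print(raw, "structure preserved:", structure_preserved(tmpl, raw))
    print(build_filter("auth", hostile, AD_LDAP_ATTR))
```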
<p> <hr> <h2><a name="LDAPForceGeneratedHomedir">LDAPForceGeneratedHomedir</a></h2> <strong>Syntax:</strong> LDAPForceGeneratedHomedir <em>off|on directory-mode</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> See also: <a href="#LDAPGenerateHomedir"><code>LDAPGenerateHomedir</code></a>, <a href="#LDAPGenerateHomedirPrefix"><code>LDAPGenerateHomedirPrefix</code></a>, <a href="#LDAPGenerateHomedirPrefixNoUsername"><code>LDAPGenerateHomedirPrefixNoUsername</code></a> <p> <hr> <h2><a name="LDAPGenerateHomedir">LDAPGenerateHomedir</a></h2> <strong>Syntax:</strong> LDAPGenerateHomedir <em>on|off</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> <hr> <h2><a name="LDAPGenerateHomedirPrefix">LDAPGenerateHomedirPrefix</a></h2> <strong>Syntax:</strong> LDAPGenerateHomedirPrefix <em>prefix</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> <hr> <h2><a name="LDAPGenerateHomedirPrefixNoUsername">LDAPGenerateHomedirPrefixNoUsername</a></h2> <strong>Syntax:</strong> LDAPGenerateHomedirPrefixNoUsername <em>on|off</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> <hr> <h2><a name="LDAPNegativeCache">LDAPNegativeCache</a></h2> <strong>Syntax:</strong> LDAPNegativeCache <em>on|off</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config,
<code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> The <code>LDAPNegativeCache</code> directive specifies whether or not to cache negative responses from the LDAP server when using LDAP for UID/GID lookups. This option is useful if you also use, or are migrating from, another authentication system: if there are many users in your old authentication system that aren't in the LDAP database, there can be a significant delay when a directory listing is performed, as the UIDs not in the LDAP database are repeatedly looked up in an attempt to present usernames instead of UIDs in directory listings. With <code>LDAPNegativeCache</code> set to <em>on</em>, negative ("not found") responses from the LDAP server will be cached, and speed will improve on directory listings that contain many users not present in the LDAP database. <p> <hr> <h2><a name="LDAPProtocolVersion">LDAPProtocolVersion</a></h2> <strong>Syntax:</strong> LDAPProtocolVersion <em>2|3</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> The <code>LDAPProtocolVersion</code> directive configures the version of the LDAP protocol that <code>mod_ldap</code> will use when talking to the LDAP servers. The default protocol version used is <em>3</em>. <p> <hr> <h2><a name="LDAPQueryTimeout">LDAPQueryTimeout</a></h2> <strong>Syntax:</strong> LDAPQueryTimeout <em>secs</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> The <code>LDAPQueryTimeout</code> directive configures the timeout value, in seconds, that will be used for LDAP directory queries.
The default timeout value is determined by your LDAP API. <p> <hr> <h2><a name="LDAPSearchScope">LDAPSearchScope</a></h2> <strong>Syntax:</strong> LDAPSearchScope <em>onelevel|subtree</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> The <code>LDAPSearchScope</code> directive is used to set the scope used for LDAP searches. The default setting, <em>subtree</em>, searches for all entries in the tree from the current level down. Setting this directive to <em>onelevel</em> searches only one level deep in the LDAP tree. <p> <hr> <h2><a name="LDAPServer">LDAPServer</a></h2> <strong>Syntax:</strong> LDAPServer <em>"host1:port1 host2:port2"</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> The <code>LDAPServer</code> directive allows you to specify the hostname(s) and port(s) of the LDAP server(s) to use for LDAP authentication. If no <code>LDAPServer</code> configuration directive is present, the default LDAP servers specified by your LDAP library will be used. <p> To specify multiple LDAP servers, enclose the entire list of servers in quotation marks.
For example: <pre> LDAPServer "host1:port1 host2:port2" </pre> <p> <hr> <h2><a name="LDAPUseSSL">LDAPUseSSL</a></h2> <strong>Syntax:</strong> LDAPUseSSL <em>on|off</em><br> <strong>Default:</strong> off<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.3.1rc1 and later <p> <hr> <h2><a name="LDAPUseTLS">LDAPUseTLS</a></h2> <strong>Syntax:</strong> LDAPUseTLS <em>on|off</em><br> <strong>Default:</strong> off<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_ldap<br> <strong>Compatibility:</strong> 1.2.7rc1 and later <p> The <code>LDAPUseTLS</code> directive configures whether <code>mod_ldap</code> will use SSL/TLS to protect the connections made to the configured LDAP servers. <p> By default, the <code>mod_ldap</code> module connects to the LDAP server via non-encrypted connections. Enabling this option causes <code>mod_ldap</code> to use an encrypted (TLS/SSL) connection to the LDAP server. If a secure connection to the LDAP server fails, <code>mod_ldap</code> will not authenticate users; <code>mod_ldap</code> will <b>not</b> fall back to an insecure connection. <p> <hr><br> <h2><a name="Installation">Installation</a></h2> Follow the normal steps for using third-party modules in proftpd: <pre> ./configure --with-modules=mod_ldap make make install </pre> You may need to specify the location of the OpenLDAP header and library files in your <code>configure</code> command, <i>e.g.</i>: <pre> ./configure --with-modules=mod_ldap \ --with-includes=/usr/local/openldap/include \ --with-libraries=/usr/local/openldap/lib </pre> <p> <hr><br> <h2><a name="Usage">Usage</a></h2> <p> One <code>mod_ldap</code> user submitted the following configuration for allowing <code>mod_ldap</code> to communicate with a Windows Active Directory server.
Note that this configuration has not been tested; if it works for you (or not), please let us know: <pre> <IfModule mod_ldap.c> LDAPServer dc.example.org:3268 LDAPUseTLS on LDAPAuthBinds on LDAPDNInfo "cn=SRV_ACC_SVN_AUTH,ou=special accounts,ou=Sales,dc=example,dc=org" ****************** LDAPDoAuth on ou=Users,ou=Sales,dc=example,dc=org "(&(sAMAccountName=%u)(objectclass=user)(memberOf=cn=Linux Admins,ou=Groups,ou=Sales,dc=example,DC=org))" LDAPSearchScope subtree # Assign default IDs LDAPDefaultUID 106 LDAPDefaultGID 65534 # Create the home directory LDAPGenerateHomedir on LDAPGenerateHomedirPrefix /home # Use different attribute names where necessary LDAPAttr uid sAMAccountName LDAPAttr gidNumber primaryGroupID </IfModule> </pre> <p> <hr><br> Author: <i>$Author: castaglia $</i><br> Last Updated: <i>$Date: 2010/02/24 19:08:55 $</i><br> <br><hr> <font size=2><b><i> © Copyright 2008 TJ Saunders<br> All Rights Reserved<br> </i></b></font> <hr><br> </body> </html> --- NEW FILE --- <!-- $Id: mod_sftp.html,v 1.1 2010/02/24 19:08:55 castaglia Exp $ --> <!-- $Source: /cvsroot/pdd/www.proftpd.org/docs/contrib/mod_sftp.html,v $ --> <html> <head> <title>ProFTPD module mod_sftp</title> </head> <body bgcolor=white> <hr> <center> <h2><b>ProFTPD module <code>mod_sftp</code></b></h2> </center> <hr><br> <p> <b>SFTP versus FTPS</b><br> There is a great deal of confusion and misunderstanding surrounding two very [...1468 lines suppressed...] in your <code>mod_sftp</code> configuration. 
<p> <hr><br> Author: <i>$Author: castaglia $</i><br> Last Updated: <i>$Date: 2010/02/24 19:08:55 $</i><br> <br><hr> <font size=2><b><i> © Copyright 2008-2010 TJ Saunders<br> All Rights Reserved<br> </i></b></font> <hr><br> </body> </html> --- NEW FILE --- <!-- $Id: mod_sftp_pam.html,v 1.1 2010/02/24 19:08:55 castaglia Exp $ --> <!-- $Source: /cvsroot/pdd/www.proftpd.org/docs/contrib/mod_sftp_pam.html,v $ --> <html> <head> <title>ProFTPD module mod_sftp_pam</title> </head> <body bgcolor=white> <hr> <center> <h2><b>ProFTPD module <code>mod_sftp_pam</code></b></h2> </center> <hr><br> <p> The <code>mod_sftp_pam</code> module provides support for the "SSH Keyboard-Interactive Authentication" RFC (<a href="http://www.faqs.org/rfcs/rfc4256.html">RFC4256</a>). How is <code>mod_sftp_pam</code> different from ProFTPD's existing PAM support, in the form of <code>mod_auth_pam</code>? The difference is that the <code>mod_auth_pam</code> module does <b>not</b> echo the prompt, provided by the underlying PAM library/modules, back to the FTP client; this <code>mod_sftp_pam</code> module will echo any prompt back to the connecting SSH2 client. This makes using onetime-password PAM modules, for example, work very easily for authenticating SSH2 logins. <p> This module is contained in the <code>mod_sftp_pam.c</code> file for ProFTPD 1.3.<i>x</i>, and is not compiled by default. Installation instructions are discussed <a href="#Installation">here</a>; a discussion on <a href="#Usage">usage</a> is also available. <p> The most current version of <code>mod_sftp_pam</code> can be found at: <pre> <a href="http://www.castaglia.org/proftpd/">http://www.castaglia.org/proftpd/</a> </pre> <h2>Author</h2> <p> Please contact TJ Saunders <tj <i>at</i> castaglia.org> with any questions, concerns, or suggestions regarding this module. 
<h2>Directives</h2> <ul> <li><a href="#SFTPPAMEngine">SFTPPAMEngine</a> <li><a href="#SFTPPAMOptions">SFTPPAMOptions</a> <li><a href="#SFTPPAMServiceName">SFTPPAMServiceName</a> </ul> <hr> <h2><a name="SFTPPAMEngine">SFTPPAMEngine</a></h2> <strong>Syntax:</strong> SFTPPAMEngine <em>on|off</em><br> <strong>Default:</strong> Off<br> <strong>Context:</strong> "server config", <VirtualHost>, <Global><br> <strong>Module:</strong> mod_sftp_pam<br> <strong>Compatibility:</strong> 1.3.2rc2 and later <p> The <code>SFTPPAMEngine</code> directive toggles the use of the PAM library for supporting a keyboard-interactive authentication mechanism for SSH2 logins. By default <code>mod_sftp_pam</code> is disabled for both the main server and all configured virtual hosts. <p> <hr> <h2><a name="SFTPPAMOptions">SFTPPAMOptions</a></h2> <strong>Syntax:</strong> SFTPPAMOptions <em>opt1 opt2 ... optN</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> "server config", <VirtualHost>, <Global><br> <strong>Module:</strong> mod_sftp_pam<br> <strong>Compatibility:</strong> 1.3.2rc2 and later <p> The <code>SFTPPAMOptions</code> directive is used to configure various optional behaviors of <code>mod_sftp_pam</code>; it is directly analogous to <code>mod_auth_pam</code>'s <code>AuthPAMOptions</code> directive, and supports the exact same range of options. See the <code>mod_auth_pam</code> documentation for more information. <p> <hr> <h2><a name="SFTPPAMServiceName">SFTPPAMServiceName</a></h2> <strong>Syntax:</strong> SFTPPAMServiceName <em>service</em><br> <strong>Default:</strong> SFTPPAMServiceName sshd<br> <strong>Context:</strong> "server config", <VirtualHost>, <Global><br> <strong>Module:</strong> mod_sftp_pam<br> <strong>Compatibility:</strong> 1.3.2rc2 and later <p> The <code>SFTPPAMServiceName</code> directive is used to specify the name of the service used when performing the PAM check; PAM configurations can vary depending on the service.
By default, the "sshd" service is used. <p> Here's an example of changing the <em>service</em> used: <pre> <IfModule mod_sftp_pam.c> SFTPPAMEngine on SFTPPAMServiceName ftpd </IfModule> </pre> <p> The <code>SFTPPAMServiceName</code> directive is directly analogous to <code>mod_auth_pam</code>'s <code>AuthPAMConfig</code> directive. <p> <hr> <h2><a name="Installation">Installation</a></h2> To install <code>mod_sftp_pam</code>, copy the <code>mod_sftp_pam.c</code> file into: <pre> <i>proftpd-dir</i>/contrib/ </pre> after unpacking the latest proftpd-1.3.<i>x</i> source code. Then follow the usual steps for using third-party modules in proftpd, making sure to include the <code>mod_sftp</code> module, which <code>mod_sftp_pam</code> requires: <pre> ./configure --with-modules=mod_sftp:mod_sftp_pam ... make make install </pre> <p> <hr><br> <h2><a name="Usage">Usage</a></h2> To use <code>mod_sftp_pam</code>, simply enable the module, and configure it to use the correct PAM service name, <i>e.g.</i>: <pre> <IfModule mod_sftp_pam.c> SFTPPAMEngine on SFTPPAMServiceName sftp </IfModule> </pre> There is no requirement that <code>mod_sftp_pam</code> use the same PAM service name as the <code>mod_auth_pam</code> module; this allows you to have different PAM configurations for FTP versus SSH2 logins. 
<p> <hr><br> Author: <i>$Author: castaglia $</i><br> Last Updated: <i>$Date: 2010/02/24 19:08:55 $</i><br> <br><hr> <font size=2><b><i> © Copyright 2008 TJ Saunders<br> All Rights Reserved<br> </i></b></font> <hr><br> </body> </html> --- NEW FILE --- <!-- $Id: mod_sftp_sql.html,v 1.1 2010/02/24 19:08:55 castaglia Exp $ --> <!-- $Source: /cvsroot/pdd/www.proftpd.org/docs/contrib/mod_sftp_sql.html,v $ --> <html> <head> <title>ProFTPD module mod_sftp_sql</title> </head> <body bgcolor=white> <hr> <center> <h2><b>ProFTPD module <code>mod_sftp_sql</code></b></h2> </center> <hr><br> <p> The <a href="http://www.castaglia.org/proftpd/modules/mod_sftp.html"><code>mod_sftp</code></a> module for ProFTPD can support different storage formats for its user- and host-based authorized keys. By default, the <code>mod_sftp</code> module supports storing authorized keys in flat files. This <code>mod_sftp_sql</code> module allows for authorized SSH keys to be stored in SQL tables. <p> This module is contained in the <code>mod_sftp_sql.c</code> file for ProFTPD 1.3.<i>x</i>, and is not compiled by default. Installation instructions are discussed <a href="#Installation">here</a>. Examples of how to use the <code>mod_sftp_sql</code> module are available <a href="#Usage">here</a>. <p> The most current version of <code>mod_sftp_sql</code> can be found at: <pre> <a href="http://www.castaglia.org/proftpd/">http://www.castaglia.org/proftpd/</a> </pre> <h2>Author</h2> <p> Please contact TJ Saunders <tj <i>at</i> castaglia.org> with any questions, concerns, or suggestions regarding this module. <p> <hr> <h2><a name="Installation">Installation</a></h2> To install <code>mod_sftp_sql</code>, copy the <code>mod_sftp_sql.c</code> file into: <pre> <i>proftpd-dir</i>/contrib/ </pre> after unpacking the latest proftpd-1.3.<i>x</i> source code.
Then follow the usual steps for using third-party modules in proftpd, making sure to include the <code>mod_sftp</code> and <code>mod_sql</code> modules, which <code>mod_sftp_sql</code> requires. For example, if you use MySQL as your SQL database, then you might use: <pre> ./configure --with-modules=mod_sql:mod_sql_mysql:mod_sftp:mod_sftp_sql ... make make install </pre> <p> <hr><br> <h2><a name="Usage">Usage</a></h2> <p> The <code>mod_sftp_sql</code> module works by using <code>mod_sql</code>'s <code>SQLNamedQuery</code> ability to define a SQL <code>SELECT</code> statement which returns the requested key. Thus the <code>mod_sftp_sql</code> module has no configuration directives of its own. <p> To help demonstrate, see the example configuration below: <pre> <IfModule mod_sql.c> # Other mod_sql configuration here # Define a SELECT statement to retrieve users' authorized SSH keys SQLNamedQuery get-user-authorized-keys SELECT "key FROM sftpuserkeys WHERE name='%U'" # Define a SELECT statement to retrieve hosts' authorized SSH keys SQLNamedQuery get-host-authorized-keys SELECT "key FROM sftphostkeys WHERE host='%{0}'" </IfModule> <IfModule mod_sftp.c> SFTPEngine on SFTPLog /path/to/sftp.log # Host keys, for server host authentication SFTPHostKey /etc/ssh_host_dsa_key SFTPHostKey /etc/ssh_host_rsa_key <IfModule mod_sftp_sql.c> # Instead of using a file-based key store, we tell mod_sftp to use # the SQL-based key store provided by mod_sftp_sql SFTPAuthorizedUserKeys sql:/get-user-authorized-keys SFTPAuthorizedHostKeys sql:/get-host-authorized-keys </IfModule> </IfModule> </pre> <p> What should the schema be, for the table which holds these authorized keys? The <b>required</b> columns are one for the key (as a single base64-encoded string) and one for the name of the entity owning that key, <i>e.g.</i> the user name or FQDN (or IP address) of the host. These columns can be added to existing tables you might have, or be part of a new table. 
<p> For example, using SQLite, you could do: <pre> # sqlite3 sftp.db sqlite> CREATE TABLE sftpuserkeys ( sqlite> name TEXT NOT NULL, sqlite> key BLOB NOT NULL sqlite> ); sqlite> CREATE INDEX sftpuserkeys_idx ON sftpuserkeys (name); sqlite> CREATE TABLE sftphostkeys ( sqlite> host TEXT NOT NULL, sqlite> key BLOB NOT NULL sqlite> ); sqlite> CREATE INDEX sftphostkeys_idx ON sftphostkeys (host); </pre> and then configure <code>mod_sql</code> to use that <code>sftp.db</code> database file. The indices are a very good idea, especially if you have many rows and/or users. And for good data hygiene, adding a foreign key constraint on the <code>sftpuserkeys.name</code> column to your normal users table is recommended. <p> An example MySQL schema looks like (note that <code>key</code> is a reserved word in MySQL, so the column name must be quoted with backticks): <pre> CREATE TABLE sftpuserkeys ( name VARCHAR(255) NOT NULL, `key` VARCHAR(255) NOT NULL ); CREATE INDEX sftpuserkeys_idx ON sftpuserkeys (name); CREATE TABLE sftphostkeys ( host VARCHAR(255) NOT NULL, `key` VARCHAR(255) NOT NULL ); CREATE INDEX sftphostkeys_idx ON sftphostkeys (host); </pre> <p> Which leads to the next question: how can I transfer existing authorized SSH keys from their current flat files into the SQL tables? First, you need to make sure that the key is in the RFC4716 format, using: <pre> # ssh-keygen -e -f /path/to/key.pub </pre> Then simply add the output data to your SQL table (<i>e.g.</i> to the <code>sftpuserkeys.key</code> column in the above example schema). <p> Other databases (<i>e.g.</i> MySQL, Postgres, Oracle, <i>etc</i>) have bulk data loading tools which can also be used to load a CSV file containing keys into your SQL tables, for use via <code>mod_sftp_sql</code>.
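To show the migration step just described end to end, here is an added Python example (not part of mod_sftp_sql or ProFTPD): it converts an OpenSSH public-key line to the RFC 4716 text that ssh-keygen -e prints, checks that the key type embedded in the blob matches the declared one, and stores and retrieves the key through the SQLite schema above using bound parameters. The key bytes and the user name are constructed, not real key material.

```python
"""Convert OpenSSH public keys to RFC 4716 and load them into mod_sftp_sql tables.

Added example, not part of mod_sftp_sql or ProFTPD.  The key material and the
user name are constructed; the table layout is the SQLite schema from the docs.
"""
import base64
import sqlite3
import struct
import textwrap

SCHEMA = """
CREATE TABLE sftpuserkeys (name TEXT NOT NULL, key BLOB NOT NULL);
CREATE INDEX sftpuserkeys_idx ON sftpuserkeys (name);
"""


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed ssh-ed25519 blob (type string + 32 placeholder bytes); not a real key.
_FAKE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(_FAKE_BLOB).decode() + " alice@example.org"


def parse_openssh_line(line: str):
    """Split 'type base64 [comment]' and check that the base64 really decodes and
    that the key type embedded in the blob matches the declared one.  Lines with
    a leading options field (e.g. 'no-pty ssh-rsa ...') are not handled here."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + tlen].decode("ascii", "replace")
    if embedded != keytype:
        raise ValueError(f"declared type {keytype!r} but blob says {embedded!r}")
    return keytype, b64, comment


def to_rfc4716(line: str) -> str:
    """Produce the text 'ssh-keygen -e -f key.pub' would print for this key."""
    _, b64, comment = parse_openssh_line(line)
    out = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        out.append(f'Comment: "{comment}"')
    out.extend(textwrap.wrap(b64, 72))  # RFC 4716 body lines are at most 72 chars
    out.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(out) + "\n"


def import_authorized_keys(conn, name: str, text: str) -> int:
    """Store each key line of one user's flat file.  Bound parameters, never
    string concatenation, so a hostile name or comment cannot alter the SQL."""
    count = 0
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        conn.execute("INSERT INTO sftpuserkeys (name, key) VALUES (?, ?)",
                     (name, to_rfc4716(line)))
        count += 1
    conn.commit()
    return count


def lookup_user_keys(conn, name: str) -> list:
    """The docs' get-user-authorized-keys SELECT, with a bound parameter for %U."""
    rows = conn.execute("SELECT key FROM sftpuserkeys WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo() -> list:
    """Load a constructed authorized_keys file for 'alice' and read it back."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    flat_file = "# constructed authorized_keys for alice\n\n" + SAMPLE_LINE + "\n"
    import_authorized_keys(conn, "alice", flat_file)
    return lookup_user_keys(conn, "alice")


if __name__ == "__main__":
    for key in demo():
        print(key)
```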
<p> <hr><br> Author: <i>$Author: castaglia $</i><br> Last Updated: <i>$Date: 2010/02/24 19:08:55 $</i><br> <br><hr> <font size=2><b><i> © Copyright 2009-2010 TJ Saunders<br> All Rights Reserved<br> </i></b></font> <hr><br> </body> </html> --- NEW FILE --- <!-- $Id: mod_shaper.html,v 1.1 2010/02/24 19:08:55 castaglia Exp $ --> <!-- $Source: /cvsroot/pdd/www.proftpd.org/docs/contrib/mod_shaper.html,v $ --> <html> <head> <title>ProFTPD module mod_shaper</title> </head> <body bgcolor=white> <hr> <center> <h2><b>ProFTPD module <code>mod_shaper</code></b></h2> </center> <hr><br> <p> The <code>mod_shaper</code> module is designed to split overall rates, both download and upload, for the <code>proftpd</code> daemon among all connected FTP clients, shaping each session to use only a portion of the overall rate. <code>mod_shaper</code> shapes both <i>transmitted</i> traffic, <i>e.g.</i> bits being downloaded via the <code>RETR</code> command, and <i>received</i> traffic, <i>e.g.</i> bits being uploaded via the <code>APPE</code>, <code>STOR</code>, and <code>STOU</code> commands. <p> This module is contained in the <code>mod_shaper.c</code> file for ProFTPD 1.2.<i>x</i>/1.3.<i>x</i>, and is not compiled by default. Installation instructions are discussed <a href="#Installation">here</a>. Detailed documentation on <code>mod_shaper</code> usage can be found <a href="#Usage">here</a>. <p> The most current version of <code>mod_shaper</code> is distributed with the ProFTPD source code. <h2>Author</h2> <p> Please contact TJ Saunders <tj <i>at</i> castaglia.org> with any questions, concerns, or suggestions regarding this module. <h2>Directives</h2> <ul> <li><a href="#ShaperAll">ShaperAll</a> <li><a href="#ShaperControlsACLs">ShaperControlsACLs</a> <li><a href="#ShaperEngine">ShaperEngine</a> ... [truncated message content]
Update of /cvsroot/pdd/www.proftpd.org/docs/howto In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv29868/howto Modified Files: Compiling.html ConfigurationTricks.html DisplayFiles.html Logging.html SQL.html Upgrade.html Log Message: Updating howto docs from CVS. Index: Compiling.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/Compiling.html,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -r1.2 -r1.3 *** Compiling.html 5 Jan 2010 16:56:41 -0000 1.2 --- Compiling.html 24 Feb 2010 18:55:57 -0000 1.3 *************** *** 649,652 **** --- 649,670 ---- <p> + <font color=red>Question</font>: Why do I get a configure error like this: + <pre> + configure: error: source file './modules/d_auth_pam.c' cannot be found -- aborting + </pre> + <font color=blue>Answer</font>: Notice how the name of the module reported + there is "d_auth_pam.c", rather than "mod_auth_pam.c"? If you see a mangled + module name like this, it probably means that your <code>--with-modules</code> + or <code>--with-shared</code> module lists contain a double colon, <i>e.g.</i>: + <pre> + # ./configure --with-modules=mod_sql<b>::</b>mod_sql_mysql:... + </pre> + or: + <pre> + # ./configure --with-shared=mod_sql<b>::</b>mod_sql_mysql:... + </pre> + <i>Use only a single colon between module names</i>; this should fix this error. + + <p> <font color=red>Question</font>: I can't seem to compile <code>mod_tls</code> <b>and</b> <code>mod_sql</code>. 
Using one or the other works (<i>i.e.</i> Index: ConfigurationTricks.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/ConfigurationTricks.html,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -r1.2 -r1.3 *** ConfigurationTricks.html 11 Oct 2007 18:13:33 -0000 1.2 --- ConfigurationTricks.html 24 Feb 2010 18:55:58 -0000 1.3 *************** *** 138,146 **** <p> Users who wish to have entire sections of configuration only apply to specific ! users, or groups, or even ! <a href="http://www.proftpd.org/docs/howto/Classes.html">classes</a> of ! clients really should be aware of the <a href="http://www.proftpd.org/docs/contrib/mod_ifsession.html"><code>mod_ifsession</code></a> module, and its ! very handy <code><IfUser></code>, <code><IfGroup></code>, and ! <code><IfClass></code> sections. <p> --- 138,146 ---- <p> Users who wish to have entire sections of configuration only apply to specific ! users, or groups, or even <a href="Classes.html">classes</a> of clients really ! should be aware of the ! <a href="../contrib/mod_ifsession.html"><code>mod_ifsession</code></a> module, ! and its very handy <code><IfUser></code>, <code><IfGroup></code>, ! and <code><IfClass></code> sections. 
<p> Index: DisplayFiles.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/DisplayFiles.html,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -r1.1 -r1.2 *** DisplayFiles.html 17 Aug 2007 00:11:26 -0000 1.1 --- DisplayFiles.html 24 Feb 2010 18:55:58 -0000 1.2 *************** *** 222,225 **** --- 222,235 ---- <td>The number of files transferred (uploaded and downloaded) in this session</td> </tr> + + <tr> + <td>%{env:<i>name</i>}</td> + <td>The value of the environment variable <i>name</i></td> + </tr> + + <tr> + <td>%{time:<i>format</i>}</td> + <td>Uses <i>format</i> (as per the <code>strftime(3)</code> function) to format a timestamp</td> + </tr> </table> Index: Logging.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/Logging.html,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -r1.1 -r1.2 *** Logging.html 17 Aug 2007 00:11:26 -0000 1.1 --- Logging.html 24 Feb 2010 18:55:58 -0000 1.2 *************** *** 29,43 **** is normally <code>root</code>. <b>Do not</b> give people write access to the directory where the logs are stored without being aware of the consequences: ! if the logs directory is writeable (by a non-<code>root</code> user), someone could replace a log file with a symlink to some other system file, and then <code>root</code> might overwrite that file with arbitrary data. If the log ! files themselves are writeable (by a non-<code>root</code> user), then someone may be able to overwrite the log itself with bogus data. <p> ! When opening log files, <code>proftpd</code> will by default error if the ! file being opened for logging is in a directory that does not exist, or ! is world-writeable. It will also, by default, error if the file given is ! 
a symlink; this symlink check can be configured via the <a href="http://www.proftpd.org/docs/directives/linked/config_ref_AllowLogSymlinks.html"><code>AllowLogSymlinks</code></a> directive. <p> --- 29,47 ---- is normally <code>root</code>. <b>Do not</b> give people write access to the directory where the logs are stored without being aware of the consequences: ! if the logs directory is writable (by a non-<code>root</code> user), someone could replace a log file with a symlink to some other system file, and then <code>root</code> might overwrite that file with arbitrary data. If the log ! files themselves are writable (by a non-<code>root</code> user), then someone may be able to overwrite the log itself with bogus data. <p> ! When opening log files, <code>proftpd</code> will by default log a warning if ! the file being opened for logging is in a directory that does not exist, or ! is world-writable. The log file will <b>not</b> be written in world-writable ! directories; there are no exceptions. (If you have configured log files in ! your <code>proftpd.conf</code> that are not appearing, check for the warnings ! about world-writable directories.) The <code>proftpd</code> process will also, ! by default, log a warning if the file given is a symlink; this symlink check ! can be configured via the <a href="http://www.proftpd.org/docs/directives/linked/config_ref_AllowLogSymlinks.html"><code>AllowLogSymlinks</code></a> directive. <p> Index: SQL.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/SQL.html,v retrieving revision 1.3 retrieving revision 1.4 diff -C2 -r1.3 -r1.4 *** SQL.html 25 Jun 2009 20:40:42 -0000 1.3 --- SQL.html 24 Feb 2010 18:55:58 -0000 1.4 *************** *** 520,523 **** --- 520,539 ---- <code>SQLAuthenticate</code> options as well. 
+ <p><a name="SQLEncryptedDBConn"></a> + <font color=red>Question</font>: How do I configure <code>mod_sql</code> so + that it will use encrypted connections (<i>e.g.</i> SSL/TLS) to the + backend database server?<br> + <font color=blue>Answer</font>: This sort of configuration depends on the + backend database server you are using. + + <p> + If you are using MySQL, then you can configure this in the "[client]" section + of your <code>my.cnf</code> configuration file. + + <p> + If you are using Postgres, then this will happen automatically, by default, + as long as your <code>libpq</code> Postgres client library has been + compiled with SSL support. + <p> <hr> Index: Upgrade.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/Upgrade.html,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -r1.1 -r1.2 *** Upgrade.html 17 Aug 2007 00:11:26 -0000 1.1 --- Upgrade.html 24 Feb 2010 18:55:58 -0000 1.2 *************** *** 36,40 **** ./configure .. make ! ./proftpd -t -d9 -c /path/to/proftpd.conf </pre> The "<code>./proftpd</code>" means to use the new --- 36,40 ---- ./configure .. make ! ./proftpd -t -d10 -c /path/to/proftpd.conf </pre> The "<code>./proftpd</code>" means to use the new *************** *** 48,52 **** the new <code>proftpd</code> binary reports a successful syntax check: <pre> ! ./proftpd -t -d9 -c /path/to/proftpd.conf.new </pre> --- 48,52 ---- the new <code>proftpd</code> binary reports a successful syntax check: <pre> ! ./proftpd -t -d10 -c /path/to/proftpd.conf.new </pre> |
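Review bot: In the Logging.html hunk the new text settles only one of the two cases it warns about: it says a log file "will not be written in world-writable directories; there are no exceptions", but for the other case, a directory that does not exist, it never says whether the file is likewise skipped or the directory is created. Suggest stating the outcome for both cases in the same sentence, and saying where the warning itself is emitted, since the intended log file is precisely what cannot be written; otherwise "check for the warnings about world-writable directories" does not tell the admin where to look.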
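Review bot: The SQL.html FAQ answer leaves the encrypted-connection question half answered: for MySQL it points at the "[client]" section of my.cnf without naming any option, and for Postgres it says encryption happens "automatically, by default" without saying whether the client silently falls back to a plaintext connection when the server has no SSL support, or how the admin can make encryption mandatory rather than opportunistic. Suggest naming the client-side settings for each backend and stating explicitly how to require (not merely allow) an encrypted connection, plus how to verify from the server side that the mod_sql connection actually is encrypted.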
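Review bot: The DisplayFiles.html hunk adds %{env:<i>name</i>} without saying which process's environment is consulted or what is substituted when the variable is unset, whereas the companion %{time:<i>format</i>} entry at least names strftime(3) as the reference. Suggest documenting both points for %{env:...}, since an admin may otherwise expect client-supplied values to be reachable through it.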
From: TJ S. <cas...@us...> - 2010-02-24 18:54:09
Update of /cvsroot/pdd/www.proftpd.org In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv23647 Modified Files: md5_pgp.epl index.epl Log Message: Updating website with news of release of 1.3.2e, 1.3.3. Index: md5_pgp.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/md5_pgp.epl,v retrieving revision 1.51 retrieving revision 1.52 diff -C2 -r1.51 -r1.52 *** md5_pgp.epl 13 Feb 2010 01:21:55 -0000 1.51 --- md5_pgp.epl 24 Feb 2010 18:20:37 -0000 1.52 *************** *** 9,16 **** <pre> ! 0941935e30199a3f22f7225fe76bc489 <a href="ftp://ftp.proftpd.org/distrib/sources/proftpd-1.3.2d.tar.bz2">proftpd-1.3.2d.tar.bz2</a> ! 50baf4f067379b527922c03ddf9d2d61 <a href="ftp://ftp.proftpd.org/distrib/sources/proftpd-1.3.2d.tar.gz">proftpd-1.3.2d.tar.gz</a> ! 926a56ee6f12be6d5e94cb189d9fac50 <a href="ftp://ftp.proftpd.org/distrib/sources/proftpd-1.3.3rc4.tar.bz2">proftpd-1.3.3rc4.tar.bz2</a> ! 73a7062239d6b3f0c437bdadd2b10add <a href="ftp://ftp.proftpd.org/distrib/sources/proftpd-1.3.3rc4.tar.gz">proftpd-1.3.3rc4.tar.gz</a> </pre> --- 9,16 ---- <pre> ! 018e0eb1757d9cea2a0e17f2c9b1ca2d <a href="ftp://ftp.proftpd.org/distrib/sources/proftpd-1.3.2e.tar.bz2">proftpd-1.3.2e.tar.bz2</a> ! 4ecb82cb1050c0e897d5343f6d2cc1ed <a href="ftp://ftp.proftpd.org/distrib/sources/proftpd-1.3.2e.tar.gz">proftpd-1.3.2e.tar.gz</a> ! 3951244f1940f0a40e8af142a9cf67fe <a href="ftp://ftp.proftpd.org/distrib/sources/proftpd-1.3.3.tar.bz2">proftpd-1.3.3.tar.bz2</a> ! 97ad29f31f4fe633a9f8d021bab2df20 <a href="ftp://ftp.proftpd.org/distrib/sources/proftpd-1.3.3.tar.gz">proftpd-1.3.3.tar.gz</a> </pre> *************** *** 18,61 **** <pre> ! <strong>proftpd-1.3.2d.tar.bz2.asc</strong> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) ! iEYEABECAAYFAkt1+VAACgkQt46JP6URl2oOcQCeOFS7vOdQbvQKctWDRdqj9o3r ! 5o4AoKFEE/C/XjLg16ZBnwKkvqD2nUZr ! =4Hn9 -----END PGP SIGNATURE----- </pre> <pre> ! 
<strong>proftpd-1.3.2d.tar.gz.asc</strong> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) ! iEYEABECAAYFAkt1+VgACgkQt46JP6URl2p62ACfSCrYaXGu3On3Y3K3jlDlPIav ! 6bYAn1EtyJp0oxxuoD33JkGge33huX25 ! =RrWx -----END PGP SIGNATURE----- </pre> <pre> ! <strong>proftpd-1.3.3rc4.tar.bz2.asc</strong> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) ! iEYEABECAAYFAkt1/YoACgkQt46JP6URl2riEwCfTBGRX0VBFDE7kwrrEDVZX7Wz ! BlQAn1cL4MJJXJySsVvN41xw9HA4W8cE ! =MxYg -----END PGP SIGNATURE----- </pre> <pre> ! <strong>proftpd-1.3.3rc4.tar.gz.asc</strong> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) ! iEYEABECAAYFAkt1/Y8ACgkQt46JP6URl2q8uwCeJar3kWH2GeFzrUiVj5/Ie8vS ! 4MUAn1ZOdQ/tcdRh5qZ4FUZDs0F/5tjs ! =bqAn -----END PGP SIGNATURE----- </pre> --- 18,61 ---- <pre> ! <strong>proftpd-1.3.2e.tar.bz2.asc</strong> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) ! iEYEABECAAYFAkuFYtsACgkQt46JP6URl2rqVACgzefr58XHVoh2ARERbkW5qPzb ! Qj4AoOwwH55FlS7OM8sBjELT0OhrN0jQ ! =E6hR -----END PGP SIGNATURE----- </pre> <pre> ! <strong>proftpd-1.3.2e.tar.gz.asc</strong> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) ! iEYEABECAAYFAkuFYuAACgkQt46JP6URl2pTVQCeJ7HM7ltLwJwb4TQ3AwT9j36n ! /ywAn3rB6HRVDGTF2WuOJgn/dss7VWeV ! =G553 -----END PGP SIGNATURE----- </pre> <pre> ! <strong>proftpd-1.3.3.tar.bz2.asc</strong> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) ! iEYEABECAAYFAkuFajoACgkQt46JP6URl2ofMgCgwRGr6uIeypVlmuem8/Agxc/Q ! L9QAn0fNQ6qzt3Th1MLHI6CEobkUvFCA ! =kRcc -----END PGP SIGNATURE----- </pre> <pre> ! <strong>proftpd-1.3.3.tar.gz.asc</strong> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) ! iEYEABECAAYFAkuFakAACgkQt46JP6URl2pgqwCfRBdul/Rt6REHJ6fqVBBhinmm ! mwQAn1LtacIL9TEj+fRc1zICa9jD1/+7 ! 
=PNjF -----END PGP SIGNATURE----- </pre> Index: index.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/index.epl,v retrieving revision 1.106 retrieving revision 1.107 diff -C2 -r1.106 -r1.107 *** index.epl 13 Feb 2010 01:21:55 -0000 1.106 --- index.epl 24 Feb 2010 18:20:37 -0000 1.107 *************** *** 4,7 **** --- 4,20 ---- #include "header.epl" + <h1>1.3.2e, 1.3.3 released</h1> + [<i>24/Feb/2010</i>] + <p>The ProFTPD Project team is pleased to release 1.3.2e to the community. + This is a maintenance release, containing fixes for bugs found in the 1.3.2 + in the 1.3.2 release. The <a href="docs/RELEASE_NOTES-1.3.2e">RELEASE_NOTES</a> + and <a href="docs/NEWS-1.3.2e">NEWS</a> files contain the full details.</p> + Note that this will be the last maintenance release from the 1.3.2 branch. + + <p>We are also happy to release 1.3.3 to the community. This is the stable + release of the 1.3.3 branch, and contains minor additional fixes. The + <a href="docs/RELEASE_NOTES-1.3.3">RELEASE_NOTES</a> + and <a href="docs/NEWS-1.3.3">NEWS</a> files contain the full details.</p> + <h1>1.3.2d, 1.3.3rc4 released</h1> [<i>12/Feb/2010</i>] *************** *** 13,17 **** <p>We are also glad to release 1.3.3rc4 to the community. This is the fourth release candidate of the 1.3.3 development cycle, and contains fixes ! mod_tls and mod_sftp build errors, memory leaks, and segfaults. The <a href="docs/RELEASE_NOTES-1.3.3rc4">RELEASE_NOTES</a> and <a href="docs/NEWS-1.3.3rc4">NEWS</a> files contain the full details.</p> --- 26,30 ---- <p>We are also glad to release 1.3.3rc4 to the community. This is the fourth release candidate of the 1.3.3 development cycle, and contains fixes ! for mod_tls and mod_sftp build errors, memory leaks, and segfaults. 
The <a href="docs/RELEASE_NOTES-1.3.3rc4">RELEASE_NOTES</a> and <a href="docs/NEWS-1.3.3rc4">NEWS</a> files contain the full details.</p> *************** *** 68,102 **** <a href="docs/NEWS-1.3.2">NEWS</a> files contain the full details.</p> - <h1>1.3.2rc4 released</h1> - [<i>23/Jan/2009</i>] - <p>The ProFTPD Project team is pleased to release 1.3.2rc4 to the community. - This is primarily a bugfix release. The - <a href="docs/RELEASE_NOTES-1.3.2rc4">RELEASE_NOTES</a> and - <a href="docs/NEWS-1.3.2rc4">NEWS</a> files contain the full details.</p> - - <h1>1.3.2rc3 released</h1> - [<i>20/Nov/2008</i>] - <p>The ProFTPD Project team is pleased to release 1.3.2rc3 to the community. - Highlights include several minor segfaults fixed, and better handling - of aborted data transfers. Please read the - <a href="docs/RELEASE_NOTES-1.3.2rc3">RELEASE_NOTES</a> and - <a href="docs/NEWS-1.3.2rc3">NEWS</a> files for the full details.</p> - - <h1>1.3.2rc2 released</h1> - [<i>17/Sep/2008</i>] - <p>The ProFTPD Project team is pleased to release 1.3.2rc2 to the community. - Highlights include fixed SSL/TLS session shutdowns, a new <code>prxs</code> - tool for building and installing third-party modules, a new Chinese - translation, and many bugfixes. Please read the - <a href="docs/RELEASE_NOTES-1.3.2rc2">RELEASE_NOTES</a> and - <a href="docs/NEWS-1.3.2rc2">NEWS</a> files for the full details.</p> - - <h1>1.3.2rc1 released</h1> - [<i>15/Apr/2008</i>] - <p>The ProFTPD Project team is pleased to release 1.3.2rc1 to the community. - Highlights include support for the MLST/MLSD commands, FIPS and OCSP support - in mod_tls, a new Italian translation, and many bugfixes. Please read the - <a href="docs/RELEASE_NOTES-1.3.2rc1">RELEASE_NOTES</a> and - <a href="docs/NEWS-1.3.2rc1">NEWS</a> files for the full details.</p> - #include "footer.epl" --- 81,83 ---- |
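Review bot: In the index.epl hunk the new 1.3.2e paragraph reads "fixes for bugs found in the 1.3.2 in the 1.3.2 release" (the phrase is duplicated), and the sentence "Note that this will be the last maintenance release from the 1.3.2 branch." is placed after the closing </p>, outside any paragraph. Suggest dropping the repeated words and moving that sentence inside the <p> or into a <p> of its own.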
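Review bot: The md5_pgp.epl hunk publishes new MD5 sums and detached PGP signatures for the 1.3.2e and 1.3.3 tarballs, but nothing on the page identifies the signing key (key id or fingerprint) a downloader should expect, so the only key a reader can check against is whatever key the signature itself names. Suggest adding the release-signing key fingerprint next to the signatures, and wording the page so that the signatures, not the MD5 sums, are presented as the authenticity check; the sums on their own are only as trustworthy as this page.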
From: TJ S. <cas...@us...> - 2010-02-24 18:54:04
Update of /cvsroot/pdd/www.proftpd.org/include In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv23647/include Modified Files: header.epl Log Message: Updating website with news of release of 1.3.2e, 1.3.3. Index: header.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/include/header.epl,v retrieving revision 1.40 retrieving revision 1.41 diff -C2 -r1.40 -r1.41 *** header.epl 13 Feb 2010 01:21:55 -0000 1.40 --- header.epl 24 Feb 2010 18:20:37 -0000 1.41 *************** *** 18,38 **** <div id="menu"> <h1>Current Versions</h1> ! Stable: <strong>1.3.2d</strong> <div class="indent"> ! <span class="nowrap">[ <a href="/docs/RELEASE_NOTES-1.3.2d">RELEASE_NOTES</a> ]</span> </div> <div class="indent"> ! <span class="nowrap">[ <a href="/docs/NEWS-1.3.2d">NEWS</a> ]</span> ! <span class="nowrap">[ <a href="ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.2d.tar.gz">gz</a> ]</span> ! <span class="nowrap">[ <a href="ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.2d.tar.bz2">bz2</a> ]</span> </div> ! Release Candidate: <strong>1.3.3rc4</strong> <div class="indent"> - <span class="nowrap">[ <a href="/docs/RELEASE_NOTES-1.3.3rc4">RELEASE_NOTES</a> ]</span> - </div> - <div class="indent"> - <span class="nowrap">[ <a href="/docs/NEWS-1.3.3rc4">NEWS</a> ]</span> - <span class="nowrap">[ <a href="ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.3rc4.tar.gz">gz</a> ]</span> - <span class="nowrap">[ <a href="ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.3rc4.tar.bz2">bz2</a> ]</span> </div> --- 18,32 ---- <div id="menu"> <h1>Current Versions</h1> ! Stable: <strong>1.3.3</strong> <div class="indent"> ! <span class="nowrap">[ <a href="/docs/RELEASE_NOTES-1.3.3">RELEASE_NOTES</a> ]</span> </div> <div class="indent"> ! <span class="nowrap">[ <a href="/docs/NEWS-1.3.3">NEWS</a> ]</span> ! <span class="nowrap">[ <a href="ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.3.tar.gz">gz</a> ]</span> ! 
<span class="nowrap">[ <a href="ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.3.tar.bz2">bz2</a> ]</span> </div> ! Release Candidate: <strong>None</strong> <div class="indent"> </div> *************** *** 91,95 **** <img src="http://sflogo.sourceforge.net/sflogo.php?group_id=17793&type=10" width="80" height="15" border="0" alt="Get ProFTPD Server Software at SourceForge.net. Fast, secure and Free Open Source software downloads" /> </a> ! <p>Copyright © 1999, 2000-9, The ProFTPD Project.</p> </div> </div> --- 85,89 ---- <img src="http://sflogo.sourceforge.net/sflogo.php?group_id=17793&type=10" width="80" height="15" border="0" alt="Get ProFTPD Server Software at SourceForge.net. Fast, secure and Free Open Source software downloads" /> </a> ! <p>Copyright © 1999, 2000-10, The ProFTPD Project.</p> </div> </div> |
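Review bot: The header.epl hunk links the 1.3.3 tarballs under ftp://ftp.proftpd.org/distrib/source/ while md5_pgp.epl in the same commit (earlier in this thread) links the same files under distrib/sources/; one of the two paths is wrong, so check which directory exists on the FTP server and make both files agree. Also, now that the menu reads "Release Candidate: <strong>None</strong>", the empty <div class="indent"> </div> left behind can be removed.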
From: TJ S. <cas...@us...> - 2010-02-24 18:49:31
Update of /cvsroot/pdd/www.proftpd.org/docs/modules In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv28772/modules Modified Files: mod_cap.html mod_delay.html Log Message: Updating module docs from CVS. Index: mod_cap.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/modules/mod_cap.html,v retrieving revision 1.3 retrieving revision 1.4 diff -C2 -r1.3 -r1.4 *** mod_cap.html 5 Feb 2009 21:21:45 -0000 1.3 --- mod_cap.html 24 Feb 2010 18:49:22 -0000 1.4 *************** *** 115,119 **** <p> ! By default, <code>mod_cap</code> removes all but two capabilities from the session-handling process: <code>CAP_NET_BIND_SERVICE</code>, for binding to ports lower than 1024 (required for active data transfers), and --- 115,119 ---- <p> ! By default, <code>mod_cap</code> removes all but a few capabilities from the session-handling process: <code>CAP_NET_BIND_SERVICE</code>, for binding to ports lower than 1024 (required for active data transfers), and *************** *** 122,132 **** necessary if the <code>UserOwner</code> configuration directive is in use; if not being used, the <code>CAP_CHOWN</code> capability is best removed. <p> To remove a capability, prefix the name with a '-'; to enable a capability, ! use '+'. This directive only supports the following capabilities: ! <code>CAP_CHOWN</code>, <code>CAP_DAC_OVERRIDE</code> (override all directory ! access controls), and <code>CAP_DAC_READ_SEARCH</code> (allow read and search ! directory access). <p> --- 122,138 ---- necessary if the <code>UserOwner</code> configuration directive is in use; if not being used, the <code>CAP_CHOWN</code> capability is best removed. + Additionally, <code>CAP_AUDIT_WRITE</code> is retained if + the <code>mod_auth_pam</code> module is present, as this capability is needed + for some PAM modules such as <code>pam_loginuid</code>. <p> To remove a capability, prefix the name with a '-'; to enable a capability, ! use '+'. 
This directive supports the following capabilities: ! <ul> ! <li><code>CAP_CHOWN</code> ! <li><code>CAP_DAC_OVERRIDE</code> (override all directory access controls) ! <li><code>CAP_DAC_READ_SEARCH</code> (allow read and search directory access) ! <li><code>CAP_FOWNER</code> ! </ul> <p> *************** *** 135,139 **** <IfModule mod_cap.c> CapabilitiesEngine on ! CapabilitiesSet -CAP_CHOWN +CAP_DAC_READ_SEARCH </IfModule> </pre> --- 141,145 ---- <IfModule mod_cap.c> CapabilitiesEngine on ! CapabilitiesSet -CAP_CHOWN +CAP_DAC_READ_SEARCH +CAP_FOWNER </IfModule> </pre> *************** *** 168,171 **** --- 174,199 ---- <p> + <font color=red>Question</font>: What does the following mean? + <pre> + chown() as root failed: Operation not permitted + </pre> + <font color=blue>Answer</font>: The purpose of the <code>mod_cap</code> + module is to restrict the capabilities of the all-powerful <code>root</code> + user. Thus when <code>mod_cap</code> is in effect, operations like + <code>chown()</code> are restricted. + + <p> + The message above usually happens when your configuration uses the + <code>UserOwner</code> or <code>GroupOwner</code> configuration directives. + To enable those directives to function and still use <code>mod_cap</code>, + you will need to use a configuration such as: + <pre> + <IfModule mod_cap.c> + # Allow root to use chown(2) + CapabilitiesSet -CAP_CHOWN + </IfModule> + </pre> + + <p> <hr><br> Author: <i>$Author$</i><br> *************** *** 174,178 **** <font size=2><b><i> ! © Copyright 2000-2008 TJ Saunders<br> All Rights Reserved<br> </i></b></font> --- 202,206 ---- <font size=2><b><i> ! 
© Copyright 2000-2009 TJ Saunders<br> All Rights Reserved<br> </i></b></font> Index: mod_delay.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/modules/mod_delay.html,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -r1.2 -r1.3 *** mod_delay.html 1 Oct 2007 15:15:38 -0000 1.2 --- mod_delay.html 24 Feb 2010 18:49:22 -0000 1.3 *************** *** 197,202 **** if the timing information leak is not of concern for your FTP site, this is the recommended approach. Second, you can use the ! <a href="http://www.proftpd.org/docs/contrib/mod_ifsession.html"><code>mod_ifsession</code></a> module and its <code><IfClass></code> sections so that ! the <code>mod_delay</code> module applies only to certain DNS names and IP address ranges. For example: <pre> --- 197,203 ---- if the timing information leak is not of concern for your FTP site, this is the recommended approach. Second, you can use the ! <a href="../contrib/mod_ifsession.html"><code>mod_ifsession</code></a> module ! and its <code><IfClass></code> sections so that the ! <code>mod_delay</code> module applies only to certain DNS names and IP address ranges. For example: <pre> *************** *** 217,221 **** </IfModule> </pre> ! More information on defining classes can be found <a href="http://www.proftpd.org/docs/howto/Classes.html">here</a>. <p> --- 218,244 ---- </IfModule> </pre> ! More information on defining classes can be found <a href="../howto/Classes.html">here</a>. ! ! <p><a name="FAQ"> ! <b>Frequently Asked Questions</b><br> ! ! <p> ! <font color=red>Question</font>: My client times out, after a couple of minutes, ! after sending the <code>USER</code> command. After disabling <code>mod_delay</code>, the login succeeds quickly. Isn't this a bug in <code>mod_delay</code>?<br> ! <font color=blue>Answer</font>: No. ! ! <p> ! The <code>DelayTable</code> file can, over time, build up a store of long ! delay values. 
A series of logins which take a while (<i>e.g.</i> SSL/TLS ! handshakes over slow network connections) can cause this sort of behavior. ! You can delete the <code>DelayTable</code> file or use the <a href="#delay_reset"><code>delay reset</code></a> ftpdctl action to clear the stored data. ! ! <p> ! <font color=red>Question</font>: Shouldn't <code>mod_delay</code> have some ! sort of maximum delay value, so that it doesn't cause timeouts?<br> ! <font color=blue>Answer</font>: No. There is no single value, hardcoded ! or configurable, that will work well for all sites <i>and</i> achieve ! <code>mod_delay</code>'s purpose at the same time. What seems like a normal ! delay time for one site will be unacceptably long for another site. <p> *************** *** 233,237 **** <font size=2><b><i> ! © Copyright 2004-2007 TJ Saunders<br> All Rights Reserved<br> </i></b></font> --- 256,260 ---- <font size=2><b><i> ! © Copyright 2004-2009 TJ Saunders<br> All Rights Reserved<br> </i></b></font> |
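Review bot: The new FAQ answer in the mod_cap.html hunk is inverted: it says "To enable those directives to function" and comments "# Allow root to use chown(2)", yet the example is "CapabilitiesSet -CAP_CHOWN", and the same page states that a '-' prefix removes a capability while '+' enables it. The page also says CAP_CHOWN is retained by default and is only "best removed" when UserOwner is not in use, so an admin who gets "chown() as root failed: Operation not permitted" has presumably already removed it. The example should read "CapabilitiesSet +CAP_CHOWN", and the answer should say that the error means CAP_CHOWN was dropped from the set.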
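Review bot: In the mod_cap.html hunk that converts the supported-capability list into a <ul>, CAP_FOWNER is added without the parenthetical description the other entries carry, so the reader is not told what retaining or dropping it affects; suggest adding one, in the same style as "(override all directory access controls)". The same hunk also says the module now keeps "all but a few" capabilities instead of "all but two", and the CAP_AUDIT_WRITE sentence explains one of them, but the paragraph still does not enumerate the full retained set; a complete list would let admins verify the resulting capability set against what they expect.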
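Review bot: In the mod_delay.html FAQ hunk the anchor "<p><a name="FAQ">" is never closed, so the heading and everything after it is nested inside the link; close it immediately, as the SQL.html hunk in this thread does with "<a name="SQLEncryptedDBConn"></a>". On the content, the first answer's advice to delete the DelayTable file or run the "delay reset" ftpdctl action is the right operational fix, but it should add that this discards the stored data the module's delays are derived from, so the protection restarts from an empty table and is rebuilt from subsequent logins; stating that makes the trade-off explicit. Minor: both files set the copyright year to 2009 in a February 2010 commit.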
Update of /cvsroot/pdd/www.proftpd.org/docs In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv26624 Removed Files: NEWS-1.3.3rc1 NEWS-1.3.3rc2 NEWS-1.3.3rc3 RELEASE_NOTES-1.3.3rc1 RELEASE_NOTES-1.3.3rc2 RELEASE_NOTES-1.3.3rc3 Log Message: Removing old files. --- NEWS-1.3.3rc1 DELETED --- --- NEWS-1.3.3rc2 DELETED --- --- NEWS-1.3.3rc3 DELETED --- --- RELEASE_NOTES-1.3.3rc1 DELETED --- --- RELEASE_NOTES-1.3.3rc2 DELETED --- --- RELEASE_NOTES-1.3.3rc3 DELETED --- |
From: TJ S. <cas...@us...> - 2010-02-24 18:20:47
Update of /cvsroot/pdd/www.proftpd.org/docs In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv23647/docs Added Files: NEWS-1.3.2e NEWS-1.3.3 RELEASE_NOTES-1.3.2e RELEASE_NOTES-1.3.3 Log Message: Updating website with news of release of 1.3.2e, 1.3.3. --- NEW FILE --- $Id: NEWS-1.3.2e,v 1.1 2010/02/24 18:20:37 castaglia Exp $ ----------------------------------------------------------------------------- More details on the bugs listed below can be found by using the bug number indicated in the following URL: http://bugs.proftpd.org/show_bug.cgi?id=N where `N' is the bug number. ----------------------------------------------------------------------------- 1.3.2e - Released 24-Feb-2010 -------------------------------- - Bug 3342 - FEAT response contains LF without preceding CR. 1.3.2d - Released 12-Feb-2010 -------------------------------- - Bug 3358 - mod_tls doesn't compile with pre-0.9.7 openssl. - Bug 3370 - Lack of PID protection in ScoreboardFile. [...2017 lines suppressed...] - sendfile() deprecates politely on Linux 2.0.x. - AuthPAMAuthoritative now defaults to False. This should clear up any confusion on using PAM with AuthUserFile and friends. - Removed Bandwidth from the documentation. - Fixed a rare segfault in mod_auth. - Logging has changed slightly to be more informative and more consistent. All messages that get logged are now preceded with <virtualhost> (remote host[remote ip]). - mod_ldap for authentication against LDAP directories is now in place. - ftpwho/ftpcount -- a grammatical error corrected, and they now build as seperate binaries. - Fixed the 'no names, just UIDs' bug. - Added genuser.pl to facilitate AuthUserFile entry creation. - Umask now takes an optional second argument, specifying a directory umask. - Work around FreeBSD's broken setpassent(), and a new option to override this in fixed versions of FreeBSD's libc (--enable-force-setpassent). - Generate RPMs for both inetd and standalone versions of ProFTPD. 
- Added AuthUsingAlias to allow for more fine-grain control of anonymous logins. - Added support for 'TYPE L 8' and 'TYPE L 7' per RFC 959. --- NEW FILE --- $Id: NEWS-1.3.3,v 1.1 2010/02/24 18:20:37 castaglia Exp $ ----------------------------------------------------------------------------- More details on the bugs listed below can be found by using the bug number indicated in the following URL: http://bugs.proftpd.org/show_bug.cgi?id=N where `N' is the bug number. ----------------------------------------------------------------------------- 1.3.3 - Released 24-Feb-2010 -------------------------------- - Bug 3389 - Cannot create mod_ban whitelists using <Class> and <IfClass> sections. - Bug 3397 - HideFiles none does not work properly on a per-user basis. 1.3.3rc4 - Released 12-Feb-2010 -------------------------------- [...2205 lines suppressed...] - sendfile() deprecates politely on Linux 2.0.x. - AuthPAMAuthoritative now defaults to False. This should clear up any confusion on using PAM with AuthUserFile and friends. - Removed Bandwidth from the documentation. - Fixed a rare segfault in mod_auth. - Logging has changed slightly to be more informative and more consistent. All messages that get logged are now preceded with <virtualhost> (remote host[remote ip]). - mod_ldap for authentication against LDAP directories is now in place. - ftpwho/ftpcount -- a grammatical error corrected, and they now build as seperate binaries. - Fixed the 'no names, just UIDs' bug. - Added genuser.pl to facilitate AuthUserFile entry creation. - Umask now takes an optional second argument, specifying a directory umask. - Work around FreeBSD's broken setpassent(), and a new option to override this in fixed versions of FreeBSD's libc (--enable-force-setpassent). - Generate RPMs for both inetd and standalone versions of ProFTPD. - Added AuthUsingAlias to allow for more fine-grain control of anonymous logins. - Added support for 'TYPE L 8' and 'TYPE L 7' per RFC 959. 
--- NEW FILE --- 1.3.2 Release Notes ------------------------ This file contains a description of the major changes to ProFTPD for the 1.3.2 release cycle, from the 1.3.2rc1 release to the 1.3.2 maintenance releases. More information on these changes can be found in the NEWS and ChangeLog files. 1.3.2e (maintenance) --------------------- + Fixed FEAT response RFC compliance. 1.3.2d (maintenance) --------------------- + Fixed mod_tls compilation when using OpenSSL versions older than 0.9.7. + Fixed SSL/TLS (broken due to bad backport) + Fixed RADIUS authentication on 64-bit platforms. 1.3.2c (maintenance) --------------------- + Added Taiwan translation. + Added a workaround in mod_tls to deal with the vulnerability found in SSL/TLS protocol during renegotiation (CVE-2009-3555). Good descriptions of this vulnerability can be found here: http://extendedsubset.com/?p=8 http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html The workaround implemented in mod_tls (Bug#3324) is one of the suggested mitigation approaches: the server now refuses all client-initiated SSL/TLS session renegotiations. 1.3.2b (maintenance) --------------------- + Bug and regression fixes. 1.3.2a (maintenance) --------------------- + Added French, Bulgarian, Korean translations. + Various bug and regression fixes. 1.3.2 (stable) --------------- + Security fixes Fixed encoding-dependent SQL injection vulnerability in mod_sql_mysql and mod_sql_postgres modules. 1.3.2rc4 --------- + Fixed %f logging, HiddenStore and UserOwner not working (Bug#3137). + Added Russian translation. + New documentation: doc/howto/Compiling.html doc/howto/Rewrite.html doc/howto/Sendfile.html 1.3.2rc3 --------- + Fixed character set/encoding support on FreeBSD. + Fixed mod_sql authentication regression (Bug#2922) + Start of a regression testsuite. Currently have basic unit tests for most FTP commands, and a few of the configuration directives. See the Testing howto for more information. 
+ Fixed variable substitution in user/group names in SQL queries. + Lowered the default TimeoutLinger value from 180 secs to 30 secs, for better interoperability. Many FTP clients have a timeout of 60 secs, waiting for a response from the server, before the client closes the control connection. ProFTPD's lingering closes should thus not be longer than 60 secs, to avoid hitting those clients' timeout limit. + Fixed several issues related to aborting of downloads. + New documentation: doc/howto/Testing.html doc/howto/Translations.html 1.3.2rc2 --------- + Added Chinese translation. + Fixed handling of SSL/TLS session shutdowns on data connections. This issue was causing problems for users of recent FileZilla versions which insisted on proper SSL/TLS session shutdowns. + Fixed file descriptor leak when using syslog logging. + Fixed syslog logging on Mac OSX platforms. + Attempted to address the following message in system log files: warning: `proftpd' uses 32-bit capabilities (legacy support in use) by having mod_cap use the libcap version numbers provided by newer Linux kernels. See doc/modules/mod_cap.html for more details. + Added new `prxs' tool, for compiling and installing third-party modules without needing the proftpd source code. See doc/howto/DSO.html for more information. + Added sendfile support for Mac OSX 10.5. 1.3.2rc1 --------- + Added pkgconfig file As part of the process of installing proftpd from source, a proftpd.pc file, suitable for use by the common `pkg-config' tool, is provided. This proftpd.pc file is installed into the <install-dir>/lib/pkgconfig/ directory. See http://pkgconfig.freedesktop.org/ for more details. + IPv6 support is enabled by default. To disable at build time, use: ./configure --disable-ipv6 ... 
And to disable IPv6 support at runtime, use:

    UseIPv6 off

in your proftpd.conf

+ Changed command-line behavior:

  The -vv command-line option currently shows only the static modules, e.g.:

    - ProFTPD Version: 1.3.0 (stable)
    - Scoreboard Version: 01040002
    - Built: mar gen 2 10:57:47 CET 2007
    - Module: mod_core.c
    - Module: mod_xfer.c
    - Module: mod_auth_unix.c
    - Module: mod_auth_file.c
    ...

  Now, the -vv command-line option will show all modules, static *and*
  shared:

    ProFTPD Version: 1.3.0 (stable)
    Scoreboard Version: 01040002
    Built: Thu Jun 14 14:13:37 UTC 2007
    Loaded modules:
      mod_ifsession.c
      mod_tls/2.1.1
      mod_cap/1.0
      ...

  Note that the output format has changed slightly (no leading " - ").
  The -l command-line option can be used to list just the static modules.

  Also note that the order of the modules listed via -vv is the order in
  which the core proftpd engine calls each module, i.e. the modules are
  listed in module order.

+ New configuration directives:

  AuthPAMOptions
    Some PAM modules need the PAM_TTY item to be set; the mod_auth_pam
    module now sets the PAM_TTY item, unless the following configuration
    is used:

      AuthPAMOptions NoTTY

    This configuration should not be necessary, and is only supported as
    a safeguard.

  MaxTransfersPerHost
    This directive configures a limit on the maximum number of
    simultaneous data transfers (uploads/downloads) for a given host.

  MaxTransfersPerUser
    This directive configures a limit on the maximum number of
    simultaneous data transfers (uploads/downloads) for a given user name,
    regardless of the number of clients using that user name.

  TLSVerifyOrder
    This directive is part of the support for the Online Certificate
    Status Protocol (OCSP) in the mod_tls module. See
    doc/contrib/mod_tls.html#TLSVerifyOrder for details.

  TransferPriority
    This directive can be used to change the process priority while the
    session process is handling a data transfer. Using this directive,
    data transfers can be given lower/higher priorities than other
    processes on the system, depending on the site needs.

  UseEncoding
    The mod_lang module can now support encodings other than just UTF8
    for the control connection FTP commands and responses. See
    doc/modules/mod_lang.html#UseEncoding for additional information.

+ New contrib scripts:

  Added contrib/ftpmail, a Perl script which reads a TransferLog FIFO and
  sends automatic email notifications whenever uploads occur. See
  doc/contrib/ftpmail.html for more details.

+ Enhanced configuration directives:

  BanOnEvent ClientConnectRate
    Clients can now be banned if they connect too frequently; see
    doc/contrib/mod_ban.html#BanOnEvent

  LogFormat %f
    The %f LogFormat variable is now properly substituted for the RNFR,
    RNTO, SITE CHGRP, and SITE CHMOD commands.

  TimeoutIdle, TimeoutNoTransfer, TimeoutStalled
    These directives can now be used within <Anonymous> sections to
    specify different timeouts for anonymous sessions.

  TLSOptions EnableDiags
    The EnableDiags option configures mod_tls to be *much* more verbose,
    and to print diagnostics about the SSL/TLS protocol to the TLSLog.
    See doc/contrib/mod_tls.html#TLSOptions

  TLSRequired !data, ctrl+!data, auth+!data
    The various combinations for requiring SSL/TLS protection on control
    and data connections have increased. More details can be found here:
    doc/contrib/mod_tls.html#TLSRequired

+ Deprecated configuration directives

  AnonymousGroup
    This directive is NOT recommended, and relies on a "special dynamic
    configuration" which is very confusing to users. It will be removed
    in the 1.3.3 ProFTPD release cycle.

  UseUTF8
    This directive has been replaced by the UseEncoding directive.

+ New translations

  The FTP response messages used by proftpd have been translated into
  Italian. To use translations, compile proftpd using:

    ./configure --enable-nls ...

  This builds the mod_lang module, in addition to installing the
  translated message catalogs for proftpd's use. See
  doc/modules/mod_lang.html for more information.

+ New modules:

  mod_dynmasq
    Useful for sites using dynamic DNS and other similar services. This
    module automatically refreshes the IP address of the daemon, so that
    the correct address is communicated to clients, i.e. via the
    MasqueradeAddress directive. See the module documentation at:
    doc/contrib/mod_dynmasq.html

  mod_facts
    Implements the MLSD and MLST commands, as per RFC3659. Also provides
    the MFF and MFMT commands from:
      http://www.ietf.org/internet-drafts/draft-somers-ftp-mfxx-03.txt
    Module documentation is available for mod_facts at:
    doc/modules/mod_facts.html
    This module is compiled in by default.

  mod_ident
    The RFC1413 "identification protocol" lookup was separated out of the
    main proftpd code and into this mod_ident module. With this change,
    you can now choose to build proftpd without this support using:

      ./configure --disable-ident ..

    You can also choose to build mod_ident as a shared module, loadable
    as needed:

      ./configure --enable-dso --with-shared=mod_ident ...

    Module documentation is available for mod_ident at:
    doc/modules/mod_ident.html
    This module is compiled in by default.

  mod_sql_odbc
    This module is a mod_sql backend module which supports ODBC drivers.
    See doc/contrib/mod_sql_odbc.html for more information.

  mod_sql_sqlite
    This module is a mod_sql backend module which uses SQLite as its
    backend database. See doc/contrib/mod_sql_sqlite.html for details.

  mod_unique_id
    Generates a unique ID for every FTP session. This ID can be written
    to log files and stored in databases, for tracking all of the
    activity associated with a particular FTP session. See:
    doc/contrib/mod_unique_id.html

+ New documentation:

  doc/howto/ConfigurationTricks.html

+ Updated documentation:

  doc/howto/TLS.html
    Added instructions on how to use OpenSSL in FIPS mode; see
    doc/howto/TLS.html#TLSFIPS

Last Updated: $Date: 2010/02/24 18:20:37 $

--- NEW FILE ---

1.3.3 Release Notes
------------------------

This file contains a description of the major changes to ProFTPD for the
1.3.3 release cycle, from the 1.3.3rc1 release to the 1.3.3 maintenance
releases. More information on these changes can be found in the NEWS and
ChangeLog files.

1.3.3
---------

+ Fixed mod_ban whitelisting using mod_ifsession.
+ Fixed per-user/group/class "HideFiles none" configurations.

1.3.3rc4
---------

+ Fixed mod_tls compilation using OpenSSL installations older than 0.9.7.
+ Fixed mod_sftp compilation on AIX.
+ Fixed RADIUS authentication on 64-bit platforms.
+ Fixed memory leak in SCP downloads.

+ New configuration directives

  SQLPasswordUserSalt
    The SQLPasswordUserSalt directive can be used to configure per-user
    salt data to be added to the encrypted password for a user. The salt
    can be the user name, or it can be the result of a SQL query. More
    information can be found in
    doc/contrib/mod_sql_passwd.html#SQLPasswordUserSalt.

1.3.3rc3
---------

+ Added Taiwan translation.

+ Added support in mod_sftp for the following SFTP extensions:
    check-file
    copy-file
    vendor-id
    version-select
    pos...@op...
    fst...@op...
    st...@op...

+ Added a workaround in mod_tls to deal with the vulnerability found in
  the SSL/TLS protocol during renegotiation (CVE-2009-3555). Good
  descriptions of this vulnerability can be found here:

    http://extendedsubset.com/?p=8
    http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html

  The workaround implemented in mod_tls (Bug#3324) is one of the suggested
  mitigation approaches: the server now refuses all client-initiated
  SSL/TLS session renegotiations.

+ Updated the bundled libtool to 2.2.4 (plus patch) to deal with a libtool
  vulnerability (CVE-2009-3736).

+ Added support for SHA256 and SHA512 passwords to the mod_sql_passwd
  module.

+ New configuration directives

  SFTPExtensions
    The SFTPExtensions directive can be used to selectively enable/disable
    mod_sftp's support for specific SFTP extensions. See
    doc/contrib/mod_sftp.html#SFTPExtensions for more details.

+ Changed configuration directives

  CapabilitiesSet
    The CAP_FOWNER capability can now be explicitly requested when using
    the mod_cap module:

      <IfModule mod_cap.c>
        CapabilitiesSet +CAP_FOWNER
      </IfModule>

    For operations allowed on files, this capability overrides the
    restriction that the file owner ID must match the process user ID.

1.3.3rc2
---------

+ When handling .ftpaccess files, proftpd was merging them into the main
  configuration such that the .ftpaccess files' configurations would
  override the main configuration. This was never the intended behavior,
  and has been fixed (Bug#3279). However, this does mean that sites which
  use .ftpaccess files may see a change in the behavior of their proftpd.

+ Changed scoreboard format (Bug#3286); sites running a "ServerType inetd"
  server need to manually delete their old ScoreboardFile. Otherwise they
  will see "error opening scoreboard: bad version (too old)" errors.

+ Changed SQL connection policy (Bug#3290). Important for clients which
  connect but don't authenticate (e.g. mod_ban, mod_dnsbl, mod_wrap2_sql,
  etc. which will reject connected clients prior to authentication);
  saves on unnecessary database connections in such cases. For sites
  which require the old behavior, there is a new "PERCONNECTION"
  connection policy.

  NOTE: If you are using mod_sql for logging purposes only, e.g. you have
  the following in your mod_sql config:

    SQLEngine log

  then this connection policy change may affect you. If the database
  connection is opened after a chroot has occurred (via DefaultRoot or
  <Anonymous> login), the database connection may fail. And since now the
  connection is delayed until first use, and the first use for logging may
  occur after the chroot, the logging may fail. For such sites, then, you
  will need to use the "PERCONNECTION" connection policy explicitly.

+ Support for "implicit" FTPS. To enable this, use:

    TLSOptions UseImplicitSSL

  WARNING: Using this setting will cause mod_tls to handle ALL connections
  to the vhost as implicit FTPS connections. It is NOT possible to support
  both plain FTP (or explicit FTPS) clients AND implicit FTPS clients on
  the same address/port. Therefore this setting should ONLY ever be used
  in order to support braindead/broken FTPS clients, and then only for as
  long as it takes to fix/replace those broken clients. Note that
  "implicit" FTPS was explicitly DROPPED from the RFC which defines FTP
  over SSL/TLS; the only clients which use this feature are outdated
  clients based on older, now-invalidated versions of the specification.
  Please update your FTPS clients to one which uses explicit FTPS as soon
  as possible.

+ Re-enable turning off the Nagle algorithm; this drastically helps speed
  up transfers of multiple small files.

+ New modules

  mod_sql_passwd
    This module supports MD5 and SHA1 passwords, encoded using base64 or
    hex, from SQL tables. See doc/contrib/mod_sql_passwd.html for details.

+ New configuration directives

  AuthUnixOptions
    In Bug#1896, support for checking some AIX-specific functions for
    whether a login should be accepted was added; this happens only on AIX
    servers, of course. However, some AIX admins like to configure
    "rlogin=false", yet still want to allow FTP logins. To enable this
    specific behavior, a new AuthUnixOptions directive was added, with a
    setting which is only honored on AIX:

      AuthUnixOptions aixNoRLogin

    If this setting is used on any other server, it is silently ignored.
    Bug#3300 has the full details.

+ Changed configuration directives

  ExtendedLog
    You can now disable logging in an <Anonymous> section to an
    ExtendedLog which was opened outside of the <Anonymous> section, i.e.:

      ExtendedLog /path/to/ext.log ALL

      <Anonymous /path/to/anon>
        ...
        ExtendedLog /path/to/anon-ext.log ALL

        # Disable the logging to the higher-level ExtendedLog by
        # configuring again here, but changing the command class to 'NONE'
        ExtendedLog /path/to/ext.log NONE
        ...
      </Anonymous>

  HiddenStores
    The HiddenStores directive can now be used to customize and change the
    prefix which is prepended to the HiddenStore files. The default prefix
    is ".in.", but if you wish to use a different prefix for any reason,
    you can use something like:

      HiddenStores foo

    This will cause the prefix to be ".foo.".

  SQLOptions
    When the connection to the database is lost, mod_sql now will try only
    once to automatically reconnect (if such reconnect functionality is
    supported by the database, e.g. MySQL or Postgres). To disable this
    reconnect behavior, there is a new "noReconnect" SQLOptions setting:

      SQLOptions noReconnect

    See Bug#3270 for the full details of this behavior change. It should
    be transparent for most sites.

1.3.3rc1
---------

+ Added French, Bulgarian, Korean translations.

+ RPM 4.2 or later is required by the proftpd.spec file provided in the
  distribution.

+ If the --localstatedir configure option is used, proftpd's build system
  used to automatically append "/proftpd" to the configured path. This
  behavior has been fixed; proftpd's build system will now use the
  configured --localstatedir path as is. Note that this may cause issues
  if you have an existing build script for compiling proftpd; the
  expected locations of files under the --localstatedir path will change.

+ New command-line options:

  The -S, --serveraddr command-line option has been added. This option can
  be used to specify the IP address of the host machine. By default,
  proftpd attempts to resolve the host IP address by using DNS resolution
  of the hostname. However, in cases where DNS is not configured for the
  host machine, this approach does not work. To specify the desired IP
  address, use -S when starting proftpd, e.g.:

    /usr/local/sbin/proftpd -S 1.2.3.4 ...

  And if you want proftpd to listen on all interfaces, you can specify a
  wildcard socket using an IP address of 0.0.0.0:

    /usr/local/sbin/proftpd -S 0.0.0.0 ...

+ New modules:

  mod_exec
    This module enables execution of external scripts based on
    actions/events during a session. See doc/contrib/mod_exec.html for
    details.

  mod_sftp
    This module implements the SSH2, SFTP, and SCP protocols. See
    doc/contrib/mod_sftp.html for more information.

  mod_sftp_pam
    This module uses PAM to provide a 'keyboard-interactive' SSH2
    authentication method for mod_sftp. More information can be found in
    the documentation for mod_sftp_pam, in doc/contrib/mod_sftp_pam.html.

  mod_sftp_sql
    This module uses SQL (via mod_sql) for looking up authorized SSH2
    public keys for user and hostbased authentication. More information is
    available in doc/contrib/mod_sftp_sql.html.

  mod_shaper
    This module can be used to provide data transfer rate "shaping" across
    the entire server. See the documentation at
    doc/contrib/mod_shaper.html.

  mod_tls_shmcache
    This module provides an external SSL session cache using shared
    memory; see the TLSSessionCache configuration directive. More
    information on this module can be found in
    doc/contrib/mod_tls_shmcache.html.

+ New configuration directives:

  RewriteHome
    The RewriteHome directive can be used to support rewriting the home
    directory for a user, based on regular expression rules. One such use
    case is where some portion of the home directory is retrieved e.g.
    from an LDAP directory, but you need to apply some custom prefix to
    the LDAP attribute.

    To enable this feature, first you need to add the following to your
    proftpd.conf:

      RewriteHome on

    Next, you need to configure the mod_rewrite rules for rewriting your
    home directory; this feature depends on mod_rewrite for the rewriting.
    The pseudo-command used by mod_rewrite for rewriting home directories
    is "REWRITE_HOME". Thus you would use:

      <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteLog /path/to/rewrite.log

        RewriteCondition %m REWRITE_HOME
        RewriteRule (.*) /my/new/prefix$1
      </IfModule>

  ScoreboardScrub
    The ScoreboardScrub directive can be used to turn on/off proftpd's
    periodic "scrubbing" of its ScoreboardFile, where the ScoreboardFile
    is scanned for entries of dead sessions:

      ScoreboardScrub on|off|secs

    Note that if scoreboard scrubbing is turned off, the ScoreboardFile
    can still be scrubbed on demand, either by using mod_ctrls_admin's
    "ftpdctl scoreboard scrub" action, or by using the new ftpscrub
    command-line utility.

  TLSControlsACLs
    With the addition of support for external session caches, the mod_tls
    module now supports some ftpdctl actions for interacting with those
    session caches. The TLSControlsACLs directive can be used to configure
    ACLs for the ftpdctl actions supported by mod_tls, and is analogous to
    the other ACL directives for other modules which support ftpdctl
    actions.

  TLSPKCS12File
    The TLSPKCS12File directive of the mod_tls module is used to configure
    mod_tls to use the certificate and private key contained in the
    indicated PKCS#12 file. Some sites already use PKCS#12 files for
    containing their other certificates, and thus find it useful to have
    PKCS#12 support in mod_tls.

  TLSSessionCache
    The TLSSessionCache directive configures an external SSL session
    cache, which can be used for storing and sharing SSL sessions across
    multiple processes. An external SSL session cache is an optional
    facility which speeds up parallel FTPS session connections. See
    doc/contrib/mod_tls.html#TLSSessionCache for more information.

+ Changed configuration directives:

  AllowOverride
    This directive no longer supports the optional user/group/class
    parameters. If you wish to have per-user/group/class conditional use
    of the AllowOverride directive, you will need to use the mod_ifsession
    module. For example, instead of:

      AllowOverride off user !admin

    you will need to use:

      <IfUser admin>
        AllowOverride on
      </IfUser>

      <IfUser !admin>
        AllowOverride off
      </IfUser>

    Note that the "!admin" section is necessary. If you set
    "AllowOverride off" unconditionally, then use a mod_ifsession context,
    you would end up with two AllowOverride settings, and the code might
    not be able to distinguish properly which setting to use. Thus you
    need to make both the "on" and "off" cases conditional, and mutually
    exclusive.

    Configurations which use the user/group/class conditional parameters
    to AllowOverride will now generate configuration errors.

  BanOnEvent
    The BanOnEvent directive of the mod_ban module now supports
    TimeoutLogin events.

  <VirtualHost>
    You can now specify an IP address of "0.0.0.0" in a <VirtualHost>
    definition.

  IdentLookups
    The default IdentLookups value is now 'off'. The RFC1413 IDENT lookup
    adds latency to the login process, so much so that it is a FAQ to
    configure "IdentLookups off". In addition, the IDENT protocol is not
    secure; it can easily be spoofed using man-in-the-middle attacks.
    Sites that require IDENT lookups must now explicitly configure
    "IdentLookups on".

    Note that in order to use IdentLookups, you must compile proftpd with
    the mod_ident module. If you use the --disable-ident configure option,
    then proftpd will not recognize the IdentLookups directive. Thus in
    your proftpd.conf, you should use something like:

      <IfModule mod_ident.c>
        IdentLookups on
      </IfModule>

    if you want to use RFC1413 lookups.

  LogFormat, SQLNamedQuery
    There is a new variable, %{protocol}, which describes the protocol
    that the client is using. This variable can have values of "ftp",
    "ftps", "ssh2", "sftp", and "scp". Note that for SSH2 connections,
    the value will be "ssh2" until SFTP or SCP channels are opened; this
    means that during login, the %{protocol} value will be "ssh2".

    There is also a new %w variable which is only valid for RNTO commands.
    The %w value will be the original name of the file being renamed
    (mnemonic: "whence" a renamed file comes).

  RewriteCondition, RewriteRule
    Use of environment variables in mod_rewrite rules is now supported via
    the "%{ENV:var}" syntax.

  SQLGroupInfo
    The SQLGroupInfo directive now supports custom queries for retrieving
    group information. Note that instead of a single custom query, several
    different queries are needed; different lookups are called for
    depending on the situation and configuration of mod_sql (e.g. using
    the 'groupset' or 'groupsetfast' SQLAuthenticate parameters). See
    doc/contrib/mod_sql.html#SQLGroupInfo and
    doc/howto/SQL.html#SQLUsersetfast for more details.

  SQLUserInfo
    The support for custom SQLUserInfo queries has been extended to
    support custom queries to be used when the 'userset' or 'usersetfast'
    SQLAuthenticate parameters are used. For more information, see
    doc/contrib/mod_sql.html#SQLUserInfo and
    doc/howto/SQL.html#SQLUsersetfast.

  TLSOptions
    The NoSessionReuseRequired option has been added. As of ProFTPD
    1.3.3rc1, mod_tls only accepts SSL/TLS data connections that reuse the
    SSL session of the control connection, as a security measure.
    Unfortunately, there are some clients (e.g. curl) which do not reuse
    SSL sessions. To relax the requirement that the SSL session from the
    control connection be reused for data connections, use the following
    in the proftpd.conf:

      <IfModule mod_tls.c>
        ...
        TLSOptions NoSessionReuseRequired
        ...
      </IfModule>

  TLSRequired
    The TLSRequired directive can now be used in <Directory> sections and
    in .ftpaccess files. When used in these configuration contexts, only
    the TLSRequired values that require SSL/TLS protection on data
    transfers are honored. With this, it is now possible to mark specific
    files or directories as requiring SSL/TLS protection to be accessed
    via data transfer.

  TransferLog
    The "service-name" field of the TransferLog usually contains just
    "ftp". In order to support TransferLogs for SFTP and SCP transfers,
    the service-name field of the TransferLog format may now show "sftp"
    or "scp". It may also show "ftps" instead of "ftp", if the data
    transfer occurred while the client is using FTP over SSL/TLS.

    NOTE: This change, while correct, may cause issues for log parsers.

+ Deprecated configuration directives:

  AnonymousGroup
    Support for this directive has been removed.

+ Developer Notes

  If you are a module developer, then you will want to know of the
  following API/internals changes:

  * The original USER value sent by the client is no longer stored in the
    config tree. That is, the following no longer works:

      user = get_param_ptr(main_server->conf, C_USER, FALSE);

    Instead, the original USER value is stashed in the session.notes
    table. Thus the above line of code can be replaced with:

      user = pr_table_get(session.notes, "mod_auth.orig-user", NULL);

    A similar change occurred for the anonymous "password" sent, but this
    will probably not apply to most modules.

Last Updated: $Date: 2010/02/24 18:20:37 $
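The TransferLog service-name change noted above is exactly the kind of thing a log parser written against the old "ftp"-only format trips over. The following is an added example and not ProFTPD code: a small Python reader for the xferlog-format TransferLog that accepts "ftp", "ftps", "sftp" and "scp", keeps plaintext-FTP transfers visible for review, and reports service names it does not know instead of dropping those records silently. The field layout assumed is the classic wu-ftpd xferlog layout that ProFTPD's TransferLog follows; the sample records are constructed.

```python
"""Parse ProFTPD TransferLog (xferlog) records with the widened service-name field."""
from dataclasses import dataclass
from typing import Optional

# Service names the release notes say may now appear in the field.
KNOWN_SERVICES = {"ftp", "ftps", "sftp", "scp"}
PLAINTEXT_SERVICES = {"ftp"}  # only plain ftp moves file contents in the clear

@dataclass
class Transfer:
    timestamp: str      # first five tokens, e.g. "Mon Feb 22 12:34:56 2010"
    seconds: int        # transfer time
    remote_host: str
    size: int
    filename: str
    transfer_type: str  # 'a' ascii, 'b' binary
    action: str         # '_' none, 'C' compressed, 'U' uncompressed, 'T' tar
    direction: str      # 'i' upload, 'o' download, 'd' delete
    access_mode: str    # 'a' anonymous, 'g' guest, 'r' real user
    username: str
    service: str        # 'ftp', 'ftps', 'sftp' or 'scp'
    auth_method: str    # '0' none, '1' RFC931/ident
    auth_user: str      # '*' when no authenticated user id
    status: str         # 'c' complete, 'i' incomplete

def parse_xferlog_line(line: str) -> Optional[Transfer]:
    """Return a Transfer, or None when the line is not a well-formed record."""
    tokens = line.strip().split(None, 5)
    if len(tokens) < 6:
        return None
    timestamp, rest = " ".join(tokens[:5]), tokens[5]
    # Nine fixed fields follow the filename and three precede it. Splitting
    # from the right keeps the filename intact if it ever contains spaces.
    tail = rest.rsplit(None, 9)
    if len(tail) != 10:
        return None
    head = tail[0].split(None, 3)
    if len(head) != 4:
        return None
    try:
        return Transfer(timestamp, int(head[0]), head[1], int(head[2]), head[3],
                        *tail[1:])
    except ValueError:  # non-numeric transfer time or size
        return None

def summarize(lines):
    """Count records per service, list plaintext-FTP transfers, flag unknown services."""
    counts: dict = {}
    plaintext, unknown = [], []
    for line in lines:
        rec = parse_xferlog_line(line)
        if rec is None:
            continue
        counts[rec.service] = counts.get(rec.service, 0) + 1
        if rec.service not in KNOWN_SERVICES:
            unknown.append(rec.service)
        elif rec.service in PLAINTEXT_SERVICES:
            plaintext.append((rec.username, rec.remote_host, rec.filename))
    return counts, plaintext, unknown

# Constructed sample records (not taken from a real server).
SAMPLE_LOG = """\
Mon Feb 22 12:34:56 2010 3 192.0.2.10 1024 /home/alice/report.txt b _ i r alice ftp 0 * c
Mon Feb 22 12:35:10 2010 12 192.0.2.11 4096000 /home/bob/backup.tar b _ o r bob ftps 0 * c
Mon Feb 22 12:36:02 2010 1 198.51.100.7 512 /home/carol/notes.txt a _ o r carol sftp 0 * c
Mon Feb 22 12:36:40 2010 2 198.51.100.8 2048 /home/dave/my file.bin b _ i r dave scp 0 * i
Mon Feb 22 12:37:00 2010 5 192.0.2.12 99 /pub/incoming/x b _ i a ftp ftp 0 * c
this line is not a transfer record
"""
```

Running summarize(SAMPLE_LOG.splitlines()) yields the per-service counts, the two plaintext transfers (alice's upload and the anonymous one) and an empty unknown list; a record with a service name outside the four expected values lands in that last list.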
From: John M. <jw...@us...> - 2010-02-23 16:36:47
Update of /cvsroot/pdd/www.proftpd.org In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv28477 Modified Files: wwwmirror.epl Log Message: update Index: wwwmirror.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/wwwmirror.epl,v retrieving revision 1.115 retrieving revision 1.116 diff -C2 -r1.115 -r1.116 *** wwwmirror.epl 13 Jan 2010 22:15:48 -0000 1.115 --- wwwmirror.epl 23 Feb 2010 16:36:37 -0000 1.116 *************** *** 32,36 **** <a href="http://www.de.proftpd.org/">de</a> <a href="http://www.ie.proftpd.org/">ie</a> - <a href="http://www.il.proftpd.org/">il</a> <a href="http://www.it.proftpd.org/">it</a> <a href="http://www.kr.proftpd.org/">kr</a> --- 32,35 ---- *************** *** 271,285 **** </p> <p> - <a href="http://www2.il.proftpd.org">http://www2.il.proftpd.org/</a> - <br /> - <a href="http://proftpd.interhost.co.il">http://proftpd.interhost.co.il</a> - <br /> - - Location: Israel (ISRAEL) - <br /> - - Maintained by: Dmitry Sherman<br /> - </p> - <p> <a href="http://www1.tw.proftpd.org">http://www1.tw.proftpd.org/</a> <br /> --- 270,273 ---- *************** *** 293,307 **** </p> <p> - <a href="http://www36.us.proftpd.org">http://www36.us.proftpd.org/</a> - <br /> - <a href="http://proftpd.mirror.facebook.net/">http://proftpd.mirror.facebook.net/</a> - <br /> - - Location: United States (San Francisco, CA United States) - <br /> - - Maintained by: Lucas Nealan<br /> - </p> - <p> <a href="http://www1.kr.proftpd.org">http://www1.kr.proftpd.org/</a> <br /> --- 281,284 ---- |
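Review bot: the first hunk (lines 32-36, dropping the `il` anchor) and the second hunk (lines 271-285, dropping the www2.il.proftpd.org entry) have to be kept in step by hand because the short country index and the per-mirror detail block are two separate copies of the same mirror list; a future removal that touches only one of them leaves a live link to a mirror that is no longer listed as vetted. Consider generating both blocks from a single mirror list so they cannot drift apart.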
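Review bot: the second hunk (lines 271-285) removes the links to http://www2.il.proftpd.org and http://proftpd.interhost.co.il, but nothing in this change retires the www2.il.proftpd.org hostname itself; confirm the DNS record for that name is removed as well, since a name under proftpd.org that keeps resolving to a third-party host which no longer mirrors the project is a dangling reference users may still follow.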
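Review bot: the third hunk (lines 293-307) drops the www36.us.proftpd.org / proftpd.mirror.facebook.net entry under a log message that says only "update"; record why the mirror was removed (unreachable, stale content, maintainer request) in the log message, so that anyone auditing which hosts distributed the project's files can tell a decommissioning from a correction.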