Skip to content
Basic vsftpd cookbook to manage local users FTP access.
Branch: master
Clone or download
TheSerapher Merge pull request #20 from cosmonaut-ok/master
Fix vsftpd with ssl configuration
Latest commit ceb2269 Jan 6, 2017
Type Name Latest commit message Commit time
Failed to load latest commit information.
recipes Merge pull request #20 from cosmonaut-ok/master Jan 6, 2017
templates/default adding first version of vsftpd cookbook Mar 5, 2013
.gitignore Support for Debian 8 May 4, 2016
.kitchen.yml Support for Debian 8 May 4, 2016
.rubocop.yml [UPDATE] Rake Tasks and pass tests Jun 19, 2014
.travis.yml [FIX] Travis run should work now Jan 6, 2017
Gemfile [FIX] Travis run should work now Jan 6, 2017
LICENSE adding first version of vsftpd cookbook Mar 5, 2013 [Feature addition] Add support for SSL Jul 27, 2015

Description Travis-CI

A vsftpd Chef cookbook to install and configure a standard vsftpd installation.



  • CentOS
  • RHEL
  • Debian
  • Ubuntu


openssl >= 4.2.0


Attribute Description Default
node['vsftpd']['enabled'] Enable and start vsftpd after installation true
node['vsftpd']['etcdir'] Where to store additional configuration files /etc/vsftpd
node['vsftpd']['allowed'] Array of local users that are allowd to connect via FTP [ ]
node['vsftpd']['chroot'] Array of users that will not be chroot'ed [ ]
node['vsftpd']['config'] Configuration array with key/value pairs. See Manpage for details
node['vsftpd']['ssl']['enabled'] Whether to turn on SSL and create and/or use key and cert files. false
node['vsftpd']['ssl']['tlsv1_enabled'] If SSL is used, whether to use TLS. true when SSL is enabled
node['vsftpd']['ssl']['sslv2_enabled'] If SSL is enabled, whether to use SSLv2 or not. false
node['vsftpd']['ssl']['sslv3_enabled'] If SSL is enabled, whether to use SSLv3 or not. false
node['vsftpd']['ssl']['allow_anon'] Whether or not anonymous users are allowed to use SSL. true
node['vsftpd']['ssl']['force_local_data'] If SSL is enabled and this is set to true, all non-anonymous users must use encrypted connections for sending data. true
node['vsftpd']['ssl']['force_local_logins'] If SSL is enabled and this is set to true, all non-anonymous users must use SSL to send password. true
node['vsftpd']['ssl']['cert']['public_cert_file'] The path to the public certificate file that will be created if it doesn't exist. node['vsftpd']['etcdir'] + '/vsftpd.pem'
node['vsftpd']['ssl']['key']['private_key_file'] The path to the private key file used to sign the cert. Will be created without a password if it does not exist. If it exists, it will be used to sign the public cert using the passphrase specified in node['vsftpd']['ssl']['pass'] attribute if set. node['vsftpd']['etcdir'] + '/vsftpd.key'
node['vsftpd']['ssl']['cert']['common_name'] Value for the `CN` certificate field. ''
node['vsftpd']['ssl']['cert']['org'] Value for the 'O' certificate field. 'Example Company'
node['vsftpd']['ssl']['cert']['org_unit'] Value for the 'OU' certificate field. 'RND'
node['vsftpd']['ssl']['cert']['country'] Value for the 'C' SSL field. 'US'
node['vsftpd']['ssl']['cert']['expire_days'] Value representing the number of days from now through which the issued certificate cert will remain valid. The certificate will expire after this period. Defaults to no expiration. nil
node['vsftpd']['ssl']['key']['length'] Length of private key in bits. 4096
node['vsftpd']['ssl']['key']['user'] Owner of the public certificate and private key file if they are created by this cookbook. 'root'
node['vsftpd']['ssl']['key']['group'] Group owning the public certificate and private key file created by this cookbook. 'root'
node['vsftpd']['ssl']['key']['mode'] Security permissions (in *NIX chmod(1) format) for the public certificate and private key files. 00400
node['vsftpd']['ssl']['key']['pass'] The password for an existing key file (if using your own). This is incredibly insecure. Consider using an encrypted data bag or chef-vault instead of this attribute. nil



Installs/configures vsftpd, includes some sub-tasks via include_recipe.

Known Issue

When using Ubuntu 12.04 or Debian Wheezy you will have issues with this cookbook and running chroot_local_users=YES in the configuration.

There are some workarounds to overcome this problem:

The basic gist of these articles:

  • revoke write permissions on the users home
  • setup a different chroot environment via passwd_chroot_enable=YES
  • install a patched version of the vsftpd 2.x branch and set allow_writeable_chroot=YES to ignore this error
  • use vsftpd 3.x and set allow_writeable_chroot=YES to ignore this error


The cookbook comes with some testing facilities allowing you to iterate quickly on cookbook changes.


You can execute the tests with Rake. The Rakefile provides the following tasks:

$ rake -T
rake chefspec    # Run ChefSpec examples
rake foodcritic  # Run Foodcritic lint checks
rake knife       # Run knife cookbook test
rake rubocop     # Run rubocop checks
rake test        # Run all tests


If you prefer to let Bundler install all required gems (you should), run the tests this way:

$ # I like to install them in a parent folder so all cookbooks can use it
$ bundle install --path=../vendor/bundle
$ bundle exec rake test


Berkshelf is used to set up the cookbook and its dependencies (as defined in Berksfile) prior to testing with Rake and Vagrant.


This cookbook is using test-kitchen to create machines. You can review the boxes by using:

$ bundle exec kitchen list

To run the full kitchen suite included in this cookbook simply execute:

$ bundle exec kitchen test

You can also verify/converge/test any specific machine from the previous list output:

$ bundle exec kitchen verify <instance>

License and Author

Author:: Sebastian Grewe (

Copyright:: 2013, Sebastian Grewe

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

You can’t perform that action at this time.