pure-certd - TLS certificate agent for Pure-FTPd.
pure-certd [-p </path/to/pidfile>] [-u uid] [-g gid] [-B] <-s /path/to/socket> -r /program/to/run
pure-certd is a daemon that forks an authentication program, waits for a certificate path as a reply, and returns it to an application server.
pure-certd listens to a local Unix socket. A new connection to that socket should send pure-authd the following structure:
- sni_name:xxx end
These content is passed to the authentication program, as an environment variable:
The authentication program should take appropriate actions to select a TLS certificate, and reply to the standard output with the following format:
- action:strict cert_file:/path/to/cert.pem key_file:/path/to/cert.pem end
- Absolute path to the certificate in PEM format.
- This is optional, as a certificate and its key can be concatenated in the same file.
- If action is "deny", a certificate for that name was not found and access is denied. If xxx is "default", the default certificate will be used. If xxx is "strict", the certificate whose path is indicated in "cert_path" will be used. If absent or invalid, access will be denied. If xxx is "fallback", the certificate whose path is indicated in "cert_path" will be used. If absent or invalid, the default certificate will be used instead.
- The system uid to be assigned to that user. Must be > 0.
- The primary system gid. Must be > 0.
- The absolute path to the home directory. Can contain /./ for a chroot jail.
Only one authentication program is forked at a time. It must return quickly.
To run this program the standard way type:
pure-certd -s /var/run/certd.sock -r /usr/bin/my-cert-program &
pure-ftpd -lextauth:/var/run/certd.sock &
- /usr/bin/my-cert-program can be as simple as:
- #! /bin/sh
Frank DENIS <j at pureftpd dot org>