1.3.3 Release Notes
------------------------
This file contains a description of the major changes to ProFTPD for the
1.3.3 release cycle, from the 1.3.3rc1 release to the 1.3.3 maintenance
releases. More information on these changes can be found in the NEWS and
ChangeLog files.
1.3.3rc1
---------
+ Added French, Bulgarian, Korean translations.
+ RPM 4.2 or later is required by the proftpd.spec file provided in the
distribution.
+ If the --localstatedir configure option is used, proftpd's build system
used to automatically append "/proftpd" to the configured path. This
behavior has been fixed; proftpd's build system will now use the
configured --localstatedir path as is.
Note that this may cause issues if you have an existing build script
for compiling proftpd; the expected locations of files under the
--localstatedir path will change.
+ New command-line options:
The -S, --serveraddr command-line option has been added. This option
can be used to specify the IP address of the host machine. By
default, proftpd attempts to resolve the host IP address by using DNS
resolution of the hostname. However, in cases where DNS is not
configured for the host machine, this approach does not work.
To specify the desired IP address, use -S when starting proftpd, e.g.:

  /usr/local/sbin/proftpd -S 1.2.3.4 ...

And if you want proftpd to listen on all interfaces, you can specify
a wildcard socket using an IP address of 0.0.0.0:

  /usr/local/sbin/proftpd -S 0.0.0.0 ...

+ New modules:
mod_exec
This module enables execution of external scripts based on actions/events
during a session. See doc/contrib/mod_exec.html for details.
mod_sftp
This module implements the SSH2, SFTP, and SCP protocols. See
doc/contrib/mod_sftp.html for more information.
mod_sftp_pam
This module uses PAM to provide a 'keyboard-interactive' SSH2
authentication method for mod_sftp. More information can be found in
the documentation for mod_sftp_pam, in doc/contrib/mod_sftp_pam.html.
mod_sftp_sql
This module uses SQL (via mod_sql) for looking up authorized SSH2
public keys for user and hostbased authentication. More information
is available in doc/contrib/mod_sftp_sql.html.
mod_shaper
This module can be used to provide data transfer rate "shaping"
across the entire server. See the documentation at
doc/contrib/mod_shaper.html.
mod_tls_shmcache
This module provides an external SSL session cache using shared
memory; see the TLSSessionCache configuration directive. More
information on this module can be found in
doc/contrib/mod_tls_shmcache.html.
+ New configuration directives:
RewriteHome
The RewriteHome directive can be used to support rewriting the
home directory for a user, based on regular expression rules.
One such use case is where some portion of the home directory is
retrieved e.g. from an LDAP directory, but you need to apply some
custom prefix to the LDAP attribute.
To enable this feature, first you need to add the following to your
proftpd.conf:

  RewriteHome on

Next, you need to configure the mod_rewrite rules for rewriting your home
directory; this feature depends on mod_rewrite for the rewriting.
The pseudo-command used by mod_rewrite for rewriting home directories is
"REWRITE_HOME". Thus you would use:

  RewriteEngine on
  RewriteLog /path/to/rewrite.log
  RewriteCondition %m REWRITE_HOME
  RewriteRule (.*) /my/new/prefix$1

ScoreboardScrub
The ScoreboardScrub directive can be used to turn on/off proftpd's
periodic "scrubbing" of its ScoreboardFile, where the ScoreboardFile
is scanned for entries of dead sessions:
ScoreboardScrub on|off|secs
Note that if scoreboard scrubbing is turned off, the ScoreboardFile
can still be scrubbed on demand, either by using mod_ctrls_admin's
"ftpdctl scoreboard scrub" action, or by using the new ftpscrub
command-line utility.
TLSControlsACLs
With the addition of support for external session caches, the
mod_tls module now supports some ftpdctl actions for interacting
with those session caches. The TLSControlsACLs directive can be
used to configure ACLs for the ftpdctl actions supported by mod_tls,
and is analogous to other ACLs directives for other modules which
support ftpdctl actions.
TLSPKCS12File
The TLSPKCS12File directive of the mod_tls module is used to
configure mod_tls to use the certificate and private key contained
in the indicated PKCS#12 file. Some sites already use PKCS#12 files
for containing their other certificates, and thus find it useful to
have PKCS#12 support in mod_tls.
TLSSessionCache
The TLSSessionCache directive configures an external SSL session
cache, which can be used for storing and sharing SSL sessions across
multiple processes. An external SSL session cache is an optional
facility which speeds up parallel FTPS session connections.
See doc/contrib/mod_tls.html#TLSSessionCache for more information.
+ Changed configuration directives:
AllowOverride
This directive no longer supports the optional user/group/class
parameters. If you wish to have per-user/group/class conditional
use of the AllowOverride directive, you will need to use the
mod_ifsession module. For example, instead of:

  AllowOverride off user !admin

you will need to use:

  <IfUser admin>
    AllowOverride on
  </IfUser>

  <IfUser !admin>
    AllowOverride off
  </IfUser>

Note that the "!admin" section is necessary. If you set
"AllowOverride off" unconditionally, then use a mod_ifsession context,
you would end up with two AllowOverride settings, and the code might not
be able to distinguish properly which setting to use. Thus you need to
make both the "on" and "off" cases conditional, and mutually exclusive.
Configurations which use the user/group/class conditional parameters
to AllowOverride will now generate configuration errors.
BanOnEvent
The BanOnEvent directive of the mod_ban module now supports
TimeoutLogin events.
<VirtualHost>
You can now specify an IP address of "0.0.0.0" in a <VirtualHost>
definition.
IdentLookups
The default IdentLookups value is now 'off'. The RFC1413 IDENT lookup
adds latency to the login process, so much so that it is a FAQ to
configure "IdentLookups off". In addition, the IDENT protocol is not
secure; it can easily be spoofed using man-in-the-middle attacks. Sites
that require IDENT lookups must now explicitly configure
"IdentLookups on".
Note that in order to use IdentLookups, you must compile proftpd with
the mod_ident module. If you use the --disable-ident configure
option, then proftpd will not recognize the IdentLookups directive.
Thus in your proftpd.conf, you should use something like:

  <IfModule mod_ident.c>
    IdentLookups on
  </IfModule>

if you want to use RFC1413 lookups.
LogFormat, SQLNamedQuery
There is a new variable, %{protocol}, which describes the protocol
that the client is using. This variable can have values of "ftp",
"ftps", "ssh2", "sftp", and "scp".
Note that for SSH2 connections, the value will be "ssh2" until SFTP or
SCP channels are opened; this means that during login, the %{protocol}
value will be "ssh2".
There is also a new %w variable which is only valid for RNTO commands.
The %w value will be the original name of the file being renamed
(mnemonic: "whence" a renamed file comes).
RewriteCondition, RewriteRule
Use of environment variables in mod_rewrite rules is now supported
via the "%{ENV:var}" syntax.
SQLGroupInfo
The SQLGroupInfo directive now supports custom queries for retrieving group
information. Note that instead of a single custom query, several
different queries are needed; different lookups are called for
depending on the situation and configuration of mod_sql (e.g.
using the 'groupset' or 'groupsetfast' SQLAuthenticate parameters).
See doc/contrib/mod_sql.html#SQLGroupInfo and
doc/howto/SQL.html#SQLUsersetfast for more details.
SQLUserInfo
The support for custom SQLUserInfo queries has been extended to
support custom queries to be used when the 'userset' or 'usersetfast'
SQLAuthenticate parameters are used.
For more information, see doc/contrib/mod_sql.html#SQLUserInfo and
doc/howto/SQL.html#SQLUsersetfast.
TLSOptions
The NoSessionReuseRequired option has been added. As of
ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
that reuse the SSL session of the control connection, as a security
measure. Unfortunately, there are some clients (e.g. curl) which
do not reuse SSL sessions.
To relax the requirement that the SSL session from the control
connection be reused for data connections, use the following in the
proftpd.conf:

  ...
  TLSOptions NoSessionReuseRequired
  ...

TLSRequired
The TLSRequired directive can now be used in <Directory> sections and
in .ftpaccess files. When used in these configuration contexts, only
the TLSRequired values that require SSL/TLS protection on data transfers
are honored. With this, it is now possible to mark specific files or
directories as requiring SSL/TLS protection to be accessed via data
transfer.
TransferLog
The "service-name" field of the TransferLog usually contains just
"ftp". In order to support TransferLogs for SFTP and SCP transfers,
the service-name field of the TransferLog format may now show
"sftp" or "scp". It may also show "ftps" instead of "ftp", if the
data transfer occurred while the client is using FTP over SSL/TLS.
NOTE: This change, while correct, may cause issues for log parsers.
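
One way a log parser can accommodate the new service-name values, shown as an added Python example (not ProFTPD code). It assumes the standard xferlog field order; the function names and the sample lines are constructed for illustration.

```python
from datetime import datetime

# service-name values listed in the TransferLog note above
ENCRYPTED = {"ftps", "sftp", "scp"}
KNOWN = ENCRYPTED | {"ftp"}
TAIL = ("type", "action", "direction", "access_mode", "user",
        "service", "auth_method", "auth_user_id", "status")

def parse_xferlog(line):
    tok = line.split()
    if len(tok) < 18:                      # 5 date + 3 head + filename + 9 tail
        raise ValueError("not an xferlog line: %r" % line)
    rec = dict(zip(TAIL, tok[-9:]))        # fixed fields, read from the right
    rec["time"] = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
    rec["seconds"] = int(tok[5])
    rec["host"] = tok[6]
    rec["size"] = int(tok[7])
    rec["filename"] = " ".join(tok[8:-9])  # tolerate spaces in the path
    # Do not reject a line because service-name is not "ftp"; record it instead.
    rec["known_service"] = rec["service"] in KNOWN
    rec["encrypted"] = rec["service"] in ENCRYPTED
    return rec

def cleartext_transfers(lines):
    """Return the records whose transfer went over plain FTP."""
    out = []
    for line in lines:
        if line.strip():
            rec = parse_xferlog(line)
            if rec["service"] == "ftp":
                out.append(rec)
    return out

SAMPLE = [  # constructed log lines, not real traffic
    "Thu Jul  2 10:15:01 2009 1 192.0.2.10 1024 /home/alice/report.txt b _ o r alice ftp 0 * c",
    "Thu Jul  2 10:16:40 2009 3 192.0.2.11 52311 /home/bob/db dump.sql b _ i r bob sftp 0 * c",
    "Thu Jul  2 10:17:05 2009 2 192.0.2.12 2048 /srv/pub/key.pem b _ o r carol ftps 0 * c",
    "Thu Jul  2 10:18:12 2009 1 192.0.2.13 512 /home/dave/notes.txt a _ i r dave scp 0 * i",
]

if __name__ == "__main__":
    for r in map(parse_xferlog, SAMPLE):
        mode = "encrypted" if r["encrypted"] else "CLEARTEXT"
        print(r["time"], r["user"], r["service"], mode, r["filename"])
```
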
+ Deprecated configuration directives:
AnonymousGroup
Support for this directive has been removed.
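
The AllowOverride, IdentLookups and TLSOptions changes above, and the AnonymousGroup removal, can be checked against an existing proftpd.conf before upgrading. The following Python script is an added example, not part of ProFTPD or of these notes; the audit() function, the finding codes and the sample configuration are constructed, and the IdentLookups guard it looks for is an <IfModule mod_ident.c> section.

```python
MESSAGES = {  # wording is this example's own, summarising the notes above
    "ALLOWOVERRIDE_PARAMS": "user/group/class parameters are now a config error; use mod_ifsession",
    "ANONYMOUSGROUP_REMOVED": "support for AnonymousGroup has been removed",
    "IDENT_ON": "IDENT lookups explicitly enabled; the protocol is spoofable and adds login latency",
    "IDENT_UNGUARDED": "IdentLookups outside <IfModule mod_ident.c>; unrecognized with --disable-ident",
    "SESSION_REUSE_RELAXED": "data connections need not reuse the control connection's SSL session",
}

def audit(conf_text):
    """Return [(line_number, code), ...] for settings the 1.3.3rc1 notes call out."""
    findings, sections = [], []
    for num, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):          # closing tag: leave the section
            if sections:
                sections.pop()
            continue
        if line.startswith("<"):           # opening tag: remember the section
            sections.append(" ".join(line.strip("<>").lower().split()))
            continue
        name, *args = line.split()
        name, largs = name.lower(), [a.lower() for a in args]
        if name == "allowoverride" and len(args) > 1:
            findings.append((num, "ALLOWOVERRIDE_PARAMS"))
        elif name == "anonymousgroup":
            findings.append((num, "ANONYMOUSGROUP_REMOVED"))
        elif name == "identlookups":
            if largs[:1] == ["on"]:
                findings.append((num, "IDENT_ON"))
            if "ifmodule mod_ident.c" not in sections:
                findings.append((num, "IDENT_UNGUARDED"))
        elif name == "tlsoptions" and "nosessionreuserequired" in largs:
            findings.append((num, "SESSION_REUSE_RELAXED"))
    return findings

SAMPLE_CONF = """\
ServerName "example"
IdentLookups on
AllowOverride off user !admin
<IfModule mod_tls.c>
  TLSEngine on
  TLSOptions NoSessionReuseRequired
</IfModule>
<Anonymous ~ftp>
  AnonymousGroup ftp
</Anonymous>
"""  # constructed pre-1.3.3 style configuration

if __name__ == "__main__":
    for num, code in audit(SAMPLE_CONF):
        print("line %d: %s: %s" % (num, code, MESSAGES[code]))
```
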
+ Developer Notes
If you are a module developer, then you will want to know of the following
API/internals changes:
* The original USER value sent by the client is no longer stored in
the config tree. That is, the following no longer works:

  user = get_param_ptr(main_server->conf, C_USER, FALSE);

Instead, the original USER value is stashed in the session.notes
table. Thus the above line of code can be replaced with:

  user = pr_table_get(session.notes, "mod_auth.orig-user", NULL);

A similar change occurred for the anonymous "password" sent, but
this will probably not apply to most modules.
Last Updated: $Date: 2009/07/01 02:56:33 $