Configuring vsftpd for the Canon 5D Mark IV

This Web page gives a commented configuration file that, with certain edits, lets you use vsftpd as a server that can automatically accept pictures from a Canon 5D Mark IV, assuming you've done all the setup given on the main page. The rest of this page is a sample configuration file; comments are given after various sections. If you select the sample configuration from here on down, copy it, and paste it into your own configuration, the comments should disappear and you should have a working config file! (How cool is that?)

# Example config file /etc/vsftpd.conf
#
# The default compiled-in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled-in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# ################
# General Settings
# ################
#
# Enable any form of FTP write command.
write_enable=YES

The whole point of this configuration is to let the camera write files to the server. You would comment this out if you only wanted people to download files.

#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftpsecure

The ftpsecure user was created by my distribution; you might have to create it yourself.

# #######################
# Local FTP user Settings
# #######################
#
# Uncomment this to allow local users to log in.
local_enable=YES

You need to set local_enable so that the camera can log in as the user you specified (e.g., canon5d4).

#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022

Some people might prefer 077, especially if the server is a shared machine.

#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
#chroot_list_enable=YES
chroot_list_enable=NO

chroot provides much stronger security; it will protect you even against most bugs in the server. But it's really hard to set up correctly, so we won't attempt that here.

#
# ##########################
# Anonymous FTP user Settings
# ##########################
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO

Anonymous ftp isn't really compatible with what we're doing here. In truth, anonymous ftp is pretty obsolete nowadays; ordinary Web sites are a better solution to the problem it tried to address.

# ############
# Log Settings
# ############
#
# Log to the syslog daemon instead of using a logfile.
syslog_enable=NO
#
# Uncomment this to log all FTP requests and responses.
log_ftp_protocol=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
#
#vsftpd_log_file=/var/log/vsftpd.log

It's a good idea to log the daemon's activity so you can monitor misbehavior and debug problems. If you installed vsftpd from your distro, it should have set up that log file and also created a logrotate configuration to keep the file from growing too large. If you didn't, or it didn't, you should configure rotation. You might also need to change the location of the log.

# #################
# Transfer Settings
# #################
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=7200
#
# You may change the default value for timing out a data connection.
data_connection_timeout=900

The above timeouts are given in seconds; 7200 is two hours. I chose quite long timeouts because I didn't want the ftp server to give up on the camera in the middle of a picture transfer.

# Set to NO if you want to disallow the PASV method of obtaining a data
# connection.
#pasv_enable=NO

It is important that you do NOT uncomment this line; pasv_enable must be set to YES for some uses of the 5D Mark IV (see the "passive" setting on the camera).

#
# PAM setting. Do NOT change this unless you know what you are doing!
pam_service_name=vsftpd
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# listen_ipv6 must be turned off; the 5D Mark IV doesn't support IPv6.
# In any case, vsftpd can't listen on IPv4 and IPv6 at the same time;
# you have to run two copies.
listen_ipv6=NO
#
# Set to ssl_enable=YES if you want to enable SSL
ssl_enable=YES

ssl_enable is essential for running a secure server. Don't turn it off!

#
# Limit passive ports to this range to assist firewalling
pasv_min_port=30000
pasv_max_port=30100

If you have a network administrator who believes in harsh firewalling, you may need to change the passive port range.

# ############
# SSL Settings
# ############
#
# Allow debugging of SSL connections
debug_ssl=NO

If you have problems connecting, you might want to turn this on.

#
# Expect SSL handshake right away (don't know if this is needed for 5D4).
implicit_ssl=NO
#
# Require an SSL client certificate.
require_cert=NO
#
# Require data connections to do SSL reuse.  This breaks many clients.
require_ssl_reuse=NO
#
# Allow SSL v2
ssl_sslv2=NO
#
# Allow SSL v3
ssl_sslv3=NO
#
# Allow TLS v1
ssl_tlsv1=YES

The 5D Mark IV is fairly picky about SSL versions. The selections above work.

#
# SSL client certificate validation.  Self-signed certificates don't validate.
validate_cert=NO

We use a self-signed certificate so we need to keep validation off. That's OK because the client (the camera) is going to provide a password to authenticate itself.

#
# Certificate authority location.
ca_certs_file=/etc/ssl/private/vsftpd.pem

The above line needs to point to wherever you created your openssl certificate.

#
# Certificate locations
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key

Again, these need to point to where you made your certificates.

#
# Which ciphers to use (see "man ciphers" and security blogs).
ssl_ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

The 5D4 is quite primitive in its encryption algorithms. The above list works; it could probably be smaller. But the reality is that the required ones are also the weaker ones, sigh.

#
# #############
# Other Options
# #############
#
# Don't keep failures
delete_failed_uploads=YES

# Display file times in the host's time zone, not UTC
use_localtime=YES

# Only accept certain users
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.users

The above file must contain a list of users allowed to use the vsftpd daemon. For the Canon 5D Mark IV, it should contain a single line giving the name of the user you created for the camera, e.g. canon5d4 in my examples.

# The undocumented seccomp_sandbox option appears to be intended to increase
# security, but unfortunately what it actually does is crash an important
# child process with SIGSYS.  This option MUST be specified for vsftpd
# to work with the 5D Mark IV.
seccomp_sandbox=NO
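The settings this page insists on (write_enable, local_enable, anonymous_enable, the commented-out pasv_enable, ssl_enable, the SSL version switches, the userlist options and seccomp_sandbox) are easy to get subtly wrong when editing an existing config. The script below is an added example, not part of the original page or of vsftpd, that audits a vsftpd.conf for those settings; it assumes only POSIX sh and sed, and the config it builds in sample_conf is constructed for the demonstration, not taken from a real server.

```sh
#!/bin/sh
# Added example, not from the original page: audit a vsftpd.conf for the
# camera-specific settings this page requires. Assumes only POSIX sh and sed.

# conf_get FILE KEY: print the effective value of KEY (the last uncommented
# assignment wins, as vsftpd applies them), or nothing if KEY is not set.
conf_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)\$/\1/p" "$1" | tail -n 1
}

# expect FILE KEY VALUE: report and return 1 when KEY's value is not VALUE.
expect() {
    actual=$(conf_get "$1" "$2")
    if [ "$actual" != "$3" ]; then
        echo "FAIL: $2 is '${actual:-unset}', expected '$3'"
        return 1
    fi
}

# check_vsftpd_conf FILE: run every check; exit status 0 only if all pass.
check_vsftpd_conf() {
    f=$1; fails=0
    for pair in write_enable=YES local_enable=YES anonymous_enable=NO \
                ssl_enable=YES ssl_sslv2=NO ssl_sslv3=NO \
                userlist_enable=YES userlist_deny=NO seccomp_sandbox=NO; do
        expect "$f" "${pair%%=*}" "${pair#*=}" || fails=$((fails + 1))
    done
    # pasv_enable defaults to YES; only an explicit NO breaks the camera.
    if [ "$(conf_get "$f" pasv_enable)" = "NO" ]; then
        echo "FAIL: pasv_enable=NO disables passive mode the 5D Mark IV needs"
        fails=$((fails + 1))
    fi
    # userlist_deny=NO only restricts logins if the allow list file is named.
    if [ -z "$(conf_get "$f" userlist_file)" ]; then
        echo "FAIL: userlist_file unset, so no allow list applies"
        fails=$((fails + 1))
    fi
    echo "$fails check(s) failed"
    [ "$fails" -eq 0 ]
}

# sample_conf: print a constructed config (not a real server's) that passes
# every check; edit a value to see the audit report it.
sample_conf() {
    printf '%s\n' write_enable=YES local_enable=YES anonymous_enable=NO \
        '#pasv_enable=NO' ssl_enable=YES ssl_sslv2=NO ssl_sslv3=NO \
        userlist_enable=YES userlist_deny=NO userlist_file=/etc/vsftpd.users \
        seccomp_sandbox=NO
}
```

Source the script and run check_vsftpd_conf /etc/vsftpd.conf after each edit; a nonzero exit status with the FAIL lines tells you which line to revisit before restarting the daemon.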