OpenBSD FTP Server Configuration

Creating an ftp-only account (not anonymous FTP!)

	Add /usr/bin/false into /etc/shells.

	Create user and set the shell to /usr/bin/false
	  They will not be able log in interactively, but will be
	  able to use ftp capabilities. adduser(8) will give them
	  a home dir by default of /home/. If this is what
	  you desire it doesn't need to be changed, however you can
	  set this to whatever directory you wish. You can force the
	  user to only be able to see files in their home directory by
	  adding their username to /etc/ftpchroot.

	Using the -A option with ftpd(8), only allows ftpchroot logins!

Creating a secured, chrooted FTP Server

Add "/usr/bin/false" to /etc/shells

Use 'adduser' with the below options, and a blank password.
 User Name: ftp
 Full Name: Anonymous FTP
 Shell: false 
 Login Group: ftp
 Invite to other Groups: No
 Enter Password []: <>
 Set the password so that user cannot logon? (y/n) [n]: y

Change/ensure the ownership of the ftp root directory is owned by root,
and files are read-only.

 # chown root.root /home/ftp
 # chmod 555 /home/ftp
 # mkdir /home/ftp/pub
 # chmod 555 /home/ftp/pub 

From the man pages (and FAQ,) the below are suggested directories, but are not required for the server to operate.
~/ftp/bin Make this directory owned by "root" and unwritable by anyone (mode 511). This directory is optional unless you have commands you wish the anonymous ftp user to be able to run (the ls(1) command exists as a builtin). Any programs in this directory should be mode 111 (executable only)
~/ftp/etc Make this directory owned by "root" and unwritable by anyone (mode 511). The files pwd.db (see pwd_mkdb(8)) and group(5) must be present for the ls command to be able to produce owner names rather than numbers. The password field in pwd.db is not used, and should not contain real passwords. The file motd, if present, will be printed after a successful login. These files should be mode 444
~/ftp/pub Make this directory mode 555 and owned by "root". This is traditionally where publically accessible files are stored for download

Restrict User Access
/etc/ftpusers List of unwelcome/restricted users
/etc/ftpchroot List of normal users who should be chroot'd

With the -A switch we effectively deny access to accounts not listed in the /etc/ftpchroot file.

Restrict Access: (chroot) If you provide ftp access for your user-accounts, add all users (not restricted above) to /etc/ftpchroot. ftpd will allow access by ftp accounts to the root directory, we can enforce some security by allowing chroot to force each login into their private directory.

In login.conf one can add default values for any user class:
adding 'ftp-chroot' to the user class will chroot everyone in that class. This can be used instead of adding users in /etc/ftpchroot.
adding 'ftp-dir=/home/ftp' will make all class users chroot to /home/ftp without changing each users home directory.

LOGIN.CONF Variables
 The ftpd daemon uses the following ftp specific parameters:
 (auth-ftp and welcome not listed here.)
 ftp-chroot A boolean value. If set, users in this class will be automatically chrooted to the user's login directory.
 ftp-dir A path to a directory. This value overrides the login directory for users in this class. A leading tilde (`~') in ftp-dir will be expanded to the user's home directory based on the contents of the password database.


#/etc/login.conf
 :tc=auth-ftp-defaults:\ 
 :ftp-chroot:\
 :ftp-dir=~: 

A users class is set in the fifth field of the user record in the passwd(5) file. This field is not set on new users when you add them with adduser etc, hence we all become default. (the other pre defined classes are daemon and staff)
If you do not wish for all users to be treated the same, then you could add a new class (e.g.'ftpusers'.) This way you can set a whole bunch of parameters specific to only these users.

To auto-start ftpd with each system start-up we change the settings in the /etc/rc.conf.local We can also manually start the service with the same flags at the command prompt.
 Edit /etc/rc.conf.local:
 ftpd_flags="-DllUSA" # for non-inetd use: ftpd_flags="-D"

Starting ftpd at the command-prompt
 You can also enable ftpd through inetd (described in the FAQ) but making
 the above settings in the /etc/rc.conf.local is what I like.
 # /usr/libexec/ftpd -DllUSA 



The switches listed above are described further [man pages.]
D Detach and become a daemon, accepting connections on the FTP port and forking child processes to handle them. This has lower overhead than starting ftpd from inetd(8) and is thus useful on busy servers to reduce load.
l lower-case L, log successful and failed ftp(1) session using syslog.
When specified twice (eg. -ll,) the log will also include: retrieve (get), store (put), append, delete, make directory, remove directory and rename operations and their filename arguments. 
U Log each concurrent ftp(1) session to the file /var/run/utmp, making them visible to commands such as who(1).
S Log all anonymous downloads to the file /var/log/ftpd when this file exists.
A Permit only anonymous ftp connections or accounts listed in /etc/ftpchroot. Other connection attempts are refused.

Other configuration files of interest are:
/etc/nologin The file can be used to disable ftp access. If the file exists, ftpd displays it and exits.
/etc/ftpwelcome Welcome notice. This holds the Welcome message for people once they have connected to your ftp server.
/etc/motd Welcome notice after login. This holds the message for people once they have successfully logged into your ftp server
.message This file can be placed in any directory. It will be shown once a user enters that directory.
/var/run/utmp List of users on the system
/var/run/ftpd.pid Process id if running in daemon mode
/var/log/ftpd Log file for anonymous downloads

http://www.svartalfheim.net/natftp.html