- blog.up-link.ro - https://blog.up-link.ro -

How To Set Up VSFTPD virtual users ( Berkeley DB + PAM )

vsftpd is a GPL licensed FTP server for UNIX systems, including Linux and FreeBSD. It is secure, stable and extremely fast.

vsftpd will handle:

If you are hosting several web sites, for security reasons, you may want the webmasters to access their own files only.  This article describes how you can install and configure vsftpd to work with virtual users.

A virtual user is a user login which does not exist as a real login on the system in /etc/passwd and /etc/shadow file. Virtual users can therefore be more secure than real users, because a compromised account can only use the FTP server but cannot login to system to use other services such as ssh, telnet or smtp.

1. Installation of vsftpd

For CentOS, RHEL and Fedora, you can install vsftpd with yum:

# yum install vsftpd

For Debian and Ubuntu,

# apt-get install vsftpd ( for Ubuntu use sudo )

For FreeBSD,

# cd /usr/ports/ftp/vsftpd

# make install clean

Set up vsftpd service to start automatically at boot time

For CentOS, RHEL and Fedora:

# chkconfig vsftpd on

For Debian and Ubuntu:

# update-rc.d -f vsftpd defaults ( for Ubuntu use sudo)

For FreeBSD add the following line to /etc/rc.conf:

vsftpd_enable=YES

2. Virtual users and authentication ( Linux and FreeBSD )

a. Linux

In Linux, we are going to set up virtual users using pam_userdb. This needs a username / password file in "db" format. We need db_load program.

For CentOS, Fedora , RHEL , you can install the package db4-utils:

# yum install db4-utils

For Ubuntu and Debian:

# apt-get install db4.2-util

To create a 'db' format file, first create a plain text file "virtual-users.txt" with the user names and passwords on alternating lines:

adrian
password123
john
123pass

Then execute the following command to create the actual database:

# db_load -T -t hash -f virtual-users.txt /etc/vsftpd/virtual-users.db

For security reasons you should remove the plain text file:

# rm -f virtual-users.txt

Now, create a PAM file /etc/pam.d/vsftpd-virtual which uses your database:

auth required pam_userdb.so db=/etc/vsftpd/virtual-users
account required pam_userdb.so db=/etc/vsftpd/virtual-users
session required pam_loginuid.so

b. FreeBSD

In FreeBSD, we are going to set up virtual users using pam_pwdfile. This needs a username / password file in htpassword format. We need pam_pwdfile package.

To install pam_pwdfile package in FreeBSD:

# /usr/ports/security/pam_pwdfile
# make install clean

To create vsftpd accounts, you need to use htpasswd (create /usr/local/etc/vsftpd/ directory first):

# htpasswd -bc adrian password123 /usr/local/etc/vsftpd/virtual-users

where adrian is the user name and passsword123 is the password

To add another user, make sure you remove "-c" from htpassword. "-c" is used to create a new file.

Now, create a PAM file /etc/pam.d/vsftpd-virtual which uses your pwdfile:

auth       required    /usr/local/lib/pam_pwdfile.so pwdfile /usr/local/etc/vsftpd/virtual-users
account      required    /usr/lib/pam_permit.so

3. Configuration of vsftpd

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf (or /usr/local/etc/vsftpd.conf for FreeBSD). Add or correct the following configuration options:

# enable background mode
background=YES
# disables anonymous FTP
anonymous_enable=NO
# enables non-anonymous FTP
local_enable=YES
# activates virtual users
guest_enable=YES
# virtual users to use local privs, not anon privs
virtual_use_local_privs=YES
# enables uploads and new directories
write_enable=YES
# the PAM file used by authentication of virtual uses
pam_service_name=vsftpd-virtual
# in conjunction with 'local_root',
# specifies a home directory for each virtual user
user_sub_token=$USER
local_root=/var/www/virtual/$USER
anon_root=/var/www/ftp
# the virtual user is restricted to the virtual FTP area
chroot_local_user=YES
# hides the FTP server user IDs and just display "ftp" in directory listings
hide_ids=YES
# runs vsftpd in standalone mode
listen=YES
# listens on this port for incoming FTP connections
listen_port=21
# the minimum port to allocate for PASV style data connections
pasv_min_port=65500
# the maximum port to allocate for PASV style data connections
pasv_max_port=65535
# controls whether PORT style data connections use port 20 (ftp-data)
connect_from_port_20=YES
# the umask for file creation
local_umask=022
# Restrict connections
max_clients=20
max_per_ip=10
# secured empty directory
secure_chroot_dir=/usr/share/empty

Create /usr/share/empty and /var/www/ftp :

# mkdir -p /usr/share/empty
# mkdir -p /var/www/ftp

4. Creating home directories

Create home directories in /var/www/virtual, and change the owner of the directory to the user "ftp" :

# mkdir /var/www/virtual/adrian
# chown ftp:ftp /var/www/virtual

Change the home directory of the ftp user to /var/www/virtual (or /var/www):

Linux
# usermod -d /var/www/virtual ftp
FreeBSD
# pw usermod ftp -d /var/www/virtual

5. Starting vsftpd and testing vsftpd configuration

Startsftpd using the following command:

# service vsftpd start

or

# /usr/local/etc/rc.d/vsftpd start

for FreeBSD (make sure vsftpd_enable=YES in /etc/rc.conf)

NOTE: A system reboot might be required on some systems.

Test the FTP access of a virtual user:

# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): adrian
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

The virtual user should have full access to his directory only.