How To Set Up VSFTPD virtual users ( Berkeley DB + PAM )

vsftpd is a GPL licensed FTP server for UNIX systems, including Linux and FreeBSD. It is secure, stable and extremely fast.

vsftpd will handle:

  • Virtual IP configurations
  • Virtual users
  • Standalone or inetd operation
  • Powerful per-user configurability
  • Bandwidth throttling
  • Per-source-IP configurability
  • Per-source-IP limits
  • IPv6
  • Encryption support through SSL integration
  • etc...

If you are hosting several web sites, for security reasons, you may want the webmasters to access their own files only.  This article describes how you can install and configure vsftpd to work with virtual users.

A virtual user is a user login which does not exist as a real login on the system in the /etc/passwd and /etc/shadow files. Virtual users can therefore be more secure than real users, because a compromised account can only use the FTP server and cannot log in to the system to use other services such as ssh, telnet or smtp.

1. Installation of vsftpd

For CentOS, RHEL and Fedora, you can install vsftpd with yum:

# yum install vsftpd

For Debian and Ubuntu (on Ubuntu, prefix the command with sudo):

# apt-get install vsftpd

For FreeBSD,

# cd /usr/ports/ftp/vsftpd

# make install clean

Set up the vsftpd service to start automatically at boot time.

For CentOS, RHEL and Fedora:

# chkconfig vsftpd on

For Debian and Ubuntu (on Ubuntu, prefix the command with sudo):

# update-rc.d -f vsftpd defaults

For FreeBSD add the following line to /etc/rc.conf:


2. Virtual users and authentication ( Linux and FreeBSD )

a. Linux

In Linux, we are going to set up virtual users using pam_userdb. This needs a username / password file in "db" format, which is created with the db_load program.

For CentOS, Fedora and RHEL, you can install the package db4-utils:

# yum install db4-utils

For Ubuntu and Debian:

# apt-get install db4.2-util

To create a 'db' format file, first create a plain text file "virtual-users.txt" with the user names and passwords on alternating lines:


Then execute the following command to create the actual database:

# db_load -T -t hash -f virtual-users.txt /etc/vsftpd/virtual-users.db

For security reasons you should remove the plain text file:

# rm -f virtual-users.txt
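
The steps above as one script, added here as an example (it is not part of the original article): it writes the alternating-line file under a restrictive umask, rejects malformed or duplicate entries, and restricts the database to its owner, since the database holds the same passwords as the text file. The "user:password" input format and the names make_userlist, build_db and mkusers.sh are assumptions of this example.

```sh
#!/bin/sh
# make_userlist IN OUT: turn "user:password" lines (input format assumed by
# this example) into the alternating name/password lines that db_load -T reads.
# The body is a subshell so the tightened umask does not leak to the caller.
make_userlist() (
    umask 077
    : > "$2" && chmod 600 "$2" || exit 1
    seen=" "
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        case $line in *:*) ;; *) echo "entry without ':'" >&2; exit 1 ;; esac
        user=${line%%:*} pass=${line#*:}
        case $user in ''|*[!A-Za-z0-9._-]*) echo "bad user name" >&2; exit 1 ;; esac
        [ -n "$pass" ] || { echo "empty password for $user" >&2; exit 1; }
        # Each name must map to exactly one password in the hash database.
        case $seen in *" $user "*) echo "duplicate user $user" >&2; exit 1 ;; esac
        seen="$seen$user "
        printf '%s\n%s\n' "$user" "$pass" >> "$2"
    done < "$1"
)

# build_db TXT DB: run the article's db_load command, then make the database
# readable and writable by its owner only.
build_db() (
    umask 077
    db_load -T -t hash -f "$1" "$2" && chmod 600 "$2"
)

# Usage: sh mkusers.sh users.in /etc/vsftpd/virtual-users.db
if [ $# -eq 2 ]; then
    tmp=$(mktemp) || exit 1
    rc=0
    make_userlist "$1" "$tmp" && build_db "$tmp" "$2" || rc=$?
    rm -f "$tmp"    # the plain-text list never outlives the run
    exit "$rc"
fi
```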

Now, create a PAM file /etc/pam.d/vsftpd-virtual which uses your database:

auth required pam_userdb.so db=/etc/vsftpd/virtual-users
account required pam_userdb.so db=/etc/vsftpd/virtual-users
session required

b. FreeBSD

In FreeBSD, we are going to set up virtual users using pam_pwdfile. This needs a username / password file in htpasswd format. We need the pam_pwdfile package.

To install pam_pwdfile package in FreeBSD:

# cd /usr/ports/security/pam_pwdfile
# make install clean

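To create vsftpd accounts, you need to use htpasswd (create the /usr/local/etc/vsftpd/ directory first):

# htpasswd -bc /usr/local/etc/vsftpd/virtual-users adrian password123

where adrian is the user name and password123 is the password. Note that -b takes the password from the command line, where it is visible in the process list and shell history; leave out -b to be prompted for it instead.

To add another user, make sure you remove "-c" from the htpasswd command. "-c" is used to create a new file.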

Now, create a PAM file /etc/pam.d/vsftpd-virtual which uses your pwdfile:

auth       required    /usr/local/lib/pam_pwdfile.so pwdfile /usr/local/etc/vsftpd/virtual-users
account      required    /usr/lib/

3. Configuration of vsftpd

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf (or /usr/local/etc/vsftpd.conf for FreeBSD). Add or correct the following configuration options:

# enable background mode
# disables anonymous FTP
# enables non-anonymous FTP
# activates virtual users
# virtual users to use local privs, not anon privs
# enables uploads and new directories
# the PAM file used for authentication of virtual users
# in conjunction with 'local_root',
# specifies a home directory for each virtual user
# the virtual user is restricted to the virtual FTP area
# hides the FTP server user IDs and just displays "ftp" in directory listings
# runs vsftpd in standalone mode
# listens on this port for incoming FTP connections
# the minimum port to allocate for PASV style data connections
# the maximum port to allocate for PASV style data connections
# controls whether PORT style data connections use port 20 (ftp-data)
# the umask for file creation
# Restrict connections
# secured empty directory

Create /usr/share/empty and /var/www/ftp :

# mkdir -p /usr/share/empty
# mkdir -p /var/www/ftp
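
An added example (not from the original article) that checks an existing vsftpd.conf for the security-relevant settings the comments above describe. The option names are vsftpd's own; the expected values for pam_service_name and secure_chroot_dir follow this article, the port numbers in the sample are constructed, and the function and script names are assumptions.

```sh
#!/bin/sh
# conf_get FILE KEY: print the last value assigned to KEY (empty if unset).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# audit_conf FILE: print one line per finding; return 0 only if there are none.
# An unset option is a finding: it would fall back to vsftpd's built-in default.
audit_conf() {
    conf=$1 bad=0
    for want in anonymous_enable=NO local_enable=YES guest_enable=YES \
        virtual_use_local_privs=YES chroot_local_user=YES hide_ids=YES \
        pam_service_name=vsftpd-virtual secure_chroot_dir=/usr/share/empty
    do
        key=${want%%=*} exp=${want#*=}
        got=$(conf_get "$conf" "$key")
        if [ "$got" != "$exp" ]; then
            echo "FAIL $key: expected $exp, found ${got:-<unset>}"
            bad=1
        fi
    done
    # A bounded PASV range lets a firewall open only those data ports.
    lo=$(conf_get "$conf" pasv_min_port); hi=$(conf_get "$conf" pasv_max_port)
    case "$lo:$hi" in
        :*|*:|*[!0-9:]*) echo "FAIL pasv range: min='$lo' max='$hi'"; bad=1 ;;
        *) [ "$lo" -gt 0 ] && [ "$lo" -le "$hi" ] ||
               { echo "FAIL pasv range: $lo-$hi"; bad=1; } ;;
    esac
    return "$bad"
}

# write_sample_conf PATH: constructed sample; the port numbers are placeholders.
write_sample_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
guest_enable=YES
virtual_use_local_privs=YES
pam_service_name=vsftpd-virtual
chroot_local_user=YES
hide_ids=YES
pasv_min_port=50000
pasv_max_port=50100
secure_chroot_dir=/usr/share/empty
EOF
}

# Usage: sh audit-vsftpd.sh /etc/vsftpd/vsftpd.conf
if [ $# -gt 0 ]; then audit_conf "$1"; fi
```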

4. Creating home directories

Create home directories in /var/www/virtual, and change the owner of the directory to the user "ftp" :

# mkdir -p /var/www/virtual/adrian
# chown ftp:ftp /var/www/virtual

Change the home directory of the ftp user to /var/www/virtual (or /var/www). On Linux:

# usermod -d /var/www/virtual ftp

On FreeBSD:

# pw usermod ftp -d /var/www/virtual

5. Starting vsftpd and testing vsftpd configuration

Start vsftpd using the following command:

# service vsftpd start

or, for FreeBSD (make sure vsftpd_enable=YES is set in /etc/rc.conf):

# /usr/local/etc/rc.d/vsftpd start

NOTE: A system reboot might be required on some systems.

Test the FTP access of a virtual user:

# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): adrian
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

The virtual user should have full access to his directory only.
