Wednesday, November 12, 2008

Vsftpd virtual Users

I had to create a few virtual users in vsftpd for our clients. I googled a bit first and then experimented with what I found. A good tutorial can be found at

http://alien2thisworld.net/sitePages/tutorials/vsftpd_virtual_users_setup.html

But that setup blocks normal (local) users. I made a few modifications to the suggested configuration and enabled the following.

1. Local user login
2. Restricting all local users to their home directories by default
3. Allowing a selected set of local users to see the entire file system

I assume that you already have vsftpd, db4 (with its db_load utility) and PAM installed.

Step 1: In the vsftpd configuration file (/etc/vsftpd/vsftpd.conf in FC7), enable local logins, set up the chroot parameters and specify a per-user configuration directory. The stock file also has anonymous_enable=YES. The virtual users below do not need it (guest logins are independent of anonymous logins), and leaving it on lets anyone read /var/ftp without a password, so set it to NO unless you really want anonymous downloads.

# not needed for the virtual users below; NO unless anonymous downloads are wanted
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

#MY CHANGES
# one config file per user, named after the login name, in this directory
user_config_dir=/etc/vsftpd/users
# lock every local user into their home directory ...
chroot_local_user=YES
# ... except the users listed in chroot_list, who see the whole file system
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

Step 2: Create the per user config directory
mkdir /etc/vsftpd/users

Step 3: Create a password file. Each login name is followed by its password on the next line (user1 is the user name and passwd1 is the password). Run Steps 3 and 4 inside /etc/vsftpd, because the PAM configuration in Step 5 expects the database at /etc/vsftpd/users.db.
cd /etc/vsftpd
echo -e "user1\npasswd1" >> users.txt

Step 4: Convert the password file to Berkeley DB format and move the plaintext copy out of the way. The passwords are stored in users.db unhashed, which is why the file must be mode 600 (pam_userdb can compare crypt(3) hashes instead if you pass it crypt=crypt and store hashed passwords, but this setup uses plain text). On systems where the utility is packaged as db_load rather than db42_load, use that name.

rm -f users.db
db42_load -T -t hash -f users.txt users.db
mv users.txt /root/vsftpd_users.bkup
chmod 600 users.db


Step 5: Edit the PAM configuration file for vsftpd (/etc/pam.d/vsftpd) so that the newly created users.db is checked first. pam_userdb appends .db to the db= value itself, so db=/etc/vsftpd/users refers to /etc/vsftpd/users.db, not to the users directory created in Step 2. Use the bare module name rather than /lib/security/...; PAM finds the module directory on both 32- and 64-bit systems.
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
# virtual users: a matching name and password in /etc/vsftpd/users.db is sufficient
auth       sufficient   pam_userdb.so     db=/etc/vsftpd/users
account    sufficient   pam_userdb.so     db=/etc/vsftpd/users

# everyone else is an ordinary local account
auth       required     pam_listfile.so   item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so

Note the order: the pam_userdb lines are marked sufficient and sit above the ftpusers deny list, so a name in users.db that also exists as a local account (root, for example) would be authenticated with the database password and skip the ftpusers check. Keep the names in users.txt distinct from local accounts, or move the pam_listfile line above the two pam_userdb lines so the deny list applies to everyone.

Step 6: Create the local account that every virtual user is mapped to (the guest_username of Step 7) and the directory tree the virtual users upload into. The account needs no shell and no password: useradd leaves the password locked, so nobody can log in as clients directly.
adduser -d /var/ftp/clients -s /sbin/nologin clients
mkdir -p /var/ftp/clients
#Add one directory per virtual user (the name must match the login name)
mkdir -p /var/ftp/clients/user1 /var/ftp/clients/user2
chown -R clients:clients /var/ftp/clients


Step 7: Create the per-user configuration in /etc/vsftpd/users/ (the directory from Step 2). There is one file per virtual user, named exactly like the login name, because vsftpd opens user_config_dir/<login name> after the USER command. My configuration for user1 (/etc/vsftpd/users/user1) looks like this:
# $USER in local_root is replaced by the login name (user1 -> /var/ftp/clients/user1)
user_sub_token=$USER
local_root=/var/ftp/clients/$USER
# run the session as the local account "clients", treated like an anonymous user ...
guest_enable=YES
guest_username=clients
# ... so the anon_* settings control what this virtual user may write
anon_umask=0022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

Step 8: Add the trusted local users, one per line, to /etc/vsftpd/chroot_list. Because chroot_local_user=YES is set, this list holds the exceptions: everybody else is locked into their home directory, while the users listed here can see the entire file system. Only local accounts belong here; do not list the virtual user names.

Step 9: Restart vsftpd (service vsftpd restart on Fedora) and your new set of virtual users is ready. Before handing the accounts out, test one virtual user, one ordinary local user (who should land in a chroot of their home directory) and one user from chroot_list. One caveat for newer installations: since vsftpd 2.3.5 the server refuses a login whose chroot root directory is writable (500 OOPS: vsftpd: refusing to run with writable root inside chroot()), and the per-user directories above are writable by clients. On a current vsftpd either make each local_root owned by root with a writable upload subdirectory beneath it, or set allow_writeable_chroot=YES (vsftpd 3.0.0 and later).
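The whole procedure as one script, added here as an example and not part of the original post. It writes the files from Steps 1 to 8 under a staging prefix (an assumption; PREFIX="" targets the live system and then needs root), builds users.db only if db_load is installed, and runs a pre-restart check for the mistakes that bite in practice: a login name without a matching per-user file or directory, and a login name that is also a local account. Two things differ from the listing above on purpose: anonymous_enable is NO, since guest logins do not depend on it, and the ftpusers deny list is placed above pam_userdb so it also applies to names coming from the database. The guest account clients and the users user1/user2 with their passwords are constructed sample values.

```shell
#!/bin/sh
# Added example, not the original post's commands: writes every file from Steps 1-8
# under $PREFIX so the result can be reviewed before it is copied into place.
# User names, passwords and paths are illustrative assumptions.
set -eu
PREFIX="${PREFIX:-/tmp/vsftpd-stage}"   # PREFIX="" writes to the live system (root)
GUEST_USER="clients"                     # local account the virtual users map to

# Step 1 (+ the Step 8 list). anonymous_enable=NO: guest logins do not need it.
write_main_conf() {
    d="$PREFIX/etc/vsftpd"
    mkdir -p "$d"
    cat > "$d/vsftpd.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
xferlog_enable=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
user_config_dir=/etc/vsftpd/users
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
EOF
    touch "$d/chroot_list"   # local users listed here are NOT chrooted
}

# Step 5. The ftpusers deny list sits ABOVE pam_userdb, so a users.db entry
# named like root or bin is still rejected (a required failure is final).
write_pam_conf() {
    mkdir -p "$PREFIX/etc/pam.d"
    cat > "$PREFIX/etc/pam.d/vsftpd" <<'EOF'
#%PAM-1.0
session    optional   pam_keyinit.so   force revoke
auth       required   pam_listfile.so  item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
# virtual users: a match in /etc/vsftpd/users.db is enough
auth       sufficient pam_userdb.so    db=/etc/vsftpd/users
account    sufficient pam_userdb.so    db=/etc/vsftpd/users
auth       required   pam_shells.so
auth       include    system-auth
account    include    system-auth
session    include    system-auth
session    required   pam_loginuid.so
EOF
}

# Steps 6-7: per-user config (file name == login name; vsftpd opens
# user_config_dir/<login> after USER) plus that user's upload directory.
write_user_conf() {
    u="$1"
    mkdir -p "$PREFIX/etc/vsftpd/users" "$PREFIX/var/ftp/$GUEST_USER/$u"
    cat > "$PREFIX/etc/vsftpd/users/$u" <<EOF
user_sub_token=\$USER
local_root=/var/ftp/$GUEST_USER/\$USER
guest_enable=YES
guest_username=$GUEST_USER
anon_umask=0022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF
}

# Steps 3-4: users.txt has login and password on alternating lines. pam_userdb
# appends ".db" itself: db=/etc/vsftpd/users means /etc/vsftpd/users.db.
build_userdb() {
    src="$1"; d="$PREFIX/etc/vsftpd"
    load=$(command -v db_load || command -v db42_load || true)
    [ -n "$load" ] || { echo "db_load not installed (db4-utils)" >&2; return 1; }
    rm -f "$d/users.db"
    "$load" -T -t hash -f "$src" "$d/users.db"
    chmod 600 "$d/users.db"
}

# Pre-restart check: each login needs a config file and a directory and must
# not be a local account too (pam_userdb would accept it with the database
# password before the system password is ever consulted). Returns 1 on any problem.
check_users() {
    src="$1"; rc=0; passwd="$PREFIX/etc/passwd"
    while IFS= read -r name && IFS= read -r _pw; do
        [ -f "$PREFIX/etc/vsftpd/users/$name" ] || { echo "no config for $name" >&2; rc=1; }
        [ -d "$PREFIX/var/ftp/$GUEST_USER/$name" ] || { echo "no directory for $name" >&2; rc=1; }
        if [ -f "$passwd" ] && grep -q "^$name:" "$passwd"; then
            echo "$name is also a local account" >&2; rc=1
        fi
    done < "$src"
    return "$rc"
}

# Stage two constructed sample users; restart vsftpd (Step 9) only after the
# staged tree is copied into place and check_users passes.
if [ "${1:-}" = "stage" ]; then
    write_main_conf; write_pam_conf
    printf 'user1\npasswd1\nuser2\npasswd2\n' > "$PREFIX/users.txt"
    write_user_conf user1; write_user_conf user2
    build_userdb "$PREFIX/users.txt" || true
    check_users "$PREFIX/users.txt" && echo "staged under $PREFIX"
fi
```

Run it as `sh stage.sh stage`, inspect the tree under /tmp/vsftpd-stage, then copy it into /etc and /var/ftp (or rerun with PREFIX="" as root). The check deliberately reads the same users.txt that feeds db_load, so the names in the database and the files in users/ cannot drift apart.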

1 comment:

Unknown said...

It's very useful, thanks!
And I think you are good at zaptel development. I am studying the code of zaptel; however, I feel the code is hard to understand, and after reading your blog I still have some confusion. So could you help me to study the code of zaptel (now it is called DAHDI)? Thank you very much!
My msn is zlqhope@hotmail.com