ftp:virtual_users_in_vsftpd

Differences

This shows you the differences between two versions of the page.

ftp:virtual_users_in_vsftpd [2016/09/28 14:09] peter
ftp:virtual_users_in_vsftpd [2019/11/29 14:39] (current) – removed peter
Line 1: Line 1:
-====== FTP - Virtual users in VsFtpd ====== 
  
-Virtual users are users that do not exist on the system - they are not in **/etc/passwd**, do not have a home directory on the system, can not login but in vsftpd - or if they do exist, they can login in vsftpd with a non system password - security. 
- 
-You can set different definitions to each virtual user, granting to each of these users different permissions.  If TLS/SSL/FTPS and virtual users are enabled, the level of security of your vsftpd server is increased: encrypted passwords, with passwords that are not used on the system, and users that can't access directly to their home directory (if you want). 
- 
-The following example is based and adapted on the example for virtual users in vsftpd site, on documentation and the very good examples.  
- 
-Currently there is a restriction that with **guest_enable enabled**, local users also get mapped to guest_username.  This is a polite way to say that if the default vsftpd PAM file is used, the system users will be guests too.  To avoid confusions change the PAM file used by vsftpd to authenticate only virtual users, make all vsftpd users as virtual users and set their passwords, home and permissions based on this example.  
- 
- 
-===== Create The Virtual Users Database ===== 
- 
-To create a "db4" format file to store usernames (another option here would be an apache htpasswd style file, not discussed), first create a plain text files with the usernames and password on alternating lines.  For e.g. create user named "john" with password called "johnpass" and another user named "mark" with password "markpass": 
- 
-<code bash> 
-mkdir /etc/vsftpd # if necessary. 
-cd /etc/vsftpd 
-sudo vi vusers.txt 
-</code> 
- 
-and populate the file: 
- 
-<code> 
-john 
-johnpass 
-mark 
-markpass 
-</code> 
- 
- 
-===== Create the actual database file ===== 
- 
-**NOTE**:  This may require the **db_util** package to be installed first. 
- 
-<code bash> 
-db_load -T -t hash -f vusers.txt vsftpd-virtual-user.db  
-chmod 600 vsftpd-virtual-user.db # make it not global readable. 
-rm vusers.txt 
-</code> 
- 
- 
-===== Configure VsFtpd for virtual user ===== 
- 
-Edit the VsFtpd configuration file (/etc/vsftpd.conf).   
- 
-<code bash> 
-vi /etc/vsftpd.conf 
-</code> 
- 
-and add or modify as: 
- 
-<code> 
-anonymous_enable=NO 
-local_enable=YES 
-# Virtual users will use the same privileges as local users. 
-# It will grant write access to virtual users. Virtual users will use the 
-# same privileges as anonymous users, which tends to be more restrictive 
-# (especially in terms of write access). 
-virtual_use_local_privs=YES 
-write_enable=YES 
- 
-# Set the name of the PAM service vsftpd will use 
-pam_service_name=vsftpd.virtual 
- 
-# Activates virtual users 
-guest_enable=YES 
- 
-# Automatically generate a home directory for each virtual user, based on a template. 
-# For example, if the home directory of the real user specified via guest_username is 
-# /home/virtual/$USER, and user_sub_token is set to $USER, then when virtual user vivek 
-# logs in, he will end up (usually chroot()'ed) in the directory /home/virtual/vivek. 
-# This option also takes affect if local_root contains user_sub_token. 
-user_sub_token=$USER 
- 
-# Usually this is mapped to Apache virtual hosting docroot, so that 
-# Users can upload files 
-local_root=/home/vftp/$USER 
- 
-# Chroot user and lock down to their home dirs 
-chroot_local_user=YES 
- 
-# Hide ids from user 
-hide_ids=YES 
-</code> 
- 
-Save and close the file. 
- 
- 
-===== Create a PAM File Which Uses Your New Database ===== 
- 
-The following PAM is used to authenticate users using your new database.  Create **/etc/pam.d/vsftpd.virtual**.  
- 
-<code bash> 
-sudo vi /etc/pam.d/vsftpd.virtual 
-</code> 
- 
-and add or modify as: 
- 
-<code> 
-#%PAM-1.0 
-auth       required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user 
-account    required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user 
-session    required     pam_loginuid.so 
-</code> 
- 
- 
-===== Create The Location Of The Files ===== 
- 
-You need to set up the location of the files / dirs for the virtual users.  Type the following command:  
- 
-<code bash> 
-mkdir /home/vftp 
-</code> 
- 
-and then create sub-directories for each virtual user. 
- 
-<code bash> 
-# mkdir -p /home/vftp/{john,mark} 
-# chown -R ftp:ftp /home/vftp 
-</code> 
- 
- 
-===== Restart The FTP Server ===== 
- 
-Type the following command: 
- 
-<code bash> 
-service vsftpd restart 
-</code> 
- 
- 
-===== Test Your Setup ===== 
- 
-Open another shell session and type:  
- 
-<code bash> 
-ftp localhost 
-</code> 
- 
-Sample success output: 
- 
-<code> 
-Connected to ftp.sharewiz.net. 
-Name (localhost:root): john 
-331 Please specify the password.[user now types in johnpass] 
-Password: 
-230 Login successful. 
-Remote system type is UNIX. 
-Using binary mode to transfer files. 
-ftp>  
-</code> 
- 
- 
-===== Troubleshooting ===== 
- 
-The official Vsftpd documentation at ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS may be helpful. 
- 
-By default files are created with permissions like **-rw**. 
- 
-(and owned by the ftp user if using virtual users).  To change this to something less restrictive (it defaults to 077, the above) then set **local_umask=022** (for -rw-r--r-- type permissions) in your vsftp.conf file and restart the service. 
- 
- 
-===== References ===== 
- 
-  * http://j.mp/YunkHV - vsftpd - Secure, fast FTP server for UNIX-like systems security.appspot.com Secure, fast FTP server for UNIX systems 
-  * http://j.mp/Yunor2 - vsftpd - Wikipedia, the free encyclopedia: en.wikipedia.org vsftpd, which stands for "Very Secure FTPDaemon", is an FTP server for Unix-like systems, including Linux. It is licensed under the GNU General Public License. It supports IPv6 and SSL. 
- 
-See Also 
- 
-  * http://j.mp/WsBpj0 - Configuring vsftpd for secure connections (TLS/SSL/SFTP) - VPSLink Wiki http://wiki.vpslink.com/Configuring_vsft...  
- 
-This article pertains specifically to vsftpd on CentOS.  Except for the installation instructions it should be adaptable to other distributions as well.. 
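Review bot: the edit summary on the 2019/11/29 revision is only "removed", with no reason given and no pointer to a replacement, although the deleted text is a complete setup procedure; say why the page is dropped and where readers should go instead. If the content is moved or restored rather than retired, two things in it want fixing first. The comment block above virtual_use_local_privs=YES says both that virtual users get the same privileges as local users and that they get the same privileges as anonymous users; only the first matches the setting shown. The db_load step loads the passwords from vusers.txt exactly as typed, and the pam_userdb.so lines carry no crypt= option, so vsftpd-virtual-user.db holds cleartext passwords protected only by chmod 600; storing crypt(3) hashes in the text file and adding crypt=crypt to the auth line would remove that exposure. The Troubleshooting paragraph also names the file vsftp.conf where the earlier section uses /etc/vsftpd.conf.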
ftp/virtual_users_in_vsftpd.1475071758.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
