FTP Server
1. vsFTPd
1.1 Installing vsFTPd and pam_pwdfile
1.2 Adding Users
1.3 Configuring vsFTPd
1.4 Configuring pam_pwdfile
1.5 Configuring TLS/SSL
1.6 Testing
2. Virtual Hostess Integration
vsFTPd
The Very Secure FTP Daemon. I want to set up virtual users instead of local users and configure a user-specific home directory for each user. Setting up virtual users with a different home directory for each one allows FTP access to a web server running a number of different sites. Each user can have one or more logins to the ftp server. vsftpd uses PAM to authenticate virtual users, and whilst you can use any of PAM's authentication methods, I'm going to use the pam_pwdfile module because it is easy to manage and lightweight.
Installing vsFTPd and pam_pwdfile
aptitude install vsftpd libpam-pwdfile
Adding Users
According to the README in the Debian package for libpam-pwdfile, Warwick Duncan has written a utility, called chpwdfile, for managing the password files that pam_pwdfile uses. However, his website appears to be dead :-( A bit of Googling turned up the source tarball and a (Debian Sarge) .deb package for chpwdfile 0.24.
chpwdfile tarball
You can figure out how to build it; I was lazy and used the .deb below ;-)
wget http://cpbotha.net/files/mirror/chpwdfile-0.24.tar.gz
chpwdfile .deb
wget http://squeezypeezy.com/apt/pool/main/c/chpwdfile/chpwdfile_0.24-2_i386.deb
wget http://e-coaches.chateaucolombier.com/apt/pool/main/c/chpwdfile/chpwdfile_0.24-2_i386.deb
dpkg -i chpwdfile_0.24-2_i386.deb
Now that chpwdfile is installed, we can create the vsftpd password file.
mkdir -p /etc/virtual_hostess/
touch /etc/virtual_hostess/passwd-ftp
chmod 644 /etc/virtual_hostess/passwd-ftp
Finally, we can add some vsftpd users. The example below adds two users, 'fred' and 'barny'. Both passwords are stored as MD5 hashes; Fred's password is "Wilma1" and Barny's is "Betty1".
echo Wilma1 | chpwdfile -a -f /etc/virtual_hostess/passwd-ftp -tm fred -s
echo Betty1 | chpwdfile -a -f /etc/virtual_hostess/passwd-ftp -tm barny -s
To modify an existing account, change the -a (for add) to -m (for modify). If you want to delete an account, use -d (for delete). Simple, eh? ;-) It is possible to use 'htpasswd' from the apache2-utils package to manage the pam_pwdfile file, but I am a purist :-P
FTP Home Directories
mkdir -p /home/virtual/fred
chown www-data:www-data /home/virtual/fred
mkdir -p /home/virtual/barny
chown www-data:www-data /home/virtual/barny
Configuring vsFTPd
Next we need to edit the vsftpd configuration file /etc/vsftpd.conf.
nano /etc/vsftpd.conf
Find the parameters below and change them as shown.
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=0022
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
Add the following parameters before the Debian customization section, as they are not defined in the default vsftpd.conf that comes with the Debian package.
file_open_mode=0666
virtual_use_local_privs=YES
guest_enable=YES
guest_username=www-data
user_sub_token=$USER
local_root=/home/virtual/$USER
hide_ids=YES
dual_log_enable=YES
We've turned anonymous access off and enabled local access, which we need for virtual users, and we've specified that each user will be chrooted to their own directory, so user fred will be chrooted to /home/virtual/fred. Although the manual says that local_root will fail silently if the folder doesn't exist, that will not happen here because we've turned on chrooting: if the folder is missing, the user will get a 500 error from the ftp server. Finally, restart vsftpd so it reloads the configuration changes.
/etc/init.d/vsftpd restart
Configuring pam_pwdfile
Finally we need to configure PAM to use the password file. To do that we need to replace /etc/pam.d/vsftpd.
mv /etc/pam.d/vsftpd /etc/pam.d/vsftpd.orig
vi /etc/pam.d/vsftpd
# Customized login using htpasswd file
auth required pam_pwdfile.so pwdfile /etc/virtual_hostess/passwd-ftp
account required pam_permit.so
You need the account line because vsftpd requires both the auth and the account stage to succeed; as we are using virtual users without any account expiry information, we use the pam_permit module for the account stage.
Configuring TLS/SSL
nano /etc/vsftpd.conf
Sample:
ssl_enable=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/ssl/certs/flexion_certificate.pem
rsa_private_key_file=/etc/ssl/private/flexion_privatekey.pem
After enabling TLS/SSL support I could log in via TLS/SSL just fine, but a directory listing would not get returned; eventually the session would time out and I would get disconnected. I found the solution below...
... simply define your Internet IP address via the 'pasv_address' parameter in '/etc/vsftpd.conf' and also a port range (can be one port) for pasv connections. You will also need to forward/open your chosen pasv port range on your router/firewall.
pasv_address=1.2.3.4
pasv_min_port=12345
pasv_max_port=12349
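An added example, not from the page or from vsftpd, that reads a vsftpd.conf in its strict option=value syntax and reports the weak or missing settings this section touches: SSLv2/SSLv3 left enabled, the force_local_*_ssl options set to NO, and a TLS setup without the pasv_address and port range that the directory-listing problem above needed. The constructed samples reuse this page's values; the defaults it assumes (anonymous_enable and the force_local_*_ssl options default to YES) are vsftpd's documented ones.

```python
# Added example (not from the page or vsftpd): lint a vsftpd.conf for the settings
# this page touches: anonymous access, chroot, TLS versions, passive address/ports.
def parse_vsftpd_conf(text):
    """vsftpd.conf syntax: one 'option=value' per line, '#' comment lines."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or " " in key:  # vsftpd rejects spaces around '='
            raise ValueError(f"line {lineno}: expected option=value, got {raw!r}")
        conf[key] = value
    return conf

def lint(conf):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if conf.get("anonymous_enable", "YES") == "YES":  # vsftpd's built-in default
        findings.append("anonymous_enable=YES: anonymous logins allowed")
    if conf.get("chroot_local_user") != "YES":
        findings.append("chroot_local_user is not YES: users may leave local_root")
    if conf.get("ssl_enable") == "YES":
        for opt in ("ssl_sslv2", "ssl_sslv3"):
            if conf.get(opt) == "YES":
                findings.append(f"{opt}=YES: SSLv2/SSLv3 are deprecated, use TLS only")
        for opt in ("force_local_data_ssl", "force_local_logins_ssl"):
            if conf.get(opt, "YES") == "NO":  # default YES; NO permits clear text
                findings.append(f"{opt}=NO: logins or data may travel in the clear")
        missing = [o for o in ("pasv_address", "pasv_min_port", "pasv_max_port")
                   if o not in conf]
        if missing:
            findings.append("TLS passive mode needs " + ", ".join(missing)
                            + " set (directory listings stall without them)")
        else:
            lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
            if lo > hi or hi > 65535:
                findings.append(f"pasv port range {lo}-{hi} is not valid")
    return findings

# Constructed samples: the page's TLS settings as written, and a tightened copy.
PAGE_TLS_CONF = ("anonymous_enable=NO\nchroot_local_user=YES\nssl_enable=YES\n"
                 "force_local_data_ssl=NO\nforce_local_logins_ssl=NO\n"
                 "ssl_tlsv1=YES\nssl_sslv2=YES\nssl_sslv3=YES\n")
HARDENED_CONF = (PAGE_TLS_CONF.replace("_ssl=NO", "_ssl=YES")
                 .replace("sslv2=YES", "sslv2=NO").replace("sslv3=YES", "sslv3=NO")
                 + "pasv_address=1.2.3.4\npasv_min_port=12345\npasv_max_port=12349\n")
```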
Testing
To test your setup, simply FTP to localhost on the server you are configuring...
ftp localhost
...and log in.
Connected to localhost.
220 (vsFTPd 2.0.5)
Name (localhost:root): fred
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
If you can't log in, you did something wrong.
Virtual Hostess Integration
So, all of the above explains how to set everything up manually. Having done that, Virtual Hostess can do the rest for you automatically: the virtual-web-rebuild.sh script does everything needed to provision chrooted FTP access to virtual hosts for each virtual host admin.
References
- http://vsftpd.beasts.org/
- http://howto.gumph.org/content/setup-virtual-users-and-directories-in-vsftpd/
- http://eclipse.che.uct.ac.za/chpwdfile/
- http://cpbotha.net/software/pam_pwdfile
- http://www.debiansec.com/linux/services/ftp.html
- http://www.linuxquestions.org/questions/linux-software-2/vsftpd-ssl-passive-listing-problem-262063/
$Id: FtpServer,v 1.30 2008/08/13 07:01:16 martin Exp $

