vsftpd: Local And Virtual Users With Bash Scripts For User Maintainance (CentOS 6.0) - Page 2
This chapter describes a detailed instruction set which when used enables the virtual user access option within VSFTPD server. This document assumes that you already have a working vsftpd server which has got local shell user access to it, if you don't then follow the instructions from the previous page.
The server being used here is a Linux CentOS Minimal installation build.
The virtual users home folders will be under /var/ftp/. You need to have either 'su' permissions or 'root' access or 'sudo' access.
As authentication will be required pam_userdb is a good option and is installed by default. Check with:
# yum info db4-utils
Install it with:
# yum install db4-utils as necessary
Create the virtual usersNow cd to /etc/vsftpd and prepare the .txt user file with the usernames and passwords. This file will have a username in single line and the password in the next as shown. It is good practice to put these in a separate folder.
sudhakar password1 bellamkonda password2
# cd /etc/vsftpd/
# mkdir vuser
# cd vuser
A pwd should show /etc/vsftpd/vuser, now create the file:
# vim vuser_list
Add your users and save it. This file now needs to be hashed with the DB4-util db_load so that vsftpd along with pam can use it for authentication.
# db_load -T -t hash /etc/vsftpd/vuser/vuser_list /etc/vsftpd/vuser/vuser_db.db
A hashed DB file of the vuser_list is created named vuser_db.db. Note that the file has a .db extension and this is necessary.
Enable Authentication with PAM
Now append to the file /etc/pam.d/vsftpd for this virtual user authentication to work.
# cd /etc/pam.d/
# vi vsftpd
auth sufficient pam_userdb.so db=/etc/vsftpd/vuser/vuser_db account sufficient pam_userdb.so db=/etc/vsftpd/vuser/vuser_db
Put these two lines at the very top of the file just below the #%PAM-1.0 line and save it. PAM_Userdb will automatically append the extension .db to the file specified in the path. These two lines have to be at the top of the stack for the dual authentication to work. This way you can have both real shell users and virtual users using the same instance of the daemon rather than starting two process of vsftpd.
Append Options to vsftpd.conf
Do the following changes to the vsftpd config file at /etc/vsftpd/vsftpd.conf:
guest_enable=YES # activate the virtual users virtual_use_local_privs=YES # virtual users have local priveleges user_sub_token=$USER local_root=/var/ftp/vuser/$USER # specifies a home directory for each virtual user chroot_local_user=YES # Restricting the user to the FTP area and HOME dir's only
Also disable SELinux in /etc/selinux/config so that the virtual user can write to the virtual directories under /var/ftp/vuser/$USER. Now change to the virtual user folder.
Create the Virtual User Folders
# cd /var/ftp
# mkdir vuser
# mkdir vuser/sudhakar
# mkdir vuser/bellamkonda
# chown -R ftp:ftp /etc/ftp/vuser/
Create system links with ln -s of all the /home/ folders under /var/ftp/vuser/ so that when the users login vsftpd will chroot to their respective folders.
Bash scripts and Howto article for automation are at http://sudhakarbellamkonda.blogspot.com/2011/12/vsftpd-virtual-users-creation-bash.html
For Local Users
In folder /var/ftp/vuser/:
# mkdir yourlocaluser
# chown ftp:ftp yourlocaluser
# ln -s /var/ftp/vuser/yourlocaluser /home/yourlocaluser/ftphome
All files uploaded will be owned by the user ftp:ftp.
Starting the server and testing
Start the service:
# service vsftpd start
Or restart it if already started with
# service vsftpd restart
From a different box connect to this server. Go on, you can use either a GUI or a cli client.
All set, go on use the FTP server, it is ready to serve.