vsftpd: Local And Virtual Users With Bash Scripts For User Maintenance (CentOS 6.0) - Page 2
Virtual Users
This chapter gives detailed instructions for enabling virtual user access in the vsftpd server. It assumes that you already have a working vsftpd server with local shell user access; if you don't, follow the instructions on the previous page.
The server being used here is a Linux CentOS Minimal installation build.
CentOS 6
vsftpd 2.2.2
The virtual users' home folders will be under /var/ftp/. You need 'su' permissions, 'root' access or 'sudo' access.
As authentication will be required, pam_userdb is a good option and is installed by default. Check with:
# yum info db4-utils
Install it, if necessary, with:
# yum install db4-utils
Create the virtual users
Now cd to /etc/vsftpd and prepare the .txt user file with the usernames and passwords. It is good practice to put these in a separate folder. This file will have a username on a single line and the password on the next, as shown:
sudhakar
password1
bellamkonda
password2
# cd /etc/vsftpd/
# mkdir vuser
# cd vuser
pwd should now show /etc/vsftpd/vuser. Create the file:
# vim vuser_list
Add your users and save it. This file now needs to be converted into a Berkeley DB hash database with db_load from db4-utils so that vsftpd, along with PAM, can use it for authentication. The -f option names the input file:
# db_load -T -t hash -f /etc/vsftpd/vuser/vuser_list /etc/vsftpd/vuser/vuser_db.db
A database file built from vuser_list is created, named vuser_db.db. Note that the file has a .db extension and this is necessary.
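Because the list is read as alternating username and password lines, a blank or missing line misaligns the pairs. The following added example (not part of the original article; the function names check_vuser_list and build_vuser_db are hypothetical) checks the list format before loading it and keeps both files readable by root only. It assumes awk and the db_load from db4-utils.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# check_vuser_list FILE: report format problems; return 0 only if FILE is clean.
check_vuser_list() {
    awk '
        /\r$/    { printf "line %d: CRLF line ending\n", NR; bad = 1 }
        $0 == "" { printf "line %d: empty line shifts every later pair\n", NR; bad = 1 }
        NR % 2 == 1 {                       # odd lines are usernames
            if ($0 ~ /[ \t]/) { printf "line %d: whitespace in username\n", NR; bad = 1 }
            if (seen[$0]++)   { printf "line %d: duplicate username %s\n", NR, $0; bad = 1 }
        }
        END {
            if (NR == 0)     { print "file is empty"; bad = 1 }
            if (NR % 2 == 1) { print "odd line count: last username has no password"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# build_vuser_db LIST DB: validate LIST, then load it as the article does.
# Returns 1 on a malformed list, 2 if db_load is missing, 3 if the load fails.
build_vuser_db() {
    list=$1
    db=$2
    check_vuser_list "$list" >&2 || return 1
    command -v db_load >/dev/null 2>&1 || { echo "db_load not found" >&2; return 2; }
    # pam_userdb as configured on this page compares stored passwords as-is,
    # so the list and the DB both hold cleartext: create them root-only.
    ( umask 077 && db_load -T -t hash -f "$list" "$db" ) || return 3
    chmod 600 "$list" "$db"
}

# Usage: sh build_vuser_db.sh /etc/vsftpd/vuser/vuser_list /etc/vsftpd/vuser/vuser_db.db
if [ "$#" -eq 2 ]; then
    build_vuser_db "$1" "$2"
fi
```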
Enable Authentication with PAM
Now edit the file /etc/pam.d/vsftpd and add the following lines for this virtual user authentication to work.
# cd /etc/pam.d/
# vi vsftpd
auth sufficient pam_userdb.so db=/etc/vsftpd/vuser/vuser_db
account sufficient pam_userdb.so db=/etc/vsftpd/vuser/vuser_db
Put these two lines at the very top of the file, just below the #%PAM-1.0 line, and save it. pam_userdb will automatically append the extension .db to the file specified in the path. These two lines have to be at the top of the stack for the dual authentication to work. This way you can have both real shell users and virtual users using the same instance of the daemon rather than starting two vsftpd processes.
Append Options to vsftpd.conf
Make the following changes to the vsftpd config file at /etc/vsftpd/vsftpd.conf. vsftpd does not accept a comment on the same line as a setting, so each comment sits on its own line:
# activate the virtual users
guest_enable=YES
# virtual users have local privileges
virtual_use_local_privs=YES
user_sub_token=$USER
# specifies a home directory for each virtual user
local_root=/var/ftp/vuser/$USER
# restrict the user to the FTP area and home directories only
chroot_local_user=YES
Also disable SELinux in /etc/selinux/config so that the virtual user can write to the virtual directories under /var/ftp/vuser/$USER. Now change to the virtual user folder.
Create the Virtual User Folders
# cd /var/ftp
# mkdir vuser
# mkdir vuser/sudhakar
# mkdir vuser/bellamkonda
# chown -R ftp:ftp /var/ftp/vuser/
Create symbolic links with ln -s for all the /home/ folders under /var/ftp/vuser/ so that when the users log in, vsftpd will chroot to their respective folders.
Bash scripts and Howto article for automation are at http://sudhakarbellamkonda.blogspot.com/2011/12/vsftpd-virtual-users-creation-bash.html
For Local Users
In folder /var/ftp/vuser/:
# mkdir yourlocaluser
# chown ftp:ftp yourlocaluser
# ln -s /var/ftp/vuser/yourlocaluser /home/yourlocaluser/ftphome
All files uploaded will be owned by the user ftp:ftp.
Starting the server and testing
Start the service:
# service vsftpd start
Or restart it if it is already started:
# service vsftpd restart
From a different box, connect to this server. You can use either a GUI or a CLI client.
All set: go on and use the FTP server, it is ready to serve.