Thursday, 1 December 2011

VSFTPD Virtual Users and Shell Users How To

This How To describes a detailed instruction set which when used enables the virtual user access option within VSFTPD server. This document assumes that you already have a working VSFTPD server which has got local shell user access to it, if you don't then follow the instructions at this link to setup the server.

The server being used here is a Linux Cent OS Minimal installation build.
Cent OS 6
VSFTPD 2.2.2

The virtual users home folders will be under /var/ftp/. You need to have either 'su' permissions or 'root' access or 'sudo' access.

As authentication will be required pam_userdb is a good option and is installed by default. Check with 

#yum info db4-utils

Install it with

#yum install db4-utils as necessary

Create the virtual users:

Now cd to /etc/vsftpd and prepare the .txt user file with the usernames and passwords. This file will have a username in single line and the password in the next as shown. It is good practice to put these in a separate folder.

#cd /etc/vsftpd/
#mkdir vuser
#cd vuser
A pwd should show /etc/vsftpd/vuser, now create the file
#vim vuser_list

Add your users and save it. This file now needs to be hashed with the DB4-util db_load so that vsftpd along with pam can use it for authentication.

#db_load -T -t hash -f /etc/vsftpd/vuser/vuser_list /etc/vsftpd/vuser/vuser_db.db

A hashed DB file of the vuser_list is created named vuser_db.db. Note that the file has a .db extension and this is necessary.

Enable Authentication with PAM:

Now append to the file /etc/pam.d/vsftpd for this virtual user authentication to work.

#cd /etc/pam.d/
#vi vsftpd
auth     sufficient db=/etc/vsftpd/vuser/vuser_db
account  sufficient db=/etc/vsftpd/vuser/vuser_db
Put these two lines at the very top of the file just below the #%PAM-1.0 line and save it. PAM_Userdb will automatically append the extension .db to the file specified in the path. This way you can have both real shell users and virtual users using the same instance of the daemon rather than starting two process of vsftpd.

Append Options to vsftpd.conf:

Do the following changes to the vsftpd config file at /etc/vsftpd/vsftpd.conf
guest_enable=YES - activate the virtual users
virtual_use_local_privs=YES -
virtual users have local priveleges
local_root=/var/ftp/vuser/$USER -
# specifies a home directory for each virtual userchroot_local_user=YES - Restricting the user to the FTP area and HOME dir's only
 Also disable SELinux in /etc/selinux/config so that the virtual user can write to the virtual directories under /var/ftp/vuser/$USER. Now change to the virtual user folder

Create the Virtual User Folders:

#cd /var/ftp
#mkdir vuser
#mkdir vuser/sudhakar
#mkdir vuser/bellamkonda
#chown -R ftp:ftp /etc/ftp/vuser/

Create system links with ln -s of all the /home/ folders under /var/ftp/vuser/ so that when the users login VSFTPD will chroot to their respective folders.
BASH Scripts and how to article for automation is at
Scripts maintained at vsftpd-virtualuser-bash-scripts.

For Local Users:

In folder /var/ftp/vuser/
#mkdir yourlocaluser
#chown ftp:ftp yourlocaluser
#ln -s /var/ftp/vuser/yourlocaluser /home/yourlocaluser/ftphome

All file uploaded will be owned by the user ftp:ftp.

Starting the server and testing:

Start the service

#service vsftpd start

Or restart it if already started with

#service vsftpd restart

From a different box connect to this server. Go on, you can use either a GUI or a cli client.

All set, go on use the FTP server, it is ready to serve.