README

This example shows how to set up vsftpd / PAM with "virtual users".
A virtual user is a user login which does not exist as a real login on the
system. Virtual users can therefore be more secure than real users, because
a compromised account gives access only to the FTP server, not to a shell or
to any other service that trusts the system password database.

Virtual users are often used to serve content that should be accessible to
untrusted users, but not generally accessible to the public.

Step 1) Create the virtual users database.
We are going to use pam_userdb to authenticate the virtual users. This needs
a username / password file in "db" format - Berkeley DB's database format.
To create a "db" format file, first create a plain text file with the
usernames and passwords on alternating lines (a username on one line, its
password on the next).
See example file "logins.txt" - this specifies "tom" with password "foo" and
"fred" with password "bar".
Whilst logged in as root, create the actual database file like this:

db_load -T -t hash -f logins.txt /etc/vsftpd_login.db
(Requires the Berkeley db program installed).
NOTE: Many systems have multiple versions of "db" installed, so you may
need to use e.g. db3_load for correct operation. This is known to affect
some Debian systems. The core issue is that pam_userdb is linked against one
specific db version and can only read a file written by the matching db_load
(e.g. it expects db3, whereas the db_load on your path is db4).

This will create /etc/vsftpd_login.db. The passwords are stored in it in
clear (pam_userdb compares them as plain text unless it is given its crypt=
option), so make sure the permissions are restricted:

chmod 600 /etc/vsftpd_login.db

The plain text logins.txt holds the same passwords; restrict it in the same
way, or delete it once the database has been built.

For more information on maintaining your login database, look around for
documentation on "Berkeley DB", e.g.
http://www.sleepycat.com/docs/utility/index.html


Step 2) Create a PAM file which uses your new database.

See the example file vsftpd.pam. It contains two lines:

auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd_login

This tells PAM to authenticate users using our new database. Note that the
db= argument is the database path without its ".db" suffix. The full
/lib/security/ path is only correct where the PAM modules actually live; on
systems that keep them elsewhere (e.g. /lib64/security or a multiarch
directory) write just "pam_userdb.so" and PAM will find it in its default
module directory. Copy this PAM file to the PAM directory - typically
/etc/pam.d/

cp vsftpd.pam /etc/pam.d/ftp

(Note - if you set pam_service_name to e.g. vsftpd instead, you'll need to copy
to /etc/pam.d/vsftpd).


Step 3) Set up the location of the files for the virtual users.

useradd -d /home/ftpsite virtual
ls -ld /home/ftpsite
(which should give):
drwx------    3 virtual  virtual      4096 Jul 30 00:39 /home/ftpsite

We have created a user called "virtual" with a home directory "/home/ftpsite".
(If ls reports that the directory does not exist, your useradd does not create
home directories by default and needs the -m option. This account only exists
to own the files and to be the privilege vsftpd drops to, so give it no usable
login shell, e.g. -s /usr/sbin/nologin or wherever nologin lives on your
system.)
Let's add some content to this download area:

cp /etc/hosts /home/ftpsite
chown virtual:virtual /home/ftpsite/hosts


Step 4) Create your vsftpd.conf config file.

See the example in this directory. Let's go through it line by line:

anonymous_enable=NO
local_enable=YES

This disables anonymous FTP for security, and enables non-anonymous FTP (which
is what virtual users use). Do not leave anonymous_enable out: its default
is YES.

write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO

These ensure that for security purposes, no write commands are allowed.
write_enable=NO is the master switch that disables every filesystem-changing
command on its own; the three anon_* lines are belt and braces (virtual users
are governed by the anon_* options, see guest_enable below).

chroot_local_user=YES

This makes sure that the virtual user is restricted to the virtual FTP area
/home/ftpsite we set up above. (vsftpd 2.3.5 and later refuse to chroot into
a directory the logged-in user can write to, and /home/ftpsite as created
above is owned and therefore writable by "virtual". On such versions either
make the directory root-owned and not writable by "virtual", or set
allow_writeable_chroot=YES; the former is the safer choice.)

guest_enable=YES
guest_username=virtual

The guest_enable is very important - it activates virtual users! And
guest_username says that all virtual users are mapped to the real user
"virtual" that we set up above. This will also determine where on the
filesystem the virtual users end up - the home directory of the user
"virtual", /home/ftpsite.

listen=YES
listen_port=10021

This puts vsftpd in "standalone" mode - i.e. not running from an inetd. This
means you just run the vsftpd executable and it will start up. This also
makes vsftpd listen for FTP requests on the non-standard port of 10021 (FTP
is usually 21).

pasv_min_port=30000
pasv_max_port=30999

These put a port range on passive FTP incoming requests - very useful if
you are configuring a firewall.

Copy the example vsftpd.conf file to /etc:

cp vsftpd.conf /etc/


Step 5) Start up vsftpd.

Go to the directory with the vsftpd binary in it, and:

./vsftpd

If all is well, the command will sit there. If all is not well, you will
likely see some error message.


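The following script is an added example and not part of the vsftpd
distribution. It carries Steps 1 to 5 through in one place, but stages the
files under a directory of your choosing instead of writing to /etc, so they
can be inspected before being copied into place as root. It also checks the
two things that most often go wrong in practice: a malformed logins.txt (an
odd number of lines, a blank field, or a user listed twice silently pairs the
wrong password with the wrong name from that point on), and a vsftpd.conf
that omits a setting whose default is the insecure one. The list of loader
names (db_load, db5.3_load, db4.8_load, db3_load) and the use of the bare
module name pam_userdb.so are assumptions about the target system, not
something the README states.

```shell
#!/bin/sh
# Added example, not part of the vsftpd distribution.  Stages the Step 1-5
# files under $STAGE (default ./vsftpd-stage) instead of writing to /etc and
# audits the resulting vsftpd.conf for the settings this README relies on.
# Assumptions: DB_LOAD_CANDIDATES lists the names the Berkeley DB loader may
# be installed under; pam_userdb is named without a path, which Linux-PAM
# resolves from its default module directory.
set -u
STAGE="${STAGE:-./vsftpd-stage}"
DB_LOAD_CANDIDATES="db_load db5.3_load db4.8_load db3_load"

# Convert "user:password" lines on stdin into pam_userdb's alternating-line
# format.  A blank field, a ':' inside a field or a duplicate user aborts and
# writes nothing: such a line shifts every later name/password pair by one.
make_logins_file() {  # $1 = output path
    awk -F: '
        NF != 2 || $1 == "" || $2 == "" { print "bad entry on line " NR > "/dev/stderr"; exit 1 }
        ($1 in seen) { print "duplicate user " $1 > "/dev/stderr"; exit 1 }
        { seen[$1] = 1; print $1; print $2 }' > "$1.tmp" &&
    mv "$1.tmp" "$1" || { rm -f "$1.tmp"; return 1; }
    chmod 600 "$1"   # the plain-text file holds the passwords as well
}

# Print the first db loader found, whatever name this system installs it under.
find_db_load() {
    for c in $DB_LOAD_CANDIDATES; do
        command -v "$c" 2>/dev/null && return 0
    done
    return 1
}

# Build the hash database pam_userdb reads.  $2 is the path WITHOUT ".db",
# i.e. the same string that goes into the PAM line's db= argument.
build_db() {  # $1 = logins.txt, $2 = database path stem
    loader=$(find_db_load) || { echo "no db_load found; install the Berkeley DB utilities" >&2; return 2; }
    "$loader" -T -t hash -f "$1" "$2.db" || return 1
    chmod 600 "$2.db"
}

# Value of a key in a vsftpd.conf (last occurrence wins, as in vsftpd), or $3
# when the key is absent.  Absence is resolved against vsftpd's own default:
# a missing anonymous_enable means YES, i.e. anonymous FTP switched on.
conf_get() {  # $1 = conf file, $2 = key, $3 = default
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Check the settings the README depends on.  Prints one line per finding and
# returns the number of findings (0 = clean).  Each spec is
# key:expected:vsftpd-default; the literal YES/NO spellings are expected.
audit_conf() {  # $1 = conf file
    n=0
    for spec in anonymous_enable:NO:YES local_enable:YES:NO write_enable:NO:NO \
                anon_upload_enable:NO:NO anon_mkdir_write_enable:NO:NO \
                anon_other_write_enable:NO:NO chroot_local_user:YES:NO \
                guest_enable:YES:NO; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; dflt=${rest#*:}
        got=$(conf_get "$1" "$key" "$dflt")
        [ "$got" = "$want" ] || { echo "finding: $key=$got (want $want)"; n=$((n + 1)); }
    done
    [ -n "$(conf_get "$1" guest_username "")" ] ||
        { echo "finding: guest_username is unset"; n=$((n + 1)); }
    lo=$(conf_get "$1" pasv_min_port 0); hi=$(conf_get "$1" pasv_max_port 0)
    [ "$lo" -gt 0 ] && [ "$hi" -ge "$lo" ] ||
        { echo "finding: passive port range $lo-$hi is not pinned for the firewall"; n=$((n + 1)); }
    return "$n"
}

# Write logins.txt (from user:password pairs on stdin), the PAM file and
# vsftpd.conf into $STAGE, audit the conf, then try to build the database.
# Returns 0 on success, 2 if only the database step could not run here.
stage_files() {
    mkdir -p "$STAGE/pam.d" || return 1
    make_logins_file "$STAGE/logins.txt" || return 1
    cat > "$STAGE/pam.d/ftp" <<'EOF'
auth    required pam_userdb.so db=/etc/vsftpd_login
account required pam_userdb.so db=/etc/vsftpd_login
EOF
    cat > "$STAGE/vsftpd.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
listen=YES
listen_port=10021
pasv_min_port=30000
pasv_max_port=30999
EOF
    audit_conf "$STAGE/vsftpd.conf" || return 1
    build_db "$STAGE/logins.txt" "$STAGE/vsftpd_login"
}

# Usage: printf 'tom:foo\nfred:bar\n' | STAGE=/tmp/vu sh stage_virtual_users.sh stage
if [ "${1:-}" = stage ]; then stage_files; fi
```

After a run, copy vsftpd_login.db to /etc, pam.d/ftp to /etc/pam.d/ and
vsftpd.conf to /etc as root, and run audit_conf again against the live
/etc/vsftpd.conf whenever it is edited later: the audit treats an absent key
as vsftpd's default, which is how a later "tidy up" of the file can quietly
re-enable anonymous logins.
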
Step 6) Test.

Launch another shell session (or background vsftpd with CTRL-Z and then "bg").
Here is an example of an FTP session:

ftp localhost 10021
Connected to localhost (127.0.0.1).
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (localhost:chris): tom
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (127,0,0,1,117,135)
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
ftp> size hosts
213 147
ftp>

Comments:
The password we gave was "foo".
Do not be alarmed by the "failed to open directory". That is because the
directory /home/ftpsite is not world readable (drwx------ above), and
anon_world_readable_only, which is on by default and applies to virtual users
just as it does to anonymous ones, refuses to list or serve anything that is
not world readable. We could change this behaviour if we wanted using
anon_world_readable_only=NO, but maybe we want it this way for security.
We can see that we have access to the "hosts" file we copied into the virtual
FTP area, via the size command (the copy of /etc/hosts is world readable).
It is also worth confirming the negative cases: "pwd" after "cd .." must still
report "/", a "put" of any file must be refused, and a wrong password must be
rejected with a 530 reply.
