Configuring vsftpd:
---
vsftpd will accept the log-in of users created in the shell; however, if you wish to add additional non-system users and/or lock them down to a specific folder, you will need to use the following instructions. Note that if you use virtual users, this is done in place of system users.
It is strongly recommended to read the documentation at https://security.appspot.com/vsftpd.html
-
If you simply wish to lock the system users to their home folder via FTP - you can do so by doing the following:
# vim /etc/vsftpd/vsftpd.conf
Make sure following line exists and is not commented out:
chroot_local_user=YES
Save and close the file. Restart vsftpd.
# /etc/init.d/vsftpd restart
-
To make use of virtual users, it can be done as follows.
In this example, users will be locked down to a folder specified on a per-user basis, e.g. /home/www/www.mydomain.com/. We also want anonymous access disabled and for users to only be able to access their respective site folder.
Firstly, to create a password file you can use the htpasswd tool provided with Apache. Note, however, that it only supports 8-character passwords; if you want to support longer passwords you would need to use a different PAM module or use md5-crypt passwords.
Assuming Apache is installed, allowing the use of htpasswd, for a user 'john' you run:
# mkdir /etc/vsftpd/
# htpasswd -c /etc/vsftpd/passwd john
for additional users just use:
# htpasswd /etc/vsftpd/passwd tom
# htpasswd /etc/vsftpd/passwd jack
etc.
Next we need to replace the vsftpd configuration file /etc/vsftpd.conf. Firstly take a copy of your original /etc/vsftpd.conf file as a backup. Then replace the current one with the following:
listen=YES
anonymous_enable=no
local_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd.virtual
rsa_cert_file=/etc/ssl/private/vsftpd.pem
virtual_use_local_privs=YES
write_enable=YES
guest_enable=YES
user_sub_token=$USER
hide_ids=YES
user_config_dir=/etc/vsftpd/
The above will disable anonymous access as well as system users, but enable local access for virtual users. We have also specified that users will be chrooted to their specific site/user folder. Note that if the folder you specify (covered later) does not exist, you will receive a 500 error on logging in.
Next, to configure PAM to use the password file, open /etc/pam.d/vsftpd.virtual in a text editor (vim/emacs/pico/nano) and paste the following three lines:
# Customized login using htpasswd file
auth required pam_pwdfile.so pwdfile /etc/vsftpd/passwd
account required pam_permit.so
Finally, we create the file which lists where each user can log in.
echo "local_root=/path/to/customer-ftp-folder/" > /etc/vsftpd/USERNAME
e.g. to lock the user 'john' to '/home/www/johnsites.com' you would do:
echo "local_root=/home/www/johnsites.com" > /etc/vsftpd/john
You must add a new file for each user you create.
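The steps above are easy to get slightly wrong (a typo in a per-user filename, a local_root that does not exist yet), and the only feedback vsftpd gives is a 500 error at login. The following script is an added example, not part of the original article: it provisions the per-user file and folder for a virtual user and runs a preflight check of the whole virtual-user setup before you try an ftp login. It assumes the layout used in this article (one file per user under user_config_dir containing local_root=...); all paths are parameters, so the demo at the bottom runs in a scratch directory with a constructed config and password file rather than touching /etc. The password file itself is left to htpasswd as shown above; only the usernames in it are read here.

```shell
#!/bin/sh
# Added example, not part of the original article: helpers that provision the
# per-user file for a vsftpd virtual user and preflight-check the virtual-user
# setup before trying an ftp login. All paths are parameters so the demo at the
# bottom runs in a scratch directory instead of /etc. The layout assumed is the
# article's: one file per user under user_config_dir containing local_root=...

# Print the value of key $2 from the vsftpd-style key=value file $1, ignoring
# comment lines. If the key appears more than once, the last line wins.
conf_get() {
    grep -v '^#' "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# Only allow plain usernames: the per-user file is written as
# "$user_config_dir/$user", so a name containing '/' or '..' would escape it.
valid_username() {
    case "$1" in
        ''|.|..|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# add_virtual_user USER LOCAL_ROOT [CONFIG_DIR]
# Creates LOCAL_ROOT (mode 750, as the article does) and writes the per-user
# file. It does not touch the password file, which htpasswd manages.
add_virtual_user() {
    au_user=$1 au_root=$2 au_cfgdir=${3:-/etc/vsftpd}
    valid_username "$au_user" || { echo "refusing username '$au_user'"; return 1; }
    case "$au_root" in
        /*) ;;
        *) echo "local_root must be an absolute path: $au_root"; return 1 ;;
    esac
    mkdir -p "$au_root" && chmod 750 "$au_root" || return 1
    printf 'local_root=%s\n' "$au_root" > "$au_cfgdir/$au_user"
}

# preflight VSFTPD_CONF PASSWD_FILE
# Checks the settings the article relies on and, for every user in the
# password file, that a per-user file exists and its local_root directory is
# present (a missing directory is what produces the "500 OOPS: cannot change
# directory" seen in the Testing section). Returns 0 only if everything passes.
preflight() {
    pf_conf=$1 pf_pw=$2 pf_rc=0
    [ -r "$pf_pw" ] || { echo "password file $pf_pw is not readable"; return 1; }
    for pf_kv in anonymous_enable=NO guest_enable=YES chroot_local_user=YES; do
        pf_key=${pf_kv%%=*} pf_want=${pf_kv#*=}
        # vsftpd accepts yes/no in any case, so compare upper-cased
        pf_have=$(conf_get "$pf_conf" "$pf_key" | tr '[:lower:]' '[:upper:]')
        [ "$pf_have" = "$pf_want" ] || { echo "$pf_key is '$pf_have', want $pf_want"; pf_rc=1; }
    done
    [ -n "$(conf_get "$pf_conf" pam_service_name)" ] || { echo "pam_service_name not set"; pf_rc=1; }
    pf_cfgdir=$(conf_get "$pf_conf" user_config_dir)
    [ -d "$pf_cfgdir" ] || { echo "user_config_dir '$pf_cfgdir' is not a directory"; return 1; }
    while IFS=: read -r pf_user pf_hash; do
        [ -n "$pf_user" ] || continue
        pf_ufile=$pf_cfgdir/$pf_user
        if [ ! -f "$pf_ufile" ]; then
            echo "$pf_user: no per-user file $pf_ufile"; pf_rc=1; continue
        fi
        pf_root=$(conf_get "$pf_ufile" local_root)
        if [ -z "$pf_root" ]; then
            echo "$pf_user: local_root not set in $pf_ufile"; pf_rc=1
        elif [ ! -d "$pf_root" ]; then
            echo "$pf_user: local_root $pf_root does not exist (login would get 500 OOPS)"; pf_rc=1
        fi
    done < "$pf_pw"
    return $pf_rc
}

# Demo in a scratch directory with a constructed config and password file.
demo() {
    d_tmp=$(mktemp -d)
    mkdir -p "$d_tmp/etc/vsftpd"
    # constructed: the article's settings, with user_config_dir pointing at the scratch dir
    printf 'anonymous_enable=no\nguest_enable=YES\nchroot_local_user=YES\n' > "$d_tmp/vsftpd.conf"
    printf 'pam_service_name=vsftpd.virtual\nuser_config_dir=%s/etc/vsftpd/\n' "$d_tmp" >> "$d_tmp/vsftpd.conf"
    # constructed password file; the hash is a placeholder, only the username is read here
    printf 'john:PLACEHOLDER_HASH\n' > "$d_tmp/etc/vsftpd/passwd"
    echo "--- before provisioning john:"
    preflight "$d_tmp/vsftpd.conf" "$d_tmp/etc/vsftpd/passwd" || true
    add_virtual_user john "$d_tmp/home/www/johnsites.com" "$d_tmp/etc/vsftpd"
    echo "--- after:"
    preflight "$d_tmp/vsftpd.conf" "$d_tmp/etc/vsftpd/passwd" && echo "preflight OK"
    rm -rf "$d_tmp"
}

demo
```

On a real server you would call add_virtual_user with the default config dir (e.g. `add_virtual_user john /home/www/johnsites.com`) and then `preflight /etc/vsftpd.conf /etc/vsftpd/passwd` before restarting vsftpd; the first preflight in the demo reports exactly the missing-folder condition that the Testing section below runs into interactively.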
Testing
-
Restart the vsftpd process to pick up the new settings:
# /etc/init.d/vsftpd stop
# /etc/init.d/vsftpd start
and try logging on via ftp.
# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
Name (127.0.0.1:root): john
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/www/johnsites.com/
So you will now need to create John's home folder and set the relevant permissions:
# mkdir /home/www/johnsites.com/
# chmod 750 /home/www/johnsites.com/
Now when we ftp in:
# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
Name (127.0.0.1:root): john
331 Please specify the password.
Password:
230 Login successful.
This concludes configuring vsftpd for virtual users.