Linux vsftpd with apache authentication ftp server

vsftpd setup and administration with apache authentication 30mar09


SETTING UP AND CONFIGURING VSFTPD

apt-get install nano //notepad like text editor

http://howto.gumph.org/content/setup-virtual-users-and-directories-in-vsftpd/

apt-get install vsftpd
apt-get install libpam-pwdfile //Pluggable Authentication Module - password file (apache htpasswd format)

//alternatively for red hat/centos, yum install vsftpd

NOTE: the user "nobody" can be used by vsftpd to run its unprivileged processes... so running usermod -s /bin/false on the user "nobody" will break the vsftpd service!

Sometimes vsftpd installs with a user called "vsftpd" or "ftp", in which case you may want to change that to "nobody".


//create the ftp password file

htpasswd -c /passwords/ftp.password firstuser //-c creates the file; the same path must be used in /etc/pam.d/vsftpd below


nano /etc/pam.d/vsftpd

Customized login using the htpasswd file (this is it, 2 lines!)

auth required pam_pwdfile.so pwdfile /passwords/ftp.password
account required pam_permit.so

//the password file allows one user to connect - and can allow full directory browsing


/etc/init.d/vsftpd reload
/etc/init.d/vsftpd restart


nano /etc/vsftpd.conf //this configuration just creates local users


listen=YES //run standalone and listen for connections
connect_from_port_20=YES //active-mode data connections originate from port 20
ftpd_banner=Welcome to FTP //welcome message

USER MANAGEMENT

anonymous_enable=NO //no anonymous users

local_enable=YES //local users can log on (MUST DISABLE SHELL!)
write_enable=YES //users can modify files

chroot_local_user=YES //local users by default are locked to home dir

chroot_list_enable=YES //enable a special file of users
chroot_list_file=/passwords/vsftpd.chroot_list //the list of users who can browse outside their home dir //for security reasons we will leave it blank

ascii_upload_enable=YES //might enable, as vsftpd by default doesn't use ASCII transfers...
ascii_download_enable=YES

user_sub_token=$USER
local_root=/var/www/ftp/$USER //default ftp directory (for chroots)

LOGGING

BASIC SECURITY

hide_ids=YES //don't display user ids
secure_chroot_dir=/var/run/vsftpd //empty directory for CHROOTs

pam_service_name=vsftpd //must match the file name under /etc/pam.d/ (the PAM service, not a user)

rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key


EXTRA OPTIONS

chroot_list_enable=YES

chroot_list_file=/anders-password/vsftpd.chroot_list

By default virtual users have anonymous user privileges (no write). (NOT REQUIRED? GIVEN BY DEFAULT?)

virtual_use_local_privs=YES
dirlist_enable=YES
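An added example (not from the original post) that audits a vsftpd.conf built along the lines above: it parses the key=value format, then flags the settings a reviewer would check (anonymous access, chroot, chroot_list exceptions, a pam_service_name with no matching file under /etc/pam.d/, a certificate configured without ssl_enable). The sample config and the set of PAM service names are constructed; use your own /etc/vsftpd.conf and `ls /etc/pam.d` in practice.

```python
def parse_vsftpd_conf(text):
    """vsftpd only treats lines that START with '#' as comments; no trailing comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_vsftpd_conf(text, pam_services, chroot_list=()):
    """Return findings. pam_services: names present in /etc/pam.d/.
    chroot_list: users listed in chroot_list_file (allowed OUTSIDE their chroot)."""
    c = parse_vsftpd_conf(text)
    findings = []
    if c.get('anonymous_enable', 'YES') != 'NO':          # compiled-in default is YES
        findings.append('anonymous_enable is not NO')
    if c.get('local_enable') == 'YES' and c.get('chroot_local_user') != 'YES':
        findings.append('local users are not chrooted to their home directory')
    if c.get('chroot_list_enable') == 'YES' and chroot_list:
        findings.append('chroot_list allows browsing outside home for: ' + ', '.join(chroot_list))
    svc = c.get('pam_service_name', 'ftp')                # vsftpd default service name is "ftp"
    if svc not in pam_services:
        findings.append('pam_service_name=%s has no file under /etc/pam.d/' % svc)
    if c.get('rsa_cert_file') and c.get('ssl_enable') != 'YES':
        findings.append('certificate configured but ssl_enable is not YES (plaintext logins)')
    if c.get('hide_ids') != 'YES':
        findings.append('hide_ids is not YES (uid/gid visible in listings)')
    return findings


# Constructed sample mirroring the page, including the pam_service_name=nobody mistake.
SAMPLE_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/passwords/vsftpd.chroot_list
hide_ids=YES
pam_service_name=nobody
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
"""
FIXED_CONF = SAMPLE_CONF.replace('pam_service_name=nobody', 'pam_service_name=vsftpd') + 'ssl_enable=YES\n'

if __name__ == '__main__':
    for f in audit_vsftpd_conf(SAMPLE_CONF, {'vsftpd', 'login', 'sshd'}):
        print('FINDING:', f)
```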

MULTIPLE LOGINS TO SHARED FOLDERS

user_config_dir=/var/www/users

In this dir you would have one file per user, named after the username, holding that user's config overrides.


ACCESSING OTHER DIRECTORIES

usermod -aG www-data USERNAME

Ensure that the "target" directory has group permissions (e.g. group www-data) and is chmod g+w if necessary (chmod 770).

//mount --bind SOURCE TARGET

mkdir /ftp-folders/USERNAME/link-to-TARGETNAME

mount --bind /var/www/temp-upload/ /ftp-folders/USERNAME/link-to-TARGETNAME


You will need to create a script that mounts at boot time...

mount-directory-link-to-www-upload.sh:

#!/bin/sh
# bind-mount the upload directory into the user's chroot at boot
mount --bind /var/www/temp-upload/ /ftp-folders/USERNAME/link-to-TARGETNAME

cp mount-directory-link-to-www-upload.sh /etc/init.d

update-rc.d mount-directory-link-to-www-upload.sh defaults


You can also have a top level user - e.g. a Marketing Director with FTP sub contractor users:

create Marketing user & home folder
create SubContractor1 user & home folder
create SubContractor2 user & home folder

in the /FTP/Marketing/home folder mkdir sub1 and sub2

then chgrp marketing /FTP/SubContractor1/home
then chmod 770 /FTP/SubContractor1/home
(and the same for /FTP/SubContractor2/home)

then

mount --bind SOURCE TARGET e.g.
mount --bind /FTP/SubContractor1/home /FTP/Marketing/sub1
mount --bind /FTP/SubContractor2/home /FTP/Marketing/sub2

Now marketing can login and add files for subcontractors, and subs can add files but sub1 can't see marketing or sub2!

NOTE: files created by marketing cannot be modified/deleted by subs

An alternative to above is to put the SubContractor users in the Marketing group as well - chroot/shell-nologin will ensure they can't see Marketing/other Sub folders BUT they can modify any files that belong to the Marketing group...


SECURITY

vsftpd has its own built-in commands for users, so remove their BASH shell access and instead give them a shell called /bin/false (or /usr/sbin/nologin)

usermod -s /usr/sbin/nologin USERNAME

you may have to add /usr/sbin/nologin to the list of valid shells: nano /etc/shells



useradd username
passwd username
usermod -aG www-data download
cat /etc/group

? usermod -d /folders/homedir/username ? cat /etc/passwd

This SEEMS to work to add a local user; make sure they have upload ability (r/w as well).

CREATING A NEW USER for VSFTPD

Login to the server via ssh as root, then run the following commands:

cd /ftpshare

mkdir USERNAME

useradd -d HOMEDIR USERNAME //in our case it is -d /ftpshare/USERNAME
passwd USERNAME

verify via "cat /etc/passwd"

add to the file /ftp-permissions/vsftpd.chroot_list the USERNAME

chown USERNAME:USERNAME /ftpshare/USERNAME

verify via "ls -al"

then run
/etc/init.d/vsftpd reload
/etc/init.d/vsftpd restart

NOTE: ensure that the directory (username) exists? and is created with r/w permissions for that user...? NOTE: usermod -d /folders/homedir/username?

data_connection_timeout=180 //(prevents large file downloads?)
idle_session_timeout=180
max_clients=50
max_per_ip=10



From the htpasswd man page: htpasswd encrypts passwords using either a version of MD5 modified for Apache, or the system's crypt() routine. Files managed by htpasswd may contain both types of passwords; some user records may have MD5-encrypted passwords while others in the same file may have passwords encrypted with crypt().

And I found how to do it at the command line:

htpasswd -mb /usr/web/.htpasswd-all jones Pwd4Steve

Encrypts the password from the command line (Pwd4Steve) using the MD5 algorithm, and stores it in the specified file.



Published

Feb 6, 2010

Category

linux
