vsftpd setup and administration with apache authentication 30mar09
SETTING UP AND CONFIGURING VSFTPD
apt-get install nano //notepad-like text editor
http://howto.gumph.org/content/setup-virtual-users-and-directories-in-vsftpd/
apt-get install vsftpd
apt-get install libpam-pwdfile //PAM module that authenticates against an Apache htpasswd-style password file (the htpasswd tool itself comes from the apache2-utils package)
//alternatively for red hat/centos, yum install vsftpd
NOTE: vsftpd runs its unprivileged helper process as the account named by nopriv_user, which defaults to "nobody"... so usermod -s /bin/false on "nobody" will break vsftpd! Leave that account alone.
some packages create a dedicated "vsftpd" or "ftp" account for this instead; check nopriv_user in /etc/vsftpd.conf and either keep that account intact or point nopriv_user at "nobody"
//create the ftp password file (-c creates/overwrites the file; drop -c when adding further users). The path must be the same one given to pam_pwdfile below, and the file should be root-owned with mode 600: pam_pwdfile reads it as root and nothing else needs to
htpasswd -c /passwords/ftp.password firstuser
nano /etc/pam.d/vsftpd
Customized login using htpasswd file (this is it, 2 lines! replace the package's existing contents, including the @include lines, otherwise the system password database is still consulted; if you keep a pam_shells.so line, the users' shell must be listed in /etc/shells, see SECURITY below)
auth required pam_pwdfile.so pwdfile /passwords/ftp.password
account required pam_permit.so
//each entry in the password file lets one named user connect; what that user can then see depends on the chroot settings below (without a chroot they can browse the whole filesystem)
/etc/init.d/vsftpd reload
/etc/init.d/vsftpd restart
nano /etc/vsftpd.conf //this configuration uses local (system) accounts, authenticated against the htpasswd file via PAM
listen=YES //run standalone and listen for connections (not via inetd)
connect_from_port_20=YES //active-mode data connections originate from port 20 as classic clients expect (this is not the listening port)
ftpd_banner=Welcome to FTP //welcome message (keep it generic; don't advertise version information)
USER MANAGEMENT
anonymous_enable=NO //no anonymous users (vsftpd's compiled-in default is YES, so set this explicitly)
local_enable=YES //local users can log on (MUST DISABLE THEIR SHELL, see SECURITY below)
write_enable=YES //users can upload, modify and delete files
chroot_local_user=YES //local users are locked to their home dir by default
chroot_list_enable=YES //enable a special file of users who are NOT chrooted
chroot_list_file=/passwords/vsftpd.chroot_list //the list of who can browse outside their home //for security reasons we will leave it blank
ascii_upload_enable=YES //only if a client needs it: vsftpd ignores ASCII mode by default
ascii_download_enable=YES //caution: man vsftpd.conf warns that ASCII downloads can be abused for DoS (e.g. SIZE on a huge file), so leave this at the default NO unless a client really needs it
user_sub_token=$USER
local_root=/var/www/ftp/$USER //default ftp directory, i.e. the chroot root for each user; note vsftpd 2.3.5 and later refuse to run with a writable chroot root (later versions add allow_writeable_chroot=YES to override), so keep this dir root-owned and give users writable subdirectories
LOGGING
BASIC SECURITY
hide_ids=YES //show ftp:ftp instead of real user and group names in directory listings
secure_chroot_dir=/var/run/vsftpd //empty, root-owned, non-writable directory vsftpd chroots into while it needs no filesystem access
pam_service_name=vsftpd //name of the PAM config file in /etc/pam.d that holds the htpasswd rules above (NOT a user; the unprivileged account is set with nopriv_user=nobody)
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key //these do nothing unless ssl_enable=YES is also set; snakeoil is a self-signed placeholder, replace it before real use
EXTRA OPTIONS
chroot_list_enable=YES
chroot_list_file=/anders-password/vsftpd.chroot_list //repeats the setting above; pick one path only, and whichever you pick, keep the file empty unless a user really must leave the chroot
virtual_use_local_privs=YES //only matters with guest_enable=YES (virtual users otherwise get anonymous privileges, i.e. no write); this setup logs users in as local accounts, so it is not needed
dirlist_enable=YES //directory listings (this is the default anyway)
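Added example (not from the original page): a small audit script that parses a vsftpd.conf and flags the settings discussed in this section, including the pam_service_name mistake and a certificate configured without ssl_enable. The two sample configurations are constructed from the directives above; the pam_file and chroot_list_users arguments stand in for the name of the file you edited under /etc/pam.d and the contents of chroot_list_file, which the script cannot read for you.

```python
"""Audit a vsftpd.conf for the settings this page cares about (added example)."""
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # (directive, why it matters)

# Compiled-in vsftpd defaults for the directives checked here (man vsftpd.conf).
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "chroot_local_user": "NO",
    "chroot_list_enable": "NO",
    "ssl_enable": "NO",
    "ascii_download_enable": "NO",
    "pam_service_name": "ftp",
    "hide_ids": "NO",
}


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Return directive -> value. vsftpd only accepts 'key=value' lines and '#' comments."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: Dict[str, str], pam_file: str = "vsftpd",
          chroot_list_users: Optional[List[str]] = None) -> List[Finding]:
    """Flag settings that widen exposure; an empty list means nothing was flagged."""
    def val(key: str) -> str:
        return conf.get(key, DEFAULTS.get(key, "")).upper()

    findings: List[Finding] = []
    if val("anonymous_enable") == "YES":
        findings.append(("anonymous_enable", "anonymous logins allowed (the compiled-in default; set NO explicitly)"))
    if val("local_enable") == "YES" and val("chroot_local_user") != "YES":
        findings.append(("chroot_local_user", "local users are not jailed and can browse the whole filesystem"))
    if val("chroot_local_user") == "YES" and val("chroot_list_enable") == "YES":
        for user in chroot_list_users or []:
            findings.append(("chroot_list_file", f"user '{user}' is listed, so is NOT chrooted"))
    if "rsa_cert_file" in conf and val("ssl_enable") != "YES":
        findings.append(("ssl_enable", "certificate configured but TLS is off; passwords cross the wire in clear text"))
    pam_value = conf.get("pam_service_name", DEFAULTS["pam_service_name"])
    if pam_value != pam_file:
        findings.append(("pam_service_name", f"'{pam_value}' does not match /etc/pam.d/{pam_file}; the htpasswd rules are not used"))
    if val("ascii_download_enable") == "YES":
        findings.append(("ascii_download_enable", "ASCII downloads can be abused for DoS (see man vsftpd.conf)"))
    if val("hide_ids") != "YES":
        findings.append(("hide_ids", "directory listings reveal real system user and group names"))
    return findings


# Constructed sample: the directives from this page as written, including the
# pam_service_name mistake and the missing ssl_enable.
AS_WRITTEN = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/passwords/vsftpd.chroot_list
ascii_download_enable=YES
hide_ids=YES
pam_service_name=nobody
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
"""

# Same file with the three problems fixed.
HARDENED = (AS_WRITTEN.replace("pam_service_name=nobody", "pam_service_name=vsftpd")
            .replace("ascii_download_enable=YES", "ascii_download_enable=NO")
            + "ssl_enable=YES\n")

if __name__ == "__main__":
    for name, text in (("as written", AS_WRITTEN), ("hardened", HARDENED)):
        print(name)
        for directive, why in audit(parse_vsftpd_conf(text)):
            print(f"  {directive}: {why}")
```

Run it against the real file with parse_vsftpd_conf(open("/etc/vsftpd.conf").read()) and pass the chroot list's contents as chroot_list_users; every listed name should be a deliberate exception.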
MULTIPLE LOGINS TO SHARED FOLDERS - per-user overrides
user_config_dir=/var/www/users
in this dir you would have a single file per user, named exactly like the username; any directive in it (e.g. local_root=/var/www/shared) overrides the global one for that user, so several accounts can be pointed at the same folder
ACCESSING OTHER DIRECTORIES
usermod -aG www-data USERNAME
ensure that the "target" directory is group-owned by the group you just added (e.g. www-data) and has group write permission, e.g. chmod 770 if necessary (symlinks do not resolve from inside a chroot, which is why bind mounts are used below)
//mount --bind SOURCE TARGET (makes SOURCE appear at TARGET, inside the user's chroot)
mkdir /ftp-folders/USERNAME/link-to-TARGETNAME
mount --bind /var/www/temp-upload/ /ftp-folders/USERNAME/link-to-TARGETNAME
Bind mounts do not survive a reboot, so either add a line to /etc/fstab (SOURCE TARGET none bind 0 0) or create a script that mounts at boot time...
mount-directory-link-to-www-upload.sh:
#!/bin/sh
mount --bind /var/www/temp-upload/ /ftp-folders/USERNAME/link-to-TARGETNAME
cp mount-directory-link-to-www-upload.sh /etc/init.d
chmod +x /etc/init.d/mount-directory-link-to-www-upload.sh
update-rc.d mount-directory-link-to-www-upload.sh defaults
YOU can either have a top-level user - e.g. Marketing Director - with FTP sub-contractor users beneath it:
create Marketing user & home folder
create SubContractor1 user & home folder
create SubContractor2 user & home folder
in the /FTP/Marketing/home folder mkdir sub1 and sub2
then chgrp marketing /FTP/SubContractor1/home (and the same for SubContractor2)
then chmod 770 /FTP/SubContractor1/home (and the same for SubContractor2)
then
mount --bind SOURCE TARGET e.g.
mount --bind /FTP/SubContractor1/home /FTP/Marketing/sub1
mount --bind /FTP/SubContractor2/home /FTP/Marketing/sub2
Now marketing can login and add files for subcontractors, and subs can add files, but sub1 can't see marketing or sub2!
NOTE: vsftpd's default local_umask is 077, so uploads are created mode 600 and the other party cannot even read them; set local_umask=022 (files created 644) for this sharing to work.
NOTE: files created by marketing cannot be modified by subs (they are owned by marketing), but they CAN be deleted, because a subcontractor has write permission on the directory. If that matters, make marketing the owner of the folder instead (chown marketing:SubContractor1's-group, chmod 1770): the sticky bit then stops sub1 removing files it does not own.
An alternative to the above is to put the SubContractor users in the Marketing group as well - the chroot plus a nologin shell will ensure they can't see Marketing/other Sub folders, BUT they can then modify any files that belong to the Marketing group...
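Added example (not from the original page): a small model of the Unix permission checks that decide what the Marketing and SubContractor accounts can do to each other's files in the layout above, including the directory-write rule for deletion, the sticky bit, and the effect of vsftpd's local_umask. The account names, paths, file names and modes are constructed to mirror the layout; marketing_owns_dir=True is the hardened variant suggested in the note (folder owned by marketing, group SubContractor1, mode 1770). A bind mount shares the same inode, so the same bits apply whichever path the user sees.

```python
"""Evaluate owner/group/other permissions for the shared-folder layout (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Set

BRIEF = "/FTP/SubContractor1/home/brief.txt"      # uploaded by marketing for sub1
INVOICE = "/FTP/SubContractor1/home/invoice.pdf"  # uploaded by sub1 for marketing


@dataclass
class Node:
    owner: str
    group: str
    mode: int            # permission bits, e.g. 0o770; 0o1000 is the sticky bit
    is_dir: bool = False


@dataclass
class World:
    users: Dict[str, Set[str]]            # user -> groups (primary group included)
    nodes: Dict[str, Node] = field(default_factory=dict)

    def _bits(self, user: str, node: Node) -> int:
        """Unix picks exactly one class: owner, else group, else other."""
        if node.owner == user:
            return (node.mode >> 6) & 7
        if node.group in self.users[user]:
            return (node.mode >> 3) & 7
        return node.mode & 7

    def can(self, user: str, path: str, want: str) -> bool:
        """want is 'r', 'w' or 'x'; every ancestor directory also needs 'x' (search)."""
        parts = path.strip("/").split("/")
        for i in range(1, len(parts)):
            if not self._bits(user, self.nodes["/" + "/".join(parts[:i])]) & 1:
                return False
        return bool(self._bits(user, self.nodes[path]) & {"r": 4, "w": 2, "x": 1}[want])

    def can_delete(self, user: str, path: str) -> bool:
        """unlink needs w+x on the parent dir; with the sticky bit set the caller
        must own either the file or the directory."""
        parent = path.rsplit("/", 1)[0]
        if not (self.can(user, parent, "w") and self.can(user, parent, "x")):
            return False
        pdir, node = self.nodes[parent], self.nodes[path]
        if pdir.mode & 0o1000:
            return user in (node.owner, pdir.owner)
        return True


def mode_from_umask(umask: int, is_dir: bool = False) -> int:
    """Mode of a newly created file (0666) or directory (0777) after the umask."""
    return (0o777 if is_dir else 0o666) & ~umask


def build_layout(umask: int, marketing_owns_dir: bool = False) -> World:
    """The page's layout: sub1's home is group 'marketing', mode 770.
    The hardened variant gives the folder to marketing with the sticky bit set."""
    w = World(users={"marketing": {"marketing"}, "sub1": {"sub1"}, "sub2": {"sub2"}})
    for d in ("/FTP", "/FTP/SubContractor1", "/FTP/SubContractor2"):
        w.nodes[d] = Node("root", "root", 0o755, is_dir=True)
    if marketing_owns_dir:
        w.nodes["/FTP/SubContractor1/home"] = Node("marketing", "sub1", 0o1770, is_dir=True)
    else:
        w.nodes["/FTP/SubContractor1/home"] = Node("sub1", "marketing", 0o770, is_dir=True)
    w.nodes["/FTP/SubContractor2/home"] = Node("sub2", "marketing", 0o770, is_dir=True)
    # vsftpd applies local_umask to every upload (default 077 -> mode 600)
    w.nodes[BRIEF] = Node("marketing", "marketing", mode_from_umask(umask))
    w.nodes[INVOICE] = Node("sub1", "sub1", mode_from_umask(umask))
    return w


if __name__ == "__main__":
    for umask in (0o077, 0o022):
        w = build_layout(umask)
        print(f"umask {umask:03o}: sub1 reads marketing's file? {w.can('sub1', BRIEF, 'r')},"
              f" deletes it? {w.can_delete('sub1', BRIEF)}")
    h = build_layout(0o022, marketing_owns_dir=True)
    print(f"sticky layout: sub1 deletes marketing's file? {h.can_delete('sub1', BRIEF)}")
```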
SECURITY
vsftpd has its own built-in commands for users, so remove their shell access and instead give them a shell called /bin/false (or /usr/sbin/nologin)
usermod -s /usr/sbin/nologin USERNAME
if the PAM config still includes pam_shells.so, the shell must be listed in /etc/shells, so you may have to add /usr/sbin/nologin there: nano /etc/shells
useradd username
passwd username
usermod -aG www-data download //here "download" is the ftp user being added to the web server group
cat /etc/group //verify the group membership
usermod -d /folders/homedir/username //optional: change the home dir (add -m to move its contents too)
cat /etc/passwd //verify shell and home dir
This works to add a local user; make sure they have upload ability (their home dir must be writable by them, see the note on local_root above)
CREATING A NEW USER for VSFTPD
login to server via ssh as root, then run the following commands
cd /ftpshare
mkdir USERNAME
useradd -d HOMEDIR -s /usr/sbin/nologin USERNAME //in our case it is -d /ftpshare/USERNAME
passwd USERNAME //sets the system password; if /etc/pam.d/vsftpd only holds the pam_pwdfile lines, the FTP password is the htpasswd entry instead:
htpasswd /passwords/ftp.password USERNAME //no -c, the file already exists
verify via "cat /etc/passwd"
only if this user must be able to leave the chroot (normally not): add USERNAME to /ftp-permissions/vsftpd.chroot_list; with chroot_local_user=YES that file lists the exceptions, so leave ordinary users out of it
chown USERNAME:USERNAME /ftpshare/USERNAME
verify via "ls -al"
then run
/etc/init.d/vsftpd reload
/etc/init.d/vsftpd restart
NOTE: the home directory must exist and be writable by that user (the mkdir and chown above do this); to change an existing account's home later, use usermod -d /folders/homedir/username
data_connection_timeout=180 //max seconds a data transfer may stall, not a total limit: large downloads are fine as long as data keeps flowing
idle_session_timeout=180 //seconds of inactivity before the control connection is dropped
max_clients=50 //total concurrent connections
max_per_ip=10 //concurrent connections from one source address
htpasswd encrypts passwords using either a version of MD5 modified for Apache, or the system's crypt() routine. Files managed by htpasswd may contain both types of passwords; some user records may have MD5-encrypted passwords while others in the same file may have passwords encrypted with crypt().
And I found how to do it at the command line:
htpasswd -mb /usr/web/.htpasswd-all jones Pwd4Steve
Encrypts the password from the command line (Pwd4Steve) using the MD5 algorithm, and stores it in the specified file. Note that -b puts the password on the command line, so it ends up in shell history and is briefly visible to other users via ps; omit -b to be prompted for it instead.
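Added example (not from the original page and not Apache's code): a pure-Python implementation of the Apache-modified MD5 scheme ($apr1$) that "htpasswd -m" writes, plus a verifier that reads a password file in the format pam_pwdfile consumes. It is useful for checking that an entry in ftp.password really matches before blaming vsftpd or PAM for a failed login. The username, password and fixed salt used below are constructed test data; the unsalted {SHA} format ("htpasswd -s") is supported only so older files can be read, and plain crypt() or bcrypt entries are refused rather than guessed at.

```python
"""Create and verify htpasswd ($apr1$) entries (added example)."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: 6 bits per character, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_md5(password: str, salt: str) -> str:
    """Apache's $apr1$ variant of md5crypt: an initial digest, then 1000 MD5 rounds
    over alternating password/salt mixes, encoded in the crypt alphabet."""
    pw, magic, slt = password.encode(), b"$apr1$", salt[:8].encode()
    ctx = hashlib.md5(pw + magic + slt)
    alt = hashlib.md5(pw + slt + pw).digest()
    n = len(pw)
    while n > 0:
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):
        r = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            r.update(slt)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return (magic + slt + b"$" + encoded).decode()


def make_entry(user: str, password: str, salt: Optional[str] = None) -> str:
    """One 'user:hash' line, as htpasswd -m would write it (random 8-char salt by default)."""
    if ":" in user:
        raise ValueError("username may not contain ':'")
    salt = salt or "".join(secrets.choice(ITOA64.decode()) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


def make_sha_entry(user: str, password: str) -> str:
    """'htpasswd -s' format: unsalted SHA-1, weaker than $apr1$; kept only for reading old files."""
    return f"{user}:{{SHA}}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def parse_htpasswd(text: str) -> Dict[str, str]:
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, _, stored = line.partition(":")
            entries[user] = stored
    return entries


def verify_user(text: str, user: str, password: str) -> bool:
    """True only for a known user whose stored hash matches; comparison is constant-time."""
    stored = parse_htpasswd(text).get(user)
    if stored is None:
        return False
    if stored.startswith("$apr1$"):
        candidate = apr1_md5(password, stored.split("$")[2])
    elif stored.startswith("{SHA}"):
        candidate = "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    else:
        raise ValueError(f"unsupported hash scheme for {user!r} (crypt() or bcrypt)")
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # constructed sample file: one $apr1$ user, one legacy {SHA} user
    sample = make_entry("jones", "Pwd4Steve") + "\n" + make_sha_entry("old", "legacy") + "\n"
    print(sample, end="")
    print("jones ok:", verify_user(sample, "jones", "Pwd4Steve"))
    print("old ok:", verify_user(sample, "old", "legacy"))
```

To check a real entry, pass the contents of /passwords/ftp.password as text; a False for the expected password means the file, not vsftpd, is the problem.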