Saturday, March 10, 2012

VsFTPD Virtual Server

Mysql Virtual Hosting, Individual User Directories and SSL Authentication with Chmod facility in Redhat6 and CentOS 6

Step 1: Install the required packages

  • Vsftpd
  • pam_mysql (for supporting mysql backend through pam)
Terminal
[root@station1.example.com~]# yum install vsftpd* pam_mysql

Step 2: Create Mysql database for Vsftpd

Terminal
[root@station1.example.com~]# mysql -u root -p
Enter password: 
#after entering the password you will get a 'mysql>' prompt
# type the following here
mysql > create database vsftpd;
#database will be created.
mysql > GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON vsftpd.* \
        TO 'vsftpd'@'localhost' IDENTIFIED BY 'ftpdpass';
mysql > GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON vsftpd.* \
        TO 'vsftpd'@'localhost.localdomain' IDENTIFIED BY 'ftpdpass';
mysql > FLUSH PRIVILEGES;

Replace the string ftpdpass with whatever password you want to use for the MySQL user vsftpd. Still on the MySQL shell, we create the database table we need (yes, there is only one table!):

Terminal
mysql > USE vsftpd;
mysql > CREATE TABLE `accounts` (
`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
`username` VARCHAR( 30 ) NOT NULL ,
`pass` VARCHAR( 50 ) NOT NULL ,
UNIQUE (
`username`
)
) ENGINE = MYISAM ;
# table will be created
mysql > quit ; 

As you may have noticed, with the quit; command we have left the MySQL shell and are back on the Linux shell.

Step 3: Create a virtual user virtualftp

First we create a non-privileged user called virtualftp (with the homedir /home/virtualftp ) belonging to the group virtualftp. We will run vsftpd under this user, and the FTP directories of our virtual users will be in the /home/virtualftp directory (e.g. /home/virtualftp/user1 , /home/virtualftp/user2 , etc.).

Terminal
[root@station1.example.com~]# useradd -d /home/virtualftp -s /sbin/nologin virtualftp

Then we make a backup of the original /etc/vsftpd.conf file and create our own:

Terminal
[root@station1.example.com~]# cp /etc/vsftpd/vsftpd.conf \
                              /etc/vsftpd/vsftpd.conf_orig
[root@station1.example.com~]# cat /dev/null > /etc/vsftpd.conf
[root@station1.example.com~]# vi /etc/vsftpd.conf
# Enter the following in vsftpd.conf file.

listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
connect_from_port_20=NO
listen_port=990
#ftpd_banner=Welcome to server2.linux.com FTP SITE
banner_file=/etc/vsftpd/banner_file
nopriv_user=nobody
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd

ssl_enable=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

guest_enable=YES
guest_username=virtualftp
user_sub_token=$USER
local_root=/home/virtualftp/$USER
virtual_use_local_privs=YES
chmod_enable=YES
#user_config_dir=/etc/vsftpd_user_conf

The configuration options are explained on http://vsftpd.beasts.org/vsftpd_conf.html. The important options for our virtual setup are chroot_local_user, guest_enable, guest_username, user_sub_token, local_root, and virtual_use_local_privs.

With the user_config_dir option you can specify a directory for per-user configuration files that override parts of the global settings. This is totally optional and up to you if you want to use this feature. I have not used this feature here so I put the # characher in front of the user_config_dir option.

Step 4: Configuring PAM to use Mysql

Now we must configure PAM so that it uses the MySQL database to authenticate our virtual FTP users instead of /etc/passwd and /etc/shadow. The PAM configuration for vsftpd is in /etc/pam.d/vsftpd. We make a backup of the original file and create a new one like this:

Terminal
[root@station1.example.com~]# cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd_orig
[root@station1.example.com~]# cat /dev/null > /etc/pam.d/vsftpd
[root@station1.example.com~]# vi /etc/pam.d/vsftpd

# this sould have the following line
auth required /lib/security/pam_mysql.so user=virtualftp passwd=virtualftp \
     host=localhost db=vsftpd table=accounts usercolumn=username \
     passwdcolumn=pass crypt=2
account required /lib/security/pam_mysql.so user=virtualftp passwd=virtualftp \
     host=localhost db=vsftpd table=accounts usercolumn=username \
     passwdcolumn=pass crypt=2

Please make sure mysql password is the same as the one you used in mysql previously

Afterwards, we restart vsftpd:

Terminal
[root@station1.example.com~]# service vsftpd restart

Step 5: Creating the first virtual user

To populate the database we have to go back to the MySql shell again, login as before and follow the instructions below.

Terminal
mysql > use vsftpd;
database changed
mysql > INSERT INTO accounts (username, pass) VALUES('Jimi', PASSWORD('secret'));
query successful

Jimi's homedir is /home/virtualftp/Jimi; unfortunately vsftpd doesn't create that directory automatically. Therefore we create it manually now and make it owned by the virtualftp user and the virtualftp group:

Terminal
[root@station1.example.com~]# mkdir /home/virtualftp/Jimi
[root@station1.example.com~]# chown virtualftp:virtualftp /home/vsftpd/Jimi

For database administration you can use PhpMyAdmin web interface to manage your users more time efficiently.

Now open your FTP client program on your work station (something like WS_FTP or SmartFTP if you are on a Windows system or gFTP on a Linux desktop) and try to connect. As hostname you use ftp.example.com (or the IP address of the system), the username is Jimi , and the password is secret . And remember use the port 990 to connect and check whether Auth-SSL is selected to authenticate.

If you are able to connect - congratulations! If not, something went wrong.

SSL and CHMOD notes below

To create a rsa certificate you would have to go to the /etc/pki/tls/certs directory and give a make command over there to get a vsftpd.pem

Terminal
[root@station1.example.com~]# cd /etc/pki/tls/certs
[root@station1.example.com~]# make vsftpd.pem

Note from Step 3 the SSL section this settings will force local logins to use SSL

Users on this server can change the permissions of thier files through the client program
chmod_enable and virtual_use_local_privs are the directives needed to accomplish that.

1 comment: