
May 18, 2009

How to: Vsftpd Virtual Users PAM Authentication Guide

This how-to will get your vsftpd server up and running with virtual users (no local users), PAM authentication, and encrypted passwords.

For a more in-depth explanation of why each step is done the way it is, here is the guide used as reference:
http://ubuntuforums.org/showthread.php?t=518293

Overview of what we're about to create:
  1. Create user account, create directory for user account, and assign permissions to the user account
  2. Create a directory for Virtual User accounts' VSFTPD permissions. Each user account's permissions can be customized in this folder (we will do this later on in step 7)
  3. Back up vsftpd.conf and edit vsftpd.conf to enable local users, set the PAM service, enable guest access, and define where our Virtual User account permissions are located
  4. Edit pam.d vsftpd file
  5. Create login text file
  6. Create login database for PAM to read and encrypt it
  7. Create a template settings file for Virtual User account permissions in step 2
  8. Use the template to create our user's permissions
  9. Edit our user's permission to define home and guest username
  10. Restart Vsftpd
  11. Put on our sunglasses and relax under the sun
The Guide:

1. The following will create a user named "genesis" with /home/genesis as its home directory

# Must use -d option (useradd does not create the directory for us, so we make it and hand it to the user)
sudo useradd -d /home/genesis genesis
sudo mkdir /home/genesis
sudo chown genesis /home/genesis


2. Create a directory for the Virtual User accounts' vsftpd permissions. You may already have the folder /etc/vsftpd

sudo mkdir /etc/vsftpd
sudo mkdir /etc/vsftpd/vusers



3. Back up vsftpd.conf now. Then edit vsftpd.conf and make sure the following directives are present (added or changed) alongside whatever else is in your current vsftpd.conf (you can use this sample vsftpd.conf as a guide). Virtual users are treated as guests, so we enable guest access, and user_config_dir tells vsftpd where the per-user permission files from step 2 live.

sudo nano /etc/vsftpd.conf

anonymous_enable=NO
local_enable=YES
pam_service_name=vsftpd
guest_enable=YES
user_config_dir=/etc/vsftpd/vusers



4. Edit the pam.d vsftpd file

sudo nano /etc/pam.d/vsftpd

Edit and ensure your /etc/pam.d/vsftpd file matches this one. The db= value is the database path without its .db suffix (pam_userdb appends it), so it must point at the file created in step 6, /etc/vsftpd/vsftpd_login.db:

# Standard behaviour for ftpd(8).
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Note: vsftpd handles anonymous logins on its own. Do not enable
# pam_ftp.so.
# Standard blurb.
#@include common-account
@include common-session
#@include common-auth
#auth required pam_shells.so
# Added per the readme to enable virtual users.
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login


5. Create a login.txt file. It can live anywhere; the commands in step 6 assume it is in /etc/vsftpd, so adjust the paths if you put it elsewhere

sudo nano login.txt

We will specify users and passwords here. You can add as many users/passwords as you want, in the following format: a user name on one line, followed by that user's password on the next line, with no blank lines in between:

genesis
genesispasswordgoeshere
someotheruser
someotheruserpasswordgoeshere



6. You must have libdb3 and libdb3-util installed. db4, which you may already have, will not work. Personally, I use Webmin, and I had to install these directly from the packages.ubuntu.com site.

We will create the login database from our login.txt file and then restrict access to the database. Future users are added through this same process, so to add more users you will either recreate login.txt or edit it and run db3_load again. Note that the database stores the passwords exactly as typed in login.txt (pam_userdb compares them in clear unless its line carries crypt=crypt, which this guide does not use), so the 600 mode on the .db file is what protects them:

sudo db3_load -T -t hash -f login.txt /etc/vsftpd/vsftpd_login.db
sudo chmod 600 /etc/vsftpd/vsftpd_login.db

# The following is not a safe solution, because if the file is
# compromised, all of your users/passwords will be compromised,
# but on the other hand, it will be easier to update future users
# you wish to add to your server. You should delete this with
# "sudo rm login.txt" (without quotes)
sudo chmod 600 /etc/vsftpd/login.txt
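Before loading the file it is worth checking its layout. The following script is an added example (mine, not from the original post): it parses a login.txt in the alternating user/password layout that db3_load -T expects and reports the mistakes that otherwise go unnoticed, since one stray blank or extra line shifts every later pair and silently gives later users the wrong password. The sample text inside it is constructed from the guide's example users.

```python
"""Check a login.txt before it goes into db3_load -T -t hash.
Added example, not part of the original post. The text format is alternating
lines: a key (user name) line followed by its data (password) line."""
import sys

# Constructed sample in the guide's layout (two users, no blank lines).
SAMPLE_LOGIN_TXT = ("genesis\ngenesispasswordgoeshere\n"
                    "someotheruser\nsomeotheruserpasswordgoeshere\n")


def parse_login_txt(text):
    """Return (pairs, problems): pairs is a list of (user, password) tuples."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # the trailing newline does not start a new line
    problems, pairs, seen = [], [], set()
    if len(lines) % 2:
        problems.append("odd number of lines (%d): the last user has no password line"
                        % len(lines))
    for i in range(0, len(lines) - 1, 2):
        user, password = lines[i], lines[i + 1]
        if not user or user != user.strip() or " " in user:
            problems.append("line %d: %r is not a usable user name" % (i + 1, user))
        if user in seen:
            problems.append("line %d: user %r is listed twice" % (i + 1, user))
        if not password or password != password.strip():
            problems.append("line %d: empty password or stray whitespace for %r"
                            % (i + 2, user))
        elif password == user or len(password) < 8:
            problems.append("line %d: weak password for %r" % (i + 2, user))
        seen.add(user)
        pairs.append((user, password))
    return pairs, problems


if __name__ == "__main__":
    # Usage: python3 check_login_txt.py [login.txt]; without an argument the
    # constructed sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOGIN_TXT
    pairs, problems = parse_login_txt(text)
    print("%d user(s) parsed" % len(pairs))
    for problem in problems:
        print("PROBLEM:", problem)
```

Run it against your own login.txt before the db3_load step; an empty problem list means every user has exactly one password line and no two entries share a name.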



7. We will create a template for our user permissions, located in /etc/vsftpd/vusers. The anon_* options apply here because vsftpd treats guest (virtual) logins like anonymous ones when deciding write permissions.

sudo nano /etc/vsftpd/vusers/template1forusers

write_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
local_root=/home/???
chroot_local_user=YES
dirlist_enable=YES
download_enable=YES
guest_username=???



8. Write out (save) the file as template1forusers

9. Now open template1forusers once again and change the ??? marks from step 7 to define user "genesis"

sudo nano /etc/vsftpd/vusers/template1forusers

Edit:

write_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
local_root=/home/genesis
chroot_local_user=YES
dirlist_enable=YES
download_enable=YES
guest_username=genesis

10. Instead of saving it to template1forusers, write out the file under the filename genesis. The file name must match the user name in the login database, because vsftpd looks for user_config_dir/<username> at login.

11. Restart vsftpd:

sudo /etc/init.d/vsftpd restart

12. Try logging in with
user name: genesis
password: genesispasswordgoeshere
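A consistency check for the finished setup, added here as an example and not part of the original post: it reads vsftpd.conf, /etc/pam.d/vsftpd and the user_config_dir, and reports the mismatches that most often break this guide (the db= path in the PAM file not matching the .db file from step 6, a password database readable by other users, a per-user file with the ??? marks left in, or a local_root that does not exist). The paths default to the guide's; the script name, the --demo option and the constructed demo layout are assumptions of the example.

```python
"""Sanity-check a vsftpd virtual-user setup like the one built above.
Added example, not part of the original post. Default paths are the guide's;
pass other paths to check copies, or --demo for a constructed layout."""
import os
import sys
import tempfile

# Directives step 3 of the guide requires, with the values it expects.
REQUIRED = {"anonymous_enable": "NO", "local_enable": "YES",
            "guest_enable": "YES", "pam_service_name": "vsftpd"}

def parse_vsftpd_conf(text):
    """Parse key=value lines; comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_main_conf(conf):
    """Problems in vsftpd.conf that would stop virtual-user logins."""
    problems = ["%s should be %s (found %r)" % (k, v, conf.get(k))
                for k, v in REQUIRED.items() if conf.get(k) != v]
    if "user_config_dir" not in conf:
        problems.append("user_config_dir is not set; per-user files are ignored")
    return problems

def pam_userdb_paths(pam_text):
    """Collect the db= argument of every active pam_userdb.so line."""
    paths = []
    for raw in pam_text.splitlines():
        line = raw.strip()
        if not line.startswith("#") and "pam_userdb.so" in line:
            paths += [tok[3:] for tok in line.split() if tok.startswith("db=")]
    return paths

def check_pam(pam_text):
    """pam_userdb appends '.db' to db=; the file must exist and be mode 600."""
    paths = pam_userdb_paths(pam_text)
    problems = [] if len(paths) >= 2 else ["pam_userdb.so missing on the auth or account line"]
    for base in sorted(set(paths)):
        db_file = base + ".db"
        if not os.path.isfile(db_file):
            problems.append("%s does not exist (db= must omit the .db suffix)" % db_file)
        elif os.stat(db_file).st_mode & 0o077:  # group/other bits set: passwords readable
            problems.append("%s is mode %o; should be 600" % (db_file, os.stat(db_file).st_mode & 0o777))
    return problems

def check_user_configs(user_config_dir):
    """Every per-user file needs a real local_root and a guest_username."""
    if not os.path.isdir(user_config_dir):
        return ["user_config_dir %s does not exist" % user_config_dir]
    problems = []
    for name in sorted(os.listdir(user_config_dir)):
        with open(os.path.join(user_config_dir, name)) as fh:
            conf = parse_vsftpd_conf(fh.read())
        for key in ("local_root", "guest_username"):  # missing key == template's ???
            if "???" in conf.get(key, "???"):
                problems.append("%s: %s is unset or still a placeholder" % (name, key))
        root = conf.get("local_root", "???")
        if "???" not in root and not os.path.isdir(root):
            problems.append("%s: local_root %s does not exist" % (name, root))
    return problems

def run_checks(vsftpd_conf="/etc/vsftpd.conf", pam_file="/etc/pam.d/vsftpd"):
    """Run every check; an empty list means the setup looks consistent."""
    with open(vsftpd_conf) as fh:
        conf = parse_vsftpd_conf(fh.read())
    with open(pam_file) as fh:
        problems = check_main_conf(conf) + check_pam(fh.read())
    if "user_config_dir" in conf:
        problems += check_user_configs(conf["user_config_dir"])
    return problems

def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)

def make_demo_layout(db_mode=0o600):
    """Constructed copy of the guide's layout in a temp dir (sample values only;
    the .db is a placeholder, not db3_load output). Returns (conf, pam) paths."""
    base = tempfile.mkdtemp(prefix="vsftpd-demo-")
    home, vusers = os.path.join(base, "home", "genesis"), os.path.join(base, "vusers")
    os.makedirs(home)
    os.makedirs(vusers)
    db_base = os.path.join(base, "vsftpd_login")
    _write(db_base + ".db", "placeholder\n")
    os.chmod(db_base + ".db", db_mode)
    conf_path, pam_path = os.path.join(base, "vsftpd.conf"), os.path.join(base, "pam_vsftpd")
    _write(conf_path, "anonymous_enable=NO\nlocal_enable=YES\npam_service_name=vsftpd\n"
           "guest_enable=YES\nuser_config_dir=%s\n" % vusers)
    _write(pam_path, "auth required pam_userdb.so db=%s\n"
           "account required pam_userdb.so db=%s\n" % (db_base, db_base))
    _write(os.path.join(vusers, "genesis"),
           "local_root=%s\nguest_username=genesis\nwrite_enable=YES\n" % home)
    return conf_path, pam_path

if __name__ == "__main__":
    args = make_demo_layout() if sys.argv[1:2] == ["--demo"] else sys.argv[1:3]
    for problem in run_checks(*args):
        print("PROBLEM:", problem)
```

Run it as root after step 11 (python3 check_vusers.py, or python3 check_vusers.py --demo to try it against the constructed layout). The template1forusers file from step 7 will be reported because it still holds the ??? marks; that is harmless, since no user of that name exists in the login database, but moving the template out of user_config_dir keeps the report clean.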

Give yourself a pat on the back. Great job!

May 15, 2009

Sample Vsftpd Configuration File

For those trying to create a vsftpd FTP server, just for reference, here is my vsftpd configuration file, configured for:
  1. PAM authentication for Virtual Users
  2. FTPS (SSL)
  3. No anonymous users
  4. Ports 30000-30100 opened on the firewall for passive connections
  5. Chrooted users

#Sample Vsftpd Config:
write_enable=YES
guest_enable=YES
user_config_dir=/etc/vsftpd/vusers
listen=YES
listen_port=990
local_umask=022
anon_umask=022
anonymous_enable=NO
local_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
idle_session_timeout=600
data_connection_timeout=120
ftpd_banner=**********Something goes here.************
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
pasv_min_port=30000
pasv_max_port=30100
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.key
hide_ids=YES
max_per_ip=2
max_clients=15
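As an added example (not part of the original post), the following script audits the TLS section of a configuration like the one above and emits a hardened copy. The sample it embeds is the post's own TLS and passive-port lines; the DEFAULTS table holds vsftpd's documented defaults for those options so that an absent line is judged correctly. On this sample it flags ssl_sslv2=YES and ssl_sslv3=YES: both protocol versions are obsolete and should be NO, leaving ssl_tlsv1 as the only enabled version, while the force_local_*_ssl lines already stop clients from falling back to clear text. It also confirms a fixed passive range is set, which matters with TLS because the firewall can no longer read the PASV reply on the encrypted control channel.

```python
"""Audit the TLS lines of a vsftpd.conf and emit a hardened copy.
Added example, not part of the original post; SAMPLE is the post's TLS and
passive-port lines, copied here so the audit runs offline."""

SAMPLE = """\
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.key
pasv_min_port=30000
pasv_max_port=30100
"""

# vsftpd's documented defaults for the options audited (used when a line is absent).
DEFAULTS = {"ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
            "ssl_tlsv1": "YES", "force_local_logins_ssl": "YES",
            "force_local_data_ssl": "YES"}

def parse_vsftpd_conf(text):
    """Parse key=value lines; comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def setting(conf, key):
    """Effective value of an option: what the file says, else vsftpd's default."""
    return conf.get(key, DEFAULTS[key])

def audit_tls(conf):
    """Findings for the TLS section; an empty list means nothing was flagged."""
    if setting(conf, "ssl_enable") != "YES":
        return ["ssl_enable=NO: logins and data are sent in clear text"]
    findings = []
    for key in ("ssl_sslv2", "ssl_sslv3"):
        if setting(conf, key) == "YES":
            findings.append("%s=YES: obsolete protocol version enabled; set it to NO" % key)
    if setting(conf, "ssl_tlsv1") != "YES":
        findings.append("ssl_tlsv1=NO: no TLS version is enabled")
    for key in ("force_local_logins_ssl", "force_local_data_ssl"):
        if setting(conf, key) != "YES":
            findings.append("%s=NO: clients may fall back to clear text" % key)
    return findings

def check_pasv_range(conf):
    """A fixed passive range is needed when the control channel is encrypted."""
    lo, hi = conf.get("pasv_min_port"), conf.get("pasv_max_port")
    if lo is None or hi is None:
        return ["pasv_min_port/pasv_max_port not set: open a fixed range and allow it on the firewall"]
    if not (lo.isdigit() and hi.isdigit() and 0 < int(lo) <= int(hi) <= 65535):
        return ["passive range %s-%s is not a valid port range" % (lo, hi)]
    return []

def harden_tls(conf):
    """Copy of conf with every option audit_tls checks forced to its safe value."""
    fixed = dict(conf)
    fixed.update({"ssl_enable": "YES", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
                  "ssl_tlsv1": "YES", "force_local_logins_ssl": "YES",
                  "force_local_data_ssl": "YES"})
    return fixed

def render(conf):
    """Serialise back to vsftpd's key=value syntax, one directive per line."""
    return "".join("%s=%s\n" % item for item in sorted(conf.items()))

if __name__ == "__main__":
    conf = parse_vsftpd_conf(SAMPLE)
    for finding in audit_tls(conf) + check_pasv_range(conf):
        print("FINDING:", finding)
    print("--- hardened ---")
    print(render(harden_tls(conf)), end="")
```

To audit a live file, replace SAMPLE with the contents of /etc/vsftpd.conf; the hardened output only rewrites the directives the audit looks at, so everything else in the file is carried through unchanged.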
