May 18, 2009

How to: Vsftpd Virtual Users PAM Authentication Guide

This How to, will help you get your Vsftpd server up and running with Virtual Users (no local users), PAM authentication, and encrypted passwords.

For a more in depth explanation, and why we did what we did, here are the guides used as reference:
http://ubuntuforums.org/showthread.php?t=518293

Overview of what we're about to create:
  1. Create user account, create directory for user account, and assign permissions to the user account
  2. Create a directory for Virtual User accounts' VSFTPD permissions. Each user account's permissions can be customized in this folder (we will do this later on in step 7)
  3. Backup Vsftpd.conf and edit Vstfpd.conf to enable local users, PAM service, enable guest, and define where our Virtual User account permissions are located
  4. Edit pam.d vsftpd file
  5. Create login text file
  6. Create login database for PAM to read and encrypt it
  7. Create a template settings file for Virtual User account permissions in step 2
  8. Use the template to create our user's permissions
  9. Edit our user's permission to define home and guest username
  10. Restart Vsftpd
  11. Put on our sunglasses and relax under the sun
The Guide:

1. The following will create a user with the name "genesis" and a home directory named "genesis"

# Must use -d option

sudo useradd -d /home/genesis genesis

sudo mkdir /home/genesis

sudo chown genesis /home/genesis



2. Create a directory for Virtual User accounts' VSFTPD permissions. You may already have the folder /etc/vsftpd

sudo mkdir /etc/vsftpd

sudo mkdir /etc/vsftpd/vusers



3. Backup Vsftpd.conf now. Edit your Vstfpd.conf and ensure these comments are either added or changed in addition to whatever you have in your current Vsftpd.conf. (you can use this sample vsftpd.conf as a guide) Virtual users are treated as guests, so we will enable guest access. We are also defining where our Virtual User account permissions are located.

sudo nano /etc/vsftpd.conf

anonymous_enable=NO

local_enable=YES

pam_service_name=vsftpd

guest_enable=YES

user_config_dir=/etc/vsftpd/vusers



4. Edit pam.d vsftpd file

sudo nano /etc/pam.d/vsftpd


Edit and ensure your /etc/pam.d/vsftpd file matches this one

# Standard behaviour for ftpd(8).

auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

# Note: vsftpd handles anonymous logins on its own. Do not enable

# pam_ftp.so.

# Standard blurb.

#@include common-account

@include common-session

#@include common-auth

#auth required pam_shells.so

# Added per the readme to enable virtual users.

auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login

account required /lib/security/pam_userdb.so db=/etc/vsftpd_login


5. Create a login.txt file wherever you want

sudo nano login.txt


We will specify users and passwords here. You can add as many users/passwords as you want here in the following format:

genesis

genesispasswordgoeshere

someotheruser

someotheruserpasswordgoeshere



6. You must have libdb3 and libdb3-util installed. db4, which you may already have, will not work. Personally, I use Webmin, and I had to install these directly from the packages.ubuntu.com site.

We will create the login database with our login.txt file and restrict access restrictions to the database. Future users will be added through this process, so to add more users, you either will recreate login.txt or edit it:

sudo db3_load -T -t hash -f login.txt /etc/vsftpd/vsftpd_login.db

sudo chmod 600 /etc/vsftpd/vsftpd_login.db

#The following is not a safe solution

#because if the file is compromised, all

#of your user/passwords will be compromised,

#but on the other hand, it will be easier

#to update future users you wish to add to

#your server. You should delete this with

#"sudo rm login.txt" without quotes

sudo chmod 600 /etc/vsftpd/login.txt



7. We will create a template for our user permissions located in /etc/vsftpd/vusers

sudo nano /etc/vsftpd/vusers/template1forusers


write_enable=YES

anon_mkdir_write_enable=YES

anon_other_write_enable=YES

anon_upload_enable=YES

local_root=/home/???

chroot_local_user=YES

dirlist_enable=YES

download_enable=YES

guest_username=???



8. Write out to template1forusers

9. Now open template1forusers once again and change the ??? marks in step 7 to define user "genesis"

sudo nano /etc/vsftpd/vusers/template1forusers


Edit:

write_enable=YES

anon_mkdir_write_enable=YES

anon_other_write_enable=YES

anon_upload_enable=YES

local_root=/home/genesis

chroot_local_user=YES

dirlist_enable=YES

download_enable=YES

guest_username=genesis


10. Instead of saving it to template1forusers, Write out the filename to genesis.

11. Restart Vsftpd. sudo /etc/init.d/vsftpd restart

12. Try logging in with
user name: genesis
password: genesispasswordgoeshere

Give yourself a pat on the back. Great job!
.
Posted by at 1:25 PM
Labels: , ,

1 comment:

Subscribe to: Post Comments (Atom)