Tuesday, October 6, 2009

VSFTPD and virtual user

I will show you how to install an FTP server on RedHat Linux and create a virtual user "upload" with password "kuku" for uploading and downloading files.

First, you need to run
[alexey@blogger ~]$ sudo yum install vsftpd
I got version 2.0.1
[alexey@blogger ~]$ vsftpd -v
vsftpd: version 2.0.1
Then let's back up the original config
[alexey@blogger ~]$ sudo cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.default
Now we can edit the config for our needs. Open vi
[alexey@blogger ~]$ sudo vi /etc/vsftpd/vsftpd.conf
paste the following
listen=YES
anonymous_enable=NO
local_enable=YES
virtual_use_local_privs=YES
write_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/usr/share/empty
pam_service_name=vsftpd
guest_enable=YES
guest_username=www
local_root=/path/to/ftp-directory
chroot_local_user=YES
hide_ids=YES
dirmessage_enable=NO
tcp_wrappers=YES
check_shell=NO
userlist_enable=YES
anon_umask=0644
ftpd_banner=Welcome to my FTP!

Now we should create the authentication file for the virtual users. You can use Apache's tools for this.
'-c' creates a new file (omit it when adding more users, or the existing file is overwritten); '-b' takes the password from the command line
[alexey@blogger ~]$ /usr/local/httpd/bin/htpasswd -cb /path/to/ftp/users upload kuku
Adding password for user default

Now we need to tell vsftpd how to check users. It uses PAM, which is configured in
[alexey@blogger ~]$ cat /etc/pam.d/vsftpd
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
Back it up with
[alexey@blogger ~]$ sudo cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.default
and paste the following
[alexey@blogger ~]$ cat /etc/pam.d/vsftpd
# MaggaPlus access
auth required pam_pwdfile.so pwdfile /path/to/ftp/users
account required pam_permit.so
[alexey@blogger ~]$

At this point you can start the daemon with
[alexey@blogger ~]$ sudo /etc/init.d/vsftpd start
and if everything is ok, try to connect to your new FTP.

I was dealing with a problem: even when I used the username and password pair I had just created, it always returned "Invalid login". I thought that the problem was in the users file and I rewrote it many times. But it was just the pwdfile file missing, which I got from
[alexey@blogger ~]$ sudo tail /var/log/messages
Oct 5 20:21:57 blogger vsftpd: vsftpd vsftpd succeeded
Oct 5 20:21:59 blogger vsftpd[27288]: PAM unable to dlopen(/lib/security/pam_pwdfile.so)
Oct 5 20:21:59 blogger vsftpd[27288]: PAM [dlerror: /lib/security/pam_pwdfile.so: cannot open shared object file: No such file
Oct 5 20:21:59 blogger vsftpd[27288]: PAM adding faulty module: /lib/security/pam_pwdfile.so
All PAM plugins are placed in
[alexey@blogger ~]$ ll /lib/security/
total 1884
-rwxr-xr-x 1 root root 15560 May 12 2006 pam_access.so
-rwxr-xr-x 1 root root 52334 Oct 13 2004 pam_ccreds.so
-rwxr-xr-x 1 root root 6004 May 12 2006 pam_chroot.so
...
And pam_pwdfile.so was missing :-(
I found it and installed it
[alexey@blogger ~]$ sudo rpm -i pam-pam_pwdfile-0.99-2.i586.rpm
warning: pam-pam_pwdfile-0.99-2.i586.rpm: V3 DSA signature: NOKEY, key ID 1bbd5459
Now it is fine, and FTP auth worked!
[alexey@blogger ~]$ ll /lib/security/pam_pwdfile.so
-rwxr-xr-x 1 root root 14572 Jul 30 2004 /lib/security/pam_pwdfile.so
Make sure that the FTP root is readable and writable for the specified user
[alexey@blogger ~]$ chmod 777 -R /path/to/ftp-directory

[alexey@blogger ~]$ ftp localhost
Connected to localhost (127.0.0.1).
220 Welcome to my FTP!
Name (blogger:alexey): upload
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> close
221 Goodbye.
ftp> bye
[alexey@blogger ~]$
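
A preflight check for the setup above, as an added example that is not part of the original post: it reports PAM modules named in the service file but absent from the module directory (the failure that surfaced above only as "Invalid login"), a world-readable users file, and world-writable paths under the FTP root. Function names are hypothetical and all paths are passed as arguments.

```shell
#!/bin/sh
# Added example: preflight checks for the vsftpd + pam_pwdfile setup on this page.
# Function names are hypothetical; paths are passed in, nothing is hard-coded.

# Print the users file named on the pam_pwdfile.so line of a PAM service file.
# Accepts "pwdfile /path" (as on this page) and "pwdfile=/path".
pam_pwdfile_path() {
    awk '$1 !~ /^#/ && /pam_pwdfile\.so/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "pwdfile") { print $(i + 1); exit }
            if ($i ~ /^pwdfile=/) { print substr($i, 9); exit }
        }
    }' "$1"
}

# List modules the service file references that are absent from the module dir.
# $1 = PAM service file, $2 = module directory (e.g. /lib/security)
missing_pam_modules() {
    awk '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break } }' "$1" |
    sort -u | while read -r mod; do
        case $mod in /*) path=$mod ;; *) path=$2/$mod ;; esac
        [ -e "$path" ] || echo "$mod"
    done
}

# "Other" permission bits (e.g. "rw-") taken from ls, so no stat(1) variant is needed.
other_bits() { ls -ld "$1" | cut -c8-10; }

# True when the users file (password hashes) can be read by any local account.
pwdfile_world_readable() { case $(other_bits "$1") in r*) return 0 ;; esac; return 1; }

# List world-writable files and directories under the FTP root.
world_writable_paths() { find "$1" ! -type l -perm -0002; }

# Run all checks; returns non-zero if any finding is reported.
# $1 = PAM service file, $2 = module directory, $3 = FTP root
audit() {
    rc=0
    for m in $(missing_pam_modules "$1" "$2"); do echo "FAIL missing PAM module: $m"; rc=1; done
    pw=$(pam_pwdfile_path "$1")
    if [ -z "$pw" ] || [ ! -f "$pw" ]; then echo "FAIL users file not found: ${pw:-unset}"; rc=1
    elif pwdfile_world_readable "$pw"; then echo "WARN world-readable users file: $pw"; rc=1; fi
    ww=$(world_writable_paths "$3" | wc -l | tr -d ' ')
    [ "$ww" -eq 0 ] || { echo "WARN $ww world-writable path(s) under $3"; rc=1; }
    return "$rc"
}

# Example: sh check.sh /etc/pam.d/vsftpd /lib/security /path/to/ftp-directory
if [ "$#" -eq 3 ]; then audit "$@"; fi
```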
