One of the labs that I work for wanted a shared file share that is accessible from anywhere, from any of the clients they run. We ended up going with an FTPS configuration on Ubuntu using vsftpd. All of the users are "virtual users": they exist only for the FTP daemon and have no login privileges on the Ubuntu system itself (no SSH, no shell, no entry in /etc/passwd). Also, all users work out of the same shared folder.
Since I had some trouble finding a good set of directions, I thought I’d write up what I did. First, because I’ll probably have to repeat it at some point, second because someone else might be looking for the same thing.
Requirements
- Ubuntu 10.04 LTS
- vsftpd 2.2.2+
- SSL certificate, either self-signed or from an SSL provider
Install software
If you haven’t installed vsftpd yet, you’ll want to do this:
sudo apt-get install vsftpd
Next we need a Berkeley DB utility for building the username/password database file that vsftpd (through PAM) will authenticate against:
sudo apt-get install db4.8-util
Depending on the package version, the command may be installed with a version prefix (for example db4.8_load rather than db_load); check with ls /usr/bin/db*_load and substitute the name you find in the db_load commands below.
Create virtual users
Now we need to create a text file that lists your virtual users. Let's start by creating a directory to store it in:
sudo mkdir -p /etc/vsftpd
Now create the text file. Note that the passwords in this file are in clear text, and the database file built from it below stores them in clear text as well (the conversion does not hash them), so both files must be treated as secrets and locked down as shown later.
sudo nano /etc/vsftpd/logins.txt
The file format is one line for the user account name, then the next line is that account's password. Repeat this pair for each user in a single monolithic file. For example:
mary
das2hky434adfg6yjkaf
peter
uh4nufh7ands
paul
ud674kr6d
Now we convert this plain-text file into a Berkeley DB file with the following command. The -T flag says the input is text, and -t hash selects the Berkeley DB "hash" access method (the on-disk index type); it does not hash the passwords, which end up in the .db file exactly as typed.
sudo db_load -T -t hash -f /etc/vsftpd/logins.txt /etc/vsftpd/virtual-users.db
Because both files hold the passwords in the clear, restrict them to root so nothing else on the box can read them:
sudo chmod 600 /etc/vsftpd/logins.txt
sudo chmod 600 /etc/vsftpd/virtual-users.db
Note: in the future, if you need to add, change or delete users, edit the logins.txt file and then run the db_load command again to re-create the database file; vsftpd picks up the new file on the next login, no restart needed.
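Because the logins.txt format is so strict (a missing or blank line silently shifts every following user onto the wrong password), it is worth checking the file before rebuilding the database. The following POSIX shell script is an added example, not part of the original write-up: check_logins rejects the common mistakes and rebuild_db then runs whichever db_load binary the system has and locks both files down. The paths are the ones used in the article; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Validates a vsftpd virtual-user
# file (alternating lines: username, password) and rebuilds the Berkeley DB.
# Paths follow the article; check_logins/rebuild_db are names chosen here.

# check_logins FILE
# Returns 0 when FILE is well formed, 1 otherwise (reason on stderr).
check_logins() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    # count lines with awk rather than wc so a missing final newline
    # does not hide the last line
    n=$(awk 'END { print NR }' "$f")
    [ "$n" -gt 0 ] || { echo "$f is empty" >&2; return 1; }
    if [ $((n % 2)) -ne 0 ]; then
        echo "odd number of lines ($n): a user has no password line" >&2
        return 1
    fi
    if grep -q '^[[:space:]]*$' "$f"; then
        echo "blank line present: it would become an empty name or password" >&2
        return 1
    fi
    # usernames sit on the odd lines; a duplicate key would silently
    # overwrite the earlier entry in the database
    dups=$(awk 'NR % 2 == 1' "$f" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate usernames: $dups" >&2
        return 1
    fi
    return 0
}

# rebuild_db FILE DB
# Regenerates DB from FILE with whichever db_load the system ships
# (the Ubuntu package may install it with a version prefix, as the
# comments below the article report) and restricts both files to root.
rebuild_db() {
    src=$1; db=$2
    check_logins "$src" || return 1
    for tool in db_load db4.8_load db5.1_load; do
        if command -v "$tool" >/dev/null 2>&1; then
            # -T: text input; -t hash: DB access method (NOT password hashing)
            "$tool" -T -t hash -f "$src" "$db" || return 1
            chmod 600 "$src" "$db"
            return 0
        fi
    done
    echo "no db_load binary found; install db4.8-util" >&2
    return 1
}

# typical use (as root):
#   rebuild_db /etc/vsftpd/logins.txt /etc/vsftpd/virtual-users.db
```

Run it as root after every edit to logins.txt; it refuses to touch the database if the text file is malformed, so a broken edit cannot lock everyone out.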
Configure vsftpd
Now we need to configure the vsftpd daemon to use the correct directory, have the correct permissions and correctly authenticate our users.
Let’s create a single directory for the data files on our server
sudo mkdir -p /var/ftp-data
Make sure the ftp service account (created by the vsftpd package) owns this directory. With guest_enable and virtual_use_local_privs set as below, every virtual user reads and writes files as this account, so it is the only local user that needs access:
sudo chown -R ftp:ftp /var/ftp-data
Now we need to define a new PAM service that vsftpd will use to verify our user logins. We do this by creating a new file in the PAM configuration folder:
sudo nano /etc/pam.d/vsftpd-virtual
The file contents should be as follows. Both lines point pam_userdb at our database (note that the db= path is given without the .db extension; the module appends it):
auth required pam_userdb.so db=/etc/vsftpd/virtual-users
account required pam_userdb.so db=/etc/vsftpd/virtual-users
By default pam_userdb compares the supplied password against the stored value as plain text, which matches the plain-text values db_load put in the file. If you would rather not keep clear-text passwords on disk, pam_userdb also accepts crypt=crypt, in which case the values in logins.txt must be crypt(3) hashes instead of passwords.
Now we have to tell vsftpd about these new settings. First move the packaged configuration aside as a backup, then create a new one:
sudo mv /etc/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak
sudo nano /etc/vsftpd.conf
For the contents of this file, paste the following (one directive per line; vsftpd does not allow trailing comments on a directive line):
# runs vsftpd in standalone mode
listen=YES
# listens on this port for incoming FTP connections
listen_port=21
# disables anonymous FTP
anonymous_enable=NO
# enables non-anonymous FTP
local_enable=YES
# enables uploads and new directories
write_enable=YES
# the umask for file creation
local_umask=022
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
# If enabled, vsftpd will display directory listings with the time
# in your local time zone. The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
# Activate logging of uploads/downloads.
xferlog_enable=YES
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
# the virtual user is restricted to the virtual FTP area
chroot_local_user=YES
# the PAM file used for authentication of virtual users
pam_service_name=vsftpd-virtual
# SSL configuration directives
rsa_cert_file=/etc/ssl/certs/server.crt
rsa_private_key_file=/etc/ssl/private/server.key
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# the minimum port to allocate for PASV style data connections
pasv_min_port=31000
# the maximum port to allocate for PASV style data connections
pasv_max_port=31453
# activates virtual users
guest_enable=YES
# virtual users to use local privs, not anon privs
virtual_use_local_privs=YES
# specifies a home directory for all virtual users
local_root=/var/ftp-data
# hides the FTP server user ID, just show "ftp" in directory listings
hide_ids=YES
Two of these settings deserve a note. force_local_logins_ssl and force_local_data_ssl are what make this FTPS rather than optional-TLS FTP: a client that tries to log in or transfer data without TLS is refused, so the clear-text passwords in the database never cross the wire unencrypted. And the PASV port range 31000-31453 is a second listening range besides port 21, so any firewall or NAT in front of the server must allow it too, or logins will succeed but directory listings and transfers will hang.
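Before restarting the daemon it is worth confirming that the pasted configuration really carries the directives this setup depends on (the comments below the article show how easily a stray line in vsftpd.conf breaks everything). The following POSIX shell script is an added example and not part of the original post: conf_value reads a directive the way vsftpd does (comment lines ignored, last assignment wins) and check_conf demands that each security-relevant directive is set explicitly to the value used above, rather than trusting vsftpd's defaults. Both function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a vsftpd.conf for the
# directives this setup depends on, so a typo or a stray line in the
# pasted config is caught before the daemon is restarted.
# conf_value/check_conf are names chosen here.

# conf_value FILE KEY
# Prints the value of KEY: comment lines are skipped and, if KEY is
# assigned more than once, the last assignment wins.
conf_value() {
    awk -F= -v k="$2" '
        $0 !~ /^[ \t]*#/ && $1 == k { v = $2 }
        END { print v }' "$1"
}

# check_conf FILE
# Requires each security-relevant directive to be set explicitly to the
# value the article uses, rather than relying on vsftpd's defaults.
# Prints one line per deviation; the return value is the number found
# (0 means the file passed).
check_conf() {
    f=$1; bad=0
    for want in anonymous_enable=NO ssl_enable=YES \
                force_local_logins_ssl=YES force_local_data_ssl=YES \
                ssl_sslv2=NO ssl_sslv3=NO chroot_local_user=YES \
                guest_enable=YES pam_service_name=vsftpd-virtual; do
        key=${want%%=*}; exp=${want#*=}
        got=$(conf_value "$f" "$key")
        if [ "$got" != "$exp" ]; then
            echo "$key: expected $exp, got ${got:-<unset>}"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# typical use:
#   check_conf /etc/vsftpd.conf && service vsftpd restart
```

The weak settings it flags are exactly the ones that would turn this into an anonymous or clear-text FTP server (anonymous_enable=YES, ssl_enable=NO, or the two force_local_*_ssl directives missing), plus the chroot and PAM settings that keep virtual users confined to /var/ftp-data and authenticated against the database.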
Now we restart the vsftpd service for all of the changes to take place
sudo service vsftpd restart
Conclusion
If you have an SSL certificate and key at the paths given in the configuration, you should be able to log in to the FTP service with an FTPS client (explicit TLS on port 21) as one of the virtual users and land in the directory we set up at /var/ftp-data. Two quick checks are worth doing: a plain FTP login from the same client should now be refused, confirming that force_local_logins_ssl is in effect, and the same virtual username should be rejected by SSH, confirming that the account exists only for vsftpd. One caveat for anyone on a newer release than the one this was written for: vsftpd 3.0 and later refuse to chroot a user into a directory that user can write to and abort the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"; those versions need allow_writeable_chroot=YES added to the configuration for this setup to work.
In my case we also put this network share behind an Astaro Security Gateway (ASG), so first our users make an SSL VPN connection to the ASG, then make a SSL connection to the FTP server.
6 comments:
"db_load" does not work following your instructions. Other searching suggested that you need to use the command "db4.8_load" which appears to have worked
Hi, I set up vsftpd on Ubuntu, but I am having trouble setting up 2 virtual users. All I need is for 2 virtual users to be able to connect to Ubuntu vsftpd from 2 other separate computers on my home network. That's it, no other users from outside. I want to restrict these 2 new virtual users to 1 folder on the secondary drive in the Ubuntu computer. For example, I need the 2 new virtual users to be named "Fred" and "Barney", and they should only be able to upload to (or see) /media/FilesDrive/FTPfolder. I don't have any background in server stuff, so please explain how I can set this up? Right now, vsftpd is set up on Ubuntu and working, but it is just the standard setup from the installation. I would really appreciate your help, this is driving me crazy...
I did this exactly as you wrote, but it won't work at all. vsftpd refuses all connections from users. And, no there isn't any firewall issue. Oh, and the db_load is db5.1_load, which works for that part, but still can't connect using the virtual users?
I did this exactly as you wrote, but vsftpd won't allow any virtual users to connect at all!
Are you using Ubuntu Server 10.04 LTS or a newer version? If you're using a newer version I cannot guarantee that these directions will work.
Which steps are you able to complete successfully?
Some of the problems may be because there are stray paragraph tags, '<p></p>', on one of the first lines of the vsftpd.conf file.