For those of you who don’t know, vsftpd is probably the most secure ftp server out there right now. As a whole I think that ftp is going the way of telnet, but it seems that developers still use it quite a bit (at least that’s what my developers tell me). So anyway, if you have to run an ftp server, I highly recommend vsftpd.
Onto the topic at hand: Virtual Users. One of the outstanding security features of vsftpd is the ability to have virtual users that can connect to the ftp server. From a security standpoint this helps to lock down server access via other means (ssh, telnet, etc) because the users are restricted to only that ftp server. In addition, you can also lock the ftp users into the directory of your choosing, which also prevents unauthorized file-system browsing.
While setting this up I had a hard time finding a cohesive set of instructions on how to do this (one that is newer than 2009, at least). The way I settled on is only one of several possible ways, but it uses db_load to generate a database file that is used to look up usernames and passwords. I am going to make the instructions as generic as possible so that they apply to as many *NIX platforms and distributions as possible.
The first part of this is really the only tricky part; we need the program db_load. This is already in the base install on Arch Linux, and in Ubuntu it’s db4.6-util (iirc). Anyway, check around forums, the web, search your package manager, whatever, just make sure that db_load is installed and ready to go.
Once that is installed we need to create a simple text file with the virtual users’ logins and passwords. The format should look like this:
Obviously you get the pattern. Once you have this file ready, we are going to compute a new db table from it. Make sure to replace “logins.txt” with whatever you called the user/pass file. Once the db file is created, we are also going to make sure the permissions are restrictive enough to keep it safe:
# db_load -T -t hash -f logins.txt /etc/vsftpd_login.db
# chmod 600 /etc/vsftpd_login.db
Please don’t forget to delete the original file with everyone’s logins and passwords in it. So after you delete that file, and have the db file sitting safely in the /etc directory, we need to modify the authentication settings for pam. Again, I know this differs between Ubuntu and Arch, so I am going to be a little generic here. There should be a file in the /etc/pam.d/ directory that controls authentication for ftp access. In Arch this is simply ftp, whereas in Ubuntu I think it is vsftpd. Anyway, we need to modify that file to contain only the following:
auth required pam_userdb.so db=/etc/vsftpd_login crypt=hash
account required pam_userdb.so db=/etc/vsftpd_login crypt=hash
Next we are going to work on the /etc/vsftpd.conf file. Here are the changes I made to my file. These are the options I added besides the defaults that were already selected:
# Directory to lock virtual users into
# Guest is what tells vsftpd to look in the pam database
The last thing that needs to be done is the creation of the new virtual user. This is as simple as:
# useradd -d /path/to/ftp/directory/ -s /dev/null virtual
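To tie the db_load and pam steps above together, here is an added example script (not from the original post) that validates the user/pass text file before it is loaded, builds and locks down the db file, and prints the two pam_userdb lines. The paths, function names and the sample users are placeholders or constructed for the demo; db_load must be installed for the build step.

```shell
#!/bin/sh
# Added example, not the original post's code. Wraps the db_load/pam steps
# above; paths and the sample users below are placeholders/constructed.

# The text file db_load -T reads is alternating lines: username, then
# password. An odd line count, a blank line, or a duplicate username would
# silently pair the wrong key with the wrong value, so check it first.
check_logins_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    lines=$(grep -c '' "$f")
    [ $((lines % 2)) -eq 0 ] || { echo "odd line count in $f" >&2; return 1; }
    if grep -q '^[[:space:]]*$' "$f"; then echo "blank line in $f" >&2; return 1; fi
    dups=$(awk 'NR % 2 == 1' "$f" | sort | uniq -d)   # usernames are the odd lines
    [ -z "$dups" ] || { echo "duplicate user(s): $dups" >&2; return 1; }
    return 0
}

# Steps from the post: build the Berkeley DB hash table, make it 0600 from
# the moment it is created (umask, not only chmod afterwards), and remove the
# plaintext source. Returns 2 when db_load is not installed.
build_login_db() {
    src="$1"; db="$2"          # e.g. logins.txt /etc/vsftpd_login.db
    check_logins_file "$src" || return 1
    command -v db_load >/dev/null 2>&1 || { echo "db_load not installed" >&2; return 2; }
    (umask 077 && db_load -T -t hash -f "$src" "$db") || return 1
    chmod 600 "$db"
    if command -v shred >/dev/null 2>&1; then shred -u "$src"; else rm -f "$src"; fi
}

# The two pam_userdb lines from the post. pam_userdb appends ".db" itself,
# so the db= value has no suffix. pam_userdb only treats crypt=crypt as
# crypt(3) hashes; with crypt=hash (any other value) the passwords in the
# db are compared as plaintext, which is why the 0600 mode matters.
pam_config() {
    db="${1%.db}"
    printf 'auth required pam_userdb.so db=%s crypt=hash\n' "$db"
    printf 'account required pam_userdb.so db=%s crypt=hash\n' "$db"
}

# Demo on a constructed (not real) user list: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    printf 'alice\nexample-pw-1\nbob\nexample-pw-2\n' > "$tmp/logins.txt"
    build_login_db "$tmp/logins.txt" "$tmp/vsftpd_login.db" && pam_config "$tmp/vsftpd_login.db"
fi
```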
After that just (re)start the daemon and you are good to go. There are some other tricks you might have to do depending on your setup, like adding specific folders for each person to log into, or changing the permissions of the ftp directory to line up with the new virtual user you created. I’m not going to cover that stuff here, as I didn’t need to go any further than this, but if you need to do anything else, do a few Google searches; there is a ton of information out there once you have this basic setup done.