vsftpd virtual user configuration


Before we start, let's look at the difference between using virtual users and using local users.

A virtual user is a mapping onto a local user; to put it simply, it can only be used to log in to FTP and cannot access any other system resources.

A local user has no such restriction (it can also log in to the system itself, which is a threat).

Because of this mapping, the permissions of a virtual user depend on the permissions of the local user it is mapped to.

In general, it is safer to use virtual users.


Note: the following experiment authenticates against a local database file (pam_userdb).



Virtual user configuration

Experimental environment:

  • CentOS-7-x86_64-DVD-1708
  • win10
  • VMware Workstation 15 Pro

The virtual user configuration process:

  1. Create a virtual user login file (a .txt file in which the user name and the password each occupy one line)
  2. Use the db_load command to compile that file into a database file ending in .db
  3. Modify /etc/vsftpd/vsftpd.conf to enable virtual user login and set the other permissions
  4. Modify /etc/pam.d/vsftpd and add the authentication mechanism
  5. Create a local user and map the virtual user onto it (the user named by guest_username and the local user must be the same)
  6. Create the required directories and files (virtual user configuration directory, virtual user configuration file, chroot list file, etc.)



Create a virtual user login file

[root@localhost ~]# cd /etc/vsftpd/
[root@localhost vsftpd]# vim vusers.txt # User name on the first line, password on the second; nothing else (no comments or trailing spaces) may appear on these lines
test
test
"vusers.txt" [New] 2L, 10C written
[root@localhost vsftpd]#



Generate database file

[root@localhost vsftpd]# db_load -T -t hash -f vusers.txt vusers.db # -T: read plain text input, -t hash: build a hash database



Edit the vsftpd.conf configuration file

[root@localhost vsftpd]# vim vsftpd.conf # Add the following

# Disable anonymous login
anonymous_enable=NO

# Uncomment the following three lines and set them as shown
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

# Add the following

# Enable virtual users
guest_enable=YES

# Local user the virtual users are mapped onto
guest_username=test

# Prevent "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"
allow_writeable_chroot=YES

# Directory holding the per-virtual-user configuration files
user_conf_dir=/etc/vsftpd/vusers_conf



Configure authentication mechanism

[root@localhost vsftpd]# vim /etc/pam.d/vsftpd # Comment out the original and add the following
auth        required     pam_userdb.so  db=/etc/vsftpd/vusers # No suffix
account     required     pam_userdb.so  db=/etc/vsftpd/vusers



Mapping users

[root@localhost vsftpd]# useradd -s /sbin/nologin -d /home/test test # Create the local user (no shell login)
[root@localhost vsftpd]# setfacl -m user:test:rwx /home/test/ # Change permissions (for testing only, not recommended in production)
[root@localhost vsftpd]# getfacl /home/test/ # View directory permissions
getfacl: Removing leading '/' from absolute path names
# file: home/test/
# owner: test
# group: test
user::rwx
user:test:rwx
group::---
mask::rwx
other::---

[root@localhost vsftpd]#



Create dependent directories and files

[root@localhost vsftpd]# mkdir vusers_conf # Must match the user_conf_dir set in vsftpd.conf
[root@localhost vsftpd]# vim vusers_conf/test # Add the following (file name = virtual user name; keep comments on their own lines, since vsftpd treats everything after "=" as the value)
# Shared directory for this virtual user
local_root=/home/test
# Write permission
write_enable=YES
# Upload permission
anon_upload_enable=YES
# Permission to create directories
anon_mkdir_write_enable=YES
# Permission to delete and rename
anon_other_write_enable=YES
[root@localhost vsftpd]# vim chroot_list # Add the following
test
[root@localhost vsftpd]#

Note: no trailing spaces are allowed on the lines of the virtual user configuration file above; every option line must be exactly key=value.
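Before testing the login, the following script checks the files created above for the pitfalls this procedure is sensitive to: the user file must alternate user name and password lines with nothing else on them, the per-user configuration must contain only bare key=value lines, and guest_username must name an existing local user. It is an example added here, not code from the original post; the function names and the optional passwd-file argument are assumptions of this example.

```shell
#!/bin/sh
# Example script added here, not from the original post: sanity checks for the files created above.

# vusers.txt must alternate user-name and password lines with nothing else on
# them: db_load -t hash takes each whole line as key or value, so a line such
# as "test # User name" would become a user name that can never log in.
check_vusers_txt() {
    f=$1
    n=$(grep -c '' "$f" || true)
    if [ "$n" -eq 0 ] || [ $((n % 2)) -ne 0 ]; then
        echo "$f: expected an even, non-zero number of lines (user, password, ...)"; return 1
    fi
    if grep -nE '[[:space:]#]' "$f"; then
        echo "$f: whitespace or '#' inside a user-name/password line"; return 1
    fi
    return 0
}

# A per-user file under user_conf_dir is parsed like vsftpd.conf: blank lines
# and lines starting with '#' are skipped, and everything after '=' is kept as
# the value, so a trailing space or an inline comment corrupts the option.
check_user_conf() {
    f=$1
    if grep -nvE '^(#.*|[a-z_]+=[^[:space:]]*)?$' "$f"; then
        echo "$f: not a bare key=value line (trailing space or inline comment?)"; return 1
    fi
    return 0
}

# guest_username must name an existing local user (the one created with useradd),
# and every file under user_conf_dir must pass check_user_conf.
check_guest_user() {
    conf=$1
    passwd=${2:-/etc/passwd}   # optional passwd path (assumption of this example) so the check can run offline
    grep -qx 'guest_enable=YES' "$conf" || { echo "$conf: guest_enable=YES missing"; return 1; }
    u=$(sed -n 's/^guest_username=//p' "$conf")
    [ -n "$u" ] || { echo "$conf: guest_username not set"; return 1; }
    grep -q "^$u:" "$passwd" || { echo "local user '$u' (guest_username) does not exist"; return 1; }
    d=$(sed -n 's/^user_conf_dir=//p' "$conf")
    if [ -n "$d" ]; then
        [ -d "$d" ] || { echo "user_conf_dir $d does not exist"; return 1; }
        for pf in "$d"/*; do
            if [ -f "$pf" ]; then check_user_conf "$pf" || return 1; fi
        done
    fi
    return 0
}
# Usage against the paths used in this post:
#   check_vusers_txt /etc/vsftpd/vusers.txt && check_guest_user /etc/vsftpd/vsftpd.conf
```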



Login test

[root@localhost vsftpd]# systemctl stop firewalld # Alternatively, add the ftp service to the firewall's allow list
[root@localhost vsftpd]# setenforce 0 # Put SELinux into permissive mode (temporarily)
[root@localhost vsftpd]# systemctl start vsftpd # Start the vsftpd service
[root@localhost vsftpd]# ftp localhost # Test from the local machine
Trying ::1...
Connected to localhost (::1).
220 (vsFTPd 3.0.2)
Name (localhost:root): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
[root@localhost vsftpd]#

Note: at this point a simple vsftpd virtual user has been configured.


Keywords: vsftpd vim ftp Database

Added by youdontmeanmuch on Thu, 06 Feb 2020 06:40:05 +0200