vsftpd with virtual users (htpasswd), s3fs

OS: Ubuntu 16.04

First you need vsftpd, the PAM pwdfile module, htpasswd (from apache2-utils) and s3fs installed:

sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install vsftpd libpam-pwdfile apache2-utils s3fs -y

Edit /etc/vsftpd.conf

sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.orig
sudo vi /etc/vsftpd.conf
:1,$d # if you want to delete all lines

then paste in the following

listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
local_root=/mnt/s3
chroot_local_user=YES
allow_writeable_chroot=YES
hide_ids=YES

pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=xxx.xxx.xxx.xxx

#virtual user settings
user_config_dir=/etc/vsftpd_user_conf
guest_enable=YES
virtual_use_local_privs=YES
pam_service_name=vsftpd
nopriv_user=vsftpd
guest_username=vsftpd

#TLS
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

Don't forget to replace pasv_address with your server's public IP address (the address clients connect to; behind NAT that is not the interface address) and to adjust the passive port range. Edit the rest to your needs; the important part for virtual users is everything after the virtual user settings comment. One caveat: allow_writeable_chroot=YES is required here because each user's chroot root (their local_root) is writable, and vsftpd refuses the login in that situation unless the option is set, since a writable chroot root weakens the jail. A safer layout keeps local_root itself read-only and gives users a writable subdirectory inside it.

Creating User

You can either use a database or htpasswd. I found htpasswd faster and easier to use.

Make a directory for the password file and create the file with htpasswd:

sudo mkdir /etc/vsftpd
sudo htpasswd -c /etc/vsftpd/ftpd.passwd user1 # the hash htpasswd writes is replaced below, see next note

There are hash-format differences between tools: pam_pwdfile understands crypt(3) hashes and the "$1$" MD5-crypt format, but not the "$apr1$" variant that htpasswd writes by default, and the classic crypt format (htpasswd -d) only uses the first 8 characters of a password, while we want something longer than 8 characters. My current workaround is to run

openssl rand -base64 14 # generate a random password
openssl passwd -1 # hash it in "$1$" MD5-crypt format (paste the password at the prompt)

then put the result directly into /etc/vsftpd/ftpd.passwd as a username:hash line, replacing the line htpasswd created. The file is read by vsftpd as root, so keep it owned by root and readable by root only.

sudo vi /etc/vsftpd/ftpd.passwd


Once your users are created, change the PAM config file:

sudo vi /etc/pam.d/vsftpd

Remove everything in this file and replace it with the following:

auth required pam_pwdfile.so pwdfile /etc/vsftpd/ftpd.passwd
account required pam_permit.so

This makes PAM authenticate only against /etc/vsftpd/ftpd.passwd, so the virtual users defined there can log in and local system accounts cannot.

Next we need to add the local account that every virtual user is mapped to after authentication (guest_username). It has no shell and will be called vsftpd. Because virtual_use_local_privs=YES, virtual users operate with this account's file permissions, so it is the account that must be able to read and write the directories you expose.

sudo useradd --home /home/vsftpd --gid nogroup -m --shell /bin/false vsftpd

The user name must match guest_username=vsftpd in the vsftpd conf file. The config above also sets nopriv_user=vsftpd; vsftpd's documentation recommends a dedicated account that owns nothing for nopriv_user (the process that runs fully unprivileged), so consider pointing it at a separate account rather than the one that owns the data.

Defining Directory Access

The important line here is the following

user_config_dir=/etc/vsftpd_user_conf

This means that when user1 logs in, vsftpd will look for the following file:

/etc/vsftpd_user_conf/user1

This file uses the same syntax as vsftpd.conf, so you can set a different local_root in it. Only options that take effect after login can be overridden per user; local_root is one of them.

We want user1 to only have access to /mnt/s3/user1, so we need to create the vsftpd_user_conf folder:

sudo mkdir /etc/vsftpd_user_conf

Now create the user file:

sudo vi /etc/vsftpd_user_conf/user1

and enter the following line

local_root=/mnt/s3/user1

You should now be able to log in as user1, who will only see /mnt/s3/user1 and the folders and files inside it (that folder is created in the next step).

That's it. You can add as many users as you want and limit each one to whatever folder you wish.

Let's create the mount point while we are at it:

sudo mkdir /mnt/s3

Important: if you do not create a per-user conf file, that user falls back to the global local_root (/mnt/s3 in the example above) and can see every other user's folder.

If the subfolder is intended to be writable by the user, it may be necessary to change its ownership or permissions so the vsftpd account can write to it (chmod changes the mode only; the chown note at the end handles ownership):

sudo chmod 770 /mnt/s3/
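The user-creation and directory-access steps above, combined into one script. This is an added example, not code from the original gist: it generates the password, writes a "$1$" MD5-crypt hash to the pwdfile (via -stdin, so the password never appears in the process list), refuses duplicate names, keeps the pwdfile root-only, writes the per-user local_root override and creates the data directory. The variable names PASSWD_FILE, USER_CONF_DIR, DATA_ROOT and GUEST_USER are this example's assumptions (they default to the paths used on this page), as are the function names.

```shell
#!/usr/bin/env bash
# Added example (not from the original gist): provision one vsftpd virtual user.
# Paths come from the environment and default to the ones used on this page.
set -eu

# Accept only names that are safe as file names and as pwdfile keys:
# 1-32 chars of lowercase letters, digits, '.', '_', '-', not starting with '-' or '.'.
valid_username() {
  case "$1" in
    ''|-*|.*|*[!a-z0-9._-]*) return 1 ;;
  esac
  [ "${#1}" -le 32 ]
}

# 14 random bytes, base64-encoded: about 20 characters, well past the 8-char crypt(3) limit.
gen_password() {
  openssl rand -base64 14
}

# "$1$salt$hash" MD5-crypt, the format pam_pwdfile accepts (htpasswd's default $apr1$ is not).
# The salt is 8 hex characters, the format's maximum; the password goes in on stdin.
hash_password() {
  printf '%s\n' "$1" | openssl passwd -1 -salt "$(openssl rand -hex 4)" -stdin
}

# Append "user:hash" to the pwdfile, refusing duplicates; the file stays root-only (0600).
add_pwdfile_entry() {
  local user="$1" hash="$2" file="${PASSWD_FILE:-/etc/vsftpd/ftpd.passwd}"
  if [ -f "$file" ] && cut -d: -f1 "$file" | grep -qxF -- "$user"; then
    echo "error: $user already exists in $file" >&2
    return 1
  fi
  mkdir -p "$(dirname "$file")"
  printf '%s:%s\n' "$user" "$hash" >> "$file"
  chmod 600 "$file"
}

# Per-user vsftpd override: only local_root, so the user is chrooted into their own directory.
write_user_conf() {
  local user="$1" dir="${USER_CONF_DIR:-/etc/vsftpd_user_conf}" root="${DATA_ROOT:-/mnt/s3}"
  mkdir -p "$dir"
  printf 'local_root=%s/%s\n' "$root" "$user" > "$dir/$user"
}

# Create the data directory; hand it to the guest account when we are root and it exists.
make_user_dir() {
  local user="$1" root="${DATA_ROOT:-/mnt/s3}" owner="${GUEST_USER:-vsftpd}"
  mkdir -p "$root/$user"
  chmod 770 "$root/$user"
  if id "$owner" >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    chown "$owner" "$root/$user"
  fi
}

# The whole procedure. Prints the generated password once so it can be handed out.
add_user() {
  local user="$1" pass hash
  valid_username "$user" || { echo "error: bad user name '$user'" >&2; return 1; }
  pass="$(gen_password)"
  hash="$(hash_password "$pass")"
  add_pwdfile_entry "$user" "$hash" || return 1
  write_user_conf "$user" || return 1
  make_user_dir "$user" || return 1
  printf 'created %s, password: %s\n' "$user" "$pass"
}
```

Source the file and run add_user user1 as root; deliver the printed password out of band. To see what it writes without touching /etc, point PASSWD_FILE, USER_CONF_DIR and DATA_ROOT at a scratch directory first.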

S3FS

Add your AWS creds:

sudo vi /etc/passwd-s3fs # and paste in MYIDENTITY:MYCREDENTIAL, i.e. ACCESS_KEY_ID:SECRET_ACCESS_KEY
sudo chmod 600 /etc/passwd-s3fs

The chmod is mandatory: s3fs refuses to use a credentials file that other users can read. Make sure the credentials have S3 access, and prefer an IAM user whose policy is limited to this one bucket, because anyone who gets root on the FTP host gets these keys.

Add the following to /etc/fstab, replacing <bucket name> with the name of the S3 bucket (allow_other is what lets the vsftpd account, rather than only root who performs the mount, access the files; keep nosuid,nodev):

s3fs#<bucket name> /mnt/s3 fuse _netdev,rw,nosuid,nodev,allow_other,nonempty 0 0

Mount it and check for errors:

sudo mount -a

Unmount if needed:

sudo fusermount -u /mnt/s3

You may need to loosen the mount point's permissions so the vsftpd account can write to it:

sudo chmod 770 /mnt/s3

SSL (this part is not working)

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem # 2048-bit key; 1024-bit RSA is too weak
sudo chmod 600 /etc/ssl/private/vsftpd.pem # the private key and the certificate share this file, keep it root-only

Open port 21 and the passive range 1024-1048 for logins and file transfers to work. The configuration above is explicit FTPS (AUTH TLS on port 21); port 990 is only used with implicit_ssl=YES, which is not set here. The certificate is self-signed, so clients will have to accept or pin it.
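A pre-flight check for the configuration section above and for the firewall question just raised, as an added example that is not part of the original gist: ftp_ports reads a vsftpd.conf and prints the TCP ports to open (control port plus passive range), and conf_lint flags settings worth a second look, including the placeholder pasv_address and the shared nopriv_user/guest_username account in the config on this page. The sample configuration it writes is constructed from the settings on this page; the function names are the example's own, and the defaults it assumes for absent options are vsftpd's compiled-in ones.

```shell
#!/usr/bin/env bash
# Added example (not from the original gist): pre-flight checks for a vsftpd.conf.
set -eu

# Value of one option (last assignment wins; '#' comments and blank lines are skipped),
# or the given default when the option is absent. vsftpd syntax is strictly key=value.
conf_get() {
  local file="$1" key="$2" default="$3" value
  value="$(sed -n "s/^$key=//p" "$file" | tail -n 1)"
  if [ -n "$value" ]; then printf '%s\n' "$value"; else printf '%s\n' "$default"; fi
}

# vsftpd treats YES/TRUE/1 as true regardless of case (the page writes pasv_enable=Yes).
is_yes() {
  case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
    YES|TRUE|1) return 0 ;;
  esac
  return 1
}

# Prints "<control port> <pasv_min>:<pasv_max>", or only the control port when passive
# mode is off. Explicit FTPS stays on 21; 990 is only a convention for implicit_ssl=YES,
# and even then listen_port has to be set explicitly.
ftp_ports() {
  local file="$1" ctl
  ctl="$(conf_get "$file" listen_port 21)"
  if is_yes "$(conf_get "$file" pasv_enable YES)"; then
    printf '%s %s:%s\n' "$ctl" \
      "$(conf_get "$file" pasv_min_port 0)" "$(conf_get "$file" pasv_max_port 0)"
  else
    printf '%s\n' "$ctl"
  fi
}

# One "WARN: ..." line per finding; exit status 1 when anything was flagged.
conf_lint() {
  local file="$1" n=0
  warn() { printf 'WARN: %s\n' "$1"; n=$((n + 1)); }
  is_yes "$(conf_get "$file" anonymous_enable YES)" && warn "anonymous_enable is on"
  is_yes "$(conf_get "$file" chroot_local_user NO)" || warn "chroot_local_user=NO: users can browse the whole filesystem"
  is_yes "$(conf_get "$file" allow_writeable_chroot NO)" && warn "allow_writeable_chroot=YES: the chroot root itself is writable"
  if is_yes "$(conf_get "$file" ssl_enable NO)"; then
    is_yes "$(conf_get "$file" ssl_sslv2 NO)" && warn "ssl_sslv2=YES"
    is_yes "$(conf_get "$file" ssl_sslv3 NO)" && warn "ssl_sslv3=YES"
    is_yes "$(conf_get "$file" force_local_logins_ssl YES)" || warn "force_local_logins_ssl=NO: passwords may travel in clear text"
    is_yes "$(conf_get "$file" force_local_data_ssl YES)" || warn "force_local_data_ssl=NO: file contents may travel in clear text"
    if is_yes "$(conf_get "$file" implicit_ssl NO)" && [ -z "$(conf_get "$file" listen_port "")" ]; then
      warn "implicit_ssl=YES but listen_port is not set (implicit FTPS conventionally uses 990)"
    fi
  else
    warn "ssl_enable=NO: everything, including passwords, travels in clear text"
  fi
  if is_yes "$(conf_get "$file" pasv_enable YES)"; then
    case "$(conf_get "$file" pasv_address "")" in
      ''|xxx.*) warn "pasv_address is unset or still a placeholder" ;;
    esac
    [ "$(conf_get "$file" pasv_min_port 0)" -gt 0 ] || warn "pasv_min_port/pasv_max_port unset: passive data ports are unbounded"
  fi
  if [ "$(conf_get "$file" nopriv_user nobody)" = "$(conf_get "$file" guest_username ftp)" ]; then
    warn "nopriv_user and guest_username are the same account; use a dedicated nopriv_user"
  fi
  [ "$n" -eq 0 ]
}

# Constructed sample input: the settings from this page, placeholder pasv_address included.
# Written to the path given as $1.
sample_conf() {
  cat > "$1" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
pasv_enable=Yes
pasv_min_port=1024
pasv_max_port=1048
pasv_address=xxx.xxx.xxx.xxx
guest_enable=YES
nopriv_user=vsftpd
guest_username=vsftpd
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
EOF
}
```

Run ftp_ports /etc/vsftpd.conf to get the ports for your firewall rules and conf_lint /etc/vsftpd.conf before restarting the service; on the configuration from this page the linter reports the writable chroot, the placeholder pasv_address and the shared nopriv_user account.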

Lastly, restart vsftpd:

sudo service vsftpd restart

Note: you may need to chown the data directories to the vsftpd user so that virtual users can write to them:

sudo chown vsftpd /mnt/s3.....