VSFTPD/MYSQL Virtual users Tutorial


#1

First of all thanks for bringing EasyEngine to us!

Followed and used the project for quite some time now, and love the way it’s going and the direction the development has taken.

The only thing I hate, is that EasyEngine dos not give us a way to give a user FTP Access, we only got the www-data SFTP login, I got a couple of costumers that need FTP access, and I dont want to hand out the www-data user, since they can do to mutch harm.

So I started my journey how could I make a solution that worked with EasyEngine, and that allowed me to create FTP accounts for specific websites, with out giving them access to all other websites on the server.

After some searching on Virtual Users FTP, I tried out a couple of tutorials and it worked! BUT! They used text files, and raw passwords, not very safe to be honest, so when I got a new server I played arround with VSFTPD/MySQL and PAM, to create a more secure container for the password, and to be honest it’s just a better way then creating text files to get the same result.

The guides found for VSFTPD/MySQL/PAM and Virtual Users, did not work out that well, because they forgot to mention, that Ubuntu got meny problems with VSFTPD true apt-get, after a lot of searching I finally found a good forum thread on UbuntuForums.


First we need to get a working version of VSFTPD! http://ehcpforce.tk/faq/index.php?sid=2579&lang=en&action=artikel&cat=1&id=3&artlang=en this link contains info for Ubuntu 12.04 and above, and is different for every Version of Ubuntu.

After you installed VSFTPD follow the following guide. apt-get install libpam-mysql libpam-ldap

LDAP server Uniform Resource Identifier: <--  ENTER
Distinguished name of the search base: <-- ENTER
LDAP version to use: <-- 3
Make local root Database admin: <-- Yes
Does the LDAP database require login?  <-- No
LDAP account for root: <-- ENTER
LDAP root account password: <-- ldaprootpw (change to your password)

If you get more questions select the option that it surgests

==> Create The MySQL Database For vsftpd

mysql -u root -p

==> Create the Database, and user, remember to set your own password instead of fpdpass

CREATE DATABASE vsftpd;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON vsftpd.* TO 'vsftpd'@'localhost' IDENTIFIED BY 'ftpdpass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON vsftpd.* TO 'vsftpd'@'localhost.localdomain' IDENTIFIED BY 'ftpdpass';
FLUSH PRIVILEGES;
USE vsftpd;

==> Create the Tables in vsftpd Database

USE vsftpd; 
CREATE TABLE `accounts` (
`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
`username` VARCHAR( 30 ) NOT NULL ,
`pass` VARCHAR( 50 ) NOT NULL ,
UNIQUE (
`username`
)
) ENGINE = MYISAM ; 
quit; 

==> Only use this line if you got issues with the setup, I only tested with this line, since I had some issues, that I later found out was Ubuntus version of VSFTPD

useradd --home /home/vsftpd --gid nogroup -m --shell /bin/false vsftpd 

==> Config file stuff

cp /etc/vsftpd.conf /etc/vsftpd.conf_orig
cat /dev/null > /etc/vsftpd.conf
nano /etc/vsftpd.conf 

==> Insert following to the config file

listen=YES
anonymous_enable=NO
local_enable=YES
virtual_use_local_privs=YES
write_enable=YES
local_umask=022
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
guest_enable=YES
ftp_username=www-data
chown_username=www-data
guest_username=www-data
user_sub_token=$USER
local_root=/var/www/$USER
chroot_local_user=YES
hide_ids=YES
check_shell=NO
user_config_dir=/var/www/users
allow_writeable_chroot=YES

==> Create user_config_dir

mkdir /var/www/users 

==> Lets create the PAM config files for vsftpd

cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd_orig
cat /dev/null > /etc/pam.d/vsftpd
nano /etc/pam.d/vsftpd 

==> Insert the following, remember to change ftpdpass in to the password you set for the mysql vsftpd user earlyer

auth required pam_mysql.so user=vsftpd passwd=ftpdpass host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=2
account required pam_mysql.so user=vsftpd passwd=ftpdpass host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=2

==> Restart VSFTPD

/etc/init.d/vsftpd restart 

==> Create the first virtual user, remember the username needs to match a folder in /var/www ex. Domain.com

mysql -u root -p 
USE vsftpd; 

==> Remember to change domain.com and password to what you want

INSERT INTO accounts (username, pass) VALUES('testuser', PASSWORD('secret'));
quit; 

You should now be good to go, and have a working ftp user that can only access /var/www/domain.com

If you want a user to have a different root, or create a “master” account, you can do this by creating a file in /var/www/users

Example – the file you create inside /var/www/users needs to match the username, lets say I created a username thats masteruser in the mysql table

nano /var/www/users/masteruser

==>> Insert the following change the directory to /var/www or something inside /var/www

Example 1

local_root=/var/www

Example 2

local_root=/var/www/domain.com

#2

Minor note if you install libpam-mysql and then update to MariaDB you need to install libpam-mysql once more.


#3

Hi @benzons

Thanks for sharing this tutorial with the Community.


#4

Hi,

I’m trying to implement your solution but it doesn’t work for me so far. I cannot sftp into my server. When I configure ‘ldap-auth-config’ what should be LDAP account for root? What account should I use for this?

Thanks, D.


#5

Great!!!

Thanks @benzons

it’s exactly what i need !!!


#6