VSFTPD Virtual Users Setup (with individual FTP home directories)

(This was written while performing the install and setup on Fedora Core 6, but applies broadly to all distributions)

STEP 1: Install Required packages:

pam (installed by default)
db4 (db4 is my version and was installed by default)
vsftpd
compat-db (this is the package name on fedora which provides the binary db42_load)

Check if the 'db' package is installed

[root@mysystem vsftpd]# rpm -qa | grep -i db

 If the db4 package is not installed, do it:

[root@mysystem vsftpd]# yum install db4

The package compat-db will give us the db42_load binary used to build the virtual username/password db file

[root@mysystem vsftpd]# yum install compat-db
[root@mysystem vsftpd]# yum install vsftpd

Can't find dbXX_load binary? check the locations of the files in this package

[root@mysystem vsftpd]# rpm -ql compat-db

STEP 2: Configure PAM

Confirm existance/location of the file /lib/security/pam_userdb.so

[root@mysystem vsftpd]# rpm -ql pam | grep pam_userdb.so
[root@mysystem vsftpd]# vi /etc/pam.d/vsftpd
 (I EDITED THE FILE TO LOOK LIKE THIS:)

#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
#auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth required pam_shells.so
#auth include system-auth
#account include system-auth
#session include system-auth
#session required pam_loginuid.so
(note: I had to comment out the bottom 6 lines to get the pam_userdb authentication to succeed for ftp logins. With them not commented out, authentication of known good users failed)

STEP 3: Create system user for vsftpd.conf (this is basically a dummy user, not logged into directly via FTP)

[root@mysystem vsftpd]# adduser -d /home/virtualftp/ virtualftp

STEP 4: Configure vsftpd for virtual users

[root@mysystem vsftpd]# cd /etc/vsftpd
[root@mysystem vsftpd]# vi vsftpd.conf
 (HERE IS MY vsftpd.conf FILE MINUS DEFAULT COMMENTS:)

local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

# Virtual users will be logged into /home/virtualftp/[username]/
user_sub_token=$USER
local_root=/home/virtualftp/$USER
guest_enable=YES
guest_username=virtualftp
# Umask applied for virtual users and anon
anon_umask=0022
# Allows uploading by virtual users
anon_upload_enable=YES
# Allows creation of directories by virtual users
anon_mkdir_write_enable=YES
# Allows deletion of files and directories by virtual users
anon_other_write_enable=YES


Now start up vsftpd (which is configured to run stand-alone in my config file):

[root@mysystem vsftpd]# vsftpd

STEP 5: Setup virtual FTP usernames and their passwords

[root@mysystem vsftpd]# vi /etc/vsftpd/vsftpd_users.txt
 (FORMAT OF THE FILE:)

username1
passwordforusername1
username2
passwordforusername2
username3
passwordforusername3
Now we create the DB4 formatted username/password file from the plain text vsftpd_users.txt file that will be used by pam_userdb.so:

[root@mysystem vsftpd]# rm /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# chmod 600 /etc/vsftpd/vsftpd_users.db /etc/vsftpd/vsftpd_users.txt

STEP 6: Create directories for each virtual FTP user

[root@mysystem vsftpd]# mkdir -p /home/virtualftp/username1

STEP 7: Test an FTP virtual user login

[root@mysystem vsftpd]# ftp localhost
Connected to localhost.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): username1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX
Using binary mode to transfer files.
ftp>

Troubleshooting

If there are problems logging in with a virtual ftp user, check /var/log/secure FIRST!

[root@mysystem vsftpd]# tail -f /var/log/secure
Mar 2 15:07:04 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testing rhost=mysystem.cluster
Mar 2 15:07:04 mysystem vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user testing
Mar 2 15:08:32 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:11:15 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user0123456789012345678901234' granted access
Mar 2 15:12:36 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user01234567890123456789012345' granted access
Mar 2 15:13:43 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user012345678901234567890123456' granted access
Mar 2 15:14:51 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user0123456789012345678901234567' granted access

I found a few times, which can be seen in the real log files above, that the vsftpd_users.db file was not correctly recreated with the db42_load command over the top of an existing vsftpd_users.db file. To resolve this, I simply remove the current vsftpd_users.db file and recreate the file from scratch with the db42_load.

[root@mysystem vsftpd]# strings /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db
(possibly interesting note: The /var/log/secure messages above show some testing I did on the maximum allowed username character length. At this time, glibc limits usernames to 32 characters, as can be seen above with the longest username that successfully authenticates. For such a fundamental underlying library, I'd like to see it's limit higher so it is not the limiting factor for the higher level programs that use it.)