http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch15_:_Linux_FTP_Server_Setup
pam (installed by default)
db4 (db4 is my version and was installed by default)
vsftpd
compat-db (this is the package name on Fedora which provides the db42_load binary)
Check if the 'db' package is installed
[root@mysystem vsftpd]# rpm -qa | grep -i db
If the db4 package is not installed, install it:
[root@mysystem vsftpd]# yum install db4
The package compat-db will give us the db42_load binary used to build the virtual username/password db file.
[root@mysystem vsftpd]# yum install compat-db
[root@mysystem vsftpd]# yum install vsftpd
Can't find the dbXX_load binary? Check the locations of the files in this package:
[root@mysystem vsftpd]# rpm -ql compat-db
Confirm the existence/location of the file /lib/security/pam_userdb.so:
[root@mysystem vsftpd]# rpm -ql pam | grep pam_userdb.so
(I EDITED THE FILE TO LOOK LIKE THIS:)
[root@mysystem vsftpd]# vi /etc/pam.d/vsftpd
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
#auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth required pam_shells.so
#auth include system-auth
#account include system-auth
#session include system-auth
#session required pam_loginuid.so
(note: I had to comment out the bottom 6 lines to get the pam_userdb authentication to succeed for FTP logins. With them not commented out, authentication of known-good users failed.)
[root@mysystem vsftpd]# adduser -d /home/virtualftp/ virtualftp
[root@mysystem vsftpd]# cd /etc/vsftpd
(HERE IS MY vsftpd.conf FILE MINUS DEFAULT COMMENTS:)
[root@mysystem vsftpd]# vi vsftpd.conf
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
# Virtual users will be logged into /home/virtualftp/[username]/
user_sub_token=$USER
local_root=/home/virtualftp/$USER
guest_enable=YES
guest_username=virtualftp
# Umask applied for virtual users and anon
anon_umask=0022
# Allows uploading by virtual users
anon_upload_enable=YES
# Allows creation of directories by virtual users
anon_mkdir_write_enable=YES
# Allows deletion of files and directories by virtual users
anon_other_write_enable=YES
Now start up vsftpd (which is configured to run stand-alone in my config file):
[root@mysystem vsftpd]# vsftpd
[root@mysystem vsftpd]# vi /etc/vsftpd/vsftpd_users.txt
(FORMAT OF THE FILE:)
username1
passwordforusername1
username2
passwordforusername2
username3
passwordforusername3
Now we create the DB4-formatted username/password file, which pam_userdb.so will use, from the plain-text vsftpd_users.txt file:
[root@mysystem vsftpd]# rm /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# chmod 600 /etc/vsftpd/vsftpd_users.db /etc/vsftpd/vsftpd_users.txt
[root@mysystem vsftpd]# mkdir -p /home/virtualftp/username1
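The rebuild steps above (remove the stale db, run db42_load, chmod 600, create the home directory) as one script. This is an added example, not from the original notes; it assumes the same paths, the db42_load binary and the virtualftp account used above, all overridable through the variables at the top. It also validates the text file first, since a username is substituted into local_root and must be a safe directory name.

```shell
#!/bin/sh
# Added example (not from the notes above): rebuild the pam_userdb file safely.
# Paths, the db42_load binary and the virtualftp account are the ones used
# above; override the variables for other layouts (e.g. DB_LOAD=db_load).
DB_LOAD="${DB_LOAD:-db42_load}"
USERS_TXT="${USERS_TXT:-/etc/vsftpd/vsftpd_users.txt}"
USERS_DB="${USERS_DB:-/etc/vsftpd/vsftpd_users.db}"
VHOME="${VHOME:-/home/virtualftp}"
VUSER="${VUSER:-virtualftp}"
MAXLEN=32   # the glibc username limit found in the /var/log/secure test above

# validate_users_file FILE: exit 0 only if FILE alternates username/password
# lines, has no blank lines, and every username is a safe directory name
# (it is substituted into local_root, so '/' must never appear in it).
validate_users_file() {
  awk -v max="$MAXLEN" '
    BEGIN { bad = 0 }
    NF == 0 { print "line " NR ": empty line"; bad = 1; next }
    NR % 2 == 1 && length($0) > max {
      print "line " NR ": username longer than " max " chars"; bad = 1 }
    NR % 2 == 1 && $0 !~ /^[A-Za-z0-9_][A-Za-z0-9._-]*$/ {
      print "line " NR ": unsafe username"; bad = 1 }
    END {
      if (NR == 0)     { print "file is empty"; bad = 1 }
      if (NR % 2 == 1) { print "odd line count: last user has no password"; bad = 1 }
      exit bad
    }' "$1"
}

# rebuild_users_db: load into a temporary file and move it into place, so the
# stale-db problem seen above when loading over an existing file cannot occur.
rebuild_users_db() {
  validate_users_file "$USERS_TXT" || return 1
  tmp="$USERS_DB.tmp.$$"
  rm -f "$tmp"
  "$DB_LOAD" -T -t hash -f "$USERS_TXT" "$tmp" || { rm -f "$tmp"; return 1; }
  chmod 600 "$tmp" "$USERS_TXT"
  mv -f "$tmp" "$USERS_DB"
  # every virtual user needs a chroot directory owned by the guest account
  awk 'NR % 2 == 1' "$USERS_TXT" | while read -r u; do
    mkdir -p "$VHOME/$u" && chown "$VUSER:$VUSER" "$VHOME/$u"
  done
}

case "${1:-}" in --rebuild) rebuild_users_db ;; esac
```

Run it as `sh rebuild_users.sh --rebuild` after editing vsftpd_users.txt; a malformed file is reported and nothing is replaced.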
[root@mysystem vsftpd]# ftp localhost
Connected to localhost.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): username1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX
Using binary mode to transfer files.
ftp>
If there are problems logging in with a virtual ftp user, check /var/log/secure FIRST!
[root@mysystem vsftpd]# tail -f /var/log/secure
Mar 2 15:07:04 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testing rhost=mysystem.cluster
Mar 2 15:07:04 mysystem vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user testing
Mar 2 15:08:32 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:11:15 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user0123456789012345678901234' granted access
Mar 2 15:12:36 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user01234567890123456789012345' granted access
Mar 2 15:13:43 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user012345678901234567890123456' granted access
Mar 2 15:14:51 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user0123456789012345678901234567' granted access
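A small audit over /var/log/secure lines in the format shown above, as an added example that is not part of the original notes. It counts pam_userdb decisions per user and warns when pam_unix also ran for that user, which is the symptom of the system-auth lines in /etc/pam.d/vsftpd still being active; the sample input is copied from the extract above.

```shell
#!/bin/sh
# Added example (not from the notes above): summarise pam_userdb decisions
# for the vsftpd service from /var/log/secure lines in the format shown above.
# A user whose pam_userdb grant is followed by a pam_unix failure shows that
# the system-auth lines in /etc/pam.d/vsftpd are still active.
# audit_vsftpd_auth [FILE]: reads FILE (or stdin); prints one line per user.
audit_vsftpd_auth() {
  awk '
    /vsftpd: pam_userdb\(vsftpd:auth\): user / {
      u = $0; sub(/.*user '\''/, "", u); sub(/'\''.*/, "", u)
      # assumption: any pam_userdb line that is not "granted access" is a denial
      if ($0 ~ /granted access/) granted[u]++; else denied[u]++
      seen[u] = 1
    }
    /vsftpd: pam_unix\(vsftpd:auth\): authentication failure/ {
      u = $0; sub(/.*ruser=/, "", u); sub(/ .*/, "", u)
      unixfail[u]++; seen[u] = 1
    }
    END {
      for (u in seen) {
        printf "%s granted=%d denied=%d", u, granted[u] + 0, denied[u] + 0
        if (u in unixfail) printf " WARNING: pam_unix also ran (system-auth still included)"
        printf "\n"
      }
    }' "$@"
}

# Constructed sample: the lines are copied from the /var/log/secure extract above.
sample_secure_log() {
  cat <<'EOF'
Mar 2 15:07:04 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testing rhost=mysystem.cluster
Mar 2 15:08:32 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:11:15 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user0123456789012345678901234' granted access
EOF
}

case "${1:-}" in --demo) sample_secure_log | audit_vsftpd_auth ;; esac
```

Against the live log, run `audit_vsftpd_auth /var/log/secure` (or `grep vsftpd /var/log/secure | audit_vsftpd_auth`).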
Two problems encountered when installing vsftp on a 64-bit Red Hat AS 4.4 system, both caused by the lib search path being wrong:
pam_userdb.so could not be found during authentication.
Changing /lib/security/pam_userdb.so in /etc/pam.d/ftp to /lib64/security/pam_userdb.so fixes it.
I found a few times, which can be seen in the real log files above, that the vsftpd_users.db file was not correctly recreated with the db42_load command over the top of an existing vsftpd_users.db file. To resolve this, I simply remove the current vsftpd_users.db file and recreate the file from scratch with the db42_load.
[root@mysystem vsftpd]# strings /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db
(possibly interesting note: The /var/log/secure messages above show some testing I did on the maximum allowed username character length. At this time, glibc limits usernames to 32 characters, as can be seen above with the longest username that successfully authenticates. For such a fundamental underlying library, I'd like to see its limit higher so it is not the limiting factor for the higher-level programs that use it.)