Introduction

We want to set up virtual users and configure user-specific directories for each user, or directories shared between a handful of users.

First we need to download and install the FTP server vsftpd:

debian# apt-get install vsftpd

vsftpd uses PAM for authentication of virtual users. We are going to use the pam_pwdfile module, so we can easily share the password file between the FTP server (via PAM) and the web server (Apache).

debian# apt-get install libpam-pwdfile

Configuration

In this example we want the FTP server to provide access to various locally hosted websites, which we are running from /var/www/sites/ etc., so we don't want anonymous access, or users to be able to access other sites.

First we need to create a password file for the users. We use the htpasswd utility that comes with Apache. In its normal use it supports passwords up to 8 characters long. We have Apache installed already, so first create a password file for the first user (we call it "educin"):

debian# htpasswd -c /etc/vsftpd/passwd educin

(On Debian /etc/vsftpd does not exist; create it before running htpasswd!)

For subsequent users (without -c, which would overwrite the existing file):

debian# htpasswd /etc/vsftpd/passwd pepa

Next we need to edit the vsftpd configuration file /etc/vsftpd.conf. Read this file slowly and carefully! This file is known to work at least on Debian Squeeze.

----------------------------------------------------------------------------------------------------------------------------------------------------------
listen=YES
# If enabled, vsftpd will run in standalone mode.
# This means that vsftpd must not be run from an inetd of some kind.
# Instead, the vsftpd executable is run once directly.
# vsftpd itself will then take care of listening for and handling incoming connections.

anonymous_enable=NO
# Controls whether anonymous logins are permitted or not.
# If enabled, both the usernames ftp and anonymous are recognised as anonymous logins.

local_enable=YES
# Controls whether local logins are permitted or not.
# If enabled, normal user accounts in /etc/passwd (or wherever your PAM config references) may be used to log in.
# This must be enabled for any non-anonymous login to work, including virtual users.

virtual_use_local_privs=YES
# If enabled, virtual users will use the same privileges as local users.
# By default, virtual users will use the same privileges as anonymous users,
# which tends to be more restrictive (especially in terms of write access).

write_enable=YES

pam_service_name=vsftpd

rsa_cert_file=/etc/ssl/private/vsftpd.pem
# This option specifies the location of the RSA certificate to use for SSL encrypted connections.

guest_enable=YES
# If enabled, all non-anonymous logins are classed as "guest" logins.
# If disabled there is no access for virtual users!
# A guest login is remapped to the user specified by guest_username.

#guest_username
# This setting is the real username which guest users are mapped to.
# Default: ftp
# So the folders we are going to work in should be owned by the user ftp by default!

user_sub_token=$USER
# It may be used to automatically generate a working directory for each virtual user, together with local_root.

local_root=/var/www/sites/$USER
# This option represents a directory which vsftpd will try to change into after a local (i.e. non-anonymous) login.
# This will be the place where our virtual user will have access.

chroot_local_user=YES
# If set to YES, local users will be (by default) placed in a chroot() jail in
# their home directory after login.

secure_chroot_dir=/var/run/vsftpd/empty
# This option should be the name of a directory which is empty.
# Also, the directory should not be writable by the ftp user.
# This directory is used as a secure chroot() jail at times vsftpd does not require filesystem access.

ftpd_banner=Welcome to Eduard's FTP service
# You may fully customise the login banner string.

hide_ids=YES
# If enabled, all user and group information in directory listings will be displayed as "ftp".
dirmessage_enable=YES
# Activate directory messages - messages given to remote users when they go into a certain directory.

use_localtime=YES
# If enabled, vsftpd will display directory listings with the time in your local time zone.

connect_from_port_20=YES

pasv_min_port=30020
pasv_max_port=30031
# These put a port range on passive FTP incoming requests - very useful if you are configuring a firewall.
# Open those ports in the firewall.

local_umask=022
# Default umask for local users is 077.
# You may wish to change this to 022, if your users expect that (022 is used by most other ftpd's).

xferlog_enable=YES
# Activate logging of uploads/downloads.

#####################################################################################################
########################## This section is for setting up TLS (FTPS) ################################
#####################################################################################################
# Turn on SSL
ssl_enable=YES
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=NO
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=YES
# Disable SSL session reuse (required by some clients)
require_ssl_reuse=NO
# Select which SSL ciphers vsftpd will allow for encrypted SSL connections (required by FileZilla)
ssl_ciphers=HIGH
# In FileZilla, use the server type "FTPES - FTP over explicit TLS/SSL" to connect to the server with TLS/SSL/FTPS.
--------------------------------------------------------------------------------------------------------------------------

We've turned anonymous access off and enabled local access, which we need for virtual users, and we've specified that each user will be chrooted to their own web directory, so user educin will be chrooted to /var/www/sites/educin.

The last section is optional and increases security. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet.[1] TLS and SSL encrypt the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality, and message authentication codes for message integrity. So with this section enabled we are configuring an FTPS server, which is not the same as a plain FTP server: clients have to connect with explicit TLS (FTPES).

PAM configuration

We need to configure PAM to use the password file, so edit /etc/pam.d/vsftpd, comment out everything in the file and add the following lines:

# Customized login using htpasswd file
auth    required pam_pwdfile.so pwdfile /etc/vsftpd/passwd
account required pam_permit.so

We need the account line because vsftpd requires both auth and account to succeed; as we are using virtual users without any account expiry information, we use the default pam_permit module for the account check.

Creating the SSL certificate for TLS (only for FTPS)

In order to use TLS, we must create an SSL certificate. We create it in /etc/ssl/private. We generate the SSL certificate (self-signed, with the private key in the same file) as follows:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Then we answer a few questions:

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

The default certificate provided by Debian has to be replaced by a new one anyway.

Permissions of folders

Now create educin's home folder and set its permissions up correctly (it must be owned by ftp, since we left guest_username at its default of ftp). Directories need the execute (search) bit to be entered, so we give directories 755 and files 644 rather than 644 to everything:

chown -R ftp:ftp /var/www/sites/educin
chmod -R u=rwX,go=rX /var/www/sites/educin

Note that vsftpd releases from 2.3.5 onwards refuse a login when the chroot root directory is writable by the user ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"); Squeeze's vsftpd predates that check. On later releases either set allow_writeable_chroot=YES or make the root itself non-writable and give write access only in a subdirectory.

Finally

First we stop and start vsftpd so that it picks up the new configuration:

sudo /etc/init.d/vsftpd stop
sudo /etc/init.d/vsftpd start

The following is useful to test plain FTP, not FTPS (with force_local_logins_ssl=YES a plaintext login is refused):

debian# ftp 127.0.0.1

IF THE SERVER IS BEHIND A ROUTER/NAT/PAT

In this case, use pasv_address:

pasv_address
Use this option to override the IP address that vsftpd will advertise in response to the PASV command. Provide a numeric IP address, unless pasv_addr_resolve is enabled, in which case you can provide a hostname which will be DNS resolved for you at startup.
Default: (none - the address is taken from the incoming connected socket)

For pasv_address you should then write the public IP of the router, or, alternatively, enable:

pasv_addr_resolve
Set to YES if you want to use a hostname (as opposed to an IP address) in the pasv_address option.
Default: NO

If you need help with any question, get in touch through this link.
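As an added example (not part of the original guide), a small POSIX shell audit that reads a vsftpd.conf and flags the settings above that differ from what this setup needs: no anonymous access, virtual users chrooted into their own $USER directory, TLS forced for logins and data, and a usable passive port range. The function names conf_get and check_vsftpd_conf are chosen here, and the sample file is constructed inline.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a vsftpd.conf against the
# settings this guide relies on: no anonymous access, virtual users chrooted into
# their own directory, TLS forced for logins and data, a fixed passive port range.

# conf_get FILE KEY: print the effective value of KEY (last definition wins,
# comment lines ignored, value cut at the first whitespace); empty if unset.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# check_vsftpd_conf FILE: print one line per deviation and return their count
# (0 means the file matches the guide's security-relevant settings).
check_vsftpd_conf() {
    f=$1; n=0
    for pair in anonymous_enable=NO local_enable=YES guest_enable=YES \
                chroot_local_user=YES ssl_enable=YES allow_anon_ssl=NO \
                force_local_logins_ssl=YES force_local_data_ssl=YES; do
        key=${pair%%=*}; want=${pair#*=}; got=$(conf_get "$f" "$key")
        [ "$got" = "$want" ] && continue
        echo "$key: expected $want, found '${got:-<unset>}'"; n=$((n + 1))
    done
    # Without the $USER token in local_root every virtual user lands in the same jail.
    case "$(conf_get "$f" local_root)" in
        *'$USER'*) ;;
        *) echo 'local_root: no $USER token, users would share one directory'; n=$((n + 1)) ;;
    esac
    # The passive range must exist and be ordered before it can be opened in the firewall.
    lo=$(conf_get "$f" pasv_min_port); hi=$(conf_get "$f" pasv_max_port)
    if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ]; then
        echo "pasv_min_port/pasv_max_port: missing or inverted range"; n=$((n + 1))
    fi
    return $n
}

# Constructed sample: the guide's settings, except that anonymous access is left
# on and local_root lacks its $USER token, so two findings are expected.
sample=$(mktemp)
printf '%s\n' anonymous_enable=YES local_enable=YES guest_enable=YES \
    chroot_local_user=YES 'local_root=/var/www/sites' pasv_min_port=30020 \
    pasv_max_port=30031 ssl_enable=YES allow_anon_ssl=NO \
    force_local_data_ssl=YES force_local_logins_ssl=YES > "$sample"
check_vsftpd_conf "$sample" && echo "findings: 0" || echo "findings: $?"
rm -f "$sample"
```

Run it as `sh audit.sh` against a copy of /etc/vsftpd.conf by replacing the constructed sample with the real path; a non-zero exit status means at least one setting deviates.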