FTP with DB Based Users

FTP with DB Based Users

Users are created virtually (in the database) and have no shell access.

Requirements

1. vsftpd server

2. MySQL server

3. Pam_mysql

Installation of the requirements and base packages

vsftpd server

# Install the FTP daemon; the MySQL server and pam_mysql listed under
# "Requirements" must be present as well before the configuration steps.
yum install vsftpd

Pam_mysql

Configuration

→ Create the database vsftpd and the MySQL user vsftpd, and create the first virtual user, user1

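-- Database that pam_mysql queries on every FTP login.
-- IF NOT EXISTS makes the whole setup script safe to re-run.
CREATE DATABASE IF NOT EXISTS vsftpd;

-- Read-only MySQL account used by pam_mysql (the user=/passwd= values in
-- /etc/pam.d/vsftpd). GRANT ... IDENTIFIED BY creates the account implicitly;
-- this is the pre-MySQL-8.0 form. 'vsftpdpassword' is a placeholder: replace
-- it and keep it in sync with the PAM file, which stores it in clear text.
GRANT SELECT ON vsftpd.* TO 'vsftpd'@'localhost' IDENTIFIED BY 'vsftpdpassword';

FLUSH PRIVILEGES;

USE vsftpd;

-- One row per virtual FTP user. pam_mysql looks the login name up in
-- `username` (usercolumn) and compares the stored digest in `pass` (passwdcolumn).
CREATE TABLE IF NOT EXISTS accounts (
    id       INT         NOT NULL AUTO_INCREMENT,
    username VARCHAR(30) NOT NULL,
    -- MD5 hex digest is 32 characters; 50 leaves room for a longer hex digest.
    pass     VARCHAR(50) NOT NULL,
    PRIMARY KEY (id),
    -- Login names must be unique; naming the constraint makes errors greppable.
    UNIQUE KEY accounts_username_uk (username)
) ENGINE = MYISAM;

-- First virtual user. MD5() yields an unsalted hex digest, which is exactly
-- what crypt=3 in the pam_mysql lines expects: change the two together or
-- logins will fail. An unsalted MD5 protects stored passwords weakly, so use
-- a long password here and leave the table readable only by the pam_mysql
-- account (the GRANT above gives it SELECT only).
INSERT INTO accounts (username, pass) VALUES ('user1', MD5('secret'));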

# System account that vsftpd maps every virtual login onto (guest_username)
# and uses as its unprivileged helper (nopriv_user). No login shell; its home
# is the parent of every virtual user's directory.
# -m is not given: on RHEL-family systems useradd creates the home directory
# anyway (CREATE_HOME in /etc/login.defs) — confirm /home/vsftpd exists afterwards.
useradd --groups users --shell /sbin/nologin --home-dir /home/vsftpd vsftpd

→ Add the user vsftpd to the system to control the FTP activity

# Keep a pristine copy of the shipped vsftpd configuration before replacing it.
cp -v /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf-orig

# Truncate the live configuration, then open it in an editor and paste the
# vsftpd.conf block that follows.
: > /etc/vsftpd/vsftpd.conf
vi /etc/vsftpd/vsftpd.conf

→ vsftpd.conf (copy the whole text box below)

# vsftpd.conf — virtual FTP users authenticated through PAM (pam_mysql).
# Every login is mapped onto the local system user 'vsftpd' (guest_username)
# and confined to /home/vsftpd/<login> (local_root + user_sub_token).

# No ANONYMOUS users allowed
anonymous_enable=NO

# Allow 'local' users with WRITE permissions (0755).
# With virtual_use_local_privs=YES further down, this also applies to the
# virtual users, so every database account can upload into its own directory.
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES

# if you want to LOG vsftpd activity then uncomment this log_ftp_protocol
# log_ftp_protocol=YES
connect_from_port_20=YES

# uncomment xferlog_file and xferlog_std_format if you DIDN'T use the line above
# with log_ftp_protocol - the two are mutually exclusive
# The name of the log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog
# xferlog_std_format switches between logging into vsftpd_log_file and xferlog_file.
# NO writes to vsftpd_log_file, YES to xferlog_file
# xferlog_std_format=YES

# You may change the default value for timing out an idle session (in seconds).
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection (in seconds).
#data_connection_timeout=120
#
# define a unique user on your system which the
# ftp server can use as a totally isolated and unprivileged user.
# NOTE(review): this is the same account as guest_username below, so the
# "isolated" helper also owns every virtual user's files; a separate dedicated
# account gives stronger separation — confirm before relying on this setup.
nopriv_user=vsftpd

# Confine every user to its local_root. Because write_enable=YES makes that
# root writable, vsftpd builds that refuse a writable chroot (2.3.5 and later)
# reject logins with "500 OOPS" unless allow_writeable_chroot=YES is added —
# check the installed version first, older builds do not know the option.
chroot_local_user=YES
listen=YES

# here we use the authentication module for vsftpd to check user names and passwords
# (names the PAM service file /etc/pam.d/vsftpd, which is replaced later in this guide)
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

# If userlist_deny=YES (default), never allow users in this file
# /etc/vsftpd/user_list , and do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied. NOTE(review): the PAM file installed later in
# this guide no longer contains that check; only user_list denies names here.
# (lower-case 'yes' appears to be accepted, but write YES for consistency)
userlist_deny=yes

# here vsftpd allows the 'vsftpd' user to log in to the '/home/vsftpd/$USER' directory
# guest_enable maps every non-anonymous login to guest_username; $USER is the
# FTP login name, so /home/vsftpd/<login> must exist and be owned by the
# guest user before that user can log in (see the mkdir/chown steps).
guest_enable=YES
guest_username=vsftpd
local_root=/home/vsftpd/$USER
user_sub_token=$USER
virtual_use_local_privs=YES
# Optional per-user overrides live in /etc/vsftpd/vsftpd_user_conf/<login>
user_config_dir=/etc/vsftpd/vsftpd_user_conf

# NO on both: logins and data travel in clear text (ssl_enable is not set).
# On any network you do not fully trust, set ssl_enable=YES with a certificate
# and turn both of these to YES so credentials are never sent unencrypted.
force_local_data_ssl=NO
force_local_logins_ssl=NO

# PASV - passive ports for FTP (range 44000 - 44100 inclusive, 101 ports);
# OPEN THE FIREWALL FOR THIS RANGE AS WELL AS THE CONTROL PORT
pasv_enable=YES
pasv_min_port=44000
pasv_max_port=44100

→ Create the directory for the user

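# Home directory of the first virtual user. vsftpd.conf sets
# local_root=/home/vsftpd/$USER, so user1 lands in /home/vsftpd/user1 —
# the directory must be created under /home/vsftpd, not /home/users.
# -p also creates /home/vsftpd itself if useradd did not.
mkdir -p /home/vsftpd/user1

# Give the user read and write access to its files, and nobody else:
# the owner is the guest account every virtual login is mapped to
# (guest_username=vsftpd); mode 700 keeps other local accounts out.
chown vsftpd:users /home/vsftpd/user1
chmod 700 /home/vsftpd/user1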

→ Configure PAM authentication for vsftpd

# Keep the stock PAM service file for vsftpd before overwriting it.
cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd-orig

# Truncate the live PAM file, then open it and paste the pam_mysql stack below.
: > /etc/pam.d/vsftpd
vi /etc/pam.d/vsftpd

# New contents of /etc/pam.d/vsftpd:

#%PAM-1.0
# /etc/pam.d/vsftpd — authenticate FTP logins against the vsftpd.accounts table.
# The stack is pam_mysql only: both the auth and account phases are satisfied
# by a matching row. According to the comment in vsftpd.conf the stock file
# (saved as vsftpd-orig) also denied names listed in /etc/vsftpd/ftpusers;
# that check is not part of this version.
session optional pam_keyinit.so force revoke
# user=/passwd= are the MySQL credentials from the GRANT statement, stored here
# in clear text: keep this file root-owned and not world-readable.
# crypt=3 tells pam_mysql that the `pass` column holds an unsalted MD5 hex
# digest, matching MD5() in the INSERT; change both together or logins fail.
auth required pam_mysql.so user=vsftpd passwd=vsftpdpassword host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=3
# Same lookup for the account phase (is the account known and allowed).
account required pam_mysql.so user=vsftpd passwd=vsftpdpassword host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=3

→ Restart the vsftpd server to load the new settings

# Apply the new vsftpd.conf and PAM stack (SysV init; on systemd hosts the
# equivalent is `systemctl restart vsftpd`).
service vsftpd restart