Use MySQL to handle VSFTPD virtual users on Debian/Ubuntu System
VSFTPD is a secure, robust FTP server for Unix/Linux systems. It can handle not only local users but also virtual users. Virtual users must log in with a username and password rather than as the anonymous user. I recently helped set up a VSFTPD server to handle virtual users on a Debian/Ubuntu system, and it took me a while to get everything working. I'd like to write down all the bits I encountered and went through; hopefully it is useful to newcomers. The main idea and configuration come from the two reference posts listed at the end of the article, and the authors of those articles deserve the major credit. I just read what they suggested, modified it and combined the two together.
Install and configure VSFTPD
On a Debian/Ubuntu server system it is pretty easy to install the vsftpd server package. If you are not sure of the package name, use apt-cache search to query the package database. The following command installs VSFTPD on your system.
# apt-get install vsftpd
Once installation is done, you can rename the default vsftpd.conf file to a different name and create a new one with the following content.
/etc/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ftpd_banner=Hello.
pam_service_name=vsftpd
listen=YES
tcp_wrappers=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
guest_enable=YES
guest_username=vsftpdguest
user_sub_token=$USER
local_root=/home/vsftpdguest/$USER
virtual_use_local_privs=YES
chroot_local_user=YES
Now create a local user that acts as the representative for all virtual users on your system.
# useradd -s /bin/false -d /home/vsftpdguest vsftpdguest
The home directory of this user is /home/vsftpdguest and the account has no shell access. It exists only to handle virtual ftp users. For every virtual user you have to create a folder under /home/vsftpdguest with the same name as the user name; this is the directory that local_root=/home/vsftpdguest/$USER in vsftpd.conf resolves to. We will create a virtual user called 'vuser_1' in the next step, so let us create a folder for it now.
# mkdir /home/vsftpdguest/vuser_1
Create MySQL database and populate it
I assume that the MySQL server is already installed on the same machine. To reduce errors, do not type the commands by hand: copy and paste the vsftpd.sql file below to your system and edit it to suit your needs. Then run the mysql client as follows, entering the MySQL root password when prompted.
# mysql -u root -p
vsftpd.sql
/* create database */
CREATE DATABASE IF NOT EXISTS `vsftpdvu`;
/* select it, so the table below is created inside it */
USE `vsftpdvu`;
/* create users table in the database */
CREATE TABLE `users` (
`name` char(16) NOT NULL,
`passwd` char(41) default NULL
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
/* insert a new virtual user; PASSWORD() yields the 41-char hash that pam_mysql crypt=2 expects */
INSERT INTO `users` VALUES
('vuser_1', PASSWORD('temppasswd1'));
/* create new database user that may only read the users table */
GRANT SELECT ON vsftpdvu.users TO vsftpdguest@localhost IDENTIFIED BY 'temppasswd';
Test the new database user 'vsftpdguest' on the vsftpdvu database. If everything works correctly, you should see the virtual user 'vuser_1'.
# mysql -u vsftpdguest -ptemppasswd vsftpdvu
mysql> select * from users;
mysql> quit
Install libpam_mysql and setup PAM authorization method
In order to use MySQL database to handle virtual users for the ftp server, you have to install pam_mysql module, a PAM module allowing authentication from a MySQL server.
# apt-get install libpam-mysql
The pam_mysql.so library is installed to /lib/security/. Then copy and paste the following two lines to replace the content of your /etc/pam.d/vsftpd. The original content of that file is for local user authentication; see my comment at the end for the reason to replace it. Because these lines carry the database password in clear text, keep the file readable by root only.
/etc/pam.d/vsftpd
# passwd= is the MySQL password of the database user vsftpdguest (granted above), not a virtual user's password
auth required /lib/security/pam_mysql.so user=vsftpdguest passwd=temppasswd host=localhost db=vsftpdvu table=users usercolumn=name passwdcolumn=passwd crypt=2
account required /lib/security/pam_mysql.so user=vsftpdguest passwd=temppasswd host=localhost db=vsftpdvu table=users usercolumn=name passwdcolumn=passwd crypt=2
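The PASSWORD() call in vsftpd.sql and crypt=2 in the PAM lines above must agree on one hash format. As an added example (not from the original post), this Python reproduces MySQL's PASSWORD() so you can see why the passwd column is char(41), and audits a constructed users table for rows pam_mysql could never match; the row values are made up for the demonstration.

```python
import hashlib
import hmac


def mysql_password(plaintext: str) -> str:
    """Reproduce MySQL 4.1+ PASSWORD(): '*' + upper hex of SHA1(SHA1(pw)).

    The result is always 41 characters, which is what pam_mysql with
    crypt=2 compares against and why the column is declared char(41).
    """
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    outer = hashlib.sha1(inner).hexdigest().upper()
    return "*" + outer


def verify_password(candidate: str, stored_hash: str) -> bool:
    """Constant-time check of a login attempt against a stored hash."""
    return hmac.compare_digest(mysql_password(candidate), stored_hash)


def audit_rows(rows):
    """Return the names whose passwd value is not a valid PASSWORD() hash.

    Such rows can never authenticate through pam_mysql crypt=2, so a
    mismatch here explains an otherwise puzzling '530 Login incorrect'.
    """
    bad = []
    for name, passwd in rows:
        ok = (passwd is not None and len(passwd) == 41 and passwd[0] == "*"
              and all(c in "0123456789ABCDEF" for c in passwd[1:]))
        if not ok:
            bad.append(name)
    return bad


# Constructed sample rows, shaped like the users table after the INSERT above
SAMPLE_ROWS = [
    ("vuser_1", mysql_password("temppasswd1")),
    ("vuser_old", "5d2e19393cc5ef67"),   # made-up pre-4.1 16-char hash: crypt=2 will not match
    ("vuser_plain", "temppasswd2"),      # plaintext: would only work with crypt=0
]

if __name__ == "__main__":
    print(mysql_password("temppasswd1"))
    print(verify_password("temppasswd1", SAMPLE_ROWS[0][1]))
    print(audit_rows(SAMPLE_ROWS))
```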
Test FTP server inside out
Now you have a brand new FTP server for virtual users. Let us test it and make sure it works properly. First of all, restart the vsftpd server.
# /etc/init.d/vsftpd restart
Test the ftp server locally.
# ftp 127.0.0.1
Connected to 127.0.0.1.
220 Hello.
User (127.0.0.1:(none)): vuser_1
331 Please specify the password.
Password:
230 Login successful.
ftp>
Additional comments
The FTP server we set up here handles virtual users exclusively, not local users. You need to set up a separate server to handle the other group; one server does not serve both at the same time. I read a lot of threads on different forums asking how to configure VSFTPD to handle both groups simultaneously. It is not possible, for security's sake.
