Tag Archives: pam

vsftpd with ftpes and virtual users (without mysql!)

I have Ubuntu 12.04.
Download vsftpd_2.3.2-3ubuntu5_amd64.deb from the official site.
I don't use version 2.3.5 from the repository, because there is an issue with a writable chroot: since 2.3.5, users in a chroot can't write in the root of the chroot folder.

sudo dpkg -i vsftpd_2.3.2-3ubuntu5_amd64.deb
sudo apt-get install libpam-pwdfile
mkdir -p /etc/vsftpd/users
mkdir -p /raid/ftp/USERS/{user1,user2,user3}
useradd --home /raid/ftp --gid nogroup -m --shell /bin/false vsftpd
chown -R vsftpd.nogroup /raid/ftp/
touch /etc/vsftpd/chroot_list

cat >> /etc/vsftpd.conf << EOF

listen=YES
connect_from_port_20=YES

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES

xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
log_ftp_protocol=YES
debug_ssl=YES
syslog_enable=NO

pam_service_name=vsftpd
secure_chroot_dir=/var/run/vsftpd
rsa_private_key_file=/etc/ssl/private/vsftpd.key
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
user_config_dir=/etc/vsftpd/users
hide_ids=YES
local_root=/raid/ftp/USERS/$USER
user_sub_token=$USER
chroot_local_user=YES
guest_enable=YES
guest_username=vsftpd
virtual_use_local_privs=YES
anon_world_readable_only=NO
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
use_sendfile=NO
tcp_wrappers=NO

pasv_enable=YES
port_enable=YES
pasv_promiscuous=YES
pasv_min_port=16000
pasv_max_port=16050
pasv_address=THEREIS.YOUR.EXTERNAL.IP

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH

EOF

cat >> /etc/pam.d/vsftpd << EOF

auth required pam_pwdfile.so pwdfile /etc/vsftpd/passwd_ftp
account required pam_permit.so
EOF

Create users:
htpasswd -c /etc/vsftpd/passwd_ftp user1
htpasswd /etc/vsftpd/passwd_ftp user2
htpasswd /etc/vsftpd/passwd_ftp user3


cat >> /etc/vsftpd/users/user1 << EOF
local_root=/raid/ftp/USERS/user1/
EOF

cat >> /etc/vsftpd/users/user2 << EOF
local_root=/raid/ftp/USERS/user2/
EOF

cat >> /etc/vsftpd/users/user3 << EOF
local_root=/raid/ftp/USERS/user3/
EOF

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.key -out /etc/ssl/certs/vsftpd.pem
chmod 600 /etc/ssl/certs/vsftpd.pem /etc/ssl/private/vsftpd.key

/etc/init.d/vsftpd restart
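The vsftpd.conf above enables SSLv2 and SSLv3 (ssl_sslv2=YES, ssl_sslv3=YES) and sets pasv_promiscuous=YES, which disables vsftpd's check that the PASV data connection comes from the same address as the control connection. As an added example, not part of the original post, the following shell script audits a vsftpd.conf for those settings and writes a hardened copy; the option names are vsftpd's own, and the sample configuration it checks is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit a vsftpd.conf for the
# settings that weaken TLS or the passive-mode address check, and write
# a hardened copy. Option names are real vsftpd options; the sample
# configuration at the bottom is constructed for the demonstration.

# Print every weak "key=value" line found in the file $1.
# Returns 1 if anything was found, 0 if the file is clean.
audit_vsftpd_conf() {
    conf="$1"
    found=0
    # SSLv2/SSLv3 are deprecated protocol versions; pasv_promiscuous=YES
    # disables the check that the PASV data connection originates from the
    # same IP as the control connection; the force_* lines allow plaintext.
    for weak in ssl_sslv2=YES ssl_sslv3=YES pasv_promiscuous=YES \
                force_local_logins_ssl=NO force_local_data_ssl=NO; do
        if grep -qx "$weak" "$conf"; then
            echo "weak: $weak"
            found=1
        fi
    done
    return "$found"
}

# Write a hardened copy of $1 to $2: SSLv2/SSLv3 off, TLSv1 left as is,
# passive-mode address check re-enabled, plaintext logins/data disallowed.
harden_vsftpd_conf() {
    sed -e 's/^ssl_sslv2=YES$/ssl_sslv2=NO/' \
        -e 's/^ssl_sslv3=YES$/ssl_sslv3=NO/' \
        -e 's/^pasv_promiscuous=YES$/pasv_promiscuous=NO/' \
        -e 's/^force_local_logins_ssl=NO$/force_local_logins_ssl=YES/' \
        -e 's/^force_local_data_ssl=NO$/force_local_data_ssl=YES/' \
        "$1" > "$2"
}

# Demonstration on a constructed sample (a subset of the post's config).
demo_dir=$(mktemp -d)
printf '%s\n' listen=YES ssl_enable=YES ssl_tlsv1=YES ssl_sslv2=YES \
    ssl_sslv3=YES pasv_promiscuous=YES > "$demo_dir/vsftpd.conf"
audit_vsftpd_conf "$demo_dir/vsftpd.conf" || echo "weak settings found"
harden_vsftpd_conf "$demo_dir/vsftpd.conf" "$demo_dir/vsftpd.conf.hardened"
audit_vsftpd_conf "$demo_dir/vsftpd.conf.hardened" && echo "hardened copy is clean"
```

Run the audit against the real /etc/vsftpd.conf and restart vsftpd after replacing it with the hardened copy.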

FreeRadius + pam + sshd

As an example, we will authenticate SSH logins on 192.168.0.233 through PAM against a RADIUS server on 192.168.0.1.

192.168.0.1:
On the various *nix systems, installing freeradius and pam_radius_auth.so is not difficult.
For Ubuntu:
sudo apt-get install freeradius
For Gentoo:
emerge freeradius


192.168.0.233:
Next, download the «PAM Authentication and Accounting module» from:
http://freeradius.org/pam_radius_auth/

Or (in ubuntu):

apt-get install libpam-radius-auth


To install it:
1. make
2. Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so

192.168.0.1:
Next we will tune the freeradius settings:
All of the files are stored in /etc/raddb on Gentoo or /etc/freeradius on Ubuntu.

vim clients.conf
...
client 192.168.0.233 {
secret = passwordko
}
...
EOF
Here we allow 192.168.0.233 to authenticate against the RADIUS server with the shared secret passwordko.


192.168.0.233:
vim /etc/pam_radius_auth.conf and /etc/radiusclient/servers

192.168.0.1    passwordko 1
EOF

vim /etc/pam.d/sshd (comment out all existing auth lines)

auth       required     pam_radius_auth.so debug
EOF

That's all. Now you can log in over SSH to 192.168.0.233 with the same passwords as on the 192.168.0.1 machine.

Note that the usernames must be the same on 192.168.0.233 and 192.168.0.1. If a login from 192.168.0.1 has no matching local account on 192.168.0.233, you can't log in.

Anybody know how?? Please tell me at g.link0ln@gmail.com. (languages: Russian/English)