Wednesday, April 7, 2010

Vsftpd FTP Server With Virtual Users ( Berkeley DB + PAM )

Vsftpd supports virtual users with PAM (pluggable authentication modules). A virtual user is a user login which does not exist as a real login on the system in /etc/passwd and /etc/shadow file. Virtual users can therefore be more secure than real users, because a compromised account can only use the FTP server but cannot login to system to use other services such as ssh or smtp.

Required software

Berkeley DB (version 4) databases
pam_userdb.so

Install Berkeley DB And Utilities Under RHEL / CentOS

Type the following command:
# yum install db4-utils db4

Create the Virtual Users Database

To create a "db4" format file, first create a plain text files with the usernames and password on alternating lines. For e.g. create user called "shah" with password called "shahpass" and saif with password "saifpass":

# cd /etc/vsftpd
# cat > vusers.txt

Sample output:

shah

shahpass

saif

saifpass

Next, create the actual database file like this:

# db_load -T -t hash -f vusers.txt vsftpd-virtual-user.db
# chmod 600 vsftpd-virtual-user.db
# rm vusers.txt

Configure VSFTPD for virtual user

Edit the vsftpd configuration file. Add or correct the following configuration options:

anonymous_enable=NO
local_enable=YES
# Virtual users will use the same privileges as local users.
# It will grant write access to virtual users. Virtual users will use the
# same privileges as anonymous users, which tends to be more restrictive
# (especially in terms of write access).
virtual_use_local_privs=YES
write_enable=YES

# Set the name of the PAM service vsftpd will use
# RHEL / centos user should use /etc/pam.d/vsftpd
pam_service_name=vsftpd.virtual

# Activates virtual users
guest_enable=YES

# Automatically generate a home directory for each virtual user, based on a template.
# For example, if the home directory of the real user specified via guest_username is
# /home/virtual/$USER, and user_sub_token is set to $USER, then when virtual user shah
# logs in, he will end up (usually chroot()'ed) in the directory /home/virtual/shah.
# This option also takes affect if local_root contains user_sub_token.
user_sub_token=$USER

# Usually this is mapped to Apache virtual hosting docroot, so that
# Users can upload files
local_root=/home/vftp/$USER

# Chroot user and lock down to their home dirs
chroot_local_user=YES

# Hide ids from user
hide_ids=YES

Save and close the file.

Create a PAM File Which Uses Your New Database

The following PAM is used to authenticate users using your new database. Create /etc/pam.d/vsftpd.virtual:

# cat > /etc/pam.d/vsftpd.virtual

Append the following:

#%PAM-1.0

auth required pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user

account required pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user

session required pam_loginuid.so

Create The Location Of The Files

You need to set up the location of the files / dirs for the virtual users. Type the following command:

# mkdir /home/vftp
# mkdir -p /home/vftp/{shah,saif}
# chown -R ftp:ftp /home/vftp

Restart The FTP Server

Type the following command

# service vsftpd restart

Test Your Setup

Open another shell session and type:

$ ftp ftp.example.com

Sample output:

Connected to ftp.example.com.
Name (localhost:root): shah
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Sample log from /var/log/secure:

# tail -f /var/log/secure

Apr 07 14:54:28 xentest vsftpd: pam_userdb(vsftpd.virtual:auth): user 'shah' granted access

No comments:

Introduction to Linux for beginners

History

UNIX

In order to understand the popularity of Linux, we need to travel back in time, about 30 years ago, imagine computers as big as houses, even stadiums. While the sizes of those computers posed substantial problems, there was one thing that made this even worse: every computer had a different operating system. Software was always customized to serve a specific purpose, and software for one given system didn’t run on another system. Being able to work with one system didn’t automatically mean that you could work with another. It was difficult, both for the users and the system administrators. Computers were extremely expensive then, and sacrifices had to be made even after the original purchases just get the users to understand how they worked. The total cost of IT was enormous. Technologically the world was not quite that advanced, so they had to live with the size for another decade. In 1969, a team of developers in the Bell Labs laboratories started working on a solution for the software problem, to address these compatibility issues.

Bell Labs

UNIX was originally developed for internal use at AT&T Bell Labs by researchers Ken Thompson and Dennis Ritchie. AT&T licensed the source code, widely allowing many companies to modify and produce UNIX-like operating systems. Because AT&T held the UNIX name, other companies had to create their own names to brand the modifications ad additions they had made: AIX from IBM, HP/UX from Hewlett-Packard, SunOS (later Solaris) from Sun, and Mac from Apple.

They developed a new operating system, which was Simple and elegant.

Features

Written in the C programming language instead of in assembly code.
Able to recycle code.
the Bell Labs developers named their project “UNIX”

The code recycling features were very important. Until then, all commercially available computer system were written in code specifically developed for one system. UNIX on the other hand needed only a small piece of that special code, which is now commonly named the kernel. This kernel is the only piece of code that needs to be adapted for every specific system and forms the base of the UNIX system. The operating system and all other functions were built around this kernel and written in a higher programming language ‘C’.

This language was especially developed for creating the UNIX system. Using this new technique, it was much easier to develop an operating system that could run on many different types of hardware.

The software vendors were quick to adapt, since they could sell ten times more software almost effortlessly. Weird new software came in existence: imagine for instances computers from different vendors communicating in the same network, or users working on different systems without the need for extra education to use another computer. UNIX did a great deal to help users become compatible with different systems. Throughout the next couple of decades the development of UNIX continued. More things became possible to do and more hardware and software vendors added support for UNIX to their products. UNIX was initially found only in very large environments with mainframes and minicomputers (note that a PC a “micro” computer). You had to work at a university, for the government or for large financial corporations on order to get your hands on UNIX system. But smaller computers were being developed, and by end of the 80s, many people had home computers. By that time, there were several versions of UNIX available for the PC architecture, but none of them were truly free.

GNU Project/FSF

GNU project started in 1984 by Richard Mathew Stallman. Project goals were to create “free” UNIX clone, by 1990, nearly all required user space applications created and FSF stands for Free Software Foundation is non-profit organization that manages GNU project.

Philosophy

The term free software may have a different meaning than you expect. The term doesn’t refer to the cost of the software, but the fact that end user has the freedom to modify and change the program.

“Free software” refers to the users’ freedom to run, copy, distribute, study, change and improve the software. More precisely, it refers to four kinds of freedom, for the users of the software:

The freedom to run the program, for any purpose.
The freedom to study how the program works, and adapt it to your needs
The freedom to redistribute codes (software) so you can help your neighbor.
The freedom to improve program, and release your improvements to public, so that the whole community benefits.

Linus and Linux

Linus Torvalds, a young man studying computer science at the University of Helsinki, thought it would be a good idea to have some sort of freely available academic version of UNIX, and promptly stared to code.

He started to ask questions, looking for answers and solutions that would help him get UNIX on his PC.

From the start, it was Linus’ goal to have free system that was completely compliant with the original UNIX.

That is why he asked for POSIX standards, POSIX still being the standard for UNIX.

In those days plug-and-play wasn’t invented yet, but so many people were interested in having a UNIX system of their own, that was only a small obstacle. New drivers became available for all kind of new hardware, at a continuously rising speed. Almost as soon as new piece of hardware became available, someone bought it and submitted it to the Linux test, as the systems was gradually being called, releasing more free code for an ever wider range of hardware. These coders didn’t stop at their PC’s, every piece of hardware they could find was useful for Linux. Back then, those people were called “nerds” or “freaks”, but it didn’t matter to them, as long as the supported hardware list grew longer and longer. Thanks to these people, Linux is now not only ideal to run on new PC’s but it also the system of choice for old and exotic hardware that would be useless if Linux didn’t exist.

Introduction to Linux

Two years after Linus’ post, there were 12000 Linux users. The project, popular with hobbyists, grew steadily, all the while staying within the bounds of the POSIX standard. All the features of the UNIX were added over the next couple of years, resulting in the mature operating system Linux has become today. Linux is a full UNIX clone, fit for use on workstations s well as on middle-range and high-end servers. Today, all the important players on the hard and software market each have their team of Linux developers, at your local dealer’s you can even buy pre-installed Linux systems with official support.

Why Linux is better?

Cost -- Linux is free, and that includes all the apps. Microsoft is greedy. Vista Home Premium and Ultimate cost hundreds of dollars, even when upgrading from Windows XP. Moving up to Office 2007 involves handing over another bundle of dollars.
Resources -- Even the most lavishly equipped Linux distros demand no more resources than Windows XP. Vista is greedy: a single-user PC operating system that needs 2GB of RAM to run at acceptable speed, and 15GB of hard disk space, is grossly obese.
Performance -- Linux worked faster on my Dell Inspiron Core Duo than XP, at least the way XP worked out of the box. After cleaning out the bloatware and trading McAfee's Abrams Tank for the lightweight NOD32, XP and Linux (with Guarddog and Clam-AV) perform at similar speed.
No bloat ware -- Linux is free from adware, trialware, shovelware, and bloat ware. Running Linux is like watching the public TV network.
Security -- Last year, 48,000 new virus signatures were documented for Windows, compared to 40 for Linux. Still, most bistros come with firewalls and anti virus (AV) software. Programs like Guard dog and Clam-AV are free, of course.
Dual booting -- The best Linux distros make dual booting a simple affair, along with the required disk partitioning (so you don't need to buy partitioning software). Windows on my Dell laptop is still intact after installing and uninstalling a dozen distros.
Installation -- Anyone who's done it once knows that installing Windows from scratch takes hours or even days by the time you get all your apps up and running. With Linux, it can take as little as half an hour to install the operating system, utilities, and a full set of applications. No registration or activation is required, no paperwork, and no excruciating pack drill.
Reinstalling the OS -- You can't just download an updated version of Windows. You have to use the CD that came with your PC and download all the patches Microsoft has issued since the CD was made. With Linux, you simply download the latest version of your distro (no questions asked) and, assuming your data files live in a separate disk partition, there's no need to reinstall them. You only need to re-install the extra programs you added to the ones that came with the distro.
Keeping track of software -- Like most Windows users, I have a shelf full of software CDs and keep a little book with serial numbers under my bed in case I have to reinstall the lot. With Linux, there are no serial numbers or passwords to lose or worry about. Not a single one.
Updating software -- Linux updates all the software on your system whenever updates are available online, including all applications programs. Microsoft does that for Windows software but you have to update each program you've added from other sources. That's about 60 on each of my PCs. More icing on the Linux cake is that it doesn't ask you to reboot after updates. XP nags you every ten minutes until you curse and reboot your machine. If you choose "custom install" to select only the updates you want, XP hounds you like a mangy neighborhood dog until you give in.
More security -- These days, operating systems are less vulnerable than the applications that run on them. Therefore a vital aspect of PC security is keeping your apps up-to-date with the latest security patches. That's hard manual labor in Windows, but with Linux it's automatic.
No need to defrag disks -- Linux uses different file systems that don't need defragging. NTFS was going to be replaced in Vista, but Microsoft's new file system didn't make the final cut. Instead, Vista does scheduled disk defragging by default, but the defrag utility is a sad affair.
A wealth of built-in utilities -- The utilities supplied with Windows are pretty ordinary on the whole, that's why so many small software firms have made a nice living writing better ones. Linux programs are comparable with the best Windows freeware, from CD burners to photo managers, memory monitors and disk utilities. PDF conversion is built-in, both into OpenOffice Writer and into the DTP application Scribus. All you do is click a button on the task bar.