vsftpd is currently the most widely used FTP server. In a company, many accounts are often needed over time, and different users need different operation permissions. Creating each of them as a real Linux user is clearly not a good choice, so virtual users are used instead.
The process of creating a virtual user is as follows:
1. Create the host user vsftpuser for the vsftpd service and the host user virtualuser for the virtual users. The commands are as follows:
useradd vsftpuser -s /usr/sbin/nologin
useradd virtualuser -s /usr/sbin/nologin
-s /usr/sbin/nologin means that interactive login is not allowed for these accounts
2. Create a virtual user data file
cd /etc/vsftpd
vi vftpuser.txt
Create the vftpuser.txt file to store the usernames and passwords of the virtual users.
The format of vftpuser.txt is one line with the username followed by one line with the password, repeated for each user:
username1
password1
username2
password2
...
...
Then use db_load to convert the virtual user file vftpuser.txt into a Berkeley DB hash file that pam_userdb can read. The command is as follows:
db_load -T -t hash -f /etc/vsftpd/vftpuser.txt /etc/vsftpd/vftpuser.db
If the db_load command is unavailable, install the Berkeley DB utilities for your distribution (for example the db-util package on Debian/Ubuntu).
Finally, restrict the file permissions so that other users cannot read the credentials:
chmod 600 /etc/vsftpd/vftpuser.*
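The following is an added example, not code from the original article: it checks that the username/password pair file is well formed before db_load sees it (a stray blank line or an unpaired username silently produces a wrong database), then builds the db and applies the chmod 600 step. File names follow the article.

```shell
#!/bin/sh
# Added example, not part of the original article: check the username/password
# pair file before db_load sees it, then build the db and lock both files down.
# File names follow the article (/etc/vsftpd/vftpuser.txt -> vftpuser.db).

# Return 0 when the file is well formed: an even, non-zero number of lines,
# odd lines are plausible usernames, even lines are non-empty passwords.
# The first problem found is printed and the function returns 1.
validate_userfile() {
    f="$1"; n=0
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if [ $((n % 2)) -eq 1 ]; then
            # username: lowercase letters, digits, '.', '_' or '-', up to 32 chars
            case "$line" in
                ''|*[!a-z0-9._-]*) echo "line $n: bad username '$line'"; return 1 ;;
            esac
            [ ${#line} -le 32 ] || { echo "line $n: username too long"; return 1; }
        elif [ -z "$line" ]; then
            echo "line $n: empty password"; return 1
        fi
    done < "$f"
    [ "$n" -gt 0 ] || { echo "$f is empty"; return 1; }
    [ $((n % 2)) -eq 0 ] || { echo "$f ends with a username that has no password"; return 1; }
    return 0
}

# Validate, convert to a hash db (what pam_userdb reads) and restrict both
# files to root, as the article's chmod 600 step does.
build_userdb() {
    src="$1"; db="${src%.txt}.db"
    validate_userfile "$src" || return 1
    db_load -T -t hash -f "$src" "$db" || return 1
    chmod 600 "$src" "$db"
}

# Usage (as root): build_userdb /etc/vsftpd/vftpuser.txt
```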
3. Authenticate the client through a PAM module
PAM (Pluggable Authentication Modules) is a pluggable authentication framework: without reinstalling the application, the authentication method of a program can be adjusted by modifying its configuration file.
The configuration files of the PAM modules live in the /etc/pam.d/ directory. It holds a large number of authentication-related configuration files, each named after its service. For example, the full path of the vsftpd configuration file is /etc/pam.d/vsftpd. After finding the file, modify its configuration items. The configuration items and how to configure them are as follows:
# Verify the username and password; the module used is pam_userdb.so and the database is /etc/vsftpd/vftpuser (pam_userdb appends the .db suffix itself)
auth sufficient /lib/x86_64-linux-gnu/security/pam_userdb.so db=/etc/vsftpd/vftpuser
# Check the account's validity and any restrictions on it
account sufficient /lib/x86_64-linux-gnu/security/pam_userdb.so db=/etc/vsftpd/vftpuser
# sufficient means a sufficient condition: once verification passes here, the remaining modules below do not need to be consulted.
# Conversely, if this module fails the user is not rejected immediately, because a failed sufficient module does not by itself fail the whole stack; the user must still pass the remaining modules.
required and sufficient: if a sufficient module fails, verification continues with the remaining modules; required means the module must pass, and if it fails the overall verification fails.
Final configuration file style:
# Standard behaviour for ftpd(8).
# Deny users listed in /etc/ftpusers before anything else
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.
# Authenticate virtual users
auth sufficient /lib/x86_64-linux-gnu/security/pam_userdb.so db=/etc/vsftpd/vftpuser
account sufficient /lib/x86_64-linux-gnu/security/pam_userdb.so db=/etc/vsftpd/vftpuser
# Standard pam includes
# Authenticate local user
@include common-account
@include common-session
@include common-auth
auth required pam_shells.so
The configuration file already exists; all you need to do is read and understand its content, then modify it according to your own needs.
4. Modify the vsftpd configuration file /etc/vsftpd.conf
Most of the configuration does not normally need to be changed; the configuration items that virtual users require are listed below:
# The host user that the vsftpd service runs as when it does not need privileges
nopriv_user=vsftpuser
# Name of the PAM service file under /etc/pam.d/ to use
pam_service_name=vsftpd
# Enable virtual (guest) users
guest_enable=YES
# Local host user that virtual users are mapped to
guest_username=virtualuser
# Give virtual users the same permissions as local users
virtual_use_local_privs=YES
# Directory holding the per-user configuration files for virtual users
user_config_dir=/etc/vsftpd/user_config
5. Finally, personalize the configuration for each user
The user_config_dir item in vsftpd.conf sets the path of the per-user configuration for virtual users. Go to that path, /etc/vsftpd/user_config, and create it if it does not exist.
Then, under that path, create a configuration file named after each username defined earlier in the virtual user source file vftpuser.txt. For example, if the username defined earlier is chris, the full path of the user configuration file is /etc/vsftpd/user_config/chris.
The main configuration content for the user is as follows:
# Whether the virtual user has the same permissions as the local user
virtual_use_local_privs=YES
# The initial path when the user logs in to FTP
local_root=/home/ftp
# Allow write operations
write_enable=YES
# Do not restrict downloads to world-readable files
anon_world_readable_only=NO
# Whether virtual users can upload files
anon_upload_enable=YES
Some further configuration items and their effects:
# Whether to enable the user list file given by chroot_list_file. Default is NO
chroot_list_enable=YES/NO (default NO)
# The user list file, used to control which users may leave their home directory (see the combinations below)
chroot_list_file=/etc/vsftpd.chroot_list
# Whether local users are confined (chrooted) to their home directory by default. Default is NO
chroot_local_user=YES/NO (default NO)
The following effects can be achieved by combining them:
a. When chroot_list_enable=YES, chroot_local_user=YES, users listed in the /etc/vsftpd.chroot_list file can switch to other directories; users not listed in the file cannot switch to other directories
b. When chroot_list_enable=YES and chroot_local_user=NO, users listed in the /etc/vsftpd.chroot_list file cannot switch to other directories; users not listed in the file can switch to other directories
c. When chroot_list_enable=NO, chroot_local_user=YES, all users cannot switch to other directories
d. When chroot_list_enable=NO, chroot_local_user=NO, all users can switch to other directories
The virtual_use_local_privs parameter:
a. When virtual_use_local_privs=YES, virtual users and local users have the same privileges
b. When virtual_use_local_privs=NO, virtual users and anonymous users have the same privileges, the default is NO
c. When virtual_use_local_privs=YES, write_enable=YES, the virtual user has write permission (upload, download, delete, rename)
d. When virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=YES, anon_upload_enable=YES, virtual users cannot browse directories, only upload files, without other permissions
e. When virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO, anon_upload_enable=NO, virtual users can only download files and have no other permissions
f. When virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO, anon_upload_enable=YES, virtual users can only upload and download files without other permissions
g. When virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO, anon_mkdir_write_enable=YES, virtual users can only download files and create folders, no other permissions
h. When virtual_use_local_privs=NO, write_enable=YES, anon_world_readable_only=NO, anon_other_write_enable=YES, virtual users can only download, delete and rename files, and have no other rights
allow_writeable_chroot=YES resolves the error "500 OOPS: vsftpd: refusing to run with writable root inside chroot ()". Note that this switches off a deliberate safety check: the safer fix is to keep the chroot root directory (local_root) non-writable and place uploads in a writable subdirectory.
These items can be set either in a file under /etc/vsftpd/user_config or in /etc/vsftpd.conf. The difference is that the former applies to a single user and the latter to all users, so choose according to your needs.
After all configuration is complete, restart vsftpd (or reboot) so that the changes take effect.
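As an added example (not part of the original article), the script below audits the per-user setup described in step 5: it resolves each setting with the same per-user-over-global precedence that user_config_dir gives, confirms the per-user file exists, and checks that the user's chroot root is not writable, which is the layout that avoids needing allow_writeable_chroot=YES. The config paths follow the article; VSFTPD_CONF and USER_CONFIG_DIR are assumed environment overrides used only for testing.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the per-user setup
# described above. Paths follow the article; VSFTPD_CONF and USER_CONFIG_DIR
# can be overridden in the environment for testing.
: "${VSFTPD_CONF:=/etc/vsftpd.conf}"
: "${USER_CONFIG_DIR:=/etc/vsftpd/user_config}"

# Print the value of key=value from a vsftpd config file (comments ignored,
# last occurrence wins); print nothing if the key or the file is absent.
conf_get() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# Effective setting for a virtual user: the file in user_config_dir overrides
# the global file, which is exactly the per-user/global split described above.
effective() {
    v=$(conf_get "$USER_CONFIG_DIR/$1" "$2")
    if [ -n "$v" ]; then echo "$v"; else conf_get "$VSFTPD_CONF" "$2"; fi
}

# A chroot root passes when it exists, belongs to the expected owner (root
# unless told otherwise) and has no group/other write bit; that layout avoids the
# "refusing to run with writable root" error without allow_writeable_chroot=YES.
chroot_root_ok() {
    dir="$1"; owner="${2:-root}"
    [ -d "$dir" ] || return 1
    set -- $(ls -ld "$dir")          # $1 = mode string, $3 = owner (portable)
    [ "$3" = "$owner" ] || return 1
    case "$1" in ?????w*|????????w*) return 1 ;; esac   # group or other 'w'
    return 0
}

# Check one virtual user; print each finding and return the number found.
audit_user() {
    u="$1"; owner="${2:-root}"; bad=0
    [ -f "$USER_CONFIG_DIR/$u" ] ||
        { echo "$u: no per-user file in $USER_CONFIG_DIR"; bad=$((bad + 1)); }
    root=$(effective "$u" local_root)
    if [ -z "$root" ]; then
        echo "$u: local_root is not set"; bad=$((bad + 1))
    elif ! chroot_root_ok "$root" "$owner"; then
        echo "$u: chroot root $root is writable or not owned by $owner"; bad=$((bad + 1))
    fi
    [ "$(effective "$u" allow_writeable_chroot)" != "YES" ] ||
        { echo "$u: allow_writeable_chroot=YES disables the chroot safety check"; bad=$((bad + 1)); }
    return $bad
}
# Usage, one call per username (the odd lines of the article's source file):
#   awk 'NR % 2 == 1' /etc/vsftpd/vftpuser.txt | while read -r u; do audit_user "$u"; done
```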