Running an FTP server with virtual-user logins avoids some of the security problems of using operating-system accounts as FTP users, and the accounts are easy to manage through a database or another program.
What follows is a record of one deployment of vsftpd with virtual accounts, together with the problem that came up.
Install vsftpd with yum
# yum install -y vsftpd
# yum install -y db4
(db_load, used below to build the password database, is shipped in db4-utils on CentOS; install that package as well if the command is missing.)
Layout on the host after installation
# pwd
/etc/vsftpd
Create the virtual-account file for FTP logins (one line with the user name, the next line with its password)
# cat vuser_passwd.txt
hqsbcms
[email protected]
(the second line, the password, is obscured in this copy)
Convert the text file into a Berkeley DB hash database; this is what pam_userdb reads
# db_load -T -t hash -f /etc/vsftpd/vuser_passwd.txt /etc/vsftpd/vuser_passwd.db
# ls
chroot_list  ftpusers  user_list  vsftpd.conf  vsftpd.conf.bak  vsftpd_conf_migrate.sh  vuser_conf  vuser_passwd.db  vuser_passwd.txt
# cat vsftpd.conf | grep -v "^#"
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ascii_upload_enable=YES
ascii_download_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
userlist_file=/etc/vsftpd/user_list
guest_enable=YES
guest_username=ftp
user_config_dir=/etc/vsftp/vuser_conf
# cat chroot_list
hqsbcms
# cat vuser_conf/hqsbcms
local_root=/hqsb/ftp/
write_enable=YES
anon_umask=022
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
# cat /etc/pam.d/vsftpd
#%PAM-1.0
#session    optional     pam_keyinit.so    force revoke
#auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth       required     pam_shells.so
#auth       include      password-auth
#account    include      password-auth
#session    required     pam_loginuid.so
#session    include      password-auth
auth        required     pam_userdb.so db=/etc/vsftpd/vuser_passwd
account     required     pam_userdb.so db=/etc/vsftpd/vuser_passwd
# ll -d /hqsb
drwxrwxrwx 5 ftp ftp 4096 Jun  1 17:01 /hqsb
# ll -d /hqsb/ftp
drwxrwxrwx 2 ftp ftp 4096 Jun    12:10 /hqsb/ftp
# /etc/init.d/vsftpd start
With the deployment above, the virtual account hqsbcms can log in even though it has no entry in /etc/passwd: vsftpd maps it onto the host account named in guest_username, here ftp.
But a serious problem showed up:
right after logging in, the user lands in /var/ftp, the default FTP directory, instead of in /hqsb/ftp.
Reason:
This is not caused by the ftp account's /sbin/nologin shell. vsftpd does not consult the login shell for guest sessions (pam_shells is commented out in the PAM file above), and the nobody account used in the workaround below has the same shell. What actually happens is that a virtual user starts in the home directory of the guest account, /var/ftp, unless a per-user local_root overrides it, and the per-user file was never read: vsftpd.conf says user_config_dir=/etc/vsftp/vuser_conf, while the file was created under /etc/vsftpd/vuser_conf. vsftpd silently ignores a user_config_dir entry it cannot open, so local_root=/hqsb/ftp/ never took effect. Correcting that one path is the smaller fix; the workaround below reaches the same result by moving the guest account's home directory instead.
# cat /etc/passwd | grep ftp
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
Workaround:
Switch the guest account to nobody.
# cat vsftpd.conf | grep -v "^#"
.....
guest_username=nobody    (changed from ftp to nobody)
.....
Restart the vsftpd service
# /etc/init.d/vsftpd restart
Change nobody's home directory to /hqsb/ftp.
# usermod -d /hqsb/ftp nobody
# cat /etc/passwd | grep nobody
nobody:x:99:99:Nobody:/hqsb/ftp:/sbin/nologin
Adjust the permissions on the FTP directory
# chown -R nobody.nobody /hqsb/ftp
# chmod -R 777 /hqsb/ftp
After these changes the virtual account hqsbcms can log in to FTP and lands in /hqsb/ftp as intended.
Caveats:
chroot_local_user=YES together with chroot_list_enable=YES inverts the meaning of chroot_list: it names the users that are NOT chrooted. With hqsbcms in /etc/vsftpd/chroot_list, that account can leave /hqsb/ftp and browse the whole filesystem with the guest user's rights. Either remove the user from the list or set chroot_list_enable=NO.
chmod -R 777 makes the whole tree writable by every local account. The session runs as the guest user, so chown nobody:nobody with mode 755 on directories is enough for vsftpd. vsftpd 3.0 and later also refuse to start a session whose chroot root is writable ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()") unless allow_writeable_chroot=YES is set; keep the root itself read-only and let users upload into a subdirectory.
vuser_passwd.txt and vuser_passwd.db contain the passwords in clear. Restrict both to root (chmod 600), or store crypt(3) hashes in the database and add crypt=crypt to the two pam_userdb lines.
nobody is shared with other daemons on the host. A dedicated unprivileged account (useradd -d /hqsb/ftp -s /sbin/nologin, under a name of your choice) keeps the FTP tree and its permissions separate from everything else that runs as nobody.
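As an added example, not code from the original post, the script below lints a vsftpd virtual-user deployment for the mistakes discussed above: the chroot_list exemption, a user_config_dir that vsftpd cannot open, the shared nobody guest account, pam_userdb without crypt=crypt, and anonymous access. The vsftpd.conf, chroot_list and /etc/pam.d/vsftpd it runs on are constructed copies of the files shown on this page, and the set of existing directories is taken from the ls output rather than from disk so the script runs anywhere; the function names lint, parse_vsftpd_conf and existing_dirs_on_disk are my own.

```python
"""Lint a vsftpd virtual-user setup for the mistakes seen in this post.

Added example, not code from the original post.  Inputs are constructed
copies of the files shown above; in production read the real files instead.
"""
import os
import re
from typing import Dict, Iterable, List, Set

_KV = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Return {key: value} for the non-comment key=value lines; keys lower-cased."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            conf[m.group(1).lower()] = m.group(2)
    return conf


def _is_yes(conf: Dict[str, str], key: str, default: str = "NO") -> bool:
    return conf.get(key, default).strip().upper() == "YES"


def lint(conf_text: str, chroot_list_text: str, pam_text: str,
         existing_dirs: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    conf = parse_vsftpd_conf(conf_text)
    findings: List[str] = []

    # 1. With chroot_local_user=YES, chroot_list names the users that are
    #    NOT chrooted, so anyone listed can browse the whole filesystem.
    listed = {u.strip() for u in chroot_list_text.splitlines() if u.strip()}
    if _is_yes(conf, "chroot_local_user") and _is_yes(conf, "chroot_list_enable") and listed:
        findings.append("chroot_list is an EXEMPT list while chroot_local_user=YES; "
                        "not chrooted: " + ", ".join(sorted(listed)))

    # 2. A user_config_dir that cannot be opened is ignored silently, so the
    #    per-user local_root never applies (the bug behind this post).
    ucd = conf.get("user_config_dir")
    if ucd and ucd.rstrip("/") not in existing_dirs:
        findings.append("user_config_dir=%s does not exist; per-user settings ignored" % ucd)

    # 3. The guest account should be a dedicated one, not the shared nobody user.
    if _is_yes(conf, "guest_enable") and conf.get("guest_username", "ftp").lower() == "nobody":
        findings.append("guest_username=nobody is shared with other daemons; use a dedicated account")

    # 4. pam_userdb stores plaintext passwords unless crypt=crypt is given.
    for line in pam_text.splitlines():
        s = line.strip()
        if not s.startswith("#") and "pam_userdb.so" in s and "crypt=crypt" not in s:
            findings.append("pam: '%s' uses plaintext passwords; add crypt=crypt" % s)
            break

    # 5. vsftpd defaults anonymous_enable to YES; flag it when not turned off.
    if _is_yes(conf, "anonymous_enable", "YES"):
        findings.append("anonymous_enable is YES (vsftpd's default)")
    return findings


def existing_dirs_on_disk(paths: Iterable[str]) -> Set[str]:
    """Helper for a real run: keep only the paths that exist as directories."""
    return {p.rstrip("/") for p in paths if os.path.isdir(p)}


# --- constructed sample input, copied from the listings above ----------------
SAMPLE_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
pam_service_name=vsftpd
guest_enable=YES
guest_username=ftp
user_config_dir=/etc/vsftp/vuser_conf
"""
SAMPLE_CHROOT_LIST = "hqsbcms\n"
SAMPLE_PAM = """\
#%PAM-1.0
auth    required pam_userdb.so db=/etc/vsftpd/vuser_passwd
account required pam_userdb.so db=/etc/vsftpd/vuser_passwd
"""
# What `ls /etc/vsftpd` showed: the directory is vsftpd/vuser_conf, not vsftp/.
SAMPLE_DIRS = {"/etc/vsftpd", "/etc/vsftpd/vuser_conf"}

if __name__ == "__main__":
    for f in lint(SAMPLE_CONF, SAMPLE_CHROOT_LIST, SAMPLE_PAM, SAMPLE_DIRS):
        print("FINDING:", f)
```

Run against the page's own files it reports three findings: the chroot exemption for hqsbcms, the unopenable user_config_dir, and plaintext pam_userdb passwords. On a real host, pass `existing_dirs_on_disk([conf["user_config_dir"]])` instead of SAMPLE_DIRS and read the three files from /etc; the check for a writable chroot root and world-writable modes is left to `ls -ld`, since it is not visible in the configuration.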