Configuring FTP virtual users under Linux
The FTP service on Linux supports three types of user:
1. Anonymous accounts
2. Local accounts
3. Virtual users
Why use virtual users:
Anonymous accounts keep the FTP server safe, but the permission management of anonymous users is not flexible enough. If you want to give an FTP account more permissions, you can use a local account; however, a local account can by default also log in to the Linux system itself, which is a security risk for the system. So how can you keep both the FTP server and the whole Linux system secure while still assigning FTP permissions flexibly? Virtual users are one solution.
Below we will learn how to configure virtual users for the FTP server under Linux.
Before starting the configuration, here is an overview of how FTP virtual users work:
A virtual user, as the name implies, is not a real Linux system account, but it can be used to log on to an FTP server running on that system.
When a user connects to the FTP server, they are asked for a user name and password. Once the FTP server has them, it calls the corresponding PAM authentication module, which compares them against the FTP authentication file on the system. If the user name and password match a record in that file, the user is authenticated and the account is mapped to a local Linux account; FTP resources are then accessed with the permissions of that local account. Otherwise the connection is refused.
Having understood how FTP virtual users work, we can begin the configuration.
The whole process can be divided into the following steps:
1. Prepare a password vault file for the virtual users. The user names and passwords saved in this file are the ones users must enter when they connect to the FTP server. You can create the file yourself and its location does not matter; the format is one item per line, with odd-numbered lines holding a user name and even-numbered lines holding that user's password.
For example:
touch login.txt    # create a virtual user password vault file named login.txt
vi login.txt       # edit the password vault file
and enter the following lines:
mike               # virtual user mike
123                # virtual user mike's password
john               # virtual user john
321                # virtual user john's password
Save and exit.
2. Generate the FTP server's authentication file from the virtual user password vault file you just created. The authentication file holds the credentials in database form; when the corresponding PAM module is called, PAM takes the user name and password passed in by the FTP server and looks them up in this file. Users with a matching entry are allowed to log in.
db_load -T -t hash -f login.txt /etc/vsftpd/vsftpd_login.db
# Before running this command, install the db4-utils package, which provides db_load among other tools; full usage of the command is beyond the scope of this article. The -f parameter is followed by the virtual user password vault file just created, and the final path is where the generated FTP authentication file is stored.
To further improve security, you can tighten the permissions on this FTP authentication file.
3. Create the PAM configuration file needed by the virtual users. Since the FTP server calls PAM for authentication after receiving the user name and password, we also need a PAM configuration file for the virtual users.
Save the file in the /etc/pam.d directory; for now the file name is vsftpd. Note that this file name must be identical to the value of the pam_service_name=vsftpd option in the FTP service's main configuration file (/etc/vsftpd/vsftpd.conf).
After creating the file, add the following lines to it:
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
After making the changes, save and exit. Note the three highlighted file names (vsftpd_login.db in the db_load command and vsftpd_login in the two lines above): they all refer to the same file, written differently only because pam_userdb takes the database path without its .db extension.
4. Since the user is mapped to a local user after authenticating through PAM, we also need to create a local user for the virtual users to use.
We only need to give this local user the appropriate rights to the FTP home directory. Even if the FTP server is compromised, this local user has no access to other directories, which is relatively safe.
useradd -d /home/ftpsite virtual    # user name virtual, home directory is the FTP root
chmod 700 /home/ftpsite             # set its permissions to 700; adjust to your actual situation
5. Enable FTP virtual users in the FTP main configuration file by adding the following options:
guest_enable=YES
guest_username=virtual
pam_service_name=vsftpd
(guest_username is the local user that virtual users are mapped to, here the user virtual created in step 4; pam_service_name must be set to the name of the PAM file from step 3.)
6. The configuration is now complete; do not forget to restart the FTP service before testing.
7. Assigning different permissions to different virtual users
By default all virtual users have the same permissions, namely those of the anonymous user; we can assign different permissions to individual virtual users according to actual requirements.
First, add an option to the FTP main configuration file:
user_config_dir=/etc/vsftpd_user_conf    (the file names and path can be chosen freely)
Then create the directory:
mkdir /etc/vsftpd_user_conf
In this directory you can edit a permissions profile for each virtual user; for example, to edit mike's permissions:
touch mike    # create a permissions file for mike; the file name must be identical to the virtual user name
Add the following options and values to the file as your needs require:
# user can browse the FTP directory and download files
anon_world_readable_only=NO
# user can upload files
anon_upload_enable=YES
# user may create and delete directories
anon_mkdir_write_enable=YES
# user may rename and delete files
anon_other_write_enable=YES
# lock the virtual user into its root directory
chroot_local_user=YES
# root directory of this virtual user
local_root=/home/encodery
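As an added example that is not part of the original article, the following POSIX shell helper checks the vault file layout from step 1 before running the step 2 db_load command, restricts the generated database to root, and writes a per-user permissions file for step 7. The function names and the /home/ftpsite/<user> root are this example's own choices; the other paths are the ones used above.

```sh
#!/bin/sh
# Added example (not from the original article): check a vsftpd virtual-user
# vault file (odd lines = user name, even lines = password), build the
# pam_userdb database from it, and write a per-user config for user_config_dir.
# Paths follow the article; the function names are this example's own.

# validate_vault FILE: return 0 when FILE is non-empty, has an even number of
# lines, no blank lines and no duplicate user names; otherwise report and return 1.
validate_vault() {
    vault=$1
    [ -s "$vault" ] || { echo "vault $vault is empty or missing" >&2; return 1; }
    lines=$(wc -l < "$vault")
    [ $((lines % 2)) -eq 0 ] || { echo "vault $vault has an odd line count" >&2; return 1; }
    if grep -q '^[[:space:]]*$' "$vault"; then
        echo "vault $vault contains a blank line" >&2; return 1
    fi
    dups=$(awk 'NR % 2 == 1' "$vault" | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate user name(s): $dups" >&2; return 1; }
    return 0
}

# build_db VAULT DBFILE: the db_load call from step 2, followed by restricting
# the database to root so the stored credentials are not world-readable.
build_db() {
    db_load -T -t hash -f "$1" "$2" && chmod 600 "$2"
}

# write_user_conf DIR USER ROOT: create DIR/USER with the step 7 options and
# ROOT as local_root; prints the path of the file written.
write_user_conf() {
    mkdir -p "$1"
    cat > "$1/$2" <<EOF
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
chroot_local_user=YES
local_root=$3
EOF
    printf '%s\n' "$1/$2"
}

# Usage: sh vuser.sh login.txt mike  (the privileged steps only run when both
# arguments are given and db_load is installed)
if [ "$#" -eq 2 ] && command -v db_load >/dev/null 2>&1; then
    validate_vault "$1" && build_db "$1" /etc/vsftpd/vsftpd_login.db &&
    write_user_conf /etc/vsftpd_user_conf "$2" "/home/ftpsite/$2"
fi
```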
With that, the virtual user configuration is complete.