hi,

i am using my debian (woody) system to offer basic webhosting to a small number of clients. i therefore need to have ftp access to the system. i'm wondering if anyone has suggestions for a good ftp server, with security being the key priority.

also, this might be a silly question, but is it possible to have the ftp server use a list of users that is different from the /etc/passwd file (i.e. I don't want to create system accounts for my ftp users)?

thanks again,
camilo
| |||
Hi,

Camilo Ellis Rostoker <rostokec@cs.ubc.ca> wrote:
> i am using my debian (woody) system to offer basic webhosting to a small
> number of clients. i therefore need to have ftp access to the system.
> i'm wondering if anyone has suggestions for a good ftp server, with
> security being the key priority.

vsftpd claims to be secure :-). But you should think about using scp or WebDAV/https for secure file transfers.

> also, this might be a silly question, but is it possible to have the ftp
> server use a list of users that is different from the /etc/passwd file
> (i.e. I don't want to create system accounts for my ftp users)?

vsftpd can handle its own userlist. Besides that it supports chrooting and per user configuration.

hth

so long
tho

--
Posting at the top because that's where the cursor happened to be is like
shitting in your pants because that's where your asshole happened to be.
Unknown
| |||
Thomas Richter wrote:
> vsftpd can handle its own userlist. Besides that it supports chrooting
> and per user configuration.

Thanks for the tip. I checked it out and looks pretty good. I downloaded and installed, and all is working fine. Now I just need to tune to my system. Do you use vsftpd?

I see how I can add virtual users using a separate user/passwd file, and I can even assign different config files per user ... But how can I specify a home directory for that user? There doesn't seem to be a specific config option for this...

Anyone out there use vsftpd and know how I might be able to do this?

Thanks,
Camilo
| |||
Hi,

Camilo Rostoker <rostokec@cs.ubc.ca> wrote:
> Thomas Richter wrote:
>> vsftpd can handle its own userlist. Besides that it supports chrooting
>> and per user configuration.
>
> Thanks for the tip. I checked it out and looks pretty good. I
> downloaded and installed, and all is working fine. Now I just need to
> tune to my system. Do you use vsftpd?

Jepp, I set up vsftpd for some customers.

> I see how I can add virtual users using a separate user/passwd file, and
> I can even assign different config files per user ... But how can I
> specify a home directory for that user? There doesn't seem to be a
> specific config option for this...

Probably there's a better way to solve this, but the following works for me[tm]:

1. Set up a system user for a guest account
   e.g. ftpuser with /home/ftpuser/

   and create a directory for every virtual user under that directory
   e.g. /home/ftpuser/user1, /home/ftpuser/user2

   set owner to ftpuser and rights to 700.

2. Create a per user configuration directory
   e.g. /etc/vsftpd/userconf

   and create a configuration file for each virtual user under that directory
   e.g. /etc/vsftpd/userconf/user1, /etc/vsftpd/userconf/user2
   filename and username must be the same
   the file's content is

   local_root=user1

3. Tell vsftpd about the things above

   guest_enable=YES
   guest_username=ftpuser
   chroot_local_user=YES
   user_config_dir=/etc/vsftpd/userconf

And that's basically it.
Now vsftpd maps the virtual users to ftpuser, reads the virtual user's config from /etc/vsftpd/userconf/$username and does a chroot to $ftpuserhome/$local_root

Use at your own risk!

hth

so long
tho

--
Posting at the top because that's where the cursor happened to be is like
shitting in your pants because that's where your asshole happened to be.
Unknown
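An added example, not part of the original post or of vsftpd: a Python audit of the layout described in the three steps above, flagging a missing chroot setting, per-user directories that are not mode 700, and a `local_root` that would land outside the guest home. The function names and the sample tree built by `demo()` are constructed for illustration, and it assumes, as the post states, that `local_root` is resolved relative to the guest user's home.

```python
import os
import stat
import tempfile

def parse_conf(text):
    """Parse vsftpd-style option=value lines; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def audit(main_conf, guest_home, userconf_dir):
    """Return a list of findings for the guest-user layout from the post."""
    findings = []
    conf = parse_conf(main_conf)
    for key in ("guest_enable", "chroot_local_user"):
        if conf.get(key, "").upper() != "YES":
            findings.append(f"vsftpd.conf: {key} is not YES")
    home = os.path.realpath(guest_home)
    for user in sorted(os.listdir(userconf_dir)):
        with open(os.path.join(userconf_dir, user)) as fh:
            root = parse_conf(fh.read()).get("local_root", "")
        # Assumption (from the post): local_root is relative to the guest home.
        target = os.path.realpath(os.path.join(home, root))
        if target == home or os.path.commonpath([home, target]) != home:
            findings.append(f"{user}: local_root={root!r} does not resolve "
                            "to a subdirectory of the guest home")
        elif not os.path.isdir(target):
            findings.append(f"{user}: directory {root} is missing")
        elif stat.S_IMODE(os.stat(target).st_mode) != 0o700:
            findings.append(f"{user}: directory {root} is not mode 700")
    return findings

def demo():
    """Audit a constructed sample tree (chroot option deliberately left out)."""
    main_conf = "guest_enable=YES\nguest_username=ftpuser\n"
    with tempfile.TemporaryDirectory() as base:
        home, confdir = os.path.join(base, "ftpuser"), os.path.join(base, "userconf")
        os.makedirs(confdir)
        for user, root, mode in (("user1", "user1", 0o700),
                                 ("user2", "user2", 0o755),
                                 ("user3", "../..", 0o700)):
            path = os.path.join(home, user)
            os.makedirs(path)
            os.chmod(path, mode)
            with open(os.path.join(confdir, user), "w") as fh:
                fh.write(f"local_root={root}\n")
        return audit(main_conf, home, confdir)
```

On a live system, pass the contents of the main configuration file, the guest user's home and the `user_config_dir` path to `audit()`; an empty list means none of these checks fired.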
| |||
Hi again :=)

I followed your directions exactly, but something is not working...But I don't think it's with the virtual user setup, I think the authentication isn't working properly.

I have a /etc/pam.d/ftp file, and it points to my user database at /etc/vsftpd/login.db

When I do "ldd vsftpd" I get the following output:

    libcrypt.so.1 => /lib/libcrypt.so.1 (0x40020000)
    libdl.so.2 => /lib/libdl.so.2 (0x4004d000)
    libnsl.so.1 => /lib/libnsl.so.1 (0x40050000)
    libresolv.so.2 => /lib/libresolv.so.2 (0x40065000)
    libutil.so.1 => /lib/libutil.so.1 (0x40078000)
    libcap.so.1 => /lib/libcap.so.1 (0x4007b000)
    libc.so.6 => /lib/libc.so.6 (0x4007f000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

Which doesn't show any libpam modules ... ?

The builddefs.h file says to build with pam support:

    #ifndef VSF_BUILDDEFS_H
    #define VSF_BUILDDEFS_H

    #undef VSF_BUILD_TCPWRAPPERS
    #define VSF_BUILD_PAM
    #undef VSF_BUILD_SSL

    #endif /* VSF_BUILDDEFS_H */

So now I'm kinda stuck trying to figure out whether it's something in my authentication setup or a small glitch in my user configuration that's causing the login failure.

Any thoughts would be most appreciated.

Cheers,
Camilo

Thomas Richter wrote:
>
>
> Probably there's a better way to solve this, but the following works
> for me[tm]:
>
> 1. Set up a system user for a guest account
> e.g. ftpuser with /home/ftpuser/
>
> and create a directory for every virtual user under that directory
> e.g. /home/ftpuser/user1, /home/ftpuser/user2
>
> set owner to ftpuser and rights to 700.
>
> 2. Create a per user configuration directory
> e.g. /etc/vsftpd/userconf
>
> and create a configuration file for each virtual user under that directory
> e.g. /etc/vsftpd/userconf/user1, /etc/vsftpd/userconf/user2
> filename and username must be the same
> the file's content is
>
> local_root=user1
>
> 3. Tell vsftpd about the things above
>
> guest_enable=YES
> guest_username=ftpuser
> chroot_local_user=YES
> user_config_dir=/etc/vsftpd/userconf
>
> And that's basically it.
> Now vsftpd maps the virtual users to ftpuser, reads the virtual user's
> config from /etc/vsftpd/userconf/$username and does a chroot to
> $ftpuserhome/$local_root
>
> Use at your own risk!
>
> hth
>
> so long tho
| |||
Hi,

Camilo Rostoker <rostokec@cs.ubc.ca> wrote:
> I followed your directions exactly, but something is not working...But I
> don't think it's with the virtual user setup, I think the authentication
> isn't working properly.

Take a look at /var/log/vsftpd.log

> I have a /etc/pam.d/ftp file, and it points to my user database at
> /etc/vsftpd/login.db

I got /etc/pam.d/vsftpd with the following content:

|# Standard behaviour for ftpd(8).
|auth required pam_listfile.so item=user sense=deny \
|file=/etc/ftpusers onerr=succeed
|
|# Note: vsftpd handles anonymous logins on its own. Do not enable
|# pam_ftp.so.
|
|# Standard blurb.
|auth required /lib/security/pam_userdb.so db=/etc/vsftpd/login
|account optional /lib/security/pam_userdb.so db=/etc/vsftpd/login

> So now I'm kinda stuck trying to figure out whether it's something in my
> authentication setup or a small glitch in my user configuration that's
> causing the login failure.

Try apt-get install vsftpd instead :-).

so long
tho

--
Posting at the top because that's where the cursor happened to be is like
shitting in your pants because that's where your asshole happened to be.
Unknown
| |||
> Take a look at /var/log/vsftpd.log

The log only records FAIL/CONNECT but does not give reasons why. Not much of a debugging log, more of an access log.

> I got /etc/pam.d/vsftpd with the following content:
> |# Standard behaviour for ftpd(8).
> |auth required pam_listfile.so item=user sense=deny \
> |file=/etc/ftpusers onerr=succeed

What is this bit for? I don't have this, but it wasn't included in the sample vsftpd.pam file included with vsftpd. The rest of my vsftpd.pam file is the same as yours.

> Try apt-get install vsftpd instead :-).

I did, but it was asking for slightly older packages of pam and ssl than what I have, and so it didn't work :-(

Hmm....there's got to be some reason that mine won't compile with PAM support. If you have any other suggestions then please pass them my way...Otherwise I guess I'll have to wait for the next release which looks like it's on its way soon ...

Cheers,
Camilo

p.s. Just a general question...The main disadvantage of FTP is that it uses cleartext passwords, and obviously sftp or scp would be much better. But in a webhosting environment most users only have access to basic FTP clients. I'm just curious what other people do about this situation, if they force their users to get secure FTP clients, or do they still use FTP regardless??
| ||||
Hi,

Camilo Rostoker <rostokec@cs.ubc.ca> wrote:
>> I got /etc/pam.d/vsftpd with the following content:
>> |# Standard behaviour for ftpd(8).
>> |auth required pam_listfile.so item=user sense=deny \
>> |file=/etc/ftpusers onerr=succeed
> What is this bit for? I don't have this, but it wasn't included in the
> sample vsftpd.pam file included with vsftpd.

Users listed in /etc/ftpusers are not allowed to login.

> Hmm....there's got to be some reason that mine won't compile with PAM
> support. If you have any other suggestions then please pass them my
> way...Otherwise I guess I'll have to wait for the next release which
> looks like it's on its way soon ...

Looks like libpam0g-dev is missing. If installed, vsftpd compiles with pam support; if not installed, pam support is disabled.

> p.s. Just a general question...The main disadvantage of FTP is that it
> uses cleartext passwords, and obviously sftp or scp would be much
> better. But in a webhosting environment most users only have access to
> basic FTP clients. I'm just curious what other people do about this
> situation, if they force their users to get secure FTP clients, or do
> they still use FTP regardless??

I forced most of my users to scp. WinSCP provides a gui for the windows guys and iirc there are scp-guis for mac-os too. WebDAV/HTTPS provides secure filesystem access as well and iirc most html-editors can deal with that.

so long
tho

--
Posting at the top because that's where the cursor happened to be is like
shitting in your pants because that's where your asshole happened to be.
Unknown
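An added example, not part of the thread or of vsftpd: the two checks this exchange works through (is the binary linked against libpam, and do the pam_userdb rules point at an existing database), written as one Python diagnostic. The sample inputs are abridged from the posts above, the function names are illustrative, and the database check relies on pam_userdb appending `.db` to the `db=` path itself.

```python
import os

# Abridged from the ldd output posted in the thread (addresses dropped).
LDD_FROM_POST = """\
libcrypt.so.1 => /lib/libcrypt.so.1
libdl.so.2 => /lib/libdl.so.2
libcap.so.1 => /lib/libcap.so.1
libc.so.6 => /lib/libc.so.6
/lib/ld-linux.so.2 => /lib/ld-linux.so.2
"""

# Abridged from the /etc/pam.d/vsftpd content posted in the thread.
PAM_FROM_POST = """\
# Standard behaviour for ftpd(8).
auth required pam_listfile.so item=user sense=deny \\
file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/login
account optional /lib/security/pam_userdb.so db=/etc/vsftpd/login
"""

def linked_libs(ldd_output):
    """Return the library names in the first column of ldd output."""
    return {line.split()[0] for line in ldd_output.splitlines() if line.strip()}

def pam_rules(text):
    """Yield (type, control, module, args); joins backslash continuations."""
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:  # simple one-word controls only
            yield fields[0], fields[1], fields[2], fields[3:]

def diagnose(ldd_output, pam_text, exists=os.path.exists):
    """Return findings that explain why virtual-user logins would fail."""
    findings = []
    libs = linked_libs(ldd_output)
    if not any(os.path.basename(lib).startswith("libpam.so") for lib in libs):
        findings.append("binary is not linked against libpam, "
                        "so the PAM service file cannot take effect")
    for rtype, _control, module, args in pam_rules(pam_text):
        if os.path.basename(module) != "pam_userdb.so":
            continue
        db = next((a[3:] for a in args if a.startswith("db=")), None)
        if db is None:
            findings.append(f"{rtype}: pam_userdb without db= argument")
        elif db.endswith(".db"):
            findings.append(f"{rtype}: db={db} should omit the .db suffix, "
                            "pam_userdb appends it")
        elif not exists(db + ".db"):
            findings.append(f"{rtype}: database file {db}.db not found")
    return findings
```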