Gentoo Wiki

HOWTO_vsftpd


Introduction

Taken from HOWTO Plan, setup and run a high school Gentoo Club and modified.

This howto will describe how to install VSFTPD and configure it for anonymous, read-only access. FTP (File Transfer Protocol) is an old but reliable protocol which is used for moving large individual files through networks quickly.

Added: Very useful (yes, I really mean it) article on a few typical FTP-server configurations: Gentoo VSFTPD Howto. Somebody speaking English well, please consider merging info here (-:E

Install VSFTPD

Log in as root and type this command:

emerge vsftpd

Starting the daemon

Gentoo provides a centralized place for what are called init scripts. They are stored in /etc/init.d/ and have names representative of the service they start. Init scripts are used to control services you run. To start the VSFTPD server, type:

/etc/init.d/vsftpd start

You can learn more about what you can do with these init scripts by typing "/etc/init.d/vsftpd" without any arguments ("start" is an argument; so are "stop" and "restart").

Init script configuration

You don't want to type /etc/init.d/vsftpd start every time you turn your computer on, do you? Gentoo provides an easy way to control which init scripts are run when your computer boots. To set VSFTPD to start on every boot, type:

rc-update add vsftpd default

As usual, you can learn more about rc-update by typing "man rc-update".

Configuration

That was easy. Now edit /etc/vsftpd/vsftpd.conf with your favorite text editor and copy the following into it:

General Configuration

File: /etc/vsftpd/vsftpd.conf
dirmessage_enable=YES
# banner_file=/etc/vsftpd/vsftpd.banner # edit banner first
chown_uploads=NO
xferlog_enable=YES
idle_session_timeout=600
data_connection_timeout=120
ascii_upload_enable=NO
ascii_download_enable=NO
chroot_list_enable=YES
listen=YES
ls_recurse_enable=NO

Anonymous, Read Only

File: /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO

Disable Local Users (Optional)

File: /etc/vsftpd/vsftpd.conf
local_enable=NO
write_enable=NO

NOTE: There are a few good arguments for allowing local users FTP access, even in light of sftp/ssh. For example, on a campus with 100 Mbit lines, where (some believe) ssh does not scale well, one might use ftp to avoid the resource intensiveness of ssh.

Enable /etc/hosts.* compliance (Optional)

File: /etc/vsftpd/vsftpd.conf
# Used to "enable" the features of the USE="tcpd" flag, which forces vsftpd to obey /etc/hosts.*
tcp_wrappers=YES

In order for vsftpd to comply with /etc/hosts.deny, you must specify the above option in your /etc/vsftpd/vsftpd.conf and make sure USE="tcpd" was set when it was merged. See: http://en.wikipedia.org/wiki/TCP_Wrapper and HOWTO_Protect_SSHD_with_DenyHosts

Get chmod right for apache (Optional)

File: /etc/vsftpd/vsftpd.conf
file_open_mode=0666
local_umask=0022

NOTE: This sets the mode of newly uploaded files to 644 and of newly created directories to 755, which is what web hosters usually want.

Uploading

If you want to allow anonymous users to upload, you have to make the following changes. First create the upload directory and then change its permissions to allow writing.

File: Creating upload directory
mkdir -p /var/ftp/upload
chmod 722 /var/ftp/upload

And also we need to make some changes in vsftpd.conf

File: /etc/vsftpd/vsftpd.conf

# This option is required by other options
write_enable=YES

# Virtual users will use the same privileges as local users
virtual_use_local_privs=YES

# Enable anonymous users to login
anonymous_enable=YES

# Anonymous users will be permitted to create new directories
anon_mkdir_write_enable=YES

# Anonymous users will be permitted to upload. Option write_enable must be activated
anon_upload_enable=YES

Using SSL to Secure FTP

Generate an SSL certificate, for example like this:

cd /etc/ssl/certs
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 \
  -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem

You will be asked a lot of questions about your company etc.; since this self-signed certificate is not a trusted one, it doesn't really matter what you fill in. You will only use it for encryption! If you need clients to be able to verify the server's identity, get a certificate from a CA such as Thawte, VeriSign etc.


Edit your configuration:

File: /etc/vsftpd/vsftpd.conf
#this is important
ssl_enable=YES

#choose what you like, if you accept anon-connections
# you may want to enable this
# allow_anon_ssl=NO

#choose what you like,
# it's a matter of performance I guess
# force_local_data_ssl=NO

#choose what you like
force_local_logins_ssl=YES

#you should at least enable this if you enable ssl...
ssl_tlsv1=YES
#choose what you like
ssl_sslv2=YES
#choose what you like
ssl_sslv3=YES
#give the correct path to your currently generated *.pem file
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
#the *.pem file contains both the key and cert
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
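The settings above, together with the anonymous read-only block in the Configuration section, are easy to undo with one later edit: a single anon_upload_enable=YES, or a forgotten ssl_sslv2=YES, changes what the server exposes. The following shell script is an added example, not part of the wiki page or of vsftpd itself. It reads a vsftpd.conf, looks only at the directives this HOWTO uses (anonymous_enable, write_enable, anon_upload_enable, anon_mkdir_write_enable, ssl_enable, ssl_tlsv1, ssl_sslv2, ssl_sslv3, local_enable, force_local_logins_ssl) and reports settings that contradict the "anonymous, read only" and SSL intent. The two configurations it audits are constructed for the example; the treatment of SSLv2/SSLv3 as protocols to keep off is the editor's, the page leaves them to the reader.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit the vsftpd.conf directives
# this HOWTO uses. Prints one line per finding; exit status = finding count.

# conf_get FILE KEY: value of the last active "KEY=value" line, uppercased.
# Comment lines are skipped; prints nothing when KEY is not set.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" \
        | tail -n 1 | tr 'a-z' 'A-Z'
}

# audit_conf FILE: report settings that undo the "anonymous, read only" and
# SSL intent of the page. Unset keys take vsftpd's defaults: anonymous_enable
# defaults to YES; write_enable, ssl_enable and local_enable default to NO.
audit_conf() {
    f=$1; n=0
    anon=$(conf_get "$f" anonymous_enable); anon=${anon:-YES}
    write=$(conf_get "$f" write_enable)
    ssl=$(conf_get "$f" ssl_enable)

    # Anonymous write paths only open when write_enable is also YES.
    if [ "$anon" = YES ] && [ "$write" = YES ]; then
        for k in anon_upload_enable anon_mkdir_write_enable; do
            if [ "$(conf_get "$f" "$k")" = YES ]; then
                echo "anonymous users can write: $k=YES with write_enable=YES"
                n=$((n + 1))
            fi
        done
    fi

    if [ "$ssl" = YES ]; then
        # SSLv2 and SSLv3 are broken protocols; leave them off.
        for k in ssl_sslv2 ssl_sslv3; do
            if [ "$(conf_get "$f" "$k")" = YES ]; then
                echo "obsolete protocol accepted: $k=YES"
                n=$((n + 1))
            fi
        done
        if [ "$(conf_get "$f" ssl_tlsv1)" = NO ]; then
            echo "ssl_tlsv1=NO: the protocol the page relies on is disabled"
            n=$((n + 1))
        fi
        # System passwords must not be accepted over a cleartext login.
        if [ "$(conf_get "$f" local_enable)" = YES ] &&
           [ "$(conf_get "$f" force_local_logins_ssl)" = NO ]; then
            echo "local passwords may travel in clear: force_local_logins_ssl=NO"
            n=$((n + 1))
        fi
    fi
    return "$n"
}

# Two constructed sample configurations (not real server files).
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
GOOD_CONF=$TMPD/good.conf
BAD_CONF=$TMPD/bad.conf
cat > "$GOOD_CONF" <<'EOF'
anonymous_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
local_enable=NO
write_enable=NO
ssl_enable=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
EOF
cat > "$BAD_CONF" <<'EOF'
# write_enable is required by the anon_* options, as the Uploading section says
write_enable=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
EOF

for c in "$GOOD_CONF" "$BAD_CONF"; do
    echo "== $c"
    audit_conf "$c"; echo "findings: $?"
done
```

Point audit_conf at the real /etc/vsftpd/vsftpd.conf and check the exit status from a script before restarting the service; a non-zero status means something on the list above is set the other way round from what this page intends.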
                          

Where to put files

IMHO, Gentoo sets up ftp incorrectly by default; correct this and start adding public files in /var/ftp:

rmdir /home/ftp
mkdir /var/ftp
chown ftp:ftp /var/ftp
ln -s /var/ftp /home/

Alternatively, instead of creating a link in /home to /var/ftp, change the ftp user line in /etc/passwd:

ftp:x:##:##:added by portage for ftpbase:/home/ftp:/sbin/nologin

to:

ftp:x:##:##:added by portage for ftpbase:/var/ftp:/sbin/nologin

Since you now have FTP, you might as well put up your distfiles and packages for others to use. Then make sure you add yourself to the list.

mv /usr/portage/distfiles /var/ftp/
ln -s /var/ftp/distfiles /usr/portage/
mv /usr/portage/packages /var/ftp/
ln -s /var/ftp/packages /usr/portage/

An alternative to creating the above symlinks is to define the locations of portage distfiles and packages to be in /var/ftp by putting this in your /etc/make.conf:

DISTDIR="/var/ftp/distfiles"
PKGDIR="/var/ftp/packages"

Another alternative is to mount your distfiles and packages like so:

mount -o bind /usr/portage/packages /var/ftp/packages
mount -o bind /usr/portage/distfiles /var/ftp/distfiles

Virtual Users

There are two approaches to authenticating virtual users: 1) using pam_userdb, 2) using pam_pwdfile.

pam_userdb

Just follow the instructions in the README file found at ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS.

But when editing the file '/etc/pam.d/vsftpd', append "crypt=hash" to the end of both lines:

auth required pam_userdb.so db=/etc/vsftpd/vsftpd_login crypt=hash
account required pam_userdb.so db=/etc/vsftpd/vsftpd_login crypt=hash

pam_pwdfile

The pam_pwdfile.so module can also be used for virtual users. It uses a file in the same format as Apache's .htpasswd files, with lines of "username:password_crypt", so it is very simple to maintain compared to cumbersome Berkeley DB files. :) Using virtual users requires mapping their login names to a local username (which is "ftp" by default):

File: /etc/vsftpd/vsftpd.conf
# If enabled, all non-anonymous logins are classed as "guest" logins. A guest
# login is remapped to the user specified in the guest_username setting.
guest_enable=YES

For further help, read the vsftpd manual on virtual users. But you should use the PAM authentication method described below.

First of all we need to emerge pam_pwdfile:

emerge pam_pwdfile

Previously, vsftpd used the file /etc/pam.d/vsftpd, but that changed, so nowadays it uses /etc/pam.d/ftp by default. If you want the old behaviour (I did!), you need to add this to your vsftpd.conf:

echo pam_service_name=vsftpd >> /etc/vsftpd/vsftpd.conf

Next, you need to change your /etc/pam.d/vsftpd file. Notice that the "account" facility is not available from pam_pwdfile.so, so just use the regular pam_permit.so to let any account in, provided that they know their password. (The account facility is intended for temporarily disabling accounts, among other things.) Change your /etc/pam.d/vsftpd to look like this:

auth    required pam_pwdfile.so pwdfile /etc/vsftpd/passwd_ftp
account required pam_permit.so

Edit stando: I don't know why, but I had to enter the full path: /lib/security/pam_pwdfile.so and /lib/security/pam_permit.so

Now, all you need to do is simply to put lines of the form "username:password_crypt" into the /etc/vsftpd/passwd_ftp file!

I came up with a short Perl script to create password hashes. Put this into /etc/vsftpd/filter.pl:

#!/usr/bin/perl -w
use strict;

# filter "user:cleartext" lines into "user:md5_crypted"
# probably requires glibc

while (<>) {
    chomp;
    (my $user, my $pass) = split /:/, $_, 2;
    my $crypt = crypt $pass, '$1$' . gensalt(8);
    print "$user:$crypt\n";
}

sub gensalt {
    my $count = shift;
    my @salt = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');
    my $s;
    $s .= $salt[rand @salt] for (1 .. $count);
    return $s;
}

Remember to:

chmod +x /etc/vsftpd/filter.pl

Now, try something like:

cd /etc/vsftpd
touch cleartext
chmod go= cleartext
echo john:secret >> cleartext
./filter.pl cleartext > passwd_ftp

And that's it! Suddenly john can log in with the password "secret". If you want to simplify this even further, create a Makefile. Remember that the indented lines in a Makefile must start with a tab character, not eight spaces!

# /etc/vsftpd/Makefile
passwd_ftp: cleartext
	touch $@
	chmod 600 $@
	./filter.pl $< >>$@
	rm -f cleartext

This way, if you want to update your virtual users, simply:

cd /etc/vsftpd 
vi cleartext 
make

tim2k: added "rm -f cleartext"; leaving the passwords there is a security risk ;)


tha_gamemaster: changed "./filter.pl $< >$@" to "./filter.pl $< >>$@" to concatenate users to passwd_ftp instead of overwriting the list every time make was executed.
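A passwd_ftp file is a credential store, so it is worth checking what the Makefile produced before vsftpd starts using it. The following shell script is an added example, not from the wiki page: it verifies the file mode the Makefile sets (600), that every line has the "username:password_crypt" form with an MD5-crypt hash of the kind filter.pl emits ($1$salt$hash) rather than a cleartext password copied over by mistake, and that no user name is listed twice, which the ">>" in the Makefile produces when a user is re-entered in cleartext and make is run again. The two sample files and their hashes are constructed for the example, not real credentials; stat -c is GNU/busybox syntax.

```shell
#!/bin/sh
# Added example (not from the wiki page): sanity-check a pam_pwdfile password
# file in the "username:password_crypt" form that filter.pl and the Makefile
# produce. Prints one line per problem; exit status = problem count.

check_pwdfile() {
    f=$1; n=0

    # 1. The Makefile sets mode 600; anything wider hands the hashes to every
    #    local user. (stat -c is GNU/busybox syntax.)
    m=$(stat -c %a "$f")
    if [ "$m" != 600 ] && [ "$m" != 400 ]; then
        echo "$f: mode $m, expected 600"; n=$((n + 1))
    fi

    # 2. Every line must be "user:$1$salt$hash" (what crypt with a $1$ salt
    #    returns). A field that is not a hash is usually a cleartext password
    #    copied in by hand.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *:*) ;;
            *) echo "no colon: $line"; n=$((n + 1)); continue ;;
        esac
        user=${line%%:*}; hash=${line#*:}
        [ -n "$user" ] || { echo "empty user name: $line"; n=$((n + 1)); }
        case $hash in
            '$1$'*'$'*) ;;
            '') echo "$user: empty password field"; n=$((n + 1)) ;;
            *) echo "$user: password field is not an MD5-crypt hash"; n=$((n + 1)) ;;
        esac
    done < "$f"

    # 3. Re-entering a user in cleartext and running make again appends a
    #    second line for the same name (the Makefile uses >>); flag duplicates.
    for u in $(cut -d: -f1 "$f" | sort | uniq -d); do
        echo "$u: listed more than once"; n=$((n + 1))
    done
    return "$n"
}

# Two constructed sample files; the hashes are made-up strings in $1$ form,
# not real credentials.
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
GOOD_PW=$TMPD/passwd_ftp.good
BAD_PW=$TMPD/passwd_ftp.bad
cat > "$GOOD_PW" <<'EOF'
john:$1$Xy8dQ2pL$5mJdl0ZlQHwcsOHGJ6wZx0
mary:$1$Ab3cDe4f$kqTlm9Kf6KJ0pVrq3ZcB7.
EOF
chmod 600 "$GOOD_PW"
cat > "$BAD_PW" <<'EOF'
john:$1$Xy8dQ2pL$5mJdl0ZlQHwcsOHGJ6wZx0
john:$1$Zz9yXx8w$Bv4hg7L2pnQ0mCvKsR1tE1
bob:secret
alice:
nocolon
EOF
chmod 644 "$BAD_PW"

for p in "$GOOD_PW" "$BAD_PW"; do
    echo "== $p"
    check_pwdfile "$p"; echo "problems: $?"
done
```

A natural place for check_pwdfile /etc/vsftpd/passwd_ftp is as a last step of the Makefile recipe, so a bad line or a duplicate is reported at the moment it is created rather than when a user cannot log in.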

Client Access

You should be able to access your ftp server easily from any client; here are a few examples.

Test your server by visiting ftp://localhost/packages

If your client is a linux box, you might also try mounting the ftp connection!

See Also

MAN vsftpd.conf - http://vsftpd.beasts.org/vsftpd_conf.html

HOWTO Plan, setup and run a high school Gentoo Club

http://wjholden.com/vsftpd-help.html

Troubleshooting

vsftpd: refusing to run with writable anonymous root

What this cryptic message means is that your ftp root directory is writable by the ftp user. Since the access is anonymous, vsftpd refuses to serve it. Run chmod -w on the ftp root to get rid of this common error. Another way out of this situation is to give the anonymous root and the vsftpd process completely different GIDs: for example ftpadmin (which sounds logical, as the admin should have write access) for /home/ftp (chmod'ed 775), and just the usual ftp group for the vsftpd process.
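The error above, and the upload drop-box from the Uploading section, both come down to which rwx bits apply to the user vsftpd runs anonymous sessions as (ftp by default). The following shell script is an added example, not from the wiki page: it reads owner, group and mode with stat and answers the two questions a practitioner wants settled before starting the daemon: can that user write in the anonymous root (then vsftpd refuses to run), and is the upload directory write-only for that user (it can create files but cannot list them). It builds a scratch tree under mktemp; because the script cannot chown, the current user name stands in for the ftp user on the root directory, and "ftp" is used as a non-owner on the upload directory. It assumes a stat that understands -c (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example (not from the wiki page): judge, from owner/group/mode bits,
# whether the user vsftpd runs anonymous sessions as can write the anonymous
# root (vsftpd then refuses to run) or use a write-only upload directory.
# Needs a stat that understands -c (GNU coreutils or busybox).

# perm_bits DIR USER: the single rwx digit of DIR that applies to USER.
perm_bits() {
    set -- "$1" "$2" $(stat -c '%U %G %a' "$1")   # dir user owner group mode
    mode=$(printf '%03d' "$(( $5 % 1000 ))")       # strip sticky/setgid digit
    rest=${mode#?}                                  # group and other digits
    if [ "$3" = "$2" ]; then
        echo "${mode%??}"                           # owner digit
    elif id -Gn "$2" 2>/dev/null | tr ' ' '\n' | grep -qx "$4"; then
        echo "${rest%?}"                            # group digit
    else
        echo "${rest#?}"                            # other digit
    fi
}

# anon_root_ok DIR FTPUSER: true when FTPUSER cannot write in DIR, the
# condition vsftpd checks before serving an anonymous root.
anon_root_ok() {
    b=$(perm_bits "$1" "$2")
    [ $(( b & 2 )) -eq 0 ]
}

# drop_box_ok DIR FTPUSER: true when FTPUSER can create files in DIR (write
# and search bits) but cannot list it (no read bit): a write-only drop box.
drop_box_ok() {
    b=$(perm_bits "$1" "$2")
    [ $(( b & 3 )) -eq 3 ] && [ $(( b & 4 )) -eq 0 ]
}

# Constructed scratch layout standing in for /var/ftp and /var/ftp/upload.
# The current user plays the ftp user on the root (the script cannot chown);
# "ftp" is used as a non-owner for the upload directory.
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
ME=$(id -un)
mkdir -p "$TMPD/ftp/upload"
chmod 755 "$TMPD/ftp"           # owner-writable: the error from the page
chmod 733 "$TMPD/ftp/upload"    # other: write + search, no read

anon_root_ok "$TMPD/ftp" "$ME" || echo "$ME can write the ftp root: vsftpd would refuse to run"
chmod -w "$TMPD/ftp"            # the page's fix
anon_root_ok "$TMPD/ftp" "$ME" && echo "ftp root is no longer writable by $ME"
drop_box_ok "$TMPD/ftp/upload" ftp && echo "upload/ is a write-only drop box for user ftp"
```

Note that drop_box_ok insists on the search bit (x) as well as write, because POSIX requires both on a directory before a file can be created in it; that is why the scratch upload directory uses mode 733. A root-owned upload directory given the Uploading section's chmod 722 leaves x off for "other", so it is worth running this check against the real /var/ftp/upload as the ftp user before relying on it.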

xinetd FAILs to start vsftpd

Your server runs fine in standalone mode (listen=yes), but when running via xinetd, you can't get a connection?

Check your xinetd server logs. If you see

FAIL: ftp address from=<someIP>

you probably still have only_from = localhost in the defaults section of /etc/xinetd.conf.

Either comment it out, or set a new value in /etc/xinetd.d/vsftpd

Retrieved from "http://www.gentoo-wiki.info/Vsftpd"

Last modified: Sat, 06 Sep 2008 11:02:00 +0000