Configuring FTPS with Virtual Users on CentOS

Recently we configured FTPS with virtual users for one of our clients. I want to share that with you in this blog post.

FTPS, also known as FTP Secure, is an extension of plain FTP that wraps it in TLS (and, historically, SSL). In other words, FTPS is the encrypted flavour of FTP, just as HTTPS is the encrypted flavour of HTTP. There are two kinds of FTPS:

  • FTP over implicit TLS/SSL: the client opens a TLS connection first, conventionally to port 990, and every FTP command and data transfer travels inside it
  • FTP over explicit TLS/SSL (also known as FTPES): the client connects to port 21 in the clear and upgrades the session with the AUTH TLS command

In this blog post we are going to set up FTP over implicit TLS/SSL.

Step 1 : Creation of Virtual Users Database

   We are going to use pam_userdb to authenticate the virtual users. It reads usernames and passwords from a Berkeley DB file, so first write a plain text file, user.txt, that lists each virtual user's name on one line and that user's password on the next line (db_load reads these alternating lines as key/value pairs).

Logged in as root, create the actual database from it with the following command (db_load comes from the db4-utils package on CentOS 6):

db_load -T -t hash -f user.txt /etc/vsftpd/user.db

The virtual-user database is now saved in /etc/vsftpd as the file “user.db”. Note that user.txt holds the passwords in clear text, and pam_userdb compares them in clear text by default (its crypt=none mode), so delete user.txt once the database is built, or keep it readable by root only, and treat user.db the same way.

NOTE: Many systems have multiple versions of “db” installed, so you may need to use e.g. db3_load for correct operation. This is known to affect some Debian systems. The core issue is that pam_userdb expects its login database to be a specific db version (often db3, whereas db4 may be installed on your system).

Then restrict the permissions on the database file:

  chmod 600 /etc/vsftpd/user.db

Step 2 : Creation of PAM file which uses the new database

Create the PAM service file ” vsftpd ” in the directory /etc/pam.d with the following lines in it. On CentOS the vsftpd package already installs /etc/pam.d/vsftpd (set up for local system accounts), so replace its contents rather than appending to it. Refer to the module by name only: PAM then finds it in /lib/security or /lib64/security as appropriate for the architecture. The db= path is given without the .db suffix on purpose, because pam_userdb appends it itself.

auth required pam_userdb.so db=/etc/vsftpd/user

account required pam_userdb.so db=/etc/vsftpd/user

Step 3 : Set up the location of the files for the Virtual users

vsftpd maps every virtual user onto one real system account (its guest_username setting; the default is ftp) and, after login, reads and writes files as that account. Create a dedicated, non-login account for this role, with a home directory that will hold one sub-directory per virtual user:

useradd -d /home/ftpsite -s /sbin/nologin virtual

ls -ld /home/ftpsite

It should be ..

drwx------ 3 virtual virtual 4096 Oct 16 00:39 /home/ftpsite

Leave the directory owned by ” virtual ”; we set guest_username=virtual in the vsftpd.conf of Step 5 so that vsftpd uses this account. (If you keep vsftpd's default guest account ftp instead, this directory and the per-user directories below have to be owned by ftp.)

We need to create a directory for each virtual user at /home/ftpsite/$virtualusername; it becomes that user's home directory and chroot.

For Example,
if you create a virtual user as “fcoos”, create the directory “fcoos” in /home/ftpsite/, owned by ” virtual ” and accessible to that owner only. Since vsftpd runs as ” virtual ” after login, owner-only permission is all it needs; a world-writable directory (chmod 777) would let every local account on the server read and alter every customer's files.
It can be done by the following commands,

mkdir /home/ftpsite/fcoos
chown virtual:virtual /home/ftpsite/fcoos
chmod 700 /home/ftpsite/fcoos

Note that vsftpd 2.3.5 and later refuse a login whose chroot root is writable unless allow_writeable_chroot=YES is set; the vsftpd 2.2.x shipped with CentOS 6 has no such check, so the directory above can stay writable by its owner.
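As an added example (not part of the original post), here is a small POSIX shell script that ties Steps 1 and 3 together: it takes a username:password list, validates the names, writes the alternating-line text that db_load expects, builds user.db atomically and creates each user's chroot directory. The FTPS_* defaults, the function names, and the requirement that guest_username in vsftpd.conf name the account given in FTPS_GUEST are my assumptions, not the post's.

```shell
#!/bin/sh
# Added example, not from the original post: provision vsftpd virtual users.
# Reads "username:password" lines, validates them, writes the alternating
# key/value text db_load expects, builds the pam_userdb file atomically and
# creates each user's chroot directory. db_load (db4-utils on CentOS 6) and
# root are needed for the real run; the text-handling functions run anywhere.
# Assumptions (not from the post): the FTPS_* defaults below, and that
# vsftpd.conf sets guest_username to the account named in FTPS_GUEST.

export LC_ALL=C

FTPS_ROOT=${FTPS_ROOT:-/home/ftpsite}     # parent of the per-user directories
FTPS_DB=${FTPS_DB:-/etc/vsftpd/user.db}   # pam_userdb database (db= path + .db)
FTPS_GUEST=${FTPS_GUEST:-virtual}         # account vsftpd runs as after login

# A username is substituted into local_root via user_sub_token, i.e. it
# becomes a path component. Accept only lowercase letters, digits, '_' and
# '-', starting with a letter, so "../etc" or "a/b" never reach the database.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*|[!a-z]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}

# stdin: "username:password" lines (blank lines and # comments ignored).
# stdout: db_load -T input, key and value on alternating lines.
# Passwords may contain ':'; only the first ':' separates the fields.
userlist_to_dbtext() {
    while IFS=: read -r user pass; do
        case "$user" in ''|'#'*) continue ;; esac
        if ! valid_username "$user"; then
            printf 'rejected username: %s\n' "$user" >&2
            return 1
        fi
        if [ -z "$pass" ]; then
            printf 'empty password for %s\n' "$user" >&2
            return 1
        fi
        printf '%s\n%s\n' "$user" "$pass"
    done
}

# Build the Berkeley DB into a temp file and rename it over the live one so
# vsftpd never opens a half-written database. The user.txt equivalent is a
# temp file that is removed afterwards, since it holds clear-text passwords.
build_userdb() {   # $1 = path to the user:password list
    txt=$(mktemp) || return 1
    if ! userlist_to_dbtext < "$1" > "$txt"; then
        rm -f "$txt"
        return 1
    fi
    tmpdb="$FTPS_DB.tmp.$$"
    rm -f "$tmpdb"
    if db_load -T -t hash -f "$txt" "$tmpdb" && chmod 600 "$tmpdb" \
            && mv "$tmpdb" "$FTPS_DB"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$txt" "$tmpdb"
    return $rc
}

# Per-user chroot directory: owned by the guest account, owner-only.
# vsftpd accesses it as that account, so world-writable (777) is never needed.
make_user_dir() {   # $1 = username
    valid_username "$1" || return 1
    d="$FTPS_ROOT/$1"
    mkdir -p "$d" && chown "$FTPS_GUEST:$FTPS_GUEST" "$d" && chmod 700 "$d"
}

# Whole provisioning run: database first, then one directory per user
# (usernames are the odd lines of the db_load text).
provision() {   # $1 = path to the user:password list
    build_userdb "$1" || return 1
    userlist_to_dbtext < "$1" | awk 'NR % 2 == 1' | while read -r u; do
        make_user_dir "$u" || exit 1
    done
}
```

Save it as, say, /root/ftps-users.sh, source it and call provision /root/users.list as root; rerun it whenever a user is added or a password changes, since pam_userdb re-reads the database on every login.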

Step 4 : Generate a Certificate

Use OpenSSL to generate a self-signed certificate and private key for vsftpd. They are stored on your server in a location of your choice; here I put both in one file in the /etc/vsftpd directory. You also specify a ‘lifetime’ for the certificate; here it is set to a year (“-days 365”). Use a 2048-bit key: 1024-bit RSA is below today's accepted minimum. “-nodes” leaves the private key unencrypted so vsftpd can start unattended, which is why the resulting file must be readable by root only (mode 600, as with user.db). Because the certificate is self-signed, clients will warn on the first connection; give your users its fingerprint so they can verify it rather than click through the warning.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

Step 5 : Create your vsftpd.conf config file

vim /etc/vsftpd/vsftpd.conf

Edit vsftpd.conf as given below. The commented-out lines are the stock CentOS defaults and can stay; the lines that matter for virtual users and TLS are annotated. When a key appears twice vsftpd uses the last value, so keep each key once.

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=077

#anon_upload_enable=YES
#anon_mkdir_write_enable=YES

dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES

#chown_uploads=YES
#chown_username=whoever

xferlog_file=/var/log/xferlog
xferlog_std_format=NO
idle_session_timeout=800
data_connection_timeout=300

#nopriv_user=ftpsecure
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
#ftpd_banner=Welcome to iTech FTP service
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd/banned_emails

# Every user is locked into local_root; no chroot exception list.
chroot_local_user=YES

#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list

# "ls -R" over a large tree is expensive for the server; set NO if unneeded.
ls_recurse_enable=YES
listen=YES

#listen_ipv6=YES

#userlist_enable=YES
#tcp_wrappers=YES

# Virtual-user mapping: every login from user.db runs as guest_username with
# that account's local privileges, authenticated through /etc/pam.d/vsftpd,
# and lands in local_root with the login name substituted for $USER.
virtual_use_local_privs=YES
pam_service_name=vsftpd
guest_enable=YES
guest_username=virtual
user_sub_token=$USER
local_root=/home/ftpsite/$USER

# TLS: implicit mode listens on 990 and expects the handshake before any FTP
# traffic; logins and data are forced onto TLS; SSLv2 and SSLv3 are broken
# and stay off; ssl_ciphers is set because vsftpd 2.x defaults to DES-CBC3-SHA.
ssl_enable=YES
implicit_ssl=YES
listen_port=990
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
rsa_cert_file=/etc/vsftpd/vsftpd.pem
# vsftpd normally insists that the data connection resume the control
# connection's TLS session, which ties the two together; NO relaxes this for
# clients that cannot resume sessions. Set YES if all your clients can.
require_ssl_reuse=NO

# Passive data connections: the firewall's FTP helper cannot follow PASV
# replies inside TLS, so fix the range and open it (and 990) explicitly.
pasv_enable=YES
pasv_min_port=15000
pasv_max_port=16000

Restart vsftpd so it reads the new configuration, and open TCP port 990 and the passive range 15000-16000 on the firewall. That's it!

We have configured FTPS with virtual users on CentOS 6.
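Added example, not from the original post: a checker for the finished setup. lint_vsftpd_conf reads a vsftpd.conf and reports settings that would weaken the implicit-FTPS configuration above (SSLv2 or SSLv3 enabled, login or data TLS not forced, the cipher list left at vsftpd 2.x's DES-CBC3-SHA default, no fixed passive range, repeated keys); cert_fingerprint and key_bits inspect the PEM file from Step 4; probe_ftps makes a first connection from a client host. The function names and the exact set of checks are mine.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the implicit
# FTPS configuration. lint_vsftpd_conf needs only sed/sort/uniq; the cert and
# probe helpers need openssl (and, for probe_ftps, a running server).

export LC_ALL=C

# Last value set for a key, which is what vsftpd uses when a key repeats.
conf_get() {   # $1 = conf file, $2 = key
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

_findings=0
_expect() {   # $1 = conf file, $2 = key, $3 = required value, $4 = reason
    v=$(conf_get "$1" "$2")
    if [ "$v" != "$3" ]; then
        printf '%s=%s required (is %s): %s\n' "$2" "$3" "${v:-unset}" "$4"
        _findings=$((_findings + 1))
    fi
}

# Prints one finding per line; the return value is the number of findings.
lint_vsftpd_conf() {   # $1 = path to vsftpd.conf
    f=$1
    _findings=0
    _expect "$f" anonymous_enable NO "anonymous logins bypass the virtual-user database"
    _expect "$f" ssl_enable YES "without it the listener is plain FTP"
    _expect "$f" implicit_ssl YES "clients on 990 expect TLS before any FTP banner"
    _expect "$f" listen_port 990 "conventional implicit-FTPS port"
    _expect "$f" force_local_logins_ssl YES "otherwise passwords may cross the wire in clear"
    _expect "$f" force_local_data_ssl YES "otherwise file contents may cross the wire in clear"
    _expect "$f" ssl_sslv2 NO "SSLv2 is broken"
    _expect "$f" ssl_sslv3 NO "SSLv3 is broken (POODLE)"
    _expect "$f" ssl_tlsv1 YES "the only TLS switch vsftpd 2.x offers"
    _expect "$f" chroot_local_user YES "virtual users must not browse outside their tree"
    _expect "$f" guest_enable YES "virtual users are mapped onto guest_username"
    # vsftpd 2.x's built-in default for ssl_ciphers is DES-CBC3-SHA.
    if [ -z "$(conf_get "$f" ssl_ciphers)" ]; then
        echo "ssl_ciphers unset: vsftpd 2.x defaults to DES-CBC3-SHA"
        _findings=$((_findings + 1))
    fi
    # The firewall cannot read PASV replies inside TLS, so the passive range
    # has to be fixed here and opened explicitly.
    if [ -z "$(conf_get "$f" pasv_min_port)" ] || [ -z "$(conf_get "$f" pasv_max_port)" ]; then
        echo "pasv_min_port/pasv_max_port unset: passive range cannot be firewalled"
        _findings=$((_findings + 1))
    fi
    dups=$(sed -n 's/^\([a-z_0-9]*\)=.*/\1/p' "$f" | sort | uniq -d | tr '\n' ' ')
    if [ -n "$dups" ]; then
        echo "repeated keys (last one wins): $dups"
        _findings=$((_findings + 1))
    fi
    return $_findings
}

# Checks on the PEM file vsftpd loads (key and certificate in one file).
cert_fingerprint() {   # $1 = pem path; SHA-256 fingerprint to hand to clients
    openssl x509 -in "$1" -noout -fingerprint -sha256
}
key_bits() {   # $1 = pem path; prints the RSA modulus size (expect 2048)
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# From a client host: with implicit TLS the handshake comes first, so a plain
# nc shows nothing; s_client shows the 220 banner, and QUIT closes cleanly.
probe_ftps() {   # $1 = host, $2 = port (default 990)
    printf 'QUIT\r\n' | openssl s_client -connect "$1:${2:-990}" -quiet 2>&1 | head -n 3
}
```

Source the file and run lint_vsftpd_conf /etc/vsftpd/vsftpd.conf before restarting vsftpd (service vsftpd restart, and chkconfig vsftpd on to start it at boot); a non-zero exit means something to fix. key_bits /etc/vsftpd/vsftpd.pem should print 2048, and the output of cert_fingerprint is what users compare against the certificate warning their client shows on first connection.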

Note:

To access the files use a client that supports FTPS; choose “FTP over implicit TLS” (port 990) rather than explicit TLS/FTPES, and accept the server certificate only after checking its fingerprint. In FileZilla we used the older version 3.3.1, because the newer versions were not compatible with this setup.


1 comment for “Configuring FTPS with Virtual Users on CentOS”

  1. Prashant N.K
    November 19, 2012 at 12:37 pm

    Very Nice..Info
