Yet Another Concept of Custom Manageable FTP (Part I)
Dealing with tens of FTP users on a single FTP server is a pretty easy job, since those users hardly need any maintenance. It's as simple as creating a few login users on a PC, and creating another one, deleting it or just reading the physical log file takes only a moment. But what if we have thousands of users moving dynamically between more than one dedicated FTP server? Well, at the very least we're going to need some robots that work 24/7 to take care of the whole system. Unfortunately, we're not living in the Terminator era that would supply them, not yet.
In the picture below, different users access different dedicated FTP servers. We're talking about a huge number of FTP users here, which makes tracking the log files seem impossible. We also want to stop users from storing garbage files on the other FTP servers.
Basically, the concept is a piece of cake, in theory, but it's worth working through. The first rule is: none of those FTP servers is browseable from clients, and I don't need to create and manage those thousands of FTP users manually, because I have the list of them stored in a table of a MySQL database (that's why I use an HTTP authentication server, written in PHP of course). So, if your situation fits the one I described, this article may solve your problem.
The key is to create virtual FTP users! Yes, generate users at runtime in a flat text file with the htpasswd CLI, a feature of the HTTPD service. The system can even delete that virtual account after the session ends. For this scenario, I use an RHEL server with the built-in FTP daemon called VSFTPD, which claims to be a Very Secure FTP Daemon (yet another secure, fast and stable FTP server). Unfortunately, a great number of Linux distros, including this RHEL OS, lack one important VSFTPD module named pam_pwdfile (a Pluggable Authentication Module for authenticating users against an htpasswd file).
So, I suggest you download this library to the HTTP authentication server. I got it from the RPMBone site (ftp://ftp.pbone.net/mirror/ftp.pld-linux.org/dists/1.0/updates/general/i586/pam_pwdfile-0.98-2.i586.rpm). Continue by installing it:
After it is successfully installed, we need to configure /etc/vsftpd.conf as shown below:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
nopriv_user=vsftpd
virtual_use_local_privs=YES
guest_enable=YES
user_sub_token=$USER
local_root=/var/www/users/$USER
chroot_local_user=YES
hide_ids=YES
guest_username=vsftpd
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
log_ftp_protocol=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
check_shell=NO
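The options above interact in ways that are easy to miss, so here is an added example (my own script, not part of the original post or of vsftpd) that reads a vsftpd.conf and reports the combinations worth a second look: anonymous access left on, log_ftp_protocol set alongside xferlog_std_format (the vsftpd.conf man page states that log_ftp_protocol only takes effect when xferlog_std_format is not enabled, so the per-command log this configuration asks for is never written), chroot_local_user with write_enable (vsftpd 2.3.5 and later refuse a writable chroot root unless allow_writeable_chroot=YES, an option that exists from vsftpd 3.0.0), and guest_enable without guest_username (which would map every virtual user to the default "ftp" account). The sample configuration embedded in the script is the article's own; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf for the
# option interactions discussed in the article. Usage:
#   sh audit_vsftpd.sh /etc/vsftpd/vsftpd.conf
# The exit status is the number of findings (0 means nothing to report).

# conf_get FILE KEY -> value of KEY. vsftpd takes the last definition of an
# option, so the last occurrence wins here too; prints nothing if unset.
conf_get() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key        { val = $2 }
        END              { print val }
    ' "$1"
}

# audit_vsftpd_conf FILE -> one finding per line on stdout, returns the count.
audit_vsftpd_conf() {
    conf="$1"
    findings=0

    if [ "$(conf_get "$conf" anonymous_enable)" = "YES" ]; then
        echo "anonymous_enable=YES: anonymous logins are open; this setup expects NO"
        findings=$((findings + 1))
    fi

    # vsftpd.conf(5): log_ftp_protocol has no effect while xferlog_std_format
    # is enabled, so setting both silently drops the per-command log.
    if [ "$(conf_get "$conf" xferlog_std_format)" = "YES" ] &&
       [ "$(conf_get "$conf" log_ftp_protocol)" = "YES" ]; then
        echo "log_ftp_protocol=YES is ignored while xferlog_std_format=YES"
        findings=$((findings + 1))
    fi

    # Since vsftpd 2.3.5 a chrooted user whose root is writable is refused
    # ("500 OOPS: ... writable root inside chroot()") unless
    # allow_writeable_chroot=YES (vsftpd 3.0.0+) is set. local_root here is the
    # user's own writable directory, so newer daemons need that option.
    if [ "$(conf_get "$conf" chroot_local_user)" = "YES" ] &&
       [ "$(conf_get "$conf" write_enable)" = "YES" ] &&
       [ "$(conf_get "$conf" allow_writeable_chroot)" != "YES" ]; then
        echo "chroot_local_user=YES with write_enable=YES: vsftpd >= 2.3.5 refuses a writable chroot root without allow_writeable_chroot=YES"
        findings=$((findings + 1))
    fi

    # guest_enable without an explicit guest_username maps everyone to "ftp".
    if [ "$(conf_get "$conf" guest_enable)" = "YES" ] &&
       [ -z "$(conf_get "$conf" guest_username)" ]; then
        echo "guest_enable=YES without guest_username: virtual users would map to the default 'ftp' account"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# write_sample_conf FILE -> writes the article's configuration (constructed
# sample input) so the audit can be tried without touching /etc.
write_sample_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
nopriv_user=vsftpd
virtual_use_local_privs=YES
guest_enable=YES
user_sub_token=$USER
local_root=/var/www/users/$USER
chroot_local_user=YES
hide_ids=YES
guest_username=vsftpd
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
log_ftp_protocol=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
check_shell=NO
EOF
}

# With a path argument, audit that file; with none, only define the functions.
if [ "$#" -gt 0 ]; then
    audit_vsftpd_conf "$1"
    exit "$?"
fi
```

Run against the article's configuration the audit reports two findings: the ineffective log_ftp_protocol line and the writable chroot root. Dropping log_ftp_protocol (or setting xferlog_std_format=NO if the per-command log is what you want) and adding allow_writeable_chroot=YES on a vsftpd 3.x host brings it to zero.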
Next, configure PAM to check the passwd file for users. The file to configure is /etc/pam.d/vsftpd:
auth required pam_pwdfile.so pwdfile /etc/vsftpd/vsftpd.passwd
account required pam_permit.so
Simply remove everything else from the file except the two lines above, then save it. To make sure the configuration files above are marked with the green OK sign, restart the service twice:
#service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
#service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
Next, create the passwd file containing a dummy user. I named it "testis" and put this user in the "ftp_users" group. So, we need to create that group before creating the users:
#groupadd ftp_users
#htpasswd -c /etc/vsftpd/vsftpd.passwd testis
To add further users to the file later, the command changes to:
#htpasswd -b /etc/vsftpd/vsftpd.passwd virgin boobs
The user ID is "virgin" and the password is "boobs". Next, create a physical local user that the virtual users are mapped to when they authenticate:
#useradd -d /home/vsftpd -g ftp_users -m -s /bin/false vsftpd
Also, create the user's home directory, since VSFTPD doesn't do it automatically:
#mkdir /var/www/users/testis
#chown vsftpd:ftp_users /var/www/users/testis
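The steps above (group, htpasswd entry, home directory, ownership) are what a robot would repeat thousands of times, and the article also wants accounts removed once a session ends. Here is an added example of that provisioning loop as a script; it is my own code, not the author's or vsftpd's. It keeps the article's paths (/etc/vsftpd/vsftpd.passwd, /var/www/users, owner vsftpd:ftp_users) as defaults that can be overridden through the environment, and it validates the username before use, because with user_sub_token=$USER the name is substituted straight into local_root and into the passwd file. It reads the password from stdin with htpasswd -i (available from Apache 2.4.4; the article's htpasswd -b form works on older versions but leaves the password visible in the process list and shell history) and removes entries with htpasswd -D. The function names and the --purge flag are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): add, remove and list virtual
# vsftpd users in the htpasswd-style file the article uses.
#   echo 'pass' | sh vuser.sh add NAME      # password on stdin, one line
#   sh vuser.sh del NAME [--purge]          # --purge also deletes the home dir
#   sh vuser.sh list
PASSWD_FILE="${PASSWD_FILE:-/etc/vsftpd/vsftpd.passwd}"
USERS_ROOT="${USERS_ROOT:-/var/www/users}"
# Owner of each home directory (guest_username account and its group).
# Set it empty to skip chown, e.g. when testing as a non-root user.
HOME_OWNER="${HOME_OWNER-vsftpd:ftp_users}"

# valid_username NAME -> 0 if NAME is safe to substitute into local_root and
# to hand to htpasswd: lowercase token only (no '/', '..', ':' or spaces),
# no leading '-' (would be parsed as an option), at most 32 characters.
valid_username() {
    case "$1" in
        '' | -* | *[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

user_home() { printf '%s/%s\n' "$USERS_ROOT" "$1"; }

has_virtual_user() { grep -q "^${1}:" "$PASSWD_FILE" 2>/dev/null; }

# list_virtual_users -> one username per line (empty if no file yet)
list_virtual_users() {
    [ -f "$PASSWD_FILE" ] || return 0
    cut -d: -f1 "$PASSWD_FILE"
}

# add_virtual_user NAME: password is read from stdin by htpasswd -i, so it
# never appears on the command line; -c creates the file on first use.
add_virtual_user() {
    name="$1"
    valid_username "$name" || { echo "invalid username: $name" >&2; return 1; }
    if [ -s "$PASSWD_FILE" ]; then
        htpasswd -i "$PASSWD_FILE" "$name"
    else
        htpasswd -c -i "$PASSWD_FILE" "$name"
    fi || return 1
    home=$(user_home "$name")
    mkdir -p "$home"
    chmod 750 "$home"                 # guest account and its group only
    if [ -n "$HOME_OWNER" ]; then
        chown "$HOME_OWNER" "$home"   # vsftpd serves the chroot as this user
    fi
}

# remove_virtual_user NAME [--purge]: drop the passwd entry; with --purge also
# delete the home directory, but only if it really sits under USERS_ROOT.
remove_virtual_user() {
    name="$1"
    valid_username "$name" || { echo "invalid username: $name" >&2; return 1; }
    htpasswd -D "$PASSWD_FILE" "$name" || return 1
    if [ "${2:-}" = "--purge" ]; then
        home=$(user_home "$name")
        case "$home" in
            "$USERS_ROOT"/*) rm -rf "$home" ;;
        esac
    fi
}

case "${1:-}" in
    add)  add_virtual_user "$2" ;;
    del)  remove_virtual_user "$2" "${3:-}" ;;
    list) list_virtual_users ;;
    '')   ;;   # no arguments: functions only, nothing runs
    *)    echo "usage: $0 add NAME | del NAME [--purge] | list" >&2; exit 2 ;;
esac
```

Note that the script edits the passwd file through htpasswd itself rather than appending lines by hand, so the hash format stays whatever the installed htpasswd produces and pam_pwdfile understands; pam_pwdfile re-reads the file on every login, so no vsftpd restart is needed after adding or removing a user.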
Finally, restart the VSFTPD service and test it from a client machine using an FTP client.
That's it. Now we have a basic skeleton template for dynamically manageable FTP servers.
Still confused? It will make 100% sense if you stay tuned to this blog for the upcoming part II article in the next couple of weeks, where I plan to share the rest of it. Thanks for reading and have a great day!
Labels: FTP, Linux, Setting, Tips Trik
Adi Riswan said,
Wednesday, May 02, 2012 2:33:00 PM
never put your testis on FTP server
Eko Wahyudiharto said,
Wednesday, May 02, 2012 3:58:00 PM
Oops..sorry.
* Inspired by Tinto Brass :)