Virtual Users and Directories in VSFTPD

December 1st, 2010 by Pawan Kumar

The reason for setting up virtual users, each with a different home directory, was to allow FTP access to a web server running a number of different sites for different clients. Each client can have one or more logins to the FTP server, and the usernames and passwords can be shared with the Apache web server, so you only need to store their passwords in one place.

Installation
# yum install vsftpd libpam-pwdfile

In this example I want the FTP server to provide access to various locally hosted websites, which I'm running from /var/www/sites/site1 etc., so I don't want anonymous access, and users must not be able to access other sites.
I will use the htpasswd utility that comes with Apache; pawan is the virtual user. For the first user I use the -c option to create the password file.
# htpasswd -c /etc/vsftpd/passwd pawan
For further users, omit -c so the existing file is appended to rather than overwritten:
# htpasswd /etc/vsftpd/passwd alice

# vim /etc/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
virtual_use_local_privs=YES
write_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
guest_enable=YES
user_sub_token=$USER
local_root=/var/www/sites/$USER
chroot_local_user=YES
hide_ids=YES

I've turned anonymous access off and enabled local access, which is needed for virtual users, and specified that each user will be chrooted to their own web directory, so user pawan will be chrooted to /var/www/sites/pawan. Although the manual says that local_root will fail silently if the folder doesn't exist, that is not what happens here because chrooting is turned on: if the folder is missing, the user gets a 500 error from the FTP server.

Next, configure PAM to use the password file by editing /etc/pam.d/vsftpd:

# Customized login using htpasswd file
auth required pam_pwdfile.so pwdfile /etc/vsftpd/passwd
account required pam_permit.so

# /etc/init.d/vsftpd stop
# /etc/init.d/vsftpd start

and try logging on via ftp.
# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.3)
Name (127.0.0.1:root): pawan
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/var/www/sites/pawan
Login failed.
421 Service not available, remote server has closed connection
ftp> quit
#
Now create pawan's home folder and set the permissions up correctly.

debian# mkdir /var/www/sites/pawan
debian# chmod +w /var/www/sites/pawan
and try FTPing in again:
debian# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.3)
Name (127.0.0.1:root): pawan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Success!

Extra Options
If you need multiple logins for the same folder, for example a client who wants each developer to have their own login, add the following line to /etc/vsftpd.conf:
user_config_dir=/var/www/users
It's easiest if each virtual user for a client has a login that starts with that client's name, so alice working for client1 would be client1-alice. Add their username and password to the password file, then create a file named client1-alice in the user config folder /var/www/users containing the single line
local_root=/var/www/sites/client1
If you are offering multiple logins to lots of clients, it's easiest to create one file per client, e.g. /var/www/users/client1 containing the single line

local_root=/var/www/sites/client1
and then create a symbolic link for each login belonging to that client instead:
# cd /var/www/users
# ln -s client1 client1-alice
You are less likely to make mistakes if every login for a client points to the same file.
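The provisioning steps above (password entry, site directory created before the first login, and the per-client local_root file with one symlink per developer login) gathered into one script, as an added example that is not part of the original post. The paths are the post's; the function names and the username check are my own additions, the latter because user_sub_token=$USER splices the login name directly into local_root.

```sh
#!/bin/sh
# Provision a vsftpd virtual user as the post describes: password entry in the
# htpasswd file, site directory created before first login (otherwise vsftpd
# answers "500 OOPS: cannot change directory" because chroot_local_user=YES),
# and a per-client local_root override in user_config_dir with one symlink per
# developer login. Default paths are the post's; reassign to test elsewhere.
SITES_ROOT=/var/www/sites
USERS_DIR=/var/www/users
PASSWD_FILE=/etc/vsftpd/passwd

# user_sub_token=$USER splices the login name into local_root, so only accept
# names that cannot carry a path component ("/", "..") or look like an option.
valid_name() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Add or update a user's password; htpasswd -c is only correct for a new file.
set_password() {
    valid_name "$1" || { echo "rejected username: $1" >&2; return 1; }
    if [ -f "$PASSWD_FILE" ]; then htpasswd "$PASSWD_FILE" "$1"
    else htpasswd -c "$PASSWD_FILE" "$1"; fi
}

# provision_login <login> <client>: create $SITES_ROOT/<client>, write the
# shared $USERS_DIR/<client> file, and symlink <login> to it when they differ
# (e.g. client1-alice -> client1). A single-login site passes the same name twice.
provision_login() {
    login="$1"; client="$2"
    valid_name "$login" && valid_name "$client" ||
        { echo "rejected name(s): $login $client" >&2; return 1; }
    mkdir -p "$SITES_ROOT/$client" "$USERS_DIR"
    [ -f "$USERS_DIR/$client" ] ||
        printf 'local_root=%s/%s\n' "$SITES_ROOT" "$client" > "$USERS_DIR/$client"
    [ "$login" = "$client" ] || ln -sf "$client" "$USERS_DIR/$login"
}

# check_login_root <login>: print the directory vsftpd will chroot this login
# into (per-user file if present, else the global local_root default) and fail
# if it does not exist, so the 500 OOPS can be caught before the client does.
check_login_root() {
    cfg="$USERS_DIR/$1"
    if [ -r "$cfg" ]; then root=$(sed -n 's/^local_root=//p' "$cfg")
    else root="$SITES_ROOT/$1"; fi
    [ -d "$root" ] && echo "$root"
}
```

Run set_password only where htpasswd is installed; the other two functions work on any POSIX shell and can be pointed at a scratch directory by reassigning SITES_ROOT and USERS_DIR.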

  • Anil

    These settings will be unable to help.

    Please reply.

  • Pawan Kumar

    Anil, can you specify exactly where the problem is?

  • Marcel

    Hi,

    I did not succeed in setting it up like this. I am on Ubuntu, but that does not make a difference, I suppose. I assume I have to create the /etc/vsftpd/ folder and the passwd file. So that is what I did.

    When I now try to login I get a 530 Login incorrect. I think it is in the /etc/pam.d/vsftpd file.

    Here I’m not sure what to do. Should I just put the two lines you mention and put # in front of the rest? I played with these lines but it does not seem to work.

  • Qobosanele

    I have the same problem here. Please, how did you solve this?
