Howto: Virtual users for vsftpd
I recently noticed that this howto was gone due to the "Linux Know How" section being removed some time ago. This one is actually useful though, so I am re-adding it as a blog post now.
Virtual users (users with no real account on the system) can be easily set up for vsftpd. We will use PAM's pam_userdb module to authenticate the virtual users.
We need one real user for this to work. I simply used the ftp user, as this one is normally already there and has no shell login anyway. Of course, you can use or create any user you want for this. Set the home directory of this user to the root of the FTP directories we want to serve. For example:
usermod -d /srv/ftp ftp
Here we have the relevant part of the /etc/vsftpd/vsftpd.conf I use:
local_enable=YES
guest_enable=YES
write_enable=YES
nopriv_user=ftp
guest_username=ftp
virtual_use_local_privs=YES
pam_service_name=vsftpd.virtual
user_sub_token=$USER
local_root=/srv/ftp/$USER
chroot_local_user=YES
allow_writeable_chroot=YES
Of course, you are free to add other options, like logging, umask, etc.
The config says it uses vsftpd.virtual to authenticate the virtual users. So let's also create the respective PAM config file /etc/pam.d/vsftpd.virtual:
#%PAM-1.0
auth required pam_userdb.so db=/etc/vsftpd/users crypt=crypt
account required pam_userdb.so db=/etc/vsftpd/users crypt=crypt
session required pam_loginuid.so
Notice the reference to /etc/vsftpd/users, not /etc/vsftpd/users.db (which will be the actual filename used); the .db suffix is appended automatically. We append crypt=crypt to indicate that the stored passwords are crypt(3) hashes (nobody wants to store cleartext passwords, right?).
Finally, we need to add one or more virtual users to the userdb. I wrote a script called userdbadm to do this in an easy way. Of course, you can create the database in whatever way you want to. When using userdbadm, it's something like:
userdbadm /etc/vsftpd/users.db add virtual_user
Notice the .db here! You will be prompted for a password. The user and the salted crypted password will be stored in the database.
Finally, the virtual user needs a home directory which will be served by vsftpd when the user logs in. It has to be owned by the real user vsftpd uses. For the above example, we simply do:
mkdir /srv/ftp/virtual_user
chown ftp:ftp /srv/ftp/virtual_user
That's it :-) Restart vsftpd and have fun with virtual users now!
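For readers without userdbadm, here is one way to do the last two steps (database entry plus home directory) with stock tools. This is an added example, not the author's script. It assumes openssl 1.1.1 or later, Berkeley DB's db_load, and a pam_userdb built against Berkeley DB that accepts SHA-512 crypt hashes; the function names and the file name add_vuser.sh are made up for illustration.

```shell
#!/bin/sh
# Added example, not the author's userdbadm script.
# Assumptions: openssl >= 1.1.1 (for "passwd -6"), Berkeley DB's db_load,
# and a pam_userdb built against Berkeley DB that accepts SHA-512 crypt hashes.

# Print one db_load record: user name on line 1, salted SHA-512 crypt(3)
# hash on line 2. The password is read from stdin, so it never shows up
# in the process list.
userdb_record() {
    user=$1
    # The name ends up in local_root=/srv/ftp/$USER, so reject anything
    # that could leave that directory ("/", "..", leading dot, empty).
    case $user in
        ''|.*|*[!A-Za-z0-9_.-]*) echo "invalid user name" >&2; return 1 ;;
    esac
    pwhash=$(openssl passwd -6 -stdin) || return 1
    printf '%s\n%s\n' "$user" "$pwhash"
}

# Add or replace a user in the database and create the home directory.
# Runs in a subshell so the umask change does not leak into the caller.
add_virtual_user() (
    db=$1 user=$2 ftp_root=${3:-/srv/ftp}
    umask 077                      # users.db holds password hashes
    record=$(userdb_record "$user") || exit 1
    # -T: plain-text input, alternating key and value lines; -t hash: DB type.
    printf '%s\n' "$record" | db_load -T -t hash "$db" || exit 1
    chmod 600 "$db"
    [ -d "$ftp_root/$user" ] || mkdir "$ftp_root/$user" || exit 1
    chown ftp:ftp "$ftp_root/$user"
)

# Run only when called with arguments, e.g. as root (hypothetical file name):
#   sh add_vuser.sh /etc/vsftpd/users.db virtual_user
# The password is then read from stdin.
if [ "$#" -ge 2 ]; then
    add_virtual_user "$@"
fi
```

The resulting users.db is readable by root only, which is enough for pam_userdb since vsftpd authenticates before dropping privileges.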