Centos – How to create an FTP user with access to the CentOS Virtual Server

centosftp

I have a virtual server running CentOS, and need to create an FTP user to give to a client so they can upload some files to me.

Any idea how I go about this, and how I only give them access to upload from one folder? (I don't care what folder, as long as they do not get access to my other files.)

Thanks.

Best Answer

Here are the basics

Create a local user account for your client give it a password and home directory etc.

Install vsftpd

yum install vsftpd

Edit

/etc/vsftpd/vsftpd.conf

anonymous_enable=NO
local_enable=YES
write_enable=YES
xferlog_file=YES
local_umask=022
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd

save the file and exit then restart vsftpd

/sbin/service vsftpd restart

and ensure it runs when the system starts

/sbin/chkconfig vsftpd on

Edit /etc/sysconfig/iptables-config

ensure that there is an entry for IPTABLES_MODULES which amongst other things contains ip_conntrack_ftp e.g.

IPTABLES_MODULES="ip_conntrack_ftp"

Then modify the firewall

/sbin/service iptables save

edit /etc/sysconfig/iptables

After the line

:RH-Firewall-1-Input - [0:0] or similar ( the [0:0] may be different) add

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

save the file and exit then restart the firewall

/sbin/service iptables restart

You sould be good to go.

Related Solutions

Ftp – Creating FTP site for uploading of files from multiple clients – how to create users

Not sure what OS, etc. that's important. If it is Windows, here's what I've done in the past.

I'll just assume local user accounts:

set up the local user accounts on the computer for each "user/client"
In explorer setup the NTFS structure so that you have a "root" folder and inside that folder you have folders for each client/etc.
Set up the NTFS rights, so that each user (you can use a group called FTP users, and add them all to that group) has "List" rights to the root folder. Then give them specific rights to each of their "home" folders (read/write/whatever).
In IIS for the FTP site, create virtual directories named EXACTLY the same as the user accounts you created, and point each one to the right home folder. ie. virtual directory of BOBJONES points to d:\ftpsite\BOBJONES
go back into explorer and create a new folder in the same folder as the ROOT folder and call it DEADEND
give the FTP users list/read permissions to the DEADEND folder
Back in IIS set the "root folder" for the FTP site to the DEADEND folder

That's it.

now when BOBJONES logs into the FTP site he is in the BOBJONES directory. If he gets wily and tries to do a cd .. to go up to the parent/root he'll get knocked into the DEADEND folder and won't see the list of everyone else's home folders, etc. (NOTE: he can get back to his home folder by typing cd BOBJONES still)

ONE FINAL NOTE: anybody that has a user ID but no virtual directory named the same will get defaulted to the root directory which has been changed to DEADEND.

Amazon EC2 CentOS – How to Add User with SFTP/FTP Access to /var/www/html/website_abc

By default services that provide a remote shell, like ssh or telnet, or an interactive remote session for commands like sftp, allow a local user to change into any directory they have permissions for, and retrieve a copy of any file they have access to.

As a general security configuration this is unfortunate because there are many files and directories which are world-readable of necessity. For example here is me a non-root user on some remote CentOS box;

$ cd /etc
-bash-3.2$ ls -1
acpi
adjtime
aliases
...

e.g. I can access lots of stuff, that ideally you would want to restrict from some unknown user who you wish to provide local access to.

Here is me looking at all the local users configured in the /etc/passwd file;

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
...

Unix systems provide the chroot command which allows you to reset the / of the user to some directory in the filesystem hierarchy, where they cannot access "higher-up" files and directories.

However in your case, it would appropriate to provide a virtual chroot implemented by the remote shell service. sftp can be easily configured to restrict a local user to a specific subset of the filesystem using a configuration in the

hence in your case, you want to chroot the adeveloper user into the /var/www/html/website_abc directory.

You can set a chroot directory for your user to confine them to the subdirectory /var/www/html/website_abc like so in /etc/ssh/sshd_config;

This stuff requires openssh-server later than 4.8?, so probably requires CentOS 6.2

Match Group sftp
    ChrootDirectory %h
    AllowTcpForwarding no

(not tested, see man sshd_config to confirm syntax)

and then add those users to the sftp group;

 groupadd sftp
 usermod -d /var/www/html/website_abc adeveloper
 usermod -G sftp adeveloper

Regarding shared keys

you should create an additional keypair for the adeveloper users, and send that to your consultant. (or alternatively, have them send your their public key and add it to the authorized_keys file for adeveloper)

never give up your private key, thats why its called private ;-)

traditional ftp alternatives

vsftp/proftp etc also support chroot configurations, but in this modern day ssh based configurations are the normal way, and support for ftp is historical only.

there are a couple of links to tutorials here;
http://www.techrepublic.com/blog/opensource/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/229

http://www.howtoforge.com/chrooted-ssh-sftp-tutorial-debian-lenny

Best Answer

Related Solutions

Ftp – Creating FTP site for uploading of files from multiple clients – how to create users

Amazon EC2 CentOS – How to Add User with SFTP/FTP Access to /var/www/html/website_abc

Related Topic