LDAP – vsftpd user authentication

Tags: centos7, ldap, openldap, vsftpd

I've set up a virtual machine running Centos 7 and VSFTPD.

VSFTPD is working great when connecting with local users. It chroots the user into his previously created home in /ftp/pub/{user_name} with "useradd -d". I've added TLS encryption, which is working great too (disabled here in order to see what was wrong). I've set the SELinux context of /ftp to public_content_t and of /ftp/pub(/.*)? to public_content_rw_t, and set 755 rights on /ftp/pub.

Recently, I tried to add LDAP auth to the VSFTPD server by doing this:

authconfig --enableldap --enableldapauth --ldapserver=name_of_my_server --ldapbasedn="dc=item1,dc=item2,dc=item3" --enablemkhomedir --update    

but it only adds authentication to the server itself (I can SSH to the server with a non-local account), not to the service (vsftpd), so I came across:

500 OOPS: cannot change directory:/home/default/path

What I understand from this error is that it tries to log in to the default home (which obviously doesn't exist) without creating a new one. What I want is that when a non-local user logs in over FTP to my server, a new home is created for them in /ftp/pub/{user_name} and they are chrooted into it.

Here is pam.d/login:

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

pam.d/vsftpd:

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

vsftpd.conf:

anonymous_enable=NO
# Allow local users to read and write
local_enable=YES
write_enable=YES
local_umask=022
pasv_enable=YES
pasv_max_port=1026
pasv_min_port=1025
dirmessage_enable=YES
connect_from_port_20=YES
ascii_download_enable=YES
ascii_upload_enable=YES
ftpd_banner=Welcome to blah FTP service.

# chroot section
chroot_local_user=YES
allow_writeable_chroot=YES
local_root=/ftp/pub/$USER
user_sub_token=$USER
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list

#logs
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES

listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

# Additions
use_localtime=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
require_ssl_reuse=NO
ssl_ciphers=HIGH
ssl_enable=NO
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES

I'm really stuck on that LDAP auth for VSFTPD and couldn't find what I should do in other posts on Server Fault. If someone could help me or recommend documentation, it would be greatly appreciated.

EDIT: SSH login successfully creates a home for the user in the default path (/home); FTP login creates it neither in /home nor in /ftp/pub. My goal is to create a home for the user in /ftp/pub on FTP login.

EDIT2: As suggested by mxttie, I could use pam_exec, but it would be more "getting around" the problem than really solving it. I would have to create a folder in "/home", then a folder in "/ftp/pub", for each user who connects, in order to solve the two consecutive 500 OOPS errors.

Best Answer

Use the pam_exec module to call a script that performs the necessary commands (i.e. create the home in /ftp/pub for non-local users).
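As an added illustration of this answer (not code from the original post), here is a pam_exec helper that creates /ftp/pub/$USER when the vsftpd PAM session opens. The script path /usr/local/sbin/mk_ftp_home.sh, the FTP_BASE variable and the PAM line in the comment are assumptions; PAM_USER and PAM_TYPE are the environment variables pam_exec really exports. The user name is validated before it is used in a path so that a crafted LDAP uid cannot steer the mkdir outside /ftp/pub.

```shell
#!/bin/sh
# Hypothetical pam_exec helper, e.g. saved as /usr/local/sbin/mk_ftp_home.sh
# and hooked into /etc/pam.d/vsftpd (after the pam_loginuid line) with:
#   session    required     pam_exec.so /usr/local/sbin/mk_ftp_home.sh
# pam_exec exports the login as $PAM_USER and the PAM phase as $PAM_TYPE.

FTP_BASE="${FTP_BASE:-/ftp/pub}"   # matches local_root=/ftp/pub/$USER in vsftpd.conf

# Accept only plain POSIX-style user names: no "/", no leading ".", no spaces
# or shell metacharacters, so the directory always lands below FTP_BASE.
valid_ftp_user() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9._-]{0,31}$'
}

# make_ftp_home BASE USER: create BASE/USER (mode 0755, owned by USER) if missing.
# Returns 1 and creates nothing when USER is malformed or unknown to NSS (LDAP).
make_ftp_home() {
    base="$1"; user="$2"
    valid_ftp_user "$user" || { echo "mk_ftp_home: rejected user name" >&2; return 1; }
    getent passwd "$user" >/dev/null || { echo "mk_ftp_home: unknown user $user" >&2; return 1; }
    dir="$base/$user"
    [ -d "$dir" ] && return 0          # idempotent on repeat logins
    install -d -m 0755 "$dir" || return 1
    # ownership resolved through NSS, so LDAP-only users get their uid/gid
    chown "$user" "$dir"
}

# Entry point when run by pam_exec. Only the open_session phase does work;
# a non-zero exit makes the "session required" line fail and denies the login
# rather than letting vsftpd chroot into a directory that does not exist.
if [ -n "${PAM_USER:-}" ]; then
    [ "${PAM_TYPE:-}" = "open_session" ] || exit 0
    make_ftp_home "$FTP_BASE" "$PAM_USER"
    exit $?
fi
```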