Mysql – vsftpd – PAM – MySQL and pam_mkhomedir to create directories

Tags: ftp, MySQL, pam, permissions, vsftpd

I've been successfully using vsftpd with virtual users connecting with PAM to my mysql DB. Now I'd like to automate creation of user directories with successful vsftpd connection.

Here is /etc/pam.d/vsftpd configuration:

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth required pam_mysql.so verbose=1 user=root passwd=mypass host=localhost db=mydb table=mytable usercolumn=username passwdcolumn=password crypt=3
account required pam_mysql.so verbose=1 user=root passwd=mypass host=localhost db=mydb table=mytable usercolumn=username passwdcolumn=password crypt=3
session required pam_mkhomedir.so skel=/home/skel/ umask=0022 debug

Adding pam_mkhomedir now just shows it can't create the directory with no other messages in any log. So it obviously is not applying. Is there anything else I need?

My /etc/vsftpd/vsftpd.conf:

# No ANONYMOUS users allowed
anonymous_enable=NO
# Allow 'local' users with WRITE permissions (0755)
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=NO
xferlog_enable=YES
connect_from_port_20=YES

# define a unique user on your system which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=vsftpd
chroot_local_user=YES
listen=YES

# here we use the authentication module for vsftpd to check users name and passw
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
userlist_deny=YES
# here the vsftpd will allow the 'vsftpd' user to login into '/home/vsftpd/$USER' directory
guest_enable=YES
guest_username=vsftpd
local_root=/home/vsftpd/$USER
user_sub_token=$USER
virtual_use_local_privs=YES
download_enable=NO

force_local_data_ssl=NO
force_local_logins_ssl=NO

# PASV - passive ports for FTP 
pasv_enable=YES
pasv_min_port=14000
pasv_max_port=14100

I saw a post saying I need this in my vsftpd.conf so I tried this as well:

session_support=YES

But now it doesn't seem to authenticate anymore as the logs show:

Mar 24 00:46:16 ip-10-212-239-40 vsftpd[1962]: pam_keyinit(vsftpd:session): Unable to look up user "user1"
Mar 24 00:46:16 ip-10-212-239-40 vsftpd[1962]: pam_mkhomedir(vsftpd:session): User unknown.

This is even if I've created the directory already. Now no one can get in.

Any ideas?

Best Answer

The short answer is you are mixing system and service credentials, and shouldn't (can't?) use pam_mkhomedir with virtual users in vsftpd.

pam_mkhomedir is for creation of user local directories and assumes the user is defined in the system. Virtual users in vsftpd are not system users (by design) and as such have no privileges outside of the vsftpd service (the system has no knowledge of those users). Using PAM for authentication is only handing off the validation of user credentials (user name + password ==> OK). This can be confusing when using virtual users, as vsftpd can also be configured to use system users with PAM.

When you are creating the home directory for a virtual user, you must make the vsftpd service account/group the owner of the folder, and place the "virtual home directory" within the vsftpd service path, with appropriate perms for the vsftpd service. I'm not sure what problem you are trying to solve, but as you are chroot-ing the user session, I'm assuming you are trying to create some isolation between users. Since you must create the virtual user in your user database for them to log in, why not generate the home directory at the same time? I have done this using a script for user add/change/delete to keep the virtual user database and vsftpd user virtual home folders consistent. YMMV.

Just remember, with virtual users, you are only working within vsftpd, and not the system.
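The provisioning script the answer describes, written out as an added example (it is not the answerer's script and not part of vsftpd): it creates the virtual home under the service path from the question's vsftpd.conf (local_root=/home/vsftpd/$USER, guest_username=vsftpd, local_umask=022), owned by the vsftpd service account with 0755, and emits the matching pam_mysql row for the question's table and columns (mytable, username, password; crypt=3 selects MD5 in pam_mysql, hence MD5()). The base path, owner and skel directory are assumed defaults that can be overridden through environment variables. Because the username is substituted straight into local_root, it is validated before it touches either the filesystem or the SQL.

```shell
#!/bin/sh
# Added example: keep a vsftpd virtual user's home directory and its
# pam_mysql row consistent. Assumed, overridable defaults (not from the page
# except the /home/vsftpd and /home/skel paths quoted in the question):
VSFTPD_BASE="${VSFTPD_BASE:-/home/vsftpd}"   # matches local_root=/home/vsftpd/$USER
VSFTPD_OWNER="${VSFTPD_OWNER:-vsftpd}"       # matches guest_username=vsftpd
SKEL_DIR="${SKEL_DIR:-/home/skel}"           # matches skel=/home/skel/

# The name ends up in local_root=$VSFTPD_BASE/$USER, so reject anything that
# could leave the service path: empty names, slashes, dots, spaces, uppercase.
validate_username() {
    case "$1" in
        '')              return 1 ;;   # empty
        *[!a-z0-9_-]*)   return 1 ;;   # any character outside [a-z0-9_-]
        [!a-z_]*)        return 1 ;;   # must start with a letter or underscore
    esac
    return 0
}

# Double single quotes and backslashes so the value is safe inside a
# MySQL single-quoted string literal.
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Create the virtual home under the service path with 0755 (local_umask=022).
# Ownership is handed to the vsftpd service account only when running as
# root and that account exists; otherwise the caller keeps ownership.
# Prints the directory path on success.
make_virtual_home() {
    user="$1"
    validate_username "$user" || return 1
    home="$VSFTPD_BASE/$user"
    if [ -d "$home" ]; then
        printf '%s\n' "$home"
        return 0
    fi
    mkdir -p "$home" || return 1
    if [ -d "$SKEL_DIR" ]; then
        cp -R "$SKEL_DIR/." "$home/" || return 1
    fi
    chmod 0755 "$home" || return 1
    if [ "$(id -u)" -eq 0 ] && id -u "$VSFTPD_OWNER" >/dev/null 2>&1; then
        chown -R "$VSFTPD_OWNER:$VSFTPD_OWNER" "$home" || return 1
    fi
    printf '%s\n' "$home"
}

# Emit the INSERT for the question's pam_mysql settings
# (table=mytable usercolumn=username passwdcolumn=password crypt=3 -> MD5).
virtual_user_sql() {
    validate_username "$1" || return 1
    printf "INSERT INTO mytable (username, password) VALUES ('%s', MD5('%s'));\n" \
        "$1" "$(sql_quote "$2")"
}

# Usage: ./vsftpd-adduser.sh <username> <password>
# Creates the home directory first, then prints the SQL to feed to mysql.
main() {
    make_virtual_home "$1" >/dev/null || { echo "bad username or mkdir failed" >&2; return 1; }
    virtual_user_sql "$1" "$2"
}

[ "$#" -eq 2 ] && main "$@"
```

Run it as root on the FTP host and pipe the printed statement into the mysql client; the directory is created before the row so a user can never authenticate against a home that does not exist yet. Deleting a user is the mirror image: remove the row first, then the directory.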
