CentOS: MySQL-VSFTP authentication – Plus use this FTP directory as your YUM FTP repository.

This how-to shows how to use VSFTPD with virtual users that authenticate against a MySQL database. This solution does not scale well because, as far as I can tell, you cannot have the MySQL database on an isolated server while several other FTP servers use it to authenticate user logins. My understanding is that both VSFTPD and MySQL need to reside on the same machine in order for this to work. If I am wrong, please let me know. In addition, this how-to shows you how to set up this same VSFTPD server as an FTP YUM repository.

1) Install vsftpd and mysql database.

yum install vsftpd mysql-server

2) Install the pam_mysql module. You will have to install the EPEL repository first, because pam_mysql is shipped there and not in the base CentOS repositories.

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6*.rpm
yum install pam_mysql

3) Set up MySQL and create your database. First you will set your root password, then create the VSFTPD database and the database user that will read it. Change the password to something only you know.

mysql -u root -p
CREATE DATABASE vsftpd;
GRANT SELECT ON vsftpd.* TO 'vsftpd'@'localhost' IDENTIFIED BY 'Password01';
FLUSH PRIVILEGES;

4) Log in to your database and create the table that will store the user information.

USE vsftpd;
CREATE TABLE `accounts` (
`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
`username` VARCHAR( 30 ) NOT NULL ,
`pass` VARCHAR( 50 ) NOT NULL ,
UNIQUE ( `username` )
) ENGINE = MYISAM ;

5) Create the user that will be authenticated.

USE vsftpd;
-- a single quote inside the password must be doubled, otherwise the statement is invalid SQL
INSERT INTO accounts (username, pass) VALUES('gmas', md5('User''s_password'));

6) Edit your MySQL PAM module: back up your original config file and enter the following lines. The password in the PAM module needs to match the password of your database user, because this module itself connects to the database in order for the user authentication to take place. It is a two-step process: first the module uses the password stored here to connect to the database, then the user enters his FTP login and password, which were defined when you created the username in MySQL in step five. Note that if you want a Linux server to authenticate against this server you will have to install the PAM module on that client machine and enter the IP in the PAM config file of your FTP server (see below where it says "host").

cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd-fbk
vi /etc/pam.d/vsftpd

#%PAM-1.0
session     optional     pam_keyinit.so     force revoke
auth required pam_mysql.so user=vsftpd passwd=Password01 host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=3
account required pam_mysql.so user=vsftpd passwd=Password01 host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=3

7) Create the system user that your virtual users will be mapped to, and the directory that will hold the per-user configuration files.
useradd -G users -s /sbin/nologin -d /home/vsftpd  vsftpd
mkdir -p /etc/vsftpd/vsftpd_user_conf

8) Set the VSFTPD parameters for your user by creating the file below with the following contents.

vi /etc/vsftpd/vsftpd_user_conf/gmas
dirlist_enable=YES
download_enable=YES
# full path to the directory where 'gmas' will have access, change to your needs
local_root=/home/users/gmas
write_enable=YES

9) You will need to create the directory for your virtual user and set the appropriate permissions.

mkdir -p /home/users/gmas
chmod 700 /home/users/gmas
chown vsftpd.users /home/users/gmas
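Steps 5, 8 and 9 are repeated for every virtual user, so here they are as one small provisioning script. This is an added example, not part of the original how-to; it assumes the how-to's paths (/etc/vsftpd/vsftpd_user_conf and /home/users, overridable through CONF_DIR and USERS_ROOT) and the vsftpd:users owner from step 9, and it escapes single quotes in the password so the INSERT from step 5 stays valid SQL.

```shell
#!/bin/sh
# Added example, not from the how-to: provision one virtual user the way steps 5, 8
# and 9 do by hand. Assumption: the two defaults below match the how-to's paths.
set -eu
CONF_DIR="${CONF_DIR:-/etc/vsftpd/vsftpd_user_conf}"
USERS_ROOT="${USERS_ROOT:-/home/users}"

# The username becomes a file name under user_config_dir and a path component via
# user_sub_token, so only accept a conservative character set.
valid_username() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Double every single quote so the INSERT stays valid SQL (step 5 breaks on User's).
sql_escape() { printf '%s' "$1" | sed "s/'/''/g"; }

# Step 5: emit the INSERT; pam_mysql crypt=3 compares the MD5 hex digest in `pass`.
user_insert_sql() {
  valid_username "$1" || return 1
  printf "INSERT INTO accounts (username, pass) VALUES('%s', md5('%s'));\n" \
    "$1" "$(sql_escape "$2")"
}

# Step 8: per-user vsftpd config rooted at USERS_ROOT/<user>.
write_user_conf() {
  valid_username "$1" || return 1
  mkdir -p "$CONF_DIR"
  cat > "$CONF_DIR/$1" <<EOF
dirlist_enable=YES
download_enable=YES
local_root=$USERS_ROOT/$1
write_enable=YES
EOF
}

# Step 9: home directory, mode 700, owned by the guest account (vsftpd:users as in
# the how-to; pass another owner as the second argument to override).
create_user_home() {
  valid_username "$1" || return 1
  mkdir -p "$USERS_ROOT/$1"
  chmod 700 "$USERS_ROOT/$1"
  chown "${2:-vsftpd:users}" "$USERS_ROOT/$1"
}
# Usage (as root on the FTP server):
#   user_insert_sql gmas "User's_password" | mysql -u root -p vsftpd
#   write_user_conf gmas && create_user_home gmas
```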


10) Copy the contents of the vsftpd.conf file below into the one on your server (/etc/vsftpd/vsftpd.conf).

# No ANONYMOUS users allowed
anonymous_enable=NO
# Allow 'local' users with WRITE permissions (0755)
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES

# if you want to LOG vsftpd activity then uncomment this log_ftp_protocol
# log_ftp_protocol=YES

connect_from_port_20=YES

# uncomment xferlog_file and xferlog_std_format if you DID NOT use log_ftp_protocol
# above - the two are mutually exclusive
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog
#
# xferlog_std_format Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
# xferlog_std_format=YES

#
# You may change the default value for timing out an idle session (in seconds).
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection (in seconds).
#data_connection_timeout=120
#
# define a unique user on your system which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=vsftpd

chroot_local_user=YES

listen=YES

# here we name the PAM service vsftpd uses to check user names and passwords
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

# If userlist_deny=YES (default), never allow users in this file
# /etc/vsftpd/user_list , and do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
userlist_deny=YES

# here vsftpd maps virtual users onto the 'vsftpd' user and logs them into the '/home/vsftpd/$USER' directory
guest_enable=YES
guest_username=vsftpd
local_root=/home/vsftpd/$USER
user_sub_token=$USER
virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd/vsftpd_user_conf

force_local_data_ssl=NO
force_local_logins_ssl=NO

# PASV - passive ports for FTP (range 44000 - 44100; 100 PASV ports)
# REMEMBER to OPEN the FIREWALL to ALLOW FTP passive CONNECTIONS
# see the separate how-to on enabling passive FTP in iptables

pasv_enable=YES
pasv_min_port=44000
pasv_max_port=44100

11) Restart MySQL and vsftpd.

service mysqld restart
service vsftpd restart

—————————————————————————————————

Use this FTP setup as your YUM Repository as well.

This section is closely tied to the tutorial that shows how to create a YUM repository using Apache, which is located here.

You do not need Apache to create this setup, but it shows you that you can have both an HTTP and an FTP YUM repository at the same time without having to duplicate the contents of your YUM repository in two different places.

1) On your FTP server, bind-mount the contents of the YUM repository that Apache serves onto the new FTP directory.

mount --bind /storage/Centos06/centos/ /var/ftp/ftp_repo/

2) On your client machine, create your new repo file. Remember that you will log in and authenticate as the user you created in your MySQL database.

[sfentona_ftp]
name=sfentona_ftp
baseurl=ftp://gmas:password@192.168.1.26
enabled=1
