Vsftpd

Introduction
This article will describe how to install and configure vsftpd. File Transfer Protocol (FTP) is an old but reliable protocol which is used for moving large individual files through networks quickly.

Install vsftpd
Log in as root and type this command:

Starting the Daemon
Gentoo provides a centralized place for what are called init scripts. They are stored in /etc/init.d/ and have names representative of the service they start. Init scripts are used to control the services you run. To start the vsftpd server, type:

You can learn more about what you can do with this init script by typing /etc/init.d/vsftpd without any arguments; start is an argument, as are stop and restart.

Init Script Configuration
You don't want to type /etc/init.d/vsftpd start every time you turn your computer on, do you? Gentoo provides an easy way to control which init scripts are run when you boot your computer. To set vsftpd to start on every boot, type:

As usual, you can learn more about rc-update by typing "man rc-update".

Configuration
That was easy. Now edit /etc/vsftpd/vsftpd.conf using your favorite text editor and copy this into there:

Enable Compliance (Optional)
For vsftpd to comply with /etc/hosts.deny, you must specify the above option in your /etc/vsftpd/vsftpd.conf and make sure USE="tcpd" was set when vsftpd was merged. See also: Protect SSHD with DenyHosts

Uploading
If you want to allow anonymous users to upload, you have to make the following changes. First, create the directories and then change their permissions to allow writing.

We also need to make some changes in vsftpd.conf:

Using SSL to Secure FTP

 * Generate an SSL certificate, for example like this:

You will be asked a lot of questions about your company etc. As your certificate is not a trusted one, it doesn't really matter what you fill in. You will use this for encryption! If you plan to use this in a matter of trust, get one from a CA like Thawte, VeriSign etc.


 * Edit your configuration
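A quick audit of the settings touched in the Uploading and SSL sections, as an added example that is not part of the original article. The option names and defaults are those documented in vsftpd.conf(5); the sample configuration is constructed, and taking the last occurrence of a repeated key is an assumption.

```sh
#!/bin/sh
# Added example, not from the article: flag risky upload/TLS settings.

# conf_get FILE KEY DEFAULT: print KEY's boolean value, or DEFAULT if unset.
# Lines are "key=value" with no spaces around "="; if a key repeats, this
# sketch takes the last occurrence (assumption).
conf_get() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r' | tr 'a-z' 'A-Z')
    case "$v" in TRUE|1) v=YES ;; FALSE|0) v=NO ;; esac
    echo "${v:-$3}"
}

note() { echo "WARN: $*"; findings=$((findings + 1)); }

# audit_vsftpd_conf FILE: print one line per finding, return their count.
audit_vsftpd_conf() {
    f=$1 findings=0
    if [ "$(conf_get "$f" ssl_enable NO)" != YES ]; then
        note "ssl_enable is not YES: logins and data travel in cleartext"
    else
        [ "$(conf_get "$f" force_local_logins_ssl YES)" = YES ] ||
            note "force_local_logins_ssl=NO: passwords may be sent without TLS"
        [ "$(conf_get "$f" force_local_data_ssl YES)" = YES ] ||
            note "force_local_data_ssl=NO: data connections may skip TLS"
        grep -q '^rsa_cert_file=' "$f" ||
            note "rsa_cert_file unset: vsftpd uses its built-in default path"
    fi
    if [ "$(conf_get "$f" anonymous_enable YES)" = YES ] &&
       [ "$(conf_get "$f" write_enable NO)" = YES ] &&
       [ "$(conf_get "$f" anon_upload_enable NO)" = YES ]; then
        note "anonymous upload is on: confine it to a dedicated directory"
        [ "$(conf_get "$f" anon_mkdir_write_enable NO)" = NO ] ||
            note "anon_mkdir_write_enable=YES: anonymous users can create directories"
    fi
    return "$findings"
}

# Constructed sample: anonymous upload enabled and no TLS configured.
demo_conf() {
    printf '%s\n' anonymous_enable=YES write_enable=YES \
        anon_upload_enable=YES local_enable=YES
}
# Usage: demo_conf > sample.conf; audit_vsftpd_conf sample.conf
```

The return value is the number of findings, so a zero exit status means none of these checks fired.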

Where to put Files
Gentoo sets up FTP incorrectly by default. Correct this and start adding public files in /var/ftp.

Alternatively, instead of creating a link in /home to /var/ftp, change the home dir of the ftp user:

Virtual Users
There are two approaches to authenticate virtual users.

a) pam_userdb (obsolete)
Just follow the instructions in the README file found on ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS.

When editing the file '/etc/pam.d/vsftpd', however, add "crypt=hash" at the end of both lines:

auth required pam_userdb.so db=/etc/vsftpd/vsftpd_login crypt=hash
account required pam_userdb.so db=/etc/vsftpd/vsftpd_login crypt=hash

b) pam_pwdfile
The pam_pwdfile.so module can also be used for virtual users. It uses a file in the same format as Apache's .htpasswd files, with lines of "username:password_crypt", so it's very simple to maintain compared to cumbersome Berkeley DB files. :) Using virtual users requires mapping their login names to a local username (which is "ftp" by default):

For further help, read the vsftpd manual about virtual users. However, you should use the PAM authentication method described below.

First of all we need to emerge pam_pwdfile:

Previously, vsftpd used the file /etc/pam.d/vsftpd, but that changed, so nowadays it uses /etc/pam.d/ftp by default. If you want the old behaviour (I did!), you need to update your vsftpd.conf:

Next, you need to change your /etc/pam.d/vsftpd file. Notice that the "account" facility is not available from pam_pwdfile.so, so just use the regular pam_permit.so to let any account in, provided that they know their password. (The account facility is intended for temporarily disabling accounts, among other things.) Change your /etc/pam.d/vsftpd to look like this:

Edit stando: I don't know why but I had to enter the full path: /lib/security/pam_pwdfile.so and /lib/security/pam_permit.so

NB: sys-auth/pam_pwdfile is currently HARD MASKED (09/27/2010)

Create a password file
Now, all you need to do is simply to put lines of the form "username:password_crypt" into the /etc/vsftpd/passwd_ftp file!

If you have installed Apache server, you can also use the following command:

If you don't have the Apache server installed, you can use the following Perl script to create password hashes. Put this into /etc/vsftpd/filter.pl:

Remember to:

Now, try something like:

...And that's it! Suddenly john can log in with the password "secret". If you want to simplify this even further, create a Makefile. Remember that the indented lines in a Makefile must be tab characters, not eight spaces!

File: /etc/vsftpd/Makefile

This way, if you want to update your virtual users, simply:

tim2k: added "rm -f cleartext", leaving the passwords there is a security risk ;)

tha_gamemaster: changed "./filter.pl $< >$@" to "./filter.pl $< >>$@" to concatenate users to passwd_ftp instead of overwriting the list every time make was executed.
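The update step discussed in the notes above, as an added shell example (it is not the article's Makefile or filter.pl). Overwriting the file drops existing users, while appending leaves a user's old line in place when the password changes; this hypothetical merge_passwd function takes already-hashed "username:password_crypt" lines on stdin, replaces entries per user, and keeps the file readable by its owner only.

```sh
#!/bin/sh
# Added example: merge "username:password_crypt" lines from stdin into FILE.
# The hashing itself (htpasswd or filter.pl above) happens before this step.

# merge_passwd FILE
# - a later line for the same username replaces the earlier one
# - a malformed line rejects the whole batch and leaves FILE unchanged
# - FILE is replaced atomically and ends up mode 0600
merge_passwd() (
    umask 077
    file=$1
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp "$file.XXXXXX") || exit 1
    if cat "$file" - | awk -F: '
        /^[ \t]*$/ { next }                               # ignore blank lines
        NF < 2 || $1 == "" || $2 == "" { bad = 1; next }  # not user:hash
        !($1 in line) { order[++n] = $1 }                 # remember first-seen order
        { line[$1] = $0 }                                 # last entry wins
        END {
            for (i = 1; i <= n; i++) print line[order[i]]
            exit bad + 0
        }' > "$tmp"
    then
        mv -f "$tmp" "$file"
    else
        rm -f "$tmp"
        echo "merge_passwd: malformed line, $file left unchanged" >&2
        exit 1
    fi
)

# Usage (the hash comes from whichever tool you used above):
#   printf 'john:%s\n' "$hash" | merge_passwd /etc/vsftpd/passwd_ftp
```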

Client Access
You should be able to access your FTP server easily from any client that supports FTP.

Test your server by visiting ftp://localhost/

If your client is running in a Linux environment, you might also try mounting the FTP connection.

vsftpd: refusing to run with writable anonymous root
What this cryptic message means is that your ftp root directory is writable. Since it's anonymous, vsftpd doesn't like that. chmod -w the ftp root to get rid of this common error. Another possible solution is for the anonymous root and vsftpd to have completely different GIDs, for example ftpadmin (which sounds logical, since the admin should have write access) for /home/ftp (chmod'ed 775) and just the usual ftp for the vsftpd process.
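A pre-flight check for the layout described here and in the Uploading section, as an added example that is not from the original article. It is deliberately stricter than the group-based alternative above, since it flags any write bit on the root; the upload directory name passed in is whatever you created, and "incoming" in the comments is hypothetical.

```sh
#!/bin/sh
# Added example, not from the original article. "incoming" below is a
# hypothetical upload directory name.

# mode_of PATH: the ten-character type/permission string, e.g. dr-xr-xr-x
mode_of() { ls -ld "$1" | cut -c1-10; }

# any_write_bit PATH: succeeds if owner, group or other may write.
any_write_bit() {
    case "$(mode_of "$1")" in
        ??w*|?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# audit_anon_layout ROOT UPLOAD_SUBDIR: returns 0 only if ROOT carries no
# write bit and ROOT/UPLOAD_SUBDIR is a real, non-world-writable directory.
audit_anon_layout() {
    root=$1 up=$1/$2 rc=0
    if any_write_bit "$root"; then
        # Plain "chmod -w" skips bits set in the umask (with umask 022 the
        # group and other write bits survive), so name the classes: a-w.
        echo "FAIL: $root is writable; fix with: chmod a-w $root"
        rc=1
    fi
    if [ -L "$up" ] || [ ! -d "$up" ]; then
        echo "FAIL: $up is missing or is a symlink"
        rc=1
    else
        case "$(mode_of "$up")" in
            ????????w*) echo "FAIL: $up is world-writable"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# Usage: audit_anon_layout /var/ftp incoming
```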

xinetd Fails to Start vsftpd
Your server runs fine in standalone mode (listen=yes), but when running via xinetd, you can't get a connection? Check your xinetd server logs, and if you see a FAIL: ftp address from= entry, you probably still have an only_from = localhost line in the defaults section of /etc/xinetd.conf

Either comment it out, or set a new value in