
I've been successfully using vsftpd with virtual users connecting with PAM to my mysql DB. Now I'd like to automate creation of user directories with successful vsftpd connection.

Here is /etc/pam.d/vsftpd configuration:

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth required pam_mysql.so verbose=1 user=root passwd=mypass host=localhost db=mydb table=mytable usercolumn=username passwdcolumn=password crypt=3
account required pam_mysql.so verbose=1 user=root passwd=mypass host=localhost db=mydb table=mytable usercolumn=username passwdcolumn=password crypt=3
session required pam_mkhomedir.so skel=/home/skel/ umask=0022 debug

Adding pam_mkhomedir now just shows it can't create the directory with no other messages in any log. So it obviously is not applying. Is there anything else I need?

My /etc/vsftpd/vsftpd.conf:

# No ANONYMOUS users allowed
anonymous_enable=NO
# Allow 'local' users with WRITE permissions (0755)
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=NO
xferlog_enable=YES
connect_from_port_20=YES

# define a unique user on your system which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=vsftpd
chroot_local_user=YES
listen=YES

# here we use the authentication module for vsftpd to check users name and passw
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
userlist_deny=YES
# here the vsftpd will allow the 'vsftpd' user to login into '/home/vsftpd/$USER directory
guest_enable=YES
guest_username=vsftpd
local_root=/home/vsftpd/$USER
user_sub_token=$USER
virtual_use_local_privs=YES
download_enable=NO

force_local_data_ssl=NO
force_local_logins_ssl=NO

# PASV - passive ports for FTP 
pasv_enable=YES
pasv_min_port=14000
pasv_max_port=14100

I saw a post saying I need this in my vsftpd.conf so I tried this as well:

session_support=YES

But now it doesn't seem to authenticate anymore as the logs show:

Mar 24 00:46:16 ip-10-212-239-40 vsftpd[1962]: pam_keyinit(vsftpd:session): Unable to look up user "user1"
Mar 24 00:46:16 ip-10-212-239-40 vsftpd[1962]: pam_mkhomedir(vsftpd:session): User unknown.

This is even if I've created the directory already. Now no one can get in.

Any ideas?

Castaglia
Tom

3 Answers

1

The short answer is you are mixing system and service credentials, and shouldn't (can't?) use pam_mkhomedir with virtual users in vsftpd.

pam_mkhomedir is for creation of user local directories and assumes the user is defined in the system. Virtual users in vsftpd are not system users (by design) and as such have no privileges outside of the vsftpd service (the system has no knowledge of those users). Using PAM for authentication is only handing off the validation of user credentials (user name + password ==> OK). This can be confusing when using virtual users, as vsftpd can also be configured to use system users with PAM.

When you are creating the home directory for a virtual user, you must make the vsftpd service account/group the owner of the folder, and place the "virtual home directory" within the vsftpd service path, with appropriate perms for the vsftpd service. I'm not sure what problem you are trying to solve, but as you are chroot-ing the user session, I'm assuming you are trying to create some isolation between users. Since you must create the virtual user in your user database for them to log in, why not generate the home directory at the same time? I have done this using a script for user add/change/delete to keep the virtual user database and vsftpd user virtual home folders consistent. YMMV.

Just remember, with virtual users, you are only working within vsftpd, and not the system.

Yaro
0

For user lookups by PAM module to succeed, you need to enable NSS module for MySQL in nsswitch.conf(5). nss_mysql is your friend.

abbe
  • Any references you can provide on this? I can't seem to find anything about needing `nss-mysql` in my context? – Tom Mar 24 '13 at 16:52
  • How is `pam_mkhomedir` going to figure out the path to the home directory of the user it's supposed to create ? How does it know which database to use for resolving the user ? NSS provides it with that information. In your case, you'll be needing [nss_mysql](http://savannah.nongnu.org/projects/nss-mysql/), assuming your user database is stored in a MySQL database. – abbe Mar 24 '13 at 17:10
  • I'm just trying to find out anything about this library. The link you provided is a very old project with no documentation. If I do install this it gives no indication on what to put in your nsswitch.conf. Only that it may contain 3 parameters. Can you provide any kind of guidance? It does sound like pam_mysql is the same thing as nss-mysql? I do have pam_mysql working where it uses the mysql db to authenticate with vsftpd virtual users. – Tom Mar 24 '13 at 17:58
  • [PAM](http://en.wikipedia.org/wiki/Pluggable_authentication_module) is not the same as [NSS](http://en.wikipedia.org/wiki/Name_Service_Switch). PAM is targeted towards authentication, whereas NSS' objective is to resolve names (hostnames, usernames, etc.). Most of the distros provide a package for `nss_mysql`, e.g. Debian and derivatives provide it as `libnss-mysql`. And, yes, it's not been updated for half a decade, but it works fine. Once you install the module, configure it, and add it to your `nsswitch.conf(5)`, things will start working for you. – abbe Mar 24 '13 at 18:13
  • I added libnss-mysql from my distro. Tried out of the box and nothing is working. Any ideas on what I need to change in nsswitch.conf? – Tom Mar 24 '13 at 18:53
  • `passwd: compat mysql`, and of course you need to configure `nss_mysql`. – abbe Mar 25 '13 at 03:40
0

You could try using pam_script - it's a pam module that allows executing arbitrary shell scripts after a user session is opened (among others).

You can find pam_script here: https://github.com/jeroennijhof/pam_script. It should also be installable via package managers, at least I've been able to install it through apt-get.

Be careful, as vsftpd seems to have some problems with pam_script at least when it denies authentication, see my unresolved question: vsftpd freezes after failed pam_script authentication. However in your case it should not be a problem.
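An added example that ties together the two approaches above (Yaro's "create the home directory from your user add/change/delete script" and the pam_script answer); it is not code from any of the answers or from the pam_script project. It is a POSIX shell helper that creates the per-user directory under the question's `local_root` (`/home/vsftpd/$USER`), owned by the `guest_username` account, and refuses usernames that could escape that base path. Assumptions: pam_script exports the logged-in name as `PAM_USER` to its hooks, and `/usr/share/libpam-script/pam_script_ses_open` is the packaged hook path; check both against your distribution's pam_script documentation before installing it there.

```shell
#!/bin/sh
# Create the chrooted home for a vsftpd virtual user (added example, not from
# the answers above). Assumed layout: local_root=/home/vsftpd/$USER, with the
# directory owned by the guest_username account, as in the question's
# vsftpd.conf. Usable as a one-off admin helper or as a pam_script session hook.

# Only accept names that are safe to splice into a path: no empty name,
# nothing starting with '.' or '-', nothing outside [A-Za-z0-9._-].
# This rejects '..' and anything containing '/'.
valid_vuser() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# make_virtual_home BASE USER [OWNER]
# Creates BASE/USER with mode 0755 and, when OWNER is given, chowns it.
# Returns 1 and touches nothing if USER fails validation. Idempotent: an
# existing directory is left as it is. Prints the directory path on success.
make_virtual_home() {
    base=$1; user=$2; owner=${3:-}
    valid_vuser "$user" || { echo "refusing unsafe username: '$user'" >&2; return 1; }
    dir="$base/$user"
    if [ ! -d "$dir" ]; then
        mkdir -m 0755 "$dir" || return 1
    fi
    if [ -n "$owner" ]; then
        chown "$owner" "$dir" || return 1
    fi
    printf '%s\n' "$dir"
}

# When installed as pam_script's session-open hook (assumed path
# /usr/share/libpam-script/pam_script_ses_open), pam_script is assumed to
# export PAM_USER; nothing below runs when the file is sourced or tested.
if [ -n "${PAM_USER:-}" ]; then
    make_virtual_home /home/vsftpd "$PAM_USER" vsftpd >/dev/null
fi
```

From the user-add script, call `make_virtual_home /home/vsftpd "$newuser" vsftpd` right after inserting the row into the MySQL table, so the database and the directory tree never drift apart. One caveat when following Yaro's advice to make the guest account the owner: vsftpd releases from 2.3.5 onward refuse a login whose chroot root is writable by the logged-in account unless `allow_writeable_chroot=YES` is set, so many deployments keep the root itself owned by root with mode 0755 and give the guest account a writable subdirectory beneath it.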