ProFTPD Virtual User Setup
Using virtual users/groups for ftp access is preferable because it allows ftp users/groups that are not actual system users/groups. If an ftp user/group is compromised, only that ftp login is obtained; no real system account is exposed.
Configuration of the proftpd.conf File
Add these lines to /etc/proftpd/proftpd.conf after the line "DenyFilter \*.*/".
Authentication Files
The settings below tell proftpd what authentication method to use and which files contain user/group information.
File: proftpd.conf
AuthOrder mod_auth_file.c
AuthUserFile /etc/proftpd/ftpd.passwd
AuthGroupFile /etc/proftpd/ftpd.group
Require Valid Shell
Requiring a valid shell can cause problems when using virtual users/groups. It is best to turn it off.
File: proftpd.conf
# Require a valid shell from /etc/shells.
RequireValidShell off
Create ProFTPD passwd and group Files
Use the ftpasswd program to create and manage virtual users and groups.
You need to know the uid and gid for the user you want to create. The uid and
gid come from the system accounts located in /etc/passwd and /etc/group.
shell# grep '^username:' /etc/passwd
shell# grep '^groupname:' /etc/group
By default the first non-system user added to the system will have a uid and
gid of 1000.
Adding Users to ftpd.passwd
From the ftpasswd --help:
REQUIRED: --passwd, --group, or --hash. These specify whether ftpasswd is to
operate on a passwd(5) format file, on a group(5) format file, or simply
to generate a password hash, respectively.
If used with --passwd, ftpasswd creates a file in the passwd(5) format,
suitable for use with proftpd's AuthUserFile configuration directive.
You will be prompted for the password to use of the user, which will be
encrypted, and written out as the encrypted string. New entries are
appended to the file by default.
By default, using --passwd will write output to "./ftpd.passwd".
--uid Numerical user ID (required)
--gid Primary group ID for this user (optional, will default to
given --uid value if absent).
--gecos Descriptive string for the given user (usually the user's
full name).
--name Name of the user account (required). If the name does not
exist in the specified output-file, an entry will be created
for her. Otherwise, the given fields will be updated.
--shell Shell for the user (required). Recommended: /bin/false
--home Home directory for the user (required).
--delete-user
Remove the entry for the given user name from the file.
To add a user entry use the following command:
ftpasswd --uid UserID --gid GroupID --gecos "Full Name" --name UserName \
  --shell /bin/false --home Path --passwd
NOTE: The entry will be placed in the file ftpd.passwd by default.
To delete an entry from the file ftpd.passwd:
ftpasswd --uid UserID --gid GroupID --gecos "Full Name" --name UserName \
  --shell /bin/false --home Path --passwd --delete-user
Adding Groups and Group Membership to ftpd.group
From the ftpasswd --help:
REQUIRED: --passwd, --group, or --hash. These specify whether ftpasswd is to
operate on a passwd(5) format file, on a group(5) format file, or simply
to generate a password hash, respectively.
If used with --group, ftpasswd creates a file in the group(5) format,
suitable for use with proftpd's AuthGroupFile configuration directive.
By default, using --group will write output to "./ftpd.group".
--gid Primary group ID for this user (optional, will default to
given --uid value if absent).
--name Name of the user account (required). If the name does not
exist in the specified output-file, an entry will be created
for her. Otherwise, the given fields will be updated.
--member User name to be a member of the group. This argument may be
used multiple times to specify the full list of users to be
members of this group.
--delete-group
Remove the entry for the given group name from the file.
To add a group entry use the following command:
ftpasswd --gid GroupID --name GroupName --group
NOTE: The entry will be placed in the file ftpd.group by default.
To delete an entry from the file ftpd.group:
ftpasswd --gid GroupID --name GroupName --group --delete-group
To add a member to a group:
ftpasswd --gid GroupID --name GroupName --member MemberName --group
Setting Permissions
Set permissions on the ftpd.passwd and ftpd.group files:
chmod 400 /etc/proftpd/ftpd.passwd /etc/proftpd/ftpd.group
chown proftpd:nogroup /etc/proftpd/ftpd.passwd /etc/proftpd/ftpd.group
NOTE: You can also add or remove members from groups or add and remove groups
themselves by editing the file ftpd.group directly.
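As an added example (not part of this page or the ProFTPD project), the POSIX shell script below audits the files produced by the steps above before proftpd is restarted: it checks that ftpd.passwd and ftpd.group are mode 400, that every passwd(5) entry has seven fields, a non-empty password hash, /bin/false as its shell, and a gid that exists in ftpd.group, and that the uid is 1000 or higher (an assumed policy, following the note above that 1000 is the first non-system uid). The sample entries and their hashes are constructed placeholders, and the file-mode lookup assumes GNU stat with a BSD stat fallback.

```shell
#!/bin/sh
# Added example: audit ProFTPD AuthUserFile/AuthGroupFile contents and permissions.
# Not from the ProFTPD project; the sample entries below are constructed.

# write_sample_files DIR
# Writes a constructed ftpd.passwd / ftpd.group pair laid out the way ftpasswd
# writes them. The password hashes are placeholders, not real credentials.
write_sample_files() {
    dir=$1
    mkdir -p "$dir"
    # passwd(5) format: name:hash:uid:gid:gecos:home:shell
    cat > "$dir/ftpd.passwd" <<'EOF'
ftpuser1:$1$PLACEHOLDER$hash1:1000:1000:Ftp User One:/srv/ftp/ftpuser1:/bin/false
ftpuser2:$1$PLACEHOLDER$hash2:1001:1000:Ftp User Two:/srv/ftp/ftpuser2:/bin/false
EOF
    # group(5) format: name:password:gid:member1,member2
    cat > "$dir/ftpd.group" <<'EOF'
ftpusers:x:1000:ftpuser1,ftpuser2
EOF
    chmod 400 "$dir/ftpd.passwd" "$dir/ftpd.group"
}

# file_mode FILE: octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# audit_ftpd_files PASSWDFILE GROUPFILE
# Prints one line per finding; returns 0 when clean, 1 when anything was flagged.
# Checks: both files are mode 400; every passwd entry has 7 fields, a non-empty
# password hash, a uid of 1000 or above (assumed: lower uids are system accounts),
# /bin/false as shell, and a gid that exists in the group file.
audit_ftpd_files() {
    pw=$1; gr=$2; rc=0
    for f in "$pw" "$gr"; do
        mode=$(file_mode "$f")
        if [ "$mode" != "400" ]; then
            echo "$f: mode $mode, expected 400"
            rc=1
        fi
    done
    awk -F: -v grp="$gr" '
        BEGIN { while ((getline line < grp) > 0) { split(line, g, ":"); gids[g[3]] = 1 } }
        NF != 7 { print FILENAME ": line " NR ": expected 7 fields, got " NF; bad = 1; next }
        $2 == "" { print FILENAME ": " $1 ": empty password field"; bad = 1 }
        $3 !~ /^[0-9]+$/ || $3 < 1000 { print FILENAME ": " $1 ": uid " $3 " is a system uid"; bad = 1 }
        $7 != "/bin/false" { print FILENAME ": " $1 ": shell " $7 " is not /bin/false"; bad = 1 }
        !($4 in gids) { print FILENAME ": " $1 ": gid " $4 " not found in " grp; bad = 1 }
        END { exit bad + 0 }
    ' "$pw" || rc=1
    return "$rc"
}

# Demo run on the constructed sample; prints "ftpd files look sane" when clean.
demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
if audit_ftpd_files "$demo_dir/ftpd.passwd" "$demo_dir/ftpd.group"; then
    echo "ftpd files look sane"
fi
rm -rf "$demo_dir"
```

To run it against a live installation, call audit_ftpd_files /etc/proftpd/ftpd.passwd /etc/proftpd/ftpd.group; a non-zero exit with a printed finding is the signal to fix the entry or the file mode before restarting proftpd.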
Restart ProFTPD
Use the following command to restart proftpd:
shell# /etc/init.d/proftpd restart
You should now be able to login as the virtual user to use ftp.
NOTE: Local file permissions on the user's ftp directory need to be set for the
user's UID and GID so that uploading, downloading, renaming, deleting, etc. work.
References
http://www.proftpd.org/localsite/Userguide/linked/config-usingauthuserfile.html
http://www.proftpd.org/docs/directives/linked/config_ref_AuthOrder.html
http://www.proftpd.org/docs/directives/linked/config_ref_AuthUserFile.html
http://www.proftpd.org/docs/directives/linked/config_ref_AuthGroupFile.html
http://www.proftpd.org/docs/directives/linked/config_ref_RequireValidShell.html