Server : Apache System : Linux server1.cgrithy.com 3.10.0-1160.95.1.el7.x86_64 #1 SMP Mon Jul 24 13:59:37 UTC 2023 x86_64 User : nobody ( 99) PHP Version : 8.1.23 Disable Function : NONE Directory : /usr/share/doc/pure-ftpd/ |
------------------------ VIRTUAL USERS ------------------------ Virtual users is a simple mechanism to store a list of users, with their password, name, uid, directory, etc. It's just like /etc/passwd. But it's not /etc/passwd. It's a different file, only for FTP. It means that you can easily create FTP-only accounts without messing up your system accounts. In addition, virtual users files can store individual quotas, ratios, bandwidth, etc. System accounts can't do this. Thousands of virtual users can share the same system user, as long as they all are chrooted and they have their own home directory. *IMPORTANT* If you are planning to use the virtual users feature, and unless your operating system already provides a secure password hashing function, please install libsodium (http://doc.libsodium.org) before compiling Pure-FTPd. A good thing to do before using virtual users is to create a system user for this. Of course, you can use any existing account like "nobody" (but not root), but it's better to have a dedicated account. Let's create an "ftpgroup" group and an "ftpuser" user. Linux/OpenBSD/NetBSD/Solaris/HPUX/OSX/a lot of other Unix-like systems: groupadd ftpgroup useradd -g ftpgroup -d /dev/null -s /etc ftpuser FreeBSD/DragonflyBSD: pw groupadd ftpgroup pw useradd ftpuser -g ftpgroup -d /dev/null -s /etc Then, all maintenance of virtual users can be made with the "pure-pw" command. You can also edit the files by hand if you want. Files storing virtual users have one line per user. These lines have the following syntax: <account>:<password>:<uid>:<gid>:<gecos>:<home directory>:<upload bandwidth>:<download bandwidth>:<upload ratio>:<download ratio>:<max number of connections>:<files quota>:<size quota>:<authorized local IPs>:<refused local IPs>:<authorized client IPs>:<refused client IPs>:<time restrictions> Fields can be left empty (exceptions: account, password, uid, gid, home directory) . Passwords are compatible with the hashing function used in /etc/passwd or /etc/master.passwd. ------------------------ CREATING A NEW USER ------------------------ To add a new user, use the following syntax: pure-pw useradd <login> [-f <passwd file>] -u <uid> [-g <gid>] -D/-d <home directory> [-c <gecos>] [-t <download bandwidth>] [-T <upload bandwidth>] [-n <max number of files>] [-N <max Mbytes>] [-q <upload ratio>] [-Q <download ratio>] [-r <allow client ip>/<mask>] [-R <deny client ip>/<mask>] [-i <allow local ip>/<mask>] [-I <deny local ip>/<mask>] [-y <max number of concurrent sessions>] [-C <max number of concurrent login attempts>] [-M <total memory (in MB) to reserve for password hashing>] [-z <hhmm>-<hhmm>] [-m] Let's create "joe", whose home directory will be /home/ftpusers/joe . The system account associated with "joe" is "ftpusers". pure-pw useradd joe -u ftpuser -d /home/ftpusers/joe Joe's password is asked twice. With -d, joe will be chrooted. If you want to give joe access to the whole filesystem, use -D instead of -d. You don't need to create /home/ftpusers/joe if you run pure-ftpd with the -j (--createhome) switch. With that switch, home directories will automatically be created when users will log in for the first time. The "-z" option allow a user to connect only during a range of day time. For instance, with -z 0900-1800, joe will only be able to connect from 9 am to 18 pm. Warning: a user that connected during authorized hours can finish his session after these authorized hours. -r and -R are handy to restrict where the user can connect from. They can be followed by a simple IP/mask pair (-r 192.168.1.0/24), multiple pairs separated by a coma (-r 192.168.1.0/24,10.1.0.0/16,127.0.0.1/32), single IPs (-r 192.168.1.4,10.1.1.5), host names (-r bla.bla.net,yopcitron.com), or any combination of those. -y is to restrict the number of concurrent sessions a user can have at the same time. '' or 0 mean unlimited. Avoid this feature on very loaded servers. Use per-ip limits instead. Ok, "joe" has been created. By default, the list of virtual users is stored in the /etc/pureftpd.passwd file (you can of course change this with -f <file>) . Let's have a look at its content: joe:$7$C6..../....swVShTUX9kLJepm0vvj7dUXPqtULzQ9G3GT/GAO3bd3$GMHJRyUdSRwNROunwtRbEDHlx5t3eNQew7bb1dz29K2:500:101::/home/ftpusers/joe/./::::::::::::: Passwords are hashed with the most secure hash function your system supports. Hashes are tried in this order: argon2, scrypt, bcrypt, SHA-512, MD5. SHA-512 and MD5 should not be used any more. bcrypt requires crypt(3) from the C library to support it, which is commonly the case on BSD systems, but is only present on some Linux distributions. Argon2 and scrypt are the recommended functions, and require pure-ftpd to be compiled in presence of libsodium. Note that a login attempt will require up to 64 Mb memory, and 100% of a CPU core. The number of simultaneously allowed sessions should be tuned accordingly to avoid resources starvation. ------------------------ CHANGING INFO ------------------------ Once virtual users have been created, you can edit their info. For instance you can add bandwidth throttling, change quotas, add their full name, update ratio, etc. The "pure-pw usermod" command works just like "pure-pw useradd" except that it modifies an existing account instead of creating a new one. For instance, we will add a quota to Joe. Joe should be limited to 1000 files and 10 Megabytes. pure-pw usermod joe -n 1000 -N 10 Let's have a look at /etc/pureftpd.passwd: joe:$7$C6..../....swVShTUX9kLJepm0vvj7dUXPqtULzQ9G3GT/GAO3bd3$GMHJRyUdSRwNROunwtRbEDHlx5t3eNQew7bb1dz29K2:500:101::/home/ftpusers/joe/./::::::1000:10485760:::::: As you can see, the size quota is stored in bytes in the file. ------------------------ RESETTING ATTRIBUTES ------------------------ To disable file quotas, use pure-pw usermod <user> -n '' To disable size quotas, use pure-pw usermod <user> -N '' To disable ratios, use pure-pw usermod <user> -q '' -Q '' To disable download bandwidth throttling, use pure-pw usermod <user> -t '' To disable upload bandwidth throttling, use pure-pw usermod <user> -T '' To disable IP filtering, use pure-pw usermod <user> <-i,-I,-r or -R> '' To disable time restrictions, use pure-pw usermod <user> -z '' To disable the number of concurrent sessions, use pure-pw usermod <user> -y '' ------------------------ DELETING USERS ------------------------ We won't delete Joe at this time. Joe is a fine guy :) But FYI, deleting an user is as simple as running "pure-pw userdel", whose syntax is: pure-pw userdel <login> [-f <passwd file>] [-m] Deleting Joe would be: pure-pw userdel joe The content of his home directory is kept. Delete it by hand if you want. ------------------------ CHANGING PASSWORDS ------------------------ To change the password of a user, use "pure-pw passwd": pure-pw passwd <login> [-f <passwd file>] [-m] ------------------------ DISPLAYING INFO ------------------------ To review info about one user, reading the /etc/pureftpd.passwd file is ok, but it's not really human-friendly. It's why you can use "pure-pw show", whose syntax is: pure-pw show <login> [-f <passwd file>] Let's try with joe: pure-pw show joe Login : joe Password : $7$C6..../....swVShTUX9kLJepm0vvj7dUXPqtULzQ9G3GT/GAO3bd3$GMHJRyUdSRwNROunwtRbEDHlx5t3eNQew7bb1dz29K2 UID : 500 (ftpuser) GID : 101 (ftpgroup) Directory : /home/ftpusers/joe/./ Full name : Download bandwidth : 0 Kb (unlimited) Upload bandwidth : 0 Kb (unlimited) Max files : 1000 (enabled) Max size : 10 Mb (enabled) Ratio : 0:0 (unlimited:unlimited) Allowed local IPs : Denied local IPs : Allowed client IPs : 192.168.0.0/16 Denied client IPs : 192.168.1.1,blah.verybadhost.com Time restrictions : 0900-1800 (enabled) Max sim sessions : 0 (unlimited) "/./" at the end of a home directory means that this user will be chrooted. ------------------------ COMMITTING CHANGES ------------------------ IMPORTANT: You can add, modify and delete users with the previous commands, or by editing /etc/pureftpd.passwd by hand. But the FTP server won't consider the changes you make to that file, until you commit them. Committing changes really means that a new file is created from /etc/pureftpd.passwd (or whatever file name you choose) . That new file is a PureDB file. It contains exactly the same info than the other file. But in that file, accounts are sorted and indexed for faster access, even with thousands of accounts. PureDB files are binary files, don't try to view them or your terminal will beep like hell. Let's create a PureDB file from /etc/pureftpd.passwd. The indexed file will be called /etc/pureftpd.pdb (as always, choose whatever name you like): pure-pw mkdb this reads /etc/pureftpd.passwd and creates /etc/pureftpd.pdb by default, but to read another file, add the pdb file, optionally followed by -f <passwd file> For instance: pure-pw mkdb /etc/accounts/myaccounts.pdb -f /etc/accounts/myaccounts.txt All modifications you made to the virtual users database will be committed automatically: all new accounts will be activated at the same time and all deleted users won't be able to log in as soon as you'll have hit the Return key. There's no need to restart the pure-ftpd server to commit changes. You can also change something to the text passwords file (add users, change password, delete users, etc) and automatically run "pure-pw mkdb /etc/pureftpd.pdb" afterwards. To do so, just use the -m switch: pure-pw passwd joe -m This command will change Joe's password in pureftpd.passwd *and* commit the change to /etc/pureftpd.pwd . ------------------------ ENABLING VIRTUAL USERS ------------------------ Of course, to use virtual users, you have to enable their support in the FTP server itself. At compile-time, this is done by giving --with-puredb to ./configure (--with-everything also enables it and binary packages have it compiled in) . Then, add this switch to your usual pure-ftpd switches: -l puredb:/path/to/puredb_file If long options are enabled, you can also use --login instead of -l . Let's run the server with automatic creation of home directories and puredb authentication: /usr/local/sbin/pure-ftpd -j -lpuredb:/etc/pureftpd.pdb & Try to 'ftp localhost' and log in as joe. ------------------------ CONVERTING SYSTEM ACCOUNTS ------------------------ You can convert all system (/etc/passwd) accounts to virtual FTP users, with the "pure-pwconvert" tool. Just run it: pure-pwconvert >> /etc/pureftpd.passwd If you do it as a non-privileged user, passwords won't be filled in. If you do it as root, everything will be copied, even hashed passwords. Copying system accounts to FTP accounts makes sense, because that way, users can use different passwords for FTP and for Telnet access. ------------------------ ENVIRONMENT VARIABLES ------------------------ If defined, a PURE_PASSWDFILE environment variable can set the default path to the pureftpd.passwd file. Without this variable, it defaults to /etc/pureftpd.passwd . If defined, a PURE_DBFILE environment variable can set the default path to the pureftpd.pdb file. Without this variable, it defaults to /etc/pureftpd.pdb .