Gentoo Forums
HOWTO: Setup secure-esque proftpd w/mod_sql & md5 passwd
Danathan (Tux's lil' helper)
Joined: 08 Mar 2004
Posts: 120

Posted: Fri Apr 02, 2004 10:17 pm    Post subject: HOWTO: Setup secure-esque proftpd w/mod_sql & md5 passwd

Hi,

I just set up a gentoo web development server that needed an ftp daemon. This creates a security problem, since FTP is known for its habit of sending clear text passwords all over the place. Since my specific problem was that I needed a handful of people to have access to single directory (where the htdocs are), solving the problem basically meant pointing a whole bunch of users towards the same home directory and chrooting them there.

My goals were:

    1. Make sure that no passwords that will ever be sent in clear text can also be used to log in through a shell account. (Password security)

    2. Make sure that ftp access does not allow users to create/read/update/delete files they ought not have access to. (filesystem security)

    3. Ensure that every user who needs access to the htdocs directory can have their own login and read and write to every file in it.


To do this, I decided that the best course of action was to:

    1. Use a password file other than /etc/passwd (or /etc/shadow) for ftp passwords: I chose mysql w/ md5 encryption via openssl.

    2. Use single uid & gid for the directory I was using (/home/webdev), rather than giving each user a unique uid. This ensures that no users can create files that can't be edited later by anyone else.


The first step is to merge xinetd. This isn't totally necessary. If you have a good reason for not doing it, don't do it. If you don't know or don't care, do this:

Code:

# emerge xinetd


The second step is merge proftpd. You need an extra CFLAG here to get openssl compiled properly:

Code:

# CFLAGS=-DHAVE_OPENSSL emerge -pv proftpd


You'll want to make sure that you're using ssl and (mysql or postgres), and PAM if you don't want to make this the authoritative method of authentication. Once you've got it how you want it, pull the -p flag and merge it for real.

Now you'll need to edit a few files to get xinetd working. First, open /etc/xinetd.conf in your favorite editor and delete the "only_from localhost" line. Then open /etc/xinetd.d/proftpd and change "disable = yes" to "disable = no". Because you don't want to, um, disable it. (The /etc/xinetd.d directory is where you parameterize all the services you want xinetd to handle.)

Now let's set up the user we'll be aliasing. I like to do web stuff out of /home/webdev, so I'll take my www user. So I'll make sure that my web user doesn't have a valid shell, because I don't want any of these dudes to have a valid shell. (see above)

If I were to create this user from scratch, I'd add a webdev group and do this:
Code:

# groupadd webdev
# -g makes webdev the user's primary group, so the gid shown in /etc/passwd
# (and checked against SQLMinUserGID below) is the webdev group's gid
# useradd -g webdev -m -s /bin/false webdev


Why is the shell /bin/false? Because that will prevent a shell log in -- read the man page for more. It's funny. Seriously.

Now let's set up our mysql database. This is essentially where we're going to do a lot of aliasing in not a lot of space. The main point to remember here is that in a unix file system, the OS doesn't care about your user name -- it cares about your userid (uid), which is a number. So if there are a bunch of dudes with the same uid, they're all the same dude, as far as Gentoo is concerned. ("All you 1003's look the same to me!")

Now find the userid (uid) and groupid (gid) of your new user.
Code:

# grep "webdev" /etc/passwd

The first number is the uid and the second is the gid. They'll probably be 1000 something and 400 something. Write this down.

The next step is creating this database. For this I've basically followed the instructions here:

http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-SQL.html

Before we get to the database, let's create the passwords we'll want. From the page listed above, this will print out a proper md5 password for the db:

Code:

/bin/echo "{md5}"`/bin/echo -n "password" | openssl dgst -binary -md5 | openssl enc -base64`


... and then just repeat, replacing "password" with the password you want to use. (Duh.) Put these in a buffer somewhere.

Next, create a new table in your db. We'll call it ftpusers. Enter the database and run the following table creation statements:

Code:

  CREATE TABLE users (
    userid VARCHAR(30) NOT NULL UNIQUE,
    passwd VARCHAR(80) NOT NULL,
    uid INTEGER,
    gid INTEGER,
    homedir VARCHAR(255),
    shell VARCHAR(255)
  );

  CREATE TABLE groups (
    groupname VARCHAR(30) NOT NULL,
    gid INTEGER NOT NULL,
    members VARCHAR(255)
  );


Now insert your user aliases. These should be all the users you want to give ftp access to. You'll use the same uid, gid, homedir and shell for each one -- all those should be the same as the actual webdev account you created above. Just add the {md5}'ed passwords and userids you want to use to each insert statement.

Then, to the groups table, you'd add the groupname and gid, and then the different members as a comma separated list, without spaces. (so: 'user1,user2,user3')

There are a couple of gotchas here. The first is that we've made users.uid non-unique in our table definition, which is different from proftpd's documentation. The second is that the groups table is called "groups", rather than "group" (like /etc/group). Group is a reserved word in SQL, hence "groups." Also, I think whatever parses groups.members chokes if you include spaces after commas. But I'm not positive.

Finally, create a read-only database user for this table. We'll have to store the database username and password in cleartext, so let's make sure that if someone did get their hands on this information, they wouldn't be able to add users.

Now we've got to configure proftpd! Pop over to /etc/proftpd, where you'll find a couple of configuration files. Chown them to 600, so that no one but root can read them. Seriously, this is important.

My proftpd.conf file looks like this:

Code:

ServerName                      "Secure-esque FTP Server"
ServerType                      inetd
DefaultServer                   on

# Port 21 is the standard FTP port.
Port                            21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable. 
#But I want group writable, so I'm using 2
Umask                           2


# Set the user and group under which the server will run.
User                            proftpd
Group                           proftpd

# Normally, we want files to be overwriteable.
<Directory />
  AllowOverwrite                on
</Directory>

# Add SQL AUTH stuff
# DOCS: http://www.castaglia.org/proftpd/modules/mod_sql.html
SQLAuthenticate users* groups* userset groupset
SQLAuthTypes OpenSSL
SQLConnectInfo ftpusers@localhost mysqluser mysqlpass
SQLMinUserGID 400
RequireValidShell       off

# Chroot a dude to his home dir
DefaultRoot             ~



The only thing that should cause consternation is the SQLMinUserGID 400. That's there because that number needs to be lower than the number of your webdev group. The *only* users allowed to access the ftp server are the ones listed in the sql database. This is to keep a wall between the ftp users and the shell users, as I said above. You could, however, give a shell user a password different from his or her shell password, and store that in the database. If you wanted to make this non-authoritative (i.e., allow other sources of log in info), pull the asterisks off the SQLAuthenticate statement.

Now add it as a boot service and start it.

Code:

rc-update add xinetd default
/etc/init.d/xinetd start


then ftp localhost and try it out.

Let me know how this works, or if you see any problems with it. Obviously you can repeat this for as many clusters of users as you have.

Dan
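As an added example (not code from the thread or from ProFTPD), this Python script reproduces the {md5} value the openssl pipeline above prints, checks a candidate password against a stored value, and emits the users/groups INSERT statements the HOWTO describes; the uid 1003, gid 410, user names and passwords are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the thread): the single webdev
# uid/gid and home directory that every FTP alias maps onto.
WEBDEV_UID = 1003
WEBDEV_GID = 410
WEBDEV_HOME = "/home/webdev"
NO_SHELL = "/bin/false"


def md5_ftp_password(password: str) -> str:
    """Same string as the HOWTO's openssl command: "{md5}" followed by the
    base64 of the raw MD5 digest. It is unsalted, so two users with the same
    password get the same string; keep the users table as read-protected
    as the proftpd.conf that holds the DB credentials."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{md5}" + base64.b64encode(digest).decode("ascii")


def check_ftp_password(stored: str, candidate: str) -> bool:
    """Compare a candidate against a stored {md5} value in constant time.
    A value without the {md5} prefix is rejected: that is the mistake
    Garth describes below (mod_sql cannot tell which digest was used)."""
    if not stored.startswith("{md5}"):
        return False
    return hmac.compare_digest(stored.encode("ascii", "replace"),
                               md5_ftp_password(candidate).encode("ascii"))


def sql_quote(value: str) -> str:
    """Single-quote a literal, escaping quotes and backslashes."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def build_inserts(users: dict, groupname: str) -> list:
    """INSERT statements for the users and groups tables: one row per FTP
    alias, all sharing uid/gid/homedir/shell; members has no spaces."""
    stmts = []
    for name, password in users.items():
        stmts.append(
            "INSERT INTO users (userid, passwd, uid, gid, homedir, shell) VALUES ("
            f"{sql_quote(name)}, {sql_quote(md5_ftp_password(password))}, "
            f"{WEBDEV_UID}, {WEBDEV_GID}, {sql_quote(WEBDEV_HOME)}, {sql_quote(NO_SHELL)});"
        )
    members = ",".join(users)  # 'user1,user2,user3' with no spaces after commas
    stmts.append(
        "INSERT INTO groups (groupname, gid, members) VALUES ("
        f"{sql_quote(groupname)}, {WEBDEV_GID}, {sql_quote(members)});"
    )
    return stmts


if __name__ == "__main__":
    for stmt in build_inserts({"alice": "password", "bob": "s3cret"}, "webdev"):
        print(stmt)
```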
Garth (n00b)
Joined: 21 Jan 2004
Posts: 35
Location: Michigan

Posted: Tue May 04, 2004 7:21 pm

Hey,

I followed this procedure, and after many hours of tinkering, I finally got this to work! I guess it didn't help that I'm a MySQL newbie (coming from making SQL statements in M$Access only). Here's some things I learned along the way:


  1. After emerging mysql, I ran the command mysql_install_db to install the initial mySQL databases. I'm not sure if the ebuild did this. I forgot to check first.
  2. The Gentooized version of MySQL installs an init script in /etc/init.d. just type /etc/init.d/mysql to get the server working and don't forget to add it to the default runlevel.
  3. Find a good tutorial on MySQL. The html documentation is a bit overwhelming. I slugged through it, but I think it would have been easier with some less cumbersome docs (the whole manual in one html file stinks)
  4. When you create the md5'ed passwords, make sure you include the {md5} on the front! mod_sql needs this to know what digest was used to create the hashed password. (This was my biggest D'oh!)


If anyone can think of anything else, or if they want to include all the SQL commands to create databases, users, and grant permissions, go right ahead.

Thanks, Danathan for this How-To.
_________________
Garth
HydroSan (l33t)
Joined: 04 Mar 2004
Posts: 764
Location: The Kremlin (aka Canada)

Posted: Wed Jul 14, 2004 2:59 am    Post subject: Re: HOWTO: Setup secure-esque proftpd w/mod_sql & md5 pa

Hiya. Your guide seems nice, but unfortunately, I am a MySQL noob. I need to give access to only two or more people, but I wanted to make my FTP secure. I managed to get MySQL running and inserted the tables fine, but...

Danathan wrote:
Now insert your user aliases.


Could you be a little more verbose on everything below that statement? How do you add users to the MySQL database? Documentation for MySQL is really mind-numbing.

Thanks.
_________________
I was a Gangster for Capitalism, by Major General Smedley Butler.

Server status: Currently down, being replaced with fresh install - 20% completed.
HydroSan (l33t)
Joined: 04 Mar 2004
Posts: 764
Location: The Kremlin (aka Canada)

Posted: Thu Jul 15, 2004 2:21 am

Alright. Got the FTP users active and the current testing user logs in fine.

UNFORTUNATELY, there is a problem. I can't seem to access the file list. I log in alright with the MD5 passwords, but I can't see any files or anything. It just keeps on saying 'Receiving file list...' until it times out.

Any suggestions? I've followed the guide to the letter.
ElectricHead1 (n00b)
Joined: 29 Oct 2003
Posts: 20
Location: The Netherlands

Posted: Fri Apr 01, 2005 9:41 am

Hmzzz ... I've got most of the stuff working now.
I got a database called ftpusers. It's got the 2 tables user and groups.
proftpd starts fine (in Standalone mode), but every time I try to connect to it I get the following error:

Code:
ftp> open 192.168.123.2
Connected to 192.168.123.2.
421 Service not available, remote server has closed connection


I've googled around for this error and it gives me some great info about PAM authentication that isn't correctly running (missing ftpusers file in /etc/ for instance).... But I'm not using PAM... What's up with this?