Pureftpd - VIRTUAL USERS
http://download.pureftpd.org/pub/pure-ftpd/doc/README.Virtual-Users


Since release 0.99.2, Pure-FTPd supports virtual users.

Virtual users is a simple mechanism to store a list of users, with their
password, name, uid, directory, etc. It's just like /etc/passwd. But it's
not /etc/passwd. It's a different file, only for FTP.

It means that you can easily create FTP-only accounts without messing up
your system accounts.

Additionally, virtual users files can store individual quotas, ratios,
bandwidth, etc. System accounts can't do this.

Thousands of virtual users can share the same system user, as long as they
all are chrooted and they have their own home directory.
So a good thing to do before using virtual users is to create a system user
for this. Of course, you can use any existing account like "nobody" (but not
root), but it's better to have a dedicated account.

Let's create an "ftpgroup" group and an "ftpuser" user.
Linux/OpenBSD/NetBSD/Solaris/HPUX/OSX/a lot of other Unix-like systems:
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
FreeBSD/DragonflyBSD:
pw groupadd ftpgroup
pw useradd ftpuser -g ftpgroup -d /dev/null -s /etc

Then, all maintenance of virtual users can be made with the "pure-pw" command.
You can also edit the files by hand if you want.

Files storing virtual users have one line per user.
These lines have the following syntax:
<account>:<password>:<uid>:<gid>:<gecos>:<home directory>:<upload
bandwidth>:<download bandwidth>:<upload ratio>:<download ratio>:<max number
of connections>:<files quota>:<size quota>:<authorized local IPs>:<refused
local IPs>:<authorized client IPs>:<refused client IPs>:<time
restrictions>
Fields can be left empty (exceptions: account, password, uid, gid, home directory).

Passwords are compatible with the hashing function used in /etc/passwd or /etc/master.passwd. They are crypto hashed with blowfish, md5, multiple-des and simple des, in this order, according to what your system has support for.


CREATING A NEW USER

To add a new user, use the following syntax:
pure-pw useradd <login> [-f <passwd file>] -u <uid> [-g <gid>]
                         -D/-d <home directory> [-c <gecos>]
                         [-t <download bandwidth>] [-T <upload bandwidth>]
                         [-n <max number of files>] [-N <max Mbytes>]
                         [-q <upload ratio>] [-Q <download ratio>]
                         [-r <allow client host>[/<mask>][,<allow client host>[/<mask>]]...]
                         [-R <deny client host>[/<mask>][,<deny client host>[/<mask>]]...]
                         [-i <allow local host>[/<mask>][,<allow client host>[/<mask>]]...]
                         [-I <deny local host>[/<mask>][,<deny local host>[/<mask>]]...]
                         [-y <max number of concurrent sessions>]
                         [-z <hhmm>-<hhmm>] [-m]
Let's create "joe", whose home directory will be /home/ftpusers/joe . The system account associated with "joe" is "ftpuser".
pure-pw useradd joe -u ftpuser -d /home/ftpusers/joe
Joe's password is asked twice.
With -d, joe will be chrooted. If you want to give joe access to the whole filesystem, use -D instead of -d.
You don't need to create /home/ftpusers/joe if you run pure-ftpd with the -j (--createhome) switch. With that switch, home directories will automatically be created when users log in for the first time.
Note: the user's home directory does not have to be created separately; it can be created automatically on first login.
The "-z" option allows a user to connect only during a given time range of the day. For instance, with -z 0900-1800, joe will only be able to connect from 9 am to 6 pm. Warning: a user who connected during authorized hours can finish his session after these authorized hours.
Note: you can specify the hours during which a user is allowed to connect.
-r and -R are handy to restrict where the user can connect from. They can be followed by a simple IP/mask pair (-r 192.168.1.0/24), multiple pairs separated by a comma (-r 192.168.1.0/24,10.1.0.0/16,127.0.0.1/32), single IPs (-r 192.168.1.4,10.1.1.5), host names (-r bla.bla.net,yopcitron.com), or any combination of those.
Note: you can restrict the IP address ranges from which a user is allowed to connect.

-y restricts the number of concurrent sessions a user can have at the same time. '' or 0 mean unlimited. Avoid this feature on very loaded servers. Use per-ip limits instead.
Note: you can limit the maximum number of concurrent sessions a user may have.
Ok, "joe" has been created. By default, the list of virtual users is stored in the /etc/pureftpd.passwd file (you can of course change this with -f <file>).

Let's have a look at its content:
joe:$1$LX/3.F60$bYdYwsQOYIaWq.Ko.hfI3.:500:101::/home/ftpusers/joe/./:::::::::::::

Passwords are hashed with the best one-way hash function your system supports. Hashes are tried in this order: Blowfish, MD5, multiple DES, simple DES.


CHANGING INFO
Once virtual users have been created, you can edit their info. For instance you can add bandwidth throttling, change quotas, add their full name, update ratio, etc.
The "pure-pw usermod" command works just like "pure-pw useradd" except that it modifies an existing account instead of creating a new one.
For instance, we will add a quota to Joe. Joe should be limited to 1000 files and 10 Megabytes.

pure-pw usermod joe -n 1000 -N 10

Let's have a look at /etc/pureftpd.passwd:
joe:$1$LX/3.F60$bYdYwsQOYIaWq.Ko.hfI3.:500:101::/home/ftpusers/joe/./::::::1000:10485760::::::
As you can see, the size quota is stored in bytes in the file.

RESETTING ATTRIBUTES
To disable file quotas, use pure-pw usermod <user> -n ''
To disable size quotas, use pure-pw usermod <user> -N ''
To disable ratios, use pure-pw usermod <user> -q '' -Q ''
To disable download bandwidth throttling, use pure-pw usermod <user> -t ''
To disable upload bandwidth throttling, use pure-pw usermod <user> -T ''
To disable IP filtering, use pure-pw usermod <user> <-i,-I,-r or -R> ''
To disable time restrictions, use pure-pw usermod <user> -z ''
To disable the number of concurrent sessions, use pure-pw usermod <user> -y ''


DELETING USERS
We won't delete Joe at this time. Joe is a fine guy :) But FYI, deleting a user is as simple as running "pure-pw userdel", whose syntax is:

pure-pw userdel <login> [-f <passwd file>] [-m]

Deleting Joe would be:
pure-pw userdel joe
The content of his home directory is kept. Delete it by hand if you want.



CHANGING PASSWORDS
To change the password of a user, use "pure-pw passwd":  
   
pure-pw passwd <login> [-f <passwd file>] [-m]


DISPLAYING INFO  
To review info about one user, reading the /etc/pureftpd.passwd file is ok, but it's not really human-friendly. That's why you can use "pure-pw show", whose syntax is:

pure-pw show <login> [-f <passwd file>]
Let's try with joe:                             
pure-pw show joe
Login              : joe
Password           : $1$LX/3.F60$bYdYwsQOYIaWq.Ko.hfI3.
UID                : 500 (ftpuser)
GID                : 101 (ftpgroup)
Directory          : /home/ftpusers/joe/./
Full name          : 
Download bandwidth : 0 Kb (unlimited)
Upload   bandwidth : 0 Kb (unlimited)
Max files          : 1000 (enabled)
Max size           : 10 Mb (enabled)
Ratio              : 0:0 (unlimited:unlimited)
Allowed local  IPs : 
Denied  local  IPs : 
Allowed client IPs : 192.168.0.0/16
Denied  client IPs : 192.168.1.1,blah.verybadhost.com
Time restrictions  : 0900-1800 (enabled)
Max sim sessions   : 0 (unlimited)
"/./" at the end of a home directory means that this user will be chrooted.
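
An added example (not part of the Pure-FTPd README and not Pure-FTPd code): a small parser for the 18-field line format described above that reports accounts worth reviewing, namely users without the "/./" chroot marker, users mapped to uid 0, hashes other than the first-choice Blowfish, and users that share both a uid and a home directory. The field names, finding strings and the "ann" and "bob" records are assumptions made for this example; the "joe" record is the sample line from this page.

```python
# Added example: audit a pureftpd.passwd-style file. Not Pure-FTPd code.
from collections import defaultdict

FIELDS = ["account", "password", "uid", "gid", "gecos", "home",
          "ul_bw", "dl_bw", "ul_ratio", "dl_ratio", "max_conn",
          "files_quota", "size_quota", "allow_local", "deny_local",
          "allow_client", "deny_client", "time"]  # names are this example's

def parse_line(line):
    """Split one record into the 18 documented fields (missing ones -> '')."""
    parts = line.rstrip("\n").split(":")
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))  # a trailing empty 19th item is dropped

def hash_scheme(pw):
    """Classify a crypt(3) hash by prefix/length, in the README's order."""
    for prefix, name in (("$2", "blowfish"), ("$1$", "md5"), ("_", "multiple-des")):
        if pw.startswith(prefix):
            return name
    return "simple-des" if len(pw) == 13 else "unknown"

def audit(text):
    """Return a sorted list of (account, finding) tuples."""
    findings, homes = [], defaultdict(list)
    for line in filter(str.strip, text.splitlines()):
        u = parse_line(line)
        if not u["home"].endswith("/./"):      # "/./" marks a chrooted user
            findings.append((u["account"], "not chrooted"))
        if u["uid"] == "0":                    # README: never map to root
            findings.append((u["account"], "mapped to uid 0"))
        if hash_scheme(u["password"]) != "blowfish":
            findings.append((u["account"], "hash: " + hash_scheme(u["password"])))
        homes[(u["uid"], u["home"])].append(u["account"])
    for users in homes.values():               # shared uid needs distinct homes
        if len(users) > 1:
            findings += [(a, "shares uid and home") for a in users]
    return sorted(findings)

# First record is the README's own sample line; the other two are constructed.
SAMPLE = """\
joe:$1$LX/3.F60$bYdYwsQOYIaWq.Ko.hfI3.:500:101::/home/ftpusers/joe/./::::::1000:10485760::::::
ann:$2a$07$constructedconstructedconstructedconstructedconstructe:500:101::/home/ftpusers/ann
bob:abCONSTRUCTED:500:101::/home/ftpusers/joe/./
"""

if __name__ == "__main__":
    for account, finding in audit(SAMPLE):
        print(account, "-", finding)
```

Run it against a copy of the text passwords file, not the PureDB file, which is binary.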


COMMITTING CHANGES
IMPORTANT:
You can add, modify and delete users with the previous commands, or by editing /etc/pureftpd.passwd by hand. But the FTP server won't consider the changes you make to that file until you commit them.

Committing changes really means that a new file is created from /etc/pureftpd.passwd (or whatever file name you choose). That new file is a PureDB file. It contains exactly the same info as the other file. But in that file, accounts are sorted and indexed for faster access, even with thousands of accounts. PureDB files are binary files, don't try to view them or your terminal will beep like hell.

Let's create a PureDB file from /etc/pureftpd.passwd. The indexed file will be called /etc/pureftpd.pdb (as always, choose whatever name you like):
                               
pure-pw mkdb
 
This reads /etc/pureftpd.passwd and creates /etc/pureftpd.pdb by default. To read another file, add the pdb file, optionally followed by -f <passwd file>.
For instance:  
pure-pw mkdb /etc/accounts/myaccounts.pdb -f /etc/accounts/myaccounts.txt

All modifications you made to the virtual users database will be committed atomically: all new accounts will be activated at the same time and all deleted users won't be able to log in as soon as you have hit the Return key.
There's no need to restart the pure-ftpd server to commit changes.

You can also change something in the text passwords file (add users, change password, delete users, etc) and automatically run "pure-pw mkdb /etc/pureftpd.pdb" afterwards. To do so, just use the -m switch:
pure-pw passwd joe -m
This command will change Joe's password in pureftpd.passwd *and* commit the change to /etc/pureftpd.pdb .


ENABLING VIRTUAL USERS    
Of course, to use virtual users, you have to enable their support in the FTP server itself. At compile-time, this is done by giving --with-puredb to ./configure (--with-everything also enables it and binary packages have it compiled in).

Then, add this switch to your usual pure-ftpd switches:
-l puredb:/path/to/puredb_file
If long options are enabled, you can also use --login instead of -l .

Let's run the server with automatic creation of home directories and puredb authentication:
/usr/local/sbin/pure-ftpd -j -lpuredb:/etc/pureftpd.pdb &
Try to 'ftp localhost' and log in as joe.


CONVERTING SYSTEM ACCOUNTS    
You can convert all system (/etc/passwd) accounts to virtual FTP users, with the "pure-pwconvert" tool.
Just run it:                   
pure-pwconvert >> /etc/pureftpd.passwd
If you do it as a non-privileged user, passwords won't be filled in. If you do it as root, everything will be copied, even hashed passwords.

Copying system accounts to FTP accounts makes sense, because that way, users can use different passwords for FTP and for Telnet access.

ENVIRONMENT VARIABLES
If defined, a PURE_PASSWDFILE environment variable can set the default path
to the pureftpd.passwd file. Without this variable, it defaults to
/etc/pureftpd.passwd .  
  
If defined, a PURE_DBFILE environment variable can set the default path
to the pureftpd.pdb file. Without this variable, it defaults to
/etc/pureftpd.pdb .  




Latest update: 2010. 6. 22. 13:03