Would you like to learn how to configure the VSFTPD service to authenticate users against Active Directory using Kerberos? In this tutorial, we show you how to authenticate VSFTPD users against Microsoft Windows Active Directory using the Kerberos protocol.
• Ubuntu 20.04
• Ubuntu 19.10
• Ubuntu 18.04
• VSFTPD 3.0.3
In our example, the domain controller IP address is 192.168.15.10.
In our example, the FTP server IP address is 192.168.0.200.
Tutorial Windows – Domain Account Creation
• IP – 192.168.15.10
• Operating System – WINDOWS 2012 R2
• Hostname – TECH-DC01
We need to create at least 1 account in the Active Directory database.
The ADMIN account will be used to log in to the VSFTPD server.
On the domain controller, open the application named: Active Directory Users and Computers
Create a new account inside the Users container.
Create a new account named: admin
Password configured to the ADMIN user: kamisama123
This account will be used to authenticate on the VSFTPD server.
Repeat this process and create a new account named TEST01.
Congratulations, you have created the required Active Directory account.
VSFTPD – Kerberos authentication on the Active Directory
• IP – 192.168.15.11
• Operating System – Ubuntu 20
• Hostname – VSFTPD
Set a hostname using the HOSTNAMECTL command.
Edit the HOSTS configuration file.
Add the domain controller IP address and hostname.
Install the list of required packages to enable the Kerberos authentication.
During the graphical installation, perform the following configuration:
• Kerberos realm – TECH.LOCAL
• Kerberos server – TECH-DC01.TECH.LOCAL
• Administrative server – TECH-DC01.TECH.LOCAL
You need to change the domain information to reflect your network environment.
Edit the Kerberos configuration file.
Here is the file, before our configuration.
Here is the file, after our configuration.
You need to change the domain information to reflect your network environment.
You have finished the required Kerberos configuration.
Tutorial Ubuntu – Installing VSFTPD
Install the required packages.
Edit the PAM configuration file.
Here is the file content, before our configuration.
Here is the file content, after our configuration.
Search for the VSFTPD service configuration file.
Edit the VSFTPD service configuration file
Add the following lines at the end of this file.
Here is the file content, before our configuration.
Here is the file content, after our configuration.
The CHROOT feature will prevent users from getting out of their HOME directory.
To exclude a user from the CHROOT feature, add the username to the list file.
Here is the file content.
In our example, we excluded the account named TEST01.
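The exception list described above is easy to get backwards, so it is worth auditing which accounts actually end up jailed. The script below is an added example, not part of the original tutorial: it assumes vsftpd's documented options chroot_local_user, chroot_list_enable and chroot_list_file, and the temporary paths and lowercase account names are constructed. It goes one step beyond the tutorial's case by also handling chroot_local_user=NO, where the meaning of the list inverts.

```shell
#!/bin/sh
# Added example (not from the original tutorial): decide whether vsftpd
# jails a local user, from chroot_local_user / chroot_list_enable /
# chroot_list_file. File paths and account names below are constructed.

# Print the last "option=value" assignment in a vsftpd.conf, or a default.
conf_get() {  # conf_get FILE OPTION DEFAULT
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# True for the spellings vsftpd accepts as boolean "on".
is_yes() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "chrooted" or "not-chrooted" for USER under CONF.
chroot_state() {  # chroot_state CONF USER
    conf=$1; user=$2
    jail=no
    if is_yes "$(conf_get "$conf" chroot_local_user NO)"; then jail=yes; fi
    if is_yes "$(conf_get "$conf" chroot_list_enable NO)"; then
        list=$(conf_get "$conf" chroot_list_file /etc/vsftpd.chroot_list)
        [ -r "$list" ] || { echo "cannot read $list" >&2; return 2; }
        # A listed user gets the opposite of the default: with
        # chroot_local_user=YES the list names the accounts left unjailed.
        if grep -qxF -- "$user" "$list"; then
            if [ "$jail" = yes ]; then jail=no; else jail=yes; fi
        fi
    fi
    if [ "$jail" = yes ]; then echo chrooted; else echo not-chrooted; fi
}

# Constructed sample mirroring the tutorial: everyone jailed except test01.
demo_dir=$(mktemp -d)
printf 'test01\n' > "$demo_dir/chroot_list"
cat > "$demo_dir/vsftpd.conf" <<EOF
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$demo_dir/chroot_list
EOF
for u in admin test01; do
    printf '%s: %s\n' "$u" "$(chroot_state "$demo_dir/vsftpd.conf" "$u")"
done
```

Point chroot_state at the real configuration file and loop over the local FTP accounts to list every user that is not confined to its HOME directory.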
Restart the FTP service.
Enable the VSFTPD service to start automatically during boot.
Keep in mind that we are performing only the authentication using the Kerberos protocol.
The user account must exist locally.
Use the following command to create a user account locally on the FTP server.
Congratulations! You have finished the VSFTPD server authentication using Kerberos.
Tutorial Ubuntu – Testing the VSFTPD installation
Create 2 local accounts.
In our example, the user account named TEST01 was excluded from the CHROOT feature.
We excluded this account by adding the username to the CHROOT list file.
On a remote computer, download the WINSCP software and try to connect to the FTP server.
Use the Active Directory password to authenticate the FTP users.
The account named TEST01 will be able to access directories outside its HOME directory.
The account named ADMIN will not be able to access directories outside its HOME directory.
Congratulations! You successfully tested the VSFTPD installation on Ubuntu Linux.