Cover V11, I13


Virtual Hosting on SolarisTM and NcFTPd

Ron McCarty

But of the box, FTP on Solaris lacks two features necessary to enterprises and service providers -- dedicated user authentication and virtual hosting. Many FTP daemons rely on giving the user a user account and a UNIX user id (UID) on the system. Although a user account can be locked down by not providing a login shell, the user account is still available as a UNIX ID and susceptible to security hacks that rely on local user accounts. By separating the authentication from the /etc/passwd and /etc/shadow, FTP becomes much more secure. In this article, I'll describe virtual hosting on Solaris with NcFTPd.

Virtual Hosting

Virtual hosting became quite popular on the Internet through service providers providing mail and Web services. A service provider cannot dedicate a real server to Web and mail servers for customers just wanting basic Web and mail functionality. Therefore, virtual services are added. For email, virtual hosts are not required, because there is no domain requirement for a mail exchange (MX) record to point to a host within the same domain.

For example, Sys Admin's MX records point to

# dig mx

; <<>> DiG 9.2.0 <<>> mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8517
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;                     IN      MX

;; ANSWER SECTION:              259200  IN      MX      10

;; AUTHORITY SECTION:              259200  IN      NS              259200  IN      NS

;; Query time: 345 msec
;; WHEN: Sun Jul 21 19:48:22 2002
;; MSG SIZE  rcvd: 82
Many domains can point to the same mail exchanger, and the mail exchanger can use the destination address to determine how to route the email either locally, by rewriting addresses, or by further routing.

There are two general methods of providing Web services: IP based and domain (or host name) based. With IP-based hosting, each virtual Web server uses an IP address to identify the particular server. IP-based virtual Web servers are popular among service providers who have no shortage of IP addresses or where service is based on traffic to and from the IP address (many European service providers have traffic-based tariffs.)

Version 1.1 of the HTTP protocol, which is now widely deployed, provides a domain name virtual host support. With HTTP 1.1, the destination domain name is provided in the initial communication by the user's browser. Thus, the Web server can determine which virtual host to serve content from. The following snoop output shows virtual host support in action using HTTP 1.1. Note that the host name is actually in the payload of the packet.

snoop -x 50 port 80# snoop -x 50 port 80
Using device /dev/hme (promiscuous mode)

           0: c828 0000 4745 5420 2f20 4854 5450 2f31    .(..GET / HTTP/1
          16: 2e31 0d0a 486f 7374 3a20 6461 796e 6f74    .1..Host: daynot
          32: 6573 2e6d 6377 7269 7465 2e6e 6574 0d0a
          48: 5573 6572 2d41 6765 6e74 3a20 4d6f 7a69    User-Agent: Mozi
Virtual FTP

Unlike HTTP 1.1, the FTP protocol does not support a virtual host. Therefore, FTP virtual services are typically deployed using IP-based virtual hosts.


NcFTPd is a high-performance FTP daemon that supports dedicated user authentication and accounts, virtual hosting, and bandwidth management at the user level. NcFTPd is available for most versions of UNIX, and I will discuss the Solaris 2.6 distribution for purposes of this article. NcFTPd is licensed at $99 for 50 or fewer users, and $199 for 51 or more users. There is also a free personal license supporting 3 or fewer sessions. The software can also be downloaded for a 30-day evaluation. The software can be purchased and downloaded at:
Once you've purchased the software or downloaded it for a test drive, go to for installation instructions. The install script will create the appropriate startup script in /etc/rc.2.d/ and create the ftp user and group in /etc/passwd, /etc/shadow, and /etc/group. The install script will also disable FTP, if it is running, so do not run the install unless you are sure you are ready for NcFTPd to be running.

Virtual Host with NcFTPd

To support virtual hosting, an IP address must be assigned to the server (and server's startup scripts). For this example, the host "sunny" has an IP address of on hme0 already configured. The IP address will be configured on the logical interface hme0:1:

ifconfig hme0:1 netmask up
The output of ifconfig -a shows both interfaces being configured:

# ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet netmask ff000000
        inet netmask ffffff00 broadcast
        ether 8:0:20:b2:f3:43
hme0:1: flags=843<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet netmask ffffff00 broadcast
Network connectivity should work at this point, and the interface can be pinged.

NcFTP is configured through the use of two files. A global file called applies parameters to all instances of NcFTPd, and the specifies configuration parameters to specific domains or virtual hosts. With the standard install on Solaris, the configuration files are stored in /usr/local/etc/ncftpd/.

To configure NcFTPd to support the additional server, two server entries are created. One for the new server, here called, and one for the sunny FTP instance:
Restart NcFTPd:

/etc/rc2.d/S75ncftpd restart
When a user connects to the FTP port, NcFTPd examines the IP address and determines the configuration parameters to use. In this case, when the user connects to, the server will serve up the name to the ftp client:

Connected to
220 NcFTPd Server ready.
Name (
If the server name parameter is not used, then the configuration parameters will still function correctly. However, the server will not respond with the appropriate server name.

Authentication Without /etc/passwd

The above configuration uses authentication based on the UNIX ID and password. NcFTPd provides tools to support its own IDs. This configuration makes use of virtual users, which are by default limited to their home directories. (This is also known as a change root or CHROOT environment.) By combining the virtual user with a separate password database, the FTP service is restricted to what most consider best practice.

The NcFTPd user is assigned a UID integer than is recognized by the operating system. Therefore, dedicated UIDs should be used for virtual user IDs unless the intent is to give the virtual user access to the files.

To use dedicated password files with NcFTPd, two steps must be taken before telling the server to use dedicated password files. The password database must be created, and the file must be configured accordingly. To create the file, add new entries to the file, and manage the file, the NcFTPd command, aptly named ncftp_passwd, file is used. To add a new user, which will create the database file the first time, use:

/usr/local/sbin/ncftpd_passwd -f /usr/local/etc/ncftpd/passwd -c -a "tes
tuser:password:5000:5000:Test User:/export/home/ftpusers/testuser:/bin/ksh"
Create the users' home directory and set permissions appropriately:

mkdir /export/home/ftpusers
mkdir /export/home/ftpusers/testuser
chown 5000:5000 /export/home/ftpusers/testuser
NcFTPd's documentation covers most aspects of the password database management at:
Once the user ID has been created, the file must be adjusted accordingly. Based upon the configuration covered earlier, replace the two entries of passwd=/etc/passwd to passwd=/usr/local/etc/ncftpd/passwd and restart the NcFTPd server with:

/etc/rc2.d/S75ncftpd restart
Using this account, the NcFTPd server should authenticate the user "testuser" with the password "password". A PWD command should also show the user as being in the root / directory, with no directory contents -- validating the CHROOT environment.

In this example, the same password database file is used. However, this is not a requirement of NcFTPd; NcFTPd can support a database per instance.

More Goodies

Besides the advanced features of dedicated user authentication, virtual hosting NcFTP provides support for bandwidth manager. Unlike the World Wide Web where the user experience and perception of speed are some of the ultimate goals, FTP services are generally considered bandwidth hogs and the full bandwidth pipe should not be given to a particular user or the protocol itself. Therefore, bandwidth management on a per-user basis can be implemented at the FTP server. (Bandwidth management of the protocol or session is often also managed at the edge of networks through traffic policing.)

NcFTPd also supports: quota management, the number of supported users limitation (check the max-users parameter), its own reports with graphics support, and an external authentication interface to support other methods of authentication. NcFTPd should meet pretty much any of your needs and is a good addition to the sys admin toolbox.

Ronald McCarty received his bachelor's degree in Computer and Information Systems at the University of Maryland's international campus at Schwaebisch Gmuend, Germany. He works for First American Real Estate Information Services ( as the manager, Unix Services. Ron is the co-author of New Rider's Linux Routing. He spends his free time with his two best friends in the world: his daughter, Janice, and his wife, Claudia. Ron can be reached at: