Cover V11, I13

Article

Virtual Hosting on Solaris and NcFTPd

Ron McCarty

Out of the box, FTP on Solaris lacks two features necessary to enterprises and service providers -- dedicated user authentication and virtual hosting. Many FTP daemons rely on giving each FTP user a user account and a UNIX user id (UID) on the system. Although such an account can be locked down by not providing a login shell, it still exists as a UNIX ID and is exposed to attacks that rely on local user accounts. By separating FTP authentication from /etc/passwd and /etc/shadow, FTP becomes much more secure. In this article, I'll describe virtual hosting on Solaris with NcFTPd.

Virtual Hosting

Virtual hosting became quite popular on the Internet through service providers offering mail and Web services. A service provider cannot dedicate a real server to Web and mail for customers who just want basic Web and mail functionality, so virtual services are added instead. For email, virtual hosts are not required, because nothing requires a domain's mail exchange (MX) record to point to a host within the same domain.

For example, Sys Admin's MX records point to gw.ddj.com:

# dig samag.com. mx

; <<>> DiG 9.2.0 <<>> samag.com. mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8517
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;samag.com.                     IN      MX

;; ANSWER SECTION:
samag.com.              259200  IN      MX      10 gw.ddj.com.

;; AUTHORITY SECTION:
samag.com.              259200  IN      NS      gw.ddj.com.
samag.com.              259200  IN      NS      ads.ddj.com.

;; Query time: 345 msec
;; SERVER: 192.168.1.252#53(192.168.1.252)
;; WHEN: Sun Jul 21 19:48:22 2002
;; MSG SIZE  rcvd: 82

Many domains can point to the same mail exchanger, and the mail exchanger can use the destination address to determine how to route the email either locally, by rewriting addresses, or by further routing.

There are two general methods of providing Web services: IP based and domain (or host name) based. With IP-based hosting, each virtual Web server is identified by its own IP address. IP-based virtual Web servers are popular among service providers who have no shortage of IP addresses or where service is billed on traffic to and from the IP address (many European service providers have traffic-based tariffs).

Version 1.1 of the HTTP protocol, which is now widely deployed, provides domain-name-based virtual host support. With HTTP 1.1, the user's browser sends the destination host name in its initial request, so the Web server can determine which virtual host to serve content from. The following snoop output shows virtual host support in action using HTTP 1.1. Note that the host name is actually carried in the payload of the packet, in the Host: header.

# snoop -x 50 port 80
Using device /dev/hme (promiscuous mode)
...

           0: c828 0000 4745 5420 2f20 4854 5450 2f31    .(..GET / HTTP/1
          16: 2e31 0d0a 486f 7374 3a20 6461 796e 6f74    .1..Host: daynot
          32: 6573 2e6d 6377 7269 7465 2e6e 6574 0d0a    es.mcwrite.net..
          48: 5573 6572 2d41 6765 6e74 3a20 4d6f 7a69    User-Agent: Mozi
Virtual FTP

Unlike HTTP 1.1, the FTP protocol gives the client no way to name the host it wants (there is no equivalent of the Host: header). Therefore, FTP virtual services are typically deployed using IP-based virtual hosts.

NcFTPd

NcFTPd is a high-performance FTP daemon that supports dedicated user authentication and accounts, virtual hosting, and bandwidth management at the user level. NcFTPd is available for most versions of UNIX, and I will discuss the Solaris 2.6 distribution for purposes of this article. NcFTPd is licensed at $99 for 50 or fewer users, and $199 for 51 or more users. There is also a free personal license supporting 3 or fewer sessions. The software can also be downloaded for a 30-day evaluation. The software can be purchased and downloaded at:

http://www.ncftp.com/download/

Once you've purchased the software or downloaded it for a test drive, go to http://www.ncftp.com/ncftpd/doc/install.html for installation instructions. The install script will create the appropriate startup script in /etc/rc2.d/ and create the ftp user and group in /etc/passwd, /etc/shadow, and /etc/group. The install script will also disable the existing FTP service, if it is running, so do not run the install unless you are sure you are ready for NcFTPd to be running.

Virtual Host with NcFTPd

To support virtual hosting, an additional IP address must be assigned to the server (and added to the server's startup scripts so that it survives a reboot). For this example, the host "sunny" already has the IP address 192.168.1.252 configured on hme0. The IP address 192.168.1.253 will be configured on the logical interface hme0:1:

ifconfig hme0:1 192.168.1.253 netmask 255.255.255.0 up

The output of ifconfig -a shows both interfaces being configured:

# ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 192.168.1.252 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:b2:f3:43
hme0:1: flags=843<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.1.253 netmask ffffff00 broadcast 192.168.1.255

Network connectivity should work at this point, and the new address can be pinged.

NcFTPd is configured through two files. A global file called general.cf applies parameters to all instances of NcFTPd, and domain.cf specifies configuration parameters for specific domains or virtual hosts. With the standard install on Solaris, the configuration files are stored in /usr/local/etc/ncftpd/.

To configure NcFTPd to support the additional server, two server entries are created in domain.cf: one for the new server, here called test.mcwrite.net, and one for the existing sunny FTP instance:

set-name=test.mcwrite.net
server-address=192.168.1.253
server-name=@SETNAME@
server-type=all-users
passwd=/etc/passwd
u-vchroot-restricted-users=yes
log-xfer=/var/log/ncftpd/xfer.%Y%m%d
log-session=/var/log/ncftpd/sess.%Y%m%d

set-name=sunny.mcwrite.net
server-address=192.168.1.252
server-name=@SETNAME@
server-type=all-users
passwd=/etc/passwd
u-vchroot-restricted-users=yes
log-xfer=/var/log/ncftpd/xfer.%Y%m%d
log-session=/var/log/ncftpd/sess.%Y%m%d

Restart NcFTPd:

/etc/rc2.d/S75ncftpd restart

When a user connects to the FTP port, NcFTPd examines the IP address the client connected to and selects the matching set of configuration parameters. In this case, when the user connects to test.mcwrite.net, the server greets the ftp client with the name test.mcwrite.net:

ftp test.mcwrite.net
Connected to test.mcwrite.net.
220 test.mcwrite.net NcFTPd Server ready.
Name (test.mcwrite.net:mccarty):

If the server-name parameter is omitted, the remaining configuration parameters still function correctly; however, the server will not greet clients with the virtual host's name.
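As an added check that is not part of the article or of NcFTPd, the following script validates domain.cf entries in the layout shown above before the daemon is restarted: every set must carry a server-address (otherwise no connection can ever match it), no address may be claimed by two sets, and no key may be repeated within a set. The sample entries and the temporary file path are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article or NcFTPd: sanity-check domain.cf before
# restarting the daemon. NcFTPd selects a server set by the address the client
# connected to, so a set without server-address is unreachable, two sets with
# the same address are ambiguous, and a repeated key is a copy-and-paste slip.
# Assumes the key=value, blank-line-separated layout shown above; POSIX sh/awk.

# check_domain_cf FILE: print one line per problem; returns 1 if any were found.
check_domain_cf() {
    awk '
    function flush(   k) {
        if (nkeys > 0 && !("server-address" in seen)) {
            print "set \"" setname "\" has no server-address"; bad++
        }
        for (k in seen) delete seen[k]
        setname = ""; nkeys = 0
    }
    /^#/ { next }
    /^[ \t]*$/ { flush(); next }
    {
        eq = index($0, "=")
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1); nkeys++
        if (key in seen) { print "set \"" setname "\": duplicate key " key; bad++ }
        seen[key] = val
        if (key == "set-name") setname = val
        if (key == "server-address" && val in addr) {
            print "address " val " used by \"" addr[val] "\" and \"" setname "\""; bad++
        }
        if (key == "server-address") addr[val] = setname
    }
    END { flush(); exit (bad > 0) }
    ' "$1"
}

# Constructed sample domain.cf (not the article's file) with one repeated key.
SAMPLE_CF=${TMPDIR:-/tmp}/domain.cf.sample.$$
trap 'rm -f "$SAMPLE_CF"' EXIT
cat > "$SAMPLE_CF" <<'EOF'
set-name=test.mcwrite.net
server-address=192.168.1.253
server-type=all-users
passwd=/etc/passwd

set-name=sunny.mcwrite.net
server-address=192.168.1.252
server-type=all-users
server-type=all-users
passwd=/etc/passwd
EOF
check_domain_cf "$SAMPLE_CF" || echo "fix domain.cf before restarting NcFTPd"
```

Run it against /usr/local/etc/ncftpd/domain.cf instead of the sample and restart only when it reports nothing.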

Authentication Without /etc/passwd

The configuration above authenticates against the UNIX ID and password. NcFTPd provides tools to maintain its own IDs. This configuration makes use of virtual users, which are by default confined to their home directories (also known as a change root or CHROOT environment). By combining virtual users with a separate password database, the FTP service is restricted in the way most consider best practice.

The NcFTPd user is assigned a UID integer that is recognized by the operating system, so files the virtual user creates are owned by that numeric UID. Therefore, dedicated UIDs should be used for virtual user IDs unless the intent is to give the virtual user access to an existing UNIX user's files.

To use dedicated password files with NcFTPd, two steps must be taken before telling the server to use them: the password database must be created, and domain.cf must be configured accordingly. The NcFTPd command for creating the database file, adding entries to it, and managing it is aptly named ncftpd_passwd. To add a new user, which creates the database file the first time, use:

/usr/local/sbin/ncftpd_passwd -f /usr/local/etc/ncftpd/passwd -c -a "testuser:password:5000:5000:Test User:/export/home/ftpusers/testuser:/bin/ksh"

Create the user's home directory and set permissions appropriately:

mkdir /export/home/ftpusers
mkdir /export/home/ftpusers/testuser
chown 5000:5000 /export/home/ftpusers/testuser

NcFTPd's documentation covers most aspects of password database management at:

http://www.ncftpd.com/ncftpd/doc/passwd.html

Once the user ID has been created, domain.cf must be adjusted accordingly. Based upon the configuration covered earlier, replace the two entries of passwd=/etc/passwd with passwd=/usr/local/etc/ncftpd/passwd and restart the NcFTPd server with:

/etc/rc2.d/S75ncftpd restart

Using this account, the NcFTPd server should authenticate the user "testuser" with the password "password". A PWD command should also show the user as being in the root / directory, with no directory contents -- validating the CHROOT environment.

In this example, the same password database file is used. However, this is not a requirement of NcFTPd; NcFTPd can support a database per instance.
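The following script, an added example rather than the article's or NcFTPd's own code, wraps the ncftpd_passwd step above with the check the preceding paragraphs call for: it refuses a UID or GID that already belongs to an entry in /etc/passwd or /etc/group, and only then creates the home directory and the virtual user. The sample passwd and group files are constructed; the ncftpd_passwd path and the -c/-a options are the ones the article uses.

```shell
#!/bin/sh
# Added example, not from the article or NcFTPd: create a virtual FTP user only
# when its UID/GID is not held by a real account, so the chrooted virtual user
# can never inherit a system user's file ownership. Uses the ncftpd_passwd and
# home-directory paths from the article; the sample passwd/group files below are
# constructed for the demonstration. POSIX sh (use /bin/ksh on older Solaris).

NCFTPD_PASSWD=/usr/local/sbin/ncftpd_passwd
VPASSWD=/usr/local/etc/ncftpd/passwd
FTPHOME=/export/home/ftpusers

# id_owner FILE ID: print the name whose numeric id (column 3) is ID in a
# passwd(4)- or group(4)-format FILE; print nothing if the id is unused.
id_owner() {
    awk -F: -v id="$2" '$3 == id { print $1 }' "$1"
}

# id_free PASSWD GROUP ID: succeed only when ID is unused in both files.
id_free() {
    [ -z "$(id_owner "$1" "$3")" ] && [ -z "$(id_owner "$2" "$3")" ]
}

# add_virtual_user NAME ID PASSWORD: refuse an id that collides with a real
# account; otherwise create the home directory and the NcFTPd password entry
# (-c creates the database the first time, as in the article).
add_virtual_user() {
    name=$1; id=$2; pw=$3
    if ! id_free /etc/passwd /etc/group "$id"; then
        echo "refusing $name: UID/GID $id belongs to a real account" >&2
        return 1
    fi
    mkdir -p "$FTPHOME/$name" && chown "$id:$id" "$FTPHOME/$name" || return 1
    create=""; [ -f "$VPASSWD" ] || create="-c"
    "$NCFTPD_PASSWD" -f "$VPASSWD" $create -a \
        "$name:$pw:$id:$id:Virtual FTP user:$FTPHOME/$name:/bin/ksh"
}

# Constructed sample files standing in for /etc/passwd and /etc/group.
SAMPLE_PASSWD=${TMPDIR:-/tmp}/passwd.sample.$$
SAMPLE_GROUP=${TMPDIR:-/tmp}/group.sample.$$
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP"' EXIT
printf 'root:x:0:1:Super-User:/:/sbin/sh\nftp:x:30:30:FTP:/export/ftp:/bin/false\n' \
    > "$SAMPLE_PASSWD"
printf 'root::0:\nftp::30:\nstaff::10:\n' > "$SAMPLE_GROUP"

# Demonstration: 30 is taken by the ftp account, 5000 is free for a virtual user.
id_free "$SAMPLE_PASSWD" "$SAMPLE_GROUP" 30 || echo "30 is in use by $(id_owner "$SAMPLE_PASSWD" 30)"
id_free "$SAMPLE_PASSWD" "$SAMPLE_GROUP" 5000 && echo "5000 is free"
```

add_virtual_user must run as root on the FTP server; the demonstration lines only exercise the collision check against the constructed files.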

More Goodies

Besides dedicated user authentication and virtual hosting, NcFTPd provides bandwidth management. Unlike the World Wide Web, where the user's experience and perception of speed are among the ultimate goals, FTP services are generally considered bandwidth hogs, and the full bandwidth pipe should not be given to a particular user or to the protocol itself. Therefore, bandwidth management on a per-user basis can be implemented at the FTP server. (Bandwidth management of the protocol or session is often also handled at the edge of the network through traffic policing.)

NcFTPd also supports quota management, limits on the number of concurrent users (check the max-users parameter), its own reports with graphics support, and an external authentication interface to support other methods of authentication. NcFTPd should meet pretty much any of your needs and is a good addition to the sys admin toolbox.

Ronald McCarty received his bachelor's degree in Computer and Information Systems at the University of Maryland's international campus at Schwaebisch Gmuend, Germany. He works for First American Real Estate Information Services (http://www.firstam.com/) as the manager, Unix Services. Ron is the co-author of New Rider's Linux Routing. He spends his free time with his two best friends in the world: his daughter, Janice, and his wife, Claudia. Ron can be reached at: mccarty@mcwrite.net.