Ansible Role vsftpd

This role installs and configures vsftpd, optionally with SSL (FTPS) and user-specific configs.

Tags

Tag

What it does

vsftpd

Installs and configures vsftpd

vsftpd:configure

Configues /etc/vsftpd/vsftpd.conf and user-specific configs

vsftpd:state

Manages the state of the vsftpd.service

Optional Role Variables

Variable

Description

Default Value

vsftpd__conf_allow_writeable_chroot

Boolean. Allow chroot()‘ing a user to a directory writable by that user. Note that setting this to YES is potentially dangerous. This setting is only necessary if the root directory of the user’s chroot jail itself is writable. Uploading in subfolders works even if this setting is false.

false

vsftpd__conf_chroot_local_user

Boolean. If the user should be placed in a chroot() or not. See man vsftpd.conf.

false

vsftpd__conf_debug_ssl

Boolean. If true, OpenSSL connection diagnostics are dumped to the vsftpd log file. See man vsftpd.conf.

false

vsftpd__conf_dual_log_enable

Boolean. If enabled, two log files are generated in parallel, going by default to /var/log/xferlog and /var/log/vsftpd.log. See man vsftpd.conf.

false

vsftpd__conf_guest_enable

Boolean. If enabled, all non-anonymous logins are classed as „guest“ logins. A guest login is remapped to the user specified in the guest_username setting.

false

vsftpd__conf_guest_username

String. See the boolean setting guest_enable for a description of what constitutes a guest login. This setting is the real username which guest users are mapped to.

ftp

vsftpd__conf_local_root

String. Path to which vsftpd will try to change into after a local (i.e. non-anonymous) login.

unset

vsftpd__conf_log_ftp_protocol

Boolean. When enabled, all FTP requests and responses are logged, providing the option vsftpd__conf_xferlog_std_format is not enabled. Useful for debugging. See man vsftpd.conf.

false

vsftpd__conf_pasv_addr_resolve

Boolean. Set to true if you want to use a hostname (as opposed to IP address) in vsftpd__conf_pasv_address.

false

vsftpd__conf_pasv_address

String. Use this option to override the IP address that vsftpd will advertise in response to the PASV command. Use this when running behind a firewall or loadbalancer. Also see vsftpd__conf_pasv_addr_resolve.

unset

vsftpd__conf_pasv_max_port

Number. The maximum port to allocate for PASV style data connections. 0 means any port.

0

vsftpd__conf_pasv_min_port

Number. The minimum port to allocate for PASV style data connections. 0 means any port.

0

vsftpd__conf_rsa_cert_file

String. Path of the RSA certificate to use for SSL encrypted connections.

'/usr/share/ssl/certs/vsftpd.pem'

vsftpd__conf_rsa_private_key_file

String. Path of the RSA private key to use for SSL encrypted connections. If unset, the private key is expected to be in the same file as the certificate.

unset

vsftpd__conf_session_support

Boolean. Controls whether vsftpd attempts to maintain sessions for logins using PAM authentication. Use in combination with vsftpd__pam_use_sss: true to get users from Active Directory. See man vsftpd.conf.

false

vsftpd__conf_ssl_enable

Boolean. If enabled vsftpd will support secure connections via SSL. See man vsftpd.conf.

false

vsftpd__conf_user_config_dir

String. Path where the user-specific config should be placed.

'/etc/vsftpd/user_config'

vsftpd__conf_user_sub_token

String. This option is useful is conjunction with virtual users. It is used to automatically generate a home directory for each virtual user, based on a template. For example, if the home directory of the real user specified via guest_username is /home/virtual/$USER, and user_sub_token is set to $USER, then when virtual user fred logs in, he will end up (usually chroot()‘ed) in the directory /home/virtual/fred. This option also takes affect if local_root contains user_sub_token.

unset

vsftpd__conf_userlist_deny

Boolean. This option is examined if userlist_enable is activated. If you set this setting to false, then users will be denied login unless they are explicitly listed in the file specified by userlist_file. When login is denied, the denial is issued before the user is asked for a password.

true

vsftpd__conf_userlist_enable

Boolean. If enabled, vsftpd will load a list of usernames, allowing or denying them based on userlist_deny. See man vsftpd.conf.

false

vsftpd__conf_userlist_log

Boolean. If enabled, every login denial based on the userlist will be logged. See man vsftpd.conf.

false

vsftpd__conf_virtual_use_local_privs

Boolean. If enabled, virtual users will use the same privileges as local users. By default, virtual users will use the same privileges as anonymous users, which tends to be more restrictive (especially in terms of write access).

false

vsftpd__conf_xferlog_std_format

Boolean. If enabled, the transfer log file will be written in standard xferlog format, as used by wu-ftpd, which is less readable but can be parsed by existing tools. See man vsftpd.conf.

false

vsftpd__pam_use_sss

Boolean. If true, SSSD will be used during PAM authentication. Use in combination with vsftpd__conf_session_support: true to get users from Active Directory.

false

vsftpd__service_enabled

Boolean. Enables or disables the service, analogous to systemctl enable/disable --now.

true

vsftpd__user_config__host_var /
vsftpd__user_config__group_var

List of dictionaries. Set user-specific configs, especially useful for the chroot directory (local_root). Note: When using a default Active Directory domain in sssd, user configs are required to cover the username with and without the domain. Subkeys:

  • name: Mandatory, string. The username to which the config applies.
  • raw: Optional, multiline string. Raw content.
  • state: Optional, string. State of the config, one of present, absent. Defaults to present.
  • template: Mandatory, string. Template to use. One of raw.

[]

Example:

# optional
vsftpd__conf_allow_writeable_chroot: false
vsftpd__conf_chroot_local_user: true
vsftpd__conf_debug_ssl: true
vsftpd__conf_dual_log_enable: true
vsftpd__conf_guest_enable: false
vsftpd__conf_guest_username: 'ftp'
vsftpd__conf_local_root: '/data'
vsftpd__conf_log_ftp_protocol: true
vsftpd__conf_pasv_addr_resolve: true
vsftpd__conf_pasv_address: 'ftp.example.com'
vsftpd__conf_pasv_max_port: 51000
vsftpd__conf_pasv_min_port: 50000
vsftpd__conf_rsa_cert_file: '/etc/pki/tls/certs/vsftpd.pem'
vsftpd__conf_rsa_private_key_file: '/etc/pki/tls/private/vsftpd.key'
vsftpd__conf_session_support: true
vsftpd__conf_ssl_enable: true
vsftpd__conf_user_config_dir: '/etc/vsftpd/user_config'
vsftpd__conf_user_sub_token: '$USER'
vsftpd__conf_userlist_deny: true
vsftpd__conf_userlist_enable: false
vsftpd__conf_userlist_log: true
vsftpd__conf_virtual_use_local_privs: false
vsftpd__conf_xferlog_std_format: false

vsftpd__service_enabled: true

vsftpd__user_config__host_var:
  - name: 'user1@example.com'
    template: 'raw'
    state: 'present'
    raw: |-
      local_root=/data/share1

License

The Unlicense

Author Information

Linuxfabrik GmbH, Zurich