diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b72f9be
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*~
+*.swp
diff --git a/README.md b/README.md
index 722be28..33a1efd 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,111 @@ # puppet-vsftpd +From Latch Mihaylov (zverocool) + +Enhanced funtionality to the vsftpd module to include FTPS compatbility and etc. +In summary +1. enables you to select vsftpd version +2. Adding the chrooted directory to SELINUX if its enabled +3. enables FTPS support +This is very light documentation and needs to be enhanced. + +Examples (wrappers) +Regular FTP Server, defining version, chrooting, not so different from existing +```puppet + class { 'vsftpd': + version => '2.2.2-11.el6_4.1', + ftpd_banner => 'FTP Server', + anonymous_enable => 'NO', + chroot_local_user => 'YES', + local_root => '/data/ftp/$USER', + user_sub_token => '$USER', + local_enable => 'YES', + write_enable => 'YES', + local_umask => '022', + dirmessage_enable => 'YES', + xferlog_enable => 'YES', + connect_from_port_20 => 'YES', + xferlog_std_format => 'YES', + listen => 'YES', + pam_service_name => 'vsftpd', + userlist_enable => 'YES', + userlist_log => 'YES', + tcp_wrappers => 'NO', + session_support => 'YES', + } +``` +FTPS Server with version and chrooting +```puppet + # Various FTPS Variables + $ftps_cert = 'ftps.cer' + $ftps_key = 'ftps.key' + + # PASV Settings for FTPS + $masquerade_min_port = '36000' + $masquerade_max_port = '36999' + $masquerade_address = '127.0.0.1' #use your masq address here + + if $masquerade_address != undef { + class { 'vsftpd': + version => '2.2.2-11.el6_4.1', + ftpd_banner => 'FTPS Server', + anonymous_enable => 'NO', + chroot_local_user => 'YES', + local_root => '/data/ftps/$USER', + user_sub_token => '$USER', + local_enable => 'YES', + write_enable => 'YES', + local_umask => '022', + dirmessage_enable => 'YES', + xferlog_enable => 'YES', + connect_from_port_20 => 'YES', + xferlog_std_format => 'YES', + listen => 'YES', + pam_service_name => 'vsftpd', + userlist_enable => 'YES', + userlist_log => 'YES', + tcp_wrappers => 'NO', + session_support => 'YES', + + # SSL SUPPORT + ssl_enable => 'YES', + rsa_cert_file => 
"/etc/vsftpd/cert/$ftps_cert", + rsa_private_key_file => "/etc/vsftpd/cert/$ftps_key", + require_ssl_reuse => 'YES', + allow_anon_ssl => 'YES', + force_local_data_ssl => 'NO', + force_local_logins_ssl => 'YES', + ssl_tlsv1 => 'YES', + ssl_sslv2 => 'NO', + ssl_sslv3 => 'NO', + ssl_ciphers => 'HIGH', + + # Adding masquerade abilities for VIP + pasv_min_port => '13000', + pasv_max_port => '13999', + pasv_address => '127.0.0.1', # masquarade address here 127 is for the example + } + + # ADDS THE CERT + file { "$::vsftpd::params::confdir/cert/$ftps_cert": + ensure => present, + source => "puppet:///cert/${ftps_cert}", + mode => 0644, + owner => root, + group => root, + notify => Service[$::vsftpd::params::service_name], + } + + # ADDS THE CERT KEY + file { "$::vsftpd::params::confdir/cert/${ftps_key}": + ensure => present, + source => "puppet:///cert/${ftps_key}", + mode => 0644, + owner => root, + group => root, + notify => Service[$::vsftpd::params::service_name], + } +``` ## Overview This module enables and configures a vsftpd FTP server instance. diff --git a/manifests/init.pp b/manifests/init.pp index fce36de..c7a7fc8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -17,9 +17,11 @@ $confdir = $::vsftpd::params::confdir, $package_name = $::vsftpd::params::package_name, $service_name = $::vsftpd::params::service_name, + $version = $::vsftpd::params::version, $template = 'vsftpd/vsftpd.conf.erb', + $confname = 'vsftpd.conf', # vsftpd.conf options - $anonymous_enable = 'YES', + $anonymous_enable = 'NO', $local_enable = 'YES', $write_enable = 'YES', $local_umask = '022', 
@@ -39,31 +41,63 @@ $ascii_upload_enable = 'NO',
 $ascii_download_enable = 'NO',
 $ftpd_banner = undef,
+ $guest_enable = 'NO',
+ $virtual_use_local_privs = 'YES',
+ $log_ftp_protocol = 'NO',
+ # intentionally not interpolated
+ $user_sub_token = '$USER',
+ $local_root = '/ftp/virtual/$USER',
 $chroot_local_user = 'NO',
 $chroot_list_enable = 'NO',
 $chroot_list_file = '/etc/vsftpd/chroot_list',
+ $local_root = undef,
+ $user_sub_token = undef,
 $ls_recurse_enable = 'NO',
 $listen = 'YES',
 $listen_port = undef,
 $pam_service_name = 'vsftpd',
 $userlist_enable = 'YES',
+ $userlist_log = 'NO',
 $userlist_deny = undef,
 $tcp_wrappers = 'YES',
+ $session_support = 'NO',
 $hide_file = undef,
 $hide_ids = 'NO',
 $setproctitle_enable = 'NO',
 $text_userdb_names = 'NO',
 $max_clients = undef,
 $max_per_ip = undef,
+ $pasv_enable = true,
+ $port_enable = true,
+ $pasv_address = undef,
 $pasv_min_port = undef,
 $pasv_max_port = undef,
+ $pasv_address = undef,
 $ftp_username = undef,
 $banner_file = undef,
 $allow_writeable_chroot = undef,
+ $ssl_enable = 'NO',
+ $rsa_cert_file = undef,
+ $rsa_private_key_file = undef,
+ $require_ssl_reuse = 'YES',
+ $allow_anon_ssl = 'YES',
+ $force_local_data_ssl = 'NO',
+ $force_local_logins_ssl = 'YES',
+ $ssl_tlsv1 = 'YES',
+ $ssl_sslv2 = 'NO',
+ $ssl_sslv3 = 'NO',
+ $ssl_ciphers = 'HIGH',
 $directives = {},
+ $users = ['user1', 'user2'],
+ $userlist_file = "/etc/vsftpd.users.conf",
 ) inherits ::vsftpd::params {
-
- package { $package_name: ensure => installed }
+
+ if $version == undef {
+ package { $package_name: ensure => installed }
+ } else {
+ package { $package_name: ensure => $version }
+ }
+
 service { $service_name:
 require => Package[$package_name],
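Review bot: `$local_root`, `$user_sub_token` and `$pasv_address` are each declared twice in this parameter list (the first two once with defaults `'/ftp/virtual/$USER'`/`'$USER'` and again as `undef`, `$pasv_address` twice as `undef`), and Puppet rejects a class that declares the same parameter twice, so as far as I can tell this manifest will not compile as committed. Keep one declaration per parameter — `$local_root = undef,` and `$user_sub_token = undef,` match the guarded `<% if @local_root -%>` emission the template adds — and drop the second `$pasv_address`. Separately, `$userlist_file` defaults to `"/etc/vsftpd.users.conf"` while the file resource in the next hunk writes `${confdir}/vsftpd.users.conf`; unless `$confdir` is `/etc`, vsftpd (with `userlist_enable` defaulting to `'YES'`) is pointed at a file the module never manages, so either derive the default from `$confdir` or make the resource use `$userlist_file`. The placeholder default `$users = ['user1', 'user2']` lands in the generated user list on every node that does not override it; an empty list `[]` is the safer default. The class body continues past the end of this hunk.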
@@ -72,11 +106,30 @@ hasstatus => true, } - file { "${confdir}/vsftpd.conf": + file { "${confdir}/${confname}": require => Package[$package_name], content => template($template), notify => Service[$service_name], } + + file { "${confdir}/cert": + ensure => directory, + } + + selboolean { 'ftp_home_dir': + persistent => true, + value => on, + } + + if ("$userlist_enable" == "YES") { + notify{"userlist is YES":} + } + + file { "${confdir}/vsftpd.users.conf": + require => Package[$package_name], + content => template('vsftpd/vsftpd.users.conf.erb'), + notify => Service[$service_name], + } } diff --git a/manifests/params.pp b/manifests/params.pp index e17a800..4c0671b 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -4,6 +4,7 @@ $package_name = 'vsftpd' $service_name = 'vsftpd' + $version = undef case $::operatingsystem { 'RedHat', diff --git a/templates/vsftpd.conf.erb b/templates/vsftpd.conf.erb index b6594fa..23a9325 100644 --- a/templates/vsftpd.conf.erb +++ b/templates/vsftpd.conf.erb 
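Review bot: The `selboolean { 'ftp_home_dir': ... }` resource is declared unconditionally, so on a host without SELinux (or with its tooling absent) the catalog is likely to fail on a provider that cannot run, whereas the README describes this as applying only when SELinux is enabled; guard it with the Facter fact, `if $::selinux { selboolean { 'ftp_home_dir': persistent => true, value => on } }`. The `${confdir}/cert` directory is created with no `owner`, `group` or `mode` even though the README example places the TLS private key in it; vsftpd is normally started as root, so `mode => '0750', owner => 'root', group => 'root'` keeps the directory from being listable by other local users, and the key file itself should not be installed with the README's `mode => 0644`. The `notify{"userlist is YES":}` block prints a message on every agent run and reads like leftover debugging; remove it or replace it with a comment. The hard-coded `${confdir}/vsftpd.users.conf` path also ignores the new `$userlist_file` parameter from the previous hunk, so the file written and the file vsftpd reads can differ. The enclosing class body starts outside this hunk.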
@@ -13,7 +13,25 @@ anonymous_enable=<%= @anonymous_enable %>
 #
 # Uncomment this to allow local users to log in.
 local_enable=<%= @local_enable %>
-#
+
+# If enabled, all non-anonymous logins are classed as "guest" logins. i
+# A guest login is remapped to the user specified in the guest_username setting.
+guest_enable=<%= @guest_enable %>
+
+# If enabled, virtual users will use the same privileges as local users.
+# By default, virtual users will use the same privileges as anonymous users,
+# which tends to be more restrictive (especially in terms of write access).
+virtual_use_local_privs=<%=@virtual_use_local_privs%>
+
+# It is used to automatically generate a home directory for each virtual user, based on a template.
+user_sub_token=<%=@user_sub_token%>
+
+# This option represents a directory which vsftpd will try to change into after a local (i.e. non-anonymous) login.
+local_root=<%=@local_root%>
+
+# When enabled, all FTP requests and responses are logged, providing the option xferlog_std_format is not enabled. Useful for debugging.
+log_ftp_protocol=<%=@log_ftp_protocol%>
+
 # Uncomment this to enable any form of FTP write command.
 write_enable=<%= @write_enable %>
 #
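Review bot: `user_sub_token=<%=@user_sub_token%>` and `local_root=<%=@local_root%>` are emitted unconditionally here, so when those parameters are undef (one of the two defaults the init.pp hunk gives them) the rendered config contains `local_root=` and `user_sub_token=` with empty values, and the `@@ -144` hunk of this file then emits the same two keys again inside `<% if @local_root -%>` / `<% if @user_sub_token -%>` guards. How vsftpd resolves an empty or repeated key is not something the template should depend on; drop the two unconditional lines (and their comments) from this hunk and keep the guarded ones, or guard these and drop the later copies. Two smaller points: the `"guest" logins. i` comment line ends in a stray `i`, and `guest_enable` is emitted without a matching `guest_username`, which the added comment itself says guest logins are remapped to — if that is meant to come through `$directives`, a comment saying so would help.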
@@ -144,6 +162,22 @@ chroot_list_file=<%= @chroot_list_file %>
 # (default follows)
 #chroot_list_file=/etc/vsftpd/chroot_list
 <% end -%>
+<% if @local_root -%>
+local_root=<%= @local_root %>
+<% end -%>
+<% if @user_sub_token -%>
+user_sub_token=<%= @user_sub_token %>
+<% end -%>
+#session_support
+#This controls whether vsftpd attempts to maintain sessions for logins.
+#If vsftpd is maintaining sessions, it will try and update utmp and wtmp.
+#It will also open a pam_session if using PAM to authenticate, and only
+#close this upon logout. You may wish to disable this if you do not need
+#session logging, and you wish to give vsftpd more opportunity to run
+#with less processes and / or less privilege.
+# NOTE - utmp and wtmp support is only provided with PAM enabled builds.
+# Default: NO
+session_support=<%= @session_support %>
 #
 # You may activate the "-R" option to the builtin ls. This is disabled by
 # default to avoid remote users being able to cause excessive I/O on large
@@ -170,9 +204,11 @@ listen_port=<%= @listen_port %>
 pam_service_name=<%= @pam_service_name %>
 userlist_enable=<%= @userlist_enable %>
+userlist_log=<%= @userlist_log %>
 <% if @userlist_deny -%>
 userlist_deny=<%= @userlist_deny %>
 <% end -%>
+userlist_file=<%= @userlist_file %>
 tcp_wrappers=<%= @tcp_wrappers %>
 <% if @hide_file -%>
 hide_file=<%= @hide_file %>
@@ -186,12 +222,24 @@ max_clients=<%= @max_clients %>
 <% if @max_per_ip -%>
 max_per_ip=<%= @max_per_ip %>
 <% end -%>
+<% if @pasv_enable -%>
+pasv_enable=YES
+<% end -%>
+<% if @port_enable -%>
+port_enable=YES
+<% end -%>
+<% if @pasv_address -%>
+pasv_address=<%= @pasv_address %>
+<% end -%>
 <% if @pasv_min_port -%>
 pasv_min_port=<%= @pasv_min_port %>
 <% end -%>
 <% if @pasv_max_port -%>
 pasv_max_port=<%= @pasv_max_port %>
 <% end -%>
+<% if @pasv_address -%>
+pasv_address=<%= @pasv_address %>
+<% end -%>
 <% if @ftp_username -%>
 ftp_username=<%= @ftp_username %>
 <% end -%>
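Review bot: In the `@@ -186` hunk, `pasv_enable` and `port_enable` are only ever written as `YES`: when the parameter is false the template emits nothing and vsftpd's compiled-in default (YES for both, per its man page) still applies, so `pasv_enable => false` (a boolean defaulting to `true` in init.pp) cannot actually turn passive mode off. Emit the value in both directions instead, `pasv_enable=<%= @pasv_enable ? 'YES' : 'NO' %>` and `port_enable=<%= @port_enable ? 'YES' : 'NO' %>`, so the rendered file reflects the catalog. The same hunk also emits the `<% if @pasv_address -%> pasv_address=<%= @pasv_address %> <% end -%>` block twice, once before `pasv_min_port` and once after `pasv_max_port`; one copy should go.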
@@ -204,3 +252,16 @@ allow_writeable_chroot=<%= @allow_writeable_chroot %>
 <% @directives.reject {|key,value| value == :undef}.sort_by {|key,value| key}.each do |key,value| -%>
 <%= key %>=<%= value %>
 <% end -%>
+<% if @ssl_enable == 'YES' -%>
+ssl_enable=<%= @ssl_enable %>
+rsa_cert_file=<%= @rsa_cert_file %>
+rsa_private_key_file=<%= @rsa_private_key_file %>
+require_ssl_reuse=<%= @require_ssl_reuse %>
+allow_anon_ssl=<%= @allow_anon_ssl %>
+force_local_data_ssl=<%= @force_local_data_ssl %>
+force_local_logins_ssl=<%= @force_local_logins_ssl %>
+ssl_tlsv1=<%= @ssl_tlsv1 %>
+ssl_sslv2=<%= @ssl_sslv2 %>
+ssl_sslv3=<%= @ssl_sslv3 %>
+ssl_ciphers=<%= @ssl_ciphers %>
+<% end -%>
diff --git a/templates/vsftpd.users.conf.erb b/templates/vsftpd.users.conf.erb
new file mode 100644
index 0000000..196dee5
--- /dev/null
+++ b/templates/vsftpd.users.conf.erb
@@ -0,0 +1,3 @@
+<% @users.each do |val| -%>
+<%= val %>
+<% end -%>
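Review bot: When `@ssl_enable` is `'YES'` but `@rsa_cert_file` or `@rsa_private_key_file` is still undef (their defaults in init.pp), this block renders `rsa_cert_file=` and `rsa_private_key_file=` with empty values, so a missing certificate is only discovered when vsftpd fails to start rather than at catalog compile time; a `fail('ssl_enable requires rsa_cert_file and rsa_private_key_file')` check in init.pp, or `<% if ... -%>` guards around the two lines, surfaces it earlier. The defaults feeding this block disable SSLv2/SSLv3 and keep `force_local_logins_ssl=YES`, but `force_local_data_ssl` defaults to `NO`, so by default credentials are protected while file contents travel in clear text; that trade-off is worth a comment above the block, e.g. `# force_local_data_ssl=NO leaves data connections unencrypted; set it to YES unless clients cannot do TLS on the data channel`. `ssl_ciphers=HIGH` is a reasonable default but is the knob an operator will want to tighten, so a one-line comment naming it as such would help.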