Friday 1 March 2013

Setting up vsftp for Virtual Users (Ubuntu)


vsftpd setup for virtual users is fairly straightforward, but most guides don't go through the 'why', so here I'm attempting to explain this in brief.


Install vsftpd

- I'll assume you've already done this(!)


Update Configuration

The configuration file is typically in /etc/vsftpd.conf.

Make the following changes:


# virtual users get the privileges of a local user (default is anonymous-style privileges)
virtual_use_local_privs=YES
# allow 'guest' (virtual) logons
guest_enable=YES
# the real local account every virtual user session actually runs as
guest_username=xxxxx
# substitute the virtual user's login name for $USER in the settings below
user_sub_token=$USER
# each virtual user starts in, and is confined to, their own directory
local_root=/home/vftp/$USER
chroot_local_user=YES
# show ownership in listings as 'ftp' rather than the real local uid/gid
hide_ids=YES
# optional per-user override files live here, one file per virtual user name
user_config_dir=/etc/vsftpd/vsftpd-user-conf


where,

guest_enable=YES

allows 'guest' logons. With virtual users you are actually logging on as this guest account, so it is the account that needs the appropriate access to any folders you point a virtual user at.

guest_username=xxxxx

the local user to actually run under. This should be a 'real' user, not a system one; something like 'vftp' might be appropriate. Create it as a 'normal' user and either root the virtual users in /home/vftp, or create a new folder structure and chown it to 'vftp'.

user_sub_token=$USER

how to identify the remote/virtual user. In this case we use their user name (what they log on with).

local_root=/home/vftp/$USER

which local root/home directory they will be sent to. So a user 'test' will start in '/home/vftp/test' in this example.

chroot_local_user=YES

'YES' means they are confined (chrooted) to that local_root directory.

user_config_dir=/etc/vsftpd/vsftpd-user-conf

a directory for 'per user' overrides. This is optional, but if you want one of your virtual users to operate under a different local user, or to go to a different home directory, create a file named after that user in this folder.

Example

You have virtual users 'test' and 'admin'. 'test' should have basic access to '/home/vftp/test' and will create files as the (local) user 'xxxxx'. The 'admin' user you want to be able to access and update any of the virtual users' data within '/home/vftp'.
Therefore create a file called 'admin' in /etc/vsftpd/vsftpd-user-conf containing:

local_root=/home/vftp

which overrides the local_root setting and puts that user into the server at the higher-up node.
This is also where you could restrict a user to read-only access if required, at user level (using write_enable=NO).

Amend PAM

The PAM file typically used (although it's set in the .conf file) is /etc/pam.d/vsftpd.

Update this to use just password authentication:

auth required pam_pwdfile.so pwdfile /etc/ftphtpasswd
account required pam_permit.so


where /etc/ftphtpasswd is the user/password file that holds your virtual users.
Everything else in the PAM file can go - that is there to let only locally defined (real) users log on via FTP.
(There's a chance that your PAM installation lacks pam_pwdfile - it's missing from /lib/security - in which case it can be installed from the libpam-pwdfile package.)

Create Users

Build the file mentioned above, /etc/ftphtpasswd, using the htpasswd utility.


Verify

Log on with a suitable FTP client to check that each user is confined to the appropriate location, with the correct access rights.

(this info gathered in part from this post)


EDIT
*****
Ubuntu 12.04 (or maybe vsftpd) at some point decided not to like the crypt passwords htpasswd creates, so following guide here, use:

  sudo htpasswd -c -p -b ftphtpasswd user $(openssl passwd -1 -noverify password)
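The same password-file maintenance as an added example, not code from the original post or the guide it links to. It covers both the 'Create Users' step and this edit: htpasswd -p only writes "user:<string>", so the equivalent is to hash with openssl (MD5-crypt, the "-1" scheme above) and write the line directly, passing the password on stdin so it never appears in the process list. It adds a check function that re-hashes with the stored salt, which is what pam_pwdfile does at login. PWFILE is a parameter; the post's file is /etc/ftphtpasswd. User names and passwords in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: maintain the pam_pwdfile
# user file without the htpasswd wrapper. Requires the openssl command.
set -eu

# add_virtual_user PWFILE USER PASSWORD: hash PASSWORD with a fresh random
# salt (MD5-crypt, "$1$<salt>$<hash>") and add USER, replacing any existing
# line for that user. The file is rewritten via a temp copy and kept mode 600.
add_virtual_user() {
  pwfile=$1; user=$2; password=$3
  hash=$(printf '%s\n' "$password" | openssl passwd -1 -stdin)
  if [ -f "$pwfile" ]; then
    grep -v "^$user:" "$pwfile" > "$pwfile.tmp" || true  # grep -v exits 1 when nothing is left
  else
    : > "$pwfile.tmp"
  fi
  printf '%s:%s\n' "$user" "$hash" >> "$pwfile.tmp"
  chmod 600 "$pwfile.tmp"
  mv "$pwfile.tmp" "$pwfile"
}

# check_virtual_user PWFILE USER PASSWORD: succeed only if PASSWORD matches
# USER's stored hash. This mirrors what pam_pwdfile does at login: re-run
# crypt() with the salt taken from the stored string and compare the result.
# (pam_pwdfile does this in C; this shell version is for checking your own
# file, not for serving logins.)
check_virtual_user() {
  pwfile=$1; user=$2; password=$3
  stored=$(sed -n "s/^$user://p" "$pwfile" | head -n 1)
  [ -n "$stored" ] || return 1
  salt=$(printf '%s\n' "$stored" | cut -d '$' -f 3)
  candidate=$(printf '%s\n' "$password" | openssl passwd -1 -stdin -salt "$salt")
  [ "$candidate" = "$stored" ]
}

# Demo in a temporary file: add two users, rotate one password, verify.
demo() {
  f=$(mktemp)
  add_virtual_user "$f" test 'first-password'
  add_virtual_user "$f" admin 'admin-password'
  add_virtual_user "$f" test 'rotated-password'   # replaces the 'test' line
  cat "$f"
  check_virtual_user "$f" test 'rotated-password' && echo "test: new password accepted"
  check_virtual_user "$f" test 'first-password' || echo "test: old password rejected"
  rm -f "$f"
}
if command -v openssl >/dev/null 2>&1; then demo; fi
```

To manage the live file, run it as root against /etc/ftphtpasswd; unlike htpasswd -c, add_virtual_user never truncates an existing file, so it is safe to call for every user. If your libpam-pwdfile and libcrypt support it, openssl passwd -6 produces SHA-512-crypt strings in the same user:hash format, which is a stronger choice than MD5-crypt.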

1 comment:

Rick Campbell said...

Thanks! This info was very useful for me and my colleagues. We used your hints while working with online data room and everything became easier.