User Account Management in Cerberus FTP Server
Cerberus FTP Server can manage user accounts from three different sources. The first is the default Cerberus FTP Server user database, also referred to as Cerberus native user accounts. The Cerberus native user account database is displayed in the User List box on the Users page of the User Manager. Cerberus native user accounts are users created just for Cerberus FTP Server, and managed through the Cerberus desktop admin console or through web administration. The directions on this page are for adding a user to this default user database.
Other User Account Sources
You may also use Cerberus FTP Server to authenticate Active Directory users when the machine hosting Cerberus is part of a domain (or the local NT account database), even if the computer Cerberus FTP Server is installed on is not the domain controller. See the page Active Directory Authentication for more information on how to configure Cerberus to allow authentication of Active Directory domain users.
Finally, users can also be authenticated against an LDAP service. See the section on configuring Cerberus for LDAP authentication for more information.
NOTE: Active Directory and LDAP authentication are only available in the Professional and Enterprise editions of Cerberus FTP Server.
Adding a new user
Users can be added and modified in the Cerberus FTP Server user database by opening up the User Manager and selecting the Users tab. To add a user, select “New” from the button to the right of the Cerberus User Accounts group box. A new user will appear under the user list box. The newly created user will already be in rename mode, so simply type in the new name of the user. All user names must be unique and are case insensitive. Once you have entered the new user name, press enter to commit the change. The user can then be configured by clicking on the user’s name in the user list box.
|Password||The password for the user. Note: The Password always displays as 7 (*) characters.|
|Group||A Cerberus FTP Server Group that this user belongs to.|
|Is Anonymous||If checked, the user password is ignored and the user can be logged in using any password.|
|Is Simple Directory||In simple directory mode the administrator can only assign one directory to represent the virtual directory for a user. See below for an explanation of this setting.|
|Is Disabled||Determines whether the account can log in or not. A disabled account cannot log in to the server.|
|Simultaneous Logins||The maximum number of connections this user can make to the server at the same time.|
|Require Secure Control||(Applies to FTP only) If enabled, this user can only login to the server using a secure TLS/SSL encrypted connection.|
|Require Secure Data||(Applies to FTP only) If enabled, file transfers will only be allowed over secure TLS/SSL encrypted connections.|
|Disable After Date||If a date is set here then the account will become disabled after the date specified. Note: The granularity of the timer is 30 minutes. The account will be disabled within 30 minutes of the time set.|
|Allow Protocols to Login||Controls which protocols a user is allowed to login with. If a protocol is not checked then the user will not be allowed to login using that protocol.|
|SSH Authentication||Determines the authentication requirements for logging into an SFTP interface. Valid options are:
|Maximum Upload File Size||This field can be used to limit the maximum size of an uploaded file. This value defaults to unlimited. The file size is specified in bytes. Specify 0 or any non-positive value to reset the maximum file size to unlimited.|
|Allowed IP Addresses||A comma-separated list of IP addresses that this user can login from. If no IP addresses are specified then no per-user IP address filtering is enforced. IP addresses can be specified as a single IP, a range of IP addresses separated by a dash, e.g. 192.168.0.100 – 192.168.0.150, or a CIDR-formatted IP address range. Multiple formats can be combined, with each single IP or range separated by a comma. Note, global IP address blacklists or whitelists are always enforced first, regardless of this setting.|
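To audit what a per-user Allowed IP Addresses value actually admits, the following added example (not Cerberus code) parses the three documented entry formats and tests a client address against them. The function names, the sample value, and the lenient handling of CIDR host bits are assumptions; global blacklists and whitelists, which the server enforces first, are not modelled.

```python
import ipaddress

# Constructed sample value using all three documented formats.
SAMPLE = "192.168.0.100 \u2013 192.168.0.150, 10.0.0.0/8, 203.0.113.7"


def parse_allowed(spec):
    """Parse a comma-separated allow list into (version, low, high) integer ranges."""
    ranges = []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "/" in entry:
            # CIDR block; strict=False tolerates host bits (assumption).
            net = ipaddress.ip_network(entry, strict=False)
            lo, hi = net.network_address, net.broadcast_address
        else:
            # Accept the ASCII hyphen and the en dash shown in the documentation.
            parts = [p.strip() for p in entry.replace("\u2013", "-").split("-")]
            if len(parts) > 2:
                raise ValueError(f"malformed range: {entry!r}")
            lo = ipaddress.ip_address(parts[0])
            hi = ipaddress.ip_address(parts[-1])  # single IP: low == high
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError(f"inverted or mixed-family range: {entry!r}")
        ranges.append((lo.version, int(lo), int(hi)))
    return ranges


def is_allowed(spec, client_ip):
    """True if client_ip passes the per-user filter described by spec."""
    ranges = parse_allowed(spec)
    if not ranges:
        return True  # empty list: no per-user filtering is enforced
    ip = ipaddress.ip_address(client_ip)
    return any(v == ip.version and lo <= int(ip) <= hi for v, lo, hi in ranges)
```

An empty value returns True for every address, so a blank field is an open setting rather than a deny-all.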
Configuring a user for SSH Public Key Authentication
See our help section on configuring a user for SSH Public Key Authentication in Cerberus FTP Server.
Our SSH public key authentication page has background information, step-by-step instructions, and a detailed video walk-through on how to configure a user account for public key authentication.
The Virtual Directory System
The virtual directory (VD) system allows the administrator to attach any directory or drive to a user account’s root folder. When a client requests the root directory from the server, the VDs you specify are sent to the client. The client can also navigate to any of the VD directories’ subdirectories. The VD system takes care of all path translation.
Security settings can be specified for each virtual directory. All subdirectories under the VD inherit the security settings of the VD.
A user account can operate in one of two modes with respect to the virtual file system: simple mode and standard mode.
Simple Virtual Directory mode
When a user account uses simple directory mode, the administrator can only assign one directory to represent the virtual directory for that user. Instead of that directory being seen as a subdirectory off of the root, the virtual directory selected will be the directory the user is placed in when they first log into the server. In other words, the directory selected as the virtual root directory will be the root directory. A user account is placed in simple directory mode by selecting the Is Simple Directory checkbox for the user account.
Standard Virtual Directory mode
In standard mode (the Is Simple Directory option is un-checked), the administrator may attach as many directories to a user account as desired. The directories selected will appear as subdirectories off of the root directory when the designated user logs into the server.
Simple and Standard Virtual Directory Mode Walk-through Video
Watch our video on the differences between simple and standard virtual directory mode, or continue below for examples of using the two directory systems.
A Virtual Directory Mode Example
Let’s take a user with one virtual directory called ftproot that maps to C:\ftproot.
In Simple Directory mode, the remote root directory that the user sees, “/”, is mapped directly to C:\ftproot on the server. The actual virtual directory name is ignored (you can think of it as always being named “/”). The user will see all files and folders in C:\ftproot listed in their root directory. They can upload and download files directly into the root directory and they will be uploaded or downloaded to C:\ftproot on the server.
When not in simple directory mode, the root directory “/” doesn’t map to anything. Instead, the root directory “/” becomes a virtual file system that you can attach sub-directories to. When not in simple directory mode, you can add as many virtual directories to a user account as you like, and the virtual directory name will become a sub-directory in the virtual root. However, you have to change to that sub-directory before you can upload or download anything. If you try to upload a file to the root folder “/”, then the operation is invalid because the path “/” doesn’t map directly to a folder on the server. You would need to specify the path /ftproot to upload or download files from the virtual directory ftproot.
Variables that can appear in Virtual Directory Names and Paths
The special variable %USER% can be present in a virtual directory name or path. When present, the %USER% variable is replaced by the user’s username during login.
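The mapping described in the example above, including %USER% expansion, can be modelled as follows. This is an added illustration, not Cerberus code: the function name, the clamping of ".." at the virtual root, and the rejection of segments containing ":" are assumptions of the model.

```python
import ntpath  # Windows path rules, usable on any host OS


def resolve(user, vdirs, simple, remote_path):
    """Return the server path for remote_path, or None if it maps to no folder.

    vdirs is {virtual_name: server_path}; both may contain %USER%.
    """
    expanded = {name.replace("%USER%", user): path.replace("%USER%", user)
                for name, path in vdirs.items()}

    # Normalise the client path; ".." is clamped at the virtual root (assumption).
    parts = []
    for seg in remote_path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        if ":" in seg:  # would let ntpath.join switch to another drive
            raise ValueError(f"illegal path segment: {seg!r}")
        parts.append(seg)

    if simple:
        # Simple mode: the single virtual directory *is* "/"; its name is ignored.
        if len(expanded) != 1:
            raise ValueError("simple mode takes exactly one virtual directory")
        (root,) = expanded.values()
        return ntpath.join(root, *parts)

    # Standard mode: "/" itself, or an unattached name, has no server folder.
    if not parts or parts[0] not in expanded:
        return None
    return ntpath.join(expanded[parts[0]], *parts[1:])
```

A None result corresponds to the invalid upload to “/” in standard mode: there is no server folder behind the path.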
Adding a virtual directory to a user account
Each user can be assigned different virtual directories. A virtual directory is added to a user account by using the User Manager. To add a virtual directory to a user account:
- Select the user in the “Cerberus Users” list.
- Next, click on the folder selection button. The folder selection button is located below the “User List” list box, in the “Virtual Directory” group, and is labelled with a folder icon. Once you have clicked on the folder button, a Browse for Folder dialog will appear.
- Navigate to the directory you wish to add and press the OK button on the dialog box. The directory you selected should appear in the edit box to the right of the folder button.
- Finally, select the Add to Root button (labeled “Assign as Root” in simple mode), located to the right of the folder selection button.
The directory should appear in the “Virtual Root directory” list box. To configure the newly added directory, click on the directory name in the list box. The directory’s permission options should appear in the list box to the right of the directory list. Place a check beside any permission that you would like to grant to the virtual directory and all of that directory’s subdirectories.
Virtual Directory Permissions
Each virtual directory that you add for a user can have a separate and distinct set of access permissions. The settings applied to a top level virtual directory filter down to all of that root directory’s subdirectories.
Permissions can only be assigned at the top, root level. To edit the permissions for a virtual directory:
- Select the user in the Users page of the User Manager
- Select the virtual directory from the user’s virtual directory list
- Check or uncheck the permissions associated with that directory from the list box that appears when you select the virtual directory.