Deploying vsftpd with MySQL authentication on CentOS 6.5

1. How FTP transfers work

FTP, the File Transfer Protocol, works at the application layer on top of TCP; any two hosts that can reach each other over the Internet can use it.

1) Connection modes

  Control (command) connection: carries the commands and stays open for the whole session; the client connects from a random port to the server's TCP port 21.

  Data connection: carries the transfers; the server opens it when the client requests data and closes it as soon as the transfer finishes.

    Active mode: after the client has set up the control connection, the FTP server connects back to the client from its own TCP port 20.

    Passive mode: after the client has set up the control connection, the server opens a random port (usually >5000) and announces it to the client over the command connection; the client then uses the control-connection port number plus one for the data transfer (if the control connection uses port 3001, the data transfer uses port 3002).

2) Transfer modes: binary and text (ASCII); the mode is negotiated between server and client.

3) Data types: structured, semi-structured and unstructured data.

4) Other related protocols

  RPC (remote procedure call; typical examples are NFS and Microsoft Remote Desktop): binary data exchange between different hosts.

  Samba: implements the CIFS/SMB protocol for cross-platform data exchange.
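To make the two connection modes in 1) concrete, here is an added example (not from the original article) that parses the server's PASV reply and builds the client's PORT argument for active mode; the replies and addresses are constructed values.

```python
import re
import socket

# Added example, not part of the original article: the two ways an FTP data
# connection is set up, as seen on the wire. All sample values are constructed.

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply: str) -> tuple:
    """Passive mode: the server answers PASV with
    '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.
    The client must then open a NEW connection to h1.h2.h3.h4 on port
    p1*256+p2, while the control connection on port 21 stays up."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    for octet in (h1, h2, h3, h4, p1, p2):
        if not 0 <= octet <= 255:
            raise ValueError("field out of range in PASV reply")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 in PASV reply")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


def is_valid_pasv_reply(reply: str) -> bool:
    """True when the reply parses into a usable data-connection endpoint."""
    try:
        parse_pasv_reply(reply)
        return True
    except ValueError:
        return False


def build_port_command(client_ip: str, client_port: int) -> str:
    """Active mode: the client listens on client_port and sends
    'PORT h1,h2,h3,h4,p1,p2'; the server then connects back to that
    endpoint from its own port 20."""
    if not 0 < client_port <= 65535:
        raise ValueError("bad client port %r" % client_port)
    octets = socket.inet_aton(client_ip)   # raises OSError on a bad address
    p1, p2 = divmod(client_port, 256)
    return "PORT %s,%d,%d" % (",".join(str(b) for b in octets), p1, p2)


if __name__ == "__main__":
    print(parse_pasv_reply("227 Entering Passive Mode (10,0,0,5,195,80)."))
    print(build_port_command("192.168.1.20", 3002))
```

With the firewall from section 4.3, which only opens 21/tcp, a passive data connection from outside arrives as a NEW connection to the random port and is rejected unless that port range is opened or the nf_conntrack_ftp helper is loaded so that the data connection is classified RELATED.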

2. Common FTP software

Server side

Linux: vsftpd (very secure ftp daemon); proftpd, feature-rich; wu-ftpd, non-modular, the ancestor of them all; pureftpd; Filezilla

Windows: IIS, Serv-U, Filezilla

Client side

Linux: ftp, tftp

Windows: gftp, filezilla

3. vsftpd authentication

User authentication goes through PAM: the PAM service files live in /etc/pam.d/* and rely on the authentication modules under /lib(64)/security/*. Because vsftpd is governed by SELinux, SELinux has to be turned off for vsftpd to work normally.

Virtual users are supported. By default the service root is /var/ftp (writable only by root); the user the vsftpd process runs as is not allowed to write there. To give users write access, create a subdirectory under /var/ftp and grant write permission on that subdirectory.

4. Installing and configuring vsftpd

Environment used in this article: CentOS 6.5, 64-bit.

4.1 Installation

#yum install vsftpd -y

List the files the package installs

[root@uu ~]# rpm -qa | grep vsftpd
vsftpd-2.2.2-24.el6.x86_64
[root@uu ~]# rpm -ql vsftpd
/etc/logrotate.d/vsftpd              # logrotate rules for the log file
/etc/pam.d/vsftpd                    # PAM service file used for authentication
/etc/rc.d/init.d/vsftpd              # service control script
/etc/vsftpd                          # configuration directory
/etc/vsftpd/ftpusers                 # user login control file 1
/etc/vsftpd/user_list                # user login control file 2
/etc/vsftpd/vsftpd.conf              # main configuration file
/etc/vsftpd/vsftpd_conf_migrate.sh   # migration script
/usr/sbin/vsftpd
/* documentation */
/usr/share/doc/vsftpd-2.2.2
/usr/share/doc/vsftpd-2.2.2/AUDIT
/usr/share/doc/vsftpd-2.2.2/BENCHMARKS
/usr/share/doc/vsftpd-2.2.2/BUGS
/usr/share/doc/vsftpd-2.2.2/COPYING
/usr/share/doc/vsftpd-2.2.2/Changelog
/usr/share/doc/vsftpd-2.2.2/EXAMPLE
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE/README
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE/README.configuration
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE/vsftpd.conf
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE/vsftpd.xinetd
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE_NOINETD
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE_NOINETD/README
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE_NOINETD/README.configuration
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/INTERNET_SITE_NOINETD/vsftpd.conf
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/PER_IP_CONFIG
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/PER_IP_CONFIG/README
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/PER_IP_CONFIG/README.configuration
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/PER_IP_CONFIG/hosts.allow
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/README
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/VIRTUAL_HOSTS
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/VIRTUAL_HOSTS/README
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/VIRTUAL_USERS
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/VIRTUAL_USERS/README
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/VIRTUAL_USERS/README.configuration
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/VIRTUAL_USERS/logins.txt
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/VIRTUAL_USERS/vsftpd.conf
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/VIRTUAL_USERS/vsftpd.pam
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/VIRTUAL_USERS_2
/usr/share/doc/vsftpd-2.2.2/EXAMPLE/VIRTUAL_USERS_2/README
/usr/share/doc/vsftpd-2.2.2/FAQ
/usr/share/doc/vsftpd-2.2.2/INSTALL
/usr/share/doc/vsftpd-2.2.2/LICENSE
/usr/share/doc/vsftpd-2.2.2/README
/usr/share/doc/vsftpd-2.2.2/README.security
/usr/share/doc/vsftpd-2.2.2/REWARD
/usr/share/doc/vsftpd-2.2.2/SECURITY
/usr/share/doc/vsftpd-2.2.2/SECURITY/DESIGN
/usr/share/doc/vsftpd-2.2.2/SECURITY/IMPLEMENTATION
/usr/share/doc/vsftpd-2.2.2/SECURITY/OVERVIEW
/usr/share/doc/vsftpd-2.2.2/SECURITY/TRUST
/usr/share/doc/vsftpd-2.2.2/SIZE
/usr/share/doc/vsftpd-2.2.2/SPEED
/usr/share/doc/vsftpd-2.2.2/TODO
/usr/share/doc/vsftpd-2.2.2/TUNING
/usr/share/doc/vsftpd-2.2.2/vsftpd.xinetd
/usr/share/man/man5/vsftpd.conf.5.gz
/usr/share/man/man8/vsftpd.8.gz
/var/ftp                             # root directory of the FTP service
/var/ftp/pub                         # public directory of the FTP service

4.2 Users

Anonymous users: mapped to the system user ftp by default.

System (local) users: on login they land in their own home directory by default; unless they are chrooted (confined) to it, they can change into other directories.

Virtual users: mapped to a system user.

[root@uu ~]# finger ftp           
Login: ftp                              Name: FTP User
Directory: /var/ftp                     Shell: /sbin/nologin
Never logged in.
No mail.
No Plan.

4.3 Starting the service

[root@uu ~]# /etc/init.d/vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
[root@uu ~]# chkconfig vsftpd on

Default directory

[root@uu ~]# cd /var/ftp/
[root@uu ftp]# ll
total 4
drwxr-xr-x. 2 root root 4096 Mar 22  2017 pub

Firewall settings

[root@uu ftp]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         


# open port 21
[root@uu ftp]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# add the following line:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"/etc/sysconfig/iptables" 14L, 541C written
[root@uu ftp]# /etc/init.d/iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]

[root@uu ftp]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

4.4 Logging in

Microsoft Windows [版本 6.1.7601]
版權全部 (c) 2009 Microsoft Corporation。保留全部權利。

C:\Users\mango>ftp 107.175.240.114
鏈接到 107.175.240.114
220 (vsFTPd 2.2.2)
用戶(107.175.240.114:(none)): anonymous
331 Please specify the password.
密碼:
230 Login successful.
ftp> help
命令多是縮寫的。  命令爲:

!               delete          literal         prompt          send
?               debug           ls              put             status
append          dir             mdelete         pwd             trace
ascii           disconnect      mdir            quit            type
bell            get             mget            quote           user
binary          glob            mkdir           recv            verbose
bye             hash            mls             remotehelp
cd              help            mput            rename
close           lcd             open            rmdir
#mget   download several files at once
#lcd    change the local directory after logging in
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Mar 22  2017 pub
226 Directory send OK.
ftp: 收到 61 字節,用時 0.00秒 61.00千字節/秒。
ftp> pwd
257 "/"
# this is really /var/ftp/: the ftp user is locked into that directory by default, so the client sees it as "/"
ftp>

4.5 Configuration file

[root@uu ftp]# vim /etc/vsftpd/vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES      # allow anonymous logins?
#
# Uncomment this to allow local users to log in.
local_enable=YES          # allow system (local) users to log in?
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES          # allow local (system) users to upload files?
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022           # umask for files created by local users
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES   # allow anonymous uploads? (to create files, the target directory must be owned by, or writable by, the anonymous user)
/*
# For example, to create files in upload: /var/ftp is owned by root:root, so the ftp user can only create files there once upload has been opened up to it.
[root@uu ftp]# ll -d /var/ftp/
drwxr-xr-x. 3 root root 4096 May 18 11:16 /var/ftp/

[root@uu ftp]# mkdir /var/ftp/upload
[root@uu ftp]# setfacl -m u:ftp:rwx /var/ftp/upload/
*/
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES   # allow anonymous users to create directories?
#anon_other_write_enable=YES   # allow anonymous users other write operations? (not present by default; can be added)
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES     # show a welcome message on entering a directory (requires a .message file containing the text)
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES        # log FTP transfers?
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES        # change the owner of uploaded files? (anything but root)
#chown_username=whoever   # the owner to change them to
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog   # the FTP transfer log file
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES    # log in the standard (xferlog) format?
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600    # control-connection idle timeout
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120  # data-connection timeout
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.   # the vsftpd login banner
#banner_file=/…                             # file holding the vsftpd login banner (not present by default; can be added)
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES    # confine all local users to their home directories? use this line alone to confine everyone; combine it with the next two lines to confine only some users
#chroot_list_enable=YES   # enable the list of users to confine
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list   # the list of users to confine
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES                # run vsftpd as a standalone daemon (see the note on daemon types below)
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

pam_service_name=vsftpd   # vsftpd authenticates through PAM; this is the name of its service file under /etc/pam.d/
/*
Daemon types

  Standalone daemon: suited to services with heavy traffic and long-lived sessions.

  Transient (on-demand) daemon: for services with few users and short sessions; managed on their behalf by the super-daemon (xinetd), which is itself a standalone daemon.

  */

userlist_enable=YES       # use the file /etc/vsftpd/user_list? works together with userlist_deny=YES/NO (add it on the line below); see the detailed description in 4.6
tcp_wrappers=YES
max_clients               # parameter that can be added: maximum number of simultaneous connections
max_per_ip                # parameter that can be added: maximum number of connections per IP address

4.6 The user list files

#### The PAM configuration: users listed in file=/etc/vsftpd/ftpusers get sense=deny, i.e. they are refused FTP access ####
[root@uu vsftpd]# cat /etc/pam.d/vsftpd
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

#### The files under /etc/vsftpd ####
[root@uu ~]# cd /etc/vsftpd/
[root@uu vsftpd]# ll
total 20
-rw-------. 1 root root  125 Mar 22  2017 ftpusers
-rw-------. 1 root root  361 Mar 22  2017 user_list
-rw-------. 1 root root 4599 Mar 22  2017 vsftpd.conf
-rwxr--r--. 1 root root  338 Mar 22  2017 vsftpd_conf_migrate.sh
[root@uu vsftpd]# cat ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
[root@uu vsftpd]# cat user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file            (users in the list are NOT refused)
# If userlist_deny=YES (default), never allow users in this file, and   (users in the list are refused)
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody

5. vsftpd with SSL

Transport variants

ftps: FTP over SSL/TLS

sftp: file transfer over SSH (OpenSSH)

5.1 Generating the certificate

[root@uu ~]# cd /etc/pki/CA/
[root@uu CA]# touch index.txt
[root@uu CA]# echo 01 > serial
[root@uu CA]# ll
total 20
drwxr-xr-x. 2 root root 4096 May 19 10:51 certs
drwxr-xr-x. 2 root root 4096 Mar 22  2017 crl
-rw-r--r--. 1 root root    0 May 19 10:52 index.txt
drwxr-xr-x. 2 root root 4096 May 19 10:26 newcerts
drwx------. 2 root root 4096 May 19 10:09 private
-rw-r--r--. 1 root root    3 May 19 10:52 serial
[root@uu CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
....................................+++
...............................+++
e is 65537 (0x10001)
[root@uu CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SD
Locality Name (eg, city) [Default City]:JN
Organization Name (eg, company) [Default Company Ltd]:cmelo
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:ca.cmelo.com
Email Address []:
[root@uu CA]# cd /etc/vsftpd/ssl/
[root@uu ssl]# (umask 077;openssl genrsa -out vsftpd.key 2048;)
Generating RSA private key, 2048 bit long modulus
.....................................................+++
..................................+++
e is 65537 (0x10001)
[root@uu ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SD
Locality Name (eg, city) [Default City]:JN
Organization Name (eg, company) [Default Company Ltd]:cmelo
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:ftp.cmelo.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@uu ssl]# openssl ca -in vsftpd.csr -out vsftpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 19 14:55:55 2018 GMT
            Not After : May 19 14:55:55 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = SD
            organizationName          = cmelo
            organizationalUnitName    = tech
            commonName                = ftp.cmelo.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                30:37:5F:C7:FC:F6:6E:1C:E7:64:02:D9:57:FA:DD:24:F8:DD:12:E1
            X509v3 Authority Key Identifier:
                keyid:AC:24:D6:3A:DA:F6:70:1D:86:1A:B7:A8:33:45:28:FA:4D:F3:BB:60

Certificate is to be certified until May 19 14:55:55 2019 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

5.2 Configuration changes

#ssl or tls
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key
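As an added example (not part of the article), the following auditor reads a vsftpd.conf in the key=value form shown in 4.5 and flags what sections 4.5 and 5.2 leave open: anonymous writes, local users that are not chrooted, SSLv3, and logins that may go over plaintext. The sample config and the rules are the editor's own, not vsftpd's.

```python
# Added example, not part of the original article: a small auditor for the
# vsftpd.conf settings discussed in sections 4.5 and 5.2. The sample config
# below is constructed for the example from the values the article uses.

SAMPLE_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key
"""


def parse_vsftpd_conf(text: str):
    """vsftpd.conf is 'key=value' per line and only lines that START with
    '#' are comments. A trailing '  # note' becomes part of the value, and
    for a boolean option vsftpd then refuses to start ('bad bool value'),
    so such lines are reported as problems."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            problems.append("line %d: no '=' in %r" % (lineno, line))
            continue
        key, value = line.split("=", 1)
        if "#" in value:
            problems.append("line %d: inline comment makes the value %r"
                            % (lineno, value))
        settings[key.strip()] = value
    return settings, problems


def yes(settings: dict, key: str, default: str = "NO") -> bool:
    """Boolean option lookup; 'default' is vsftpd's compiled-in default."""
    return settings.get(key, default).strip().upper() in ("YES", "TRUE", "1")


def audit_vsftpd(settings: dict) -> list:
    """Findings for the risks this article touches on."""
    findings = []
    if yes(settings, "anonymous_enable", "YES"):   # vsftpd default is YES
        writes = [k for k in ("anon_upload_enable", "anon_mkdir_write_enable",
                              "anon_other_write_enable") if yes(settings, k)]
        if writes and yes(settings, "write_enable"):
            findings.append("anonymous users can write: " + ", ".join(writes))
    if yes(settings, "local_enable") and not yes(settings, "chroot_local_user"):
        findings.append("local users are not chrooted: they can leave their home directory")
    if yes(settings, "ssl_enable"):
        if yes(settings, "ssl_sslv3"):
            findings.append("ssl_sslv3=YES enables the obsolete SSLv3 protocol")
        if not yes(settings, "force_local_logins_ssl", "YES"):
            findings.append("force_local_logins_ssl=NO: local passwords may be sent in plaintext")
    elif yes(settings, "local_enable"):
        findings.append("no TLS: local user passwords cross the network in plaintext")
    if yes(settings, "userlist_enable") and "userlist_deny" not in settings:
        findings.append("userlist_enable=YES without userlist_deny: default is YES, so user_list is a deny list")
    return findings


def audit_text(text: str) -> list:
    """Parse problems first (the file would not even load), then findings."""
    settings, problems = parse_vsftpd_conf(text)
    return problems + audit_vsftpd(settings)


if __name__ == "__main__":
    for line in audit_text(SAMPLE_CONF):
        print(line)
```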

5.3 Connecting

5.4 Interactive login

6. PAM-based logins

Two methods are covered: authentication against a database (MySQL), and authentication against a user account file.

 

6.1 Database authentication

The topology is as follows:

The user connects to the vsftpd server; vsftpd's configuration hands authentication to /etc/pam.d/vsftp.mysql (the name is up to you), and vsftp.mysql is set up to use /lib/security/pam_mysql.so (built when pam-mysql is installed) to perform the check.

Because PAM cannot query MySQL directly, the pam-mysql-0.7RC1 plugin (no longer maintained) has to be installed.

Database: vsftpd

Table: users

Columns: name, password

6.1.1 Installing MySQL and the plugin

MySQL

[root@uu ~]# yum install mysql-server mysql-devel mysql -y

Install the pam-mysql plugin

[root@uu ftp]# tar xf pam_mysql-0.7RC1.tar.gz
[root@uu ftp]# cd pam_mysql-0.7RC1

[root@uu pam_mysql-0.7RC1]# ./configure --with-mysql

#Error: configure: error: Cannot locate mysql client library. Please check your mysql installation.

#Check that mysql is installed

[root@uu pam_mysql-0.7RC1]# rpm -q mysql
mysql-5.1.73-8.el6_8.x86_64

#Check where MySQL is installed
[root@uu pam_mysql-0.7RC1]# rpm -ql mysql
/usr/bin/msql2mysql
.....
/usr/share/man/man1/mysqlslap.1.gz

[root@uu pam_mysql-0.7RC1]# ./configure --with-mysql=/usr

#Error: configure: error: Cannot find pam headers. Please check if your system is ready for pam module development.

[root@uu pam_mysql-0.7RC1]# yum install pam-devel -y   

After installation /lib/security/ should already contain pam_mysql.so; if it does not, copy it there.

[root@uu pam_mysql-0.7RC1]# ll /lib/security/
total 136
-rwxr-xr-x 1 root root    871 May 21 16:15 pam_mysql.la
-rwxr-xr-x 1 root root 133348 May 21 16:15 pam_mysql.so

6.1.2 Database setup

/etc/init.d/mysqld start

Connect to MySQL and create the database and table

mysql> create database vsftpd ;
Query OK, 1 row affected (0.00 sec)

mysql> use vsftpd;
Database changed

#Create the users table

User id: small integer, auto-increment, not null

User name: up to 20 characters, case-sensitive

Password: up to 48 characters, case-sensitive

Primary key: id

mysql> CREATE TABLE users(                                    
    -> id SMALLINT AUTO_INCREMENT NOT NULL,  
    -> name CHAR(20) BINARY NOT NULL,
    -> password CHAR(48) BINARY NOT NULL,
    -> PRIMARY key(id));
Query OK, 0 rows affected (0.01 sec)

mysql> desc users;
+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
| id       | smallint(6) | NO   | PRI | NULL    | auto_increment |
| name     | char(20)    | NO   |     | NULL    |                |
| password | char(48)    | NO   |     | NULL    |                |
+----------+-------------+------+-----+---------+----------------+
3 rows in set (0.00 sec)

#Create the vsftpd database user and grant it SELECT

mysql> grant select on vsftpd.* to vsftpd@localhost identified by 'vsftpd';
Query OK, 0 rows affected (0.00 sec)

mysql> grant select on vsftpd.* to vsftpd@127.0.0.1 identified by 'vsftpd';           
Query OK, 0 rows affected (0.00 sec)

#Insert two users into the users table in one statement

Note: hashing the password with PASSWORD() should work in theory, but pam-mysql and MySQL use different hashing functions, which causes errors (explained in detail further down); ENCRYPT() is recommended:
  mysql> insert into users (name,password) value ('uqian',encrypt('centos'));
  Query OK, 1 row affected (0.00 sec)

mysql> insert into users(name,password) VALUE ('tom',password('centos')),('jerry',password('centos'));
Query OK, 2 rows affected (0.00 sec)
Records: 2  Duplicates: 0  Warnings: 0
mysql> select * from users;
+----+-------+-------------------------------------------+
| id | name  | password                                  |
+----+-------+-------------------------------------------+
|  1 | tom   | *128977E278358FF80A246B5046F51043A2B1FCED |
|  2 | jerry | *128977E278358FF80A246B5046F51043A2B1FCED |
+----+-------+-------------------------------------------+
2 rows in set (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

Test that the vsftpd user can log in

[root@uu ~]# mysql -uvsftpd -p
Enter password:vsftpd

Check the database

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
| vsftpd             |
+--------------------+
3 rows in set (0.00 sec)

mysql> use vsftpd;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------+
| Tables_in_vsftpd |
+------------------+
| users            |
+------------------+
1 row in set (0.00 sec)

mysql> select * from users;
+----+-------+-------------------------------------------+
| id | name  | password                                  |
+----+-------+-------------------------------------------+
|  1 | tom   | *128977E278358FF80A246B5046F51043A2B1FCED |
|  2 | jerry | *128977E278358FF80A246B5046F51043A2B1FCED |
+----+-------+-------------------------------------------+
2 rows in set (0.00 sec)

 

#Deleting users

mysql> delete from users where name='tom';      
Query OK, 1 row affected (0.00 sec)

mysql> delete from users where name='jerry';   
Query OK, 1 row affected (0.00 sec)

 

6.1.3 Creating the PAM service file

[root@uu ~]# vim /etc/pam.d/vsftp.mysql    # the name is up to you

auth required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=1

account required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=1

#pam_mysql.so performs the check; user/passwd are the credentials used to connect to MySQL, crypt is the password hashing scheme

One thing to point out: crypt=0 (no hashing) and crypt=1 both work.

With crypt=2, because pam-mysql and MySQL use different hashing functions, authentication may not match, and in practice it does not.

In my build md5 and sha1 are not supported either; the log says:

[root@uu pam.d]# tail /var/log/secure     
May 22 13:26:49 uu vsftpd[42373]: pam_mysql - non-crypt()ish MD5 hash is not supported in this build.
May 22 13:35:51 uu vsftpd[42417]: pam_mysql - non-crypt()ish SHA1 hash is not supported in this build.

From the README of pam-mysql-0.7RC1:

[root@uu ~]# cd /var/ftp/pam_mysql-0.7RC1                
[root@uu pam_mysql-0.7RC1]# more README

............

crypt (plain)

    The method to encrypt the user's password:

       0 (or "plain") = No encryption.  Passwords stored in plaintext.
                        HIGHLY DISCOURAGED.

       1 (or "Y")     = Use crypt(3) function.

       2 (or "mysql") = Use MySQL PASSWORD() function. It is possible
                        that the encryption function used by PAM-MySQL
                        is different from that of the MySQL server, as
                        PAM-MySQL uses the function defined in MySQL's
                        C-client API instead of using PASSWORD() SQL function
                        in the query.
                        
       3 (or "md5")   = Use plain hex MD5.

       4 (or "sha1")  = Use plain hex SHA1.

..............
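The crypt= modes above are easiest to reason about by looking at what each one expects in the password column. This added example (not from the article or from pam-mysql) implements the MySQL 4.1+ PASSWORD() format, classifies a stored value by the mode whose format it matches, and verifies a password the way modes 0, 2, 3 and 4 compare it. The only value taken from the article is the hash its select * from users shows for PASSWORD('centos'); the rest is constructed.

```python
import hashlib
import re

# Added example, not part of the original article or of pam-mysql: what each
# pam_mysql 'crypt=' mode expects in the password column, so a stored value
# can be checked against the configured mode before PAM is switched over.
# MYSQL41_HASH_FOR_CENTOS is the value the article's 'select * from users'
# shows for PASSWORD('centos'); all other sample values are constructed.

MYSQL41_HASH_FOR_CENTOS = "*128977E278358FF80A246B5046F51043A2B1FCED"


def mysql41_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by upper-hex SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def guess_crypt_mode(stored: str) -> int:
    """Map a stored column value to the pam_mysql crypt= mode whose format it
    matches (the README's five schemes). Heuristic: a plaintext password that
    happens to look like a hash is misclassified."""
    if re.fullmatch(r"\*[0-9A-F]{40}", stored):
        return 2          # MySQL PASSWORD(), 4.1+ format
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return 3          # plain hex MD5
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return 4          # plain hex SHA1
    if re.fullmatch(r"\$[0-9a-z]+\$.*", stored) or re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return 1          # crypt(3): '$id$salt$hash' or traditional 13-char DES
    return 0              # plaintext


def verify(mode: int, password: str, stored: str) -> bool:
    """Compare the way pam_mysql does for modes 0, 2, 3 and 4 (pure hashlib).
    Mode 1 needs crypt(3); the stdlib 'crypt' module was removed in Python
    3.13, so it is imported lazily and mode 1 raises where it is missing."""
    if mode == 0:
        return stored == password
    if mode == 1:
        import crypt   # deprecated in 3.11, removed in 3.13
        return crypt.crypt(password, stored) == stored
    if mode == 2:
        return stored == mysql41_password(password)
    if mode == 3:
        return stored == hashlib.md5(password.encode()).hexdigest()
    if mode == 4:
        return stored == hashlib.sha1(password.encode()).hexdigest()
    raise ValueError("unknown crypt mode %r" % mode)


def diagnose(stored: str, configured_mode: int) -> str:
    """One-line verdict for the silent-failure case in the article: the
    column format does not match the crypt= mode PAM is configured with."""
    actual = guess_crypt_mode(stored)
    if actual == configured_mode:
        return "ok: stored value matches crypt=%d" % configured_mode
    return "mismatch: column looks like crypt=%d but PAM is configured with crypt=%d" % (
        actual, configured_mode)


if __name__ == "__main__":
    print(diagnose(MYSQL41_HASH_FOR_CENTOS, 1))   # the article's failing setup
    print(verify(2, "centos", MYSQL41_HASH_FOR_CENTOS))
```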

#Add the local user vuser as the mapping target, with home directory /var/ftproot

[root@uu ~]# useradd -s /sbin/nologin -d /var/ftproot vuser

#Give other users read and execute permission, otherwise the mapped user cannot access this directory

[root@uu ~]# chmod go+rx /var/ftproot/
[root@uu ~]# ll -d /var/ftproot/
drwxr-xr-x 2 vuser vuser 4096 May 21 16:49 /var/ftproot/

6.1.4 Adjusting the vsftpd configuration for MySQL authentication

  pam_service_name=vsftpd  ===>  pam_service_name=vsftpd.mysql

  force_local_data_ssl=YES   ===>  force_local_data_ssl=NO     # optional; changed here to avoid surprises
  force_local_logins_ssl=YES ===>  force_local_logins_ssl=NO   # optional; same as above

  To tie the virtual users to the mapped local user, add:

  guest_enable=YES        # enable guest (virtual) users
  guest_username=vuser    # guests (virtual users) are mapped to the local user vuser
  local_enable=YES        # must be YES, because virtual users access the server as the mapped local user (vuser here)
 

6.2 User account file authentication with db4-utils (rpm package)

db_load converts a text file into a binary database holding user names and passwords. Note: odd-numbered lines are user names, even-numbered lines are passwords.

vim /etc/ftp/logins

name

password

#Creating the db file needs db4; install it if the system does not have it
[root@uu vsftpd]# yum -y install db4 db4-devel db4-utils
#Restrict the db file's permissions so that unauthorized users cannot modify it
[root@uu vsftpd]# chmod 600 /etc/vsftpd/vu_list.db

1) Create the user list logins with the following content
   wang        (account)
   ******      (password)
   download    (account)
   *******     (password)
   admin       (account)
   *******     (password)
2) Install libdb4-util so that db4_load is available
   #apt-get install libdb4-util
3) Create the user database file
   #db4_load -T -t hash -f /etc/ftp/logins /etc/vsftpd/vsftpd_login.db
4) Create the file ftp.vu under /etc/pam.d/ with the following content:
   auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
   account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
local_root=/data/repository/snapshot
anon_umask=022
write_enable=YES
anon_mkdir_write_enable=YES
anon_upload_enable=YES
download_enable=NO
 
Encoding patch (for garbled file names):
On other distributions it has to be applied by hand:
download the source, unpack it, copy the patches into the source directory
Commands:
#patch -p0 < vsftpd-2.0.5-encoding.patch
#patch -p0 < chinese_log.patch
#./configure
#make
#make install

7. Controlling anonymous-user permissions in vsftpd

1) Virtual users have the same permissions as anonymous users, and all virtual users are (and must be) mapped to the same local user, so to stop virtual users from uploading and creating files:

anon_mkdir_write_enable=NO

anon_upload_enable=NO

anon_****_enable=NO

2) Giving different virtual users different permissions

Add to /etc/vsftpd/vsftpd.conf:

#per-user configuration directory: each virtual user gets its own settings
user_config_dir=/etc/vsftpd/vusers

Under /etc/vsftpd/vusers, create one file per user, named after the user

[root@uu vusers]# ll        
total 8
-rw-r--r-- 1 root root 134 May 22 16:44 qian
-rw-r--r-- 1 root root  24 May 22 16:48 uqian

[root@uu vusers]# vim uqian
anon_world_readable_only=NO    # lets uqian download, and only download; with YES the user cannot even list files and directories
write_enable=YES               # write permission
anon_mkdir_write_enable=YES    # permission to create directories
anon_upload_enable=YES         # upload permission
anon_other_write_enable=YES    # delete/rename permission

8. Q&A

 

The fix is:

ftp> passive    (recommended)

ftp> quote    (may not work)
