实现基于MYSQL验证的vsftpd虚拟用户
- cos7(192.168.31.7) 当ftp服务器;cos17(192.168.31.17)当数据库服务器
1、安装包和包组
#pam_mysql 是 ftp 服务通过 PAM 连接数据库做认证的模块,CentOS 7 上没有现成的包,需要编译安装;打开项目网址(http://sf.net/projects/pam-mysql/ ,Last Update: 2013-04-17)下载安装包
[root@centos6 ~ ]#yum info pam_mysql
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
Available Packages
Name : pam_mysql
Arch : i686
Epoch : 1
Version : 0.7
Release : 0.12.rc1.el6
Size : 38 k
Repo : epel
Summary : PAM module for auth UNIX users using MySQL data base
URL : http://sf.net/projects/pam-mysql/
cos7(192.168.31.7) 当ftp服务器
[root@cos7:~]# yum install vsftpd mariadb-devel pam-devel "development tools" -y
#17当数据库服务器
[root@cos17:~]# yum install mariadb-server -y
[root@cos17:~]# systemctl start mariadb #启动mariadb-server服务
[root@cos17:~]# ss -ntl #确认3306端口打开了
#编译安装pam_mysql
[root@cos7:~]# ls
pam_mysql-0.7RC1.tar.gz \*\*省略\*\*
[root@cos7:~]# tar xf pam_mysql-0.7RC1.tar.gz
[root@cos7:~]# cd pam_mysql-0.7RC1/
[root@cos7:pam_mysql-0.7RC1]# ls
acinclude.m4 config.h.in COPYING ltmain.sh mkinstalldirs pam_mysql.spec.in
aclocal.m4 config.sub CREDITS Makefile.am NEWS pkg.m4
ChangeLog configure INSTALL Makefile.in pam_mysql.c README
config.guess configure.in install-sh missing pam_mysql.spec stamp-h.in
[root@cos7:pam_mysql-0.7RC1]# cat INSTALL #有安装说明步骤及选项参数
[root@cos7:pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security --with-mysql=/usr --with-pam=/usr
[root@cos7:pam_mysql-0.7RC1]# ls /lib64/security/ #此时此目录下还没有pam_mysql.so模块
[root@cos7:pam_mysql-0.7RC1]# make && make install #编译安装;编译过程中的警告/报错信息可以忽略,以下一步 ls 确认 pam_mysql.so 已生成为准
[root@cos7:pam_mysql-0.7RC1]# ls /lib64/security/ #此时此目录生成了pam_mysql.so模块
2、FTP服务器实现PAM配置
[root@cos7:pam_mysql-0.7RC1]# cat README #查看连接数据库的相关信息
[root@cos7:~]# vim /etc/pam.d/vsftpd.mysql #在 FTP 服务器上配置;此文件含数据库明文口令,应仅 root 可读(chmod 600);crypt=2 对应下文建表时用 password() 函数存储的口令
auth required pam_mysql.so user=vsftpd passwd=centos host=192.168.31.17 db=ftpdb table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=centos host=192.168.31.17 db=ftpdb table=users usercolumn=name passwdcolumn=password crypt=2
3、准备数据库中ftp相关的表
[root@cos17:~]# mysql
MariaDB [(none)]> create database ftpdb;
MariaDB [(none)]> grant select on ftpdb.* to vsftpd@'192.168.31.7' identified by 'centos'; #只授予 select 权限,且仅允许 FTP 服务器 192.168.31.7 连接
MariaDB [(none)]> use ftpdb
MariaDB [ftpdb]> create table users ( #创建表
-> id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
-> name CHAR(50) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL
-> );
#创建两个ftp虚拟账号
MariaDB [ftpdb]> INSERT INTO users(name,password) values('ftp1',password('centos'));
MariaDB [ftpdb]> INSERT INTO users(name,password) values('ftp2',password('centos'));
MariaDB [ftpdb]> select * from users;
+----+------+-------------------------------------------+
| id | name | password |
+----+------+-------------------------------------------+
| 1 | ftp1 | *07012D77331829FBC7415FCFE0041354CE238D41 |
| 2 | ftp2 | *1CF9815FD56E839A519A21CFABB148B4109FEDB7 |
+----+------+-------------------------------------------+
4、修改vsftpd配置文件,调用pam_mysql模块
[root@cos7:~]# useradd -s /sbin/nologin vftpuser #创建系统账号,让虚拟账号映射到系统账号
[root@cos7:~]# vim /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.mysql #修改为vsftpd.mysql(写入配置文件时不要带行尾 # 注释,vsftpd 不支持行尾注释)
guest_enable=YES #添加此行到配置文件最后一行
guest_username=vftpuser #指定 guest 对应的系统账号为 vftpuser,所有虚拟账号登录后都映射为该系统账号
5、虚拟用户映射到系统用户
[root@cos7:~]# ll /home/vftpuser/ -d
drwx------ 3 vftpuser vftpuser 78 Aug 14 20:32 /home/vftpuser/
[root@cos7:~]# chmod 555 /home/vftpuser #setfacl -m u:vftpuser:rx /home/vftpuser/
#见脚注1:chroot 后的登录根目录不能有写权限,否则 vsftpd 拒绝登录
[root@cos7:~]# systemctl start vsftpd
[root@cos7:~]# ss -ntl
#拿centos7-2当客户端,访问ftp服务器
[root@cos7-2:~ ]# yum install ftp -y
[root@cos7-2:~ ]# ftp 192.168.31.7
Connected to 192.168.31.7 (192.168.31.7).
220 (vsFTPd 3.0.2)
Name (192.168.31.7:root): ftp1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
6、实现不同虚拟用户不同权限或目录
[root@cos7:~]# vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vftpuser.d #添加此行到配置文件最后一行
[root@centos7:~]# mkdir /etc/vsftpd/vftpuser.d/
[root@centos7:~]# mkdir /etc/vsftpd/vftpuser.d/
[root@cos7:~]# vim /etc/vsftpd/vftpuser.d/ftp1
local_root=/data/ftp1
anon_upload_enable=YES
anon_mkdir_write_enable=YES
#或者用 setfacl 使用户 vftpuser 对上传目录具有 rwx 权限;上传需要写权限(见脚注2)。注意先创建 /data/ftp1/upload 目录再设置 ACL,写权限只给 upload 子目录,登录根 /data/ftp1 本身保持不可写(见脚注1)
[root@cos7:~]# setfacl -m u:vftpuser:rwx /data/ftp1/upload
[root@centos7:data]# mkdir /data/ftp1/upload
[root@cos7:~]# vim /etc/vsftpd/vftpuser.d/ftp2
local_root=/data/ftp2
[root@centos7:data]# mkdir /data/ftp2
-----------#脚注1
[root@cos7-2:~ ]# ftp 192.168.31.7
Connected to 192.168.31.7 (192.168.31.7).
220 (vsFTPd 3.0.2)
Name (192.168.31.7:root): ftp1
331 Please specify the password.
Password:
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Login failed.
-----------#脚注2
ftp> !ls
anaconda-ks.cfg Documents initial-setup-ks.cfg Pictures Templates
Desktop Downloads Music Public Videos
ftp> put initial-setup-ks.cfg
local: initial-setup-ks.cfg remote: initial-setup-ks.cfg
227 Entering Passive Mode (192,168,31,7,114,200).
550 Permission denied.
ftp>
总结
实验:基于MYSQL的FTP虚拟用户
两台主机:1 FTP服务器,2 MYSQL服务器
1 FTP服务器安装包
yum install mariadb-devel pam-devel
yum groupinstall "development tools"
2 FTP服务器编译模块
tar xf pam_mysql-0.7RC1.tar.gz
cd pam_mysql-0.7RC1/
cat INSTALL
./configure --with-pam-mods-dir=/lib64/security --with-mysql=/usr --with-pam=/usr
make && make install
3 另一台主机实现MYSQL
create database ftpdb;
grant select on ftpdb.* to vsftpd@'192.168.31.7' identified by 'magedu'; #口令需与 PAM 配置中的 passwd= 一致(上文示例为 centos,总结中为 magedu)
use ftpdb
create table users (
id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
name CHAR(50) BINARY NOT NULL,
password CHAR(48) BINARY NOT NULL
);
#create table users ( id INT AUTO_INCREMENT NOT NULL PRIMARY KEY, name CHAR(50) BINARY NOT NULL, password CHAR(48) BINARY NOT NULL );
INSERT INTO users(name,password) values('ftp1',password('magedu'));
INSERT INTO users(name,password) values('ftp2',password('magedu'));
select * from users;
4 FTP服务器实现PAM配置
vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=magedu host=192.168.31.17 db=ftpdb table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=magedu host=192.168.31.17 db=ftpdb table=users usercolumn=name passwdcolumn=password crypt=2
5 FTP服务器vsftpd配置文件
pam_service_name=vsftpd.mysql
guest_enable=YES
guest_username=vftpuser
user_config_dir=/etc/vsftpd/vftpuser.d
6 虚拟用户映射的系统用户
useradd -s /sbin/nologin vftpuser
chmod 555 /home/vftpuser
mkdir /home/vftpuser/upload
chown vftpuser:vftpuser /home/vftpuser/upload
7 实现不同虚拟用户不同权限或目录
mkdir /etc/vsftpd/vftpuser.d
vim /etc/vsftpd/vftpuser.d/ftp1
local_root=/data/ftp1
anon_upload_enable=YES
anon_mkdir_write_enable=YES
setfacl -m u:vftpuser:rwx /data/ftp1/upload #/data/ftp1中其它用户无写权限
vim /etc/vsftpd/vftpuser.d/ftp2
local_root=/data/ftp2