实现基于MYSQL验证的vsftpd虚拟用户
前述概要
- 本实验需要两台主机,一台充当FTP服务器,一台充当MySQL服务器
- FTP服务器:CentOS 7系统,IP地址为172.20.54.1
- MySQL服务器:CentOS 7系统,IP地址为172.20.54.2
1️⃣配置mysql服务器
/ 安装Mariadb数据库
# Install MariaDB server, then enable it at boot and start it immediately.
yum install --assumeyes mariadb-server
systemctl enable --now mariadb
/ 配置虚拟用户数据库
MariaDB [(none)]> CREATE DATABASE ftpdb;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> USE ftpdb;
Database changed
MariaDB [ftpdb]> CREATE TABLE ftpvusers (
-> id INT UNSIGNED AUTO_INCREMENT NOT NULL PRIMARY KEY,
-> username CHAR(50),
-> password CHAR(50) BINARY NOT NULL
-> );
Query OK, 0 rows affected (0.00 sec)
/ 使用password()函数对密码做哈希后再存储,避免明文存储密码(需与下文pam配置中的crypt=2相对应)
MariaDB [ftpdb]> INSERT ftpvusers (username,password)VALUES('ftpuse1',password('centos'));
Query OK, 1 row affected (0.00 sec)
MariaDB [ftpdb]> INSERT ftpvusers (username,password)VALUES('ftpuse2',password('centos'));
Query OK, 1 row affected (0.00 sec)
/ 建立供FTP服务器连接数据库的授权账户(pam_mysql认证只需读取该表,按最小权限原则授予SELECT即可,无需ALL)
MariaDB [ftpdb]> GRANT ALL ON ftpdb.* TO ftpuser@'172.20.54.%' IDENTIFIED BY 'centos';
Query OK, 0 rows affected (0.00 sec)
MariaDB [ftpdb]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
2️⃣FTP服务器上安装vsftpd和编译pam_mysql
- 安装vsftpd
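# Install vsftpd; enable it as well as starting it so the service survives a
# reboot (the mariadb step above already uses enable --now for the same reason).
yum -y install vsftpd
systemctl enable --now vsftpd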
- 编译pam_mysql
/ 安装编译工具及相关开发包
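# Build dependencies for pam_mysql (compiler, make, MariaDB and PAM headers);
# vsftpd itself was already installed in the previous step.
yum -y install gcc gcc-c++ make mariadb-devel pam-devel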
/ 下载pam-mysql源码进行编译
/ 下载pam_mysql-0.7RC1.tar.gz
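# Fetch the pam_mysql source tarball. The download is plain HTTP, so verify the
# archive against the checksum published by the project before building it;
# fill in the published value in place of the placeholder:
#   echo '<PUBLISHED_SHA256>  pam_mysql-0.7RC1.tar.gz' | sha256sum -c -
wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
tar xf pam_mysql-0.7RC1.tar.gz
# Stop here if the directory is missing so configure/make do not run elsewhere.
cd pam_mysql-0.7RC1 || exit 1
# Install the module into the directory where PAM looks up relative module names.
./configure --with-pam-mods-dir=/lib64/security/
make && make install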
[root@Centos7 pam_mysql-0.7RC1]# ll /lib64/security/pam_mysql*
-rwxr-xr-x 1 root root 883 Dec 18 14:40 /lib64/security/pam_mysql.la
-rwxr-xr-x 1 root root 141712 Dec 18 14:40 /lib64/security/pam_mysql.so
3️⃣FTP服务器上建立系统用户
[root@Centos7 ~]# useradd -d /data/ftpsite -s /sbin/nologin ftpvuser
/ 去除根目录写权限
[root@Centos7 ~]# chmod 555 /data/ftpsite/
[root@Centos7 ~]# mkdir -p /data/ftpsite/upload
[root@Centos7 ~]# setfacl -m u:ftpvuser:rwx /data/ftpsite/upload
4️⃣FTP服务器上创建pam配置文件
vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=ftpuser passwd=centos host=172.20.54.2 db=ftpdb \
table=ftpvusers usercolumn=username passwdcolumn=password crypt=2
account required pam_mysql.so user=ftpuser passwd=centos host=172.20.54.2 db=ftpdb \
table=ftpvusers usercolumn=username passwdcolumn=password crypt=2
- crypt指定密码的存储/比对方式,0表示明文,1表示crypt(3),2表示使用mysql password()函数,3表示md5,4表示sha1
- 配置字段说明(以下各项为示例值,本实验实际使用的值以上面的配置文件为准;该文件中含有数据库口令,应仅允许root读取)
auth 表示认证
account 表示账号有效性检查
required 表示该模块必须通过,否则最终认证失败
pam_mysql.so模块是默认的相对路径,是相对/lib64/security/路径而言,也可以写绝对路径;后面为给此模块传递的参数
user=vsftpd为登录mysql的用户
passwd=magedu 登录mysql的密码
host=mysqlserver mysql服务器的主机名或ip地址
db=vsftpd 指定连接mysql的数据库名称
table=users 指定连接数据库中的表名
usercolumn=name 当做用户名的字段
passwdcolumn=password 当做密码的字段
crypt=2 密码的加密方式为mysql password()函数加密
5️⃣FTP服务器上指定pam配置文件
vim /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.mysql
/ 映射系统用户
guest_enable=YES
guest_username=ftpvuser
/ 虚拟用户独立配置目录
user_config_dir=/etc/vsftpd/vusers.conf.d/
6️⃣FTP服务器上建立每个虚拟用户的独立配置文件
vim /etc/vsftpd/vusers.conf.d/ftpuse1
anon_upload_enable=YES
vim /etc/vsftpd/vusers.conf.d/ftpuse2
anon_upload_enable=YES
local_root=/data/ftpsite2
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
7️⃣FTP服务器上配置共享根目录,重启vsftpd服务
[root@Centos7 ~]# mkdir -p /data/ftpsite2/upload
[root@Centos7 ~]# chmod 555 /data/ftpsite2
[root@Centos7 ~]# setfacl -m u:ftpvuser:rwx /data/ftpsite2/upload/
[root@Centos7 ~]# touch /data/ftpsite/ftptest1.txt
[root@Centos7 ~]# touch /data/ftpsite2/ftptest2.txt
8️⃣客户端测试
- ftpuse1账户登录测试,进入了正确的目录,可以在子目录/upload上传文件
[root@Centos7 ~]# ftp 172.20.54.1
Connected to 172.20.54.1 (172.20.54.1).
220 (vsFTPd 3.0.2)
Name (172.20.54.1:root): ftpuse1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls / 查看目录文件
227 Entering Passive Mode (172,20,54,1,188,170).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Dec 18 07:06 ftptest1.txt
drwxrwxr-x 2 0 0 6 Dec 18 06:44 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> put anaconda-ks.cfg / 上传文件
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (172,20,54,1,34,230).
150 Ok to send data.
226 Transfer complete.
1615 bytes sent in 0.00106 secs (1516.43 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (172,20,54,1,64,78).
150 Here comes the directory listing.
-rw------- 1 1001 1001 1615 Dec 18 07:27 anaconda-ks.cfg
226 Directory send OK.
- ftpuse2账户登录测试,进入了正确的目录;根目录无写权限,在根目录创建目录失败,但可以在子目录/upload上传文件
[root@Centos7 ~]# ftp 172.20.54.1
Connected to 172.20.54.1 (172.20.54.1).
220 (vsFTPd 3.0.2)
Name (172.20.54.1:root): ftpuse2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls / 查看目录文件
227 Entering Passive Mode (172,20,54,1,217,9).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Dec 18 07:06 ftptest2.txt
drwxrwxr-x 2 0 0 6 Dec 18 07:05 upload
226 Directory send OK.
ftp> mkdir testdir / 创建新目录
550 Create directory operation failed.
ftp> ls
227 Entering Passive Mode (172,20,54,1,42,122).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Dec 18 07:06 ftptest2.txt
drwxrwxr-x 2 0 0 6 Dec 18 07:05 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> put anaconda-ks.cfg / 上传文件
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (172,20,54,1,169,45).
150 Ok to send data.
226 Transfer complete.
1615 bytes sent in 0.000266 secs (6071.43 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (172,20,54,1,73,4).
150 Here comes the directory listing.
-rw------- 1 1001 1001 1615 Dec 18 07:30 anaconda-ks.cfg
226 Directory send OK.
Entering Passive Mode (172,20,54,1,73,4).
150 Here comes the directory listing.
-rw------- 1 1001 1001 1615 Dec 18 07:30 anaconda-ks.cfg
226 Directory send OK.