3.5. vsftpd authentication backed by MySQL
This article implements MySQL-backed FTP authentication using three machines: a database server, an FTP server, and a client.
3.5.1. Database server configuration
3.5.1.1. Install the software and run the secure initialization
[root@centos-159 yum.repos.d]# yum install mariadb-server
[root@centos-159 yum.repos.d]# systemctl restart mariadb
[root@centos-159 yum.repos.d]# ss -tunl |grep 3306
tcp LISTEN 0 80 :::3306 :::*
[root@centos-159 yum.repos.d]# mysql_secure_installation
3.5.1.2. Create the database objects
[root@centos-159 yum.repos.d]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 27
Server version: 10.2.12-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database vsftpd;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| vsftpd             |
+--------------------+
5 rows in set (0.00 sec)

MariaDB [(none)]> grant select on vsftpd.* to vsftpd@'192.168.46.%' identified by 'user';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> use vsftpd;
Database changed

MariaDB [vsftpd]> create table users ( id int auto_increment primary key , name char(50) binary not null , password char(50) binary not null );
Query OK, 0 rows affected (0.01 sec)

MariaDB [vsftpd]> insert into users (name,password) values('user1' , password('user1'));
Query OK, 1 row affected (0.01 sec)

MariaDB [vsftpd]> insert into users (name,password) values('user2' , password('user2'));
Query OK, 1 row affected (0.00 sec)

MariaDB [vsftpd]> select * from users;
+----+--------+-------------------------------------------+
| id | name   | password                                  |
+----+--------+-------------------------------------------+
| 1  | user1  | *27BA6759E5C46E9564CA47033CA0FA65507DB3D0 |
| 2  | user2  | *9D961D6FF5C5B00850EFF7DA36AC400326748EE0 |
+----+--------+-------------------------------------------+
2 rows in set (0.00 sec)
3.5.2. FTP server configuration
3.5.2.1. Install vsftpd
[root@centos-152 src]# yum install vsftpd
3.5.2.2. Compile pam-mysql
# Install the required build dependencies
[root@centos-152 pam_mysql-0.7RC1]# yum install mariadb-devel pam-devel
[root@centos-152 pam_mysql-0.7RC1]# yum groupinstall "development tools"

# Download, compile and install
[root@centos-152 ~]# cd /usr/src
[root@centos-152 src]# wget https://jaist.dl.sourceforge.net/project/pam-mysql/pam-mysql/0.7RC1/pam_mysql-0.7RC1.tar.gz
[root@centos-152 src]# tar xf pam_mysql-0.7RC1.tar.gz
[root@centos-152 pam_mysql-0.7RC1]# cat README
[root@centos-152 pam_mysql-0.7RC1]# cat INSTALL
[root@centos-152 pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security
[root@centos-152 pam_mysql-0.7RC1]# make && make install

# Verify the module was installed
[root@centos-152 pam_mysql-0.7RC1]# ll /lib64/security/ |grep mysql
-rwxr-xr-x 1 root root 882 Feb 4 06:23 pam_mysql.la
-rwxr-xr-x 1 root root 141680 Feb 4 06:23 pam_mysql.so
3.5.2.3. Configuration files
PAM module configuration
[root@centos-152 pam_mysql-0.7RC1]# vim /etc/pam.d/vsftpd.mysql
[root@centos-152 pam_mysql-0.7RC1]# cat /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=user host=192.168.46.159 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=user host=192.168.46.159 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
vsftpd configuration
[root@centos-152 pam_mysql-0.7RC1]# vim /etc/vsftpd/vsftpd.conf
# Add the following 3 lines
guest_enable=YES
guest_username=ftpuser
user_config_dir=/etc/vsftpd/mysql.users.conf.d/
[root@centos-152 vsftpd]# mkdir mysql.users.conf.d
[root@centos-152 vsftpd]# cd mysql.users.conf.d/
[root@centos-152 mysql.users.conf.d]# vim user1
[root@centos-152 mysql.users.conf.d]# cat user1
anon_upload_enable=YES
anon_mkdir_write_enable=YES
Create the directory for the virtual users
[root@centos-152 vsftpd]# useradd -d /data/ftpuser -s /sbin/nologin ftpuser
[root@centos-152 vsftpd]# chmod a-w /data/ftpuser/
[root@centos-152 vsftpd]# mkdir /data/ftpuser/{pub,upload}
[root@centos-152 vsftpd]# setfacl -m u:ftpuser:rwx /data/ftpuser/upload/
[root@centos-152 vsftpd]# setfacl -m u:ftpuser:rx /data/ftpuser/pub/
3.5.3. Testing
Restart the service before testing.
[root@centos-152 mysql.users.conf.d]# ftp 192.168.46.152
Connected to 192.168.46.152 (192.168.46.152).
220 (vsFTPd 3.0.2)
Name (192.168.46.152:root): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> cd upload
250 Directory successfully changed.
ftp> !ls
user1
ftp> lcd /root
Local directory now /root
ftp> !ls
anaconda-ks.cfg anaconda-ks.cfg.bak ansible bigfile bin hosts.txt localhost.localdomain.txt q test.sh
ftp> put bigfile
local: bigfile remote: bigfile
227 Entering Passive Mode (192,168,46,152,163,95).
150 Ok to send data.
226 Transfer complete.
1900544 bytes sent in 0.303 secs (6267.05 Kbytes/sec)
ftp> quit
221 Goodbye.
[root@centos-152 mysql.users.conf.d]# ftp 192.168.46.152
Connected to 192.168.46.152 (192.168.46.152).
220 (vsFTPd 3.0.2)
Name (192.168.46.152:root): user2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd uploads
550 Failed to change directory.
ftp> cd upload
250 Directory successfully changed.
ftp> lcd /root
Local directory now /root
ftp> !ls
anaconda-ks.cfg anaconda-ks.cfg.bak ansible bigfile bin hosts.txt localhost.localdomain.txt q test.sh
ftp> put bigfile
local: bigfile remote: bigfile
227 Entering Passive Mode (192,168,46,152,46,63).
550 Permission denied.
ftp> quit
221 Goodbye.
As the test shows, both user1 and user2 authenticate successfully; only user1 can upload, because only user1 has the extra per-user configuration file.
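An added example in Python (not part of the original tutorial) that parses the pam_mysql.so option line configured above, flags the settings a reviewer would question, and reproduces the MySQL PASSWORD() hash that crypt=2 compares against, so the value computed for 'user1' can be checked against the users table shown earlier. PAM_LINE is a constructed copy of the tutorial's auth line; the crypt= meanings follow the pam_mysql README, and the finding texts are this example's own.

```python
import hashlib

# Constructed copy of the auth line from the tutorial's /etc/pam.d/vsftpd.mysql
PAM_LINE = ("auth required pam_mysql.so user=vsftpd passwd=user host=192.168.46.159 "
            "db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2")

# crypt= values as documented in the pam_mysql README (default is 0, plaintext)
CRYPT_MODES = {"0": "plain", "1": "crypt(3)", "2": "mysql PASSWORD()",
               "3": "md5", "4": "sha1"}

def parse_pam_mysql_line(line):
    """Return the key=value options of a pam_mysql.so line, or None for other modules."""
    fields = line.split()
    if "pam_mysql.so" not in fields:
        return None
    opts = {}
    for tok in fields[fields.index("pam_mysql.so") + 1:]:
        key, _, val = tok.partition("=")
        opts[key] = val
    return opts

def audit_pam_mysql(opts):
    """Findings a reviewer would raise about these pam_mysql options."""
    findings = []
    mode = CRYPT_MODES.get(opts.get("crypt", "0"), "unknown")
    if mode == "plain":
        findings.append("crypt=0: passwords stored and compared in plaintext")
    elif mode in ("mysql PASSWORD()", "md5", "sha1"):
        findings.append(f"crypt={opts['crypt']} ({mode}): unsalted fast hash, "
                        "equal passwords give equal rows in the users table")
    if opts.get("user") == "root":
        findings.append("user=root: vsftpd binds to the DB as superuser; use a SELECT-only account")
    if "passwd" in opts:
        findings.append("passwd= is stored in the PAM file: restrict that file's permissions")
    return findings

def mysql_password(password):
    """MySQL 4.1+ PASSWORD(): '*' + hex(SHA1(SHA1(pw))), which crypt=2 compares against."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

if __name__ == "__main__":
    opts = parse_pam_mysql_line(PAM_LINE)
    for finding in audit_pam_mysql(opts):
        print("-", finding)
    # constructed: two accounts choosing the same password get identical stored hashes
    print(mysql_password("user1"), mysql_password("user1") == mysql_password("user1"))
```

Because the hash is unsalted, a leaked users table reveals which accounts share a password; the SELECT-only grant from 192.168.46.% in the database section limits what the FTP server's credential can read if it is exposed.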