Linux基础入门之vsFTP+MySQL/MariaDB认证实现虚拟用户配置详解

摘要

VSFTP可以使用系统账户或者匿名账户登录,但是出于安全的考虑,通常建议使用vsftp虚拟账户来登录ftp服务器,虚拟用户是指使用独立的文件保存vsftp用户帐号,虚拟账户只能登录ftp服务器。

一、配置基于MySQL认证的的vsftpd

1、安装vsftpd、启动vsftpd、配置vsftpd开机启动

[root@Legion100 ~]# yum install vsftpd pam_mysql -y
[root@Legion100 ~]# service vsftpd start
为 vsftpd 启动 vsftpd:                                    [确定]
[root@Legion100 ~]# netstat -tnlp | grep 21
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      7574/vsftpd
[root@Legion100 ~]# chkconfig vsftpd on
[root@Legion100 ~]# chkconfig --list vsftpd
vsftpd          0:关闭  1:关闭  2:启用  3:启用  4:启用  5:启用  6:关闭
[root@Legion100 ~]# 

2、安装MySQL/MariaDB

1)、编译安装MariaDB、设置开机启动

[root@Legion100 ~]# cd /tmp/
[root@Legion100 /tmp]# groupadd -g 1500 mysql && useradd -g mysql -u 1500 -s /sbin/nologin -M mysql
[root@Legion100 /tmp]# yum install cmake -y
[root@Legion100 /tmp]# wget "https://downloads.mariadb.org/interstitial/mariadb-10.0.19/source/mariadb-10.0.19.tar.gz/from/http%3A//mirrors.opencas.cn/mariadb" -O mariadb-10.0.19.tar.gz
[root@Legion100 /tmp]# tar xf mariadb-10.0.19.tar.gz
[root@Legion100 /tmp]# cd mariadb-10.0.19
[root@Legion100 /tmp/mariadb-10.0.19]# cmake . -DCMAKE_INSTALL_PREFIX=/usr/local/mysql \
-DMYSQL_DATADIR=/data/mysql \
-DWITH_SSL=system \
-DWITH_INNOBASE_STORAGE_ENGINE=1 \
-DWITH_ARCHIVE_STORAGE_ENGINE=1 \
-DWITH_BLACKHOLE_STORAGE_ENGINE=1 \
-DWITH_SPHINX_STORAGE_ENGINE=1 \
-DWITH_ARIA_STORAGE_ENGINE=1 \
-DWITH_XTRADB_STORAGE_ENGINE=1 \
-DWITH_PARTITION_STORAGE_ENGINE=1 \
-DWITH_FEDERATEDX_STORAGE_ENGINE=1 \
-DWITH_MYISAM_STORAGE_ENGINE=1 \
-DWITH_PERFSCHEMA_STORAGE_ENGINE=1 \
-DWITH_EXTRA_CHARSETS=all \
-DWITH_EMBEDDED_SERVER=1 \
-DWITH_READLINE=1 \
-DWITH_ZLIB=system \
-DWITH_LIBWRAP=0 \
-DEXTRA_CHARSETS=all \
-DENABLED_LOCAL_INFILE=1 \
-DMYSQL_UNIX_ADDR=/tmp/mysql.sock \
-DDEFAULT_CHARSET=utf8 \
-DDEFAULT_COLLATION=utf8_general_ci
[root@Legion100 /tmp/mariadb-10.0.19]# make -j $(awk '/processor/{i++}END{print i}' /proc/cpuinfo) && make install  && echo $?
[root@Legion100 /tmp/mariadb-10.0.19]# cd /usr/local/mysql/
[root@Legion100 /usr/local/mysql]# echo "export PATH=/usr/local/mysql/bin:\$PATH" > /etc/profile.d/mariadb10.0.19.sh
[root@Legion100 /usr/local/mysql]# . /etc/profile.d/mariadb10.0.19.sh
[root@Legion100 /usr/local/mysql]# sed -i "$(awk '$1=="MANPATH"{a=NR}END{print a}' /etc/man.config)a MANPATH\t/usr/local/mysql/man" /etc/man.config
[root@Legion100 /usr/local/mysql]# cp -a support-files/mysql.server /etc/rc.d/init.d/mysqld
[root@Legion100 /usr/local/mysql]# \cp support-files/my-large.cnf /etc/my.cnf
[root@Legion100 /usr/local/mysql]# sed -i '/query_cache_size/a datadir = /data/mysql' /etc/my.cnf
[root@Legion100 /usr/local/mysql]# mkdir -p /data/mysql
[root@Legion100 /usr/local/mysql]# chown -R mysql.mysql /data/mysql
[root@Legion100 /usr/local/mysql]# /usr/local/mysql/scripts/mysql_install_db --user=mysql --datadir=/data/mysql/ --basedir=/usr/local/mysql
[root@Legion100 /usr/local/mysql]# chkconfig mysqld on
[root@Legion100 /usr/local/mysql]# chkconfig --list mysqld
mysqld          0:关闭  1:关闭  2:启用  3:启用  4:启用  5:启用  6:关闭
[root@Legion100 /usr/local/mysql]# service mysqld start
Starting MySQL.                                            [确定]
[root@Legion100 /usr/local/mysql]# ss -tnlp | grep 3306
LISTEN     0      150                      :::3306                    :::*      users:(("mysqld",33450,21))
[root@Legion100 /usr/local/mysql]# 

2)、做vsftpd用户认证的授权

[root@Legion100 ~]# mysql   #登录数据库
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.0.19-MariaDB-log Source distribution

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> USE mysql; #进入mysql库
Database changed
MariaDB [mysql]> UPDATE user set password=PASSWORD('lookback') WHERE USER='root'; #给所有的root帐户设置密码为lookback
Query OK, 4 rows affected (0.01 sec)
Rows matched: 4  Changed: 4  Warnings: 0

MariaDB [mysql]> DELETE FROM user WHERE User='';   #删除MariaDB所有的匿名帐号
Query OK, 2 rows affected (0.00 sec)

MariaDB [mysql]> create database vsftpd;   #新建vsftpd库
Query OK, 1 row affected (0.01 sec)

MariaDB [mysql]> grant select on vsftpd.* to vsftpd@localhost identified by 'lookback'; #新建一个vsftpd的用户密码是lookback权限是查询select,本地访问
Query OK, 0 rows affected (0.00 sec)

MariaDB [mysql]> grant select on vsftpd.* to vsftpd@127.0.0.1 identified by 'lookback'; #新建一个vsftpd的用户密码是lookback权限是select,本地访问
Query OK, 0 rows affected (0.00 sec)

MariaDB [mysql]> grant select on vsftpd.* to vsftpd@'172.16.%.%' identified by 'lookback'; #新建一个vsftpd的用户密码是lookback权限是select,可以在172.16.0.0/16网段内访问（host 模式 172.16.%.% 匹配的是 172.16.x.x，而不是整个 /8）
Query OK, 0 rows affected (0.00 sec)

MariaDB [mysql]> SELECT USER,PASSWORD,HOST FROM user; #查看下MariaDB上的用户用户名和host
+--------+-------------------------------------------+--------------------+
| USER   | PASSWORD                                  | HOST               |
+--------+-------------------------------------------+--------------------+
| root   | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C | localhost          |
| root   | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C | legion100.dwhd.org |
| root   | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C | 127.0.0.1          |
| root   | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C | ::1                |
| vsftpd | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C | localhost          |
| vsftpd | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C | 127.0.0.1          |
| vsftpd | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C | 172.16.%.%         |
+--------+-------------------------------------------+--------------------+
7 rows in set (0.00 sec)

MariaDB [mysql]> use vsftpd;  #进入vsftpd库
Database changed
MariaDB [vsftpd]> create table users (
    -> id int AUTO_INCREMENT NOT NULL,
    -> name char(20) binary NOT NULL,
    -> password char(48) binary NOT NULL,
    -> primary key(id)
    -> );    #新建一个名为users的表,表中有id、name、password字段,id是自动增长,name是20个字符长度二进制存放区分大小写,password最大48字符二进制存放区分大小写,
Query OK, 0 rows affected (0.12 sec)

MariaDB [vsftpd]> insert into users(name,password) values('Legion',password('lookback')); #在users表中新建个Legion的用户密码是lookback
Query OK, 1 row affected (0.00 sec)

MariaDB [vsftpd]> insert into users(name,password) values('LookBack',password('lookback')); #在users表中新建个LookBack的用户密码是lookback
Query OK, 1 row affected (0.01 sec)

MariaDB [vsftpd]> SELECT id,name,password FROM users; #查看下users表
+----+----------+-------------------------------------------+
| id | name     | password                                  |
+----+----------+-------------------------------------------+
|  1 | Legion   | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C |
|  2 | LookBack | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C |
+----+----------+-------------------------------------------+
2 rows in set (0.00 sec)

MariaDB [vsftpd]> FLUSH PRIVILEGES; #刷新生效上面的配置
Query OK, 0 rows affected (0.00 sec)

MariaDB [vsftpd]> \q
Bye
[root@Legion100 ~]# 

3)、测试MariaDB的连接（注意：下面的示例把密码直接写在 -p 参数里，它会留在 shell 历史和 ps 输出中；生产环境应只写 -p，让客户端交互式提示输入密码）

[root@Legion100 ~]# mysql -uvsftpd -plookback -h172.16.6.100 -P3306
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.0.19-MariaDB-log Source distribution

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
| vsftpd             |
+--------------------+
3 rows in set (0.00 sec)

MariaDB [(none)]> USE vsftpd
Database changed
MariaDB [vsftpd]> SHOW tables;
+------------------+
| Tables_in_vsftpd |
+------------------+
| users            |
+------------------+
1 row in set (0.00 sec)

MariaDB [vsftpd]> SELECT id,name,password FROM users;
+----+----------+-------------------------------------------+
| id | name     | password                                  |
+----+----------+-------------------------------------------+
|  1 | Legion   | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C |
|  2 | LookBack | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C |
+----+----------+-------------------------------------------+
2 rows in set (0.00 sec)

MariaDB [vsftpd]> \q
Bye
[root@Legion100 ~]# 

3、配置vsFTPD

1)、建立pam认证所需的文件
新建一个 /etc/pam.d/vsftpd.mariadb 文件（下面写入的内容包含数据库明文密码，该文件应只允许 root 读取）

[root@Legion100 ~]# touch /etc/pam.d/vsftpd.mariadb

2)、64位系统写入下面的内容

auth required /lib64/security/pam_mysql.so user=vsftpd passwd=lookback host=172.16.6.100 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib64/security/pam_mysql.so user=vsftpd passwd=lookback host=172.16.6.100 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

32位系统写入下面的内容

auth required /lib/security/pam_mysql.so user=vsftpd passwd=lookback host=172.16.6.100 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib/security/pam_mysql.so user=vsftpd passwd=lookback host=172.16.6.100 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

32位和64位通用写法

auth required pam_mysql.so user=vsftpd passwd=lookback host=172.16.6.100 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=lookback host=172.16.6.100 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

3)、修改vsftpd配置文件

[root@Legion100 ~]# cd /etc/vsftpd/
[root@Legion100 /etc/vsftpd]# cp vsftpd.conf vsftpd.conf_`date +%F`
[root@Legion100 /etc/vsftpd]# ls
ftpusers user_list vsftpd.conf vsftpd.conf_2015-06-03 vsftpd_conf_migrate.sh
[root@Legion100 /etc/vsftpd]# groupadd -g 1501 vftpuser && useradd -g vftpuser -u 1501 -s /sbin/nologin -d /home/vftpuser vftpuser
[root@Legion100 /etc/vsftpd]# id vftpuser
uid=1501(vftpuser) gid=1501(vftpuser) 组=1501(vftpuser)
[root@Legion100 /etc/vsftpd]# finger vftpuser
Login: vftpuser                         Name:
Directory: /home/vftpuser               Shell: /sbin/nologin
Never logged in.
No mail.
No Plan.
[root@Legion100 /etc/vsftpd]# mkdir -p /home/vftpuser
[root@Legion100 /etc/vsftpd]# chown -R vftpuser.vftpuser /home/vftpuser
[root@Legion100 /etc/vsftpd]# chmod go+rx /home/vftpuser
[root@Legion100 /etc/vsftpd]# ls -ld /home/vftpuser/
drwxr-xr-x 4 vftpuser vftpuser 4096 6月   3 16:14 /home/vftpuser/
[root@Legion100 /etc/vsftpd]# grep -Ev '(^#\s.*|^#|^$)' vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd.mariadb
#把pam_service_name改为vsftpd.mariadb后，认证只经过上面的pam_mysql配置，系统用户将无法再登录ftp
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vftpuser

reload下vsftpd使刚才上面的配置文件修改生效

[root@Legion100 /etc/vsftpd]# service vsftpd reload
关闭 vsftpd:                                              [确定]
为 vsftpd 启动 vsftpd:                                    [确定]
[root@Legion100 /etc/vsftpd]# 

4、测试登录

1)、Linux下

[root@Legion101 ~]# ifconfig | sed -rn '/^[^ \t]/{N;s/(^[^ ]*).*addr:([^ ]*).*/\1 \2/p}' | \
> awk '$2!~/^192\.168|^10\.|^127|^0|^$/{print $1"="$2}'
eth0=172.16.6.101
[root@Legion101 ~]# ftp 172.16.6.100
Connected to 172.16.6.100 (172.16.6.100).
220 (vsFTPd 2.2.2)
Name (172.16.6.100:root): Legion
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
[root@Legion101 ~]# ftp 172.16.6.100
Connected to 172.16.6.100 (172.16.6.100).
220 (vsFTPd 2.2.2)
Name (172.16.6.100:root): LookBack
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
[root@Legion101 ~]# 


2)、Windows下

Microsoft Windows [版本 6.3.9600]
(c) 2013 Microsoft Corporation。保留所有权利。

C:\Users\Administrator>ftp 172.16.6.100
连接到 172.16.6.100。
220 (vsFTPd 2.2.2)
用户(172.16.6.100:(none)): Legion
331 Please specify the password.
密码:
230 Login successful.
ftp> pwd
257 "/"
ftp> bye
221 Goodbye.

C:\Users\Administrator>ftp 172.16.6.100
连接到 172.16.6.100。
220 (vsFTPd 2.2.2)
用户(172.16.6.100:(none)): LookBack
331 Please specify the password.
密码:
230 Login successful.
ftp> pwd
257 "/"
ftp> bye
221 Goodbye.

C:\Users\Administrator>


3)、客户端

5、配置基于单个虚拟用户的权限
从上面可以看出，我们创建的两个虚拟用户只能登录，但不能上传文件。下面说明具体的虚拟用户权限配置。

[root@Legion100 /etc/vsftpd]# echo "user_config_dir=/etc/vsftpd/vftpusers" >> /etc/vsftpd/vsftpd.conf
[root@Legion100 /etc/vsftpd]# mkdir -p /etc/vsftpd/vftpusers
[root@Legion100 /etc/vsftpd]# cd /etc/vsftpd/vftpusers
[root@Legion100 /etc/vsftpd/vftpusers]# touch /etc/vsftpd/vftpusers/{Legion,LookBack}
[root@Legion100 /etc/vsftpd/vftpusers]# cat > /etc/vsftpd/vftpusers/Legion <<EOF
anon_upload_enable=YES
#允许Legion用户可以上传文件
anon_mkdir_write_enable=YES
#允许Legion用户创建目录
anon_other_write_enable=YES
#允许Legion可以删除文件
EOF
[root@Legion100 /etc/vsftpd/vftpusers]# cat /etc/vsftpd/vftpusers/Legion > /etc/vsftpd/vftpusers/LookBack
[root@Legion100 /etc/vsftpd/vftpusers]# sed -i 's/NO/YES/' /etc/vsftpd/vftpusers/LookBack #意图是去掉LookBack的上传、创建、删除权限；但上一步复制来的文件里只有YES，这条 s/NO/YES/ 实际不会改动任何内容，按意图应写成 s/YES/NO/
[root@Legion100 /etc/vsftpd/vftpusers]# service vsftpd restart
关闭 vsftpd:                                              [确定]
为 vsftpd 启动 vsftpd:                                    [确定]
[root@Legion100 /etc/vsftpd/vftpusers]# 

2)、测试（注意：下面第二次登录输入的用户名是 Lookback 而不是 LookBack，users 表的 name 列是 binary 区分大小写，所以返回 530 Login incorrect；这次失败是用户名大小写不符造成的，并没有验证到权限限制）

[root@Legion101 ~]# ftp 172.16.6.100
Connected to 172.16.6.100 (172.16.6.100).
220 (vsFTPd 2.2.2)
Name (172.16.6.100:root): Legion
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc/
Local directory now /etc
ftp> put inittab
local: inittab remote: inittab
227 Entering Passive Mode (172,16,6,100,253,120).
150 Ok to send data.
226 Transfer complete.
884 bytes sent in 7.4e-05 secs (11945.94 Kbytes/sec)
ftp> ls -l
227 Entering Passive Mode (172,16,6,100,244,244).
150 Here comes the directory listing.
-rw-------    1 1501     1501          884 Jun 03 09:02 inittab
226 Directory send OK.
ftp> bye
221 Goodbye.
[root@Legion101 ~]# ftp 172.16.6.100
Connected to 172.16.6.100 (172.16.6.100).
220 (vsFTPd 2.2.2)
Name (172.16.6.100:root): Lookback
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> lcd /etc/
Local directory now /etc
ftp> put fstab
local: fstab remote: fstab
530 Please login with USER and PASS.
Passive mode refused.
ftp> bye
221 Goodbye.
[root@Legion101 ~]# 


lookback
