Implementing vsftpd virtual users with MySQL authentication
- 1. Install packages and package groups
- 2. FTP server realizes PAM configuration
- 3. Prepare ftp related tables in the database
- 5. Modify the vsftpd configuration file to use the pam_mysql module
- 5. Virtual users mapping to system users
- 6. Implement different permissions or directories for different virtual users
- summary
- cos7(192.168.31.7) is the ftp server; cos17(192.168.31.17) is the database server
1. Install packages and package groups
# pam_mysql, the PAM module that lets the FTP service authenticate users against a database, is not packaged for CentOS 7 and has to be compiled and installed from source. Download the installation package from the project website (last update: 2013-04-17).
[root@centos6 ~ ]#yum info pam_mysql
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
Available Packages
Name : pam_mysql
Arch : i686
Epoch : 1
Version : 0.7
Release : 0.12.rc1.el6
Size : 38 k
Repo : epel
Summary : PAM module for auth UNIX users using MySQL data base
URL : http://sf.net/projects/pam-mysql/
# cos7 (192.168.31.7) is the FTP server
[root@cos7:~]# yum install vsftpd mariadb-devel pam-devel "development tools" -y
# cos17 (192.168.31.17) is the database server
[root@cos17:~]# yum install mariadb-server -y
[root@cos17:~]# systemctl start mariadb #Start MariaDB server service
[root@cos17:~]# ss -ntl #Verify that port 3306 is open
# Compile and install pam_mysql
[root@cos7:~]# ls
pam_mysql-0.7RC1.tar.gz ...
[root@cos7:~]# tar xf pam_mysql-0.7RC1.tar.gz
[root@cos7:~]# cd pam_mysql-0.7RC1/
[root@cos7:pam_mysql-0.7RC1]# ls
acinclude.m4 config.h.in COPYING ltmain.sh mkinstalldirs pam_mysql.spec.in
aclocal.m4 config.sub CREDITS Makefile.am NEWS pkg.m4
ChangeLog configure INSTALL Makefile.in pam_mysql.c README
config.guess configure.in install-sh missing pam_mysql.spec stamp-h.in
[root@cos7:pam_mysql-0.7RC1]# cat INSTALL #There are installation instructions, steps and option parameters
[root@cos7:pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security --with-mysql=/usr --with-pam=/usr
[root@cos7:pam_mysql-0.7RC1]# ls /lib64/security/ #At this time, there is no pam_mysql.so module in this directory
[root@cos7:pam_mysql-0.7RC1]# make && make install #Compile and install; the error messages printed during the build can be ignored
[root@cos7:pam_mysql-0.7RC1]# ls /lib64/security/ #At this time, this directory generates the pam_mysql.so module
2. FTP server realizes PAM configuration
[root@cos7:pam_mysql-0.7RC1]# cat README #The README describes the options for connecting to the database
[root@cos7:~]# vim /etc/pam.d/vsftpd.mysql #PAM service file on the FTP server (the section heading above places this step on the FTP server)
auth required pam_mysql.so user=vsftpd passwd=centos host=192.168.31.17 db=ftpdb table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=centos host=192.168.31.17 db=ftpdb table=users usercolumn=name passwdcolumn=password crypt=2
#This file holds the database password in clear text, so keep it readable by root only (chmod 600); crypt=2 tells pam_mysql that the stored value was produced by MySQL's PASSWORD() function, which is what the INSERT statements below use
3. Prepare ftp related tables in the database
[root@cos17:~]# mysql
MariaDB [(none)]> create database ftpdb;
MariaDB [(none)]> grant select on ftpdb.* to vsftpd@'192.168.31.7' identified by 'centos';
MariaDB [(none)]> use ftpdb
MariaDB [ftpdb]> create table users ( #Create table
-> id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
-> name CHAR(50) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL
-> );
#Create two ftp virtual accounts
MariaDB [ftpdb]> INSERT INTO users(name,password) values('ftp1',password('centos'));
MariaDB [ftpdb]> INSERT INTO users(name,password) values('ftp2',password('centos'));
MariaDB [ftpdb]> select * from users;
+----+------+-------------------------------------------+
| id | name | password |
+----+------+-------------------------------------------+
| 1 | ftp1 | *07012D77331829FBC7415FCFE0041354CE238D41 |
| 2 | ftp2 | *1CF9815FD56E839A519A21CFABB148B4109FEDB7 |
+----+------+-------------------------------------------+
4. Modify the vsftpd configuration file to use the pam_mysql module
[root@cos7:~]# useradd -s /sbin/nologin vftpuser #Create the system account that the virtual accounts are mapped to
[root@cos7:~]# vim /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.mysql #Change to vsftpd.mysql
guest_enable=YES #Add this line to the last line of the configuration file
guest_username=vftpuser #All virtual users log in as guests and are mapped to the system account vftpuser
5. Virtual users mapping to system users
[root@cos7:~]# ll /home/vftpuser/ -d
drwx------ 3 vftpuser vftpuser 78 Aug 14 20:32 /home/vftpuser/
[root@cos7:~]# chmod 555 /home/vftpuser #setfacl -m u:vftpuser:rx /home/vftpuser/
#Footnote 1: the virtual user's login root directory must not be writable
[root@cos7:~]# systemctl start vsftpd
[root@cos7:~]# ss -ntl
#Use centos7-2 as the client to access the ftp server
[root@cos7-2:~ ]# yum install ftp -y
[root@cos7-2:~ ]# ftp 192.168.31.7
Connected to 192.168.31.7 (192.168.31.7).
220 (vsFTPd 3.0.2)
Name (192.168.31.7:root): ftp1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
6. Implement different permissions or directories for different virtual users
[root@cos7:~]# vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vftpuser.d #Add this line to the last line of the configuration file
[root@centos7:~]# mkdir /etc/vsftpd/vftpuser.d/
[root@centos7:~]# mkdir /etc/vsftpd/vftpuser.d/
[root@cos7:~]# vim /etc/vsftpd/vftpuser.d/ftp1
local_root=/data/ftp1
anon_upload_enable=YES
anon_mkdir_write_enable=YES
#Alternatively give user vftpuser rwx on the upload directory; uploading requires write permission, see footnote 2
[root@cos7:~]# setfacl -m u:vftpuser:rwx /data/ftp1/upload
[root@centos7:data]# mkdir /data/ftp1/upload
[root@cos7:~]# vim /etc/vsftpd/vftpuser.d/ftp2
local_root=/data/ftp2
[root@centos7:data]# mkdir /data/ftp2
-----------#Footnote 1
[root@cos7-2:~ ]# ftp 192.168.31.7
Connected to 192.168.31.7 (192.168.31.7).
220 (vsFTPd 3.0.2)
Name (192.168.31.7:root): ftp1
331 Please specify the password.
Password:
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Login failed.
-----------#Footnote 2
ftp> !ls
anaconda-ks.cfg Documents initial-setup-ks.cfg Pictures Templates
Desktop Downloads Music Public Videos
ftp> put initial-setup-ks.cfg
local: initial-setup-ks.cfg remote: initial-setup-ks.cfg
227 Entering Passive Mode (192,168,31,7,114,200).
550 Permission denied.
ftp>
summary
Experiment: FTP virtual users based on MySQL
Two hosts: (1) the FTP server and (2) the MySQL server
1 FTP server installation package
yum install mariadb-devel pam-devel
yum groupinstall "development tools"
2 FTP server compilation module
tar xf pam_mysql-0.7RC1.tar.gz
cd pam_mysql-0.7RC1/
cat INSTALL
./configure --with-pam-mods-dir=/lib64/security --with-mysql=/usr --with-pam=/usr
make && make install
3 Set up MySQL on the other host
create database ftpdb;
grant select on ftpdb.* to vsftpd@'192.168.31.7' identified by 'magedu';
use ftpdb
create table users (
id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
name CHAR(50) BINARY NOT NULL,
password CHAR(48) BINARY NOT NULL
);
#create table users ( id INT AUTO_INCREMENT NOT NULL PRIMARY KEY, name CHAR(50) BINARY NOT NULL, password CHAR(48) BINARY NOT NULL );
INSERT INTO users(name,password) values('ftp1',password('magedu'));
INSERT INTO users(name,password) values('ftp2',password('magedu'));
select * from users;
4 FTP server to realize PAM configuration
vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=magedu host=192.168.31.17 db=ftpdb table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=magedu host=192.168.31.17 db=ftpdb table=users usercolumn=name passwdcolumn=password crypt=2
5 FTP server vsftpd configuration file
pam_service_name=vsftpd.mysql
guest_enable=YES
guest_username=vftpuser
user_config_dir=/etc/vsftpd/vftpuser.d
6 System user that the virtual users are mapped to
useradd -s /sbin/nologin vftpuser
chmod 555 /home/vftpuser
mkdir /home/vftpuser/upload
chown vftpuser:vftpuser /home/vftpuser/upload
7 implement different permissions or directories for different virtual users
mkdir /etc/vsftpd/vftpuser.d
vim /etc/vsftpd/vftpuser.d/ftp1
local_root=/data/ftp1
anon_upload_enable=YES
anon_mkdir_write_enable=YES
setfacl -m u:vftpuser:rwx /data/ftp1/upload #/data/ftp1 itself does not get write permission; only the upload subdirectory does
vim /etc/vsftpd/vftpuser.d/ftp2
local_root=/data/ftp2