To improve the security of the system, we use virtual users rather than system (anonymous) users to access FTP. The overall idea is to verify the legality of the user through MySQL by opening the virtual account function in Vsftp and invoking the new Pam authentication module and then modifying the PAM module. The following is an experimental process.
First step pack:
Yum install-y vsftpd mysql-server mysql-devel pam-devel
Yum groupinstall-y Development Tools
TAR-XF pam_mysql-0.7rc1.tar.gz-c/usr/src/
Cd/usr/src/pam_mysql-0.7rc1
./configure
Make && make install
The second step is to configure MySQL
Service mysqld Start
Mysql-p
Create Database ftpusers;
Use Ftpusers;
CREATE table users (ID int auto_increment not null,name char (a) NOT null UNIQUE KEY, passwd char is not NULL, p Rimary key (ID));
Insert into users (NAME,PASSWD) VALUES (' Nick ', password (' Redhat '));
Grant Select on ftpusers.* to [e-mail protected] identified by ' Vftpadm ';
Flush privileges;
The third step of editing vsftpd.conf, the following is my configuration:
Anonymous_enable=no
Local_enable=yes
Write_enable=yes
local_umask=022
Anon_upload_enable=yes
Dirmessage_enable=yes
Xferlog_enable=yes
Xferlog_std_format=yes
Connect_from_port_20=yes
Xferlog_std_format=yes
Chroot_local_user=yes
Chroot_list_enable=yes
Chroot_list_file=/etc/vsftpd/chroot_list
Listen=yes
User_config_dir=/etc/vsftpd/user_config
Local_root=/var/ftp/pub
Guest_enable=yes
Guest_username=virftp
Pam_service_name=vftp
Userlist_enable=yes
Tcp_wrappers=yes
Userlist_deny=yes
Fourth Step edit Pam file: vim/etc/pam.d/vftp
Session optional pam_keyinit.so Force revoke
Auth sufficient/lib64/security/pam_mysql.so user=virftp passwd=vftpadm host=localhost db=ftpusers table=users Usercolumn=name passwdcolumn=passwd crypt=2
Auth Required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
Auth Required pam_shells.so
Auth include Password-auth
Account sufficient/lib64/security/pam_mysql.so user=virftp passwd=vftpadm host=localhost db=ftpusers table=users Usercolumn=name passwdcolumn=passwd crypt=2
Account include Password-auth
Session Required Pam_loginuid.so
Session include Password-auth
The above red font is used to verify the virtual account, the rest is the default vsftpd authentication, and the local account is validated.
Fifth step: Add a Virtual account
Useradd virftp-s/sbin/nologin-d/home/virftp virftp
Chown virftp. -r/home/virftp/
Sixth step: Create a Virtual account configuration file
Mkdir/etc/vsftpd/user_config
Cd/etc/vsftpd/user_config
Create a virtual account nick:
Vim Nick
local_root=/home/virftp/
This only restricts its root directory, which is not defined here to inherit the settings of the master configuration file (/etc/vsftp/vsftpd.conf)
CP a file to this directory to verify the experiment
Cp/etc/inittab/home/virftp
Service VSFTPD Restart
Last login account Nick password Redhat view results
Test Summary: Start I in the Pam file MySQL verification useless sufficient and use the required, directly resulting in cannot log in with the local account.
Here to explain the meaning of the two, sufficient representative once the rule is satisfied, the direct exit does not match down, if not satisfied, then continue to match down.
Required indicates that if the mismatch exits directly, if the match continues to match down.
So when I use required, the local account does not match and exits directly.