Building FTP, FTPS and MySQL virtual-user authenticated FTP servers on Linux


1. FTP protocol: uses two kinds of connection, a command connection and a data connection

Command (control) connection: 21/TCP

Data connection: active mode, where the server connects out from 20/TCP, and passive mode, where the server listens on a random port

Data transfer modes (auto mode): binary (mp3, jpg, etc.) and text (HTML)

FTP server-side programs: wu-ftpd, vsftpd, pureftpd, FileZilla Server, Serv-U

FTP client programs: CLI text-mode commands: ftp, lftp

GUI software: gftp, FlashFXP, CuteFTP, FileZilla

vsftpd: the Very Secure FTP Daemon (proftpd is another common server)

/etc/vsftpd: configuration file directory

/etc/init.d/vsftpd: service script

/usr/sbin/vsftpd: main program

/var/ftp: root (home) directory of the FTP service and its ftp user, and the directory anonymous users access

User authentication is based on PAM:

/etc/pam.d/*: location of the authentication service files

/lib/security/*: location of the authentication modules

Virtual users are supported

ftp users: the following three types

Anonymous user: anonymous

System user: a local system user

Virtual user: must be mapped to a system user

FTP file service permissions: the effective permission is the intersection of the filesystem directory permissions and the authorization granted in the configuration file

Secure communication modes: clear text and ciphertext, as follows:

ftp: clear text

FTPS: FTP + SSL/TLS, ciphertext

SFTP: the OpenSSH sftp subsystem (SFTP over SSH), ciphertext

2. Configure the vsftpd.conf file

Install the vsftpd server software:

yum install vsftpd

Edit the vsftpd.conf configuration file:

vim /etc/vsftpd/vsftpd.conf

The contents of the configuration file are as follows (the text after # on each line is an explanation; vsftpd itself only accepts whole-line comments, so do not leave trailing comments after a setting in the real file):

anonymous_enable=yes # allow anonymous user access

local_enable=yes # allow local user login

write_enable=yes # allow local users to upload (write)

anon_upload_enable=yes # allow anonymous users to upload

#anon_mkdir_write_enable=yes # allow anonymous users to create directories

#anon_other_write_enable=yes # other anonymous write permissions, such as creating and deleting files

#dirmessage_enable=yes # if a hidden .message file exists in a shared directory, show it as a prompt to the logged-in user

#xferlog_enable=yes # enable transfer logging

connect_from_port_20=yes # use 20/tcp as the server side of active-mode data connections

#chown_uploads=yes # change the owner of anonymously uploaded files

#chown_username=whoever # the user that uploaded files are chowned to

#xferlog_file=/var/log/xferlog # path of the log file for the logging option above

xferlog_std_format=yes # log file format

#idle_session_timeout=600 # maximum idle time of an FTP command connection

#data_connection_timeout=120 # maximum transfer time of an FTP data connection

#ftpd_banner=Welcome to blah FTP service. # greeting shown to users when they connect to the server

#chroot_list_enable=yes # lock users into their home directories to prevent them from entering other directories on the system

#chroot_list_file=/etc/vsftpd/chroot_list # only the ftp users listed in this file are locked into their home directories

#chroot_local_user=yes # enable the chroot mechanism for all local system users

listen=yes # run as a standalone daemon; vsftpd can be changed to a transient (xinetd-managed) daemon with other settings

#max_clients= # maximum number of concurrent client connections

#max_per_ip= # maximum number of connections per IP address at one time

pam_service_name=vsftpd # name of the PAM service used for authentication

userlist_enable=yes # users listed in the user_list file are denied login to the ftp server

Note: if the configuration above enables upload, download or delete permissions, but the shared directory the FTP user logs into has no write permission, files still cannot be uploaded or downloaded

3. FTP clear-text transport server setup

Experimental goal: create an upload directory under /var/ftp/

Create a new local user, willow

Allow anonymous users and the local system user willow to create and delete files and upload and download in the upload directory

yum install vsftpd

mkdir /var/ftp/upload

useradd willow

echo "willow" | passwd --stdin willow

setfacl -m u:willow:rwx /var/ftp/upload # this step is important: it grants willow write access to the directory

vim /etc/vsftpd/vsftpd.conf

Ensure that the following configuration is in effect:

anonymous_enable=yes

local_enable=yes

write_enable=yes

anon_upload_enable=yes

anon_mkdir_write_enable=yes

anon_other_write_enable=yes

Run ftp localhost and log in as willow to test the effect

4. FTPS ciphertext transport server setup, i.e. FTP + TLS encrypted authentication

Create a self-signed CA certificate:

cd /etc/pki/CA

mkdir certs newcerts crl

touch index.txt

echo 01 > serial

vim /etc/pki/tls/openssl.cnf

dir = ../../CA

Change the line above to the following:

dir = /etc/pki/CA

(umask 077; openssl genrsa -out private/cakey.pem 1024)

openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365

Create the server key, request a certificate and sign it with the CA:

mkdir /etc/vsftpd/ssl

cd /etc/vsftpd/ssl

(umask 077; openssl genrsa -out vsftpd.key 1024)

openssl req -new -key vsftpd.key -out vsftpd.csr

openssl ca -in vsftpd.csr -out vsftpd.crt

Note: here I only give the steps for creating the CA certificate and then requesting the server certificate, not the detailed process; adapt it to your own experimental environment.

For more details on building certificates see my previous blog. After these steps we have the following:

Private key file location: /etc/vsftpd/ssl/vsftpd.key

Certificate file location: /etc/vsftpd/ssl/vsftpd.crt

vim /etc/vsftpd/vsftpd.conf

Add the following content:

ssl_enable=yes

ssl_tlsv1=yes

ssl_sslv3=yes

allow_anon_ssl=no

force_local_data_ssl=yes

force_local_logins_ssl=yes

rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt # certificate location

rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key # private key location

Restart the vsftpd service:

service vsftpd restart

Use the FlashFXP client to test that transfers are encrypted
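As an added check (not part of the original post), the script below parses a vsftpd.conf in the key=value form used in sections 2 to 4 and reports the settings a reviewer would question: ssl_sslv3=yes, local logins without forced TLS, anonymous write options, and local users without chroot. It also flags trailing # comments, which vsftpd does not accept after a value. SAMPLE_CONF, parse_vsftpd_conf and audit_vsftpd_conf are names chosen here; the sample is constructed.

```python
# Constructed sample, as a reader might copy sections 2-4 of this page into vsftpd.conf.
SAMPLE_CONF = """\
anonymous_enable=yes
local_enable=yes
anon_upload_enable=yes
ssl_enable=yes
ssl_sslv3=yes
force_local_data_ssl=yes
force_local_logins_ssl=yes
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt #certificate location
"""

def parse_vsftpd_conf(text):
    """Return (settings, syntax_problems). vsftpd accepts only key=value lines and
    whole-line '#' comments; a trailing comment becomes part of the value."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line {lineno}: not a key=value line")
            continue
        if "#" in value:
            problems.append(f"line {lineno}: trailing comment after {key}= breaks vsftpd")
            value = value.split("#", 1)[0]
        settings[key.strip().lower()] = value.strip().lower()
    return settings, problems

def audit_vsftpd_conf(text):
    """Return (severity, option, message) findings for the weak settings this page uses."""
    s, problems = parse_vsftpd_conf(text)
    findings = [("error", "syntax", p) for p in problems]
    on = lambda key: s.get(key) == "yes"
    if on("ssl_enable"):
        if on("ssl_sslv3"):
            findings.append(("high", "ssl_sslv3", "SSLv3 is broken; set ssl_sslv3=NO"))
        for key in ("force_local_logins_ssl", "force_local_data_ssl"):
            if not on(key):
                findings.append(("high", key, "local logins or data may still be clear text"))
    elif on("local_enable"):
        findings.append(("high", "ssl_enable", "system passwords cross the network in clear text"))
    for key in ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable"):
        if on("anonymous_enable") and on(key):
            findings.append(("medium", key, "anonymous users can write to the share"))
    if on("local_enable") and not on("chroot_local_user"):
        findings.append(("medium", "chroot_local_user", "local users can browse outside their home"))
    return findings
```

Running audit_vsftpd_conf on the sample yields four findings; a file with ssl_sslv3=NO, chroot_local_user=YES, anonymous writes off and no trailing comments yields none.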

5. Building an FTP server based on MySQL virtual-user authentication

5.1. Compile and install pam_mysql-0.7RC1

tar zxvf pam_mysql-0.7RC1.tar.gz

cd pam_mysql-0.7RC1

./configure --with-mysql=/usr --with-openssl

make

make install

cp /usr/lib/security/pam_mysql.* /lib/security/

5.2. Install vsftpd

yum -y install vsftpd

5.3. Install mysql-server and mysql-devel

yum install -y mysql-server mysql-devel

service mysqld start

5.4. Create virtual user accounts

5.4.1. Prepare the database and related tables

# mysql    (connect to the local MySQL database)

mysql> CREATE DATABASE vsftpd;

mysql> GRANT SELECT ON vsftpd.* TO vsftpd@localhost IDENTIFIED BY 'vsftpd';

mysql> GRANT SELECT ON vsftpd.* TO vsftpd@127.0.0.1 IDENTIFIED BY 'vsftpd';

mysql> FLUSH PRIVILEGES;

mysql> USE vsftpd;

mysql> CREATE TABLE users (
    -> id INT AUTO_INCREMENT NOT NULL,
    -> name CHAR(20) BINARY NOT NULL,      -- column lengths were garbled on the page; 20 and 48 are assumed
    -> password CHAR(48) BINARY NOT NULL,
    -> PRIMARY KEY (id)
    -> );

5.4.2. Add test virtual users

mysql> INSERT INTO users (name, password) VALUES ('willow', 'willow');

mysql> INSERT INTO users (name, password) VALUES ('tom', 'tom');

Note: the passwords are stored in clear text here because the hash formats of pam_mysql and the MySQL PASSWORD() function may differ.

The supported password encryption options are described in the README file in the pam_mysql directory (less README)

6. Create the files required for PAM authentication

# vim /etc/pam.d/vsftpd.mysql

Add the following two lines:

auth required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0

account required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0

7. Modify the vsftpd configuration file to use MySQL authentication

Create the system user that virtual users are mapped to, and its directory:

# useradd -s /sbin/nologin -d /var/ftproot/vuser vuser

# chmod go+rx /var/ftproot/vuser

Make sure the following options are enabled in /etc/vsftpd/vsftpd.conf:

anonymous_enable=yes

local_enable=yes

write_enable=yes

anon_upload_enable=yes

anon_mkdir_write_enable=yes

chroot_local_user=yes

The following options must be added:

guest_enable=yes

guest_username=vuser # virtual users are mapped to the local user vuser

pam_service_name=vsftpd.mysql # matches the /etc/pam.d/vsftpd.mysql file created above

Start the vsftpd service and test the effect:

# service vsftpd start

# chkconfig vsftpd on

# ftp localhost

8. Give virtual users different access rights

8.1. Configure vsftpd to use a per-user configuration directory for virtual users

# vim vsftpd.conf

Turn off all write permissions for anonymous users:

anon_upload_enable=no

anon_mkdir_write_enable=no

anon_other_write_enable=no

The following option must be added:

user_config_dir=/etc/vsftpd/vusers_dir

mkdir /etc/vsftpd/vusers_dir/

cd /etc/vsftpd/vusers_dir/

touch willow tom

8.2. Configure access rights for virtual users

8.2.1. Make virtual user tom download-only, with no upload permission

vim /etc/vsftpd/vusers_dir/tom

anon_upload_enable=no

8.2.2. Give virtual user willow permission to upload, download, create, delete, etc.

vim /etc/vsftpd/vusers_dir/willow

anon_upload_enable=yes

anon_mkdir_write_enable=yes

anon_other_write_enable=yes
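The per-user files work because guest (virtual) users receive anonymous-user privileges in vsftpd, so the anon_* options in each user's file override the global values, and every write additionally requires the global write_enable=yes. The added example below (not code from the original post) generates the tom and willow files from named profiles and reports the resulting rights; PROFILES, GLOBAL_CONF, write_user_configs, effective_rights and demo are names chosen here, and the directory is a temporary one rather than /etc/vsftpd/vusers_dir.

```python
import os
import tempfile

# Profiles from section 8.2; a per-user file overrides the global anon_* values.
PROFILES = {
    "download": {"anon_upload_enable": "no"},
    "full": {"anon_upload_enable": "yes", "anon_mkdir_write_enable": "yes",
             "anon_other_write_enable": "yes"},
}
# Global settings from sections 7 and 8.1 (constructed subset): writes are off by default.
GLOBAL_CONF = {"guest_enable": "yes", "guest_username": "vuser", "write_enable": "yes",
               "user_config_dir": "/etc/vsftpd/vusers_dir",
               "anon_upload_enable": "no", "anon_mkdir_write_enable": "no",
               "anon_other_write_enable": "no"}

def write_user_configs(config_dir, assignments):
    """Write one file per virtual user; user_config_dir expects the file name to equal the login name."""
    written = {}
    for user, profile in assignments.items():
        if "/" in user or user in (".", ".."):
            raise ValueError(f"refusing suspicious user name {user!r}")
        path = os.path.join(config_dir, user)
        with open(path, "w") as fh:
            for key, value in PROFILES[profile].items():
                fh.write(f"{key}={value}\n")
        written[user] = path
    return written

def effective_rights(global_conf, user_file):
    """Merge a per-user file over the global settings and report what that user may do."""
    merged = dict(global_conf)
    with open(user_file) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition("=")
                merged[key.strip().lower()] = value.strip().lower()
    writable = merged.get("write_enable") == "yes"   # nothing is writable without it
    return {"upload": writable and merged.get("anon_upload_enable") == "yes",
            "mkdir": writable and merged.get("anon_mkdir_write_enable") == "yes",
            "delete_rename": writable and merged.get("anon_other_write_enable") == "yes"}

def demo():
    """Build the tom/willow files in a scratch directory and return each user's rights."""
    with tempfile.TemporaryDirectory() as scratch:
        files = write_user_configs(scratch, {"tom": "download", "willow": "full"})
        return {user: effective_rights(GLOBAL_CONF, path) for user, path in files.items()}
```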

This article is from the "Xavier Willow" blog; please keep this source: http://willow.blog.51cto.com/6574604/1786264
