VSFTPD virtual user authentication based on PAM: still afraid of leaking accounts?

Source: Internet
Author: User
Tags: install, openssl, ftp, access

I. Brief introduction to FTP

FTP is a very old protocol: a client/server protocol that transmits everything in plaintext. FTP uses TCP ports 21 and 20; port 21 is the command port and port 20 the data port. The FTP command connection is like any other TCP connection, but the data connection has two modes:

Active mode, also called PORT mode: when a command requests a data transfer, the server stops waiting and actively sends the data to the client, connecting from its own port 20 to a port on the client. Here is the problem: for the server to connect actively it must know the client's port number, yet the client has not opened any port toward the server. The protocol's design is that the server uses the client's command connection port (a random port, of course) +1 as the data connection port; if that one is in use, +1 again, and so on. Of course, this mode is hard to handle at the client's firewall, which is why passive mode exists.

Passive mode, also called PASV mode: the client actively connects to a server port to transfer data. The server opens a random port and sends its number to the client over the command connection; once the client knows the port it connects to it and completes the data transfer. This looks harder to handle at the server's firewall than active mode is at the client's. The firewall can of course be configured for it, but that is not covered here; a later post will explain firewall settings for FTP passive mode.

The FTP service has three kinds of users: anonymous users, local users and virtual users. An anonymous user is mapped to a system user on the server, by default the ftp user, whose default home directory is /var/ftp. The first two kinds are not complicated; this article only covers the settings for virtual users.

II. VSFTPD virtual user authentication based on PAM and a MySQL database

Installing vsftpd and MySQL is not covered here; search for it yourself.

1. Compile and install pam_mysql.so. A PAM MySQL library is needed here, and a default PAM installation does not contain it, so it must be downloaded and compiled against PAM. Prepare the build environment and the necessary components, then compile and install it:

Install the necessary components:

# yum -y install openssl-devel pam-devel

Compile and install:

# tar xf pam_mysql-0.7rc1.tar.gz && cd pam*
# ./configure --with-mysql=/usr --with-openssl=/usr --with-pam=/usr --with-pam-mods-dir=/lib64/security && make && make install

After installation, the library file can be seen at /lib64/security/pam_mysql.so:

# ls /lib64/security | grep mysql
pam_mysql.la
pam_mysql.so

2. Create the corresponding database

# mysql -uroot
create database vuser;
use vuser;
-- the password column must hold the 41-character value PASSWORD() returns; the original length is garbled, 48 is assumed
create table users (id int auto_increment not null primary key, name char(30) not null, password char(48) not null);
insert into users (name, password) values ('obama', password('magedu'));
insert into users (name, password) values ('changchun', password('magedu'));
-- this is the account pam_mysql connects with; user= and passwd= in the PAM file must match it
grant select on vuser.* to 'vsftpd'@'%' identified by 'magedu';
flush privileges;
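As an added example (not from the original post), the following Python models what the INSERT statements store and what pam_mysql compares against with crypt=2: MySQL's PASSWORD() is '*' followed by the uppercase hex of SHA1(SHA1(password)), with no salt. The user table is constructed to mirror the tutorial's two INSERTs; the function names are my own.

```python
import hashlib
import hmac

def mysql_native_password(plaintext: str) -> str:
    """MySQL's PASSWORD() in the native scheme: '*' + uppercase hex of SHA1(SHA1(pw)).
    This is what INSERT ... password('magedu') stores in users.password and what
    pam_mysql compares against when the PAM line says crypt=2. Note: no salt."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

# Constructed table mirroring the tutorial's two INSERT statements; the database
# stores only the hash, the plaintext appears here just to build the rows.
USERS = {
    "obama": mysql_native_password("magedu"),
    "changchun": mysql_native_password("magedu"),
}

def pam_mysql_check(name: str, supplied: str, table: dict = USERS) -> bool:
    """Model the crypt=2 decision: hash the supplied password the same way and
    compare it with the stored column value (constant-time compare)."""
    stored = table.get(name)
    if stored is None:
        return False
    return hmac.compare_digest(stored, mysql_native_password(supplied))

def accounts_sharing_a_hash(table: dict) -> list:
    """Because PASSWORD() is unsalted, accounts with the same password have identical
    stored values, visible to anything holding SELECT on the table (the vsftpd grant);
    this is why each virtual user should get its own password rather than 'magedu'."""
    by_hash = {}
    for name, digest in table.items():
        by_hash.setdefault(digest, []).append(name)
    return [sorted(names) for names in by_hash.values() if len(names) > 1]

if __name__ == "__main__":
    print(USERS)
    print(pam_mysql_check("obama", "magedu"), pam_mysql_check("obama", "wrong"))
    print(accounts_sharing_a_hash(USERS))
```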

3. Set up the PAM configuration file

The PAM format differs from module to module, but here it can be written as follows. The file is /etc/pam.d/vsftpd.mysql, matching the pam_service_name set in vsftpd.conf below; user= and passwd= are the MySQL account created by the GRANT above:

auth    required pam_mysql.so user=vsftpd passwd=magedu host=172.18.29.132 db=vuser table=users usercolumn=name passwdcolumn=password crypt=2 debug
account required pam_mysql.so user=vsftpd passwd=magedu host=172.18.29.132 db=vuser table=users usercolumn=name passwdcolumn=password debug

Note: fill in the database user and password, the database name, the column holding the user name and the column holding the password. With debug added, debug messages are written to /var/log/secure, so whatever pam_mysql does during login is visible there.

4. Create the system user that virtual users map to

# mkdir /ftproot
# useradd -s /sbin/nologin -d /ftproot vuser
# chmod go+w /ftproot

5. Modify the vsftpd.conf configuration file

vsftpd reads one option=value per line and only accepts comments on lines that start with #, so the comments are kept on their own lines:

# anonymous user switch
anonymous_enable=NO
# global write permission switch
write_enable=YES
# non-anonymous (local) user switch
local_enable=YES
listen_ipv6=YES
# guest user (i.e. virtual user account) switch
guest_enable=YES
# system user that guest logins map to
guest_username=vuser
# PAM authentication profile
pam_service_name=vsftpd.mysql
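As an added check (not from the original post), this Python parses a vsftpd.conf fragment the way vsftpd does (one option=value per line, no inline comments) and inspects the pam_mysql lines for the two things a reviewer would flag: the debug option left switched on, and the plaintext database password the file necessarily contains. The sample texts are constructed from the tutorial's settings; the policy checks are my own, not vsftpd's.

```python
import re
# Constructed from the tutorial's settings; comments sit on their own lines, as vsftpd requires.
CONF_SAMPLE = """# anonymous user switch
anonymous_enable=NO
write_enable=YES
local_enable=YES
listen_ipv6=YES
guest_enable=YES
guest_username=vuser
pam_service_name=vsftpd.mysql
"""
PAM_SAMPLE = (
    "auth    required pam_mysql.so user=vsftpd passwd=magedu host=172.18.29.132 "
    "db=vuser table=users usercolumn=name passwdcolumn=password crypt=2 debug\n"
    "account required pam_mysql.so user=vsftpd passwd=magedu host=172.18.29.132 "
    "db=vuser table=users usercolumn=name passwdcolumn=password\n"
)

def parse_vsftpd_conf(text: str) -> tuple:
    """Return (options, problems). vsftpd does not strip a trailing '# ...' from a value,
    so 'anonymous_enable=NO # switch' becomes the bool 'NO # switch' and startup fails."""
    options, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if "#" in value:
            problems.append(f"line {lineno}: inline comment makes {key}={value!r} invalid")
        options[key] = value
    return options, problems

def audit_virtual_user_setup(conf_text: str, pam_text: str) -> list:
    """Findings a reviewer would raise before exposing the server (assumed policy, not vsftpd's)."""
    opts, findings = parse_vsftpd_conf(conf_text)
    if opts.get("anonymous_enable", "").upper() != "NO":
        findings.append("anonymous_enable is not NO: anonymous logins stay open")
    if opts.get("guest_enable", "").upper() != "YES":
        findings.append("guest_enable is not YES: virtual users cannot log in")
    if not opts.get("pam_service_name"):
        findings.append("pam_service_name missing: vsftpd would use its default PAM service")
    for lineno, line in enumerate(pam_text.splitlines(), 1):
        if "pam_mysql.so" not in line:
            continue
        if re.search(r"\bdebug\b", line):
            findings.append(f"pam line {lineno}: 'debug' writes login detail to /var/log/secure; drop it after troubleshooting")
        if re.search(r"\bpasswd=\S+", line):
            findings.append(f"pam line {lineno}: database password in plaintext; make the file unreadable to ordinary users")
    return findings
```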

That's it. You can log in to see for yourself; there is nothing more of interest, so I stop here.

III. Errors you may encounter along the way: mainly, SELinux needs to be turned off and the permissions of the corresponding directory set correctly. FTP access is also controlled by user permissions, so whatever kind of user you log in to FTP as, it is mapped to a system user, and the permissions after login are the permissions of that mapped user.


This article is from the "Deep Sea Fish" blog; please be sure to keep this source: http://kingslanding.blog.51cto.com/9130940/1769348
