VSFTPD Virtual user mechanism based on Pam_mysql


I. Overview of virtual users


When VSFTPD uses virtual users, one system user has to be created for all of the virtual users to map onto. Whatever kind of user VSFTPD serves (anonymous, system or virtual), it is ultimately mapped to a user on the operating system, because every file resource carries its own permissions and only an operating-system user can be checked against that permission model to decide whether the resource may be accessed. Only the pam_mysql-based virtual user mechanism of VSFTPD is described here.


II. VSFTPD virtual user mechanism based on pam_mysql


1. Compile and install pam_mysql


(1) Install the development tool groups that provide the build environment, and the packages pam_mysql depends on, before compiling it

# yum -y groupinstall "Development Tools" "Server Platform Development"
# yum -y install pam-devel openssl-devel mariadb-devel


(2) Download the pam_mysql source archive

# download the archive from the pam_mysql website


(3) Unpack, then compile and install

# tar xf pam_mysql-0.7rc1.tar.gz
# cd pam_mysql-0.7rc1/
# ./configure --with-mysql=/usr --with-openssl=/usr --with-pam=/usr --with-pam-mods-dir=/lib64/security
# make && make install



2. Create a MySQL table to hold the user accounts and passwords


(1) Start the MySQL service and enable it at boot

# systemctl start mariadb.service
# systemctl enable mariadb.service


(2) Create the database vsftpd and the table users

# mysql
mysql> CREATE DATABASE vsftpd;
mysql> USE vsftpd;
mysql> CREATE TABLE users (
    ->   id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
    ->   name CHAR(30) NOT NULL,
    ->   password CHAR(48) BINARY NOT NULL
    -> );   # the value produced by MySQL's PASSWORD() function is 48 characters
mysql> DESC users;
+----------+----------+------+-----+---------+----------------+
| Field    | Type     | Null | Key | Default | Extra          |
+----------+----------+------+-----+---------+----------------+
| id       | int(11)  | NO   | PRI | NULL    | auto_increment |
| name     | char(30) | NO   |     | NULL    |                |
| password | char(48) | NO   |     | NULL    |                |
+----------+----------+------+-----+---------+----------------+


(3) Insert data into the table

mysql> INSERT INTO users (name, password) VALUES ('tom', PASSWORD('mageedu')), ('jerry', PASSWORD('mageedu.com'));

(4) Grant the database user vsftpd read access

mysql> GRANT SELECT ON vsftpd.* TO vsftpd@localhost IDENTIFIED BY 'mageedu';
mysql> GRANT SELECT ON vsftpd.* TO vsftpd@'127.0.0.1' IDENTIFIED BY 'mageedu';
mysql> FLUSH PRIVILEGES;


3. Create the PAM configuration file

# vim /etc/pam.d/vsftpd.mysql
auth    required pam_mysql.so user=vsftpd passwd=mageedu host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=mageedu host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
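The table in step 2 stores PASSWORD() hashes and the PAM file above selects crypt=2, which tells pam_mysql to hash the password the client sends the same way and compare it with the stored column. The following Python, an added example that is not part of the original article, reproduces the MySQL 4.1+ PASSWORD() scheme so the stored values can be checked offline. Two facts worth knowing: the result is 41 characters ('*' plus 40 hex digits), so it fits in the CHAR(48) column, and the scheme is unsalted, so two users with the same password end up with the same hash, which is why the vsftpd database account is granted SELECT only. The account names and passwords are the ones from the article; everything else is constructed here.

```python
import hashlib
import hmac


def mysql_password(plaintext: str) -> str:
    """Reproduce MySQL's PASSWORD() function (the 4.1+ scheme that pam_mysql
    selects with crypt=2): '*' followed by the uppercase hex digest of
    SHA1(SHA1(plaintext)). No salt is involved, so equal passwords hash equally."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def verify_password(stored_hash: str, candidate: str) -> bool:
    """What the auth step amounts to: hash the supplied password the same way
    and compare it with the column value. compare_digest avoids leaking the
    position of the first mismatching character through timing."""
    return hmac.compare_digest(stored_hash, mysql_password(candidate))


def build_user_rows(accounts):
    """Mirror of the INSERT in step 2(3): turn (name, clear-text password)
    pairs into the (name, password) rows that end up in the users table."""
    return [(name, mysql_password(pw)) for name, pw in accounts]


def shared_hashes(rows):
    """Names of users whose stored hashes collide, i.e. who share a password.
    With an unsalted scheme this is visible to anyone who can read the table."""
    by_hash = {}
    for name, h in rows:
        by_hash.setdefault(h, []).append(name)
    return [names for names in by_hash.values() if len(names) > 1]


if __name__ == "__main__":
    rows = build_user_rows([("tom", "mageedu"), ("jerry", "mageedu.com")])
    for name, h in rows:
        print(f"{name}: {h} ({len(h)} characters)")
    print("tom/mageedu verifies:", verify_password(rows[0][1], "mageedu"))
```

Run it directly to see the two hashes the INSERT statement produces; `verify_password` is the check pam_mysql performs at login, and `shared_hashes` shows what a reader of the table can learn from an unsalted scheme.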



4. Create the system user that all virtual users are mapped to

# useradd -s /sbin/nologin -d /ftproot vuser
# ll -d /ftproot/
drwx------. 4 vuser vuser Jun 9 21:48 /ftproot/   # group and other users have no permissions at all
# chmod go+rx /ftproot/          # give group and other users read and execute permission
# chmod -w /ftproot              # the home directory of the mapped user vuser must not be writable
# mkdir /ftproot/{pub,upload}    # if write access is wanted, create a writable subdirectory inside the home directory
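The two permission rules in step 4 (the mapped user's home must not be writable, while group and others need r-x to enter it) and the clear-text passwd= in the PAM file from step 3 are the things that go wrong most often on this kind of setup. The Python below is an added audit helper, not part of the original article: it checks a directory tree against those rules and checks that the PAM file is not readable by group or others. `run_demo` builds a correct and an incorrect layout under a temporary directory (constructed, not the real /ftproot) and audits both; since it cannot chown, the current uid stands in for vuser and the pub directory is made read-only in place of being owned by root as it is on the page.

```python
import os
import stat
import tempfile
from pathlib import Path

W_ALL = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
RX_GO = stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH


def audit_ftproot(root, mapped_uid, writable_subdirs=("upload",)):
    """Check the layout built in step 4: the mapped user's home must not be
    writable by anyone (vsftpd refuses a writable chroot root by default),
    group/others need r-x to enter it, and the mapped user may only write in
    the named subdirectories. Returns a list of findings; empty means OK."""
    findings = []
    root = Path(root)
    mode = stat.S_IMODE(root.stat().st_mode)
    if mode & W_ALL:
        findings.append(f"{root}: home directory is writable (mode {mode:04o}); run chmod -w")
    if (mode & RX_GO) != RX_GO:
        findings.append(f"{root}: group/others lack r-x (mode {mode:04o}); run chmod go+rx")
    for child in sorted(p for p in root.iterdir() if p.is_dir()):
        st = child.stat()
        cmode = stat.S_IMODE(st.st_mode)
        if cmode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{child}: writable by group or others (mode {cmode:04o})")
        elif cmode & stat.S_IWUSR and st.st_uid == mapped_uid and child.name not in writable_subdirs:
            findings.append(f"{child}: writable by the mapped user but not meant for uploads")
    return findings


def audit_pam_file(path):
    """The PAM file from step 3 carries the database password in clear text
    (passwd=...), so it should not be readable by group or others."""
    mode = stat.S_IMODE(Path(path).stat().st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return [f"{path}: readable by group/others (mode {mode:04o}); run chmod 600"]
    return []


def run_demo():
    """Build a good and a bad layout in a temporary directory and audit both.
    The current uid stands in for vuser because this demo cannot chown."""
    uid = os.getuid()
    base = Path(tempfile.mkdtemp())
    results = {}
    for label, root_mode, upload_mode in (("good", 0o555, 0o755), ("bad", 0o755, 0o777)):
        root = base / label
        (root / "pub").mkdir(parents=True)
        (root / "upload").mkdir()
        (root / "pub").chmod(0o555)      # read-only stands in for "owned by root" here
        (root / "upload").chmod(upload_mode)
        root.chmod(root_mode)            # set last so the children can be created first
        results[label] = audit_ftproot(root, uid)
    pam = base / "vsftpd.mysql"          # constructed stand-in for /etc/pam.d/vsftpd.mysql
    pam.write_text("auth required pam_mysql.so user=vsftpd passwd=mageedu host=localhost\n")
    pam.chmod(0o644)
    results["pam_open"] = audit_pam_file(pam)
    pam.chmod(0o600)
    results["pam_closed"] = audit_pam_file(pam)
    return results


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label, findings or "OK")
```

On a real host call `audit_ftproot("/ftproot", pwd.getpwnam("vuser").pw_uid)` and `audit_pam_file("/etc/pam.d/vsftpd.mysql")`; the bad layout in the demo reproduces the two mistakes the section's chmod commands exist to prevent, a writable home directory and a world-writable upload directory.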

5. Edit the VSFTPD configuration file and change the relevant settings

# vim /etc/vsftpd/vsftpd.conf
guest_enable=YES                # allow guest (virtual) accounts to log in
guest_username=vuser            # map all guest accounts to the system user vuser
pam_service_name=vsftpd.mysql   # use the PAM configuration file created above



6. Start the service


# systemctl start vsftpd.service
# ss -tnl | grep :21
LISTEN     0      32     :::21      :::*


7. Testing


(1) Test virtual user tom

# ftp 192.168.10.99
Connected to 192.168.10.99 (192.168.10.99).
220 (vsFTPd 3.0.2)
Name (192.168.10.99:root): tom        # enter virtual user tom
331 Please specify the password.
Password:                             # enter tom's password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,10,99,223,134).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0               6 Jun 09 13:35 pub
drwxr-xr-x    2 1000     0              64 Jun 09 14:25 upload
226 Directory send OK.


(2) Test virtual user jerry

# ftp 192.168.10.99
Connected to 192.168.10.99 (192.168.10.99).
220 (vsFTPd 3.0.2)
Name (192.168.10.99:root): jerry      # enter virtual user jerry
331 Please specify the password.
Password:                             # enter jerry's password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,10,99,251,69).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0               6 Jun 09 13:35 pub
drwxr-xr-x    2 1000     0              64 Jun 09 14:25 upload
226 Directory send OK.

The test was successful.


III. Other requirements


1. How to give virtual users permission to upload files?


(1) Make sure anonymous users are given write permission in the VSFTPD configuration

# vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES   # this must be enabled, because a virtual user is treated as an anonymous user


(2) Make sure the system user vuser that the virtual users map to has write access on the file system

# chown vuser /ftproot/upload


(3) Test

# test virtual user tom

# ftp 192.168.10.99
Connected to 192.168.10.99 (192.168.10.99).
220 (vsFTPd 3.0.2)
Name (192.168.10.99:root): tom        # enter virtual user tom
331 Please specify the password.
Password:                             # enter tom's password
ftp> cd upload                        # change to the directory the user may write to
ftp> lcd /etc                         # change the local shell to /etc
ftp> put fstab                        # upload the file fstab
local: fstab remote: fstab
227 Entering Passive Mode (192,168,10,99,213,217).
150 Ok to send data.
226 Transfer complete.                # transfer complete
541 bytes sent in 0.000189 secs (2862.43 Kbytes/sec)
ftp> ls
-rw-------    1 1000     1000          541 Jun 09 15:08 fstab
226 Directory send OK.


# test virtual user jerry

# ftp 192.168.10.99
Connected to 192.168.10.99 (192.168.10.99).
220 (vsFTPd 3.0.2)
Name (192.168.10.99:root): jerry      # enter virtual user jerry
331 Please specify the password.
Password:                             # enter jerry's password
ftp> cd upload                        # change to the directory the user may write to
ftp> lcd /etc                         # change the local shell to /etc
ftp> put issue                        # upload the file issue
local: issue remote: issue
227 Entering Passive Mode (192,168,10,99,169,197).
150 Ok to send data.
226 Transfer complete.                # transfer complete
23 bytes sent in 5.8e-05 secs (396.55 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (192,168,10,99,144,240).
150 Here comes the directory listing.
-rw-------    1 1000     1000          541 Jun 09 15:08 fstab
-rw-------    1 1000     1000           23 Jun 09 15:14 issue
226 Directory send OK.

The test was successful.


2. The virtual users tom and jerry are both mapped to the single system user vuser. Can tom and jerry still be given different permissions, for example so that tom can upload files but jerry cannot?



1. Add a separate configuration file for each virtual user

# vsftpd supports a separate configuration file per virtual user; the file name must be identical to the user name

# mkdir /etc/vsftpd/vusers.conf.d
# cd /etc/vsftpd/vusers.conf.d/
# vim tom
anon_upload_enable=YES   # allow tom to upload files
# vim jerry
anon_upload_enable=NO    # do not allow jerry to upload files


2. Edit the main configuration file/etc/vsftpd/vsftpd.conf

(1) Disable anonymous upload in the main configuration file

# vim /etc/vsftpd/vsftpd.conf
#anon_upload_enable=YES   # comment out this line in the main configuration file


(2) Explicitly tell vsftpd to load the per-user configuration files from the vusers.conf.d directory

# vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vusers.conf.d



3. Restart the VSFTPD service

# systemctl restart vsftpd.service
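Steps 1 to 3 of this section rely on how vsftpd merges configuration: the main file is read first, then, when user_config_dir is set, a file in that directory named exactly like the login name is read and its options override the main file's. The Python below is an added example, not code from the article or from vsftpd, that implements that merge for the key=value format of vsftpd.conf and reports who may upload. It assumes write_enable=YES in the main file (anon_upload_enable has no effect without it; the stock CentOS vsftpd.conf sets it) and treats the login name as a file name, refusing anything containing a path separator since the name comes from the users table. The sample configuration in `run_demo` is constructed to match section III.2.

```python
import tempfile
from pathlib import Path


def parse_vsftpd_conf(text):
    """vsftpd.conf syntax: one option=value per line, lines starting with '#'
    are comments, no whitespace around '='. A later line overrides an earlier
    one for the same option."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed vsftpd.conf line: {raw!r}")
        settings[key] = value
    return settings


def effective_settings(main_conf, user):
    """Main configuration plus, when user_config_dir is set and a file named
    exactly like the login name exists there, that file's options on top."""
    settings = parse_vsftpd_conf(Path(main_conf).read_text())
    user_dir = settings.get("user_config_dir")
    # the login name becomes a file name: refuse anything that could leave the directory
    if user_dir and user and "/" not in user and user not in (".", ".."):
        per_user = Path(user_dir) / user
        if per_user.is_file():
            settings.update(parse_vsftpd_conf(per_user.read_text()))
    return settings


def can_upload(settings):
    """Guest (virtual) users are governed by the anonymous switches, and
    anon_upload_enable only takes effect when write_enable is YES."""
    return (settings.get("write_enable", "NO").upper() == "YES"
            and settings.get("anon_upload_enable", "NO").upper() == "YES")


MAIN_CONF = """\
# constructed sample of /etc/vsftpd/vsftpd.conf as it looks after section III.2
write_enable=YES
#anon_upload_enable=YES
guest_enable=YES
guest_username=vuser
pam_service_name=vsftpd.mysql
user_config_dir={user_dir}
"""


def run_demo():
    """Lay the files out in a temporary directory and report who may upload."""
    base = Path(tempfile.mkdtemp())
    user_dir = base / "vusers.conf.d"
    user_dir.mkdir()
    (user_dir / "tom").write_text("anon_upload_enable=YES\n")
    (user_dir / "jerry").write_text("anon_upload_enable=NO\n")
    main = base / "vsftpd.conf"
    main.write_text(MAIN_CONF.format(user_dir=user_dir))
    # "nobody" has no per-user file; "../tom" is rejected as a file name
    return {u: can_upload(effective_settings(main, u))
            for u in ("tom", "jerry", "nobody", "../tom")}


if __name__ == "__main__":
    for user, allowed in run_demo().items():
        print(f"{user}: {'may upload' if allowed else 'may not upload'}")
```

Pointing `effective_settings` at the real /etc/vsftpd/vsftpd.conf gives the merged view for any login name before the test in step 4 is run, which is a quick way to confirm that a per-user file is actually being picked up (a common mistake is a file name that does not match the login name exactly).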


4. Testing


# expected result: virtual user tom can upload files and jerry cannot

# test virtual user tom

# ftp 192.168.10.99
Connected to 192.168.10.99 (192.168.10.99).
220 (vsFTPd 3.0.2)
Name (192.168.10.99:root): tom        # enter virtual user tom
331 Please specify the password.
Password:                             # enter tom's password
ftp> cd upload
ftp> lcd /etc/
ftp> put grub2.cfg                    # upload the file grub2.cfg
local: grub2.cfg remote: grub2.cfg
227 Entering Passive Mode (192,168,10,99,220,164).
150 Ok to send data.
226 Transfer complete.                # transfer succeeded
4209 bytes sent in 0.000162 secs (25981.48 Kbytes/sec)


# test virtual user jerry

# ftp 192.168.10.99
Connected to 192.168.10.99 (192.168.10.99).
220 (vsFTPd 3.0.2)
Name (192.168.10.99:root): jerry      # enter virtual user jerry
331 Please specify the password.
Password:                             # enter jerry's password
ftp> cd upload
ftp> lcd /etc/
ftp> put motd                         # upload the file motd
local: motd remote: motd
227 Entering Passive Mode (192,168,10,99,188,33).
550 Permission denied.                # permission denied, as expected

The test was successful.



This article is from the "tab" blog; please keep the source when reproducing it: http://xuweitao.blog.51cto.com/11761672/1933979
