About vsftpd User Authentication

A long time ago I wanted to learn about vsftpd user authentication, especially through PAM. I think it is very powerful, but it is also complicated, and I had not found any good information on the Internet.

I could only study it myself.

Today I happened to see Fang Jun's blog with his notes. I read through them, benefited a lot, and successfully ran the vsftpd user-authentication experiments with db4 and MySQL. There were also many errors along the way, mainly from typing mistakes on the keyboard. Fang Jun's notes are very thorough, so I am putting them directly here for my own future convenience; they may also give others some tips.

Writer information
Alin Fang (Fang Yunlin)
Blog: http://www.alinblog.cn/
Modification date: 2 Dec 2008 (1st revision)
Copyright: GNU
Statement: these are my lab notes, not an authoritative document. If you find an error, please let me know. Thank you!
Lab environment
Red Hat Enterprise Linux 5 update 2
Hostname: dhcp-0-145
Network: 10.66.0.145/23
Lab procedure
Install db4 and related tools
[root@dhcp-0-145 ~]# rpm -q db4
db4-4.3.29-9.fc6
[root@dhcp-0-145 ~]# rpm -q db4-utils
package db4-utils is not installed
[root@dhcp-0-145 ~]# cd /misc/cd/Server
[root@dhcp-0-145 Server]# rpm -ivh db4-utils-4.3.29-9.fc6.i386.rpm
warning: db4-utils-4.3.29-9.fc6.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:db4-utils              ########################################### [100%]
[root@dhcp-0-145 Server]#
Install vsftpd
[root@dhcp-0-145 Server]# rpm -q vsftpd
package vsftpd is not installed
[root@dhcp-0-145 Server]# rpm -ivh vsftpd-2.0.5-12.el5.i386.rpm
warning: vsftpd-2.0.5-12.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:vsftpd                 ########################################### [100%]
[root@dhcp-0-145 Server]#
The NOKEY warning means rpm could not verify the package signature because the vendor key is not imported. Import it first (rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release) so that a tampered package is rejected instead of being installed with only a warning.
Add an FTP user list and generate the database file
[root@dhcp-0-145 Server]# cd /etc/vsftpd/
[root@dhcp-0-145 vsftpd]# vim ftplogin
The file contents are:
user1
redhat
user2
redhat
user3
redhat
Odd lines hold the account name and the even line after each holds that account's password. This is the format db_load -T expects for a hash database: key on one line, value on the next.
Restrict access to the user list and generate the database file
[root@dhcp-0-145 vsftpd]# chmod 700 ftplogin
[root@dhcp-0-145 vsftpd]# db_load -T -t hash -f ftplogin ftplogin.db
[root@dhcp-0-145 vsftpd]# ls
ftplogin  ftplogin.db  ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh
[root@dhcp-0-145 vsftpd]# cat ftplogin.db
(binary output; the user names and passwords are visible in it as plain strings)
[root@dhcp-0-145 vsftpd]#
A screen of binary output means the database file was generated. Note that ftplogin.db contains the same clear-text passwords as ftplogin, so it needs the same restrictive permissions; chmod 600 on both files is enough, since vsftpd runs the PAM conversation in its root-privileged parent process. If you want to check the contents without the noise, db_dump -p ftplogin.db prints the key/value pairs in readable form.
Configure PAM to verify users against ftplogin.db
Create a PAM service named virtualftpuser in /etc/pam.d.
[root@dhcp-0-145 vsftpd]# cd /etc/pam.d/
[root@dhcp-0-145 pam.d]# ls
atd              pm-hibernate       system-auth
authconfig       pm-powersave       system-auth-ac
authconfig-gtk   pm-suspend         system-cdinstall-helper
authconfig-tui   pm-suspend-hybrid  system-config-authentication
chfn             poweroff           system-config-date
chsh             ppp                system-config-display
config-util      pup                system-config-kdump
crond            reboot             system-config-keyboard
cups             remote             system-config-language
dateconfig       rhn_register       system-config-lvm
eject            run_init           system-config-netboot
ekshell          runuser            system-config-network
gssftp           runuser-l          system-config-network-cmd
halt             sabayon            system-config-printer
kbdrate          setup              system-config-rootpassword
kshell           smtp               system-config-securitylevel
login            smtp.sendmail      system-config-soundcard
neat             sshd               system-config-time
newrole          su                 system-config-users
other            sudo               system-install-packages
passwd           sudo-i             vsftpd
pirut            su-l
[root@dhcp-0-145 pam.d]# vim virtualftpuser
The content is:
auth    required pam_userdb.so db=/etc/vsftpd/ftplogin
account required pam_userdb.so db=/etc/vsftpd/ftplogin
Verify the database path: db= is given without the .db suffix, which pam_userdb appends itself, and a wrong path fails every login with nothing more than a PAM error in /var/log/secure. Without a crypt= option pam_userdb compares the password in clear text against the stored value; to store crypt(3) hashes instead, add crypt=crypt to both lines (see pam_userdb(8)).
Map the virtual users to a real system account and set the permissions of that account's home directory
Create the system account the virtual users will run as, and the directory for per-user configuration files
[root@dhcp-0-145 pam.d]# useradd virtualftpuser
[root@dhcp-0-145 pam.d]# chmod 755 ~virtualftpuser
[root@dhcp-0-145 pam.d]# mkdir /etc/vsftpd/userconf
[root@dhcp-0-145 pam.d]#
All virtual users share this one system account (guest_username below), so it should not be able to log in anywhere else: give it a nologin shell (useradd -s /sbin/nologin) and leave it without a password, so that a leaked FTP credential cannot become a shell account.
Then edit /etc/vsftpd/vsftpd.conf to point vsftpd at that PAM service.
[root@dhcp-0-145 pam.d]# cd /etc/vsftpd/
[root@dhcp-0-145 vsftpd]# vim vsftpd.conf
Change it to:
#========= Modified by Yunlin Fang ============#
anonymous_enable=NO
#========= end of modification ==========#
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
#========= Modified by Yunlin Fang ============#
pam_service_name=virtualftpuser
guest_enable=YES
guest_username=virtualftpuser
user_config_dir=/etc/vsftpd/userconf
#========= end of modification ==========#
userlist_enable=YES
tcp_wrappers=YES
With guest_enable=YES every non-anonymous login is mapped to guest_username, and user_config_dir lets you drop a file named after each virtual user there to override settings (for example local_root) per user. By default virtual users get the anonymous privilege set, which is read-only unless the anon_*_enable options are switched on; that is the safer default for a shared guest account, and vsftpd only gives them local-user privileges if you set virtual_use_local_privs=YES.
Start vsftpd
[root@dhcp-0-145 ~]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@dhcp-0-145 ~]# chkconfig --level 35 vsftpd on
[root@dhcp-0-145 ~]#
Test the FTP service
[root@dhcp-0-145 vsftpd]# touch /home/virtualftpuser/file1
[root@dhcp-0-145 vsftpd]# ftp dhcp-0-145
Connected to dhcp-0-145.pek.redhat.com.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (dhcp-0-145:root): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (0,145,240,191)
150 Here comes the directory listing.
-rw-r--r--    1 0        0               0 Dec 02 08:26 file1
226 Directory send OK.
ftp> quit
221 Goodbye.
[root@dhcp-0-145 vsftpd]#
Success.
Analysis
Authenticating vsftpd users through a db4 database means that every change to the user list requires editing the text file and re-running db_load; for ease of management this is not obviously better than the default /etc/passwd-based authentication. Keep in mind as well that both the text file and the .db hold the passwords in clear text unless pam_userdb is switched to crypt=crypt, so they must stay root-only and out of any backup that other users can read.
Recommended solutions:
• Use MySQL as the authentication database
• Write your own scripts to streamline user changes
Below is a script I wrote to add and delete users automatically.
#!/bin/bash
# Add or delete a vsftpd virtual user in /etc/vsftpd/ftplogin (user name on
# one line, password on the next) and rebuild the Berkeley DB for pam_userdb.
FTPLOGIN=/etc/vsftpd/ftplogin

usage() {
    echo "Usage:"
    echo -e "\t$(basename "$0") add"
    echo -e "\t$(basename "$0") del USERNAME"
}

if [ -z "$1" -o "$1" = "(null)" ]; then
    usage
    exit 1
fi

case "$1" in
del)
    if [ -z "$2" -o "$2" = "(null)" ]; then
        echo "Usage: $(basename "$0") del USERNAME"
        exit 1
    fi
    # Line number of the user name: -x matches the whole line, -F turns off
    # regex metacharacters, and only odd line numbers are name lines (an even
    # line is a password, which could happen to equal a user name).
    line=$(grep -n -x -F -- "$2" "$FTPLOGIN" | cut -d: -f1 | awk '$1 % 2 == 1 { print; exit }')
    if [ -z "$line" ]; then
        echo "No such user: $2"
        exit 1
    fi
    # Delete the name line and the password line that follows it.
    sed -i -e "${line},$((line + 1))d" "$FTPLOGIN"
    ;;
add)
    echo -n "Username: "
    read username
    if grep -n -x -F -- "$username" "$FTPLOGIN" | cut -d: -f1 | awk '$1 % 2 == 1 { found = 1 } END { exit !found }'; then
        echo "User already exists: $username"
        exit 1
    fi
    echo -n "Password: "
    read -s password          # -s: do not echo the password to the terminal
    echo
    echo "$username" >> "$FTPLOGIN"
    echo "$password" >> "$FTPLOGIN"
    ;;
*)
    usage
    exit 1
    ;;
esac

# Rebuild the hash database that pam_userdb reads (db=/etc/vsftpd/ftplogin).
db_load -T -t hash -f "$FTPLOGIN" "$FTPLOGIN.db"
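The lab procedure and the script above both keep the passwords in clear text, in ftplogin and again in ftplogin.db. The script below is an added example, not the author's script and not part of vsftpd or db4: it keeps the same two-line key/value format and the same db_load rebuild, but stores crypt(3) hashes (which requires adding crypt=crypt to the two pam_userdb lines), validates user names, and handles the odd/even line structure with awk so that a user name can never be confused with a password line. The path /etc/vsftpd/ftplogin, the use of openssl passwd -1 to produce MD5-crypt hashes, and the availability of db_load and openssl on the box are assumptions; the list, add and delete functions need neither.

```shell
#!/bin/bash
# Added example: manage a vsftpd virtual-user list for pam_userdb with hashed
# passwords. File format (what db_load -T expects): user name on an odd line,
# the value for that key on the even line that follows.
set -eu

FTPLOGIN=${FTPLOGIN:-/etc/vsftpd/ftplogin}   # assumed path; matches db=/etc/vsftpd/ftplogin in PAM

# list_users FILE: print the user names (odd lines) only.
list_users() {
    awk 'NR % 2 == 1' "$1"
}

# user_exists FILE USER: succeed if USER is a key line (odd line) of FILE.
# Whole-line comparison in awk avoids regex metacharacters and never matches
# a password line, unlike grep "^USER$".
user_exists() {
    awk -v u="$2" 'NR % 2 == 1 && $0 == u { found = 1 } END { exit !found }' "$1"
}

# hash_password PASSWORD: MD5-crypt hash ($1$salt$...) that pam_userdb checks
# with crypt=crypt. Uses openssl passwd -1 (assumed available); the 8-byte salt
# comes from /dev/urandom, so equal passwords produce different hashes.
hash_password() {
    local salt
    salt=$(tr -dc 'a-zA-Z0-9./' < /dev/urandom | head -c 8)
    openssl passwd -1 -salt "$salt" "$1"
}

# add_user FILE USER VALUE: append a key/value pair, refusing bad names,
# empty values and duplicates.
add_user() {
    local file=$1 user=$2 value=$3
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "invalid user name: '$user'" >&2; return 1 ;;
    esac
    [ -n "$value" ] || { echo "empty password/hash for $user" >&2; return 1; }
    if user_exists "$file" "$user"; then
        echo "user already exists: $user" >&2
        return 1
    fi
    printf '%s\n%s\n' "$user" "$value" >> "$file"
}

# del_user FILE USER: drop the key line and the value line that follows it.
del_user() {
    local file=$1 user=$2 tmp
    user_exists "$file" "$user" || { echo "no such user: $user" >&2; return 1; }
    tmp=$(mktemp)
    # On each odd line decide whether to skip this pair; the even line inherits it.
    awk -v u="$user" 'NR % 2 == 1 { skip = ($0 == u) } !skip' "$file" > "$tmp"
    cat "$tmp" > "$file"      # rewrite in place so owner and mode of FILE survive
    rm -f "$tmp"
}

# rebuild_db FILE: regenerate FILE.db (the db= path plus suffix) and lock both down.
rebuild_db() {
    db_load -T -t hash -f "$1" "$1.db"
    chmod 600 "$1" "$1.db"
}

main() {
    case ${1:-} in
        add)  add_user "$FTPLOGIN" "$2" "$(hash_password "$3")" && rebuild_db "$FTPLOGIN" ;;
        del)  del_user "$FTPLOGIN" "$2" && rebuild_db "$FTPLOGIN" ;;
        list) list_users "$FTPLOGIN" ;;
        *)    echo "usage: $0 add USER PASSWORD | del USER | list" >&2 ;;
    esac
}
main "$@"
```

Run it as root: ./vsftpd-userdb.sh add user4 secret, then ./vsftpd-userdb.sh del user2. Because the stored values are now $1$ hashes, the corresponding pam_userdb lines must read auth required pam_userdb.so db=/etc/vsftpd/ftplogin crypt=crypt (and the same for account); with the hashes in place, reading the file or the database no longer yields usable passwords, and the 600 mode on both files keeps the hashes from being cracked offline by local users.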

Using pam_mysql for vsftpd authentication
Statement
Author: Fang Yunlin
Site: http://www.afang.org/
My experiment documentation is not an authoritative guide and is for your reference only.
We advocate a good academic atmosphere; when reposting, please cite the original source.
15 Apr 2009, 2nd revision
Environment
OS: Red Hat Enterprise Linux 5 update 3
Network: 192.168.122.101/24
Procedure
First, on Fedora pam_mysql can be installed directly with yum. RHEL 5.3 does not ship it yet, so you have to compile it yourself. The official site is http://pam-mysql.sourceforge.net/
Prepare the build environment and compile pam_mysql.so
wget http://prdownloads.sourceforge.net/pammysql/pam_mysql-0.7RC1.tar.gz
yum install mysql-devel pam-devel gcc gcc-c++
tar zxvf pam_mysql-0.7RC1.tar.gz
cd pam_mysql-0.7RC1
ln -s /usr/include/openssl/md5.h /usr/include/
Without this symlink, configure cannot find the md5.h header.
./configure --with-openssl
Without --with-openssl, MD5 password verification is not supported.
Build it and put the resulting pam_mysql.so under /usr/lib/security, then link it into PAM's default module directory:
ln -s /usr/lib/security/pam_mysql.so /lib/security/
/lib/security is the default module path of PAM on this system.
This tarball arrives over plain HTTP and ends up loaded into the authentication stack of a network service, so compare its hash with the value the project publishes on SourceForge before running configure.
Create the database
[root@localhost pam_mysql-0.7RC1]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.0.45 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database vsftp;
Query OK, 1 row affected (0.00 sec)

mysql> grant all privileges on vsftp.* to vsftp@"%" identified by 'redhat';
Query OK, 0 rows affected (0.00 sec)

This grant is far wider than pam_mysql needs: the module only reads the account table and, with sqllog=true, inserts into the log table, and it connects from the host named in the PAM file. Granting SELECT on vsftp.account and INSERT on vsftp.log to 'vsftp'@'192.168.122.101' (or 'localhost') instead of ALL PRIVILEGES from '%' means that the credential sitting in /etc/pam.d cannot be used to rewrite or drop the user table.

mysql> use vsftp;
Database changed
mysql> create table account (
    -> `id` int not null auto_increment primary key,
    -> `user` varchar(128) not null unique,
    -> `passwd` varchar(128) not null
    -> );
Query OK, 0 rows affected (0.02 sec)
The command above creates the account table.
mysql> create table log (
    -> `msg` varchar(128),
    -> `user` varchar(128),
    -> `pid` int,
    -> `host` varchar(128),
    -> `rhost` varchar(128),
    -> `time` timestamp
    -> );
Query OK, 0 rows affected (0.00 sec)
The command above creates the log table, which records user access.
mysql> create trigger trigger_format_passwd
    -> before insert
    -> on account
    -> for each row
    -> set new.passwd = md5(new.passwd);
Query OK, 0 rows affected (0.00 sec)
mysql> create trigger trigger_format_passwd_update
    -> before update
    -> on account
    -> for each row
    -> set new.passwd = md5(new.passwd);
Query OK, 0 rows affected (0.00 sec)
The two triggers hash the password with MD5 whenever a row is inserted or updated, so the table never holds the clear text. Two caveats: the update trigger fires on every UPDATE of a row, including one that does not touch passwd, and then hashes the already hashed value, which silently locks that user out, so in practice guard it so that it only hashes when NEW.passwd differs from OLD.passwd. And MD5() is a single unsalted hash: two users with the same password get the same stored value, and a leaked table can be cracked offline at high speed. pam_mysql's crypt=Y mode compares with crypt(3) and therefore accepts salted hashes; it is the better choice when you can generate the hashes outside the database.
mysql> quit
Bye
[root@localhost pam_mysql-0.7RC1]#
Create the PAM authentication rules
The content is as follows:
[root@localhost pam_mysql-0.7RC1]# cat /etc/pam.d/vsftpd_mysql
auth    required pam_mysql.so user=vsftp passwd=redhat host=192.168.122.101 \
        db=vsftp table=account usercolumn=user passwdcolumn=passwd crypt=md5 sqllog=true \
        logtable=log logmsgcolumn=msg logusercolumn=user logpidcolumn=pid \
        loghostcolumn=host logrhostcolumn=rhost logtimecolumn=time
account required pam_mysql.so user=vsftp passwd=redhat host=192.168.122.101 \
        db=vsftp table=account usercolumn=user passwdcolumn=passwd crypt=md5 sqllog=true \
        logtable=log logmsgcolumn=msg logusercolumn=user logpidcolumn=pid \
        loghostcolumn=host logrhostcolumn=rhost logtimecolumn=time
[root@localhost pam_mysql-0.7RC1]#
Each rule is one logical line; the trailing backslashes are PAM's line-continuation syntax. The MySQL password is stored in clear text in this file, so make it readable by root only (chmod 600) and, as noted above, give the vsftp MySQL account no more than SELECT on account and INSERT on log.
user
    MySQL account used to connect
passwd
    password of that MySQL account
host
    MySQL server address, in one of these forms: ip, ip:port, or a unix socket such as /tmp/mysql.sock
db
    database holding the vsftpd authentication data
table
    table holding the user records
usercolumn
    user-name column of that table
passwdcolumn
    password column of that table
crypt
    password storage method; five are supported (numeric form in parentheses):
    plain (0): clear text
    Y (1): crypt(3), matching the ENCRYPT() function in a MySQL query
    mysql (2): MySQL's PASSWORD() hashing
    md5 (3): MD5, matching the MD5() function in a MySQL query
    sha1 (4): SHA1, matching the SHA1() function in a MySQL query
    Of these only Y is salted; plain should never leave the lab, and md5 and sha1 are fast unsalted hashes that are cheap to crack if the table leaks.
    To use the mysql method on RHEL 5, change old_passwords=1 in /etc/my.cnf to old_passwords=0; otherwise MySQL hashes with the pre-4.1 algorithm and verification by pam_mysql.so fails.
sqllog
    true to write a row into logtable for every authentication attempt
logtable
    log table
logmsgcolumn
    message column of the log table, holding the message text
logusercolumn
    user column of the log table, holding the user who accessed FTP
logpidcolumn
    pid column of the log table, holding the PID of the process that called pam_mysql.so
loghostcolumn
    host column of the log table, holding the FTP server address
logrhostcolumn
    rhost column of the log table, holding the FTP client address
logtimecolumn
    time column of the log table, holding the access time
I will not go further into the options above; for details refer to the README of pam_mysql.
Edit the vsftpd configuration file so that this PAM service is used for user authentication.
/etc/vsftpd/vsftpd.conf now reads:
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd_mysql
guest_enable=YES
guest_username=ftp
user_config_dir=/etc/vsftpd/userconfig
userlist_enable=YES
tcp_wrappers=YES
Unlike the db4 lab, anonymous_enable stays YES here and the virtual users are mapped to the ftp system account, so anonymous and MySQL-authenticated users share the same account and tree; set anonymous_enable=NO unless you really want anonymous access alongside the MySQL accounts.
Test
Start the FTP service
[root@localhost vsftpd]# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
[root@localhost vsftpd]# chkconfig --level 35 vsftpd on
[root@localhost vsftpd]#
Add a test user
[root@localhost vsftpd]# mkdir userconfig
[root@localhost vsftpd]# vim userconfig/department01
[root@localhost vsftpd]# cat userconfig/department01
local_root=/var/ftp
[root@localhost vsftpd]# mysql -u vsftp -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.0.45 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use vsftp;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> insert into account (user, passwd) values ("department01", "redhat");
Query OK, 1 row affected (0.00 sec)

mysql> select * from account;
+----+--------------+----------------------------------+
| id | user         | passwd                           |
+----+--------------+----------------------------------+
|  1 | department01 | e2798af12a7a0f4f70b4d69efbc25f4d |
+----+--------------+----------------------------------+
1 row in set (0.01 sec)

mysql> quit
Bye
[root@localhost vsftpd]#
Test login
[root@localhost vsftpd]# ftp 192.168.122.101
Connected to 192.168.122.101.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.122.101:root): department01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,122,101,240,33)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Dec 13  2007 pub
226 Directory send OK.
ftp>
View the log
[root@localhost vsftpd]# mysql -u vsftp -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 17
Server version: 5.0.45 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use vsftp;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from log;
+------------------------------------+--------------+-------+-----------+-----------------------+---------------------+
| msg                                | user         | pid   | host      | rhost                 | time                |
+------------------------------------+--------------+-------+-----------+-----------------------+---------------------+
| Authentication falure (first_pass) | redhat       | 24364 | 127.0.0.1 | localhost.localdomain | 2009-04-15 10:27:45 |
| Authentication failure             | redhat       | 24364 | 127.0.0.1 | localhost.localdomain | 2009-04-15 10:27:45 |
| Authentication falure (first_pass) | department01 | 24385 | 127.0.0.1 | 192.168.122.101.      | 2009-04-15 10:33:38 |
| Authentication success             | department01 | 24385 | 127.0.0.1 | 192.168.122.101.      | 2009-04-15 10:33:38 |
| Querying success                   | department01 | 24385 | 127.0.0.1 | 192.168.122.101.      | 2009-04-15 10:33:38 |
+------------------------------------+--------------+-------+-----------+-----------------------+---------------------+
5 rows in set (0.00 sec)

mysql>
The first two rows are a failed attempt under the user name "redhat", which does not exist in the account table; the later three are the successful department01 login from the test above. A "first_pass" entry appears for both the failed and the successful attempt, so on its own it does not indicate a failed login. The user, pid and rhost columns make this table a usable audit trail for brute-force attempts against the FTP service.
Lab objectives achieved.
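The MySQL lab grants the vsftp account ALL PRIVILEGES from any host, types INSERT statements with user-supplied values straight into the client, and relies on crypt=md5. The shell functions below are an added example, not part of the original notes or of pam_mysql: they print a least-privilege grant for the same schema, quote values before embedding them in SQL so that a user name such as o'brien cannot break or alter the statement, and reproduce the comparison pam_mysql performs with crypt=md5 (hex MD5 of the candidate against the stored column) to show that equal passwords produce identical stored hashes. The host 192.168.122.101 and the table and column names are taken from the PAM file above; md5sum is assumed to be available and MySQL's default sql_mode (backslash escapes enabled) is assumed. Nothing here connects to MySQL; the functions print SQL for you to feed to the mysql client.

```shell
#!/bin/bash
# Added example: helpers for scripting pam_mysql account management against
# the vsftp.account / vsftp.log schema from the notes above.
set -eu

DB=vsftp; TABLE=account; USERCOL=user; PASSCOL=passwd; LOGTABLE=log
PAM_HOST=192.168.122.101      # host= in /etc/pam.d/vsftpd_mysql (assumed from the notes)

# sql_quote VALUE: escape VALUE for use inside a single-quoted MySQL literal.
# Backslashes are doubled first, then single quotes are escaped, so that a
# value like o'brien or p\ss cannot terminate the literal and inject SQL.
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# grant_sql MYSQL_PASSWORD: least privilege for the pam_mysql account instead
# of ALL PRIVILEGES on vsftp.* from '%': read account, append to log, and only
# from the host PAM connects from.
grant_sql() {
    cat <<EOF
GRANT SELECT ON $DB.$TABLE TO 'vsftp'@'$PAM_HOST' IDENTIFIED BY '$(sql_quote "$1")';
GRANT INSERT ON $DB.$LOGTABLE TO 'vsftp'@'$PAM_HOST';
FLUSH PRIVILEGES;
EOF
}

# account_insert_sql USER PASSWORD: INSERT that relies on the BEFORE INSERT
# trigger to hash passwd; both values are quoted so neither can inject SQL.
account_insert_sql() {
    printf "INSERT INTO %s.%s (%s, %s) VALUES ('%s', '%s');\n" \
        "$DB" "$TABLE" "$USERCOL" "$PASSCOL" "$(sql_quote "$1")" "$(sql_quote "$2")"
}

# md5_hex PASSWORD: the value MySQL's MD5() stores and that crypt=md5 compares against.
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# md5_matches STORED PASSWORD: the check pam_mysql performs with crypt=md5.
# No salt is involved, so the stored value depends on the password alone.
md5_matches() {
    [ "$1" = "$(md5_hex "$2")" ]
}

# demo: two accounts with the same password share one stored hash, which is
# why a leaked account table reveals shared passwords and cracks quickly.
demo() {
    local a b
    a=$(md5_hex redhat)
    b=$(md5_hex redhat)
    [ "$a" = "$b" ] && echo "same password, same stored hash: $a"
    grant_sql 'a-strong-mysql-password'
    account_insert_sql "o'brien" "p'ass\\word"
}
demo
```

Pipe the printed statements into mysql -u root -p after creating the schema from the notes; the DROP of the original 'vsftp'@'%' account is left to you since it only exists if you followed the notes literally. The md5_matches check is the one to keep in mind when reading the account table: the hash of "redhat" is the same for every user that picked it, so a single cracked row exposes all of them.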
Postscript
There is actually a problem that has existed for a long time: if you use Baidu to search for some technical keywords, the results are basically the same content with the same errors, and these sites have very little original material. To increase traffic for their own purposes (earning advertising fees, for example), they copy other people's articles wholesale without naming the source. I think this is really bad. Many community friends now write articles through hard work for everyone's benefit, and thanks to them; but some people with lapsed academic ethics are ruining the Chinese-language Linux academic circle with meaningless plagiarism for private gain (search the same technical keywords in English on Google and you usually find more useful information with far fewer duplicates).
I do not think I am selfish; I am happy to share my learning experience, otherwise I would not release my study notes. But that has nothing to do with respecting authors. I call on everyone, especially those with blogs, to create a good technical learning environment for yourself and the Chinese community, and to copy as little as possible for impure motives.
Thank you for writing your own articles.

There is nothing more to say. Learn from Fang Jun.
