Create a VSFTPD server MySQL-based virtual user authentication

Source: Internet
Author: User

This post simply lists the basic commands and shares my own thoughts.

First, the purpose

Requirements: configure a VSFTPD server that allows virtual users to log in. The virtual users are stored on a separate MySQL server. There are two virtual accounts, Tom and Jerry, with the passwords Tom and Jerry; the privileges of the two accounts must be restricted (adjust according to actual requirements).

Environment: the MySQL server (172.16.49.1) runs CentOS 6.6 and MariaDB-5.5.43. The other host (192.168.0.22) has vsftpd installed via yum; its OS is also CentOS 6.6.

    • MySQL is a generic binary installation; a previous blog post described how to install it.

    • VSFTPD.

1. Introduction to VSFTPD

vsftpd is an FTP server that Windows users can also use. FTP itself works in client/server mode. The server always listens on port 21, because port 21 is the command (control) connection port; port 20 is the data transfer port, and the data connection is established only when data needs to be transferred and is torn down afterwards, rather than staying in a listening state. So the client and server can use two modes:

"Active": the client connects from a random port to server port 21; when a download command is received, the server actively opens port 20 and connects to the client's random port + 1, and the connection is torn down when the transfer is done. Active mode is generally not used, because if the client is behind a firewall, the client has to open or configure that port manually.

"Passive": the connection is created by the client. The client first connects from a random port to server port 21; on port 21 the client and server "negotiate" which random port the server will use for data, and the client then connects to that port. The server does not actively connect to the client, and the data port is not like port 21, where vsftpd is always listening: it is opened and closed as needed.

The FTP transmission format depends on the data: text data is transmitted as text, and a binary program is transmitted as binary. This differs from HTTP, which can only transmit a text stream.

FTP also has reply codes:

1xx series: informational.

2xx series: success.

3xx series: a status code that requires additional input (you will see it after entering an account, because a password is still needed).

4xx series: client error.

5xx series: server-side error.

Because vsftpd is only implemented on Unix-like servers, authentication mainly goes through the OS's own PAM modules. Three kinds of users can authenticate: OS system users, anonymous users (no user name or password), and virtual users (accounts and passwords stored in a database or another file).

2. Main files generated after installing vsftpd with yum

User authentication (PAM) configuration file: /etc/pam.d/vsftpd (Note: pam_service_name=vsftpd in the main configuration file refers to this file).

Main program: /usr/sbin/vsftpd

Resources shared with anonymous users: /var/ftp (Note: every anonymous user is mapped to a user in the OS. For security it is better that this is a system user, but a home directory must be created when the system user is created, because the share is rooted at that home directory. Only the mapped OS user can access the files, since local file permissions still apply. The permissions of /var/ftp itself cannot be changed, so create a new subdirectory and make that one writable.)

For system users, the shared resource is the user's home directory.

Configuration file directory: /etc/vsftpd

Main configuration file: /etc/vsftpd/vsftpd.conf

3. Explanation of part of the main configuration file

anonymous_enable=YES          # whether to enable anonymous users
anon_upload_enable=YES        # whether to allow anonymous uploads
anon_mkdir_write_enable=YES   # whether anonymous users may create directories
anon_other_write_enable=YES   # whether anonymous users may delete files
local_enable=YES              # whether local system users are enabled
write_enable=YES              # whether local system users may delete and create
local_umask=022               # restrict the permissions of created files


Confine all FTP local users to their home directory:

chroot_local_user=YES

Confine only the FTP local users listed in a file to their home directory:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

Log:

xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/var/log/xferlog

Change the owner of the uploaded file:

chown_uploads=YES
chown_username=whoever

Whether to enable the list file /etc/vsftpd/user_list that controls which users may log in:

userlist_enable=YES
userlist_deny=YES|NO

Connection limits:

max_clients=     # maximum number of concurrent connections
max_per_ip=      # maximum number of concurrent connections from one IP


Transfer rate:

anon_max_rate=   # maximum transfer rate for anonymous users, in bytes per second
local_max_rate=  # maximum transfer rate for local users, in bytes per second


Force transfers as a text stream (files opened by the client may then appear garbled):

ascii_upload_enable=YES
ascii_download_enable=YES

4. Configuration

A. Install the necessary programs

1. Install vsftpd, pam_mysql and mysql-server

Note: pam_mysql is provided by the EPEL repository.

B. Create the virtual user accounts

1. Prepare the database and related tables

mysql> CREATE DATABASE vsftpd;
mysql> GRANT SELECT ON vsftpd.* TO vsftp@localhost IDENTIFIED BY 'mima';      -- so the database can be used on this machine
mysql> GRANT SELECT ON vsftpd.* TO vsftp@'172.16.%.%' IDENTIFIED BY 'mima';
mysql> FLUSH PRIVILEGES;
mysql> USE vsftpd;
mysql> CREATE TABLE users (
           id INT UNSIGNED AUTO_INCREMENT NOT NULL PRIMARY KEY,
           name CHAR(20) BINARY NOT NULL,
           password CHAR(48) BINARY NOT NULL   -- the width is not legible in the original; 48 is an assumed value wide enough for PASSWORD() output (41 characters)
       );

2. Add test virtual accounts

For security the password is encrypted with MySQL's internal function; the length of the stored value is then determined by that function's output rather than by the plaintext.

mysql> INSERT INTO users (name, password) VALUES ('Tom', PASSWORD('Tom')), ('Jerry', PASSWORD('Jerry'));
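As an added example (not code from the original post), the Python below reproduces what PASSWORD() stores for these two rows and checks a login attempt against the stored value. It assumes the 41-character mysql_native_password format that MariaDB 5.5 produces by default (old_passwords off), which is also the format pam_mysql's crypt=2 expects; the USERS dictionary is a constructed in-memory stand-in for the users table.

```python
import hashlib
import hmac


def mysql_password(plain):
    """Reproduce MySQL's PASSWORD(): '*' followed by SHA1(SHA1(plain)) in upper-case hex (41 characters)."""
    inner = hashlib.sha1(plain.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def verify_password(plain, stored):
    """Compare a login attempt with a stored PASSWORD() hash without leaking timing on a prefix match."""
    return hmac.compare_digest(mysql_password(plain), stored)


# Constructed stand-in for the rows inserted above: the same name/password pairs, hashed as PASSWORD() would.
USERS = {name: mysql_password(secret) for name, secret in (("Tom", "Tom"), ("Jerry", "Jerry"))}


def authenticate(name, plain, table=USERS):
    """Return True only if the user exists and the password matches its stored hash."""
    stored = table.get(name)
    if stored is None:
        mysql_password(plain)  # do the same hashing work so unknown names are not faster to reject
        return False
    return verify_password(plain, stored)


if __name__ == "__main__":
    for user, stored in USERS.items():
        print(user, stored)
    print("Tom/Tom ->", authenticate("Tom", "Tom"), " Tom/tom ->", authenticate("Tom", "tom"))
```

PASSWORD() is an unsalted hash, so two accounts with the same password get identical stored values; that is worth keeping in mind when, as in this post, the passwords equal the user names.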

C. Configure vsftpd

1. Create the file required for PAM authentication

vim /etc/pam.d/vsftpd.mysql

The file is given a new name so that it does not conflict with the original vsftpd authentication file. Add the following two lines (the module can also be written simply as pam_mysql.so; it is then looked up under /lib64/security automatically):

auth    required /lib64/security/pam_mysql.so user=vsftp passwd=mima host=172.16.49.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib64/security/pam_mysql.so user=vsftp passwd=mima host=172.16.49.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

The auth line authenticates the account (for why crypt=2, see the README listed by rpm -ql pam_mysql); the account line checks whether the account is valid. host= is the IP of the MySQL server (172.16.49.1 in this environment).
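As an added example (not from the original post), the Python below parses PAM rules of this shape and checks the pam_mysql.so arguments the way a reviewer would: both an auth and an account rule present, the same connection parameters on both, and no crypt=0 (pam_mysql's default, which compares plaintext passwords stored in the database). The two configurations are constructed inline; the first copies the post's lines and the second is a deliberately weakened variant.

```python
import shlex

# Constructed copy of the two rules the post adds to /etc/pam.d/vsftpd.mysql;
# user, password and host are the post's example values, not real credentials.
PAM_VSFTPD_MYSQL = """\
# PAM stack for vsftpd virtual users backed by MySQL
auth    required /lib64/security/pam_mysql.so user=vsftp passwd=mima host=172.16.49.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib64/security/pam_mysql.so user=vsftp passwd=mima host=172.16.49.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
"""

# Constructed weak variant: plaintext comparison and no account rule.
PAM_WEAK = """\
auth required pam_mysql.so user=vsftp passwd=mima host=172.16.49.1 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0
"""

# pam_mysql arguments that must agree between the auth and account rules
CONN_KEYS = ("user", "host", "db", "table", "usercolumn", "passwdcolumn", "crypt")


def parse_pam_file(text):
    """Return (type, control, module basename, {arg: value}) for each non-comment rule."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) < 3:
            continue  # not a complete PAM rule
        mtype, control, module, *args = fields
        kv = {}
        for arg in args:
            key, sep, value = arg.partition("=")
            kv[key] = value if sep else ""
        entries.append((mtype, control, module.rsplit("/", 1)[-1], kv))
    return entries


def check_pam_mysql(entries):
    """Return human-readable findings about the pam_mysql.so rules (empty list means no problem found)."""
    findings = []
    rules = [e for e in entries if e[2] == "pam_mysql.so"]
    types = {mtype for mtype, _, _, _ in rules}
    if "auth" not in types:
        findings.append("no auth rule: passwords are never checked against MySQL")
    if "account" not in types:
        findings.append("no account rule: account validity is not checked")
    for mtype, _, _, kv in rules:
        # pam_mysql's default is crypt=0 (also spelled 'plain'): passwords in the table are compared as plaintext
        if kv.get("crypt", "0") in ("0", "plain"):
            findings.append(mtype + ": crypt=0 means plaintext passwords in the database")
    if len({tuple(kv.get(k) for k in CONN_KEYS) for _, _, _, kv in rules}) > 1:
        findings.append("auth and account rules use different pam_mysql parameters")
    return findings


if __name__ == "__main__":
    print("post's file:", check_pam_mysql(parse_pam_file(PAM_VSFTPD_MYSQL)))
    print("weak file:  ", check_pam_mysql(parse_pam_file(PAM_WEAK)))
```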


2. Modify the vsftpd configuration file so that it uses MySQL authentication

Create the system user that the virtual users are mapped to, together with its home directory:

useradd -s /sbin/nologin -d /var/ftproot vuser
chmod go+rx /var/ftproot

Ensure that the main configuration file /etc/vsftpd/vsftpd.conf contains the following (adjust as needed):

anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
chroot_local_user=YES

Then add the following options

guest_enable=YES
guest_username=vuser

Ensure the value of pam_service_name:

pam_service_name=vsftpd.mysql   # log in only via MySQL authentication


D. Start the vsftpd service

/etc/init.d/vsftpd start
chkconfig vsftpd on

Log in as a virtual user to verify the configuration; Windows IE or cmd can be used, among others.

E. Configure virtual users with different access rights

vsftpd can give each user a separate profile in a profile directory, in which that user's FTP service access is defined. The profile name of each virtual user is the virtual user's user name. The profile directory can be any unused directory; just specify its path and name in vsftpd.conf.

1. Configure vsftpd to use a profile directory for virtual users

vim /etc/vsftpd/vsftpd.conf

Add the following

user_config_dir=/etc/vsftpd/vusers_config

2. Create the required directory and provide a configuration file for each virtual user

mkdir /etc/vsftpd/vusers_config
touch /etc/vsftpd/vusers_config/{tom,jerry}

3. Configure access rights for virtual users

A virtual user's access to the vsftpd service is controlled through the directives for anonymous users. For example, to let the user Tom upload and download, edit /etc/vsftpd/vusers_config/tom and add:

anon_upload_enable={YES|NO}
anon_mkdir_write_enable={YES|NO}
anon_other_write_enable={YES|NO}
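As an added example (not the post's own code), the Python below serves both the option explanation in section 3 and the per-user profiles here: it parses vsftpd.conf syntax, applies a virtual user's file from user_config_dir on top of the main file the way vsftpd does (the per-user file overrides the main file), reports what that user may do, and lists the risky settings from section 3. MAIN_CONF, PERMISSIVE_CONF and USER_CONFIGS are constructed in-memory stand-ins for /etc/vsftpd/vsftpd.conf and the files under /etc/vsftpd/vusers_config.

```python
TRUE_VALUES = {"YES", "TRUE", "1"}

# Constructed stand-in for /etc/vsftpd/vsftpd.conf, following the settings in section C.
MAIN_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=vuser
pam_service_name=vsftpd.mysql
user_config_dir=/etc/vsftpd/vusers_config
"""

# Constructed stand-in for the permissive settings listed in section 3 (no chroot, ASCII mode, anonymous writes).
PERMISSIVE_CONF = """\
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
ascii_upload_enable=YES
ascii_download_enable=YES
"""

# Constructed stand-ins for the per-user files: tom may upload and create directories, jerry's file is empty.
USER_CONFIGS = {
    "tom": "anon_upload_enable=YES\nanon_mkdir_write_enable=YES\nanon_other_write_enable=NO\n",
    "jerry": "",
}


def parse_vsftpd_conf(text):
    """Return {option: value}; blank lines and '#' comments are ignored, later keys win."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            options[key.strip()] = value.strip()
    return options


def is_on(options, key, default="NO"):
    return options.get(key, default).upper() in TRUE_VALUES


def effective_options(main_text, user_text):
    """vsftpd applies the per-user file from user_config_dir on top of the main file."""
    options = parse_vsftpd_conf(main_text)
    options.update(parse_vsftpd_conf(user_text))
    return options


def virtual_user_permissions(username, main_text=MAIN_CONF, user_configs=USER_CONFIGS):
    """What a virtual (guest) user may do: guests are governed by the anon_* write options,
    and every filesystem change additionally requires write_enable=YES."""
    opts = effective_options(main_text, user_configs.get(username, ""))
    writable = is_on(opts, "write_enable")
    return {
        "upload": writable and is_on(opts, "anon_upload_enable"),
        "mkdir": writable and is_on(opts, "anon_mkdir_write_enable"),
        "delete_rename": writable and is_on(opts, "anon_other_write_enable"),
        "chrooted": is_on(opts, "chroot_local_user"),
    }


def audit_options(opts):
    """Names of risky settings from section 3: anonymous writes, no chroot, ASCII mode, no limits."""
    findings = []
    # vsftpd's built-in default for anonymous_enable is YES; anon_* writes only work with write_enable=YES
    if is_on(opts, "anonymous_enable", "YES") and is_on(opts, "write_enable"):
        for key in ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable"):
            if is_on(opts, key):
                findings.append(key)
    if is_on(opts, "local_enable") and not is_on(opts, "chroot_local_user"):
        findings.append("chroot_local_user")
    for key in ("ascii_upload_enable", "ascii_download_enable"):
        if is_on(opts, key):
            findings.append(key)
    for key in ("max_clients", "max_per_ip"):
        if key not in opts:
            findings.append(key)
    return findings


if __name__ == "__main__":
    for user in ("tom", "jerry"):
        print(user, virtual_user_permissions(user))
    print("section C config:", audit_options(parse_vsftpd_conf(MAIN_CONF)))
    print("section 3 config:", audit_options(parse_vsftpd_conf(PERMISSIVE_CONF)))
```

Because the per-user file wins, a virtual user's effective rights are the union of the main file and that user's profile; auditing only vsftpd.conf therefore misses rights granted under user_config_dir, which is why the permission check above reads both.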

Four, the results are as follows

Figure 1: creation of the database

Figure 2: virtual user Tom logs in

Figure 3: the Tom user uploads a file and creates a directory

Note: the reply "227 Entering Passive Mode (192,168,0,22,28,236)" in Figure 3 tells you that the data is downloaded in passive mode; the server's data port is 28*256+236.
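To make the port arithmetic in the note concrete, here is an added Python example (not from the post) that decodes the 227 reply shown in Figure 3 and, going beyond the note, the PORT command a client sends in active mode, since both carry the same h1,h2,h3,h4,p1,p2 tuple. Both messages are constructed here.

```python
import re

# Constructed messages: the reply quoted from Figure 3, and a PORT command a client might send in active mode.
PASV_REPLY = "227 Entering Passive Mode (192,168,0,22,28,236)"
PORT_COMMAND = "PORT 192,168,0,10,195,80"

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_host_port(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple FTP uses in both PASV replies and PORT commands."""
    match = _TUPLE.search(text)
    if match is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % text)
    numbers = [int(n) for n in match.groups()]
    if any(n > 255 for n in numbers):
        raise ValueError("field out of range in: %r" % text)
    host = ".".join(str(n) for n in numbers[:4])
    port = numbers[4] * 256 + numbers[5]  # high byte * 256 + low byte, e.g. 28*256+236 = 7404
    return host, port


def data_connection(message):
    """Work out who connects where for the data channel.
    Returns (mode, host, port): in passive mode the client connects to the server's port;
    in active mode the server connects back to the client's port."""
    if message.startswith("227 "):
        host, port = decode_host_port(message)
        return "passive", host, port
    if message.upper().startswith("PORT "):
        host, port = decode_host_port(message)
        return "active", host, port
    raise ValueError("not a PASV reply or PORT command: %r" % message)


if __name__ == "__main__":
    print(data_connection(PASV_REPLY))    # ('passive', '192.168.0.22', 7404)
    print(data_connection(PORT_COMMAND))  # ('active', '192.168.0.10', 50000)
```

The decoded passive port is the one a firewall in front of the server has to let through; vsftpd can pin the range it hands out with pasv_min_port and pasv_max_port so that only that range needs to be opened.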

Like-minded "comrades" can add me on QQ: 865765761 (note: Linux).


This article comes from the "Write-only feeling!" blog; please keep this provenance: http://damihua.blog.51cto.com/6537272/1651073
