Objective
vsftpd is one of the most respected FTP server programs on Linux distributions: it is small, lightweight, secure and easy to use. Other FTP servers commonly used on open-source operating systems are proftpd, pureftp, Serv-U and WU-FTPD. This article explains the basic configuration of vsftpd and how to implement virtual-user access control based on PAM and MySQL/MariaDB.
Introduction to Basic Configuration
Working principle
[Figure: How FTP works]
Status Response code
1XX: Informational
2XX: Success
3XX: Intermediate status; the command has been accepted but further information is needed to complete it
4XX: Client Error
5XX: Server-side error
User authentication
Virtual User: Used only to access resources in a particular service
nsswitch: Name Service Switch, the name-resolution framework
    configuration file: /etc/nsswitch.conf
    modules: /lib64/libnss*, /usr/lib64/libnss*
PAM: Pluggable Authentication Modules, the user-authentication framework
    modules: /lib64/security/
    configuration files: /etc/pam.conf, /etc/pam.d/*
Location of resources accessed by the system user via ftp: User's own home directory
Location of resources accessed by a virtual user via FTP: the home directory of the system user to which the virtual user is mapped
Configuration file
VSFTPD configuration file in CentOS6.6
User authentication profile: /etc/pam.d/vsftpd
Service script: /etc/rc.d/init.d/vsftpd
Configuration file directory: /etc/vsftpd
Main configuration file: /etc/vsftpd/vsftpd.conf
Shared resource location of the anonymous user (mapped to the system user ftp): /var/ftp
Detailed configuration file
Anonymous user settings
    anonymous_enable=YES: allow anonymous login
    anon_upload_enable=YES: allow file upload
    anon_other_write_enable=YES: allow files to be deleted and renamed
    anon_mkdir_write_enable=YES: allow directory creation
    Note: even with these options enabled, the ftp user still has no write permission on the /var/ftp directory itself. Create a new directory under /var/ftp/, for example /var/ftp/upload/, and grant the ftp user write permission on it:
        setfacl -m u:ftp:rw /var/ftp/upload
System user settings
    local_enable=YES: allow local users to log in
    write_enable=YES: allow file upload
    Confine all local FTP users to their home directories: chroot_local_user={YES|NO}
    Confine only the users named in a list file (with chroot_local_user=YES the list instead holds the exceptions):
        chroot_list_enable=YES
        chroot_list_file=/etc/vsftpd/chroot_list
Log configuration
    xferlog_enable=YES
    xferlog_std_format=YES
    xferlog_file=/var/log/xferlog
Change the owner of uploaded files
    chown_uploads=YES
    chown_username=<user that uploaded files are handed to>
umask
    anon_umask: umask applied to files uploaded by anonymous users
    local_umask: umask applied to files uploaded by local users
PAM
    vsftpd uses PAM to complete user authentication; the PAM profile it uses is named by pam_service_name=vsftpd
User login control
    Users listed in /etc/vsftpd/ftpusers are denied the FTP service (enforced through PAM).
    A list file that controls user logins is enabled with userlist_enable=YES; userlist_deny=YES|NO decides whether the list denies (YES) or allows (NO) the users in it. The default file is /etc/vsftpd/user_list.
Connection limits
    max_clients: maximum number of concurrent connections
    max_per_ip: maximum number of concurrent connections from a single IP address
Transfer rates
    anon_max_rate: maximum transfer rate for anonymous users, in bytes/s
    local_max_rate: maximum transfer rate for local users, in bytes/s
Custom messages
    ftpd_banner=Welcome to FTP Server (custom greeting banner)
    dirmessage_enable=YES (a .message file must be created in the directory)
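The options above are only useful if they are spelled exactly and set the way you intend, so the following added example (not code from the original post) is a small POSIX shell audit that reads a vsftpd.conf and reports the settings a reviewer would look for: whitespace inside a directive line (vsftpd splits each line at the first "=" without trimming, which is why "anonymous_enable=YES " fails with "bad bool value" and " anonymous_enable=YES" with "unrecognised variable"), anonymous write access, local users not confined with chroot, transfer logging off, and no connection limit. The two sample configuration files are constructed for the demonstration; the defaults assumed for absent keys (anonymous_enable=YES, max_clients=0) are those of vsftpd 2.x as shipped with CentOS 6.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a vsftpd.conf for the
# options discussed above. Findings are printed one per line.

# conf_get FILE KEY: print the effective value of KEY, lower-cased, with
# surrounding whitespace stripped. vsftpd applies directives in order, so the
# last occurrence wins; lines starting with '#' never match.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" \
        | tail -n 1 | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z'
}

# vsftpd_audit FILE: print one line per finding; always returns 0.
vsftpd_audit() {
    f=$1
    # 1. Whitespace anywhere in a directive line (the "extra spaces" pitfall).
    ws=$(grep -n '^[^#].*[[:space:]]' "$f" | cut -d: -f1 | tr '\n' ' ')
    if [ -n "$ws" ]; then
        echo "whitespace in directive line(s) ${ws}(vsftpd rejects the line)"
    fi
    # 2. Anonymous write access. An absent anonymous_enable means YES on vsftpd 2.x.
    anon=$(conf_get "$f" anonymous_enable)
    if [ -z "$anon" ] || [ "$anon" = yes ]; then
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if [ "$(conf_get "$f" "$k")" = yes ]; then
                echo "anonymous write access: $k=YES"
            fi
        done
    fi
    # 3. Local users able to leave their home directory.
    if [ "$(conf_get "$f" local_enable)" = yes ] \
        && [ "$(conf_get "$f" chroot_local_user)" != yes ] \
        && [ "$(conf_get "$f" chroot_list_enable)" != yes ]; then
        echo "local users are not confined: chroot_local_user is not YES and no chroot_list is enabled"
    fi
    # 4. Transfer log switched off (default NO on vsftpd 2.x).
    if [ "$(conf_get "$f" xferlog_enable)" != yes ]; then
        echo "no transfer log: xferlog_enable is not YES"
    fi
    # 5. No connection limit: max_clients unset or 0 means unlimited.
    mc=$(conf_get "$f" max_clients)
    if [ -z "$mc" ] || [ "$mc" = 0 ]; then
        echo "no connection limit: max_clients is unset or 0"
    fi
    return 0
}

# Constructed sample files for the demonstration.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
anon_upload_enable=YES
anon_mkdir_write_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=NO
xferlog_enable=NO
EOF
# One line with a trailing space, exactly the mistake the post warns about.
printf 'anonymous_enable=YES \n' >> "$SAMPLE_DIR/weak.conf"

cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
xferlog_enable=YES
xferlog_std_format=YES
max_clients=50
max_per_ip=5
local_max_rate=102400
userlist_enable=YES
pam_service_name=vsftpd
EOF

echo "== weak.conf";     vsftpd_audit "$SAMPLE_DIR/weak.conf"
echo "== hardened.conf"; vsftpd_audit "$SAMPLE_DIR/hardened.conf"
```

Run it against the real file with `vsftpd_audit /etc/vsftpd/vsftpd.conf`; an empty report for the hardened sample and six lines for the weak one is the expected result.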
Virtual User Access Control
Virtual user
All virtual users will be uniformly mapped to a designated system account, and the shared location is the home directory for this system account.
Each virtual user can be given different access rights, specified with the permission-control parameters of the anonymous user
How virtual users are stored:
Hash-encoded file (odd lines hold user names, even lines hold passwords)
Relational database (authentication through the third-party PAM module pam_mysql)
Working principle
[Figure: Virtual user access control principle]
Configuration process
Environment preparation
FTP server: 172.16.10.10 (CentOS6.6)
Database server: 172.16.10.211 (CentOS6.6), MariaDB
Install the required program
First, the FTP server needs vsftpd and pam_mysql installed, and the database server needs MySQL or MariaDB. I have already installed them here, so I go straight to the configuration.
Create a virtual user
    [root@localhost ~]# mysql
    MariaDB [(none)]> create database vsftpd;
    MariaDB [(none)]> use vsftpd;
    MariaDB [vsftpd]> grant select on vsftpd.* to vsftp@'172.16.10.10' identified by 'vpass';
    MariaDB [vsftpd]> flush privileges;
    MariaDB [vsftpd]> create table users (
        -> id int unsigned not null auto_increment primary key,
        -> name varchar(30) binary not null,
        -> password char(48) binary not null
        -> );
    # The column widths were lost in the original; 30 and 48 are assumed here.
    # Add the virtual users; password('PASSWORD') stores the hashed password.
    MariaDB [vsftpd]> insert into users (name,password) values ('tom', password('scholar'));
    MariaDB [vsftpd]> insert into users (name,password) values ('alice', password('scholar'));
    # Create the PAM authentication file. The passwords were stored with PASSWORD(), so crypt=2.
    [root@localhost ~]# vim /etc/pam.d/vsftpd.mysql
    auth    required pam_mysql.so user=vsftp passwd=vpass host=172.16.10.211 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
    account required pam_mysql.so user=vsftp passwd=vpass host=172.16.10.211 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

    # Create the system user that the virtual users are mapped to, together with its home directory, and grant permissions on it.
    [root@localhost ~]# useradd -s /sbin/nologin -d /var/ftproot vuser
    [root@localhost ~]# chmod go+rx /var/ftproot

    # Make sure the following options are enabled in vsftpd.conf
    # (no spaces in these lines; vsftpd rejects them).
    [root@localhost ~]# vim /etc/vsftpd/vsftpd.conf
    anonymous_enable=YES
    local_enable=YES
    write_enable=YES
    anon_upload_enable=NO
    anon_mkdir_write_enable=NO
    chroot_local_user=YES
    # Add the following options; guest_username is the mapped system user created above.
    guest_enable=YES
    guest_username=vuser
    # And make sure pam_service_name names the PAM authentication file created above.
    pam_service_name=vsftpd.mysql
Configure virtual users to have different access rights
vsftpd can give each virtual user a separate profile in a profile directory that defines that user's access rights to the FTP service; each profile is a file whose name is the virtual user's user name. The profile directory can be any otherwise unused directory; it only has to be named by its path in vsftpd.conf.
Configure VSFTPD to use the profile directory for virtual users
    [root@localhost ~]# vim /etc/vsftpd/vsftpd.conf
    # add the following option
    user_config_dir=/etc/vsftpd/vusers_config
Create the required directory and provide the configuration file for the virtual user
    [root@localhost ~]# mkdir /etc/vsftpd/vusers_config
    [root@localhost ~]# cd /etc/vsftpd/vusers_config/
    [root@localhost vusers_config]# touch tom alice
Configure access rights for virtual users
A virtual user's access rights to the vsftpd service are set with the anonymous-user directives. For example, to give the user tom permission to upload files, edit the /etc/vsftpd/vusers_config/tom file and add the following options.
    [root@localhost vusers_config]# vim tom
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES
    [root@localhost vusers_config]# vim alice
    anon_upload_enable=NO
    anon_mkdir_write_enable=NO
    anon_other_write_enable=NO
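Because the profile is looked up by the login name, and a virtual user with no profile silently falls back to the global anon_* values in vsftpd.conf, it helps to generate the profiles from a script and to check the profile directory against the list of users. The following added example (not code from the original post) does both in POSIX shell: vuser_profile writes a profile in the upload or read-only form shown above, refusing names that would escape the directory, and vuser_check reports the effective mode of every user in a list. The directory, the user list (standing in for the users table in the vsftpd database) and the user bob are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: manage the per-user profiles
# under user_config_dir and check them against a list of virtual users.

# vuser_profile DIR NAME MODE
#   MODE "upload"   allows upload, mkdir and delete/rename (as for tom above)
#   MODE "readonly" denies all three (as for alice above)
vuser_profile() {
    dir=$1; name=$2; mode=$3
    # The login name becomes a file name under DIR: reject anything empty,
    # containing a slash, starting with a dot, or outside [A-Za-z0-9_.-].
    case "$name" in
        ''|*/*|.*|*[!A-Za-z0-9_.-]*)
            echo "refusing user name: '$name'" >&2; return 1 ;;
    esac
    case "$mode" in
        upload)   v=YES ;;
        readonly) v=NO ;;
        *) echo "mode must be upload or readonly" >&2; return 1 ;;
    esac
    # Written with printf so no trailing whitespace can sneak in;
    # vsftpd rejects "YES " as a bad bool value.
    printf 'anon_upload_enable=%s\nanon_mkdir_write_enable=%s\nanon_other_write_enable=%s\n' \
        "$v" "$v" "$v" > "$dir/$name"
}

# vuser_mode DIR NAME: print "upload", "readonly", "mixed" or "missing".
vuser_mode() {
    f=$1/$2
    if [ ! -f "$f" ]; then
        echo missing; return 0
    fi
    yes_n=$(grep -c '^anon_[a-z_]*_enable=YES$' "$f" || true)
    case "$yes_n" in
        3) echo upload ;;
        0) echo readonly ;;
        *) echo mixed ;;
    esac
}

# vuser_check DIR USERLIST: one line per listed user, "name mode". A user
# reported as "missing" gets the global anon_* settings from vsftpd.conf,
# so those lines are the ones to look at.
vuser_check() {
    while read -r name; do
        [ -n "$name" ] || continue
        echo "$name $(vuser_mode "$1" "$name")"
    done < "$2"
}

# Constructed demo: a profile directory and a user list standing in for
# the users table in the vsftpd database.
DEMO=$(mktemp -d)
mkdir "$DEMO/vusers_config"
printf 'tom\nalice\nbob\n' > "$DEMO/users.txt"
vuser_profile "$DEMO/vusers_config" tom upload
vuser_profile "$DEMO/vusers_config" alice readonly
vuser_check "$DEMO/vusers_config" "$DEMO/users.txt"
```

On the real server the directory is /etc/vsftpd/vusers_config and the user list would come from `select name from vsftpd.users`; the demo prints "tom upload", "alice readonly" and "bob missing".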
Start the service, set the boot up, and see if Port 21 is being monitored
[Screenshot: starting vsftpd, enabling it at boot and checking that port 21 is listening]
Testing virtual Users
[Screenshots: logging in as the virtual users tom and alice and testing their upload rights]
The end
OK, that is all for FTP virtual-user access control based on PAM and MySQL/MariaDB. During the FTP configuration, please make sure not to type extra spaces, or you will get errors or login failures; I was badly bitten by this, it really is a pitfall. If you run into problems during deployment, you can leave a message. Thanks for following! The above is organized only for my own learning; if there are mistakes, please go easy on me ~~~
This article is from the "North Scholar" blog; please be sure to keep this source: http://scholar.blog.51cto.com/9985645/1636190
FTP implementation of virtual user access control based on Pam and MYSQL/MARIADB