The previous articles covered the fundamentals; this one works through several concrete setups.
Implementation: file-based authentication of VSFTPD virtual users, each user with a separate folder
1. Create the user database file
vim /etc/vsftpd/vusers.txt
qq
centos
momo
centos
Note: In this file, odd-numbered lines are user names and even-numbered lines are the corresponding passwords.
2. Restrict the permissions of this file and compile it into a DB file
Note: The permission change is for security; the text file holds the passwords in plain text.
3. Create a Linux user and the FTP directory (the virtual accounts will later be mapped to this account)
useradd -s /sbin/nologin vftpuser
chmod 555 /home/vftpuser/    # remove the write permission on the user's home directory
Note: The mapped account has no write permission on the FTP root (its home directory).
mkdir upload    # create the folder used for uploads
chown vftpuser upload/
Note: Change the owner of this folder to vftpuser. Although /home/vftpuser/ is also the FTP root of the second user and is not writable, the upload directory below that root is writable.
Enable the anonymous write permission
4. Modify the PAM configuration file
vim /etc/pam.d/vusers.db    # the file can have any name
auth required pam_userdb.so db=/etc/vsftpd/vusers
Note: This vusers name must match the xxxx.db file created in step 2, written here without the .db suffix (pam_userdb appends it).
account required pam_userdb.so db=/etc/vsftpd/vusers
5. Point the main configuration file at the PAM service you just created
Note: The users listed in vusers.txt are now legitimate users and can log in.
6. Map all logins to the vftpuser account we created and disable login with Linux system accounts
vim /etc/vsftpd/vsftpd.conf
guest_enable=yes
guest_username=vftpuser
7. Create a separate configuration file for each virtual user
vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vftpuser.d/
Create the folder named above:
mkdir /etc/vsftpd/vftpuser.d/
Create a configuration file for the virtual user in this directory:
[root@centos7_77 vftpuser.d]# cat > qq
anon_upload_enable=yes
anon_mkdir_write_enable=yes
Note: This gives the virtual user qq anonymous-style write permission (upload and mkdir).
8. Give the two virtual users different folders when they log in
vim /etc/vsftpd/vftpuser.d/qq
local_root=/data/qq
Note: If this folder does not exist, create it:
mkdir /data/qq
Note: Create a file in the qq directory for testing:
touch /data/qq/qq.txt
Restart the service and test.
Note: To add users, append them to vusers.txt and then regenerate the DB file.
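Putting steps 1 and 2 together, here is an added helper script (not from the original article) that checks the odd/even user-name/password layout of vusers.txt, builds the .db file that pam_userdb reads, and locks both files down; it assumes the db_load tool from the libdb-utils package.

```shell
#!/bin/sh
# Added example, not from the original article. Validates a vsftpd virtual-user
# list (odd lines = user names, even lines = passwords) and compiles it into the
# Berkeley DB that pam_userdb reads. Assumes db_load (libdb-utils) is installed.

# validate_vusers FILE: succeed only if FILE has a non-zero, even number of
# non-blank lines; prints the user names (odd lines) for review.
validate_vusers() {
    file=$1
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -n "$line" ] || { echo "blank line $n in $file" >&2; return 1; }
        [ $((n % 2)) -eq 1 ] && echo "$line"
    done < "$file"
    [ $((n % 2)) -eq 0 ] || { echo "odd line count ($n): a user lacks its password" >&2; return 1; }
}

# build_vusers_db FILE: compile FILE into the matching .db (pam_userdb adds the
# .db suffix itself, hence db=/etc/vsftpd/vusers in the PAM file), then restrict
# both files because they contain plaintext passwords. Prints the .db path.
build_vusers_db() {
    src=$1
    db=${src%.txt}.db
    validate_vusers "$src" > /dev/null || return 1
    db_load -T -t hash -f "$src" "$db" || return 1
    chmod 600 "$src" "$db"
    echo "$db"
}

# usage: build_vusers_db /etc/vsftpd/vusers.txt
```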
Implementation: VSFTPD virtual users with MySQL-based authentication
Description: This experiment uses two CentOS hosts, one as the FTP server and one as the database server.
Install the required packages and package groups.
CentOS 7: installing on the database server
yum -y install mariadb-server
systemctl start mariadb.service
systemctl enable mariadb
CentOS 6: installing on the database server
yum -y install mysql-server
Install the vsftpd and pam_mysql packages on the FTP server
CentOS 6: pam_mysql is provided by the EPEL 6 repository
yum install vsftpd pam_mysql
CentOS 7: there is no corresponding RPM package; it must be compiled and installed manually
yum -y groupinstall "Development Tools"
yum -y install mariadb-devel pam-devel vsftpd
Download pam_mysql-0.7rc1.tar.gz from
sourceforge.net/projects/pam-mysql/
1. Unpack the PAM module
[root@centos7_77 ~]# tar xvf pam_mysql-0.7rc1.tar.gz
cd pam_mysql-0.7rc1/
2. Compile
[root@centos7_77 pam_mysql-0.7rc1]# ./configure --with-pam-mods-dir=/lib64/security --with-mysql=/usr --with-pam=/usr
Note: Pay attention to the locations specified here, in particular the MySQL installation path.
At this point pam_mysql.so has not been built yet.
Start make:
[root@centos7_77 pam_mysql-0.7rc1]# make && make install
3. Create the database and table
1) Create the ftpdb database
MariaDB [(none)]> CREATE DATABASE ftpdb;
2) Authorize a user to connect to this database (read permission is enough)
MariaDB [(none)]> GRANT SELECT ON ftpdb.* TO vsftpd@'localhost' IDENTIFIED BY 'centos';
3) Create a table
MariaDB [ftpdb]> CREATE TABLE users (id INT AUTO_INCREMENT NOT NULL PRIMARY KEY, name CHAR(50) BINARY NOT NULL, password CHAR(48) BINARY NOT NULL);
Note: The column lengths are not legible in the source; 50 and 48 are assumed here (the output of PASSWORD() is 41 characters).
4) Add virtual users to the table
MariaDB [ftpdb]> INSERT INTO users (name,password) VALUES ('gg', PASSWORD('centos'));
MariaDB [ftpdb]> INSERT INTO users (name,password) VALUES ('mm', PASSWORD('centos'));
3. Prepare the PAM profile (the file needed for PAM authentication on the FTP server)
cd /etc/pam.d/
vim vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=centos host=localhost db=ftpdb table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=centos host=localhost db=ftpdb table=users usercolumn=name passwdcolumn=password crypt=2
Note: Configuration field description
auth: authentication (checking the credentials)
account: verifies that the account and password may be used
required: this module must succeed for authentication to succeed
pam_mysql.so is given as a relative path by default, relative to /lib64/security/; an absolute path can also be written. The parameters that follow are passed to the module.
user=vsftpd: the user used to log in to MySQL
passwd=magedu: the password used to log in to MySQL
host=mysqlserver: the host name or IP address of the MySQL server
db=vsftpd: the name of the MySQL database to connect to
table=users: the table name within that database
usercolumn=name: the column used as the user name
passwdcolumn=password: the column holding the password for that user name
crypt=2: the password encryption method; 2 means the password is stored as produced by the MySQL PASSWORD() function
4. Tell the FTP server the name of the PAM configuration file we just created
vim /etc/vsftpd/vsftpd.conf
5. Map to the system account vftpuser
vim /etc/vsftpd/vsftpd.conf
guest_enable=yes
guest_username=vftpuser
Note: Enable the guest user so that logins are mapped to the guest user, which is vftpuser. Don't forget to remove the write permission on this user's home directory (chmod 555, as in the first setup).
6. Give the login accounts different permissions (each user has its own profile)
Specify the folder that holds the per-user configuration
vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vftpuser.d
cd /etc/vsftpd/vftpuser.d
[root@centos7_77 vftpuser.d]# cat > mm
local_root=/data/mm
[root@centos7_77 vftpuser.d]# cat > gg
local_root=/data/gg
Note: For gg and mm to serve as the root directory of a virtual user, they must not be writable.
[root@centos7_77 data]# chmod a=rx mm
[root@centos7_77 data]# chmod a=rx gg
Then create a file in each of the gg and mm directories for testing:
[root@centos7_77 gg]# touch gg.txt
[root@centos7_77 mm]# touch mm.txt
Restart the service and test.
Note: To give the gg user write permission, add the following to the /etc/vsftpd/vftpuser.d/gg file:
anon_upload_enable=yes
anon_mkdir_write_enable=yes
and vftpuser must also have write access to the /data/gg directory:
setfacl -m u:vftpuser:rwx /data/gg
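As an added check, not part of the original article, the following script verifies the wiring of steps 4 to 6 against a vsftpd.conf: guest mapping enabled, the pam_service_name file present and not world-readable (it carries the MySQL password from passwd=), and every per-user local_root present and not writable. The CONF and PAMDIR parameters are assumptions so that it can be run against copies of the files.

```shell
#!/bin/sh
# Added example, not from the original article: audit a vsftpd virtual-user
# configuration. Uses ls mode bits rather than access(), so the result does
# not depend on which account runs the check.

# conf_get FILE KEY: value of KEY in a vsftpd-style key=value file,
# skipping comment lines; the last assignment wins.
conf_get() {
    grep -v '^[[:space:]]*#' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# check_vsftpd_setup CONF [PAMDIR]: print each problem found, return 1 if any.
check_vsftpd_setup() {
    conf=$1; pamdir=${2:-/etc/pam.d}; rc=0
    guest=$(conf_get "$conf" guest_enable)
    guest_user=$(conf_get "$conf" guest_username)
    svc=$(conf_get "$conf" pam_service_name)
    cfgdir=$(conf_get "$conf" user_config_dir)
    case $guest in [Yy][Ee][Ss]) ;; *) echo "guest_enable is not YES"; rc=1 ;; esac
    [ -n "$guest_user" ] || { echo "guest_username is not set"; rc=1; }
    # The PAM service named in vsftpd.conf must exist; if it embeds the MySQL
    # password (passwd=...) it must not be readable by others (position 8 of ls -l).
    if [ -z "$svc" ] || [ ! -f "$pamdir/$svc" ]; then
        echo "pam_service_name '$svc' has no file in $pamdir"; rc=1
    elif grep -q 'passwd=' "$pamdir/$svc" && [ "$(ls -l "$pamdir/$svc" | cut -c8)" = r ]; then
        echo "$pamdir/$svc holds a database password but is world-readable"; rc=1
    fi
    # Each per-user file's local_root must exist and carry no write bit at all,
    # as the article requires for directories used as a virtual user's root.
    if [ -d "$cfgdir" ]; then
        for f in "$cfgdir"/*; do
            [ -f "$f" ] || continue
            root=$(conf_get "$f" local_root)
            [ -n "$root" ] || continue
            if [ ! -d "$root" ]; then
                echo "$(basename "$f"): local_root $root is missing"; rc=1; continue
            fi
            case $(ls -ld "$root" | cut -c2-10) in
                *w*) echo "$(basename "$f"): local_root $root is writable"; rc=1 ;;
            esac
        done
    fi
    return $rc
}

# usage: check_vsftpd_setup /etc/vsftpd/vsftpd.conf
```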