Deploy FTP services based on virtual users
On a vsftpd server, the main advantage of virtual users is that the FTP login account is separate from any account on the system: the user name and password used to log in are different from those of any system user, which further improves the security of the FTP server.
1. Create an account database for virtual users
The vsftpd service stores virtual user accounts in a database file in Berkeley DB format. Creating this database file requires the db_load tool, which is provided by the db4-utils package, so that package must be installed first from the Server directory of the system installation disc. Install the db4-utils package as follows.
[root@localhost /]# rpm -ivh /media/Server/db4-utils-4.3.29-10.el5.i386.rpm
2. Create a user name and password list in text format
First, create a user name/password list file in plain text: odd-numbered lines hold user names, and each even-numbered line holds the password of the user named on the line before it.
[root@localhost /]# vim /etc/vsftpd/vusers.list
zhangsan
123
lisi
123
3. Create a database file in Berkeley DB format
With the text-format user name/password list as the data source, create the Berkeley DB database file using the db_load tool.
[root@localhost /]# cd /etc/vsftpd
[root@localhost vsftpd]# db_load -T -t hash -f vusers.list vusers.db
In the db_load command, the "-T" option allows an application that is not Berkeley DB aware to create a DB database file from a text file; the "-t hash" option specifies the underlying access method (database type); and the "-f" option specifies the source data file. For more information about the db_load command, see the file /usr/share/doc/db4-utils-4.3.29/utils/db_load.html.
To protect the virtual user accounts, set the permissions of these files to 600 so that the plain-text password list and the database cannot be read by other users.
[root@localhost /]# chmod 600 /etc/vsftpd/vusers.*
4. Add the mapping account for virtual users and create the FTP root directory
The vsftpd server controls virtual users through a mapping mechanism: all virtual users are mapped to the same system user, and that user's home directory becomes the FTP root directory shared by all virtual users after logon. Therefore, you also need to add the corresponding system user account (it needs neither a password nor a login shell).
[root@localhost /]# useradd -d /var/ftproot -s /sbin/nologin vuser
[root@localhost /]# chmod 755 /var/ftproot    # adjust permissions so that the directory can be listed
5. Create a PAM authentication file for virtual users
On the vsftpd server, user authentication is implemented through the PAM mechanism, which supports flexible authentication methods. The default PAM authentication file of the vsftpd service is /etc/pam.d/vsftpd, which authenticates system user accounts on the Linux host. To read the virtual user account database instead, you need to create a new PAM authentication configuration.
[root@localhost /]# vim /etc/pam.d/vsftpd.vu
auth     required pam_userdb.so db=/etc/vsftpd/vusers
account  required pam_userdb.so db=/etc/vsftpd/vusers
In the PAM configuration above, the location of the virtual user database file is given by the "db=/etc/vsftpd/vusers" parameter (the .db extension is omitted), that is, it refers to the /etc/vsftpd/vusers.db file.
6. Modify vsftpd configuration and add virtual user support
In the vsftpd.conf configuration file, add the guest_enable and guest_username configuration items so that all virtual users accessing the FTP service are mapped to the same system user account, vuser, and modify the pam_service_name configuration item to point to the /etc/pam.d/vsftpd.vu authentication file created in the previous step.
[root@localhost /]# vim /etc/vsftpd.conf
# ... (some content omitted) ...
local_enable=YES
# virtual users are mapped to a local user, so local logins must be enabled
write_enable=YES
# enable upload and write support
anon_umask=022
# permission mask for uploaded files
guest_enable=YES
# enable user mapping
guest_username=vuser
# the system user that virtual users are mapped to
pam_service_name=vsftpd.vu
# the new PAM authentication file
In the vsftpd service, virtual users are treated as anonymous users by default so that their permissions are reduced; therefore the configuration items that apply to them usually start with anon_.
Now you only need to reload the vsftpd.conf configuration file, after which clients can access FTP with a virtual user account.
[root@localhost /]# service vsftpd reload
7. Create a separate configuration file for each virtual user so that different users have different permissions
To give different virtual user accounts different access permissions, you can create an independent configuration file for each virtual user. To enable per-user configuration files, modify the vsftpd.conf configuration file and add the "user_config_dir=/etc/vsftpd/vusers_dir" configuration item.
[root@localhost /]# vim /etc/vsftpd.conf
# ... (some content omitted) ...
user_config_dir=/etc/vsftpd/vusers_dir
With the above configuration in place, you can create an independent configuration file for each virtual user in the /etc/vsftpd/vusers_dir/ directory.
[root@localhost /]# mkdir /etc/vsftpd/vusers_dir    # create the user configuration directory
[root@localhost /]# cd /etc/vsftpd/vusers_dir/
[root@localhost vusers_dir]# vim zhangsan    # create an independent configuration file for the user zhangsan
anon_upload_enable=YES
# permission to upload files
anon_mkdir_write_enable=YES
# permission to create directories
After the user_config_dir configuration item is enabled in vsftpd.conf, a configuration file should exist for every virtual user, even if it is empty; otherwise the user may not be able to log on to FTP.
[root@localhost vusers_dir]# touch lisi    # create an empty configuration file for lisi
Then reload the vsftpd.conf configuration file, and clients can access the server.
[root@localhost /]# service vsftpd reload
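The following script is an added example, not code from the original post. It checks a vusers.list file of the odd-line/even-line form created in steps 2 and 3 (even line count, valid and unique user names, non-empty passwords, mode 600) and then makes sure every user in the list has a per-user file under user_config_dir, as step 7 requires. It assumes the list file and the configuration directory are passed as arguments, and the permission check relies on GNU stat with a BSD fallback.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a vsftpd virtual-user
# list of the odd-line/even-line form described above and makes sure every
# user in it has a per-user file under user_config_dir (step 7).
# Assumptions: the list file and the config directory are passed as
# arguments; the permission check uses GNU stat with a BSD fallback.

# check_vusers_list LIST -> returns 0 if the list is well-formed, 1 otherwise
check_vusers_list() {
    list=$1
    rc=0
    # Odd lines are user names, even lines passwords: the count must be even.
    total=$(awk 'END { print NR }' "$list")
    if [ $((total % 2)) -ne 0 ]; then
        echo "ERROR: $list has $total lines, so a user/password pair is incomplete" >&2
        rc=1
    fi
    # User names become file names under user_config_dir, so restrict their
    # characters; they must also be unique, and passwords must not be empty.
    awk '
        NR % 2 == 1 && $0 !~ /^[A-Za-z0-9._-]+$/ {
            print "ERROR: bad user name on line " NR > "/dev/stderr"; bad = 1 }
        NR % 2 == 1 && seen[$0]++ {
            print "ERROR: duplicate user " $0 " on line " NR > "/dev/stderr"; bad = 1 }
        NR % 2 == 0 && $0 == "" {
            print "ERROR: empty password on line " NR > "/dev/stderr"; bad = 1 }
        END { exit bad }' "$list" || rc=1
    # The list holds clear-text passwords, so it must be mode 600 (see step 3).
    mode=$(stat -c %a "$list" 2>/dev/null || stat -f %Lp "$list")
    [ "$mode" = "600" ] || echo "WARN: $list has mode $mode, expected 600" >&2
    return $rc
}

# ensure_user_configs LIST DIR -> creates an empty per-user file for every user
# in LIST that lacks one (like "touch lisi" above); prints how many were created.
# User names are expected to have passed check_vusers_list (no whitespace).
ensure_user_configs() {
    list=$1
    dir=$2
    created=0
    mkdir -p "$dir"
    for u in $(awk 'NR % 2 == 1' "$list"); do
        if [ ! -e "$dir/$u" ]; then
            : > "$dir/$u"
            created=$((created + 1))
        fi
    done
    echo "$created"
}
```

Run it as `check_vusers_list /etc/vsftpd/vusers.list && ensure_user_configs /etc/vsftpd/vusers.list /etc/vsftpd/vusers_dir` before reloading the service.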
To verify that the permissions differ, you can assign different permissions to different users; for example:
The user zhangsan can log on, browse and download files, but cannot upload files.
The user lisi can log on, browse, download and upload files normally.
The user wangwu can log on, view, download, upload and delete files and directories.
This article is from the "initialize" blog; please keep this source: http://cshbk.blog.51cto.com/5685776/1202983