Setting up FTP: virtual users based on file authentication

Source: Internet
Author: User

Objective:

An FTP service built with vsftpd has three authentication modes: anonymous, local users, and virtual users. This time we implement virtual users based on file authentication. (The blogger's environment is basically all CentOS 7; generally speaking it differs little from CentOS 6.)

Body

Although we could create new Linux users to authenticate against, that way of managing users is inconvenient and raises many security issues to watch for. This time we save the virtual users' usernames and passwords directly in a file, authenticate logins through a PAM module, and map them to the local ftp user. We also give two users different permissions: one can upload files, the other can only download. Let's start.

The first step, of course, is to install our FTP service program. We use a piece of software called vsftpd.

# yum install vsftpd -y

The configuration files are in the /etc/vsftpd directory. By default the ftp user is used, and its home directory is /var/ftp. We start with the most basic initial configuration (only the modified entries are shown below) by editing /etc/vsftpd/vsftpd.conf:

# /etc/vsftpd/vsftpd.conf
# disallow anonymous access
anonymous_enable=NO
guest_enable=YES
guest_username=ftp
# the two options above mean that any user who logs in is treated as a guest, with the identity ftp
# names the PAM service file, which is placed at /etc/pam.d/vsftpd.db
pam_service_name=vsftpd.db

The last option names a file, vsftpd.db, that holds the PAM module directives. This file does not exist yet, so we have to create it by hand in the /etc/pam.d/ directory. PAM looks in that path automatically, which is why we only specify the file name. Next we create the new file vsftpd.db in that directory:

# /etc/pam.d/vsftpd.db
# sets the location of the user database the PAM module validates against to /etc/vsftpd/ftp
auth    required pam_userdb.so db=/etc/vsftpd/ftp
account required pam_userdb.so db=/etc/vsftpd/ftp

Note that although we specify /etc/vsftpd/ftp, the file is actually named ftp.db. It must end in .db, and the extension is not written in the configuration file. This database file does not exist either, so we have to create it by hand. The process has two steps, so we switch to the /etc/vsftpd directory:

# cd /etc/vsftpd
# vim ftp.txt    (first create a text file with the following content, which will be converted into the db file)
xiaofengfeng
1234
xiaofengfeng2
1234
(Odd-numbered lines are FTP login account names; even-numbered lines are the matching passwords.)
# db_load -T -t hash -f ftp.txt ftp.db    # run the hash operation to generate the db file
# chmod <mode> ftp.db    # set restrictive permissions for safety
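A pre-flight check for ftp.txt before it is fed to db_load, as an added example that is not part of the original post. The function name check_userdb_source and the sample file are constructed for illustration; it flags an account left without a password line, duplicate or empty entries, and a file that group or others can access (the file holds the passwords in clear text).

```shell
# check_userdb_source FILE
# Prints one finding per line and returns 1 if anything is wrong, 0 otherwise.
check_userdb_source() {
    file=$1
    findings=$(awk '
        NR % 2 == 1 {                        # odd line: account name
            name = $0
            if (name == "")   print "line " NR ": empty account name"
            if (name in seen) print "line " NR ": duplicate account " name
            seen[name] = 1
            next
        }
        {                                    # even line: password of the account above
            if ($0 == "")     print "line " NR ": empty password for " name
        }
        END {
            if (NR % 2 == 1)  print "line " NR ": account " name " has no password line"
        }' "$file")
    # Characters 5-10 of the ls mode string are the group and other permission bits.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        findings="${findings:+$findings
}file mode allows group/other access"
    fi
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: the second account has lost its password line,
# and the file is world-readable.
demo=$(mktemp)
printf '%s\n' xiaofengfeng 1234 xiaofengfeng2 > "$demo"
chmod 644 "$demo"
check_userdb_source "$demo" || echo "fix ftp.txt before running db_load"
rm -f "$demo"
```
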

So far we have completed a basic configuration of virtual users, and it should be possible to log in to FTP with these two accounts. Before we do that, we have to check whether the firewall and SELinux are off, or else allow our FTP service through them.

# getenforce       # check whether SELinux is Enforcing; if so, it has to be turned off first
# iptables -vnL    # check whether any rules restrict FTP; if so, adjust or clear them
# setenforce 0     # temporarily disable SELinux
# iptables -F      # flush the iptables rules

When the blogger first built an FTP service, it always showed no directory, or files could not be uploaded even with the upload function enabled; it took a long time to suddenly think of SELinux, this trap. So what can you do, this thing is still better turned off ...

Now we start the service, or restart it if it is already running:

# systemctl restart vsftpd
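vsftpd reads vsftpd.conf strictly: no whitespace is allowed around =, and a # only starts a comment at the beginning of a line. The following lint, an added example that is not from the original post (the function name lint_vsftpd_conf and the sample file are constructed), checks that syntax and the three settings this setup depends on before the service is restarted.

```shell
# lint_vsftpd_conf FILE
# Prints one finding per line and returns 1 if anything is wrong, 0 otherwise.
lint_vsftpd_conf() {
    out=$(awk '
        /^#|^$/ { next }                      # comment-only and blank lines
        /[ \t]=|=[ \t]/ { print "line " NR ": whitespace around =" }
        /[ \t]#/        { print "line " NR ": trailing comment becomes part of the value" }
        {
            eq = index($0, "=")               # split at the first = exactly as written
            if (eq) val[substr($0, 1, eq - 1)] = toupper(substr($0, eq + 1))
        }
        END {
            # Settings the virtual-user setup on this page relies on.
            if (val["anonymous_enable"] != "NO") print "anonymous_enable is not NO"
            if (val["guest_enable"] != "YES")    print "guest_enable is not YES"
            if (val["pam_service_name"] == "")   print "pam_service_name is not set"
        }' "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample with two typical mistakes: an inline comment and a space before =.
conf=$(mktemp)
cat > "$conf" <<'EOF'
anonymous_enable=NO #no anonymous access
guest_enable =YES
guest_username=ftp
pam_service_name=vsftpd.db
EOF
lint_vsftpd_conf "$conf" || echo "fix vsftpd.conf before restarting vsftpd"
rm -f "$conf"
```
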

At this point we can log in to FTP as xiaofengfeng and xiaofengfeng2. If you encounter an error when logging in, check the log file with tail /var/log/secure. What if we want xiaofengfeng to be able to upload files and create directories while xiaofengfeng2 cannot? We can give each user an individual configuration file so that different users have different permissions. The first thing to do is set the location of the per-user configuration files in /etc/vsftpd/vsftpd.conf, and then create that directory:

# /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/ftp.d

# mkdir /etc/vsftpd/ftp.d

Then, in the /etc/vsftpd/ftp.d directory, create a new configuration file named xiaofengfeng, the same name as the user xiaofengfeng, and turn on anonymous uploads. It is configured as follows:

anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

The configuration is that simple, but we still cannot upload files. Why? When we log in to FTP as xiaofengfeng, the server actually treats us as the ftp user, and the ftp user has no write permission on /var/ftp/pub, so the upload fails. We can grant the ftp user write permission on the /var/ftp/pub directory separately; here we use ACLs to control the permissions. The command is as follows:

# setfacl -m u:ftp:rwx /var/ftp/pub

At this point we restart the FTP service:

# systemctl restart vsftpd

Testing now shows that xiaofengfeng, once logged in to FTP, can upload files, download files, and create directories, while xiaofengfeng2 can only download files.

We're done here.

This completes the FTP setup based on file authentication. If you have questions, you can leave a message or send an email. Email generally gets the quickest reply.

This article is from the "mechanism of small Wind" blog, please be sure to keep this source http://xiaofengfeng.blog.51cto.com/8193303/1885896
