Lab Environment:

| IP Address    | Description                                                                                   |
|---------------|-----------------------------------------------------------------------------------------------|
| 192.168.5.181 | CentOS 7, MariaDB installed from the base repository; the FTP server and the authentication backend |
| 192.168.5.121 | CentOS 6, the FTP client                                                                       |
Download the pam_mysql source package, pam_mysql-0.7rc1.tar.gz, from the Internet.
Before extracting and building it, make sure the development tools are installed on the CentOS 7 host; if they are not, run:
$ yum groupinstall "Development Tools" -y
Then install the MariaDB and PAM development packages:
$ yum install mariadb-devel pam-devel -y
Unpack the pam_mysql source package, enter the source directory, then configure, compile and install. --with-mysql points to MariaDB's headers and libraries, --with-pam points to PAM's headers and libraries, and --with-pam-mods-dir is the directory the module will be installed into.
$ ./configure --with-mysql=/usr --with-pam=/usr --with-pam-mods-dir=/usr/lib64/security
$ make
$ make install
After the installation completes, the new pam_mysql.so module is visible under /usr/lib64/security:
$ ls /usr/lib64/security/ | grep mysql.so
pam_mysql.so
Now plan the users in MariaDB. Create a database named vsftpd containing a table named auth, and insert two rows that will serve as the vsftpd virtual users: user1 with password user1, and user2 with password user2. The passwords are hashed with MySQL's own PASSWORD() function. A separate account, 'vsftpd'@'127.0.0.1' with password vsftpd, is used for the login queries and is granted only SELECT on that table. The result looks like this:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.44-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use vsftpd;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [vsftpd]> show tables;
+------------------+
| Tables_in_vsftpd |
+------------------+
| auth             |
+------------------+
1 row in set (0.00 sec)

MariaDB [vsftpd]> desc auth;
+----------+----------+------+-----+---------+-------+
| Field    | Type     | Null | Key | Default | Extra |
+----------+----------+------+-----+---------+-------+
| name     | char(20) | YES  |     | NULL    |       |
| password | char(…)  | YES  |     | NULL    |       |
+----------+----------+------+-----+---------+-------+
2 rows in set (0.01 sec)

MariaDB [vsftpd]> select * from auth;
+-------+-------------------------------------------+
| name  | password                                  |
+-------+-------------------------------------------+
| user1 | *34d3b87a652e7f0d1d371c3dbf28e291705468c4 |
| user2 | *12a20be57af67cbf230d55fd33fbaf5230cfdbc4 |
+-------+-------------------------------------------+
2 rows in set (0.00 sec)

MariaDB [vsftpd]> select Host,User,Password from mysql.user where User='vsftpd';
+-----------+--------+-------------------------------------------+
| Host      | User   | Password                                  |
+-----------+--------+-------------------------------------------+
| 127.0.0.1 | vsftpd | *653e55bc34328fd9504096b9dfb2434de24aae86 |
+-----------+--------+-------------------------------------------+
1 row in set (0.00 sec)
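The post shows the resulting tables but not the statements that create them. As an added example (not from the original post), the script below emits the SQL that produces that state: the vsftpd database, the auth table, the two virtual users hashed with PASSWORD(), and a query account that can do nothing but SELECT on that one table from the loopback address. The function names are my own, and the CHAR(41) column width is an assumption sized to PASSWORD() output (one asterisk plus 40 hex characters).

```shell
#!/bin/sh
# Added example, not from the original post: emit the SQL that produces the
# database state shown above (database vsftpd, table auth, SELECT-only query
# account 'vsftpd'@'127.0.0.1'). Helper names are hypothetical; the column
# width CHAR(41) is an assumption sized to PASSWORD() output (1 + 40 hex chars).
# Usage:  . ./vsftpd-auth-sql.sh && vsftpd_auth_sql | mysql -u root -p

# One INSERT for a virtual user; the hash is computed server-side by PASSWORD(),
# which is what crypt=2 in the pam_mysql configuration expects.
# (The arguments are not SQL-escaped: the constructed sample credentials here
# contain no quotes.)
vuser_insert_sql() {
    printf "INSERT INTO auth (name, password) VALUES ('%s', PASSWORD('%s'));\n" "$1" "$2"
}

vsftpd_auth_sql() {
    cat <<'EOF'
CREATE DATABASE IF NOT EXISTS vsftpd;
USE vsftpd;
CREATE TABLE IF NOT EXISTS auth (
    name     CHAR(20),
    password CHAR(41)
);
EOF
    # The two virtual users from the post (constructed sample credentials).
    vuser_insert_sql user1 user1
    vuser_insert_sql user2 user2
    # Least privilege for the account pam_mysql logs in with: SELECT on this one
    # table only, and only from the loopback address.
    cat <<'EOF'
GRANT SELECT ON vsftpd.auth TO 'vsftpd'@'127.0.0.1' IDENTIFIED BY 'vsftpd';
FLUSH PRIVILEGES;
EOF
}
```

Pipe the output into the mysql client as root; because the GRANT names 127.0.0.1 rather than %, the account is unusable from any other host even if the password leaks.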
Every virtual user stored in MySQL is mapped to a local guest user after login. Create a guest account named vuser with home directory /ftproot/vuser, and set that directory's mode to 544 so that nobody has write permission on it. Then create a pub subdirectory and use setfacl to give vuser read, write and execute permission on pub.
$ mkdir /ftproot
$ cd /ftproot
$ useradd -d /ftproot/vuser vuser
$ chmod 544 /ftproot/vuser
$ mkdir /ftproot/vuser/pub
$ setfacl -m u:vuser:rwx /ftproot/vuser/pub
Create a new file /etc/pam.d/ftp-mysql with the following two lines (the configuration items are documented in the README inside the pam_mysql source package):
auth    required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpd host=127.0.0.1 db=vsftpd table=auth usercolumn=name passwdcolumn=password crypt=2
account required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpd host=127.0.0.1 db=vsftpd table=auth usercolumn=name passwdcolumn=password crypt=2
Create a new vsftpd.conf with the configuration shown below. Note that pam_service_name is changed from the default vsftpd to the ftp-mysql service just created, the guest account is enabled with guest_enable=YES using the guest user vuser, and the per-user permission files for the virtual users user1 and user2 are placed under /etc/vsftpd/vusers_config:
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=ftp-mysql
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vusers_config/
The permission files for user1 and user2 under /etc/vsftpd/vusers_config are shown below: user1 is only allowed to upload, while user2 is allowed to upload, create directories and delete files. Once the configuration is complete, start the mariadb and vsftpd services with `systemctl start mariadb.service vsftpd.service`.
$ cat /etc/vsftpd/vusers_config/user1
anon_upload_enable=YES
anon_other_write_enable=NO
$ cat /etc/vsftpd/vusers_config/user2
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
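As an added example (not part of the original post), the following script writes the three pieces of configuration above, the PAM service file, vsftpd.conf and the per-user files, under a root prefix (ROOT, empty for a live system, a scratch directory for a dry run), and resolves a setting the way vsftpd does: the per-user file wins, then vsftpd.conf, then the compiled-in default. The function names and the ROOT variable are my own; the values are the post's. One point the post does not mention: the PAM service file carries the database password in clear text in its passwd= argument, so the script creates it with mode 0600 rather than the 0644 most files in /etc/pam.d have.

```shell
#!/bin/sh
# Added example, not from the original post. Writes the PAM service file,
# vsftpd.conf and the per-user files described above under "$ROOT" (empty
# for a real install, a scratch directory for a dry run), then shows how a
# per-user file overrides vsftpd.conf. Function names are hypothetical.
# Usage (as root):  . ./vsftpd-vuser-config.sh && install_all
ROOT="${ROOT:-}"

write_ftp_mysql_pam() {
    f="$ROOT/etc/pam.d/ftp-mysql"
    mkdir -p "$(dirname "$f")"
    # passwd= is the database password in clear text: keep the file root-only
    # instead of the 0644 that most /etc/pam.d files carry.
    : > "$f"
    chmod 600 "$f"
    for type in auth account; do
        printf '%-8s required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpd host=127.0.0.1 db=vsftpd table=auth usercolumn=name passwdcolumn=password crypt=2\n' "$type" >> "$f"
    done
}

write_vsftpd_conf() {
    f="$ROOT/etc/vsftpd/vsftpd.conf"
    mkdir -p "$(dirname "$f")"
    cat > "$f" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=ftp-mysql
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vusers_config/
EOF
}

write_user_configs() {
    d="$ROOT/etc/vsftpd/vusers_config"
    mkdir -p "$d"
    # user1: upload only.  user2: upload, mkdir, and other writes (delete/rename).
    printf 'anon_upload_enable=YES\nanon_other_write_enable=NO\n' > "$d/user1"
    printf 'anon_upload_enable=YES\nanon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n' > "$d/user2"
}

install_all() {
    write_ftp_mysql_pam
    write_vsftpd_conf
    write_user_configs
}

# Effective value of a setting for a virtual user: the per-user file wins over
# vsftpd.conf; if neither sets it, fall back to NO, which is vsftpd's compiled-in
# default for the anon_* write switches (assumed here for every key).
effective_setting() {
    user="$1"; key="$2"; val=""
    for f in "$ROOT/etc/vsftpd/vusers_config/$user" "$ROOT/etc/vsftpd/vsftpd.conf"; do
        [ -r "$f" ] || continue
        val=$(sed -n "s/^$key=//p" "$f" | tail -n 1)
        if [ -n "$val" ]; then break; fi
    done
    printf '%s\n' "${val:-NO}"
}
```

Running `effective_setting user1 anon_other_write_enable` prints NO while the same call for user2 prints YES, which is exactly the difference the two ftp sessions below exercise with `delete hosts`.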
On the client, make sure the ftp client tool is installed:
$ yum install ftp
Now test user1 with that client against the server: the login succeeds, and user1 can upload but cannot delete:
$ ftp 192.168.5.181
Connected to 192.168.5.181 (192.168.5.181).
220 (vsFTPd 3.0.2)
Name (192.168.5.181:root): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,5,181,187,35).
150 Here comes the directory listing.
drwxrwxr-x    2 0        0               6 Jun 05 18:33 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,5,181,180,167).
150 Here comes the directory listing.
226 Directory send OK.
ftp> lcd /etc
Local directory now /etc
ftp> put hosts
local: hosts remote: hosts
227 Entering Passive Mode (192,168,5,181,142,11).
150 Ok to send data.
226 Transfer complete.
256 bytes sent in 0.000155 secs (1651.61 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (192,168,5,181,108,36).
150 Here comes the directory listing.
-rw-------    1 1001     1001          256 Jun 06 05:06 hosts
226 Directory send OK.
ftp> delete hosts
550 Permission denied.
ftp> exit
221 Goodbye.
Next test user2: the login succeeds, and user2 can upload, delete, and create directories:
$ ftp 192.168.5.181
Connected to 192.168.5.181 (192.168.5.181).
220 (vsFTPd 3.0.2)
Name (192.168.5.181:root): user2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,5,181,96,57).
150 Here comes the directory listing.
226 Directory send OK.
ftp> lcd /etc
Local directory now /etc
ftp> put hosts
local: hosts remote: hosts
227 Entering Passive Mode (192,168,5,181,36,41).
150 Ok to send data.
226 Transfer complete.
256 bytes sent in 0.000145 secs (1765.52 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (192,168,5,181,141,235).
150 Here comes the directory listing.
-rw-------    1 1001     1001          256 Jun 06 05:10 hosts
226 Directory send OK.
ftp> delete hosts
250 Delete operation successful.
ftp> ls
227 Entering Passive Mode (192,168,5,181,56,230).
150 Here comes the directory listing.
226 Directory send OK.
ftp> mkdir dir
257 "/pub/dir" created
ftp> ls
227 Entering Passive Mode (192,168,5,181,208,106).
150 Here comes the directory listing.
drwx------    2 1001     1001            6 Jun 06 05:10 dir
226 Directory send OK.
Finally, try logging in as the system user ftpuser and as a non-existent user abc. Both fail, which shows that only users present in the MySQL database can authenticate:
$ ftp 192.168.5.181
Connected to 192.168.5.181 (192.168.5.181).
220 (vsFTPd 3.0.2)
Name (192.168.5.181:root): ftpuser
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
$ ftp 192.168.5.181
Connected to 192.168.5.181 (192.168.5.181).
220 (vsFTPd 3.0.2)
Name (192.168.5.181:root): abc
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp>
This article is from the "Technical Achievement Dream" blog, please be sure to keep this source http://jiangche00.blog.51cto.com/4377920/1932725
VSFTPD authentication with pam_mysql.so connection mariadb