Vsftpd+pam+mysql implementing Virtual User Access control

1. Install MySQL database and development environment

# yum-y Install Mysql-server Mysql-devel

2, Installation Pam_mysql-0.7rc1

# Tar XF pam_mysql-0.7rc1.tar.gz

# CD PAM_MYSQL-0.7RC1

#./configure--with-mysql=/usr--with-openssl

# make

# make Install

# start MySQL

# service Mysqld Start

3. Create databases, tables, and virtual users

Mysqladmin-uroot password ' redhat '

Mysql-uroot-p

mysql> CREATE DATABASE vsftpd;

mysql> use VSFTPD;

Mysql> CREATE table users (ID smallint auto_increment NOT NULL, name char (a) binary NOT null, password char Binar Y not NULL, PRIMARY key (ID));

mysql> desc users;

mysql> INSERT into Users (Name,password) value (' Tom ', password (' Redhat ')), (' Jerry ', password (' Redhat '));

Mysql> Grant Select on vsftpd.* to [e-mail protected] identified by ' vsftpd ';

Mysql> Grant Select on vsftpd.* to [e-mail protected] identified by ' vsftpd ';

Mysql> select * from users;

mysql> flush Privileges;

4, Installation vsftpd

# Yum Install vsftpd lftp FTP

5. Configure the required files for PAM Certification

# Vim/etc/pam.d/vsftpd.mysql

Auth required/lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn= Name Passwdcolumn=password crypt=2

Account required/lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn= Name Passwdcolumn=password crypt=2

# Note: Pam_mysql-0.7rc1 source directory of the Readme has introduced several mechanisms of crypt

6, the establishment of virtual user mapping system users and corresponding directory

# useradd-s/sbin/nologin-d/data/ftproot VUser

# chmod go+rx/data/ftproot/

7, Configuration vsftpd

# vim/etc/vsftpd/vsftpd.conf

Anonymous_enable=yes

Local_enable=yes

Write_enable=yes

Anon_upload_enable=no

Anon_mkdir_write_enable=no

Chroot_local_user=yes

Pam_service_name=vsftpd.mysql # Make sure the file name is correct

Guest_enable=yes

Guest_username=vuser

8. Start VSFTPD

# service VSFTPD Start

# Chkconfig VSFTPD on

9. Test VSFTPD

#  ftp localhost

Trying:: 1 ...

Ftp:connect to Address:: 1Connection refused

Trying 127.0.0.1 ...

Connected to localhost (127.0.0.1).

(VsFTPd 2.2.2)

Name (localhost:root): Tom

331 Specify the password.

Password:

Successful Login.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

Ftp> lcd/tmp

Ftp> Get Issue

Ftp> put Inittab

Local:inittab Remote:inittab

227 Entering Passive Mode (127,0,0,1,27,53).

550 Permission denied.

Ftp> bye

10. Configure virtual users to have different access rights

VSFTPD can provide each user with a separate profile in the profile directory to define their FTP service access rights, with each virtual user's profile name and the virtual user's user name. The configuration file directory can be any unused directory, just specify its path and name in vsftpd.conf.

# Configure the configuration file directory used by VSFTPD virtual users

# vim/etc/vsftpd/vsftpd.conf

user_config_dir=/etc/vsftpd/vuser/

# Create the desired directory and configuration file

# mkdir/etc/vsftpd/vuser/

# cd/etc/vsftpd/vuser/

# Touch Tom Jerry

# Configure the corresponding virtual user permissions

# VIM Tom

Anon_upload_enable=no

# vim Jerry

Anon_upload_enable=yes

Anon_mkdir_write_enable=yes

Anon_other_write_enable=yes

# Restart VSFTPD

# Service VSFTPD Restart

# test VSFTPD

# FTP localhost

Trying:: 1 ...

Ftp:connect to Address:: 1Connection refused

Trying 127.0.0.1 ...

Connected to localhost (127.0.0.1).

(VsFTPd 2.2.2)

Name (localhost:root): Jerry

331 Specify the password.

Password:

Successful Login.

Remote system type is UNIX.

Using binary mode to transfer files.

Ftp> put Inittab

Local:inittab Remote:inittab

227 Entering Passive Mode (127,0,0,1,73,116).

Ok to send data.

226 Transfer complete.

884 bytes sent in 2.2e-05 secs (40181.82 kbytes/sec)

Ftp> ls

227 Entering Passive Mode (127,0,0,1,71,165).

Here comes the directory listing.

-RW-------1 884 may 13:00 Inittab

-rw-r--r--1 0 0 12:55 issue

226 Directory send OK.

Ftp> bye

# # # Configuration VSFTPD support OpenSSL Secure Communication # # #

# Configure the Build CA certificate

# CD/ETC/PKI/CA

# (Umask 077; OpenSSL genrsa-out Private/cakey.pem 2048)

# Vim: /tls/openssl.cnf

Countryname_default= CN

Stateorprovincename_default= Guangdong

Localityname_default= GuangZhou

0.organizationname_default= Test

Organizationalunitname_default= Tech

Dir=/etc/pki/ca

# OpenSSL Req-new-x509-key private/cakey.pem-out cacert.pem-days 3656

# mkdir Certs CRL Newcerts

# Touch Index.txt

# echo > Serial

# mkdir-p/etc/vsftpd/ssl

# cd/etc/vsftpd/ssl/

# (Umask 077;openssl genrsa-out vsftpd.key 2048)

# OpenSSL Req-new-key vsftpd.key-out VSFTPD.CSR

# OpenSSL ca-in vsftpd.csr-out vsftpd.crt-days 3656

# Configure VSFTPD to support SSL authentication

# vim/etc/vsftpd/vsftpd.conf

Ssl_enable=yes

Ssl_tlsv1=yes

Ssl_sslv2=no

Ssl_sslv3=yes

Allow_anon_ssl=no

Force_local_data_ssl=yes

Force_local_logins_ssl=yes

Rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt

Rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key

# Restart VSFTPD

# Service VSFTPD Restart

# test

# FTP localhost

Trying:: 1 ...

Ftp:connect to Address:: 1Connection refused

Trying 127.0.0.1 ...

Connected to localhost (127.0.0.1).

(VsFTPd 2.2.2)

Name (localhost:root): Tom

530 Non-anonymous sessions must use encryption.

Login failed.

# Display the above information indicates OK, because the Linux FTP command does not support SSL connection, the solid can be used other FTP client tools (such as FileZilla) connection test, and use the Tcpdump tool capture package view.

Vsftpd+pam+mysql implementing Virtual User Access control