Tags: vsftpd + openssl + mysql: FTPS and FTP virtual users
FTP: File Transfer Protocol. Ports: control tcp/21; data tcp/20 or a random high port.
FTP uses two connections:
Command (control) connection: tcp/21
Data connection (opened on demand):
Active mode: server port tcp/20 (the server opens the data connection back to the client)
Passive mode: a random high port on the server (the client opens the data connection to it)
FTP has two transfer modes: binary and ASCII (most clients default to auto and choose by file type).
FTPS is FTP over SSL/TLS and is what OpenSSL provides here; SFTP is a subsystem of SSH and a different protocol altogether. Although the original title says "sftp", everything below builds FTPS.
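Passive mode is where the "random high port" meets the firewall, and it is also the one place a client has to distrust the server: the 227 reply names both the address and the port to connect to. The following Python is an added example, not code from the original page. It parses a 227 reply the way FTP clients do (port = p1*256 + p2) and adds the two checks a hardened client wants: the advertised address must be the host the control connection is already talking to (otherwise a rogue or compromised server can bounce the data connection to a third party), and the port must be unprivileged and, when the server's `pasv_min_port`/`pasv_max_port` range is known, inside that range, since that range is what the firewall should open instead of being flushed. The sample replies are the ones captured later on this page; the 50000-50100 range is an assumed configuration for illustration.

```python
import re

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


class PasvError(ValueError):
    """Raised when a 227 reply is malformed or fails a safety check."""


def parse_pasv(reply, control_host, pasv_range=None):
    """Return (host, port) from a 227 reply after validating it.

    control_host: the address the control connection is actually connected to.
    pasv_range:   optional (min, max) tuple matching the server's
                  pasv_min_port/pasv_max_port, i.e. the only ports the
                  firewall should have open for data connections.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise PasvError("not a well-formed 227 reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise PasvError("field out of range in %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    host = "%d.%d.%d.%d" % (h1, h2, h3, h4)
    port = p1 * 256 + p2          # port is sent as two bytes, high byte first

    # 1. Never follow a data-connection redirect: the address must be the
    #    server we are already talking to (defence against FTP bounce).
    if host != control_host:
        raise PasvError("server advertised %s but control connection is to %s"
                        % (host, control_host))
    # 2. Data ports must be unprivileged ...
    if port <= 1023:
        raise PasvError("refusing privileged data port %d" % port)
    # 3. ... and, if we know the configured range, inside it.
    if pasv_range is not None:
        lo, hi = pasv_range
        if not lo <= port <= hi:
            raise PasvError("port %d outside passive range %d-%d" % (port, lo, hi))
    return host, port


if __name__ == "__main__":
    # Replies captured from the vsftpd server on this page (32.12.32.227);
    # the passive range is an assumed setting, not one the page configures.
    server = "32.12.32.227"
    assumed_range = (50000, 50100)
    for line in (
        "227 Entering Passive Mode (32,12,32,227,222,90)",
        "227 Entering Passive Mode (32,12,32,227,93,85)",
        "227 Entering Passive Mode (10,0,0,5,93,85)",       # constructed bounce attempt
    ):
        try:
            print(line, "->", parse_pasv(line, server, assumed_range))
        except PasvError as exc:
            print(line, "-> rejected:", exc)
```

Recent versions of Python's own ftplib apply the first rule by default (the advertised address is ignored unless `trust_server_pasv_ipv4_address` is set); the range check is the client-side mirror of `pasv_min_port`/`pasv_max_port` plus a matching firewall rule, which is the correct replacement for the `iptables -F` used later on this page.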
Platform: RHEL 5.8 (32-bit), IP 32.12.32.227, installed from the RPM packages shipped with the system.
Install FTP:
#yum install vsftpd
#service vsftpd start
#finger ftp (installing vsftpd creates the ftp user and group automatically; this shows the ftp user's home directory, which is the anonymous root)
Test (anonymous login: the user name can be anonymous or ftp, the password is empty):
C:\Users\yangyuan>ftp 32.12.32.227
Connected to 32.12.32.227.
220 (vsFTPd 2.0.5)
User (32.12.32.227:(none)): ftp
331 Please specify the password.
Password:
230 Login successful.
ftp>
Note: anonymous users cannot upload files, create directories or delete files unless /etc/vsftpd/vsftpd.conf is changed:
#vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES (allow anonymous users to upload files)
anon_mkdir_write_enable=YES (allow anonymous users to create directories)
anon_other_write_enable=YES (allow anonymous users to delete and rename files)
#mkdir /var/ftp/upload (create an upload directory)
#setfacl -m u:ftp:rwx /var/ftp/upload (grant write access on the upload subdirectory only; vsftpd refuses anonymous logins if the anonymous root itself is writable)
#service vsftpd restart
#setenforce 0 (puts SELinux in permissive mode for the test; on a real server keep it enforcing and instead enable the RHEL 5 boolean allow_ftpd_anon_write and label the upload directory public_content_rw_t)
#iptables -F (flushes every firewall rule for the test; a real server should allow tcp/21 plus either the ip_conntrack_ftp helper or a fixed passive range set with pasv_min_port/pasv_max_port)
Test:
Xshell:\> ftp 32.12.32.227
Connecting to 32.12.32.227:21...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
220 (vsFTPd 2.0.5)
Name (32.12.32.227:yangyuan): ftp
331 Please specify the password.
Password:
230 Login successful.
ftp:/> cd upload
250 Directory successfully changed.
ftp:/upload> lpwd
D:\Users\yangyuan\Desktop
ftp:/upload> put fd.png
227 Entering Passive Mode (32,12,32,227,222,90)
150 Ok to send data.
fd.png: 12.8 KB sent in 0.001 sec (13,129 bytes, 12.5 MB/sec).
226 File receive OK.
ftp:/upload> mkdir test3
257 "/upload/test3" created
ftp:/upload> delete fd.png
250 Delete operation successful.
Logging in with an ordinary system account lands in that account's home directory. This is not recommended: the system password crosses the network in clear text unless TLS is forced (below), and the account can browse outside its home unless chroot_local_user=YES is set. The virtual-user setup later on avoids both problems.
#useradd hadoop
#echo "redhat" | passwd --stdin hadoop
Xshell:\> ftp 32.12.32.227
Connecting to 32.12.32.227:21...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
220 (vsFTPd 2.0.5)
Name (32.12.32.227:yangyuan): hadoop
331 Please specify the password.
Password:
230 Login successful.
ftp:/home/hadoop>
Two more directives can be added to /etc/vsftpd/vsftpd.conf to limit abuse:
max_clients=N (maximum number of concurrent clients)
max_per_ip=N (maximum number of connections from a single IP address; the original had the typo "mas_per_ip", which vsftpd would reject)
Implementing FTPS: CA ----> vsftpd server certificate
# (umask 077;openssl genrsa -out private/cakey.pem 2048) (run from /etc/pki/CA, the directory the CA section of openssl.cnf points at, so the relative paths resolve to /etc/pki/CA/private/cakey.pem and /etc/pki/CA/cacert.pem; umask 077 keeps the CA key readable by root only)
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
.........
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:JS
Locality Name (eg, city) [Newbury]:SZ
Organization Name (eg, company) [My Company Ltd]:bocs
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server‘s hostname) []:ca.bocs.com
Email Address []:
# vim /etc/pki/tls/openssl.cnf (make sure the CA section's dir matches the directory used above)
dir = /etc/pki/CA
(openssl ca below also expects /etc/pki/CA/index.txt, empty, and /etc/pki/CA/serial, holding the first serial number such as 01, to exist; it fails without them.)
# mkdir /etc/vsftpd/ssl
# cd /etc/vsftpd/ssl
# (umask 077;openssl genrsa -out vsftpd.key 2048)
# openssl req -new -key vsftpd.key -out vsftpd.csr
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:JS
Locality Name (eg, city) [Newbury]:SZ
Organization Name (eg, company) [My Company Ltd]:bocs
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server‘s hostname) []:ftp.bocs.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in vsftpd.csr -out vsftpd.crt (answer y to both prompts: sign the certificate, then commit it to the CA database)
#vim /etc/vsftpd/vsftpd.conf (add the following)
######### SSL or TLS #########
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=NO (the original set this to YES; SSLv3 is broken and must not be offered, so only TLS is accepted)
allow_anon_ssl=NO
force_local_data_ssl=YES (data connections of local users must be protected by TLS)
force_local_logins_ssl=YES (local users must log in over TLS, so system passwords never cross the network in clear text)
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key
#service vsftpd restart
Test: (the original shows two screenshots of a graphical FTP client logging in over TLS; they are not reproduced here)
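The screenshots do not show what actually matters in an FTPS test: whether the client verified the server certificate, or merely clicked through a warning. The following Python is an added example, not code from the original page or from vsftpd. It builds a client that trusts only the cacert.pem created above, checks that the certificate name matches the host it dials, and performs explicit FTPS (AUTH TLS before the password, PROT P for data). The host name ftp.bocs.com is the CN issued above, so it must resolve to 32.12.32.227 (for example through /etc/hosts); the path to cacert.pem on the client is an assumption. By default the context refuses anything older than TLS 1.2; the RHEL 5.8 server on this page only speaks TLS 1.0, so to test against it you must pass `allow_legacy=True`, which is itself the finding: such a server needs updating before it is exposed.

```python
import ssl
import sys
from ftplib import FTP_TLS


def make_tls_context(cafile=None, allow_legacy=False):
    """Client-side TLS policy for talking to an FTPS server.

    cafile:       the CA certificate that signed the server certificate (the
                  lab cacert.pem), so a private CA is trusted explicitly
                  instead of verification being switched off.
    allow_legacy: accept TLS 1.0 as well; only for talking to old servers
                  such as the vsftpd 2.0.5 host on this page.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True            # CN/SAN must match the host we dial
    ctx.verify_mode = ssl.CERT_REQUIRED  # unverifiable server => no login
    ctx.minimum_version = (ssl.TLSVersion.TLSv1 if allow_legacy
                           else ssl.TLSVersion.TLSv1_2)
    return ctx


def context_policy(ctx):
    """Plain-data view of a context so the policy can be logged or asserted."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": bool(ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
    }


def ftps_login(host, user, password, cafile, port=21, timeout=15,
               allow_legacy=False):
    """Explicit FTPS: upgrade the control channel, then log in, then PROT P."""
    ctx = make_tls_context(cafile, allow_legacy)
    ftps = FTP_TLS(context=ctx, timeout=timeout)
    ftps.connect(host, port)
    ftps.auth()                  # AUTH TLS: handshake and certificate check
    ftps.login(user, password)   # credentials now travel inside TLS
    ftps.prot_p()                # directory listings and files too
    return ftps


if __name__ == "__main__":
    # Usage: python ftps_check.py ftp.bocs.com hadoop redhat /path/to/cacert.pem
    # (account and CA path are the lab values from this page / assumptions).
    if len(sys.argv) != 5:
        sys.exit("usage: %s HOST USER PASSWORD CAFILE" % sys.argv[0])
    host, user, pw, ca = sys.argv[1:5]
    conn = ftps_login(host, user, pw, ca, allow_legacy=True)
    print(conn.getwelcome())
    conn.retrlines("LIST")
    conn.quit()
```

If the server presents a certificate not signed by cacert.pem, or one whose CN is not the name dialled, `ftps.auth()` raises `ssl.SSLCertVerificationError` and no password is ever sent, which is the behaviour a graphical client's "continue anyway" button silently discards.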
Virtual users with PAM and MySQL
# yum -y install mysql-server mysql-devel
# service mysqld start
# chkconfig mysqld on
Linking the system's PAM to MySQL needs one more package, pam_mysql-0.7RC1.tar.gz, downloadable from: http://download.chinaunix.net/download.php?id=15901&ResourceID=7820
# tar xf pam_mysql-0.7RC1.tar.gz
# cd pam_mysql-0.7RC1
# ./configure --with-mysql --with-openssl (the original had the typo --with-msyql, which configure would not recognise)
# make
# make install (note where it installs pam_mysql.so; the PAM configuration below must use that path)
Create the database and table, and grant the database user its privileges:
# mysql
mysql> CREATE DATABASE vsftpd;
Query OK, 1 row affected (0.02 sec)
mysql> USE vsftpd;
Database changed
mysql> CREATE TABLE users (
-> id SMALLINT AUTO_INCREMENT NOT NULL,
-> name CHAR(20) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL,
-> PRIMARY KEY(id)
-> );
Query OK, 0 rows affected (0.03 sec)
mysql> DESC users;
+----------+-------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+-------------+------+-----+---------+----------------+
| id | smallint(6) | NO | PRI | NULL | auto_increment |
| name | char(20) | NO | | NULL | |
| password | char(48) | NO | | NULL | |
+----------+-------------+------+-----+---------+----------------+
3 rows in set (0.01 sec)
mysql> GRANT SELECT ON vsftpd.* TO 'vsftpd'@'localhost' IDENTIFIED BY 'vsftpd';
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT SELECT ON vsftpd.* TO 'vsftpd'@'127.0.0.1' IDENTIFIED BY 'vsftpd';
Query OK, 0 rows affected (0.00 sec)
mysql> INSERT INTO users (name,password) values ('tom','redhat');
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO users (name,password) values ('jerry','redhat');
Query OK, 1 row affected (0.00 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
mysql> \q
(The vsftpd account gets SELECT only, which is all pam_mysql needs. The passwords are inserted in clear text here because the PAM configuration below compares them with crypt=0; for anything beyond a lab, store hashes and set crypt accordingly, and give the database account a password other than its own name.)
Create the PAM configuration file (it contains the database password, so keep it readable by root only):
# vim /etc/pam.d/vsftpd.mysql
auth required /usr/lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0
account required /usr/lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0
(crypt=0 means the password column is compared in clear text. Use the path where make install actually placed pam_mysql.so.)
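The INSERT statements above and the crypt=0 in the PAM lines together mean the users table is a plain-text password list. The following Python is an added example, not code from the original page or from pam_mysql: it produces hashes in the MySQL 4.1+ PASSWORD() format ('*' followed by the upper-case hex of SHA1(SHA1(password))), which is what pam_mysql verifies when the PAM lines say crypt=2 instead of crypt=0, and it builds a parameterised INSERT for the page's users table so the name cannot inject SQL. Computing the hash client-side rather than calling PASSWORD() on the server also avoids a surprise on servers configured with old_passwords=1, which would emit the obsolete 16-character format. The user names and the password "redhat" are the page's lab values; the name-validation rule is an assumption sized to the CHAR(20) column.

```python
import hashlib
import hmac
import re

# Login names must fit the CHAR(20) column and stay in a conservative alphabet
# (assumed policy; the page itself imposes none).
NAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,19}$")


def mysql_password(password):
    """MySQL 4.1+ PASSWORD() format: '*' + upper-hex SHA1(SHA1(password)).

    This is what pam_mysql compares against with crypt=2. It is unsalted, so
    it is far from ideal, but unlike crypt=0 the table no longer holds the
    passwords themselves.
    """
    if isinstance(password, str):
        password = password.encode("utf-8")
    stage1 = hashlib.sha1(password).digest()
    return "*" + hashlib.sha1(stage1).hexdigest().upper()


def check_password(password, stored_hash):
    """Constant-time comparison against a stored hash (pam_mysql's job in prod)."""
    return hmac.compare_digest(mysql_password(password), stored_hash)


def insert_user(name, password):
    """Return (sql, params) for cursor.execute(); never interpolate the name."""
    if not NAME_RE.match(name):
        raise ValueError("invalid virtual user name: %r" % name)
    sql = "INSERT INTO users (name, password) VALUES (%s, %s)"
    return sql, (name, mysql_password(password))


if __name__ == "__main__":
    # Constructed run for the page's two users; "redhat" is the lab password
    # used on the page, not a real credential.
    for user in ("tom", "jerry"):
        sql, params = insert_user(user, "redhat")
        print(sql, params)
```

With the hashes stored, change both PAM lines from crypt=0 to crypt=2; pam_mysql then hashes the password the client sends and compares it with the column, so the clear-text values never need to be in the database. Note that this format is unsalted: two users with the same password get the same hash, as tom and jerry would here.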
# useradd -s /sbin/nologin -d /var/vuser vuser
# chmod go+rx /var/vuser
# vim /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.mysql
force_local_data_ssl=NO (the command-line ftp client used in the test below cannot do TLS; turn both settings back to YES for real use, otherwise the virtual users' passwords cross the network in clear text)
force_local_logins_ssl=NO
######## guest ##########
guest_enable=YES
guest_username=vuser (the original had guest_username=YES, which names a non-existent account; every virtual user is mapped to the vuser system account created above)
user_config_dir=/etc/vsftpd/vuser_list
# mkdir /etc/vsftpd/vuser_list
# touch /etc/vsftpd/vuser_list/{tom,jerry}
# vim /etc/vsftpd/vuser_list/jerry (jerry gets upload, mkdir and delete rights; guest logins are treated like anonymous ones, which is why the anon_* directives apply to them)
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
# service vsftpd restart
Test (from a Linux client; the "504 Unknown AUTH type" lines are the client's GSSAPI/Kerberos attempts being declined and are harmless):
# ftp 32.12.32.227
Connected to 32.12.32.227.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (32.12.32.227:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
# ftp 32.12.32.227
Connected to 32.12.32.227.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (32.12.32.227:root): jerry
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc
Local directory now /etc
ftp> put inittab
local: inittab remote: inittab
227 Entering Passive Mode (32,12,32,227,93,85)
150 Ok to send data.
226 File receive OK.
1666 bytes sent in 0.021 seconds (77 Kbytes/s)
ftp> mkdir test
257 "/test" created
ftp> ls
227 Entering Passive Mode (32,12,32,227,230,252)
150 Here comes the directory listing.
-rw------- 1 502 502 1666 May 05 16:21 inittab
drwx------ 2 502 502 4096 May 05 16:21 test
226 Directory send OK.
ftp> delete inittab
250 Delete operation successful.