Vsftpd uses pam_mysql.so to connect to mariadb for authentication 04/06 Update SLTechnology News&Howtos

Vsftpd uses pam_mysql.so to connect to mariadb for authentication

2025-04-06 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Database >

Shulou(Shulou.com)06/01 Report--

Experimental environment:

The IP address describes the 192.168.5.181CentOS7 system, and the base source installs mariadb as the ftp server, as the authentication server 192.168.5.121CentOS6 system, as the ftp client

Installation of authentication module pam_mysql.so

You need to download pam_mysql.so source package, pam_mysql-0.7RC1.tar.gz, from the Internet.

Before unzipping the installation, make sure that the development package on CentOS7 is installed, if not, you need to run the following command:

$yum groupinstall "Development Tools"-y

Then install the development packages for mariadb and pam:

$yum install mariadb-devel pam-devel-y

Extract the pam_mysql source code package, enter the source code directory, and compile and install it. Where-with-mysql refers to mariadb's header file and lib,-with-pam refers to pam's header file and lib. -with-pam-mods-dir indicates where the module will be installed.

$. / configure-with-mysql=/usr-with-pam=/usr-with-pam-mods-dir=/usr/lib64/security$ make$ make install

After installation, you can view the new pam_mysql.so module in the / usr/lib64/security directory.

$ls / usr/lib64/security/ | grep mysql.sopam_mysql.so

Mariadb creation data

Let's plan the users in mariadb. Set up a database called vsftpd, create a data table called auth in this database, and create two users in the data table as virtual users of vsftpd: user1, password user1;user2, password user2. The password is encrypted using the PASSWORD () function that comes with mysql. Use a user named vsftpd@'127.0.0.1' to make a login query and only grant that user select permissions with a login password of vsftpd. The results after establishment are as follows:

Set up a guest account

After logging in, all virtual users stored in mysql are mapped to local guest users. Here, a guest account named vuser is created, and the home directory is / ftproot/vuser. Change its permissions to 544, that is, remove all write permissions. Create a new pub directory in it and use setfacl to give the pub directory the read and write permissions of the vuser user.

$mkdir ftproot$ cd ftproot$ useradd-d / ftproot/vuser vuser$ chmod 544 / ftproot/vuser$ mkdir / ftproot/vuser/pub$ setfacl-m u:vuser:rwx / ftproot/vuser/pub

Configure the pam file

Create a new / etc/pam.d/ftp-mysql file and add the following two lines to it. For detailed configuration items, please see the README document in the pam_mysql.so source package:

Auth required / usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpd host=127.0.0.1 db=vsftpd table=auth usercolumn=name passwdcolumn=password crypt=2account required / usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpd host=127.0.0.1 db=vsftpd table=auth usercolumn=name passwdcolumn=password crypt=2

Configure the vsftpd.conf file

Create a new vsftpd.conf file with the configuration shown below. Notice that pam_service_name is replaced by the default vsftpd with the ftp-mysql just established, enable the guest account guest_enable=YES, use the guest account vuser, and configure the permissions files for the virtual users user1 and user2 to the / etc/vsftpd/vusers_config directory:

Anonymous_enable=YESlocal_enable=YESwrite_enable=YESlocal_umask=022dirmessage_enable=YESxferlog_enable=YESconnect_from_port_20=YESxferlog_std_format=YESlisten=NOlisten_ipv6=YESpam_service_name=ftp-mysqluserlist_enable=YEStcp_wrappers=YESguest_enable=YESguest_username=vuseruser_config_dir=/etc/vsftpd/vusers_config/

The permissions of user1 and user2 under the / etc/vsftpd/vusers_config directory are as follows. User1 is given the permission to upload, but user2 is given the permission to upload, delete directories and delete files. Once configured, restart the mariadb and vsftpd services with the systemctl start mariadb.service vsftpd.service command:

$cat / etc/vsftpd/vusers_config/user1 anon_upload_enable=YESanon_other_write_enable=NO$ cat / etc/vsftpd/vusers_config/user2 anon_upload_enable=YESanon_mkdir_write_enable=YESanon_other_write_enable=YES

Client test

"on the client, ensure that the ftp client tools are installed:"

Yum install ftp

Use the above tools to communicate with the server, and test the user1. You can see that the login is successful, and user1 has the permission to upload, but not the permission to delete:

$ftp 192.168.5.181Connected to 192.168.5.181 (192.168.5.181). 220 (vsFTPd 3.0.2) Name (192.168.5.181:root): user1331 Please specify the password.Password:230 Login successful.Remote system type is UNIX.Using binary mode to transfer files.ftp > ls227 Entering Passive Mode 181 Here comes the directory listing.drwxrwxr-x 200 6 Jun 05 18:33 pub226 Directory send OK.ftp > cd pub250 Directory successfully changed.ftp > ls227 Entering Passive Mode. 150 Here comes the directory listing.226 Directory send OK.ftp > lcd / etcLocal directory now / etcftp > put hostslocal: hosts227 Entering Passive Mode (192 Ok to send data.226 Transfer complete.256 bytes sent in 0.000155 secs (1651.61 Kbytes/sec) ftp > ls227 Entering Passive Mode 181 Here comes the directory listing.-rw- 108 Jun 36) .150 hosts226 Directory send OK.ftp 1 1001 1001 256 Jun 06 05:06 hosts226 Directory send OK.ftp > delete hosts550 Permission denied.ftp > exit221 Goodbye.

After testing user2, you can see that user2 has successfully logged in and has the permission to upload, delete and create a directory. :

$ftp 192.168.5.181Connected to 192.168.5.181 (192.168.5.181). 220 (vsFTPd 3.0.2) Name (192.168.5.181:root): user2331 Please specify the password.Password:230 Login successful.Remote system type is UNIX.Using binary mode to transfer files.ftp > cd pub250 Directory successfully changed.ftp > ls227 Entering Passive Mode. (192Meime168pr 5pr 181pcm96pr 57) .150 Here comes the directory listing.226 Directory send OK.ftp > lcd / etcLocal directory now / etcftp > put hostslocal: hosts remote: hosts227 Entering Passive Mode (192Min 168Co5 181 Ok to send data.226 Transfer complete.256 bytes sent in 0.000145 secs (1765.52 Kbytes/sec) ftp > ls227 Entering Passive Mode. 150 Here comes the directory listing.-rw- 1 1001 1001 256 Jun 06 05:10 hosts226 Directory send OK.ftp > delete hosts250 Delete operation successful.ftp > ls227 Entering Passive Mode. 150 Here comes the directory listing.226 Directory send OK.ftp > mkdir dir257 "/ pub/dir" createdftp > ls227 Entering Passive Mode 181208106) .150 Here comes the directory listing.drwx- 2 1001 1001 6 Jun 06 05:10 dir226 Directory send OK.

The following login tests are conducted for the system user ftpuser and a non-existent user abc, and it is found that the login cannot be carried out, which proves that only users who exist in the mysql database can authenticate:

$ftp 192.168.5.181Connected to 192.168.5.181 (192.168.5.181). 220 (vsFTPd 3.0.2) Name (192.168.5.181:root): ftpuser331 Please specify the password.Password:530 Login incorrect.Login failed.$ ftp 192.168.5.181Connected to 192.168.5.181 (192.168.5.181). 220 (vsFTPd 3.0.2) Name (192.168.5.181:root): abc331 Please specify the password.Password:530 Login incorrect.Login failed.ftp >

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.