
Unified Management of vsftp Virtual users realized by mysql+pam Module

2025-01-20 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

I recently began learning MySQL and did a small experiment; this is a summary of it. It is relatively easy to follow and does not involve much theory.

I. Preparing the experimental environment

1. Install the software and dependency packages you need.

[root@localhost ~]# yum -y install mariadb-server mariadb-devel pam-devel gcc-c++ vsftpd

2. Install the pam_mysql module (PAM: Pluggable Authentication Module)

[root@localhost ~]# tar zxf pam_mysql-0.7RC1.tar.gz

[root@localhost ~]# cd pam_mysql-0.7RC1

[root@localhost pam_mysql-0.7RC1]# ./configure --with-mysql=/usr --with-openssl --with-pam-mods-dir=/lib/pam_mysql/

[root@localhost pam_mysql-0.7RC1]# make

[root@localhost pam_mysql-0.7RC1]# make install

3. Start related services

[root@localhost ~]# systemctl start mariadb

[root@localhost ~]# systemctl start vsftpd

[root@localhost ~]# systemctl enable mariadb

[root@localhost ~]# systemctl enable vsftpd

4. Database security settings

[root@localhost ~]# mysql_secure_installation

Set root password? [Y/n] Y

Remove anonymous users? [Y/n] Y

Disallow root login remotely? [Y/n] Y

Remove test database and access to it? [Y/n] Y

Reload privilege tables now? [Y/n] Y

II. Create virtual users

1. Create the database and table (for storing information about virtual users)

[root@localhost ~]# mysql -u root -p

Enter password:

MariaDB [(none)]> create database testdb; # create the test database

MariaDB [(none)]> grant select on testdb.* to linos@localhost identified by 'linux'; # create the database user that pam_mysql connects as (SELECT only)

MariaDB [(none)]> flush privileges;

MariaDB [(none)]> use testdb

Database changed

MariaDB [testdb]> create table users (id int AUTO_INCREMENT NOT NULL, name char(20) binary NOT NULL, password char(20) binary NOT NULL, primary key (id)); # create a table to store the virtual users

2. Add virtual users

MariaDB [testdb]> insert into users (name,password) values ('tom','linux'); # add virtual user tom

MariaDB [testdb]> insert into users (name,password) values ('sam','linux'); # add virtual user sam

MariaDB [testdb]> flush privileges;

III. Configure the vsftp service

1. Create a PAM authentication file

[root@localhost ~]# cat /etc/pam.d/vsftpd.mysql

auth required /lib/pam_mysql/pam_mysql.so user=linos passwd=linux host=localhost db=testdb table=users usercolumn=name passwdcolumn=password crypt=0

account required /lib/pam_mysql/pam_mysql.so user=linos passwd=linux host=localhost db=testdb table=users usercolumn=name passwdcolumn=password crypt=0

Here crypt=0 tells pam_mysql that the password column holds plaintext, which matches the values inserted above.

2. Modify the vsftpd configuration file /etc/vsftpd/vsftpd.conf. The main settings to change are listed below. vsftpd does not accept a comment on the same line as an option, so each explanation is on its own line.

# do not allow anonymous users to log in
anonymous_enable=NO

# allow system users to log in
local_enable=YES

# allow system users to have write permission
write_enable=YES

# do not allow anonymous users to upload files
anon_upload_enable=NO

# do not allow anonymous users to create directories
anon_mkdir_write_enable=NO

# by default, after logging in to ftp as a system user, the user can cd to any directory, which is a security risk; enabling this option confines the user to their own home directory
chroot_local_user=YES

# enable the remapping of non-anonymous users to a system user
guest_enable=YES

# the system user that virtual users are mapped to
guest_username=virtuser

# Since version 2.3.5, vsftpd has enhanced its security checks: if a user is confined to their home directory, that home directory can no longer be writable.
# If the check finds that write permission is still present, an error is reported. To fix this error, either remove write permission from the user's home directory
# with the command chmod a-w /home/username, or add the following item to the vsftpd configuration file:
allow_writeable_chroot=YES

# specify the PAM service file that uses the pam_mysql module
pam_service_name=vsftpd.mysql
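The following shell script is an added example, not part of the original article. It audits the two files configured in this section: in the PAM file it flags crypt=0 and access bits for group/other on a file that embeds the database password, and in vsftpd.conf it flags capitalised option names and trailing comments. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Each function prints one finding per line.

# Audit a pam_mysql service file such as /etc/pam.d/vsftpd.mysql.
audit_pam_mysql() {
    # The file embeds the DB password (passwd=...): group/other need no access bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || echo "PERMS: group/other bits '$perms' on a file holding passwd="
    tr '\t' ' ' < "$1" | while IFS= read -r line; do
        case $line in
            '#'*) continue ;;
            *pam_mysql.so*) ;;
            *) continue ;;
        esac
        case " $line " in
            *" crypt=0 "* | *" crypt=plain "*)
                echo "PLAINTEXT: ${line%% *} line disables hashing (crypt=0 or plain)" ;;
        esac
    done
}

# Audit vsftpd.conf syntax: option names are case-sensitive and comments
# are only recognised at the start of a line.
audit_vsftpd_conf() {
    while IFS= read -r line; do
        case $line in
            '' | '#'*) continue ;;
        esac
        key=${line%%=*}; val=${line#*=}
        case $key in
            *[[:upper:]]* | *' '*) echo "KEY: '$key' is not a valid option name (lowercase, no spaces)" ;;
        esac
        case $val in
            *' #'*) echo "VALUE: text after '#' on the $key line is read as part of the value" ;;
        esac
    done < "$1"
}

# Constructed sample input mirroring the article's settings.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'auth required /lib/pam_mysql/pam_mysql.so user=linos passwd=linux db=testdb crypt=0' > "$d/vsftpd.mysql"
    chmod 644 "$d/vsftpd.mysql"
    printf '%s\n' 'Guest_enable=YES # map virtual users' 'guest_username=virtuser' > "$d/vsftpd.conf"
    audit_pam_mysql "$d/vsftpd.mysql"
    audit_vsftpd_conf "$d/vsftpd.conf"
    rm -rf "$d"
}
demo
```

On a real host, call the two functions with /etc/pam.d/vsftpd.mysql and /etc/vsftpd/vsftpd.conf as arguments; no output means none of these checks fired.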

IV. Verification

1. Restart the services

[root@localhost ~]# systemctl restart mariadb

[root@localhost ~]# systemctl restart vsftpd

2. Add the system user to which the virtual users are mapped

[root@localhost ~]# useradd -s /sbin/nologin virtuser # set the shell to /sbin/nologin so that the user cannot log in to the system

3. Log in as a virtual user to verify authentication

4. Verify the user mapping

[root@localhost virtuser]# pwd

/home/virtuser

[root@localhost virtuser]# mkdir pub

[root@localhost virtuser]# touch pub/test

This creates a test file under virtuser's home directory. Then log in to ftp as the sam user: you can see that the home directory is mapped to that of the virtuser user.

5. Configure authorization permissions

Sometimes we need to set different permissions for different virtual users.

[root@localhost ~]# tail -1 /etc/vsftpd/vsftpd.conf

user_config_dir=/etc/vsftpd/users_permission/

[root@localhost ~]# mkdir /etc/vsftpd/users_permission/

[root@localhost ~]# cd /etc/vsftpd/users_permission/

[root@localhost users_permission]# echo "anon_upload_enable=YES" >> sam

[root@localhost home]# chmod -R 777 virtuser/

Before the anonymous user upload permission is enabled, uploading as the sam user is refused.

After the anonymous user upload permission is enabled, the sam user can upload a file.

Other permissions can be granted to the user in the same way.

If there are any mistakes, please correct them.
