2025-02-24 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article explains how to install vsftpd on CentOS and configure virtual user login.
When using Linux, you inevitably need to transfer all kinds of files remotely, such as website code and shared resources, and the most frequently used transfer method is probably FTP. Many FTP servers are available for Linux, such as vsftpd, ProFTPD and wu-ftpd, of which vsftpd is the more popular. For that reason I chose vsftpd for my own CentOS machine. vsftpd also supports virtual users through PAM (pluggable authentication modules), which is the approach Mitchell Chu prefers, so let's put vsftpd to work.
vsftpd supports three kinds of users: real users, anonymous users and virtual users (guest, also known as guest identity). Real users are accounts that exist on the system itself, in /etc/passwd and /etc/shadow. Anonymous means that the client does not need to provide any identity; FTP gives visitors a special user named anonymous for this purpose. A virtual user sits between a real user and an anonymous user: it does not exist in the system's account files, but it is recorded elsewhere on the system (in this article, a Berkeley DB) so that vsftpd can authenticate FTP visitors. After authentication, file operations are carried out as ftp, the user vsftpd runs as.
Because real users need real system accounts, opening FTP to them undoubtedly increases the risk to the system. Virtual users are authenticated by a separate system, and there is no actual mapping between virtual users and real system users, so the risk FTP brings to the system is reduced. In production, virtual users can also be managed independently and more flexibly, for example when a virtual-hosting service has to give its customers FTP accounts. With all these benefits, let's see how to configure it.
Preparation
Berkeley DB database: stores the login information of the virtual users.
pam_userdb.so: authenticates the virtual users.
db4-utils: tools for converting the virtual user list into DB data.
Install the required packages
CentOS seems to ship vsftpd by default, so there may be no need to install it. If you are not sure, check with which:
    which vsftpd
    # if it is installed, the output is similar to:
    # /usr/sbin/vsftpd
    # if it is not installed, the output is similar to:
    # /usr/bin/which: no xd in (/home/limituser...)
If there is no installation, please install:
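    yum install vsftpd   # or: yum -y install vsftpd
Of course, you can also replace the yum repository definitions and clear the yum cache first. Note that this deletes every file in /etc/yum.repos.d/ and fetches the replacement over plain HTTP from a third-party host, so back up the directory and review the downloaded file before using it:
    pushd /etc/yum.repos.d/
    rm -rf *
    wget http://docs.linuxtone.org/soft/lemp/CentOS-Base.repo
    yum clean all
    yum -y install vsftpd   # this is still the key step
For simplicity, we can install all the required packages at once:
    yum install db4-utils db4 vsftpd   # Mitchell Chu's reminder: some of these may not be needed; add or remove as required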
Create a virtual user
We use a Berkeley DB database to store the virtual users. The first step is to create a plain text file listing the users and passwords, with each user name and each password on its own line. For example, to create a user useasp with the password blog.useasp.net and a user admin with the password adminpasswd, the plain text looks like this:
    pushd /etc/vsftpd
    cat > vusers.txt <<'EOF'
    useasp
    blog.useasp.net
    admin
    adminpasswd
    EOF
After creating vusers.txt, the second step is to convert the plain text to a db file, which requires db_load:
    db_load -T -t hash -f vusers.txt vsftpd-virtual-users.db
To be on the safe side, restrict the file to read/write by root only (we are currently working as root):
    chmod 600 vsftpd-virtual-users.db
Then clean up the original plain text file:
    rm vusers.txt
At this point, we have prepared the users who need to log in to FTP, and then we need to configure vsftpd so that vsftpd can correctly identify and support virtual users.
Configuration of VSFTPD virtual user
Locate the vsftpd.conf configuration file and add or modify the following configuration options:
    # disable anonymous login
    anonymous_enable=NO
    anon_upload_enable=YES
    anon_other_write_enable=YES
    # enable local users
    local_enable=YES
    # virtual users use local user privileges
    virtual_use_local_privs=YES
    # writable
    write_enable=YES
    # PAM configuration
    pam_service_name=vsftpd
    # enable virtual users
    guest_enable=YES
    # user token: used together with local_root below; $USER is replaced with the login user name
    user_sub_token=$USER
    # root directory
    local_root=/var/ftp/$USER
    # enable chroot; after login the user is placed in the specified root directory
    chroot_local_user=YES
    # display all users and groups as ftp
    hide_ids=YES
The vsftpd configuration file is /etc/vsftpd/vsftpd.conf, and the other configuration items can keep their default values. If you need logs, vsftpd has two formats available: the standard xferlog format and the vsftpd format, of which the latter is more readable. You can also enable both. The parameters xferlog_enable, xferlog_std_format, xferlog_file, vsftpd_log_file and others control the logging.
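An added example, not part of the original article: a small POSIX shell audit that checks a vsftpd.conf for the security-relevant values set above, and verifies that the credential database is mode 600 and the plaintext vusers.txt is gone. The function names and the FINDING output format are illustrative assumptions; the file names and expected values are the article's.

```shell
#!/bin/sh
# Added example (not from the original article): audit the virtual-user setup.

# Print the effective value of KEY in FILE; the last uncommented line wins.
conf_get() {    # conf_get FILE KEY
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print a finding for each setting that differs from the article's value.
audit_conf() {  # audit_conf FILE; returns 0 on match, 1 otherwise
    rc=0
    for want in anonymous_enable=NO guest_enable=YES chroot_local_user=YES \
                pam_service_name=vsftpd hide_ids=YES; do
        key=${want%%=*}
        got=$(conf_get "$1" "$key")
        if [ "$got" != "${want#*=}" ]; then
            echo "FINDING: $key=${got:-<unset>} (expected ${want#*=})"
            rc=1
        fi
    done
    return "$rc"
}

# Check the credential files in DIR (the article uses /etc/vsftpd).
audit_userdb() {  # audit_userdb DIR
    rc=0
    if [ -e "$1/vusers.txt" ]; then
        echo "FINDING: plaintext password list $1/vusers.txt still exists"
        rc=1
    fi
    # find prints the path only when the mode is exactly 600
    if [ -z "$(find "$1/vsftpd-virtual-users.db" -prune -perm 600 2>/dev/null)" ]; then
        echo "FINDING: $1/vsftpd-virtual-users.db missing or not mode 600"
        rc=1
    fi
    return "$rc"
}

if [ "$#" -eq 1 ]; then   # stand-alone: sh audit.sh /etc/vsftpd/vsftpd.conf
    audit_conf "$1"; c=$?
    audit_userdb "$(dirname "$1")"; d=$?
    exit $((c | d))
else                      # no argument: constructed sample with anonymous login on
    t=$(mktemp)
    printf '%s\n' anonymous_enable=YES guest_enable=YES chroot_local_user=YES \
        pam_service_name=vsftpd hide_ids=YES >"$t"
    audit_conf "$t" || true
    rm -f "$t"
fi
```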
PAM configuration of virtual user
To make PAM authenticate the virtual users, PAM itself also has to be configured carefully. In the vsftpd configuration above, pam_service_name names the configuration file that PAM will use. This file exists by default after installation. If you want to keep the original configuration, back up a copy first, and then change the contents of the file as follows:
    #%PAM-1.0
    auth required pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-users
    account required pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-users
    # session required pam_loginuid.so
To enable the session line, remove the leading # from it. If you are on a 32-bit system, there is a configuration method on the Internet as follows:
    #%PAM-1.0
    auth sufficient pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-users
    account sufficient pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-users
As I do not know much about PAM under Linux, and do not know the difference between required and sufficient, I cannot draw many conclusions here. If you understand it, please give us some advice. Thank you!
The PAM configuration indicates where the accounts are stored. The db= path in our configuration file is the path of the Berkeley DB file created with db_load, written without the .db extension, as in the configuration above.
Create a FTP directory
Now that vsftpd is configured with an FTP directory, we first need to create the FTP root directory and the directories the users need, because as soon as these users log in, vsftpd relocates them to the specified home directory. In vsftpd.conf we configured /var/ftp, so we need to make sure this directory exists, and create each virtual user's root directory beneath it. The directory name is the user name.
    mkdir -p /var/ftp/{useasp,admin}
    chown -R ftp:ftp /var/ftp
To make sure the files can be read, we make everything under the root directory owned by the user ftp. The ftp account is created by the system by default, and vsftpd uses this account for its file operations.
Restart the FTP service and test the FTP
After following the process above, we can restart the vsftpd service so that the new configuration takes effect. If this command does not work, refer to the "Save trouble" section below to set vsftpd to start at boot:
    service vsftpd restart
After the restart you should, in theory, be able to reach the FTP server with an FTP client. To test it, you can also connect to the FTP server directly from the local machine:
    ftp 127.0.0.1
At this point you should get a normal response, similar to the following:
    Connected to 127.0.0.1 (127.0.0.1).
    220-Welcome to Mitchell Personal Web Server (MPWS)
    220-Please use user name and password to login...
    220-if you have any question, please contact MitchellChu
    220
    Name (127.0.0.1:root): useasp
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp>
The login should also appear in the system logs (several log files are shown below; some of them are not written unless vsftpd logging is configured):
    # tail -f /var/log/secure
    Sep 4 23:36:11 CentOS vsftpd[8721]: pam_userdb(vsftpd:auth): user 'useasp' granted access
    # tail -f /var/log/vsftpd.log
    Fri Sep 4 23:36:15 2015 [pid 8721] [useasp] FTP response: Client "127.0.0.1", "150 Here comes the directory listing."
At this point, we have configured a FTP server that can be accessed normally.
Turn on the firewall and open it to others.
After the above test is normal, if you turn on iptables, remember to add rules to open the port range that you will use in passive mode:
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 65300:65360 -j ACCEPT
    service iptables save
The above is my iptables configuration, which opens ports 21 and 20; port 20 is used by ftp-data to transmit data. For the passive-mode range to be the one vsftpd actually uses, the same range has to be set with pasv_min_port and pasv_max_port in vsftpd.conf.
Save trouble
So that we do not have to log in to the machine and start FTP after every reboot, we can set vsftpd to start at boot. If the system already has this service enabled, skip this step:
    chkconfig --levels 345 vsftpd on
    service vsftpd start
At this point, we have a more or less complete FTP server.
Postscript:
The above is the basic process of configuring vsftpd to use virtual users, but during configuration we always run into problems of one kind or another, so the whole process needs constant debugging. Because of SELinux, the root of many of these problems lies in the SELinux settings. If you just want something simple and fast, the following command, which switches SELinux to permissive mode for the whole system, gets rid of most of the problems; this is how many people on the Internet solve it:
    setenforce 0   # or: setenforce Permissive
Of course, if you, like Mitchell Chu, are a person who doesn't want to get things done so easily, then let's continue our journey. After configuring the entire FTP server according to the method above, I have more or less encountered the following problems. I gather them here for the convenience of newcomers (if I have time I will go into more detail; for now this is just a record):
1. Users are not placed in their own directories. We can try setting ftp_home_dir in SELinux to solve this problem:
    setsebool -P ftp_home_dir on
2. The contents of the FTP directory cannot be listed. This problem is also caused by SELinux. The likely reason is that vsftpd has no permission on the directory. vsftpd accesses it as the ftp user, so check that the permissions are set correctly for that user.
3. If the directory still cannot be listed, check whether the SELinux type of the target folder is correct. It generally needs to be public_content_t. If you are not sure, check with the following command:
    ls -alZ
You will see output similar to the following:
    drwxr-xr-x. root root system_u:object_r:public_content_t:s0 .
    drwxr-xr-x. root root system_u:object_r:var_t:s0 ..
    drwxr-xr-x. root root system_u:object_r:var_t:s0 useasp
    drwxr-xr-x. root root system_u:object_r:var_t:s0 admin
As you can see, the default is var_t, so we need to change it. This requires the semanage tool; if it is missing, install policycoreutils-python:
    yum -y install policycoreutils-python
Because I used a self-compiled version of Python, semanage did not work properly and reported an error:
    Traceback (most recent call last):
      File "/usr/sbin/semanage", line 23, in <module>
        import policycoreutils.default_encoding_utf8
    ImportError: No module named policycoreutils.default_encoding_utf8
After correcting that, use semanage directly to set it:
    restorecon -R -v /var/ftp/{useasp,admin}
4. Files cannot be uploaded and folders cannot be created. This is again an SELinux problem; set:
    setsebool -P allow_ftpd_anon_write on
5. Still can't upload files? Try this:
    semanage fcontext -a -t public_content_rw_t "/var/ftp(/.*)?"
    restorecon -R -v /var/ftp/{useasp,admin}
This is similar to the settings above but grants greater permissions, so apply it with caution!