Virtual user Mechanism of vsftpd based on pam_mysql

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

I. Overview of virtual users

When vsftpd serves virtual users, it still needs one system account that stands in for all of them: whichever user type vsftpd uses (anonymous user, system user or virtual user), the login is ultimately mapped to a user on the operating system, and every file resource carries its own permissions, which the permission model evaluates only against operating-system users. This article covers only vsftpd's pam_mysql-based virtual user mechanism.

II. vsftpd's virtual user mechanism based on pam_mysql

1. Compile and install pam_mysql

(1) Provide the development environment and install the development packages of the dependencies before compiling pam_mysql.

[root@ftp ~]# yum -y groupinstall "Development Tools" "Server Platform Development"
[root@ftp ~]# yum -y install pam-devel openssl-devel mariadb-devel

(2) Download the source code package of pam_mysql

# download the compressed package from the official pam_mysql website

(3) Decompress, then compile and install

[root@ftp ~]# tar xf pam_mysql-0.7RC1.tar.gz
[root@ftp ~]# cd pam_mysql-0.7RC1/
[root@ftp pam_mysql-0.7RC1]# ./configure --with-mysql=/usr --with-openssl=/usr --with-pam=/usr --with-pam-mods-dir=/lib64/security
[root@ftp pam_mysql-0.7RC1]# make && make install

2. Use MySQL to create a table that stores the user accounts and passwords.

(1) Start the mysql service and enable it at boot

[root@ftp ~]# systemctl start mariadb.service
[root@ftp ~]# systemctl enable mariadb.service

(2) Create the database vsftpd and the table users

[root@ftp ~]# mysql
mysql> CREATE DATABASE vsftpd;
mysql> use vsftpd;
mysql> CREATE TABLE users (id INT AUTO_INCREMENT NOT NULL PRIMARY KEY, name CHAR(30) NOT NULL, password CHAR(48) BINARY NOT NULL);
# the result of MySQL's PASSWORD() function has 48 characters
mysql> DESC users;
+----------+------------+------+-----+---------+----------------+
| Field    | Type       | Null | Key | Default | Extra          |
+----------+------------+------+-----+---------+----------------+
| id       | int(11)    | NO   | PRI | NULL    | auto_increment |
| name     | char(30)   | NO   |     | NULL    |                |
| password | binary(48) | NO   |     | NULL    |                |
+----------+------------+------+-----+---------+----------------+

(3) Insert rows into the table

mysql> INSERT INTO users (name,password) VALUES ('tom',PASSWORD('mageedu')),('jerry',PASSWORD('mageedu.com'));

(4) Authorization

mysql> GRANT SELECT ON vsftpd.* TO vsftpd@localhost IDENTIFIED BY 'mageedu';
mysql> GRANT SELECT ON vsftpd.* TO vsftpd@'127.0.0.1' IDENTIFIED BY 'mageedu';
mysql> FLUSH PRIVILEGES;

3. Create a PAM configuration file

[root@ftp ~]# vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=mageedu host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=mageedu host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

4. Create a system user as a mapped user for all virtual users

[root@ftp ~]# useradd -s /sbin/nologin -d /ftproot vuser
[root@ftp ~]# ll -d /ftproot/
drwx------. 4 vuser vuser 87 Jun 9 21:48 /ftproot/    # group users and other users have no permissions at all
[root@ftp ~]# chmod go+rx /ftproot/      # add read and execute permissions for group users and other users
[root@ftp ~]# chmod -w /ftproot          # the home directory of the mapped user vuser must not be writable
[root@ftp ~]# mkdir /ftproot/{pub,upload}    # if write access is wanted, create subdirectories with write permission under the home directory

5. Edit the vsftpd configuration file and modify the relevant configuration

[root@ftp ~]# vim /etc/vsftpd/vsftpd.conf
guest_enable=YES                 # whether to allow guest accounts to access
guest_username=vuser             # map all guest accounts to the system user vuser
pam_service_name=vsftpd.mysql    # use the PAM configuration file created above

6. Start the service

[root@ftp ~]# systemctl start vsftpd.service
[root@ftp ~]# ss -tnl | grep :21
LISTEN     0      32        :::21          :::*

7. Testing

(1) Test virtual user tom

[root@ftp ~]# ftp 192.168.10.99
Connected to 192.168.10.99 (192.168.10.99).
220 (vsFTPd 3.0.2)
Name (192.168.10.99:root): tom        # enter the virtual user tom
331 Please specify the password.
Password:                             # enter the password of the virtual user tom
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode ...
150 Here comes the directory listing.
drwxr-xr-x    2 0        0               6 Jun 09 13:35 pub
drwxr-xr-x    2 1000     0              64 Jun 09 14:25 upload
226 Directory send OK.

(2) Test virtual user jerry

[root@ftp ~]# ftp 192.168.10.99
Connected to 192.168.10.99 (192.168.10.99).
220 (vsFTPd 3.0.2)
Name (192.168.10.99:root): jerry      # enter the virtual user jerry
331 Please specify the password.
Password:                             # enter the password of the virtual user jerry
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode ...
150 Here comes the directory listing.
drwxr-xr-x    2 0        0               6 Jun 09 13:35 pub
drwxr-xr-x    2 1000     0              64 Jun 09 14:25 upload
226 Directory send OK.

The test was successful.
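Two things in the procedure above deserve a check once the service is up: /etc/pam.d/vsftpd.mysql holds the MySQL password of the vsftpd account in clear text, so it must not be readable by group or other, and the mapped user's home must stay non-writable after the chmod -w. The script below is an added example, not part of the original article; the paths are parameters and the demo runs against a constructed layout under mktemp rather than the live server.

```shell
#!/bin/sh
# Added example (not from the page): audit the file permissions this setup
# relies on. /etc/pam.d/vsftpd.mysql carries the MySQL password of the
# 'vsftpd' account in clear text, so it must not be group/world readable,
# and the mapped user's home /ftproot must stay non-writable (chmod -w).
# Paths are parameters; the demo below uses a constructed layout under mktemp.

# Print "ok" if FILE has no group/other permission bits, "exposed" otherwise.
pam_file_mode() {
    bits=$(stat -c '%a' "$1") || { echo "missing"; return 0; }
    # the last two octal digits are the group and other bits
    if [ $((bits % 100)) -eq 0 ]; then echo "ok"; else echo "exposed"; fi
}

# Print "ok" if nobody holds the write bit on DIR, "writable" otherwise.
mapped_home_mode() {
    bits=$(stat -c '%a' "$1") || { echo "missing"; return 0; }
    # the write bit (2) must be clear in the user, group and other digits
    w=$(( ( (bits / 100) % 10 | (bits / 10) % 10 | bits % 10 ) & 2 ))
    if [ "$w" -eq 0 ]; then echo "ok"; else echo "writable"; fi
}

# Print the value of pam_mysql option NAME on the 'auth' line of FILE,
# or "unset" when it is absent.
pam_option() {
    v=$(awk -v k="$2" '$1 == "auth" && $3 == "pam_mysql.so" {
            for (i = 4; i <= NF; i++) {
                split($i, kv, "="); if (kv[1] == k) print kv[2]
            } }' "$1")
    echo "${v:-unset}"
}

demo() {
    root=$(mktemp -d)
    # constructed copy of the page's PAM file, saved with the usual 644 umask result
    printf 'auth required pam_mysql.so user=vsftpd passwd=mageedu host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2\n' > "$root/vsftpd.mysql"
    chmod 644 "$root/vsftpd.mysql"
    mkdir "$root/ftproot"; chmod 555 "$root/ftproot"
    echo "pam file before: $(pam_file_mode "$root/vsftpd.mysql")"
    chmod 600 "$root/vsftpd.mysql"
    echo "pam file after:  $(pam_file_mode "$root/vsftpd.mysql")"
    echo "crypt option:    $(pam_option "$root/vsftpd.mysql" crypt)"
    echo "mapped home:     $(mapped_home_mode "$root/ftproot")"
    rm -rf "$root"
}
demo
```

On the real server, run the three functions against /etc/pam.d/vsftpd.mysql and /ftproot; "exposed" on the PAM file means the database password is readable by every local account.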

III. Other requirements

1. How do virtual users get permission to upload files?

(1) Make sure anonymous users have write permission in the vsftpd configuration

[root@ftp ~]# vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES    # must be enabled because virtual users are treated as anonymous users

(2) Ensure that vuser, the system user the virtual users are mapped to, has write access on the file system

[root@ftp ~]# chown vuser /ftproot/upload

(3) Testing

# Test virtual user tom

[root@ftp ~]# ftp 192.168.10.99
Connected to 192.168.10.99 (192.168.10.99).
220 (vsFTPd 3.0.2)
Name (192.168.10.99:root): tom        # enter the virtual user tom
331 Please specify the password.
Password:                             # enter the password of the virtual user tom
ftp> cd upload                        # switch to the upload directory
ftp> lcd /etc                         # switch the local shell to the /etc directory
ftp> put fstab                        # upload the file fstab
local: fstab remote: fstab
227 Entering Passive Mode ...
                                      # transfer completed
bytes sent in 0.000189 secs (2862.43 Kbytes/sec)
ftp> ls
-rw-------    1 1000     1000          541 Jun 09 15:08 fstab
226 Directory send OK.

# Test virtual user jerry

[root@ftp ~]# ftp 192.168.10.99
Connected to 192.168.10.99 (192.168.10.99).
220 (vsFTPd 3.0.2)
Name (192.168.10.99:root): jerry      # enter the virtual user jerry
331 Please specify the password.
Password:                             # enter the password of the virtual user jerry
ftp> cd upload                        # switch to the upload directory
ftp> lcd /etc                         # switch the local shell to the /etc directory
ftp> put issue                        # upload the file issue
local: issue remote: issue
227 Entering Passive Mode ...
                                      # transfer completed
23 bytes sent in 5.8e-05 secs (396.55 Kbytes/sec)
ftp> ls
227 Entering Passive Mode ...
150 Here comes the directory listing.
-rw-------    1 1000     1000          541 Jun 09 15:08 fstab
-rw-------    1 1000     1000           23 Jun 09 15:14 issue
226 Directory send OK.

The test was successful.

2. Virtual users tom and jerry are both mapped to the same system user vuser, yet they need different permissions. For example, how can tom be allowed to upload files while jerry is not?

1. Add a separate configuration file for each virtual user

# vsftpd lets each virtual user have its own configuration file; the file name must be identical to the user name

[root@ftp ~]# mkdir /etc/vsftpd/vusers.conf.d
[root@ftp ~]# cd /etc/vsftpd/vusers.conf.d/
[root@ftp vusers.conf.d]# vim tom
anon_upload_enable=YES    # allow tom to upload files
[root@ftp vusers.conf.d]# vim jerry
anon_upload_enable=NO     # do not allow jerry to upload files

2. Edit the main configuration file / etc/vsftpd/vsftpd.conf

(1) Disallow uploads by anonymous users in the main configuration

[root@ftp ~]# vim /etc/vsftpd/vsftpd.conf
#anon_upload_enable=YES    # comment out this line in the main configuration file

(2) Explicitly point vsftpd at the per-user configuration files in the vusers.conf.d directory

[root@ftp ~]# vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vusers.conf.d

3. Restart the vsftpd service

[root@ftp ~]# systemctl restart vsftpd.service

4. Test

# expected result: virtual user tom can upload files, while jerry cannot

# Test virtual user tom

[root@ftp ~]# ftp 192.168.10.99
Connected to 192.168.10.99 (192.168.10.99).
220 (vsFTPd 3.0.2)
Name (192.168.10.99:root): tom        # enter the virtual user tom
331 Please specify the password.
Password:                             # enter the password of the virtual user tom
ftp> cd upload
ftp> lcd /etc/
ftp> put grub2.cfg                    # upload the file grub2.cfg
local: grub2.cfg remote: grub2.cfg
227 Entering Passive Mode (192,168,10,99,220,164).
150 Ok to send data.
226 Transfer complete.                # transferred successfully
4209 bytes sent in 0.000162 secs (25981.48 Kbytes/sec)

# Test virtual user jerry

[root@ftp ~]# ftp 192.168.10.99
Connected to 192.168.10.99 (192.168.10.99).
220 (vsFTPd 3.0.2)
Name (192.168.10.99:root): jerry      # enter the virtual user jerry
331 Please specify the password.
Password:                             # enter the password of the virtual user jerry
ftp> cd upload
ftp> lcd /etc/
ftp> put motd                         # upload the file motd
local: motd remote: motd
227 Entering Passive Mode (192,168,10,99,188,33).
550 Permission denied.                # permission denied!

The test was successful.
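The rule the test above relies on is that the file named after the login in user_config_dir overrides the main vsftpd.conf, and that a commented-out line in the main file counts as unset (vsftpd's default for anon_upload_enable is NO). The script below is an added example, not part of the original article: it resolves the effective value for a user from a constructed copy of the step III.2 layout under mktemp, including a user who has no per-user file.

```shell
#!/bin/sh
# Added example (not from the page): compute the anon_upload_enable value
# vsftpd applies to a virtual user, following the rule from the page that
# the file named after the user in user_config_dir overrides the main
# /etc/vsftpd/vsftpd.conf. Paths are parameters so the demo below runs
# against a constructed layout under mktemp instead of the live server.

# Print the value of KEY in FILE (the last uncommented assignment wins).
# Prints nothing when the file is missing or the key is not set.
conf_get() {
    # $1 = config file, $2 = key
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# Print YES or NO: may USER upload? The per-user file is consulted first,
# then the main config, then vsftpd's built-in default of NO.
effective_upload() {
    # $1 = main config, $2 = user name
    dir=$(conf_get "$1" user_config_dir)
    v=""
    [ -n "$dir" ] && v=$(conf_get "$dir/$2" anon_upload_enable)
    [ -n "$v" ] || v=$(conf_get "$1" anon_upload_enable)
    echo "${v:-NO}"
}

demo() {
    root=$(mktemp -d); main="$root/vsftpd.conf"
    mkdir -p "$root/vusers.conf.d"
    # constructed main config as left by step III.2: upload commented out
    printf '#anon_upload_enable=YES\nguest_enable=YES\nguest_username=vuser\nuser_config_dir=%s\n' \
        "$root/vusers.conf.d" > "$main"
    echo 'anon_upload_enable=YES' > "$root/vusers.conf.d/tom"
    echo 'anon_upload_enable=NO'  > "$root/vusers.conf.d/jerry"
    # alice has no per-user file, so she falls back to the main config
    for u in tom jerry alice; do
        echo "$u: anon_upload_enable=$(effective_upload "$main" "$u")"
    done
    rm -rf "$root"
}
demo
```

A user with no per-user file silently inherits the main-file setting, so after uncommenting anon_upload_enable=YES there, every virtual user without an explicit NO can upload.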
