Shulou (Shulou.com), 05/31 report. Updated 2025-04-02.
This article shows how to configure VSFTPD virtual users stored in MySQL.
VSFTPD is a very secure and fast FTP server for UNIX/Linux that has been adopted by many large sites. VSFTPD supports storing usernames and passwords in a database file or on a database server, and calls such users virtual users. Unlike local (system) FTP users, virtual users exist only for the FTP server and can access only the resources the FTP server provides, which greatly improves the security of the system itself. Unlike anonymous users, virtual users need a username and password to access files on the FTP server, which makes users and downloads easier to manage. For FTP sites that must offer downloads but do not want everyone downloading anonymously, and that need to manage download users while keeping the host secure and convenient to run, virtual users are an excellent solution. This article describes how to store VSFTPD virtual usernames and passwords in a MySQL database server on RedHat Linux 9.
1. Installation of VSFTPD
Currently, the latest version of VSFTPD is version 1.2.0. The official download address is ftp://vsftpd.beasts.org/users/cevans/vsftpd-1.2.0.tar.gz. The following preparations need to be done before installation:
The default VSFTPD configuration requires the "nobody" user. Add this user to the system; if the user already exists, useradd says so.
[root@hpe45 root]# useradd nobody
useradd: user nobody exists
The default VSFTPD configuration requires the "/usr/share/empty" directory. If this directory already exists on the system, mkdir says so.
[root@hpe45 root]# mkdir /usr/share/empty/
mkdir: cannot create directory '/usr/share/empty': File exists
When VSFTPD provides anonymous FTP service, it needs an "ftp" user and a valid anonymous directory.
[root@hpe45 root]# mkdir /var/ftp/
[root@hpe45 root]# useradd -d /var/ftp ftp
The following commands are useful whether or not the ftp user already exists.
[root@hpe45 root]# chown root.root /var/ftp
[root@hpe45 root]# chmod og-w /var/ftp
After the above preparations are complete, we can start compiling the source code. Assuming the vsftpd-1.2.0.tar.gz we downloaded is in the /root directory, execute the following commands:
[root@hpe45 root]# tar zxvf vsftpd-1.2.0.tar.gz
[root@hpe45 root]# cd vsftpd-1.2.0
[root@hpe45 vsftpd-1.2.0]# make
[root@hpe45 vsftpd-1.2.0]# make install
The "make install" command above copies the compiled binaries, manuals, and so on to the appropriate directories. On RHL9, you may need to make the following copies manually:
[root@hpe45 vsftpd-1.2.0]# cp vsftpd /usr/local/sbin/vsftpd
[root@hpe45 vsftpd-1.2.0]# cp vsftpd.conf.5 /usr/local/share/man/man5
[root@hpe45 vsftpd-1.2.0]# cp vsftpd.8 /usr/local/share/man/man8
Next, we copy a simple configuration file as the basis for later modification.
[root@hpe45 vsftpd-1.2.0]# cp vsftpd.conf /etc
Copy the PAM authentication file to allow local users to log in to VSFTPD.
[root@hpe45 vsftpd-1.2.0]# cp RedHat/vsftpd.pam /etc/pam.d/ftp
2. Create the guest user
VSFTPD uses PAM to authenticate virtual users. Because the usernames and passwords of virtual users are stored separately, VSFTPD needs to read the database file or database server as a system user to complete the authentication; this system user is the guest user of VSFTPD. It is the same as anonymous users needing the system user ftp. We can also think of the guest user as the representative of the virtual users in the system. Add the vsftpdguest user to the system as the guest of VSFTPD.
[root@hpe45 vsftpd-1.2.0]# useradd vsftpdguest
When a virtual user logs in, the starting location is vsftpdguest's home directory, /home/vsftpdguest. If you want virtual users to land in another directory, such as /var/ftp, change vsftpdguest's home directory.
3. Set up the VSFTPD configuration file
In the /etc/vsftpd.conf file, add the following options:
guest_enable=YES
guest_username=vsftpdguest
Then execute the following command to run VSFTPD in the background:
[root@hpe45 vsftpd-1.2.0]# /usr/local/sbin/vsftpd &
4. Save the virtual users in the MySQL database server
We create the database vsftpdvu with a table users whose fields name and passwd hold the username and password of each virtual user, and add two virtual users, xiaotong and xiaowang.
[root@hpe45 vsftpd-1.2.0]# mysql -p
mysql> create database vsftpdvu;
mysql> use vsftpdvu;
mysql> create table users (name char(16) binary, passwd char(16) binary);
mysql> insert into users (name,passwd) values ('xiaotong',password('qqmywife'));
mysql> insert into users (name,passwd) values ('xiaowang',password('ttmywife'));
mysql> quit
Next, authorize vsftpdguest to read the users table of the vsftpdvu database. Execute the following commands:
[root@hpe45 vsftpd-1.2.0]# mysql -u root mysql -p
mysql> grant select on vsftpdvu.users to vsftpdguest@localhost identified by 'i52serial0';
mysql> quit
To verify that the operation was successful, execute the following commands:
[root@hpe45 vsftpd]# mysql -u vsftpdguest -pi52serial0 vsftpdvu
mysql> select * from users;
If successful, xiaotong, xiaowang, and their encrypted passwords are listed.
5. Set PAM verification for MySQL
Here we use pam-mysql, an open source project (http://sourceforge.net/projects/pam-mysql/) that performs PAM authentication against MySQL. First download its package pam_mysql-0.5.tar.gz from the website and copy it to the /root directory. Before compiling and installing, make sure that the mysql-devel RPM package is installed on your machine. If not, install the package from the RHL installation CD. Then execute the following commands:
[root@hpe45 root]# tar xvzf pam_mysql-0.5.tar.gz
[root@hpe45 root]# cd pam_mysql
[root@hpe45 pam_mysql]# make
[root@hpe45 pam_mysql]# make install
The make install step may fail with an error; in that case, manually copy the pam_mysql.o generated in this directory to the /lib/security directory.
Next, we set up the PAM authentication file for vsftpd. Open the /etc/pam.d/ftp file and add the following:
auth required pam_mysql.o user=vsftpdguest passwd=i52serial0 host=localhost db=vsftpdvu table=users usercolumn=name passwdcolumn=passwd crypt=2
account required pam_mysql.o user=vsftpdguest passwd=i52serial0 host=localhost db=vsftpdvu table=users usercolumn=name passwdcolumn=passwd crypt=2
The parameters above correspond directly to the database settings made earlier. The one that needs explanation is crypt, which specifies how the password in the password column is stored: crypt=0, the password is stored in the database in clear text (not encrypted); crypt=1, the password is encrypted using the DES encryption method of the UNIX system and saved in the database; crypt=2, the password is encrypted and saved by the password() function of MySQL.
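The PAM lines above carry both the crypt setting and the database password, so the file is worth checking after editing. The following is an added example, not code from the article or from pam_mysql; the function names and the sample file are constructed, and the world-readable check reflects that /etc/pam.d files are commonly created readable by all local users.

```shell
#!/bin/sh
# Added example, not part of pam_mysql: review the pam_mysql lines of a
# PAM service file. The sample file in demo_pam() is constructed.

# Print each distinct value of KEY= found on non-comment pam_mysql lines.
pam_mysql_values() {  # pam_mysql_values FILE KEY
    grep -v '^[[:space:]]*#' "$1" | grep 'pam_mysql' |
        tr ' \t' '\n\n' | sed -n "s/^$2=//p" | sort -u
}

audit_pam_mysql() {  # audit_pam_mysql FILE
    # crypt=0 means the passwd column holds clear-text passwords.
    for c in $(pam_mysql_values "$1" crypt); do
        [ "$c" = 0 ] && echo "CLEARTEXT_PASSWORD_COLUMN"
    done
    # passwd= is the database password in clear text, so the file itself
    # must not be readable by other local users.
    if [ -n "$(pam_mysql_values "$1" passwd)" ]; then
        case $(ls -ld "$1") in
            ???????r*) echo "DB_PASSWORD_WORLD_READABLE" ;;
        esac
    fi
    return 0
}

demo_pam() {  # constructed weak variant of the page's lines: crypt=0, mode 644
    d=$(mktemp -d); f=$d/ftp
    args='user=vsftpdguest passwd=i52serial0 host=localhost db=vsftpdvu'
    args="$args table=users usercolumn=name passwdcolumn=passwd crypt=0"
    printf '%s\n' "auth required pam_mysql.o $args" \
                  "account required pam_mysql.o $args" > "$f"
    chmod 644 "$f"
    audit_pam_mysql "$f"
    rm -rf "$d"
}
demo_pam
```

With crypt=2 and the file set to mode 600 (owner root), the audit prints nothing.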
6. Further virtual user settings
After the above steps, virtual users can log in and work normally. This section describes further virtual user settings, starting with virtual user permissions.
VSFTPD-1.2.0 adds the virtual_use_local_privs parameter, which, when activated (YES), gives virtual users the same permissions as local users. When this parameter is off (NO), virtual users have the same permissions as anonymous users, which is how versions before VSFTPD-1.2.0 handled virtual user rights. Of the two approaches, the latter is stricter, especially where write access is concerned. This parameter is off by default (NO).
With virtual_use_local_privs=YES, setting write_enable=YES is enough to give virtual users write permission. With virtual_use_local_privs=NO, virtual user permissions are configured in more detail and more strictly, as follows.
Controlling directory browsing by virtual users: if users should not be able to browse the directory but should still be able to operate on files, two steps are needed. First, set anon_world_readable_only=YES in the configuration file. Second, set the permissions on the virtual user directory so that only vsftpdguest can operate on it:
[root@hpe45 root]# chown vsftpdguest.vsftpdguest /home/vsftpdguest
[root@hpe45 root]# chmod 700 /home/vsftpdguest
Allow virtual users to upload files:
write_enable=YES
anon_upload_enable=YES
Allow virtual users to rename and delete files:
anon_other_write_enable=YES
The options above also take effect for anonymous users. If you do not want anonymous users to have the same permissions, it is best to disable anonymous logins.
Second, because the virtual user is vsftpdguest at the system level, it can access other directories on the system. To be more secure, we can confine virtual users to their own directory. There are two approaches. First, add the following options to the configuration file:
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Then add the virtual usernames xiaotong and xiaowang to the /etc/vsftpd.chroot_list file.
Second, set chroot_local_user=YES in the configuration file.
After this change, the root directory of a virtual user is restricted to /home/vsftpdguest after login, and other directories cannot be accessed.
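The two points above (anon_* write options also applying to anonymous logins, and confining virtual users with one of the two chroot approaches) can be checked mechanically. The following is an added example, not code from the article or from vsftpd; the function names, finding labels and sample files are constructed. It uses vsftpd's anonymous_enable option (default YES) and assumes the last assignment of an option is the one in effect.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the two exposures described above.
# Absent options fall back to vsftpd's documented defaults.

# Effective value of OPTION in FILE, else DEFAULT
# (assumes the last assignment is the one in effect).
conf_get() {  # conf_get FILE OPTION DEFAULT
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}
is_on() { [ "$(conf_get "$1" "$2" "$3" | tr 'a-z' 'A-Z')" = "YES" ]; }

audit_vsftpd() {  # audit_vsftpd CONF [VIRTUAL_USER...]
    conf=$1; shift
    # 1. anon_* write options apply to anonymous logins as well as guests.
    if is_on "$conf" anonymous_enable YES; then
        for opt in anon_upload_enable anon_other_write_enable; do
            is_on "$conf" "$opt" NO && echo "ANON_WRITE $opt"
        done
    fi
    # 2. Confinement of virtual users to the guest home directory.
    if is_on "$conf" chroot_local_user NO; then
        # Everyone is chrooted; an enabled list would now name EXCEPTIONS.
        is_on "$conf" chroot_list_enable NO && echo "CHROOT_LIST_IS_EXCEPTIONS"
    elif is_on "$conf" chroot_list_enable NO; then
        list=$(conf_get "$conf" chroot_list_file /etc/vsftpd.chroot_list)
        for u in "$@"; do
            grep -qxF "$u" "$list" 2>/dev/null || echo "NOT_CHROOTED $u"
        done
    else
        echo "NO_CHROOT"
    fi
    return 0
}

demo() {  # constructed sample: the page's options, anonymous login left on
    d=$(mktemp -d)
    printf '%s\n' xiaotong > "$d/chroot_list"
    printf '%s\n' guest_enable=YES guest_username=vsftpdguest \
        write_enable=YES anon_upload_enable=YES anon_other_write_enable=YES \
        chroot_local_user=NO chroot_list_enable=YES \
        "chroot_list_file=$d/chroot_list" > "$d/vsftpd.conf"
    audit_vsftpd "$d/vsftpd.conf" xiaotong xiaowang
    rm -rf "$d"
}
demo
```

The CHROOT_LIST_IS_EXCEPTIONS finding covers the case where both approaches are applied at once: with chroot_local_user=YES, vsftpd treats the chroot list as the users who are not confined.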
7. Personal directories for virtual users
You will notice that whichever virtual user logs in, the directory is /home/vsftpdguest, that is, the home directory of the guest_username user. The following shows how to set up a separate directory for each virtual user. First, add the following option to the main configuration file:
user_config_dir=/etc/vsftpd/vsftpd_user_conf
Then create the /etc/vsftpd/vsftpd_user_conf directory and, in that directory, create a file with the same name as each virtual user:
[root@hpe45 root]# mkdir /etc/vsftpd/vsftpd_user_conf
[root@hpe45 root]# cd /etc/vsftpd/vsftpd_user_conf