CentOS6配置Vsftpd基于MySQL虚拟用户验证登录

一、服务端配置

1、环境准备

[root@server ~]# cat /etc/redhat-release 
CentOS release 6.7 (Final)
[root@server ~]# uname -r
2.6.32-573.el6.x86_64
[root@server ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo  #pam_mysql需要配置epel源
[root@server ~]# curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
[root@server ~]# /etc/init.d/iptables stop
[root@server ~]# getenforce
Disabled

2、服务端安装mysql，vsftpd及pam_mysql

[root@server ~]# yum install mysql-server vsftpd pam_mysql -y

3、创建用于vsftpd的数据库，创建相关表及用户

[root@server ~]# /etc/init.d/mysqld start
[root@server ~]# mysql
mysql> create database vsftpd;
mysql> use vsftpd
mysql> create table users(id int AUTO_INCREMENT NOT NULL,   #创建users表
    -> name char(20) binary NOT NULL,
    -> password char(48) binary NOT NULL, 
    -> primary key(id));
mysql> insert into users (name,password) values ('tom',password('tom'));   #创建连接ftp的用户
mysql> insert into users (name,password) values ('test',password('test'));
mysql> grant all on vsftpd.* to vsftpd@'%' identified by '123456';    #授权
mysql> flush privileges;
mysql> q
Bye

4、查看pam模块并创建认证文件

[root@server ~]# rpm -ql pam_mysql
/lib64/security/pam_mysql.so   #pam模块生成认证时需要的共享库
/usr/share/doc/pam_mysql-0.7
/usr/share/doc/pam_mysql-0.7/COPYING
/usr/share/doc/pam_mysql-0.7/CREDITS
/usr/share/doc/pam_mysql-0.7/ChangeLog
/usr/share/doc/pam_mysql-0.7/NEWS
/usr/share/doc/pam_mysql-0.7/README

#创建认证文件
[root@server ~]# vim /etc/pam.d/vsftpd.mysql
auth required /lib64/security/pam_mysql.so user=vsftpd passwd=123456 host=10.0.0.23 db=vsftpd  table=users usercolu
mn=name passwdcolumn=password crypt=2
account required /lib64/security/pam_mysql.so user=vsftpd passwd=123456 host=10.0.0.23 db=vsftpd table=users userco
lumn=name passwdcolumn=password crypt=2
--------------------------------------------------------------------------------
#认证文件字段解释
auth 	#表示认证
account #验证账号密码正常使用
required #表示认证要通过
/lib64/security/pam_mysql.so	#认证模块
user=vsftpd		#登录mysql的用户
passwd=123456 	#登录mysql的的密码
host=10.0.0.22 	#在mysql中定义的允许连接的主机名或ip地址
db=vsftpd 		#连接msyql的哪一个库
table=users 	#连接库里的哪一个表
usercolumn=name #当做用户名的字段
passwdcolumn=password #当做用户名字段的密码
crypt=2 #密码的加密方式为mysql password()函数加密
---------------------------------------------------------------------------------

5、创建虚拟用户的映射用户

[root@server ~]# mkdir /var/ftproot -p
[root@server ~]# useradd -s /sbin/nologin -d /var/ftproot/ vuser
[root@server ~]# chmod go+rx /var/ftproot/
[root@server ~]# chown -R vuser:vuser /var/ftproot/
[root@server ~]# ll /var/ftproot/ -d
drwxr-xr-x 2 vuser vuser 4096 Aug 29 04:03 /var/ftproot/  #特别注意权限，否则报错响应:550 Create directory operation failed.

6、编辑vsftpd主配置文件，并为单个用户提供配置文件

[root@server ~]# vim /etc/vsftpd/vsftpd.conf
[root@server ~]# cat /etc/vsftpd/vsftpd.conf|egrep -v '^#|^$'
anonymous_enable=NO   #匿名用户不允许访问
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd.mysql   #修改pam_service_name
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES      #允许guest访问
guest_username=vuser  #guest用户名
user_config_dir=/etc/vsftpd/vuser_config   #用户配置文件路径

#创建用户配置文件路径及文件
[root@server ~]# mkdir /etc/vsftpd/vuser_config
[root@server ~]# cd /etc/vsftpd/vuser_config
[root@server vuser_config]# vim tom   
anon_upload_enable=YES        #允许用户上传文件
anon_mkdir_write_enable=YES   #允许创建目录
anon_other_write_enable=YES   #允许其他写权限
[root@server vuser_config]# vim test 
anon_upload_enable=YES        #允许用户上传文件
anon_mkdir_write_enable=NO    #允许创建目录
anon_other_write_enable=NO    #允许其他写权限

7、重启vsftpd服务并验证权限

登录tom用户验证
[root@client ~]# ftp 10.0.0.23
Connected to 10.0.0.23 (10.0.0.23).
220 (vsFTPd 2.2.2)
Name (10.0.0.23:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,0,0,23,75,169).
150 Here comes the directory listing.
226 Directory send OK.
ftp> lcd /etc
Local directory now /etc
ftp> put issue   #可以上传文件
local: issue remote: issue
227 Entering Passive Mode (10,0,0,23,71,103).
150 Ok to send data.
226 Transfer complete.
47 bytes sent in 3.3e-05 secs (1424.24 Kbytes/sec)
ftp> mkdir 111   #可以创建目录
257 "/111" created
ftp> mkdir 123
257 "/123" created
ftp> delete issue   #可以删除文件
250 Delete operation successful.
ftp> 

登录test用户验证
[root@client ~]# ftp 10.0.0.23
Connected to 10.0.0.23 (10.0.0.23).
220 (vsFTPd 2.2.2)
Name (10.0.0.23:root): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,0,0,23,209,129).
150 Here comes the directory listing.
drwx------    2 500      500          4096 Aug 28 21:31 111
drwx------    2 500      500          4096 Aug 28 21:32 123
226 Directory send OK.
ftp> mkdir 444    #不能创建目录
550 Permission denied.
ftp> lcd /etc
Local directory now /etc
ftp> put services    #可以上传文件
local: services remote: services
227 Entering Passive Mode (10,0,0,23,190,148).
150 Ok to send data.
226 Transfer complete.
641020 bytes sent in 0.00434 secs (147632.43 Kbytes/sec)
ftp> delete services   #不能删除文件
550 Permission denied.
ftp>

8、使用filezilla登录ftp