  • Linux基础入门之vsFTP+MySQL/MariaDB认证实现虚拟用户配置详解

    https://www.dwhd.org/20150603_144841.html

    摘要

    VSFTP可以使用系统账户或者匿名账户登录,但是出于安全的考虑,通常建议使用vsftp虚拟账户来登录ftp服务器,虚拟用户是指使用独立的文件保存vsftp用户帐号,虚拟账户只能登录ftp服务器。

     

    一、配置基于MySQL认证的vsftpd

    1、安装vsftpd、启动vsftpd、配置vsftpd开机启动

    [root@Legion100 ~]# yum install vsftpd pam_mysql -y
    [root@Legion100 ~]# service vsftpd start
    为 vsftpd 启动 vsftpd:                                    [确定]
    [root@Legion100 ~]# netstat -tnlp | grep 21
    tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      7574/vsftpd
    [root@Legion100 ~]# chkconfig vsftpd on
    [root@Legion100 ~]# chkconfig --list vsftpd
    vsftpd          0:关闭  1:关闭  2:启用  3:启用  4:启用  5:启用  6:关闭
    [root@Legion100 ~]#

    2、安装MySQL/MariaDB

    1)、编译安装MariaDB、设置开机启动

    [root@Legion100 ~]# cd /tmp/
    [root@Legion100 /tmp]# groupadd -g 1500 mysql && useradd -g mysql -u 1500 -s /sbin/nologin -M mysql
    [root@Legion100 /tmp]# yum install cmake -y
    [root@Legion100 /tmp]# wget "https://downloads.mariadb.org/interstitial/mariadb-10.0.19/source/mariadb-10.0.19.tar.gz/from/http%3A//mirrors.opencas.cn/mariadb" -O mariadb-10.0.19.tar.gz
    [root@Legion100 /tmp]# tar xf mariadb-10.0.19.tar.gz
    [root@Legion100 /tmp]# cd mariadb-10.0.19
    [root@Legion100 /tmp/mariadb-10.0.19]# cmake . -DCMAKE_INSTALL_PREFIX=/usr/local/mysql
    -DMYSQL_DATADIR=/data/mysql
    -DWITH_SSL=system
    -DWITH_INNOBASE_STORAGE_ENGINE=1
    -DWITH_ARCHIVE_STORAGE_ENGINE=1
    -DWITH_BLACKHOLE_STORAGE_ENGINE=1
    -DWITH_SPHINX_STORAGE_ENGINE=1
    -DWITH_ARIA_STORAGE_ENGINE=1
    -DWITH_XTRADB_STORAGE_ENGINE=1
    -DWITH_PARTITION_STORAGE_ENGINE=1
    -DWITH_FEDERATEDX_STORAGE_ENGINE=1
    -DWITH_MYISAM_STORAGE_ENGINE=1
    -DWITH_PERFSCHEMA_STORAGE_ENGINE=1
    -DWITH_EXTRA_CHARSETS=all
    -DWITH_EMBEDDED_SERVER=1
    -DWITH_READLINE=1
    -DWITH_ZLIB=system
    -DWITH_LIBWRAP=0
    -DEXTRA_CHARSETS=all
    -DENABLED_LOCAL_INFILE=1
    -DMYSQL_UNIX_ADDR=/tmp/mysql.sock
    -DDEFAULT_CHARSET=utf8
    -DDEFAULT_COLLATION=utf8_general_ci
    [root@Legion100 /tmp/mariadb-10.0.19]# make -j $(awk '/processor/{i++}END{print i}' /proc/cpuinfo) && make install  && echo $?
    [root@Legion100 /tmp/mariadb-10.0.19]# cd /usr/local/mysql/
    [root@Legion100 /usr/local/mysql]# echo "export PATH=/usr/local/mysql/bin:$PATH" > /etc/profile.d/mariadb10.0.19.sh
    [root@Legion100 /usr/local/mysql]# . /etc/profile.d/mariadb10.0.19.sh
    [root@Legion100 /usr/local/mysql]# sed -i "$(awk '$1=="MANPATH"{a=NR}END{print a}' /etc/man.config)a MANPATH /usr/local/mysql/man" /etc/man.config
    [root@Legion100 /usr/local/mysql]# cp -a support-files/mysql.server /etc/rc.d/init.d/mysqld
    [root@Legion100 /usr/local/mysql]# cp support-files/my-large.cnf /etc/my.cnf
    [root@Legion100 /usr/local/mysql]# sed -i '/query_cache_size/a datadir = /data/mysql' /etc/my.cnf
    [root@Legion100 /usr/local/mysql]# mkdir -p /data/mysql
    [root@Legion100 /usr/local/mysql]# chown -R mysql.mysql /data/mysql
    [root@Legion100 /usr/local/mysql]# /usr/local/mysql/scripts/mysql_install_db --user=mysql --datadir=/data/mysql/ --basedir=/usr/local/mysql
    [root@Legion100 /usr/local/mysql]# chkconfig mysqld on
    [root@Legion100 /usr/local/mysql]# chkconfig --list mysqld
    mysqld          0:关闭  1:关闭  2:启用  3:启用  4:启用  5:启用  6:关闭
    [root@Legion100 /usr/local/mysql]# service mysqld start
    Starting MySQL.                                            [确定]
    [root@Legion100 /usr/local/mysql]# ss -tnlp | grep 3306
    LISTEN     0      150                      :::3306                    :::*      users:(("mysqld",33450,21))
    [root@Legion100 /usr/local/mysql]#

    2)、做vsftpd用户认证的授权

    [root@Legion100 ~]# mysql   #登录数据库
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 4
    Server version: 10.0.19-MariaDB-log Source distribution
     
    Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.
     
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
     
    MariaDB [(none)]> USE mysql; #进入mysql库
    Database changed
    MariaDB [mysql]> UPDATE user set password=PASSWORD('lookback') WHERE USER='root'; #给所有的root帐户设置密码为lookback
    Query OK, 4 rows affected (0.01 sec)
    Rows matched: 4  Changed: 4  Warnings: 0
     
    MariaDB [mysql]> DELETE FROM user WHERE User='';   #删除MariaDB所有的匿名帐号
    Query OK, 2 rows affected (0.00 sec)
     
    MariaDB [mysql]> create database vsftpd;   #新建vsftpd库
    Query OK, 1 row affected (0.01 sec)
     
    MariaDB [mysql]> grant select on vsftpd.* to vsftpd@localhost identified by 'lookback'; #新建一个vsftpd的用户密码是lookback权限是查询select,本地访问
    Query OK, 0 rows affected (0.00 sec)
     
    MariaDB [mysql]> grant select on vsftpd.* to vsftpd@127.0.0.1 identified by 'lookback'; #新建一个vsftpd的用户密码是lookback权限是select,本地访问
    Query OK, 0 rows affected (0.00 sec)
     
    MariaDB [mysql]> grant select on vsftpd.* to vsftpd@'172.16.%.%' identified by 'lookback'; #新建一个vsftpd的用户密码是lookback权限是select,可以在172.16.0.0/16网段内访问(主机通配符172.16.%.%匹配的是172.16.0.0/16,而不是/8)
    Query OK, 0 rows affected (0.00 sec)
     
    MariaDB [mysql]> SELECT USER,PASSWORD,HOST FROM user; #查看下MariaDB上的用户用户名和host
    +--------+-------------------------------------------+--------------------+
    | USER   | PASSWORD                                  | HOST               |
    +--------+-------------------------------------------+--------------------+
    | root   | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C | localhost          |
    | root   | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C | legion100.dwhd.org |
    | root   | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C | 127.0.0.1          |
    | root   | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C | ::1                |
    | vsftpd | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C | localhost          |
    | vsftpd | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C | 127.0.0.1          |
    | vsftpd | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C | 172.16.%.%         |
    +--------+-------------------------------------------+--------------------+
    7 rows in set (0.00 sec)
     
    MariaDB [mysql]> use vsftpd;  #进入vsftpd库
    Database changed
    MariaDB [vsftpd]> create table users (
        -> id int AUTO_INCREMENT NOT NULL,
        -> name char(20) binary NOT NULL,
        -> password char(48) binary NOT NULL,
        -> primary key(id)
        -> );    #新建一个名为users的表,表中有id、name、password字段,id是自动增长,name是20个字符长度二进制存放区分大小写,password最大48字符二进制存放区分大小写。
    Query OK, 0 rows affected (0.12 sec)
     
    MariaDB [vsftpd]> insert into users(name,password) values('Legion',password('lookback')); #在users表中新建个Legion的用户密码是lookback
    Query OK, 1 row affected (0.00 sec)
     
    MariaDB [vsftpd]> insert into users(name,password) values('LookBack',password('lookback')); #在users表中新建个LookBack的用户密码是lookback
    Query OK, 1 row affected (0.01 sec)
     
    MariaDB [vsftpd]> SELECT id,name,password FROM users; #查看下users表
    +----+----------+-------------------------------------------+
    | id | name     | password                                  |
    +----+----------+-------------------------------------------+
    |  1 | Legion   | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C |
    |  2 | LookBack | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C |
    +----+----------+-------------------------------------------+
    2 rows in set (0.00 sec)
     
    MariaDB [vsftpd]> FLUSH PRIVILEGES; #刷新生效上面的配置
    Query OK, 0 rows affected (0.00 sec)
     
    MariaDB [vsftpd]> \q
    Bye
    [root@Legion100 ~]#

    3)、测试MariaDB的连接

    [root@Legion100 ~]# mysql -uvsftpd -plookback -h172.16.6.100 -P3306
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 10
    Server version: 10.0.19-MariaDB-log Source distribution
     
    Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.
     
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
     
    MariaDB [(none)]> SHOW DATABASES;
    +--------------------+
    | Database           |
    +--------------------+
    | information_schema |
    | test               |
    | vsftpd             |
    +--------------------+
    3 rows in set (0.00 sec)
     
    MariaDB [(none)]> USE vsftpd
    Database changed
    MariaDB [vsftpd]> SHOW tables;
    +------------------+
    | Tables_in_vsftpd |
    +------------------+
    | users            |
    +------------------+
    1 row in set (0.00 sec)
     
    MariaDB [vsftpd]> SELECT id,name,password FROM users;
    +----+----------+-------------------------------------------+
    | id | name     | password                                  |
    +----+----------+-------------------------------------------+
    |  1 | Legion   | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C |
    |  2 | LookBack | *153CCFAEAA83407D8DBDBFAA3D17B1A95553E60C |
    +----+----------+-------------------------------------------+
    2 rows in set (0.00 sec)
     
    MariaDB [vsftpd]> \q
    Bye
    [root@Legion100 ~]#

    3、配置vsFTPD

    1)、建立pam认证所需的文件
    新建一个/etc/pam.d/vsftpd.mariadb文件。注意:下面写入该文件的内容包含数据库用户的明文密码,创建后应限制文件权限(例如 chmod 600),避免系统上的普通用户读取。

    [root@Legion100 ~]# touch /etc/pam.d/vsftpd.mariadb

    2)、64位系统写入下面的内容

    auth required /lib64/security/pam_mysql.so user=vsftpd passwd=lookback host=172.16.6.100 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
    account required /lib64/security/pam_mysql.so user=vsftpd passwd=lookback host=172.16.6.100 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

    32位系统写入下面的内容

    auth required /lib/security/pam_mysql.so user=vsftpd passwd=lookback host=172.16.6.100 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
    account required /lib/security/pam_mysql.so user=vsftpd passwd=lookback host=172.16.6.100 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

    32位和64位通用写法

    auth required pam_mysql.so user=vsftpd passwd=lookback host=172.16.6.100 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
    account required pam_mysql.so user=vsftpd passwd=lookback host=172.16.6.100 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

    3)、修改vsftpd配置文件

    [root@Legion100 ~]# cd /etc/vsftpd/
    [root@Legion100 /etc/vsftpd]# cp vsftpd.conf vsftpd.conf_`date +%F`
    [root@Legion100 /etc/vsftpd]# ls
    ftpusers user_list vsftpd.conf vsftpd.conf_2015-06-03 vsftpd_conf_migrate.sh
    [root@Legion100 /etc/vsftpd]# groupadd -g 1501 vftpuser && useradd -g vftpuser -u 1501 -s /sbin/nologin -d /home/vftpuser vftpuser
    [root@Legion100 /etc/vsftpd]# id vftpuser
    uid=1501(vftpuser) gid=1501(vftpuser) 组=1501(vftpuser)
    [root@Legion100 /etc/vsftpd]# finger vftpuser
    Login: vftpuser                         Name:
    Directory: /home/vftpuser               Shell: /sbin/nologin
    Never logged in.
    No mail.
    No Plan.
    [root@Legion100 /etc/vsftpd]# mkdir -p /home/vftpuser
    [root@Legion100 /etc/vsftpd]# chown -R vftpuser.vftpuser /home/vftpuser
    [root@Legion100 /etc/vsftpd]# chmod go+rx /home/vftpuser
    [root@Legion100 /etc/vsftpd]# ls -ld /home/vftpuser/
    drwxr-xr-x 4 vftpuser vftpuser 4096 6月   3 16:14 /home/vftpuser/
    [root@Legion100 /etc/vsftpd]# grep -Ev '(^#\s.*|^#|^$)' vsftpd.conf
    anonymous_enable=YES
    local_enable=YES
    write_enable=YES
    local_umask=022
    anon_upload_enable=NO
    anon_mkdir_write_enable=NO
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    chroot_local_user=YES
    listen=YES
    pam_service_name=vsftpd.mariadb
    #这里直接把pam的认证文件换成了vsftpd.mariadb后系统用户就不能登录ftp了
    userlist_enable=YES
    tcp_wrappers=YES
    guest_enable=YES
    guest_username=vftpuser

    reload下vsftpd使刚才上面的配置文件修改生效

    [root@Legion100 /etc/vsftpd]# service vsftpd reload
    关闭 vsftpd:                                              [确定]
    为 vsftpd 启动 vsftpd:                                    [确定]
    [root@Legion100 /etc/vsftpd]#

    4、测试登录

    1)、Linux下

    [root@Legion101 ~]# ifconfig | sed -rn '/^[^ ]/{N;s/(^[^ ]*).*addr:([^ ]*).*/\1 \2/p}' |
    > awk '$2!~/^192.168|^10.|^127|^0|^$/{print $1"="$2}'
    eth0=172.16.6.101
    [root@Legion101 ~]# ftp 172.16.6.100
    Connected to 172.16.6.100 (172.16.6.100).
    220 (vsFTPd 2.2.2)
    Name (172.16.6.100:root): Legion
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> bye
    221 Goodbye.
    [root@Legion101 ~]# ftp 172.16.6.100
    Connected to 172.16.6.100 (172.16.6.100).
    220 (vsFTPd 2.2.2)
    Name (172.16.6.100:root): LookBack
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> bye
    221 Goodbye.
    [root@Legion101 ~]#

    Linux基础入门之vsFTP+MySQL/MariaDB认证实现虚拟用户配置详解

    2)、Windows下

    Microsoft Windows [版本 6.3.9600]
    (c) 2013 Microsoft Corporation。保留所有权利。
     
    C:\Users\Administrator>ftp 172.16.6.100
    连接到 172.16.6.100。
    220 (vsFTPd 2.2.2)
    用户(172.16.6.100:(none)): Legion
    331 Please specify the password.
    密码:
    230 Login successful.
    ftp> pwd
    257 "/"
    ftp> bye
    221 Goodbye.
     
    C:\Users\Administrator>ftp 172.16.6.100
    连接到 172.16.6.100。
    220 (vsFTPd 2.2.2)
    用户(172.16.6.100:(none)): LookBack
    331 Please specify the password.
    密码:
    230 Login successful.
    ftp> pwd
    257 "/"
    ftp> bye
    221 Goodbye.
     
    C:\Users\Administrator>

    Linux基础入门之vsFTP+MySQL/MariaDB认证实现虚拟用户配置详解

    3)、客户端
    Linux基础入门之vsFTP+MySQL/MariaDB认证实现虚拟用户配置详解
    Linux基础入门之vsFTP+MySQL/MariaDB认证实现虚拟用户配置详解

    5、配置基于单个虚拟用户的权限
    从上面可以看出我们创建的两个虚拟用户只能登录,但是不能上传文件。下面将说说具体的虚拟用户权限配置。

    [root@Legion100 /etc/vsftpd]# echo "user_config_dir=/etc/vsftpd/vftpusers" >> /etc/vsftpd/vsftpd.conf
    [root@Legion100 /etc/vsftpd]# mkdir -p /etc/vsftpd/vftpusers
    [root@Legion100 /etc/vsftpd]# cd /etc/vsftpd/vftpusers
    [root@Legion100 /etc/vsftpd/vftpusers]# touch /etc/vsftpd/vftpusers/{Legion,LookBack}
    [root@Legion100 /etc/vsftpd/vftpusers]# cat > /etc/vsftpd/vftpusers/Legion <<EOF
    anon_upload_enable=YES
    #允许Legion用户可以上传文件
    anon_mkdir_write_enable=YES
    #允许Legion用户创建目录
    anon_other_write_enable=YES
    #允许Legion可以删除文件
    EOF
    [root@Legion100 /etc/vsftpd/vftpusers]# cat /etc/vsftpd/vftpusers/Legion > /etc/vsftpd/vftpusers/LookBack
    [root@Legion100 /etc/vsftpd/vftpusers]# sed -i 's/YES/NO/' /etc/vsftpd/vftpusers/LookBack #把从Legion复制来的三项都改为NO,使LookBack没有上传、创建、删除权限
    [root@Legion100 /etc/vsftpd/vftpusers]# service vsftpd restart
    关闭 vsftpd:                                              [确定]
    为 vsftpd 启动 vsftpd:                                    [确定]
    [root@Legion100 /etc/vsftpd/vftpusers]#

    2)、测试

    [root@Legion101 ~]# ftp 172.16.6.100
    Connected to 172.16.6.100 (172.16.6.100).
    220 (vsFTPd 2.2.2)
    Name (172.16.6.100:root): Legion
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> lcd /etc/
    Local directory now /etc
    ftp> put inittab
    local: inittab remote: inittab
    227 Entering Passive Mode (172,16,6,100,253,120).
    150 Ok to send data.
    226 Transfer complete.
    884 bytes sent in 7.4e-05 secs (11945.94 Kbytes/sec)
    ftp> ls -l
    227 Entering Passive Mode (172,16,6,100,244,244).
    150 Here comes the directory listing.
    -rw-------    1 1501     1501          884 Jun 03 09:02 inittab
    226 Directory send OK.
    ftp> bye
    221 Goodbye.
    [root@Legion101 ~]# ftp 172.16.6.100
    Connected to 172.16.6.100 (172.16.6.100).
    220 (vsFTPd 2.2.2)
    Name (172.16.6.100:root): Lookback
    331 Please specify the password.
    Password:
    530 Login incorrect.
    Login failed.
    ftp> lcd /etc/
    Local directory now /etc
    ftp> put fstab
    local: fstab remote: fstab
    530 Please login with USER and PASS.
    Passive mode refused.
    ftp> bye
    221 Goodbye.
    [root@Legion101 ~]#

    Linux基础入门之vsFTP+MySQL/MariaDB认证实现虚拟用户配置详解

  • 原文地址:https://www.cnblogs.com/linkenpark/p/9185619.html