
db_mysql.so_vsftpd: A guide to configuring virtual users on MySQL

Published: 2025/4/17

Author: 香農青島數據恢復中心

2013-11-07 11:01

Overview

VSFTPD (Very Secure FTP Daemon) is a secure FTP server for Unix/Linux systems. It protects transferred data by encrypting it with SSL. It is well known for its security, performance and stability compared with other servers. Vsftpd supports virtual users through PAM (Pluggable Authentication Modules). A virtual user is a login that does not exist as a real account on the system in the /etc/passwd and /etc/shadow files. Virtual users can therefore be more secure than real users, because a compromised account can only use the FTP server and cannot log in to the system to use other services. You can keep your virtual users in a local db or a MySQL db. This guide is for RHEL/CentOS 5/6 and focuses on MySQL-based FTP authentication.

Procedure

1. Install the vsftpd package using yum.

# yum install vsftpd mysql-server

# service mysqld restart

# mysqladmin -u root password 'newpassword'

2. Create the mysql database for use with vsftpd.

$ mysql -u root -p

mysql> CREATE DATABASE vsftpd;

mysql> GRANT SELECT ON vsftpd.* TO 'vsftpd'@'localhost' IDENTIFIED BY 'vsftpdpassword';

mysql> FLUSH PRIVILEGES;

mysql> USE vsftpd;

mysql> CREATE TABLE `accounts` (
`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
`username` VARCHAR( 30 ) NOT NULL ,
`pass` VARCHAR( 50 ) NOT NULL ,
UNIQUE (`username`)
) ENGINE = MYISAM ;

mysql> exit;

3. Configure vsftpd. Create a non-privileged user called 'vsftpd' (with the home directory /home/vsftpd) belonging to the group 'users'. vsftpd can run with this user's privileges to further reduce the risk to the system. The FTP directories of our virtual users will be beneath the '/home/vsftpd/' directory (e.g. /home/vsftpd/user1, /home/vsftpd/user2, etc.) or as defined in VSFTPDPERUSER config file.

# useradd -G users -s /bin/false -d /home/vsftpd vsftpd

4. Open and configure default vsftpd.conf file.

# vim /etc/vsftpd/vsftpd.conf

anonymous_enable=NO
# Allow 'local' users with WRITE permissions (0755)
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
log_ftp_protocol=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
nopriv_user=vsftpd
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vsftpd
local_root=/home/vsftpd/$USER
user_sub_token=$USER
virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd/vsftpd_user_conf

5. Create a pam file that will use the new user database.

# cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd-orig

# cat /dev/null > /etc/pam.d/vsftpd

# vi /etc/pam.d/vsftpd

#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_mysql.so user=vsftpd passwd=vsftpdpassword host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=3
account required pam_mysql.so user=vsftpd passwd=vsftpdpassword host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=3

6. Install pam_mysql.so. Only available in EPEL.

# wget ftp://ftp.pbone.net/mirror/centos.karan.org/el5/extras/testing/i386/RPMS/pam_mysql-0.7-0.5.rc1.el5.kb.2.i386.rpm

# rpm -ivh pam_mysql-0.7-0.5.rc1.el5.kb.2.i386.rpm

Check that it installed correctly. Once installed, the module should be listed in /lib/security:

# ls -al /lib/security/pam_m*
-rwxr-xr-x 1 root root 8024 Sep 4 00:51 /lib/security/pam_mail.so
-rwxr-xr-x 1 root root 15848 Sep 4 00:51 /lib/security/pam_mkhomedir.so
-rwxr-xr-x 1 root root 3892 Sep 4 00:51 /lib/security/pam_motd.so
-rwxr-xr-x 1 root root 36920 Feb 28 2008 /lib/security/pam_mysql.so

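7. Create some mysql users. The pass column holds the MD5 hash of each password, which is what crypt=3 in the PAM file expects.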

$ mysql -u root -p

mysql> USE vsftpd;

mysql> INSERT INTO accounts (username, pass) VALUES('user1', md5('secret'));

mysql> select * from accounts;
+----+----------+----------------------------------+
| id | username | pass                             |
+----+----------+----------------------------------+
|  1 | user1    | 5ebe2294ecd0e0f08eab7690d2a6ee69 |
+----+----------+----------------------------------+
1 rows in set (0.00 sec)

mysql> exit;

8. Now user1's homedir is /home/vsftpd/user1 . Unfortunately vsftpd doesn't create that directory automatically if it doesn't exist. Therefore one has to create it as root manually now and give it proper ownership by the vsftpd user and group 'users':

# mkdir /home/vsftpd/user1

# chown vsftpd:users /home/vsftpd/user1

9. Start service and make it persistent across reboots.

# service vsftpd restart; chkconfig vsftpd on

10. Confirm the service is listening:

# lsof -i -n | egrep -i 'ftp|:21'

11. If you have iptables enabled, allow FTP traffic to 21/tcp:

# vim /etc/sysconfig/iptables

-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

12. Load the required module:

# vim /etc/sysconfig/iptables-config

IPTABLES_MODULES="ip_conntrack_ftp"

Save and close the file.

13. Save iptables and restart the service.

# service iptables save; service iptables restart

14. Restart vsftpd.

# service vsftpd restart

Now open two different terminals. In one terminal, try to connect over FTP using a local user, and in the other terminal watch the FTP log messages:

# tail -f /var/log/vsftpd.log
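
A defensive check for the two files this guide produces, as an added example that is not part of the original guide. It flags settings that differ from the guide's vsftpd.conf, a missing ssl_enable=YES (the configuration above never sets it), a world-readable PAM file carrying the database password, and crypt=3 (plain MD5). The function names and the sample files are constructed for illustration.

```shell
# Added example (not from the original guide). Sample files are constructed.

# Print the value of directive $2 in vsftpd.conf $1 (last occurrence wins;
# commented-out lines never match because the key must start the line).
conf_get() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# Print one finding per line for vsftpd.conf $1 and PAM service file $2.
audit_vsftpd() {
    for pair in anonymous_enable=NO guest_enable=YES chroot_local_user=YES; do
        got=$(conf_get "$1" "${pair%%=*}")
        [ "$got" = "${pair#*=}" ] || echo "CONF ${pair%%=*}=${got:-unset}, expected ${pair#*=}"
    done
    # Without ssl_enable=YES, FTP logins and data cross the network in clear text.
    [ "$(conf_get "$1" ssl_enable)" = YES ] || echo "CONF ssl_enable is not YES"
    # The pam_mysql lines embed the database password (passwd=...).
    if grep -q 'pam_mysql\.so.*passwd=' "$2"; then
        case $(ls -ld "$2") in
            ???????r*) echo "PAM file is world-readable and contains a DB password" ;;
        esac
    fi
    # crypt=3 makes pam_mysql compare against plain MD5 hashes.
    if grep -q 'pam_mysql\.so.*crypt=3' "$2"; then
        echo "PAM crypt=3 means unsalted MD5 password hashes"
    fi
    return 0
}

# Build constructed copies of the guide's two files and audit them.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' 'chroot_local_user=YES' \
        'guest_enable=YES' 'guest_username=vsftpd' > "$d/vsftpd.conf"
    printf '%s\n' '#%PAM-1.0' \
        'auth required pam_mysql.so user=vsftpd passwd=vsftpdpassword host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=3' \
        > "$d/vsftpd.pam"
    chmod 644 "$d/vsftpd.pam"
    audit_vsftpd "$d/vsftpd.conf" "$d/vsftpd.pam"
    rm -rf "$d"
}

demo
```

On a real host, call audit_vsftpd /etc/vsftpd/vsftpd.conf /etc/pam.d/vsftpd as root.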
