Lab environment:

IP address | Description
---|---
192.168.5.181 | CentOS 7; mariadb installed from the base repo; acts as the FTP server and as the authentication server
192.168.5.121 | CentOS 6; acts as the FTP client
Installing the pam_mysql.so authentication module

Download the pam_mysql.so source tarball, pam_mysql-0.7RC1.tar.gz.

Before extracting and building, make sure the development tools group is installed on CentOS 7; if it is not, run:

```
$ yum groupinstall "Development Tools" -y
```

Then install the mariadb and pam development packages:

```
$ yum install mariadb-devel pam-devel -y
```

Extract the pam_mysql source tarball, enter the source directory, and build and install. --with-mysql points at the mariadb headers and libraries, --with-pam at the pam headers and libraries, and --with-pam-mods-dir sets the directory the module is installed into.

```
$ ./configure --with-mysql=/usr --with-pam=/usr --with-pam-mods-dir=/usr/lib64/security
$ make
$ make install
```

After installation the new pam_mysql.so module is visible in /usr/lib64/security:

```
$ ls /usr/lib64/security/ | grep mysql.so
pam_mysql.so
```
Creating the data in mariadb

Now plan the users inside mariadb. Create a database named vsftpd, and in it a table named auth. In that table create two users that will serve as vsftpd virtual users: user1 with password user1, and user2 with password user2. Passwords are hashed with mysql's built-in PASSWORD() function. The lookup is done as the user vsftpd@'127.0.0.1', which is granted only the select privilege and logs in with the password vsftpd. The result after creation looks like this:

```
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.44-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use vsftpd;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [vsftpd]> show tables;
+------------------+
| Tables_in_vsftpd |
+------------------+
| auth             |
+------------------+
1 row in set (0.00 sec)

MariaDB [vsftpd]> desc auth;
+----------+-----------+------+-----+---------+-------+
| Field    | Type      | Null | Key | Default | Extra |
+----------+-----------+------+-----+---------+-------+
| name     | char(20)  | YES  |     | NULL    |       |
| password | char(100) | YES  |     | NULL    |       |
+----------+-----------+------+-----+---------+-------+
2 rows in set (0.01 sec)

MariaDB [vsftpd]> select * from auth;
+-------+-------------------------------------------+
| name  | password                                  |
+-------+-------------------------------------------+
| user1 | *34D3B87A652E7F0D1D371C3DBF28E291705468C4 |
| user2 | *12A20BE57AF67CBF230D55FD33FBAF5230CFDBC4 |
+-------+-------------------------------------------+
2 rows in set (0.00 sec)

MariaDB [vsftpd]> select host,user,password from mysql.user where user='vsftpd';
+-----------+--------+-------------------------------------------+
| host      | user   | password                                  |
+-----------+--------+-------------------------------------------+
| 127.0.0.1 | vsftpd | *653E55BC34328FD9504096B9DFB2434DE24AAE86 |
+-----------+--------+-------------------------------------------+
1 row in set (0.00 sec)
```
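The post shows the finished state of the database but not the statements that produce it. The script below is an added example, not part of the original post: it generates the provisioning SQL for the vsftpd database, the auth table, the PASSWORD()-hashed virtual users and the SELECT-only lookup account, so it can be piped into the mysql client. The function names (valid_ftp_name, vsftpd_auth_sql) are assumptions; the database, table, user and password values are the ones the post uses. Because the lookup account's password later sits in cleartext inside /etc/pam.d/ftp-mysql, granting it nothing beyond SELECT on vsftpd.auth is what keeps that exposure small, and the user names are validated before they are interpolated into the SQL so a stray quote cannot alter the statements.

```shell
#!/bin/sh
# Added example (not from the original post): emit the MariaDB provisioning SQL
# that the post describes. Helper names are assumptions; values are the post's.

# Accept only [A-Za-z0-9_] names of at most 20 characters (the column is char(20));
# anything else could break out of the quoted SQL literal below.
valid_ftp_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 20 ]
}

# vsftpd_auth_sql NAME1:PASS1 [NAME2:PASS2 ...]
# Prints the SQL on stdout; returns 1 and prints nothing on an invalid name.
vsftpd_auth_sql() {
    rows=""
    for pair in "$@"; do
        name=${pair%%:*}
        pass=${pair#*:}
        valid_ftp_name "$name" || { echo "invalid user name: $name" >&2; return 1; }
        # The password goes through PASSWORD(); single quotes are doubled so a
        # quote inside the password cannot terminate the literal.
        pass_q=$(printf '%s' "$pass" | sed "s/'/''/g")
        rows="${rows}INSERT INTO auth (name, password) VALUES ('$name', PASSWORD('$pass_q'));
"
    done
    cat <<EOF
CREATE DATABASE IF NOT EXISTS vsftpd;
USE vsftpd;
CREATE TABLE IF NOT EXISTS auth (name CHAR(20), password CHAR(100));
${rows}-- The lookup account needs SELECT only: pam_mysql never writes to the table.
GRANT SELECT ON vsftpd.auth TO 'vsftpd'@'127.0.0.1' IDENTIFIED BY 'vsftpd';
FLUSH PRIVILEGES;
EOF
}

# On the server this would be: vsftpd_auth_sql user1:user1 user2:user2 | mysql -u root -p
vsftpd_auth_sql user1:user1 user2:user2
```

Run as shown it only prints the SQL; piping it into the mysql client as root applies it. The generated statements match the table layout the post's desc auth output shows, and the hashes stored will be whatever PASSWORD() produces on the server, which is why the same crypt=2 setting is needed in the PAM line later.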
Creating the guest account

Every virtual user stored in mysql is mapped to a local guest user after login. Here a guest account named vuser is created with home directory /ftproot/vuser, and the directory's mode is changed to 544, removing all 'write' permission. A pub directory is created inside it, and setfacl grants vuser read, write and execute permission on pub.

```
$ mkdir ftproot
$ cd ftproot
$ useradd -d /ftproot/vuser vuser
$ chmod 544 /ftproot/vuser
$ mkdir /ftproot/vuser/pub
$ setfacl -m u:vuser:rwx /ftproot/vuser/pub
```
Configuring the PAM file

Create a new file /etc/pam.d/ftp-mysql containing the two lines below. For the full list of options, see the README in the pam_mysql.so source tarball:

```
auth required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpd host=127.0.0.1 db=vsftpd table=auth usercolumn=name passwdcolumn=password crypt=2
account required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpd host=127.0.0.1 db=vsftpd table=auth usercolumn=name passwdcolumn=password crypt=2
```
Configuring vsftpd.conf

Create a new vsftpd.conf with the configuration shown below. Note that pam_service_name is changed from the default vsftpd to the ftp-mysql file just created, guest logins are enabled with guest_enable=YES using the guest account vuser, and the permission files for the virtual users user1 and user2 are placed under /etc/vsftpd/vusers_config:

```
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=ftp-mysql
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vusers_config/
```

The permission configuration for user1 and user2 under /etc/vsftpd/vusers_config is shown below: user1 is given upload permission, while user2 is given permission to upload, delete directories and delete files. After configuring, restart mariadb and vsftpd with the command systemctl start mariadb.service vsftpd.service:

```
$ cat /etc/vsftpd/vusers_config/user1
anon_upload_enable=YES
anon_other_write_enable=NO
$ cat /etc/vsftpd/vusers_config/user2
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
```
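The per-user files work because vsftpd reads the file named after the logged-in user from user_config_dir and lets its directives override the global vsftpd.conf; for guest logins the anon_* directives decide what can be written, and nothing is writable at all unless write_enable=YES. The script below is an added example, not part of the original post or of vsftpd: it resolves the effective upload, mkdir and other-write permission for a virtual user from a global config plus a per-user file, using vsftpd's documented defaults (NO) for any directive set in neither place. The function names (vsftpd_get, effective, guest_perms) are assumptions, and the sample config files are constructed inline from the post's values. It goes slightly beyond the post by also showing what a user with no per-user file gets, and what happens when write_enable is switched off globally.

```shell
#!/bin/sh
# Added example (not from the original post): resolve the effective write
# permissions vsftpd gives a guest (virtual) user from the global vsftpd.conf
# plus the per-user file in user_config_dir. Function names are assumptions;
# the sample config files below are constructed from the post's values.

# vsftpd_get FILE KEY DEFAULT -> value of KEY in FILE (last occurrence wins),
# or DEFAULT when the key is absent or empty.
vsftpd_get() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# effective GLOBALCONF USERFILE KEY DEFAULT: a per-user setting overrides the
# global one, exactly as user_config_dir does in vsftpd.
effective() {
    if [ -f "$2" ] && grep -q "^[[:space:]]*$3=" "$2"; then
        vsftpd_get "$2" "$3" "$4"
    else
        vsftpd_get "$1" "$3" "$4"
    fi
}

# guest_perms GLOBALCONF USER_CONFIG_DIR USER -> "upload=.. mkdir=.. other_write=.."
# Guest logins are governed by the anon_* directives (vsftpd defaults: NO), and
# write_enable=NO disables every kind of write regardless of them.
guest_perms() {
    conf=$1; dir=$2; user=$3
    uf="$dir/$user"
    we=$(effective "$conf" "$uf" write_enable NO)
    up=$(effective "$conf" "$uf" anon_upload_enable NO)
    mk=$(effective "$conf" "$uf" anon_mkdir_write_enable NO)
    ow=$(effective "$conf" "$uf" anon_other_write_enable NO)
    if [ "$we" != YES ]; then up=NO; mk=NO; ow=NO; fi
    printf 'upload=%s mkdir=%s other_write=%s\n' "$up" "$mk" "$ow"
}

# Constructed sample: the relevant lines of the post's global config and the
# two per-user files, written to a temporary directory.
tmp=$(mktemp -d)
cat > "$tmp/vsftpd.conf" <<'EOF'
write_enable=YES
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vusers_config/
EOF
mkdir -p "$tmp/vusers_config"
printf 'anon_upload_enable=YES\nanon_other_write_enable=NO\n' > "$tmp/vusers_config/user1"
printf 'anon_upload_enable=YES\nanon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n' > "$tmp/vusers_config/user2"

# user3 has no per-user file, so it falls back to the global config and defaults.
for u in user1 user2 user3; do
    printf '%s: %s\n' "$u" "$(guest_perms "$tmp/vsftpd.conf" "$tmp/vusers_config" "$u")"
done
# user1: upload=YES mkdir=NO other_write=NO
# user2: upload=YES mkdir=YES other_write=YES
# user3: upload=NO mkdir=NO other_write=NO
```

The resolved rows match the behaviour observed in the client tests below: user1 can put a file but gets 550 on delete, user2 can put, delete and mkdir. Pointing the script at the real /etc/vsftpd/vsftpd.conf and /etc/vsftpd/vusers_config is a quick way to review what each virtual user is allowed before exposing the service.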
Client test

On the client, make sure the ftp client tool is installed:

```
yum install ftp
```

Use this tool to talk to the server and test user1. The login succeeds, and user1 has upload permission but no delete permission:

```
$ ftp 192.168.5.181
Connected to 192.168.5.181 (192.168.5.181).
220 (vsFTPd 3.0.2)
Name (192.168.5.181:root): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,5,181,187,35).
150 Here comes the directory listing.
drwxrwxr-x    2 0        0               6 Jun 05 18:33 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,5,181,180,167).
150 Here comes the directory listing.
226 Directory send OK.
ftp> lcd /etc
Local directory now /etc
ftp> put hosts
local: hosts remote: hosts
227 Entering Passive Mode (192,168,5,181,142,11).
150 Ok to send data.
226 Transfer complete.
256 bytes sent in 0.000155 secs (1651.61 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (192,168,5,181,108,36).
150 Here comes the directory listing.
-rw-------    1 1001     1001          256 Jun 06 05:06 hosts
226 Directory send OK.
ftp> delete hosts
550 Permission denied.
ftp> exit
221 Goodbye.
```

Next test user2: the login succeeds, and user2 has upload, delete and directory creation permission:

```
$ ftp 192.168.5.181
Connected to 192.168.5.181 (192.168.5.181).
220 (vsFTPd 3.0.2)
Name (192.168.5.181:root): user2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,5,181,96,57).
150 Here comes the directory listing.
226 Directory send OK.
ftp> lcd /etc
Local directory now /etc
ftp> put hosts
local: hosts remote: hosts
227 Entering Passive Mode (192,168,5,181,36,41).
150 Ok to send data.
226 Transfer complete.
256 bytes sent in 0.000145 secs (1765.52 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (192,168,5,181,141,235).
150 Here comes the directory listing.
-rw-------    1 1001     1001          256 Jun 06 05:10 hosts
226 Directory send OK.
ftp> delete hosts
250 Delete operation successful.
ftp> ls
227 Entering Passive Mode (192,168,5,181,56,230).
150 Here comes the directory listing.
226 Directory send OK.
ftp> mkdir dir
257 "/pub/dir" created
ftp> ls
227 Entering Passive Mode (192,168,5,181,208,106).
150 Here comes the directory listing.
drwx------    2 1001     1001            6 Jun 06 05:10 dir
226 Directory send OK.
```

Finally, test logins as the system user ftpuser and as a non-existent user abc. Neither can log in, which shows that only users present in the mysql database can authenticate:

```
$ ftp 192.168.5.181
Connected to 192.168.5.181 (192.168.5.181).
220 (vsFTPd 3.0.2)
Name (192.168.5.181:root): ftpuser
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
$ ftp 192.168.5.181
Connected to 192.168.5.181 (192.168.5.181).
220 (vsFTPd 3.0.2)
Name (192.168.5.181:root): abc
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp>
```