1、對pam_mysql-0.7RC1包進行編譯安裝
-
編譯安裝環境配置
編譯安裝所需的包如下:
~]#yum -y groupinstall "Development Tools" "Server Platform Development"
~]#yum -y install mariadb-server mariadb-devel openssl-devel
-
對包進行解壓并編譯安裝
~]# tar xf pam_mysql-0.7RC1.tar.gz
~]# cd pam_mysql-0.7RC1
pam_mysql-0.7RC1]# ls
acinclude.m4 config.h.in COPYING ltmain.sh mkinstalldirs pam_mysql.spec.in
aclocal.m4 config.sub CREDITS Makefile.am NEWS pkg.m4
ChangeLog configure INSTALL Makefile.in pam_mysql.c README
config.guess configure.in install-sh missing pam_mysql.spec stamp-h.in
pam_mysql-0.7RC1]# ./configure --help | less 編譯安裝參數幫助查看
~]# ./configure --with-mysql=/usr --with-openssl=/usr --with-pam=/usr --with-pam-mods-dir=/lib64/security
~]#make && make install
pam_mysql-0.7RC1]# ls /lib64/security/ |grep pam_mysql 查看編譯安裝后pam_mysql.so是否存在
pam_mysql.la
pam_mysql.so
2、mysql中創建用戶及表
開啟數據庫并設定開機自啟動
~]# systemctl start mariadb.service
~]# systemctl enable mariadb.service
創建用戶及表
pam_mysql-0.7RC1]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.50-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> CREATE DATABASE vsftpd;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> use vsftpd;
Database changed
MariaDB [vsftpd]> CREATE TABLE users (
-> id int AUTO_INCREMENT NOT NULL PRIMARY KEY,
-> name char(30) NOT NULL,
-> password char(48) binary NOT NULL );
Query OK, 0 rows affected (0.01 sec)
MariaDB [vsftpd]> DESC users
-> ;
+----------+----------+------+-----+---------+----------------+
| Field    | Type     | Null | Key | Default | Extra          |
+----------+----------+------+-----+---------+----------------+
| id       | int(11)  | NO   | PRI | NULL    | auto_increment |
| name     | char(30) | NO   |     | NULL    |                |
| password | char(48) | NO   |     | NULL    |                |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)
MariaDB [vsftpd]> INSERT INTO users(name,password) VALUES ('tom',password('oracleadmin'));
Query OK, 1 row affected (0.00 sec)
MariaDB [vsftpd]> INSERT INTO users(name,password) VALUES ('jerry',password('oracleadmin'));
Query OK, 1 row affected (0.01 sec)
MariaDB [vsftpd]> SELECT * FROM users;
+----+-------+-------------------------------------------+
| id | name  | password                                  |
+----+-------+-------------------------------------------+
|  1 | tom   | *81D2898F52A342B0B5E52CB747519B10342BD069 |
|  2 | jerry | *81D2898F52A342B0B5E52CB747519B10342BD069 |
+----+-------+-------------------------------------------+
2 rows in set (0.00 sec)
MariaDB [vsftpd]> GRANT select ON vsftpd.* TO vsftpd@localhost IDENTIFIED BY 'oracleadmin';
Query OK, 0 rows affected (0.00 sec)
MariaDB [vsftpd]> GRANT select ON vsftpd.* TO vsftpd@'127.0.0.1' IDENTIFIED BY 'oracleadmin'
;
Query OK, 0 rows affected (0.00 sec)
MariaDB [vsftpd]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.01 sec)
MariaDB [vsftpd]> exit
Bye
測試連接（-p 後直接接密碼會留在 shell 歷史與 ps 輸出中，僅適合測試環境；正式環境請改為互動輸入密碼）
]# mysql -uvsftpd -poracleadmin
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 5.5.50-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> SHOW DATABASE;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'DATABASE' at line 1
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
| vsftpd             |
+--------------------+
3 rows in set (0.00 sec)
MariaDB [(none)]> user vsftpd
-> ;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'user vsftpd' at line 1
MariaDB [(none)]> use vsftpd
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [vsftpd]> SELECT * FROM users;
+----+-------+-------------------------------------------+
| id | name  | password                                  |
+----+-------+-------------------------------------------+
|  1 | tom   | *81D2898F52A342B0B5E52CB747519B10342BD069 |
|  2 | jerry | *81D2898F52A342B0B5E52CB747519B10342BD069 |
+----+-------+-------------------------------------------+
2 rows in set (0.00 sec)
MariaDB [vsftpd]> exit
Bye
3、創建并修改與pamd的連接文件
在pam.d目錄中創建vsftpd.mysql文件
~]# cd /etc/pam.d/
pam.d]# vim vsftpd.mysql 此文件中所涉及的參數可以在pam_mysql-0.7RC1文件的README中查看；此文件內含資料庫明文密碼(passwd=...)，應限制為僅root可讀(如 chmod 600)
pam_mysql-0.7RC1]# less README |more
pam_mysql - A PAM authentication module against MySQL database.
$Id: README,v 1.8.2.9 2006/01/09 10:35:59 moriyoshi Exp $
pam.d]# cat vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=oracleadmin host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2 (Use MySQL PASSWORD() function)
account required pam_mysql.so user=vsftpd passwd=oracleadmin host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
4、創建虛擬賬戶所對應的實體賬號,并進行vsftpd的配置文件修改
創建賬號并進行目錄創建和權限修改
pam.d]# useradd -s /sbin/nologin -d /ftproot vuser
pam.d]# ls -ld /ftproot/
drwx------ 2 vuser vuser 59 11月 9 15:16 /ftproot/
pam.d]# chmod go+rx /ftproot/
pam.d]# ls -ld /ftproot/
drwxr-xr-x 2 vuser vuser 59 11月 9 15:16 /ftproot/
pam.d]# chmod -w /ftproot/ 去除根目錄寫權限：vsftpd 3.x 拒絕 chroot 到可寫的根目錄，否則登入時會報 500 OOPS
pam.d]# mkdir /ftproot/{pub,upload}
修改vsftpd的配置文件添加guest_enable=YES guest_username=vuser pam_service_name=vsftpd.mysql,可以通過man vsftpd.conf進行參數確認并查看
[root@localhost pam.d]# vim /etc/vsftpd/vsftpd.conf
guest_enable=YES
guest_username=vuser
pam_service_name=vsftpd.mysql
]# systemctl start vsftpd.service
]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:3306 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 32 :::21 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
5、測試連接
-
連接性測試:
[root@localhost pam.d]# ftp 192.168.150.137
Connected to 192.168.150.137 (192.168.150.137).
220 (vsFTPd 3.0.2)
Name (192.168.150.137:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,150,137,84,48).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Nov 09 07:21 pub
drwxr-xr-x 2 0 0 6 Nov 09 07:21 upload
226 Directory send OK.
ftp> bye
221 Goodbye.
[root@localhost pam.d]# ftp 192.168.150.137
Connected to 192.168.150.137 (192.168.150.137).
220 (vsFTPd 3.0.2)
Name (192.168.150.137:root): jerry
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,150,137,181,119).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Nov 09 07:21 pub
drwxr-xr-x 2 0 0 6 Nov 09 07:21 upload
226 Directory send OK.
ftp> exit
221 Goodbye.
均可以通過mysql中添加的賬戶密碼進行vsftpd登入
-
文件上傳下載測試
pam.d]# chown vuser /ftproot/upload/ upload文件夾添加vuser的用戶權限
[root@localhost pam.d]# ls -ld /ftproot/upload/
drwxr-xr-x 2 vuser root 6 11月 9 15:21 /ftproot/upload/
pam.d]# vim /etc/vsftpd/vsftpd.conf 修改vsftpd.conf的配置文件,允許用戶上傳操作,修改完后重啟vsftpd服務
anon_upload_enable=YES
[root@localhost pam.d]# !system
systemctl restart vsftpd.service
pam.d]# ftp 192.168.150.137
Connected to 192.168.150.137 (192.168.150.137).
220 (vsFTPd 3.0.2)
Name (192.168.150.137:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd upload
250 Directory successfully changed.
ftp> lcd /etc
Local directory now /etc
ftp> put fstab
local: fstab remote: fstab
227 Entering Passive Mode (192,168,150,137,205,67).
150 Ok to send data.
226 Transfer complete.
465 bytes sent in 1.8e-05 secs (25833.33 Kbytes/sec)
ftp> bye
221 Goodbye.
[root@localhost pam.d]# ftp 192.168.150.137
Connected to 192.168.150.137 (192.168.150.137).
220 (vsFTPd 3.0.2)
Name (192.168.150.137:root): jerry
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd upload
250 Directory successfully changed.
ftp> lcd /etc
Local directory now /etc
ftp> put issue
local: issue remote: issue
227 Entering Passive Mode (192,168,150,137,187,178).
150 Ok to send data.
226 Transfer complete.
23 bytes sent in 5.9e-05 secs (389.83 Kbytes/sec)
ftp> bye
221 Goodbye.
-
用戶權限分類型測試
將mysql中的用戶區分為可以上傳和無法上傳兩個權限
pam.d]# cd /etc/vsftpd/
vsftpd]# vim vsftpd.conf 將anon_upload_enable=YES功能關閉
#anon_upload_enable=YES
創建vuser.conf.d目錄并進行各用戶單獨配置文件創建,配置文件中單獨設定anon_upload_enable此功能是否開啟
vsftpd]# ls
ftpusers user_list vsftpd.conf vsftpd_conf_migrate.sh
vsftpd]# mkdir vusers.conf.d
vsftpd]# cd vusers.conf.d/
vusers.conf.d]# vim tom
vusers.conf.d]# cp tom jerry
vusers.conf.d]# vim jerry
vusers.conf.d]# cat {tom,jerry}
anon_upload_enable=YES
anon_upload_enable=NO
修改vsftpd.conf添加參數user_config_dir=/etc/vsftpd/vusers.conf.d,進行單獨用戶配置文件的連接,修改完成后重啟vsftpd服務
vusers.conf.d]# cd ..
vsftpd]# ls
ftpusers user_list vsftpd.conf vsftpd_conf_migrate.sh vusers.conf.d
vsftpd]# vim vsftpd
vsftpd]# vim vsftpd.conf
user_config_dir=/etc/vsftpd/vusers.conf.d
[root@localhost vsftpd]# systemctl restart vsftpd.service
測試
此用戶可以上傳
vsftpd]# ftp 192.168.150.137
Connected to 192.168.150.137 (192.168.150.137).
220 (vsFTPd 3.0.2)
Name (192.168.150.137:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd upload
250 Directory successfully changed.
ftp> lcd /etc
Local directory now /etc
ftp> ls
227 Entering Passive Mode (192,168,150,137,166,0).
150 Here comes the directory listing.
-rw------- 1 1000 1000 465 Nov 09 07:25 fstab
-rw------- 1 1000 1000 23 Nov 09 07:26 issue
226 Directory send OK.
ftp> lcd /etc
Local directory now /etc
ftp> put grub2.cfg
local: grub2.cfg remote: grub2.cfg
227 Entering Passive Mode (192,168,150,137,46,19).
150 Ok to send data.
226 Transfer complete.
4265 bytes sent in 0.0286 secs (149.04 Kbytes/sec)
ftp> bye
221 Goodbye.
此用戶禁用上傳
vsftpd]# ftp 192.168.150.137
Connected to 192.168.150.137 (192.168.150.137).
220 (vsFTPd 3.0.2)
Name (192.168.150.137:root): jerry
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd upload
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,150,137,62,132).
150 Here comes the directory listing.
-rw------- 1 1000 1000 465 Nov 09 07:25 fstab
-rw------- 1 1000 1000 4265 Nov 09 07:31 grub2.cfg
-rw------- 1 1000 1000 23 Nov 09 07:26 issue
226 Directory send OK.
ftp> lcd /etc
Local directory now /etc
ftp> !ls
adjtime e2fsck.conf ld.so.conf polkit-1 shadow-
aliases environment ld.so.conf.d popt.d shells
aliases.db ethertypes libaudit.conf postfix skel
alternatives exports libnl ppp ssh
anacrontab favicon.png libuser.conf prelink.conf.d ssl
asound.conf filesystems locale.conf printcap statetab
audisp firewalld localtime profile statetab.d
audit fstab login.defs profile.d subversion
avahi gcrypt logrotate.conf protocols sudo.conf
bash_completion.d gdbinit logrotate.d python sudoers
bashrc gdbinit.d lvm rc0.d sudoers.d
binfmt.d gnupg machine-id rc1.d sudo-ldap.conf
centos-release GREP_COLORS magic rc2.d sysconfig
centos-release-upstream groff makedumpfile.conf.sample rc3.d sysctl.conf
chkconfig.d group man_db.conf rc4.d sysctl.d
cron.d group- mke2fs.conf rc5.d systemd
cron.daily grub2.cfg modprobe.d rc6.d system-release
cron.deny grub.d modules-load.d rc.d system-release-cpe
cron.hourly gshadow motd rc.local tcsd.conf
cron.monthly gshadow- mtab rdma terminfo
crontab gss my.cnf redhat-release tmpfiles.d
cron.weekly host.conf my.cnf.d resolv.conf tuned
crypttab hostname NetworkManager rpc udev
csh.cshrc hosts networks rpm vconsole.conf
csh.login hosts.allow nsswitch.conf rsyncd.conf vimrc
dbus-1 hosts.deny nsswitch.conf.bak rsyslog.conf virc
default init.d openldap rsyslog.d vsftpd
depmod.d inittab opt rwtab wpa_supplicant
dhcp inputrc os-release rwtab.d X11
DIR_COLORS iproute2 pam.d sasl2 xdg
DIR_COLORS.256color issue passwd securetty xinetd.d
DIR_COLORS.lightbgcolor issue.net passwd- security yum
dnsmasq.conf kdump.conf pkcs11 selinux yum.conf
dnsmasq.d kernel pki services yum.repos.d
dracut.conf krb5.conf plymouth sestatus.conf
dracut.conf.d ld.so.cache pm shadow
ftp> put resolv.conf
local: resolv.conf remote: resolv.conf
227 Entering Passive Mode (192,168,150,137,44,37).
550 Permission denied.
ftp> bye
221 Goodbye.
原創文章,作者:N23-蘇州-void,如若轉載,請注明出處:http://www.www58058.com/58886