vsftpd+pam+mysql实现虚拟用户访问控制

rgar12

                      1、安装mysql数据库及开发环境
# yum -y install mysql-server mysql-devel

2、安装pam_mysql-0.7RC1
# tar xf pam_mysql-0.7RC1.tar.gz
# cd pam_mysql-0.7RC1
# ./configure --with-mysql=/usr --with-openssl
# make
# make install

# 启动mysql
# service mysqld start

3、创建数据库、表及虚拟用户
mysqladmin -uroot password 'redhat'
mysql -uroot -p
mysql> create database vsftpd;
mysql> use vsftpd;
mysql> create table users( id smallint auto_increment not null , name char(20) binary not null, password char(48) binary not null, primary key(id));
mysql> desc users;
mysql> insert into users (name,password) value ('tom',password('redhat')),('jerry',password('redhat'));
mysql> grant select on vsftpd.* to vsftpd@localhost identified by 'vsftpd';
mysql> grant select on vsftpd.* to vsftpd@127.0.0.1 identified by 'vsftpd';
mysql> select * from users;
mysql> flush privileges;

4、安装vsftpd
# yum install vsftpd lftp ftp

5、配置pam认证所需文件
# vim /etc/pam.d/vsftpd.mysql
auth required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
# 注：pam_mysql-0.7RC1源码目录下的README有介绍crypt的几种机制

6、建立虚拟用户映射的系统用户及对应的目录
# useradd -s /sbin/nologin -d /data/ftproot vuser
# chmod go+rx /data/ftproot/

7、配置vsftpd
# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
chroot_local_user=YES

pam_service_name=vsftpd.mysql        # 确保该文件名正确

guest_enable=YES
guest_username=vuser

8、启动vsftpd
# service vsftpd start
# chkconfig vsftpd on

9、测试vsftpd
# ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
ftp> lcd /tmp
ftp> get issue
ftp> put inittab
local: inittab remote: inittab
227 Entering Passive Mode (127,0,0,1,27,53).
550 Permission denied.
ftp> bye

10、配置虚拟用户具有不同的访问权限

    vsftpd可以在配置文件目录中为每个用户提供单独的配置文件以定义其ftp服务访问权限，每个虚拟用户的配置文件名同虚拟用户的用户名。配置文件目录可以是任意未使用目录，只需要在vsftpd.conf指定其路径及名称即可。

# 配置vsftpd虚拟用户使用的配置文件目录
# vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vuser/

# 创建所需目录及配置文件
# mkdir /etc/vsftpd/vuser/
# cd /etc/vsftpd/vuser/
# touch tom jerry

# 配置对应虚拟用户权限
# vim tom
anon_upload_enable=NO

# vim jerry
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

# 重启vsftpd
# service vsftpd restart

# 测试vsftpd
# ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): jerry
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put inittab
local: inittab remote: inittab
227 Entering Passive Mode (127,0,0,1,73,116).
150 Ok to send data.
226 Transfer complete.
884 bytes sent in 2.2e-05 secs (40181.82 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (127,0,0,1,71,165).
150 Here comes the directory listing.
-rw-------    1 500      500           884 May 22 13:00 inittab
-rw-r--r--    1 0        0              75 May 22 12:55 issue
226 Directory send OK.
ftp> bye


### 配置vsftpd支持openssl安全通信 ###
# 配置生成CA证书
# cd /etc/pki/CA
# (umask 077; openssl genrsa -out private/cakey.pem 2048)

# vim ../tls/openssl.cnf
countryName_default= CN
stateOrProvinceName_default= GuangDong
localityName_default= GuangZhou
0.organizationName_default= Test
organizationalUnitName_default= Tech
dir= /etc/pki/CA

# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3656

# mkdir certs crl newcerts
# touch index.txt
# echo 01 > serial

# mkdir -p /etc/vsftpd/ssl
# cd /etc/vsftpd/ssl/
# (umask 077;openssl genrsa -out vsftpd.key 2048)
# openssl req -new -key vsftpd.key -out vsftpd.csr

# openssl ca -in vsftpd.csr -out vsftpd.crt -days 3656

# 配置vsftpd支持ssl认证
# vim /etc/vsftpd/vsftpd.conf
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key

# 重启vsftpd
# service vsftpd restart

# 测试
# ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): tom
530 Non-anonymous sessions must use encryption.
Login failed.

# 显示以上信息则表明OK，因Linux的ftp命令不支持ssl连接，固可用其它ftp客户端工具（例如filezilla）连接测试，并使用tcpdump工具抓包查看。