vsftpd: authenticating against MariaDB with pam_mysql.so
Lab environment:
Installing the pam_mysql.so authentication module
Download the pam_mysql source tarball from the web: pam_mysql-0.7RC1.tar.gz.
Before extracting and building it, make sure the development package group is installed on CentOS 7. If it is not, run:
$ yum groupinstall "Development Tools" -y
Then install the MariaDB and PAM development packages:
$ yum install mariadb-devel pam-devel -y
Extract the pam_mysql tarball, enter the source directory, and build and install it. --with-mysql points at the MariaDB headers and libraries, --with-pam at the PAM headers and libraries, and --with-pam-mods-dir sets the directory the module is installed into.
$ ./configure --with-mysql=/usr --with-pam=/usr --with-pam-mods-dir=/usr/lib64/security
$ make
$ make install
After installation, the new pam_mysql.so module can be seen in /usr/lib64/security:
$ ls /usr/lib64/security/ | grep mysql.so
pam_mysql.so
Creating the data in MariaDB
Now plan the users in MariaDB. Create a database named vsftpd, and inside it a table named auth. Put two rows in that table as vsftpd's virtual users: user1 with password user1, and user2 with password user2. The passwords are hashed with MySQL's built-in PASSWORD() function. The lookup is done as the user vsftpd@'127.0.0.1', which is granted only the SELECT privilege and logs in with the password vsftpd. The result looks like this:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.44-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use vsftpd;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [vsftpd]> show tables;
+------------------+
| Tables_in_vsftpd |
+------------------+
| auth             |
+------------------+
1 row in set (0.00 sec)

MariaDB [vsftpd]> desc auth;
+----------+-----------+------+-----+---------+-------+
| Field    | Type      | Null | Key | Default | Extra |
+----------+-----------+------+-----+---------+-------+
| name     | char(20)  | YES  |     | NULL    |       |
| password | char(100) | YES  |     | NULL    |       |
+----------+-----------+------+-----+---------+-------+
2 rows in set (0.01 sec)

MariaDB [vsftpd]> select * from auth;
+-------+-------------------------------------------+
| name  | password                                  |
+-------+-------------------------------------------+
| user1 | *34D3B87A652E7F0D1D371C3DBF28E291705468C4 |
| user2 | *12A20BE57AF67CBF230D55FD33FBAF5230CFDBC4 |
+-------+-------------------------------------------+
2 rows in set (0.00 sec)

MariaDB [vsftpd]> select host,user,password from mysql.user where user='vsftpd';
+-----------+--------+-------------------------------------------+
| host      | user   | password                                  |
+-----------+--------+-------------------------------------------+
| 127.0.0.1 | vsftpd | *653E55BC34328FD9504096B9DFB2434DE24AAE86 |
+-----------+--------+-------------------------------------------+
1 row in set (0.00 sec)
Creating the guest account
Every virtual user stored in MySQL is mapped, after login, to a local guest user. Here a guest account named vuser is created with the home directory /ftproot/vuser, and the directory's mode is changed to 544, which removes all 'write' permission. A pub directory is created inside it, and setfacl
grants the vuser user read, write and execute permission on pub.
$ mkdir ftproot
$ cd ftproot
$ useradd -d /ftproot/vuser vuser
$ chmod 544 /ftproot/vuser
$ mkdir /ftproot/vuser/pub
$ setfacl -m u:vuser:rwx /ftproot/vuser/pub
Configuring the PAM file
Create a new file /etc/pam.d/ftp-mysql and add the following two lines to it. For the full list of options, see the README in the pam_mysql source tarball:
auth required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpd host=127.0.0.1 db=vsftpd table=auth usercolumn=name passwdcolumn=password crypt=2
account required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpd host=127.0.0.1 db=vsftpd table=auth usercolumn=name passwdcolumn=password crypt=2
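The following is an added example, not code from the original post or from the pam_mysql project. It models what the two lines above ask pam_mysql to do: look the login name up in the auth table by the usercolumn/passwdcolumn pair, and compare the stored value under crypt=2, which is the MySQL PASSWORD() scheme used when the rows were inserted (double SHA-1, no salt). The auth table here is a constructed in-memory copy whose hashes are computed at run time rather than copied from the page; only crypt=0 and crypt=2 are modelled, and the option parsing assumes the plain key=value form used in the file above.

```python
import hashlib
import hmac

# Constructed copy of the auth line from /etc/pam.d/ftp-mysql above.
PAM_LINE = (
    "auth required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=vsftpd "
    "host=127.0.0.1 db=vsftpd table=auth usercolumn=name passwdcolumn=password crypt=2"
)


def mysql_password(plaintext):
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(plaintext)).
    The scheme is unsalted, so two users with the same password get the same hash."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def parse_pam_mysql_options(line):
    """Return the key=value module arguments that follow pam_mysql.so on a pam.d line."""
    tokens = line.split()
    module_idx = next(i for i, tok in enumerate(tokens) if tok.endswith("pam_mysql.so"))
    opts = {}
    for tok in tokens[module_idx + 1:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError("malformed option: %r" % tok)
        opts[key] = value
    return opts


def verify(stored, candidate, crypt):
    """Compare the stored column value with a candidate password under the crypt mode.
    Assumption: only crypt=0 (plain text) and crypt=2 (PASSWORD()) are modelled here."""
    if crypt == "0":
        given = candidate
    elif crypt == "2":
        given = mysql_password(candidate)
    else:
        raise ValueError("crypt=%s is not modelled here" % crypt)
    # constant-time comparison so the check itself leaks nothing about the stored value
    return hmac.compare_digest(stored.encode("utf-8"), given.encode("utf-8"))


def authenticate(rows, opts, user, password):
    """Emulate SELECT <passwdcolumn> FROM <table> WHERE <usercolumn> = <user>, then the
    crypt comparison. Names absent from the table fail, as ftpuser and abc do later on."""
    matches = [r for r in rows if r.get(opts["usercolumn"]) == user]
    if len(matches) != 1:
        return False
    return verify(matches[0][opts["passwdcolumn"]], password, opts["crypt"])


OPTS = parse_pam_mysql_options(PAM_LINE)

# Constructed stand-in for the vsftpd.auth table: the hashes are computed here, so each
# row holds exactly what INSERT ... PASSWORD('user1') would have stored.
AUTH_TABLE = [
    {"name": "user1", "password": mysql_password("user1")},
    {"name": "user2", "password": mysql_password("user2")},
]

if __name__ == "__main__":
    for user, pw in [("user1", "user1"), ("user1", "wrong"), ("abc", "abc")]:
        result = "accepted" if authenticate(AUTH_TABLE, OPTS, user, pw) else "rejected"
        print("%s / %s -> %s" % (user, pw, result))
```

Two points worth keeping in mind when running this against a real table: the pam.d file carries the database password in clear text, so it should be readable by root only, and because PASSWORD() is unsalted the hashes in the auth table are only as strong as the passwords themselves, which is why the SELECT-only grant for vsftpd@'127.0.0.1' matters.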
Configuring vsftpd.conf
Create a new vsftpd.conf with the contents below. Note that pam_service_name is changed from the default vsftpd to the ftp-mysql service just created, guest logins are enabled with guest_enable=YES using the guest account vuser, and the per-user permission files for the virtual users user1 and user2 are placed under the /etc/vsftpd/vusers_config directory:
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=ftp-mysql
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vusers_config/
The per-user permission files for user1 and user2 under /etc/vsftpd/vusers_config are shown below: user1 is given only upload permission, while user2 is given permission to upload, remove directories and delete files. Once everything is configured, restart MariaDB and vsftpd with the command systemctl start mariadb.service vsftpd.service:
$ cat /etc/vsftpd/vusers_config/user1
anon_upload_enable=YES
anon_other_write_enable=NO
$ cat /etc/vsftpd/vusers_config/user2
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
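The following is an added example, not code from the original post or from the vsftpd project. It is a small model of how vsftpd resolves write permissions for the two virtual users from the vsftpd.conf and per-user files above. It assumes the documented vsftpd behaviour: with guest_enable=YES a virtual user is treated like an anonymous login, so the anon_* options (not local_umask or the local-user rules) decide what it may write; a file in user_config_dir named after the login overrides the global settings; and the vsftpd.conf(5) defaults are NO for write_enable and the anon_*_enable options and 077 for anon_umask (my reading of the man page, not stated on this page). The config texts are constructed copies of the files shown above.

```python
# Constructed copy of the vsftpd.conf shown above.
VSFTPD_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=ftp-mysql
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vusers_config/
"""

# Constructed copies of /etc/vsftpd/vusers_config/user1 and user2.
USER_CONFIGS = {
    "user1": "anon_upload_enable=YES\nanon_other_write_enable=NO\n",
    "user2": "anon_upload_enable=YES\nanon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n",
}

# Assumption: vsftpd.conf(5) defaults for the options this model reads.
DEFAULTS = {
    "write_enable": "NO",
    "guest_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "anon_umask": "077",
}


def parse_vsftpd_conf(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed vsftpd option: %r" % raw)
        conf[key.strip()] = value.strip()
    return conf


def effective_config(global_text, per_user_text=""):
    """Defaults, overridden by vsftpd.conf, overridden by the user's file in user_config_dir."""
    conf = dict(DEFAULTS)
    conf.update(parse_vsftpd_conf(global_text))
    conf.update(parse_vsftpd_conf(per_user_text))
    return conf


def is_yes(conf, key):
    return conf[key].upper() == "YES"


def guest_permissions(global_text, per_user_text=""):
    """Which write commands a guest (virtual) user may issue, and the mode new uploads get."""
    conf = effective_config(global_text, per_user_text)
    if not is_yes(conf, "guest_enable"):
        raise ValueError("only guest (virtual-user) logins are modelled here")
    writable = is_yes(conf, "write_enable")          # master switch for every write
    other = writable and is_yes(conf, "anon_other_write_enable")
    return {
        "STOR": writable and is_yes(conf, "anon_upload_enable"),   # upload (put)
        "MKD": writable and is_yes(conf, "anon_mkdir_write_enable"),  # mkdir
        "DELE": other,  # delete: covered by anon_other_write_enable ...
        "RMD": other,   # ... as are rmdir, rename and append
        "new_file_mode": 0o666 & ~int(conf["anon_umask"], 8),
    }


if __name__ == "__main__":
    for user, text in USER_CONFIGS.items():
        perms = guest_permissions(VSFTPD_CONF, text)
        print(user, {k: (oct(v) if k == "new_file_mode" else v) for k, v in perms.items()})
    # a virtual user with no file in user_config_dir falls back to the defaults: no writes
    print("unlisted", guest_permissions(VSFTPD_CONF)["STOR"])
```

The model reproduces the client tests later on the page: user1 may STOR but gets "550 Permission denied" on DELE, user2 may STOR, MKD and DELE, and uploaded files come out as -rw------- because the 077 anon_umask applies to guests rather than the 022 local_umask. Two consequences are worth checking on a real deployment: anon_other_write_enable=YES grants rename, rmdir and append as well as delete, so it is broader than "delete files", and a virtual user with no per-user file gets no write access at all, which is the safe default.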
Client testing
On the client, make sure the ftp client tool is installed:
yum install ftp
Use this tool to talk to the server and test user1. The login succeeds, and user1 can upload but cannot delete:
$ ftp 192.168.5.181
Connected to 192.168.5.181 (192.168.5.181).
220 (vsFTPd 3.0.2)
Name (192.168.5.181:root): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,5,181,187,35).
150 Here comes the directory listing.
drwxrwxr-x    2 0        0               6 Jun 05 18:33 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,5,181,180,167).
150 Here comes the directory listing.
226 Directory send OK.
ftp> lcd /etc
Local directory now /etc
ftp> put hosts
local: hosts remote: hosts
227 Entering Passive Mode (192,168,5,181,142,11).
150 Ok to send data.
226 Transfer complete.
256 bytes sent in 0.000155 secs (1651.61 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (192,168,5,181,108,36).
150 Here comes the directory listing.
-rw-------    1 1001     1001          256 Jun 06 05:06 hosts
226 Directory send OK.
ftp> delete hosts
550 Permission denied.
ftp> exit
221 Goodbye.
Next, test user2. The login succeeds, and user2 has permission to upload, delete and create directories:
$ ftp 192.168.5.181
Connected to 192.168.5.181 (192.168.5.181).
220 (vsFTPd 3.0.2)
Name (192.168.5.181:root): user2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,5,181,96,57).
150 Here comes the directory listing.
226 Directory send OK.
ftp> lcd /etc
Local directory now /etc
ftp> put hosts
local: hosts remote: hosts
227 Entering Passive Mode (192,168,5,181,36,41).
150 Ok to send data.
226 Transfer complete.
256 bytes sent in 0.000145 secs (1765.52 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (192,168,5,181,141,235).
150 Here comes the directory listing.
-rw-------    1 1001     1001          256 Jun 06 05:10 hosts
226 Directory send OK.
ftp> delete hosts
250 Delete operation successful.
ftp> ls
227 Entering Passive Mode (192,168,5,181,56,230).
150 Here comes the directory listing.
226 Directory send OK.
ftp> mkdir dir
257 "/pub/dir" created
ftp> ls
227 Entering Passive Mode (192,168,5,181,208,106).
150 Here comes the directory listing.
drwx------    2 1001     1001            6 Jun 06 05:10 dir
226 Directory send OK.
Finally, test logging in as the system user ftpuser and as a non-existent user abc. Neither can log in, which shows that only users present in the MySQL database can authenticate:
$ ftp 192.168.5.181
Connected to 192.168.5.181 (192.168.5.181).
220 (vsFTPd 3.0.2)
Name (192.168.5.181:root): ftpuser
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
$ ftp 192.168.5.181
Connected to 192.168.5.181 (192.168.5.181).
220 (vsFTPd 3.0.2)
Name (192.168.5.181:root): abc
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp>