一、安装FTP及相关配制

[root@test ~]# yum install vsftpd

==============================================
 Package   Arch       Version      Repository   
==============================================
Installing:
 vsftpd    i386   2.0.5-16.el5    FTP134.200-32b   1
Transaction Summary
===========================
Total download size: 140 k
Is this ok [y/N]: y
Downloading Packages:
vsftpd-2.0.5-16.el5.i386.rpm      | 140 kB     00:00
Finished Transaction Test
Installed:
  vsftpd.i386 0:2.0.5-16.el5
Complete!
[root@test ~]# rpm -q vsftpd
vsftpd-2.0.5-16.el5
[root@test ~]# rpm -ql vsftpd
/etc/logrotate.d/vsftpd.log
/etc/pam.d/vsftpd
/etc/rc.d/init.d/vsftpd
/etc/vsftpd
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
/etc/vsftpd/vsftpd.conf
/etc/vsftpd/vsftpd_conf_migrate.sh
/usr/sbin/vsftpd
...
/var/ftp
/var/ftp/pub
[root@test upload]# vi /etc/vsftpd/vsftpd.conf

允许匿名用户登录

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
# 允许系统用户登录
# Uncomment this to allow local users to log in.
local_enable=YES
允许系统用户写权限用户登录
# Uncomment this to enable any form of FTP write command.
write_enable=YES
允许匿名用户上传
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
允许匿名用户写权限、其它权限
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
# 显示.messages中的自定义信息
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
# 打开日志功能
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
# 修改上传名的权限
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
# 打开日志功能之  定义日志名
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
xferlog_file=/var/log/vsftpd.log
# 启动日志标准格式
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
# 禁锢部分用户在家目录下(方法一)
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES   定义启用
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list  定义到列表中方可生效
#  禁锢所有用户在家目录下(方法二)
chroot_local_user=YES

pam_service_name=vsftpd

userlist_enable=YES           # userlist中的用户名控制启用,规则参照下一个命令
userlist_deny=YES             # 若=NO白名单,若=YES则为黑名单
tcp_wrappers=YES

[root@test vsftpd]# ls  /etc/vsftpd/

chroot_list  ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh

[root@test vsftpd]# cat user_list

# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
[root@test vsftpd]#

二、安装FTP认证登录

FTP中同时有系统读写权限文件共享读写权限时,FTP帐号才有读写权限;

[root@test ftp]# ls -ld /var/ftp/pub/

drwxr-xr-x 2 root root 4096 May 13  2009 /var/ftp/pub/
[root@test ftp]# ls -ld /var/ftp/
drwxr-xr-x 3 root root 4096 Jan 12 10:48 /var/ftp/
[root@test ftp]# mkdir upload
[root@test ftp]# ls
pub  upload
[root@test ftp]# ls -ld /var/ftp/upload/
drwxr-xr-x 2 root root 4096 Jan 12 15:30 /var/ftp/upload/
[root@test ftp]# setfa
setfacl   setfattr  
[root@test ftp]# setfacl -m
u:ftp:rwx /var/ftp/upload/  
#新增ftp帐号的所有权限
[root@test ftp]# getfacl /var/ftp/upload/
getfacl: Removing leading '/' from absolute path names
# file: var/ftp/upload
# owner: root
# group: root
user::rwx
user:ftp:rwx
group::r-x
mask::rwx
other::r-x

[root@test ftp]#

[root@test ssl]# pwd

/etc/vsftpd/ssl
[root@test ssl]# ll
total 16
-rw-r--r-- 1 root root 4541 Jan 13 08:48 vsftpd.crt
-rw-r--r-- 1 root root 1005 Jan 13 08:48 vsftpd.csr
-rw------- 1 root root 1675 Jan 13 08:39 vsftpd.key

[root@test ssl]# cd ..

[root@test vsftpd]# ls
chroot_list  ftpusers  ssl  user_list  vsftpd.conf  vsftpd.conf.bak  vsftpd_conf_migrate.sh
[root@test vsftpd]# vi vsftpd.conf

# ssl or tls

ssl_enable=YES
ssl_sslv3=YES
ssl_tlsv1=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key

 

验证登录:

[root@test vsftpd]# service vsftpd restart

Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@test vsftpd]# ftp 10.109.131.209
Connected to 10.109.131.209.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (10.109.131.209:root): ftp   #正常登录
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,109,131,209,46,95)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 May 13  2009 pub
drwxrwxr-x    3 0        0            4096 Jan 12 08:08 upload
226 Directory send OK.
ftp> bye
221 Goodbye.
[root@test vsftpd]# ftp 10.109.131.209
Connected to 10.109.131.209.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (10.109.131.209:root): hadoop  #登录失败
530 Non-anonymous sessions must use encryption.
Login failed.     #非匿名用户强制使用认证登录
ftp>    
ftp> bye
221 Goodbye.
[root@test vsftpd]# ls       #版本FileZilla3.2.7

三、mysql认证登录FTP

1.安装pam_mysql

[root@test pki]# rpm -q mysql-devel

mysql-devel-5.0.77-3.el5
[root@test pki]# rpm -q mysql
mysql-5.0.77-3.el5

[root@test ~]# tar xf pam_mysql-0.7RC1.tar.gz

[root@test ~]# cd pam_mysql-0.7RC1
[root@test pam_mysql-0.7RC1]# ./configure --with-mysql=/usr --with-openssl
[root@test pam_mysql-0.7RC1]# make
[root@test pam_mysql-0.7RC1]# make install

make[1]: Entering directory `/root/pam_mysql-0.7RC1'

/bin/sh ./mkinstalldirs /usr/lib/security
/bin/sh ./libtool  --mode=install /usr/bin/install -c pam_mysql.la /usr/lib/security/pam_mysql.la
/usr/bin/install -c .libs/pam_mysql.so /usr/lib/security/pam_mysql.so
/usr/bin/install -c .libs/pam_mysql.lai /usr/lib/security/pam_mysql.la
PATH="$PATH:/sbin" ldconfig -n /usr/lib/security
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/lib/security

If you ever happen to want to link against installed libraries

in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
make[1]: Nothing to be done for `install-data-am'.
make[1]: Leaving directory `/root/pam_mysql-0.7RC1'

[root@test pam_mysql-0.7RC1]# cp /usr/lib/security/pam_mysql.* /lib/security/

2. 连接MYSQL

[root@test ~]# mysql -uroot -p

mysql> CREATE DATABASE vsftpd;
Query OK, 1 row affected (0.00 sec)
mysql> use vsftpd;
Database changed
mysql> CREATE TABLE users (
    -> id SMALLINT AUTO_INCREMENT NOT NULL,
    -> name CHAR(20) BINARY NOT NULL,
    -> password CHAR(48) BINARY NOT NULL,
    -> PRIMARY key(id)     );
Query OK, 0 rows affected (0.01 sec)
mysql> desc users;
+----------+-------------+------+-----+---------+----------------+
| Field    | Type   | Null | Key | Default | Extra    |
+----------+-------------+------+-----+---------+----------------+
| id    | smallint(6) | NO   | PRI | NULL    | auto_increment |
| name  | char(20)    | NO   |     | NULL    |        |
| password | char(48)    | NO   |     | NULL    |         |
+----------+-------------+------+-----+---------+----------------+
3 rows in set (0.00 sec)
mysql> mysql> desc users;
+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
| id       | smallint(6) | NO   | PRI | NULL    | auto_increment |
| name     | char(20)    | NO   |     | NULL    |                |
| password | char(48)    | NO   |     | NULL    |                |
+----------+-------------+------+-----+---------+----------------+
3 rows in set (0.00 sec)
mysql> GRANT SELECT ON vsftpd.* TO vsftpd@localhost IDENTIFIED BY 'vsftpd';
Query OK, 0 rows affected (0.00 sec)   #设置权限
mysql> GRANT SELECT ON vsftpd.* TO vsftpd@127.0.0.1 IDENTIFIED BY 'vsftpd';
Query OK, 0 rows affected (0.00 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
mysql> INSERT INTO users (name,password) VALUE ('tom','tom'),('jerry','jerry');
Query OK, 2 rows affected (0.00 sec)   #新增两个用户
Records: 2  Duplicates: 0  Warnings: 0
mysql> SELECT * FROM users;
+----+-------+----------+
| id | name  | password |
+----+-------+----------+
|  1 | tom   | tom      |
|  2 | jerry | jerry    |
+----+-------+----------+
2 rows in set (0.00 sec)

验证创建的数据是否正确:

[root@test ~]# mysql -uvsftpd -p

Enter password:  vsftpd   #验证登录
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.0.77 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;   #验证数据库vsftpd
+--------------------+
| Database           |
+--------------------+
| information_schema |
| vsftpd             |
+--------------------+
2 rows in set (0.01 sec)
mysql> use vsftpd;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;    #验证表users
+------------------+
| Tables_in_vsftpd |
+------------------+
| users            |
+------------------+
1 row in set (0.00 sec)
mysql> select * from users; #验证新增用户
+----+-------+----------+
| id | name  | password |
+----+-------+----------+
|  1 | tom   | tom      |
|  2 | jerry | jerry    |
+----+-------+----------+
2 rows in set (0.00 sec)

3. 建立pam认证所需文件

[root@test ~]# vi /etc/pam.d/vsftp.mysql

auth required /lib/security/pam_mysql.so user=vsftpd passwd=123456 host=localhost db=vsftp table=users usercolumn=name passwdcolumn=passwd crypt=0

account required /lib/security/pam_mysql.so user=vsftpd passwd=123456 host=localhost db=vsftp table=users usercolumn=name passwdcolumn=passwd crypt=0

[root@test ~]# useradd -s /sbin/nologin -d /var/ftproot vuser

[root@test ~]# ls -ld /var/ftproot/

drwx------ 3 vuser vuser 4096 Jan 13 15:55 /var/ftproot/
[root@test ~]# chmod go+rx /var/ftproot/
[root@test ~]# ls -ld /var/ftproot/
drwxr-xr-x 3 vuser vuser 4096 Jan 13 15:55 /var/ftproot/
[root@test ~]# vi /etc/vsftpd/vsftpd.conf

...  #红色为修改部分

pam_service_name=vsftpd.mysql
userlist_enable=YES
tcp_wrappers=YES
# ssl or tls
ssl_enable=YES
ssl_sslv3=YES
ssl_tlsv1=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key
guest_enable=YES
guest_username=vuser

[root@test ~]# service vsftpd restart

Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]

待续。。。