Tags: vsftpd+openssl+mysql implementing sftp and ftp virtual users
FTP: File Transfer Protocol. Ports: control: tcp/21; data: tcp/20 or a random high port
FTP uses two connections:
Command connection (control connection): tcp/21
Data connection (opened on demand):
Active mode: tcp/20 (the ftp server initiates the connection to the client)
Passive mode: a random high port
FTP has two transfer modes: binary and text (the default is auto, which picks the mode automatically from the file's characteristics)
sftp is implemented with openssl; ftps is a sub-function of ssh.
System platform: rhel5.8 (32-bit), IP: 32.12.32.227, installed from the distribution's own rpm packages
Install ftp:
#yum install vsftpd
#service vsftpd start
#finger ftp (installing vsftpd automatically creates the ftp user and group; this shows the home directory of the ftp user)
Test (anonymous login at this point; the user name can be anonymous or ftp, the password is empty):
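The passive-mode data connection described above is the one that firewall rules have to account for, because the server announces a random high port inside its "227 Entering Passive Mode" reply. The following is an added example, not part of the original post: a small POSIX sh helper that decodes such a reply into host:port (port = p1*256 + p2) and checks the port against a pasv_min_port/pasv_max_port range. The 227 lines used as input are the ones that appear in the transcripts later in this post; the pasv_min_port and pasv_max_port range (50000-50100) is an assumed value chosen for the example, not something the post configures.

```shell
#!/bin/sh
# Added example (not from the original post): decode a vsftpd passive-mode
# reply so the data connection can be matched against firewall rules.

pasv_endpoint() {
    # $1: a raw reply line such as
    #     "227 Entering Passive Mode (32,12,32,227,222,90)"
    # Prints "a.b.c.d:port" on stdout; returns 1 if the line is not a 227 reply.
    case "$1" in
        227*\(*,*,*,*,*,*\)*) ;;
        *) return 1 ;;
    esac
    tuple=${1#*\(}          # strip everything up to and including "("
    tuple=${tuple%%\)*}     # strip ")" and anything after it
    oldifs=$IFS
    IFS=,
    set -- $tuple           # split the six comma-separated numbers
    IFS=$oldifs
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s:%s\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

pasv_port_in_range() {
    # $1: reply line, $2: pasv_min_port, $3: pasv_max_port
    # Returns 0 when the announced data port lies inside [$2, $3].
    ep=$(pasv_endpoint "$1") || return 1
    port=${ep##*:}
    [ "$port" -ge "$2" ] && [ "$port" -le "$3" ]
}

# Assumed passive port range for the example (the post does not set one).
PASV_MIN=50000
PASV_MAX=50100

# Replies taken from the transcripts in this post.
for reply in "227 Entering Passive Mode (32,12,32,227,222,90)" \
             "227 Entering Passive Mode (32,12,32,227,93,85)" \
             "227 Entering Passive Mode (32,12,32,227,230,252)"; do
    ep=$(pasv_endpoint "$reply")
    if pasv_port_in_range "$reply" "$PASV_MIN" "$PASV_MAX"; then
        echo "$ep  inside configured passive range"
    else
        echo "$ep  OUTSIDE passive range $PASV_MIN-$PASV_MAX (firewall would block it)"
    fi
done
```

Without pasv_min_port/pasv_max_port in vsftpd.conf, the server may pick any high port, which is why the post resorts to flushing iptables before testing; pinning the range lets a stateful firewall rule admit only that range instead.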
C:\Users\yangyuan>ftp 32.12.32.227
连接到 32.12.32.227。
220 (vsFTPd 2.0.5)
用户(32.12.32.227:(none)): ftp
331 Please specify the password.
密码:
230 Login successful.
ftp>
Note: anonymous users cannot upload files, create directories, or delete files unless the configuration file /etc/vsftpd/vsftpd.conf is changed:
#vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES (allow anonymous users to upload files)
anon_mkdir_write_enable=YES (allow anonymous users to create directories)
anon_other_write_enable=YES (allow anonymous users to delete files)
#mkdir /var/ftp/upload (create an upload directory)
#setfacl -m u:ftp:rwx /var/ftp/upload
#service vsftpd restart
#setenforce 0
#iptables -F (flush the firewall rules)
Test:
Xshell:\> ftp 32.12.32.227
Connecting to 32.12.32.227:21...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
220 (vsFTPd 2.0.5)
Name (32.12.32.227:yangyuan): ftp
331 Please specify the password.
Password:
230 Login successful.
ftp:/> cd upload
250 Directory successfully changed.
ftp:/upload> lpwd
D:\Users\yangyuan\Desktop
ftp:/upload> put fd.png
227 Entering Passive Mode (32,12,32,227,222,90)
150 Ok to send data.
fd.png: 12.8 KB sent in 0.001 sec (13,129 bytes, 12.5 MB/sec).
226 File receive OK.
ftp:/upload> mkdir test3
257 "/upload/test3" created
ftp:/upload> delete fd.png
250 Delete operation successful.
Logging in to ftp with an ordinary system user lands in that user's home directory; this is not recommended:
#useradd hadoop
#echo "redhat" | passwd --stdin hadoop
Xshell:\> ftp 32.12.32.227
Connecting to 32.12.32.227:21...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
220 (vsFTPd 2.0.5)
Name (32.12.32.227:yangyuan): hadoop
331 Please specify the password.
Password:
230 Login successful.
ftp:/home/hadoop>
In addition, the following two directives can be added to /etc/vsftpd/vsftpd.conf:
max_clients=N (maximum number of concurrent clients)
max_per_ip=N (maximum number of connections from a single IP address)
Implementing sftp: CA ----> sftp
# (umask 077;openssl genrsa -out private/cakey.pem 2048)
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
.........
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:JS
Locality Name (eg, city) [Newbury]:SZ
Organization Name (eg, company) [My Company Ltd]:bocs
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.bocs.com
Email Address []:
# vim /etc/pki/tls/openssl.cnf
dir = /etc/pki/CA
# mkdir /etc/vsftpd/ssl
# cd /etc/vsftpd/ssl
# (umask 077;openssl genrsa -out vsftpd.key 2048)
# openssl req -new -key vsftpd.key -out vsftpd.csr
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:JS
Locality Name (eg, city) [Newbury]:SZ
Organization Name (eg, company) [My Company Ltd]:bocs
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ftp.bocs.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in vsftpd.csr -out vsftpd.crt (answer y to both prompts)
#vim /etc/vsftpd/vsftpd.conf (add the following)
######### SSL or TLS #########
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key
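Two of the settings in this post deserve a second look before they go to production: ssl_sslv3=YES re-enables an obsolete protocol that vsftpd disables by default, and the three anon_*_enable directives from the anonymous-upload section give write access to everyone if they stay in the main configuration instead of a per-user file. The script below is an added example, not part of the original post: a POSIX sh audit that reads a vsftpd.conf and reports these weak settings, the cleartext fallback that appears when force_local_logins_ssl/force_local_data_ssl are set to NO while ssl_enable=YES, and a missing pasv_min_port/pasv_max_port range. Both sample configuration files are constructed for the example; the "weak" one mirrors the values used in this post, the "hardened" one is an assumed corrected version.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf for the
# weak settings discussed in this post. Assumes the usual key=value format
# with '#' comments; the last occurrence of a key wins.

conf_value() {
    # $1: config file, $2: key. Prints the effective value, or nothing if unset.
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

audit_vsftpd_conf() {
    # $1: config file. Prints one finding per line; prints nothing when clean.
    f=$1
    if [ "$(conf_value "$f" ssl_sslv3)" = "YES" ]; then
        echo "ssl_sslv3=YES: SSLv3 is obsolete, set ssl_sslv3=NO (vsftpd's default)"
    fi
    for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        if [ "$(conf_value "$f" "$k")" = "YES" ]; then
            echo "$k=YES in main config: anonymous users can write; put it in a per-user file under user_config_dir instead"
        fi
    done
    if [ "$(conf_value "$f" ssl_enable)" = "YES" ]; then
        for k in force_local_logins_ssl force_local_data_ssl; do
            if [ "$(conf_value "$f" "$k")" = "NO" ]; then
                echo "$k=NO with ssl_enable=YES: non-anonymous logins may fall back to cleartext"
            fi
        done
    fi
    if [ -z "$(conf_value "$f" pasv_min_port)" ] || [ -z "$(conf_value "$f" pasv_max_port)" ]; then
        echo "pasv_min_port/pasv_max_port unset: passive data ports are unrestricted, firewall cannot be scoped"
    fi
    return 0
}

# Constructed sample configs (not real files from the post's server).
WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

cat > "$WEAK_CONF" <<'EOF'
# constructed: mirrors the settings used in this post
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
EOF

cat > "$HARDENED_CONF" <<'EOF'
# constructed: assumed corrected version
anonymous_enable=NO
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=NO
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
pasv_min_port=50000
pasv_max_port=50100
EOF

echo "== weak config =="
audit_vsftpd_conf "$WEAK_CONF"
echo "== hardened config =="
audit_vsftpd_conf "$HARDENED_CONF"
```

Run it against /etc/vsftpd/vsftpd.conf after each edit in this post; an empty report for a file that still has anonymous writes enabled in a per-user file under user_config_dir is expected, because that is where the post deliberately puts them for jerry.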
#service vsftpd restart
Test
Virtual users based on PAM and MySQL
# yum -y install mysql-server mysql-devel
# service mysqld start
# chkconfig mysqld on
Linking the system's PAM to MySQL needs one more package: pam_mysql-0.7RC1.tar.gz, download location: http://download.chinaunix.net/download.php?id=15901&ResourceID=7820
# tar xf pam_mysql-0.7RC1.tar.gz
# cd pam_mysql-0.7RC1
# ./configure --with-mysql --with-openssl
# make
# make install
Create the database and table, and grant privileges to the database user
# mysql
mysql> CREATE DATABASE vsftpd;
Query OK, 1 row affected (0.02 sec)
mysql> USE vsftpd;
Database changed
mysql> CREATE TABLE users (
-> id SMALLINT AUTO_INCREMENT NOT NULL,
-> name CHAR(20) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL,
-> PRIMARY KEY(id)
-> );
Query OK, 0 rows affected (0.03 sec)
mysql> DESC users;
+----------+-------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+-------------+------+-----+---------+----------------+
| id | smallint(6) | NO | PRI | NULL | auto_increment |
| name | char(20) | NO | | NULL | |
| password | char(48) | NO | | NULL | |
+----------+-------------+------+-----+---------+----------------+
3 rows in set (0.01 sec)
mysql> GRANT SELECT ON vsftpd.* TO vsftpd@localhost IDENTIFIED BY 'vsftpd';
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT SELECT ON vsftpd.* TO vsftpd@'127.0.0.1' IDENTIFIED BY 'vsftpd';
Query OK, 0 rows affected (0.00 sec)
mysql> INSERT INTO users (name,password) values ('tom','redhat');
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO users (name,password) values ('jerry','redhat');
Query OK, 1 row affected (0.00 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
mysql> \q
Create the files PAM authentication needs
# vim /etc/pam.d/vsftpd.mysql
auth required /usr/lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0
account required /usr/lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0
# useradd -s /sbin/nologin -d /var/vuser vuser
# chmod go+rx /var/vuser
# vim /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.mysql
force_local_data_ssl=NO
force_local_logins_ssl=NO
######## guest ##########
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vuser_list
# mkdir /etc/vsftpd/vuser_list
# touch /etc/vsftpd/vuser_list/{tom,jerry}
# vim /etc/vsftpd/vuser_list/jerry (user jerry gets upload, create-directory and delete-file capability)
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
# service vsftpd restart
Test
[root@localhost ~]# ftp 32.12.32.227
Connected to 32.12.32.227.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (32.12.32.227:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
[root@localhost ~]# ftp 32.12.32.227
Connected to 32.12.32.227.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (32.12.32.227:root): jerry
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc
Local directory now /etc
ftp> put inittab
local: inittab remote: inittab
227 Entering Passive Mode (32,12,32,227,93,85)
150 Ok to send data.
226 File receive OK.
1666 bytes sent in 0.021 seconds (77 Kbytes/s)
ftp> mkdir test
257 "/test" created
ftp> ls
227 Entering Passive Mode (32,12,32,227,230,252)
150 Here comes the directory listing.
-rw------- 1 502 502 1666 May 05 16:21 inittab
drwx------ 2 502 502 4096 May 05 16:21 test
226 Directory send OK.
ftp> delete inittab
250 Delete operation successful.
Original URL: http://puregrass.blog.51cto.com/2882569/1770452