Implementing vsftpd Virtual Users with MySQL-Based Authentication








Overview
  • This lab needs two hosts: one acts as the FTP server, the other as the MySQL server.
  • FTP server: CentOS 7, IP address 172.20.54.1
  • MySQL server: CentOS 7, IP address 172.20.54.2

1️⃣ Configure the MySQL server

    # Install the MariaDB database
    yum -y install mariadb-server
    systemctl enable --now mariadb

    # Create the virtual-user database and table
    MariaDB [(none)]> CREATE DATABASE ftpdb;
    Query OK, 1 row affected (0.00 sec)

    MariaDB [(none)]> USE ftpdb;
    Database changed

    MariaDB [ftpdb]> CREATE TABLE ftpvusers (
        -> id INT UNSIGNED AUTO_INCREMENT NOT NULL PRIMARY KEY,
        -> username CHAR(50),
        -> password CHAR(50) BINARY NOT NULL
        -> );
    Query OK, 0 rows affected (0.00 sec)

    # Hash the passwords with the PASSWORD() function so they are not stored in clear text
    MariaDB [ftpdb]> INSERT ftpvusers (username,password) VALUES ('ftpuse1',password('centos'));
    Query OK, 1 row affected (0.00 sec)
    MariaDB [ftpdb]> INSERT ftpvusers (username,password) VALUES ('ftpuse2',password('centos'));
    Query OK, 1 row affected (0.00 sec)

    # Create the account the FTP server's PAM module uses to query the table; its name and
    # password must match user= and passwd= in /etc/pam.d/vsftpd.mysql. With the options used
    # here pam_mysql only reads this table, so SELECT on ftpdb.ftpvusers would be sufficient.
    MariaDB [ftpdb]> GRANT ALL ON ftpdb.* TO ftpuser@'172.20.54.%' IDENTIFIED BY 'centos';
    Query OK, 0 rows affected (0.00 sec)
    MariaDB [ftpdb]> FLUSH PRIVILEGES;
    Query OK, 0 rows affected (0.00 sec)

2️⃣ Install vsftpd on the FTP server and compile pam_mysql

  • Install vsftpd
    yum -y install vsftpd
    systemctl start vsftpd
  • Compile pam_mysql
    # Install the compiler toolchain and the MariaDB/PAM development headers
    yum -y install vsftpd gcc gcc-c++ make mariadb-devel pam-devel
    # Download the pam_mysql-0.7RC1 source and build it into the PAM module directory
    wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
    tar xf pam_mysql-0.7RC1.tar.gz
    cd pam_mysql-0.7RC1
    ./configure --with-pam-mods-dir=/lib64/security/
    make && make install
    [root@xxxxx pam_mysql-0.7RC1]# ll /lib64/security/pam_mysql*
    -rwxr-xr-x 1 root root    883 Dec 18 14:40 /lib64/security/pam_mysql.la
    -rwxr-xr-x 1 root root 141712 Dec 18 14:40 /lib64/security/pam_mysql.so

3️⃣ Create the system user on the FTP server

    [root@xxxxx ~]# useradd -d /data/ftpsite -s /sbin/nologin ftpvuser
    # Remove write permission on the FTP root directory (vsftpd refuses to chroot into a writable root)
    [root@xxxxx ~]# chmod 555 /data/ftpsite/
    [root@xxxxx ~]# mkdir -p /data/ftpsite/upload
    [root@xxxxx ~]# setfacl -m u:ftpvuser:rwx /data/ftpsite/upload

4️⃣ Create the PAM configuration file on the FTP server

    vim /etc/pam.d/vsftpd.mysql
    auth    required pam_mysql.so user=ftpuser passwd=centos host=172.20.54.2 db=ftpdb table=ftpvusers usercolumn=username passwdcolumn=password crypt=2
    account required pam_mysql.so user=ftpuser passwd=centos host=172.20.54.2 db=ftpdb table=ftpvusers usercolumn=username passwdcolumn=password crypt=2
  • crypt selects the password encryption method: 0 means no encryption, 1 crypt(3), 2 the MySQL password() function, 3 MD5, 4 SHA1
  • Description of the configuration fields
    auth                   Authentication phase: verifies the account's password
    account                Account phase: verifies that the account may be used normally
    required               This module must succeed for authentication to pass
    pam_mysql.so           The module; a bare name is relative to /lib64/security/, an absolute path also works
    The remaining fields are parameters passed to the module:
    user=vsftpd            User that logs in to MySQL
    passwd=magedu          Password for logging in to MySQL
    host=mysqlserver       Host name or IP address of the MySQL server
    db=vsftpd              Database to connect to
    table=users            Table within that database
    usercolumn=name        Column holding the user name
    passwdcolumn=password  Column holding the password
    crypt=2                Password encryption method: MySQL password() function
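To make the crypt= modes concrete, here is an added Python example (not from the tutorial and not pam_mysql's own code) that reproduces the column value pam_mysql compares against for modes 0, 2, 3 and 4, and verifies a login attempt against it. It assumes the mode numbering listed above and the MySQL 4.1+ PASSWORD() construction ('*' followed by the uppercase hex of SHA1(SHA1(password))); crypt(3) (mode 1) is left out because it depends on the platform libc.

```python
"""Column values pam_mysql expects for each crypt= mode, and a verifier.

Added example; assumes the tutorial's mode numbering (0 plain, 1 crypt(3),
2 MySQL PASSWORD(), 3 MD5, 4 SHA1) and the MySQL 4.1+ PASSWORD() scheme.
"""
import hashlib
import hmac


def mysql_password(plain: str) -> str:
    """MySQL PASSWORD() as used by crypt=2: '*' + HEX(SHA1(SHA1(pw))), 41 chars."""
    inner = hashlib.sha1(plain.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def stored_form(plain: str, crypt_mode: int) -> str:
    """Value that must sit in passwdcolumn for pam_mysql to accept `plain`."""
    data = plain.encode("utf-8")
    if crypt_mode == 0:
        return plain                          # clear text: the password itself
    if crypt_mode == 2:
        return mysql_password(plain)
    if crypt_mode == 3:
        return hashlib.md5(data).hexdigest()  # unsalted MD5 hex
    if crypt_mode == 4:
        return hashlib.sha1(data).hexdigest() # unsalted SHA1 hex
    if crypt_mode == 1:
        raise NotImplementedError("crypt(3) needs the platform libc; not modelled here")
    raise ValueError(f"unknown crypt mode {crypt_mode}")


def verify(candidate: str, stored: str, crypt_mode: int) -> bool:
    """Constant-time comparison of a login attempt against the stored column value."""
    expected = stored_form(candidate, crypt_mode).encode("utf-8")
    return hmac.compare_digest(expected, stored.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: the two tutorial accounts share the password 'centos'
    for user in ("ftpuse1", "ftpuse2"):
        print(user, mysql_password("centos"))
    print("login ok:", verify("centos", mysql_password("centos"), 2))
```

Modes 2, 3 and 4 hash the bare password with no salt, so two accounts with the same password (as ftpuse1 and ftpuse2 have here) hold identical column values, and a leaked table can be checked against precomputed hash lists. Mode 0 stores the password itself. Also note that passwd= in /etc/pam.d/vsftpd.mysql holds the database password in clear text, so that file should be readable by root only.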

5️⃣ Point vsftpd at the PAM configuration file on the FTP server

    vim /etc/vsftpd/vsftpd.conf
    pam_service_name=vsftpd.mysql
    # Map virtual users onto the system user
    guest_enable=YES
    guest_username=ftpvuser
    # Directory holding a separate configuration file per virtual user
    user_config_dir=/etc/vsftpd/vusers.conf.d/

6️⃣ Create a separate configuration file for each virtual user on the FTP server

    vim /etc/vsftpd/vusers.conf.d/ftpuse1
    anon_upload_enable=YES

    vim /etc/vsftpd/vusers.conf.d/ftpuse2
    anon_upload_enable=YES
    local_root=/data/ftpsite2
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES

7️⃣ Configure the shared root directory on the FTP server and restart the vsftpd service

    [root@xxxxx ~]# mkdir -p /data/ftpsite2/upload
    [root@xxxxx ~]# chmod 555 /data/ftpsite2
    [root@xxxxx ~]# setfacl -m u:ftpvuser:rwx /data/ftpsite2/upload/
    [root@xxxxx ~]# touch /data/ftpsite/ftptest1.txt
    [root@xxxxx ~]# touch /data/ftpsite2/ftptest2.txt
    [root@xxxxx ~]# systemctl restart vsftpd

8️⃣ Client test

  • Login test for the ftpuse1 account: it lands in the correct directory and can upload files to the upload subdirectory
    [root@xxxxx ~]# ftp 172.20.54.1
    Connected to 172.20.54.1 (172.20.54.1).
    220 (vsFTPd 3.0.2)
    Name (172.20.54.1:root): ftpuse1
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls                      # list the directory
    227 Entering Passive Mode (172,20,54,1,188,170).
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0               0 Dec 18 07:06 ftptest1.txt
    drwxrwxr-x    2 0        0               6 Dec 18 06:44 upload
    226 Directory send OK.
    ftp> cd upload
    250 Directory successfully changed.
    ftp> put anaconda-ks.cfg     # upload a file
    local: anaconda-ks.cfg remote: anaconda-ks.cfg
    227 Entering Passive Mode (172,20,54,1,34,230).
    150 Ok to send data.
    226 Transfer complete.
    1615 bytes sent in 0.00106 secs (1516.43 Kbytes/sec)
    ftp> ls
    227 Entering Passive Mode (172,20,54,1,64,78).
    150 Here comes the directory listing.
    -rw-------    1 1001     1001         1615 Dec 18 07:27 anaconda-ks.cfg
    226 Directory send OK.
  • Login test for the ftpuse2 account: it lands in the correct directory, and can create directories and upload files in the upload subdirectory
    [root@xxxxx ~]# ftp 172.20.54.1
    Connected to 172.20.54.1 (172.20.54.1).
    220 (vsFTPd 3.0.2)
    Name (172.20.54.1:root): ftpuse2
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls                      # list the directory
    227 Entering Passive Mode (172,20,54,1,217,9).
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0               0 Dec 18 07:06 ftptest2.txt
    drwxrwxr-x    2 0        0               6 Dec 18 07:05 upload
    226 Directory send OK.
    ftp> mkdir testdir           # try to create a directory in the root
    550 Create directory operation failed.
    ftp> ls
    227 Entering Passive Mode (172,20,54,1,42,122).
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0               0 Dec 18 07:06 ftptest2.txt
    drwxrwxr-x    2 0        0               6 Dec 18 07:05 upload
    226 Directory send OK.
    ftp> cd upload
    250 Directory successfully changed.
    ftp> put anaconda-ks.cfg     # upload a file
    local: anaconda-ks.cfg remote: anaconda-ks.cfg
    227 Entering Passive Mode (172,20,54,1,169,45).
    150 Ok to send data.
    226 Transfer complete.
    1615 bytes sent in 0.000266 secs (6071.43 Kbytes/sec)
    ftp> ls
    227 Entering Passive Mode (172,20,54,1,73,4).
    150 Here comes the directory listing.
    -rw-------    1 1001     1001         1615 Dec 18 07:30 anaconda-ks.cfg
    226 Directory send OK.
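Steps 5 to 7 spread each virtual user's effective rights across vsftpd.conf, the per-user file and the directory modes, which is why the ftpuse2 test above shows a 550 on mkdir in the root even though anon_mkdir_write_enable=YES: the chroot root is mode 555, so only the upload subdirectory (where the ACL grants ftpvuser rwx) is writable. The following added Python example (not from the tutorial and not vsftpd's own code) resolves that picture from the config files. It assumes vsftpd's documented behaviour that a per-user file in user_config_dir overrides vsftpd.conf for that user, that guest (virtual) users are governed by the anon_* options, and that local_root defaults to the guest user's home directory; the directory tree it audits is a constructed copy of the tutorial's layout in a temp dir, and the writability check is simplified to "any write bit set".

```python
"""Resolve what each vsftpd virtual user may do from the config files.

Added example; assumes vsftpd's documented per-user override behaviour.
The audited tree is constructed in a temp dir, not read from /data or /etc.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Constructed copy of the tutorial's vsftpd.conf; {vusers} is filled in by demo().
MAIN_CONF = """\
pam_service_name=vsftpd.mysql
guest_enable=YES
guest_username=ftpvuser
user_config_dir={vusers}
"""


def parse_vsftpd_conf(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed vsftpd option: {raw!r}")
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def _yes(conf, key):
    return conf.get(key, "NO").upper() == "YES"


def audit_virtual_user(name, main_conf, default_root):
    """Merge global and per-user settings and report the user's effective write rights."""
    user_file = Path(main_conf["user_config_dir"]) / name
    user_conf = parse_vsftpd_conf(user_file.read_text()) if user_file.is_file() else {}
    conf = {**main_conf, **user_conf}          # the per-user file wins, as in vsftpd
    root = conf.get("local_root", default_root)
    report = {
        "user": name,
        "root": root,
        "upload": _yes(conf, "anon_upload_enable"),
        "mkdir": _yes(conf, "anon_mkdir_write_enable"),
        "delete_rename": _yes(conf, "anon_other_write_enable"),
        "root_writable": None,                  # unknown until the directory exists
    }
    if os.path.isdir(root):
        mode = stat.S_IMODE(os.stat(root).st_mode)
        # Simplification: any write bit counts; the tutorial's chmod 555 clears them all
        report["root_writable"] = bool(mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    return report


def demo():
    """Recreate the tutorial layout in a temp dir and audit ftpuse1 and ftpuse2."""
    base = Path(tempfile.mkdtemp())
    site1, site2 = base / "ftpsite", base / "ftpsite2"   # stand-ins for /data/ftpsite*
    try:
        vusers = base / "vusers.conf.d"
        vusers.mkdir()
        for site in (site1, site2):
            (site / "upload").mkdir(parents=True)
            site.chmod(0o555)                  # chroot root is not writable
        (vusers / "ftpuse1").write_text("anon_upload_enable=YES\n")
        (vusers / "ftpuse2").write_text(
            "anon_upload_enable=YES\n"
            f"local_root={site2}\n"
            "anon_mkdir_write_enable=YES\n"
            "anon_other_write_enable=YES\n"
        )
        main_conf = parse_vsftpd_conf(MAIN_CONF.format(vusers=vusers))
        return {u: audit_virtual_user(u, main_conf, str(site1)) for u in ("ftpuse1", "ftpuse2")}
    finally:
        for site in (site1, site2):
            if site.exists():
                site.chmod(0o755)              # restore write so cleanup can remove entries
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for user, report in demo().items():
        print(user, report)
```

Run against the real files by passing parse_vsftpd_conf() of /etc/vsftpd/vsftpd.conf and the guest user's home directory as default_root. The report makes the two tests above predictable: ftpuse1 may upload but not create directories; ftpuse2 has mkdir and delete/rename enabled, yet neither user's root is writable, so those operations only succeed inside upload.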