- 基于ssl加密的认证
查看是否支持SSL查看到libssl.so
[root@localhost pub]# ldd `which vsftpd`
linux-vdso.so.1 => (0x00007fff1ded2000)
libssl.so.10 => /lib64/libssl.so.10 (0x00007fd017b54000) 有该模块
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fd017949000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00007fd01772f000)
libpam.so.0 => /lib64/libpam.so.0 (0x00007fd017520000)
libcap.so.2 => /lib64/libcap.so.2 (0x00007fd01731b000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fd017116000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007fd016d2c000)
libc.so.6 => /lib64/libc.so.6 (0x00007fd01696b000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fd01671c000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fd016435000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fd016231000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fd015ffe000)
libz.so.1 => /lib64/libz.so.1 (0x00007fd015de8000)
libaudit.so.1 => /lib64/libaudit.so.1 (0x00007fd015bc0000)
libattr.so.1 => /lib64/libattr.so.1 (0x00007fd0159ba000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd017ff5000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fd0157ab000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fd0155a7000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fd01538c000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fd015170000)
libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007fd014f69000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fd014d42000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fd014ae1000)
创建自签名证书
[root@localhost certs]# (umask 066; openssl genrsa -out /etc/vsftpd/ftp.key 2048) 创建私钥
Generating RSA private key, 2048 bit long modulus
............................................................+++
........................................................................+++
e is 65537 (0x10001)
[root@localhost certs]# openssl req -x509 -new -key /etc/vsftpd/ftp.key -out /etc/vsftpd/ftp.pem -days 365 生成证书
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cx 国家
State or Province Name (full name) []:chxi 省份
Locality Name (eg, city) [Default City]:chenxi 市
Organization Name (eg, company) [Default Company Ltd]:chenxi 公司
Organizational Unit Name (eg, section) []:cxftp部门
Common Name (eg, your name or your server's hostname) []:cxftp.com 域名
Email Address []:
[root@localhost certs]# cd /etc/vsftpd/
[root@localhost vsftpd]# ls
ftp.key ftp.pem ftpusers user_list vsftpd vsftpd.conf vsftpd.conf.bak vsftpd_conf_migrate.sh
[root@localhost vsftpd]# openssl x509 -in ftp.pem -noout -text 查看证书
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15018347509568254265 (0xd06be37d45303139)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=cx, ST=chxi, L=chenxi, O=chenxi, OU=cxftp, CN=cxftp.com
Validity
Not Before: Aug 11 07:33:54 2017 GMT
Not After : Aug 11 07:33:54 2018 GMT
Subject: C=cx, ST=chxi, L=chenxi, O=chenxi, OU=cxftp, CN=cxftp.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b9:35:92:d4:6b:80:1b:86:5d:14:24:17:07:96:
5a:f3:62:26:fb:63:e2:6f:b1:3b:27:a9:78:d7:e5:
e8:8a:32:04:27:83:0c:0c:01:4e:48:b3:9c:7d:ba:
88:5b:3c:c1:16:9f:1b:1c:21:d8:f4:ef:3d:79:f3:
61:d4:81:03:05:bf:78:ef:83:dc:b1:92:10:39:12:
b2:ab:4e:9e:f1:26:1e:cf:90:be:52:99:76:f0:b0:
3a:5d:66:98:e3:1e:cf:cb:8c:af:02:1f:52:8e:b1:
0c:10:ae:b2:aa:5d:fd:60:f8:9f:ad:83:e3:4f:ee:
d7:b7:f5:40:fd:2b:7e:7c:ee:e6:33:9c:99:67:7f:
10:6b:b2:ba:1f:f3:93:22:96:cd:29:79:95:f5:8b:
50:e4:93:3c:d7:6a:a4:94:94:b2:63:b6:ba:af:61:
b7:b9:c3:a7:4b:c6:55:c0:a8:72:69:97:19:56:3d:
ef:3b:11:db:6a:e9:af:a5:c8:c9:d7:ce:f7:9a:41:
d1:0f:7b:d4:0f:e7:68:dd:4c:81:28:df:63:f9:e2:
6a:2e:7e:fe:93:15:5a:5b:33:90:73:09:36:8b:b2:
08:c1:6b:5a:eb:60:b7:05:e5:63:6c:27:05:71:01:
02:bd:3c:28:d6:a0:20:ee:95:b0:97:dd:46:a2:63:
71:77
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
5A:4E:CF:82:65:84:88:F9:70:E4:06:DC:F0:42:55:55:05:B8:A4:D1
X509v3 Authority Key Identifier:
keyid:5A:4E:CF:82:65:84:88:F9:70:E4:06:DC:F0:42:55:55:05:B8:A4:D1
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
4a:58:ff:96:05:2e:06:28:51:4c:be:40:57:d3:16:88:1d:79:
21:16:b7:da:aa:2c:af:0d:1d:7f:a8:f7:84:18:f8:49:ba:60:
8a:f3:2a:7e:a6:e1:f1:55:55:5d:e0:23:e7:5f:3a:5d:38:a0:
19:28:c1:fc:bc:a2:d8:2c:29:c9:55:89:bd:04:13:6e:16:21:
3a:fe:e7:8c:5e:62:9b:f3:a6:a7:5b:f6:0c:54:3c:5a:0f:bc:
38:2a:41:14:1a:9f:03:6b:0e:6a:72:bb:ab:2c:99:81:df:fd:
f7:28:8a:e1:fd:ff:c3:b9:6c:58:27:88:44:30:8e:ea:81:7c:
90:56:96:36:60:43:de:5e:29:7d:00:ce:cd:e2:0d:06:b4:16:
97:77:22:66:bb:9c:06:63:66:5e:5f:50:55:df:f7:1d:2a:c4:
c3:43:a7:0a:83:9f:2a:e8:dd:52:96:e2:84:9e:71:40:a1:fa:
5a:8e:f9:d8:f6:00:ff:59:41:29:ed:5f:b6:2e:b4:2b:a1:03:
86:d0:51:3f:8c:be:e1:79:bc:d9:34:84:21:8f:92:f8:a1:46:
a8:24:09:bf:1d:af:36:98:6a:76:62:98:b3:f8:30:97:f1:50:
77:74:77:1e:e0:18:94:6e:ae:cf:64:69:44:06:2e:c6:41:ac:
b5:f7:a8:27
[root@localhost vsftpd]# vim vsftpd.conf 注意配置项后不可跟空格
ssl_enable=YES
#启用SSL
allow_anon_ssl=NO
#匿名不支持SSL
force_local_logins_ssl=YES
#本地用户登录加密
force_local_data_ssl=YES
#本地用户数据传输加密
rsa_cert_file=/etc/vsftpd/ftp.pem
"vsftpd.conf" 136L, 5238C
[root@localhost vsftpd]# systemctl restart vsftpd.service 重启
用filezilla 等工具测试
- vsftpd 虚拟用户
- 虚拟用户:所有虚拟用户会统一映射为一个指定的系统帐号:访问共享位置 ,即为此系统帐号的家目录;各虚拟用户可被赋予不同的访问权限,通过匿名用户的权限控制参数进行指定
- 虚拟用户帐号的存储方式:
(1)文件:编辑文本文件,此文件需要被编码为hash 格式
奇数行为用户名,偶数行为密码
db_load -T -t hash -f vusers.txt vusers.db
(2)关系型数据库中的表中:实时查询数据库完成用户认证
mysql 库:pam 要依赖于pam-mysql、/lib64/security/pam_mysql.so、/usr/share/doc/pam_mysql-0.7/README
3.实现基于文件验证的vsftpd 虚拟用户
(1)创建用户数据库文件注意基数行是用户名;偶数行是密码
[root@localhost vsftpd]# cat vusers.txt
chenxi
chenxi++
chenxi123
chenxi123++
[root@localhost vsftpd]# cd /etc/vsftpd/ 切到此目录下
[root@localhost vsftpd]# db_load -T -t hash -f vusers.txt vusers.db 使用hash加密
[root@localhost vsftpd]# cat vusers.db
뤚) )茗эh^chenxi++chenxichenxi123++chenxi123[root@localhost vsftpd]#
[root@localhost vsftpd]# chmod 600 vusers.db 为保证文件的安全性(2)创建用户和访问FTP 目录
创建用户
[root@localhost vsftpd]# useradd -d /var/ftproot -s /sbin/nologin vuser
授权
[root@localhost vsftpd]# chmod +rx /var/ftproot/
centos7 还需要执行以下操作
对ftp共享根目录设置不可写操作;否则不可登录
[root@localhost vsftpd]# chmod -w /var/ftproot/
在ftp共享目录创建子文件夹
[root@localhost vsftpd]# mkdir /var/ftproot/upload
使用acl给该目录授予全部的权限
[root@localhost vsftpd]# setfacl -m u:vuser:rwx /var/ftproot/upload
(3)创建pam 配置文件
vim /etc/pam.d/vsftpd.db
auth required pam_userdb.so db=/etc/vsftpd/vusers 验证虚拟用户
account required pam_userdb.so db=/etc/vsftpd/vusers 验证虚拟用户密码
(4)指定pam 配置文件
vim /etc/vsftpd/vsftpd.conf
guest_enable=YES 启用虚拟用户功能
guest_username=vuser 虚拟用户对应的系统用户
pam_service_name=vsftpd.db 验证模块
(5)SELinux 设置:
禁用SELinux 或者 setsebool -P ftpd_full_access 1
(6)虚拟用户建立独立的配置文件
mkdir /etc/vsftpd/vusers.d/ 创建配置文件存放的路径
vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vusers.d/ 复制 建立独立的配置文件
cd /etc/vsftpd/vusers.d/ 进入此目录
允许chenxi用户可读写,其它用户只读
vim chenxi 创建各用户自已的配置文件
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/ftproot 登录目录改变至指定的目录
最后重启
[root@localhost vusers.d]# systemctl restart vsftpd.service
客户端测试
[root@root ~]# ftp 192.168.175.130
Connected to 192.168.175.130 (192.168.175.130).
220 (vsFTPd 3.0.2)
Name (192.168.175.130:root): chenxi
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
4、基于数据库MYSQL 验证的vsftpd 虚拟用户
(1)说明:本实验在两台CentOS 主机上实现,一台做为FTP 服务器,一台做数据库服务器
(2)安装所需要包和包组
在数据库服务器上安装包
Centos7 :在数据库服务器上安装
yum –y install mariadb-server mariadb
systemctl start mariadb.service
systemctl enable mariadb
Centos6 :在数据库服务器上安装
yum –y install mysql-server
(3)在FTP 服务器上安装vsftpd 和pam_mysql包
centos6:pam_mysql 由 由epel6 的源中提供
yum install vsftpd pam_mysql
centos7 :无对应rpm 包,需手动 编译 安装
yum -y groupinstall "Development Tools"
yum -y install mariadb-devel pam-devel vsftpd
下载pam_mysql-0.7RC1.tar.gz
链接:http://pan.baidu.com/s/1i5FvwUT 密码:36nb
tar xvf pam_mysql-0.7RC1.tar.gz
cd pam_mysql-0.7RC1/
./configure --with-mysql=/usr --with-pam=/usr --with-pam-mods-dir=/lib64/security
make && make install
(4)在数据库服务器上创建虚拟用户账号
数据库服务器连接上去
[root@localhost ~]# /usr/bin/mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 6
Server version: 5.5.52-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> CREATE DATABASE vsftpd; 创建数据库
MariaDB [(none)]> GRANT SELECT ON vsftpd.* TO
-> vsftpd@'172.16.%.%' IDENTIFIED BY 'magedu'; 创建用户并受与查询权限
MariaDB [(none)]> USE vsftpd; 进入vsftpd数据库
MariaDB [vsftpd]> CREATE TABLE users (
-> id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
-> name CHAR(50) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL
-> ); 创建表
mysql>DESC users; 查看表结构
客户端测试连接
[root@root ~]# mysql -uvsftpd -h192.168.175.130 -pmagedu
数据库服务器端添加用户
MariaDB [vsftpd]> INSERT INTO users(name,password)
-> values('chenxi',password('123'));
Query OK, 1 row affected (0.00 sec)
MariaDB [vsftpd]> INSERT INTO users(name,password) values('chenxi1',password('123'));
Query OK, 1 row affected (0.01 sec)
ftp服务端,也就是数据库的客户端操作
. 在FTP 服务器上建立pam认证所需文件
[root@root ~]# cat /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=magedu host=192.168.175.130 db=vsftpd table=users usercolumn=name passwdcol
umn=password crypt=2account required pam_mysql.so user=vsftpd passwd=magedu host=192.168.175.130 db=vsftpd table=users usercolumn=name passwd
=magedu usercolumn=name passwdcolumn=password crypt=2
. 建立相应用户和修改vsftpd 配置文件,使其适应mysql 认证建立虚拟用户映射的系统用户及对应的目录
useradd -s /sbin/nologin -d /var/ftproot vuser
chmod 555 /var/ftproot
mkdir /var/ftproot/{upload,pub}
setfacl –m u:vuser:rwx /var/ftproot/upload
确保/etc/vsftpd.conf 中已经启用了以下选项
anonymous_enable=YES
添加下面两项
guest_enable=YES
guest_username=vuser
修改下面一项,原系统用户无法登录
pam_service_name=vsftpd.mysql
四、启动vsftpd 服务
service vsftpd start;systemctl start vsftpd
chkconfig vsftpd on;systemctl enable vsftpd
查看端口开启情况
netstat -tnlp |grep :21
五、Selinux 相关设置:在FTP
restorecon -R /lib64/security
setsebool -P ftpd_connect_db 1
setsebool -P ftp_home_dir 1
chcon -R -t public_content_rw_t /var/ftproot/
在FTP 服务器上配置虚拟用户具有不同的访问权限vsftpd 可以在配置文件目录中为每个用户提供单独的配置文件以定义其ftp 服务访问权限,每个虚拟用户的配置文件名同虚拟用户的用户名。配置文件目录可以是任意未使用目录,只需要在vsftpd.conf指定其路径及名称即可
配置vsftpd 为虚拟用户使用配置文件目录
vim /etc/vsftpd/vsftpd.conf
添加如下选项
user_config_dir=/etc/vsftpd/vusers_config
创建所需要目录,并为虚拟用户提供配置文件
mkdir /etc/vsftpd/vusers_config/
cd /etc/vsftpd/vusers_config/
touch chenxi chenxi1
配置虚拟用户的访问权限
虚拟用户对vsftpd 服务的访问权限是通过匿名用户的相关指令进行的。如果需要让用户wang 具有上传文件的权限,可以改/etc/vsftpd/vusers_config/wang 文件,在里面添加如下
选项并设置为YES 即可, 只读则设为NO
注意:需确保 对应的映射用户对于文件系统有写 权限
anon_upload_enable={YES|NO}
anon_mkdir_write_enable={YES|NO}
anon_other_write_enable={YES|NO}