ftp 本身就是明文的(账号、口令和传输的数据都不加密,同一网段就能嗅探到),所以默认不允许 root 用户访问 ftp 服务:root 同时写在 /etc/vsftpd/ftpusers(由 PAM 检查)和 /etc/vsftpd/user_list(由 vsftpd 自己检查)两个文件里,后面会分别演示这两层
守护进程:
独立守护: 用户访问量大,在线时间比较长的服务
超级守护进程 xinetd 自己是一个独立的守护进程
瞬时守护: 用户访问量小,而且在线时间不长的服务
都是由超级守护进程 xinetd 代为管理的
[root@mail ~]# vim /etc/vsftpd/vsftpd.conf
#idle_session_timeout=600 #用户会话超过600秒,就断开
#data_connection_timeout=120 #跟数据连接相关的
#ascii_upload_enable=YES #启用ascii文本上传功能 # 如果打开,允许以 ASCII 文本方式上传(会改写行结束符,传二进制文件会被损坏),最好不要打开
#ascii_download_enable=YES #启用ascii文本下载功能 # 如果打开,允许以 ASCII 文本方式下载,同样最好不要打开
chroot_list_enable=YES # 准备禁锢用户
chroot_list_file=/etc/vsftpd/chroot_list # 里面定义禁锢哪些用户,在这个文件里面 # 注意:这个文件的含义取决于 chroot_local_user。chroot_local_user=NO(默认,即本节的情况)时,文件里列出的用户被禁锢;chroot_local_user=YES 时含义反转,文件里列出的用户反而不被禁锢。两处配置要一起核对,否则会把本想禁锢的用户放出来
[root@mail ~]# touch /etc/vsftpd/chroot_list
[root@mail ~]# vim /etc/vsftpd/chroot_list
hadoop
[root@mail ~]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[root@mail ~]#
新开一窗口,建两个用户(下面只贴了 hbase 的 useradd,redis 同样要先 useradd redis 再 passwd)
[root@mail ~]# useradd hbase
[root@mail ~]# passwd hbase
Changing password for user hbase.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@mail ~]#
[root@mail ~]# passwd redis
Changing password for user redis.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@mail ~]#
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): redis
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd ( 不是 "/" 说明未禁锢在家目录下 )
257 "/home/redis"
ftp>
[root@mail ~]# vim /etc/vsftpd/chroot_list
hadoop
redis
[root@mail ~]# !se
service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[root@mail ~]#
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): redis
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd (此时可看到禁锢在家目录下面了)
257 "/"
ftp>
[root@mail ~]# vim /etc/vsftpd/vsftpd.conf
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list
chroot_local_user=YES # 此时所有的用户都禁锢在家目录下面了 # 注意:禁锢只限制 FTP 会话能看到的目录树,不等于用户没有 shell/SSH 权限;另外 vsftpd 2.3.5 及更新版本默认拒绝把用户禁锢在自己可写的目录里(报 500 OOPS: vsftpd: refusing to run with writable root inside chroot()),届时要把家目录改成不可写并在其下建可写子目录,或显式设置 allow_writeable_chroot=YES(后者会降低安全性)。本文演示用的 2.0.5 没有这个限制
listen=YES # 表示 vsftpd 是否工作为一个独立守护进程的,否则是一个瞬时守护进程
# 如果为瞬时守护进程 /etc/xinetd.d/ 目录下建一个配置文件就成
pam_service_name=vsftpd # vsftpd 接受 pam 来控制的,pam 配置文件在 /etc/pam.d 目录下叫什么名字,就是这里定义的 即 /etc/pam.d/vsftpd
userlist_enable=YES # 表示启用 user_list 这个文件来控制用户是否能够登录,默认所有写在这个文件里面的用户都是不能登录的
userlist_deny=YES # 默认是YES,是拒绝 user_list 里面的用户登录
#userlist_deny=NO # 不拒绝
[root@mail ~]# man vsftpd.conf
[root@mail ~]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[root@mail ~]#
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): hbase
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd (禁锢在家目录里面)
257 "/"
ftp>
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): root (连密码都来不及输,它就让你权限拒绝)
530 Permission denied.
Login failed.
ftp>
[root@mail ~]# cd /etc/vsftpd/
[root@mail vsftpd]# ls #有个ftpusers,所有写在这个文件里面的用户都禁止访问ftp # ftpusers 是由 /etc/pam.d/vsftpd 里的 pam_listfile 检查的,所以是在输入口令之后才拒绝;而 user_list 是 vsftpd 自己在 USER 命令阶段检查的,连口令都不会提示。两个文件默认内容相同,属于双重保险
chroot_list ftpusers user_list vsftpd.conf vsftpd.conf.bak vsftpd_conf_migrate.sh
[root@mail vsftpd]#
[root@mail vsftpd]# cat ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
news
uucp
operator
games
nobody
[root@mail vsftpd]#
[root@mail vsftpd]# cat /etc/pam.d/vsftpd
#%PAM-1.0
session optional pam_keyinit.so force revoke
#下一行 pam_listfile: item=user 表示拿登录名与 file= 指定的文件逐行比对,sense=deny 表示“名字出现在文件里就拒绝”(黑名单语义;sense=allow 则是白名单),这里的黑名单由 /etc/vsftpd/ftpusers 定义
#onerr=succeed 表示文件不存在或不可读时这一行按通过处理,即出错放行(fail-open):万一 /etc/vsftpd/ftpusers 被误删或权限错误,root 等账号就不再被它拦住;更保守的写法是 onerr=fail
#再下一行 pam_shells 要求用户的登录 shell 必须列在 /etc/shells 里;给只用 FTP 的本地账号指定 /sbin/nologin 之类的 shell 时,若该 shell 不在 /etc/shells 中,登录会在这一行被拒绝
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session include system-auth
session required pam_loginuid.so
[root@mail vsftpd]#
[root@mail vsftpd]# pwd
/etc/vsftpd
[root@mail vsftpd]# cat user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
news
uucp
operator
games
nobody
[root@mail vsftpd]#
清空 user_list 文件 # vim user_list 执行 ggdG 就清空了 user_list 文件(gg 跳到首行,dG 删到末行;注意是小写 d,大写 D 只删到当前行行尾,不会清空文件)
[root@mail vsftpd]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[root@mail vsftpd]#
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): root
331 Please specify the password.
Password: (清空了 user_list ,虽然可以让你输密码了,但是仍然是不能登录的:这次是 /etc/pam.d/vsftpd 里的 pam_listfile 按 /etc/vsftpd/ftpusers 把 root 拒掉的,所以提示变成了 530 Login incorrect 而不是 Permission denied)
530 Login incorrect.
Login failed.
ftp>
[root@mail ~]# vim /etc/vsftpd/vsftpd.conf
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list
chroot_local_user=YES # 此时所有的用户都禁锢在家目录下面了
listen=YES # 表示 vsftpd 是否工作为一个独立守护进程的,否则是一个瞬时守护进程
# 如果为瞬时守护进程 /etc/xinetd.d/ 目录下建一个配置文件就成
pam_service_name=vsftpd # vsftpd 接受 pam 来控制的,pam 配置文件在 /etc/pam.d 目录下叫什么名字,就是这里定义的 即 /etc/pam.d/vsftpd
userlist_enable=YES # 表示启用 user_list 这个文件来控制用户是否能够登录,默认所有写在这个文件里面的用户都是不能登录的
userlist_deny=YES # 默认是YES,是拒绝 userlist 里面的用户登录
#userlist_deny=NO # 不拒绝
[root@mail vsftpd]# vim user_list
hbase
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): hbase
530 Permission denied. (拒绝登录,连输密码的机会都没有)
Login failed.
ftp>
[root@mail ~]# vim /etc/vsftpd/vsftpd.conf
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list
chroot_local_user=YES # 此时所有的用户都禁锢在家目录下面了
listen=YES # 表示 vsftpd 是否工作为一个独立守护进程的,否则是一个瞬时守护进程
# 如果为瞬时守护进程 /etc/xinetd.d/ 目录下建一个配置文件就成
pam_service_name=vsftpd # vsftpd 接受 pam 来控制的,pam 配置文件在 /etc/pam.d 目录下叫什么名字,就是这里定义的 即 /etc/pam.d/vsftpd
userlist_enable=YES # 表示启用 user_list 这个文件来控制用户是否能够登录,默认所有写在这个文件里面的用户都是不能登录的 # 表示启用 user_list 这个文件来控制用户是否能够登录
#userlist_deny=YES # 默认是YES,是拒绝 userlist 里面的用户登录 #到底能不能登录, YES,表示黑名单
userlist_deny=NO # 不拒绝 ,仅 允许 userlist 里面的用户能够登录 #到底能不能登录, NO,表示白名单
[root@mail vsftpd]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[root@mail vsftpd]#
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): hbase
331 Please specify the password.
Password:
230 Login successful. (此时能正常登录)
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp>
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): hadoop # 此时 hadoop 不能登录,(连输密码的机会都没有)
530 Permission denied.
Login failed.
ftp>
vsftpd:
max_clients=#
max_per_ip=#
ftp本身是明文的
安全通信方式
ftps: ftp+ssl/tls
sftp: (OpenSSH,SubSystem,sftp(SSH))
ftps: 创建一个证书,配置证书,提供下面几个指令
ssl_sslv2 不要支持(SSLv2 早已被攻破,保持默认的 NO)
ssl_sslv3 也不要再启用(SSLv3 有 POODLE 等已知漏洞),只保留 ssl_tlsv1;课程原话是 tlsv1 和 sslv3 同时支持,那是当年的说法,现在不应照做。较新的 vsftpd(3.0.x)还有 ssl_tlsv1_1/ssl_tlsv1_2 之类的选项,具体以 man vsftpd.conf 为准,能开更高版本的 TLS 就开
创建证书
[root@mail ~]# cd /etc/pki/CA/
[root@mail CA]# mkdir certs newcerts crl
mkdir: 无法创建目录 “certs”: 文件已存在
mkdir: 无法创建目录 “newcerts”: 文件已存在
mkdir: 无法创建目录 “crl”: 文件已存在
[root@mail CA]#
[root@mail CA]# touch index.txt
[root@mail CA]# echo 01 > serial
[root@mail CA]#
# vsftpd 需要使用 rsa 证书,这里密钥长度是 2048 位(不是“密码长度”;私钥用 umask 077 生成,保证只有 root 可读)
[root@mail CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
......................................................................+++
...+++
e is 65537 (0x10001)
[root@mail CA]#
生成自签证书
[root@mail CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.magedu.com #这是 CA 自身的名称,只要和下面服务器证书的 CN 不同即可;真正要“跟访问服务时的名称保持一致”的是后面服务器证书的 CN(ftp.magedu.com):客户端用什么主机名连接,证书里就要写什么,否则客户端会报证书名称不匹配
Email Address []:
[root@mail CA]#
[root@mail CA]# mkdir /etc/vsftpd/ssl
[root@mail CA]# cd /etc/vsftpd/ssl
[root@mail ssl]#
生成私钥
[root@mail ssl]# (umask 077;openssl genrsa -out vsftpd.key 2048;)
Generating RSA private key, 2048 bit long modulus
.................................................+++
.........+++
e is 65537 (0x10001)
[root@mail ssl]#
生成证书颁发申请
[root@mail ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ftp.magedu.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@mail ssl]#
签署
[root@mail ssl]# openssl ca -in vsftpd.csr -out vsftpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 23 05:58:48 2020 GMT
Not After : Jul 23 05:58:48 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = HN
organizationName = MageEdu
organizationalUnitName = Tech
commonName = ftp.magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
17:3B:DD:26:AB:07:67:63:56:6D:E2:0C:AD:13:D3:55:AA:2F:3C:CA
X509v3 Authority Key Identifier:
keyid:A8:3D:C4:13:AC:83:4A:DE:D3:88:4A:36:D2:6B:7B:F1:F8:06:24:67
Certificate is to be certified until Jul 23 05:58:48 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mail ssl]#
配置 vsftpd 能够使用这个证书
[root@mail ssl]# vim /etc/vsftpd/vsftpd.conf
#这个文件的最后添加如下的东西
# ssl or tls
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=NO # SSLv3 有 POODLE 等已知漏洞,不应启用(课程原文此处写的是 YES,建议改为 NO);同时确认 ssl_sslv2=NO
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key
[root@mail ssl]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[root@mail ssl]#
# 此时匿名用户登录失败:原因是上面还留着 userlist_deny=NO(白名单模式),而 user_list 里只有 hbase,匿名账号 ftp 不在名单里;allow_anon_ssl=NO 只是不给匿名用户提供 SSL,并不禁止匿名明文登录
[root@mail ssl]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): ftp
530 Permission denied.
Login failed.
ftp>
这个文件清空
[root@mail ssl]# vim /etc/vsftpd/vsftpd
[root@mail ssl]# vim /etc/vsftpd/vsftpd.conf
...........................
# userlist_deny=NO # 关掉它,使其不影响后面的测试
...........................
[root@mail ssl]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[root@mail ssl]#
对匿名用户是正常的
[root@mail ssl]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (192,168,1,85,197,163)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Sep 25 2012 pub
drwxrwxr-x 3 0 0 4096 Jul 22 07:58 upload
226 Directory send OK.
ftp>
普通用户不正常
[root@mail ssl]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): hadoop
530 Non-anonymous sessions must use encryption.
Login failed.
ftp>
[root@mail ssl]# openssl s_client -connect 192.168.1.85:21
CONNECTED(00000003)
23651:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:
[root@mail ssl]#
上面报 unknown protocol 是正常的:这里配置的是显式 FTPS,客户端先以明文连到 21 端口,再发 AUTH TLS 升级为加密,直接对 21 端口做 SSL 握手当然失败。要测试握手应加 -starttls ftp:
# openssl s_client -connect 192.168.1.85:21 -starttls ftp
正常时能看到服务器证书和 Verify return code;再加 -CAfile /etc/pki/CA/cacert.pem 可以验证证书确实是上面自建的 CA 签发的
安装 FileZilla
如下,可以匿名连接成功
如下 hadoop 明文不能连接成功
如下 hadoop tls不能连接成功
根据下面报错信息,是不是说是证书的问题? # 很可能是:服务器证书由自建 CA 签发,客户端并不信任这个 CA;而且证书 CN 是 ftp.magedu.com,客户端却是按 192.168.1.85 连接的,名称也对不上。FileZilla 这种情况会弹出“未知证书”提示要求确认;正式使用时应让客户端导入 cacert.pem 并用与 CN 一致的主机名访问,而不是一味点“信任”
马哥也不会配置 Filezilla
下面配置 flashFXP吧
sftp 与 ssh 有关,这里不再重述
vsftpd: 基于PAM(手动定义配置)
匿名
本地
虚拟用户
一种,放数据库: MySQL: VSFTPD,users: Name,Password
另一种,放文件里: /etc/vsftpd/vusers: --> db_load (转换成二进制)
USERNAME (奇数行)
PASSWORD (偶数行)
db4-utils 所提供的 db_load 命令
# postconf -m 看支持的查找表(这是 postfix 的命令,与 vsftpd 无关,只是用来类比“查找表”的概念)
pam默认情况下不支持到mysql中验证用户账号,所以要安装 pam_mysql 模块
( pam_mysql 0.7RC1 是很早以前的候选发布版,sourceforge 上已多年没有更新;只要 libmysqlclient 的头文件/接口没变,仍能对着较新的 mysql 编译)
安装 mysql和 mysql-devel包
[root@mail ~]# yum -y install mysql-server mysql-devel (没按回车,没安装,应该已经安装了)
安装 开发库 和开发工具
下面是命令是仅仅安装开发库
[root@mail ~]# yum -y groupinstall "Development Libraries" (没按回车,没执行)
https://download.csdn.net/download/qq_32574665/9243143
https://www.iteye.com/resource/scdjj199771-1126274
http://pam-mysql.sourceforge.net/
https://netcologne.dl.sourceforge.net/project/pam-mysql/pam-mysql/0.7RC1/pam_mysql-0.7RC1.tar.gz
[root@mail pam_mysql-0.7RC1]# wget https://netcologne.dl.sourceforge.net/project/pam-mysql/pam-mysql/0.7RC1/pam_mysql-0.7RC1.tar.gz --no-check-certificate
# 注意:--no-check-certificate 关掉了 HTTPS 证书校验,而下载的是一个将以 root 身份加载进认证流程的 PAM 模块,被中间人替换的后果很严重。正确做法是修好本机的 CA 信任(老系统更新 ca-certificates 包),或者下载后对照官方发布的校验和/签名核对无误,再解压编译
[root@mail ~]# tar xf pam_mysql-0.7RC1.tar.gz
[root@mail ~]# cd pam_mysql-0.7RC1
[root@mail pam_mysql-0.7RC1]#
[root@mail pam_mysql-0.7RC1]# ls
acinclude.m4 config.sub INSTALL missing pam_mysql.spec.in
aclocal.m4 configure install-sh mkinstalldirs pkg.m4
ChangeLog configure.in ltmain.sh NEWS README
config.guess COPYING Makefile.am pam_mysql.c stamp-h.in
config.h.in CREDITS Makefile.in pam_mysql.spec
[root@mail pam_mysql-0.7RC1]#
[root@mail pam_mysql-0.7RC1]# ./configure --with-mysql=/usr/ --with-openssl (为什么不是--with-mysql=/usr/local/mysql , 我为什么两个路径 /usr 和 /usr/local/mysql 都可以,反正如果不指定即直接 --with-mysql 是到根下面去找 )
看看mysql的库文件在哪里
[root@mail pam_mysql-0.7RC1]# ldconfig -v | grep mysql
libauthmysql.so -> libauthmysql.so.0
/usr/lib/mysql:
libmysqlclient.so.15 -> libmysqlclient.so.15.0.0
libmysqlclient_r.so.15 -> libmysqlclient_r.so.15.0.0
/usr/local/mysql/lib:
libmysqlclient.so.18 -> libmysqlclient_r.so.18.0.0
[root@mail pam_mysql-0.7RC1]#
如果是第一次装 mysql 的话
[root@mail pam_mysql-0.7RC1]# service mysqld start
[root@mail pam_mysql-0.7RC1]# rpm -ql mysql-devel
/usr/include/mysql
/usr/include/mysql/chardefs.h
/usr/include/mysql/decimal.h
/usr/include/mysql/errmsg.h
/usr/include/mysql/history.h
/usr/include/mysql/keycache.h
/usr/include/mysql/keymaps.h
/usr/include/mysql/m_ctype.h
/usr/include/mysql/m_string.h
/usr/include/mysql/my_alloc.h
/usr/include/mysql/my_attribute.h
/usr/include/mysql/my_config.h
/usr/include/mysql/my_config_i386.h
/usr/include/mysql/my_dbug.h
/usr/include/mysql/my_dir.h
/usr/include/mysql/my_getopt.h
/usr/include/mysql/my_global.h
/usr/include/mysql/my_list.h
/usr/include/mysql/my_net.h
/usr/include/mysql/my_no_pthread.h
/usr/include/mysql/my_pthread.h
/usr/include/mysql/my_sys.h
/usr/include/mysql/my_xml.h
/usr/include/mysql/mysql.h
/usr/include/mysql/mysql_com.h
/usr/include/mysql/mysql_embed.h
/usr/include/mysql/mysql_time.h
/usr/include/mysql/mysql_version.h
/usr/include/mysql/mysqld_ername.h
/usr/include/mysql/mysqld_error.h
/usr/include/mysql/raid.h
/usr/include/mysql/readline.h
/usr/include/mysql/rlmbutil.h
/usr/include/mysql/rlprivate.h
/usr/include/mysql/rlshell.h
/usr/include/mysql/rltypedefs.h
/usr/include/mysql/sql_common.h
/usr/include/mysql/sql_state.h
/usr/include/mysql/sslopt-case.h
/usr/include/mysql/sslopt-longopts.h
/usr/include/mysql/sslopt-vars.h
/usr/include/mysql/tilde.h
/usr/include/mysql/typelib.h
/usr/include/mysql/xmalloc.h
/usr/lib/mysql/libdbug.a
/usr/lib/mysql/libheap.a
/usr/lib/mysql/libmyisam.a
/usr/lib/mysql/libmyisammrg.a
/usr/lib/mysql/libmysqlclient.a
/usr/lib/mysql/libmysqlclient.so
/usr/lib/mysql/libmysqlclient_r.a
/usr/lib/mysql/libmysqlclient_r.so
/usr/lib/mysql/libmystrings.a
/usr/lib/mysql/libmysys.a
/usr/lib/mysql/libvio.a
[root@mail pam_mysql-0.7RC1]#
[root@mail pam_mysql-0.7RC1]# rpm -q mysql
mysql-5.0.95-5.el5_9
[root@mail pam_mysql-0.7RC1]# rpm -q mysql-devel
mysql-devel-5.0.95-5.el5_9
[root@mail pam_mysql-0.7RC1]#
[root@mail pam_mysql-0.7RC1]# make
/bin/sh ./libtool --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/security -I/usr/include -g -O2 -g -O2 -I/usr/include/mysql -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -fasynchronous-unwind-tables -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fwrapv -I/usr/kerberos/include -c pam_mysql.c
mkdir .libs
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/security -I/usr/include -g -O2 -g -O2 -I/usr/include/mysql -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -fasynchronous-unwind-tables -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fwrapv -I/usr/kerberos/include -c pam_mysql.c -fPIC -DPIC -o .libs/pam_mysql.o
pam_mysql.c:38:1: warning: "_GNU_SOURCE" redefined
<command line>:1:1: warning: this is the location of the previous definition
pam_mysql.c: In function 'pam_mysql_converse':
pam_mysql.c:3192: warning: passing argument 2 of 'conv->conv' from incompatible pointer type
/bin/sh ./libtool --mode=link gcc -g -O2 -I/usr/include/mysql -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -fasynchronous-unwind-tables -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fwrapv -I/usr/kerberos/include -o pam_mysql.la -rpath /usr/lib/security -module -avoid-version pam_mysql.lo -rdynamic -L/usr/lib/mysql -lmysqlclient -lz -lcrypt -lnsl -lm -L/usr/lib -lssl -lcrypto -L/usr/kerberos/lib -lssl -lcrypto -ldl -lz -lcrypt
gcc -shared .libs/pam_mysql.o -L/usr/lib/mysql -lmysqlclient -lnsl -lm -L/usr/lib -L/usr/kerberos/lib -lssl -lcrypto -ldl -lz -lcrypt -m32 -Wl,-soname -Wl,pam_mysql.so -o .libs/pam_mysql.so
creating pam_mysql.la
(cd .libs && rm -f pam_mysql.la && ln -s ../pam_mysql.la pam_mysql.la)
[root@mail pam_mysql-0.7RC1]# make install
make[1]: Entering directory `/root/pam_mysql-0.7RC1'
/bin/sh ./mkinstalldirs /usr/lib/security
/bin/sh ./libtool --mode=install /usr/bin/install -c pam_mysql.la /usr/lib/security/pam_mysql.la
/usr/bin/install -c .libs/pam_mysql.so /usr/lib/security/pam_mysql.so
/usr/bin/install -c .libs/pam_mysql.lai /usr/lib/security/pam_mysql.la
PATH="$PATH:/sbin" ldconfig -n /usr/lib/security
----------------------------------------------------------------------
Libraries have been installed in:
/usr/lib/security
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,--rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
make[1]: Nothing to be done for `install-data-am'.
make[1]: Leaving directory `/root/pam_mysql-0.7RC1'
[root@mail pam_mysql-0.7RC1]#
马哥 make install 后,静态库和动态链接库 路径跟我的不一样
我的是 /usr/lib/security/pam_mysql.la /usr/lib/security/pam_mysql.so
马哥的是 /lib/security/pam_mysql.la /lib/security/pam_mysql.so
我复制一下这两个文件吧
[root@mail ~]# cp /usr/lib/security/pam_mysql.la /lib/security/pam_mysql.la
[root@mail ~]# cp /usr/lib/security/pam_mysql.so /lib/security/pam_mysql.so
要执行一下 ldconfig 刷新动态库缓存(/etc/ld.so.conf 是 ldconfig 读取的配置文件,不是可执行的),,,实际上 make install 最后已经跑过 ldconfig -n /usr/lib/security,而且后面的 PAM 配置写的是模块的绝对路径,所以这里不用再执行
[root@mail ~]# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 271
Server version: 5.0.95 Source distribution
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database vsftpd;
Query OK, 1 row affected (0.00 sec)
mysql> use vsftpd;
Database changed
mysql> create table users(
-> id INT AUTO_INCREMENT NOT NULL,
-> name CHAR(20) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL,
-> PRIMARY key(id))
-> ;
Query OK, 0 rows affected (0.02 sec)
mysql> DESC users;
+----------+----------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+----------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| name | char(20) | NO | | NULL | |
| password | char(48) | NO | | NULL | |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.02 sec)
mysql> GRANT SELECT ON vsftpd.* TO vsftpd@localhost IDENTIFIED BY 'vsftpd';
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT SELECT ON vsftpd.* TO vsftpd@127.0.0.1 IDENTIFIED BY 'vsftpd';
Query OK, 0 rows affected (0.00 sec)
# 只授 SELECT 是对的(认证只需要查表,最小权限);但口令 'vsftpd' 和用户名相同,且后面会以明文写进 /etc/pam.d/vsftpd.mysql,正式环境应换成随机强口令,并把该 PAM 文件权限设为 600 (root),避免本机普通用户读到数据库口令
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
mysql> INSERT INTO users(name,password) VALUES ('tom',password('abcdef')),('jery',password('abcdef'));
Query OK, 2 rows affected (0.00 sec)
Records: 2 Duplicates: 0 Warnings: 0
mysql>
mysql> select * from users;
+----+------+-------------------------------------------+
| id | name | password |
+----+------+-------------------------------------------+
| 1 | tom | *ED0DE3278EF02C0701FD328CA1DA43F22173FF3F |
| 2 | jery | *ED0DE3278EF02C0701FD328CA1DA43F22173FF3F |
+----+------+-------------------------------------------+
2 rows in set (0.00 sec)
mysql>
mysql> \q
Bye
[root@mail ~]#
[root@mail ~]# mysql -u vsftpd -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 278
Server version: 5.0.95 Source distribution
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| test |
| vsftpd |
+--------------------+
3 rows in set (0.00 sec)
mysql>
mysql> use vsftpd
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql>
mysql> SHOW TABLES;
+------------------+
| Tables_in_vsftpd |
+------------------+
| users |
+------------------+
1 row in set (0.00 sec)
mysql>
mysql> SELECT * FROM users;
+----+------+-------------------------------------------+
| id | name | password |
+----+------+-------------------------------------------+
| 1 | tom | *ED0DE3278EF02C0701FD328CA1DA43F22173FF3F |
| 2 | jery | *ED0DE3278EF02C0701FD328CA1DA43F22173FF3F |
+----+------+-------------------------------------------+
2 rows in set (0.00 sec)
mysql>
mysql> \q
Bye
[root@mail ~]#
[root@mail ~]# vim /etc/pam.d/vsftpd.mysql # 这个文件里含数据库明文口令,写完后 chmod 600 /etc/pam.d/vsftpd.mysql 只让 root 可读(PAM 认证由 vsftpd 的特权父进程执行,600 不影响使用)
auth required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
增加一个用户 来自于mysql的虚拟用户都映射为vuser
[root@mail ~]# useradd -s /sbin/nologin -d /var/ftproot vuser
[root@mail ~]# ls -ld /var/ftproot/
drwx------ 3 vuser vuser 4096 07-26 10:49 /var/ftproot/
[root@mail ~]#
改 组和其它用户的权限 为 rx(目录属主仍是 vuser,对 vuser 可写;2.0.5 允许这样,但 vsftpd 2.3.5 及更新版本会拒绝把用户禁锢在可写的根目录里,到时需要把 /var/ftproot 改为 root 所有、不可写,再在其下建一个 vuser 可写的子目录供上传)
[root@mail ~]# chmod go+rx /var/ftproot/
[root@mail ~]# ls -ld /var/ftproot/
drwxr-xr-x 3 vuser vuser 4096 07-26 10:49 /var/ftproot/
[root@mail ~]#
[root@mail ~]# vim /etc/vsftpd/vsftpd.conf
#pam_service_name=vsftpd
userlist_enable=YES
#pam_service_name=vsftpd.mysql
force_local_data_ssl=NO # 先把ssl改成NO,目的是为了不影响下面的测试 # 注意:虚拟用户走的也是 local 登录路径,关掉之后 tom/tony 这些数据库账号的口令和数据就是明文在网上传的,测试完务必改回 YES
force_local_logins_ssl=NO # 先把ssl改成NO,目的是为了不影响下面的测试
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES # 注意:anon_* 这几项是全局的,同时作用于真正的匿名用户 ftp(前面 ls 看到的 upload 目录就是匿名可写的)和下面的虚拟用户;只想给虚拟用户写权限时,这里应保持 NO,改到 user_config_dir 的每用户配置里按需打开
anon_mkdir_write_enable=YES
chroot_local_user=YES
guest_enable=YES
guest_username=vuser
listen=YES
pam_service_name=vsftpd.mysql
重启服务
[root@mail ~]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[root@mail ~]#
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): vuser
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> bye
221 Goodbye.
[root@mail ~]#
[root@mail ~]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[root@mail ~]#
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): tom
331 Please specify the password.
Password:
500 OOPS: cannot locate user entry:tom
Login failed.
ftp>
# 这个错误通常表示 PAM 认证其实已经通过(否则会像上面 vuser 那样报 530 Login incorrect),是 vsftpd 在之后拿登录名 tom 去查系统账号(getpwnam)失败。也就是说 guest_enable=YES/guest_username=vuser 没有生效(配置没写对、没重载,或被文件里别处的重复项覆盖),换 crypt 方式解决不了这个错误,应先检查 vsftpd.conf 的虚拟用户映射
看看日志
[root@mail ~]# tail /var/log/secure
Jul 24 10:52:05 mail sshd[23290]: pam_unix(sshd:session): session closed for user root
Jul 24 14:02:45 mail sshd[3931]: Accepted password for root from 192.168.1.251 port 3223 ssh2
Jul 24 14:02:45 mail sshd[3931]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 26 10:49:16 mail useradd[4219]: new group: name=vuser, GID=2531
Jul 26 10:49:16 mail useradd[4219]: new user: name=vuser, UID=2531, GID=2531, home=/var/ftproot, shell=/sbin/nologin
Jul 26 11:01:02 mail sshd[4274]: Accepted password for root from 192.168.1.251 port 9232 ssh2
Jul 26 11:01:02 mail sshd[4274]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 26 11:01:31 mail vsftpd: pam_mysql - SELECT returned no result.
Jul 26 11:01:31 mail vsftpd: pam_mysql - SELECT returned no result.
Jul 26 11:15:02 mail sshd[23993]: pam_unix(sshd:session): session closed for user root
[root@mail ~]#
[root@mail ~]# cd /etc/pam.d/
auth required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
[root@mail pam.d]# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 282
Server version: 5.0.95 Source distribution
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use vsftpd
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql>
mysql> select * from users where name='tom';
+----+------+-------------------------------------------+
| id | name | password |
+----+------+-------------------------------------------+
| 1 | tom | *ED0DE3278EF02C0701FD328CA1DA43F22173FF3F |
+----+------+-------------------------------------------+
1 row in set (0.00 sec)
mysql>
mysql> desc users;
+----------+----------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+----------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| name | char(20) | NO | | NULL | |
| password | char(48) | NO | | NULL | |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)
mysql>
[root@mail pam.d]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): jery
331 Please specify the password.
Password:
500 OOPS: cannot locate user entry:jery
Login failed.
ftp>
把 crypt 改成 0 ,就是明文的 # 只适合排错用:crypt=0 表示表里的 password 列存明文口令,数据库一旦泄露所有 FTP 账号随之泄露。排错完成后应改回散列方式(crypt=2 配合 MySQL 的 PASSWORD(),或 crypt=1 配合 crypt(3) 格式的散列等,见 pam_mysql 的 README),并把明文记录删掉
[root@mail pam.d]# vim /etc/pam.d/vsftpd.mysql
auth required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0
account required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0
[root@mail pam.d]# cd /root/pam_mysql-0.7RC1
[root@mail pam_mysql-0.7RC1]# ls
acinclude.m4 config.status install-sh mkinstalldirs pkg.m4
aclocal.m4 config.sub libtool NEWS README
ChangeLog configure ltmain.sh pam_mysql.c stamp-h
config.guess configure.in Makefile pam_mysql.la stamp-h.in
config.h COPYING Makefile.am pam_mysql.lo
config.h.in CREDITS Makefile.in pam_mysql.spec
config.log INSTALL missing pam_mysql.spec.in
[root@mail pam_mysql-0.7RC1]#
[root@mail pam_mysql-0.7RC1]# less README
mysql> use vsftpd;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
# 密码使用明文吧(仅为排错;正式环境不要往表里写明文口令)
mysql> insert into users(name,password) value ('tony','abcdef'),('peter','abcdef');
Query OK, 2 rows affected (0.00 sec)
Records: 2 Duplicates: 0 Warnings: 0
mysql> insert into users(name,password) value ('aaa','abcdef'),('bbb','abcdef')\c; # 使用 \c 的话,就是取消执行吧
mysql>
[root@mail pam_mysql-0.7RC1]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[root@mail pam_mysql-0.7RC1]#
我这边不行
报了 500 OOPS: cannot locate user entry 错,见 /node-admin/15334 看看吧
马哥这边可以了
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): tony
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (192,168,1,85,232,62)
150 Here comes the directory listing.
226 Directory send OK.
ftp> bye
221 Goodbye.
[root@mail ~]#
看看它的家目录 有下载 有上传 权限
[root@mail ~]# cp /etc/fstab /var/ftproot/
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): tony
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,1,85,144,241)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 534 Jul 26 06:02 fstab
226 Directory send OK.
ftp> lcd /tmp
Local directory now /tmp
ftp> get fstab
local: fstab remote: fstab
227 Entering Passive Mode (192,168,1,85,196,28)
150 Opening BINARY mode data connection for fstab (534 bytes).
226 File send OK.
534 bytes received in 2.6e-05 seconds (2e+04 Kbytes/s)
ftp> lcd /etc
Local directory now /etc
ftp> pub issue
?Invalid command
ftp> put issue
local: issue remote: issue
227 Entering Passive Mode (192,168,1,85,104,204)
150 Ok to send data.
226 File receive OK.
75 bytes sent in 4.6e-05 seconds (1.6e+03 Kbytes/s)
ftp>
因为 已经定义了权限 虚拟用户的指令权限都是与匿名用户的指令权限进行匹配的
[root@mail ~]# vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES
先关掉几个匿名用户的权限看看吧 其实这三项的默认值都是 NO,注释掉就等于关掉;不过显式写成 =NO 更清楚,也不怕文件里别处还留着一行 =YES 生效
[root@mail ~]# vim /etc/vsftpd/vsftpd.conf
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
#anon_other_write_enable=YES
[root@mail ~]# !se
service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[root@mail ~]#
此时已经没有 anon_upload_enable、anon_mkdir_write_enable、anon_other_write_enable 这些权限了
[root@mail ~]# !ftp
ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): tony
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc
Local directory now /etc
ftp> put inittab
local: inittab remote: inittab
227 Entering Passive Mode (192,168,1,85,254,40)
550 Permission denied.
ftp>
所有的虚拟用户都映射到同一个系统用户 vuser 上,
所以此时 peter 用户同样不能上传了
[root@mail ~]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): peter
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc
Local directory now /etc
ftp> put inittab
local: inittab remote: inittab
227 Entering Passive Mode (192,168,1,85,122,102)
550 Permission denied.
ftp>
在 /etc/vsftpd/vsftpd.conf 中添加一项,为每个虚拟用户指定单独的配置目录:
user_config_dir=/etc/vsftpd/vusers_dir
# mkdir /etc/vsftpd/vusers_dir
# cd /etc/vsftpd/vusers_dir
# touch tony # 在 /etc/vsftpd/vusers_dir 目录下建立与用户同名的文件,文件中放该用户的权限配置
# vim peter # 在 /etc/vsftpd/vusers_dir 目录下建立与用户同名的文件,文件中放该用户的权限配置
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
[root@mail ~]# vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vusers
[root@mail ~]# mkdir /etc/vsftpd/vusers
[root@mail ~]# cd /etc/vsftpd/vusers
建立的文件名必须与虚拟用户名完全一致
[root@mail vusers]# touch tony peter
[root@mail vusers]# vim tony
anon_upload_enable=NO
[root@mail vusers]# vim peter
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
[root@mail vusers]# service vsftpd restart
关闭 vsftpd: [确定]
为 vsftpd 启动 vsftpd: [确定]
[root@mail vusers]#
[root@mail vusers]# !ft
ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): tony
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc
Local directory now /etc
ftp> put inittab # tony 不能上传
local: inittab remote: inittab
227 Entering Passive Mode (192,168,1,85,52,152)
550 Permission denied.
ftp>
[root@mail vusers]# ftp 192.168.1.85
Connected to 192.168.1.85.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (192.168.1.85:root): peter
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc
Local directory now /etc
ftp> put inittab # peter 是可以上传的
local: inittab remote: inittab
227 Entering Passive Mode (192,168,1,85,128,166)
150 Ok to send data.
226 File receive OK.
1666 bytes sent in 4.7e-05 seconds (3.5e+04 Kbytes/s)
ftp> ls
227 Entering Passive Mode (192,168,1,85,246,243)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 534 Jul 26 06:02 fstab
-rw------- 1 2531 2531 1666 Jul 26 06:38 inittab
-rw------- 1 2531 2531 75 Jul 26 06:04 issue
226 Directory send OK.
ftp>
读一读 README,了解 pam_mysql 支持的密码加密方式
[root@mail vusers]# cd /root/pam_mysql-0.7RC1
[root@mail pam_mysql-0.7RC1]# ls
acinclude.m4 config.status install-sh mkinstalldirs pkg.m4
aclocal.m4 config.sub libtool NEWS README
ChangeLog configure ltmain.sh pam_mysql.c stamp-h
config.guess configure.in Makefile pam_mysql.la stamp-h.in
config.h COPYING Makefile.am pam_mysql.lo
config.h.in CREDITS Makefile.in pam_mysql.spec
config.log INSTALL missing pam_mysql.spec.in
[root@mail pam_mysql-0.7RC1]# less README
换一种密码加密算法试试,密码最好不要以明文存放在数据库中;马哥这里不再展开讲了