马哥 27_02 _ftp服务【攻城狮论坛の免费分享】有大用

星期三, 2020-07-22 08:08 — adminshiping1

ftp 本身就是明文的,所以 root 用户不允许访问 ftp 服务

守护进程:

独立守护: 用户访问量大,在线时间比较长的服务

超级守护进程 xinetd 自己是一个独立的守护进程

瞬时守护: 用户访问量小,而且在线时间不长的服务

都是由超级守护进程 xinetd 代为管理的

[root@mail ~]# vim /etc/vsftpd/vsftpd.conf

#idle_session_timeout=600 #用户会话超过600秒,就断开

#data_connection_timeout=120 #跟数据连接相关的

#ascii_upload_enable=YES #启用ascii文本上传功能 # 如果打开,默认纯文本格式上传,最好不好打开

#ascii_download_enable=YES #启用ascii文本下载功能 # 如果打开,默认纯文本格式下载,最好不好打开

chroot_list_enable=YES # 准备禁锢用户

chroot_list_file=/etc/vsftpd/chroot_list # 里面定义禁锢哪些用户,在这个文件里面

[root@mail ~]# touch /etc/vsftpd/chroot_list

[root@mail ~]# vim /etc/vsftpd/chroot_list

hadoop

[root@mail ~]# service vsftpd restart

关闭 vsftpd： [确定]

为 vsftpd 启动 vsftpd： [确定]

[root@mail ~]#

新开一窗口,建两个用户

[root@mail ~]# useradd hbase

[root@mail ~]# passwd hbase

Changing password for user hbase.

New UNIX password:

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

[root@mail ~]#

[root@mail ~]# passwd redis

Changing password for user redis.

New UNIX password:

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

[root@mail ~]#

[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): redis

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd ( 不是 "/" 说明未禁锢在家目录下 )

257 "/home/redis"

ftp>

[root@mail ~]# vim /etc/vsftpd/chroot_list

hadoop

redis

[root@mail ~]# !se

service vsftpd restart

关闭 vsftpd： [确定]

为 vsftpd 启动 vsftpd： [确定]

[root@mail ~]#

[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): redis

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd (此时可看到禁锢在家目录下面了)

257 "/"

ftp>

[root@mail ~]# vim /etc/vsftpd/vsftpd.conf

#chroot_list_enable=YES

#chroot_list_file=/etc/vsftpd/chroot_list

chroot_local_user=YES # 此时所有的用户都禁锢在家目录下面了

listen=YES # 表示 vsftpd 是否工作为一个独立守护进程的,否则是一个瞬时守护进程

# 如果为瞬时守护进程 /etc/xinetd.d/ 目录下建一个配置文件就成

pam_service_name=vsftpd # vsftpd 接受 pam 来控制的,pam 配置文件在 /etc/pam.d 目录下叫什么名字,就是这里定义的即 /etc/pam.d/vsftpd

userlist_enable=YES # 表示启用 user_list 这个文件来控制用户是否能够登录,默认所有写在这个文件里面的用户都是不能登录的

userlist_deny=YES # 默认是YES,是拒绝 user_list 里面的用户登录

#userlist_deny=NO # 不拒绝

[root@mail ~]# man vsftpd.conf

[root@mail ~]# service vsftpd restart

关闭 vsftpd： [确定]

为 vsftpd 启动 vsftpd： [确定]

[root@mail ~]#

[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): hbase

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd (禁锢在家目录里面)

257 "/"

ftp>

[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): root (连密码都来不及输,它就让你权限拒绝)

530 Permission denied.

ftp>

[root@mail ~]# cd /etc/vsftpd/

[root@mail vsftpd]# ls #有个ftpusers,所有写在这个文件里面的用户都禁止访问ftp

chroot_list ftpusers user_list vsftpd.conf vsftpd.conf.bak vsftpd_conf_migrate.sh

[root@mail vsftpd]#

[root@mail vsftpd]# cat ftpusers

# Users that are not allowed to login via ftp

root

bin

daemon

adm

sync

shutdown

halt

mail

news

uucp

operator

games

nobody

[root@mail vsftpd]#

[root@mail vsftpd]# cat /etc/pam.d/vsftpd

#%PAM-1.0

session optional pam_keyinit.so force revoke

#下一行,,sense=deny 表示感觉(敏感度)=拒绝,由/etc/vsftpd/ftpusers 文件定义

auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed

auth required pam_shells.so

auth include system-auth

account include system-auth

session include system-auth

session required pam_loginuid.so

[root@mail vsftpd]#

[root@mail vsftpd]# pwd

/etc/vsftpd

[root@mail vsftpd]# cat user_list

# vsftpd userlist

# If userlist_deny=NO, only allow users in this file

# If userlist_deny=YES (default), never allow users in this file, and

# do not even prompt for a password.

# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers

# for users that are denied.

root

bin

daemon

adm

sync

shutdown

halt

mail

news

uucp

operator

games

nobody

[root@mail vsftpd]#

清空 user_list 文件 # vim user_list 执行 ggDG 就清空了 user_list 文件

[root@mail vsftpd]# service vsftpd restart

关闭 vsftpd： [确定]

为 vsftpd 启动 vsftpd： [确定]

[root@mail vsftpd]#

[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): root

331 Please specify the password.

Password: (清空了 user_list ,虽然可以让你输密码了,但是仍然是不能登录的)

530 Login incorrect.

ftp>

[root@mail ~]# vim /etc/vsftpd/vsftpd.conf

#chroot_list_enable=YES

#chroot_list_file=/etc/vsftpd/chroot_list

chroot_local_user=YES # 此时所有的用户都禁锢在家目录下面了

listen=YES # 表示 vsftpd 是否工作为一个独立守护进程的,否则是一个瞬时守护进程

# 如果为瞬时守护进程 /etc/xinetd.d/ 目录下建一个配置文件就成

pam_service_name=vsftpd # vsftpd 接受 pam 来控制的,pam 配置文件在 /etc/pam.d 目录下叫什么名字,就是这里定义的即 /etc/pam.d/vsftpd

userlist_enable=YES # 表示启用 user_list 这个文件来控制用户是否能够登录,默认所有写在这个文件里面的用户都是不能登录的

userlist_deny=YES # 默认是YES,是拒绝 userlist 里面的用户登录

#userlist_deny=NO # 不拒绝

[root@mail vsftpd]# vim user_list

hbase

[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): hbase

530 Permission denied. (拒绝登录,连输密码的机会都没有)

ftp>

[root@mail ~]# vim /etc/vsftpd/vsftpd.conf

#chroot_list_enable=YES

#chroot_list_file=/etc/vsftpd/chroot_list

chroot_local_user=YES # 此时所有的用户都禁锢在家目录下面了

listen=YES # 表示 vsftpd 是否工作为一个独立守护进程的,否则是一个瞬时守护进程

# 如果为瞬时守护进程 /etc/xinetd.d/ 目录下建一个配置文件就成

pam_service_name=vsftpd # vsftpd 接受 pam 来控制的,pam 配置文件在 /etc/pam.d 目录下叫什么名字,就是这里定义的即 /etc/pam.d/vsftpd

userlist_enable=YES # 表示启用 user_list 这个文件来控制用户是否能够登录,默认所有写在这个文件里面的用户都是不能登录的 # 表示启用 user_list 这个文件来控制用户是否能够登录

#userlist_deny=YES # 默认是YES,是拒绝 userlist 里面的用户登录 #到底能不能登录, YES,表示黑名单

userlist_deny=NO # 不拒绝 ,仅允许 userlist 里面的用户能够登录 #到底能不能登录, NO,表示白名单

[root@mail vsftpd]# service vsftpd restart

关闭 vsftpd： [确定]

为 vsftpd 启动 vsftpd： [确定]

[root@mail vsftpd]#

[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): hbase

331 Please specify the password.

Password:

230 Login successful. (此时能正常登录)

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

257 "/"

ftp>

[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): hadoop # 此时 hadoop 不能登录,(连输密码的机会都没有)

530 Permission denied.

ftp>

vsftpd:

max_clients=#

max_per_ip=#

ftp本身是明文的

安全通信方式

ftps: ftp+ssl/tls

sftp: (OpenSSH,SubSystem,sftp(SSH))

ftps: 创建一个证书,配置证书,提供下面几个指令

ssl_sslv2 能不支持就不支持吧

最好 ssl_tlsv1 和 ssl_sslv3 同时支持

创建证书

[root@mail ~]# cd /etc/pki/CA/

[root@mail CA]# mkdir certs newcerts crl

mkdir: 无法创建目录 “certs”: 文件已存在

mkdir: 无法创建目录 “newcerts”: 文件已存在

mkdir: 无法创建目录 “crl”: 文件已存在

[root@mail CA]#

[root@mail CA]# touch index.txt

[root@mail CA]# echo 01 > serial

[root@mail CA]#

# vsftpd 需要使用rsa ,密码长度是 2048

[root@mail CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)

Generating RSA private key, 2048 bit long modulus

......................................................................+++

...+++

e is 65537 (0x10001)

[root@mail CA]#

生成自签证书

[root@mail CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HN

Locality Name (eg, city) [Newbury]:ZZ

Organization Name (eg, company) [My Company Ltd]:MageEdu

Organizational Unit Name (eg, section) []:Tech

Common Name (eg, your name or your server's hostname) []:ca.magedu.com #名称一定要跟访问服务的时候名称保持一致

Email Address []:

[root@mail CA]#

[root@mail CA]# mkdir /etc/vsftpd/ssl

[root@mail CA]# cd /etc/vsftpd/ssl

[root@mail ssl]#

生成私钥

[root@mail ssl]# (umask 077;openssl genrsa -out vsftpd.key 2048;)

Generating RSA private key, 2048 bit long modulus

.................................................+++

.........+++

e is 65537 (0x10001)

[root@mail ssl]#

生成证书颁发申请

[root@mail ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HN

Locality Name (eg, city) [Newbury]:ZZ

Organization Name (eg, company) [My Company Ltd]:MageEdu

Organizational Unit Name (eg, section) []:Tech

Common Name (eg, your name or your server's hostname) []:ftp.magedu.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@mail ssl]#

签署

[root@mail ssl]# openssl ca -in vsftpd.csr -out vsftpd.crt

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Jul 23 05:58:48 2020 GMT

Not After : Jul 23 05:58:48 2021 GMT

Subject:

countryName = CN

stateOrProvinceName = HN

organizationName = MageEdu

organizationalUnitName = Tech

commonName = ftp.magedu.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

17:3B:DD:26:AB:07:67:63:56:6D:E2:0C:AD:13:D3:55:AA:2F:3C:CA

X509v3 Authority Key Identifier:

keyid:A8:3D:C4:13:AC:83:4A:DE:D3:88:4A:36:D2:6B:7B:F1:F8:06:24:67

Certificate is to be certified until Jul 23 05:58:48 2021 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@mail ssl]#

配置 vsftpd 能够使用这个证书

[root@mail ssl]# vim /etc/vsftpd/vsftpd.conf

#这个文件的最后添加如下的东西

# ssl or tls

ssl_enable=YES

ssl_tlsv1=YES

ssl_sslv3=YES

allow_anon_ssl=NO

force_local_data_ssl=YES

force_local_logins_ssl=YES

rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt

rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key

[root@mail ssl]# service vsftpd restart

关闭 vsftpd： [确定]

为 vsftpd 启动 vsftpd： [确定]

[root@mail ssl]#

# 此时匿名用户登录失败

[root@mail ssl]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): ftp

530 Permission denied.

ftp>

这个文件清空

[root@mail ssl]# vim /etc/vsftpd/vsftpd

[root@mail ssl]# vim /etc/vsftpd/vsftpd.conf

...........................

# userlist_deny=NO # 关掉它,使其不影响后面的测试

...........................

[root@mail ssl]# service vsftpd restart

关闭 vsftpd： [确定]

为 vsftpd 启动 vsftpd： [确定]

[root@mail ssl]#

对匿名用户是正常的

[root@mail ssl]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): ftp

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

257 "/"

ftp> ls

227 Entering Passive Mode (192,168,1,85,197,163)

150 Here comes the directory listing.

drwxr-xr-x 2 0 0 4096 Sep 25 2012 pub

drwxrwxr-x 3 0 0 4096 Jul 22 07:58 upload

226 Directory send OK.

ftp>

普通用户不正常

[root@mail ssl]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): hadoop

530 Non-anonymous sessions must use encryption.

ftp>

[root@mail ssl]# openssl s_client -connect 192.168.1.85:21

CONNECTED(00000003)

23651:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:

[root@mail ssl]#

安装 FileZilla

如下,可以匿名连接成功

如下 hadoop 明文不能连接成功

如下 hadoop tls不能连接成功

根据下面报错信息,是不是说是证书的问题?

马哥也不会配置 Filezilla

下面配置 flashFXP吧

sftp 与 ssh 有关,这里不再重述

vsftpd: 基于PAM(手动定义配置)

匿名

本地

虚拟用户

一种,放数据库: MySQL: VSFTPD,users: Name,Password

另一种,放文件里: /etc/vsftpd/vusers: --> db_load (转换成二进制)

USERNAME (奇数行)

PASSWORD (偶数行)

db4-utils 所提供的 db_load 命令

# postconf -m 看支持的查找表

pam默认情况下不支持到mysql中验证用户账号,所以要安装 pam_mysql 模块

( pam_mysql 已停止研发,但支持新版本的 mysql (只要对应的头文件没有发生改变))

安装 mysql和 mysql-devel包

[root@mail ~]# yum -y install mysql-server mysql-devel (没按回车,没安装,应该已经安装了)

安装开发库和开发工具

下面是命令是仅仅安装开发库

[root@mail ~]# yum -y groupinstall "Development Libraries" (没按回车,没执行)

https://download.csdn.net/download/qq_32574665/9243143

https://www.iteye.com/resource/scdjj199771-1126274

http://pam-mysql.sourceforge.net/

https://netcologne.dl.sourceforge.net/project/pam-mysql/pam-mysql/0.7RC1/pam_mysql-0.7RC1.tar.gz

[root@mail pam_mysql-0.7RC1]# wget https://netcologne.dl.sourceforge.net/project/pam-mysql/pam-mysql/0.7RC1/pam_mysql-0.7RC1.tar.gz --no-check-certificate

[root@mail ~]# tar xf pam_mysql-0.7RC1.tar.gz

[root@mail ~]# cd pam_mysql-0.7RC1

[root@mail pam_mysql-0.7RC1]#

[root@mail pam_mysql-0.7RC1]# ls

acinclude.m4 config.sub INSTALL missing pam_mysql.spec.in

aclocal.m4 configure install-sh mkinstalldirs pkg.m4

ChangeLog configure.in ltmain.sh NEWS README

config.guess COPYING Makefile.am pam_mysql.c stamp-h.in

config.h.in CREDITS Makefile.in pam_mysql.spec

[root@mail pam_mysql-0.7RC1]#

[root@mail pam_mysql-0.7RC1]# ./configure --with-mysql=/usr/ --with-openssl (为什么不是--with-mysql=/usr/local/mysql , 我为什么两个路径 /usr 和 /usr/local/mysql 都可以,反正如果不指定即直接 --with-mysql 是到根下面去找 )

看看mysql的库文件在哪里

[root@mail pam_mysql-0.7RC1]# ldconfig -v | grep mysql

libauthmysql.so -> libauthmysql.so.0

/usr/lib/mysql:

libmysqlclient.so.15 -> libmysqlclient.so.15.0.0

libmysqlclient_r.so.15 -> libmysqlclient_r.so.15.0.0

/usr/local/mysql/lib:

libmysqlclient.so.18 -> libmysqlclient_r.so.18.0.0

[root@mail pam_mysql-0.7RC1]#

如果是第一次装 mysql 的话

[root@mail pam_mysql-0.7RC1]# service mysqld start

[root@mail pam_mysql-0.7RC1]# rpm -ql mysql-devel

/usr/include/mysql

/usr/include/mysql/chardefs.h

/usr/include/mysql/decimal.h

/usr/include/mysql/errmsg.h

/usr/include/mysql/history.h

/usr/include/mysql/keycache.h

/usr/include/mysql/keymaps.h

/usr/include/mysql/m_ctype.h

/usr/include/mysql/m_string.h

/usr/include/mysql/my_alloc.h

/usr/include/mysql/my_attribute.h

/usr/include/mysql/my_config.h

/usr/include/mysql/my_config_i386.h

/usr/include/mysql/my_dbug.h

/usr/include/mysql/my_dir.h

/usr/include/mysql/my_getopt.h

/usr/include/mysql/my_global.h

/usr/include/mysql/my_list.h

/usr/include/mysql/my_net.h

/usr/include/mysql/my_no_pthread.h

/usr/include/mysql/my_pthread.h

/usr/include/mysql/my_sys.h

/usr/include/mysql/my_xml.h

/usr/include/mysql/mysql.h

/usr/include/mysql/mysql_com.h

/usr/include/mysql/mysql_embed.h

/usr/include/mysql/mysql_time.h

/usr/include/mysql/mysql_version.h

/usr/include/mysql/mysqld_ername.h

/usr/include/mysql/mysqld_error.h

/usr/include/mysql/raid.h

/usr/include/mysql/readline.h

/usr/include/mysql/rlmbutil.h

/usr/include/mysql/rlprivate.h

/usr/include/mysql/rlshell.h

/usr/include/mysql/rltypedefs.h

/usr/include/mysql/sql_common.h

/usr/include/mysql/sql_state.h

/usr/include/mysql/sslopt-case.h

/usr/include/mysql/sslopt-longopts.h

/usr/include/mysql/sslopt-vars.h

/usr/include/mysql/tilde.h

/usr/include/mysql/typelib.h

/usr/include/mysql/xmalloc.h

/usr/lib/mysql/libdbug.a

/usr/lib/mysql/libheap.a

/usr/lib/mysql/libmyisam.a

/usr/lib/mysql/libmyisammrg.a

/usr/lib/mysql/libmysqlclient.a

/usr/lib/mysql/libmysqlclient.so

/usr/lib/mysql/libmysqlclient_r.a

/usr/lib/mysql/libmysqlclient_r.so

/usr/lib/mysql/libmystrings.a

/usr/lib/mysql/libmysys.a

/usr/lib/mysql/libvio.a

[root@mail pam_mysql-0.7RC1]#

[root@mail pam_mysql-0.7RC1]# rpm -q mysql

mysql-5.0.95-5.el5_9

[root@mail pam_mysql-0.7RC1]# rpm -q mysql-devel

mysql-devel-5.0.95-5.el5_9

[root@mail pam_mysql-0.7RC1]#

[root@mail pam_mysql-0.7RC1]# make

/bin/sh ./libtool --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/security -I/usr/include -g -O2 -g -O2 -I/usr/include/mysql -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -fasynchronous-unwind-tables -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fwrapv -I/usr/kerberos/include -c pam_mysql.c

mkdir .libs

gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/security -I/usr/include -g -O2 -g -O2 -I/usr/include/mysql -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -fasynchronous-unwind-tables -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fwrapv -I/usr/kerberos/include -c pam_mysql.c -fPIC -DPIC -o .libs/pam_mysql.o

pam_mysql.c:38:1: warning: "_GNU_SOURCE" redefined

<command line>:1:1: warning: this is the location of the previous definition

pam_mysql.c: In function 'pam_mysql_converse':

pam_mysql.c:3192: warning: passing argument 2 of 'conv->conv' from incompatible pointer type

/bin/sh ./libtool --mode=link gcc -g -O2 -I/usr/include/mysql -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -fasynchronous-unwind-tables -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fwrapv -I/usr/kerberos/include -o pam_mysql.la -rpath /usr/lib/security -module -avoid-version pam_mysql.lo -rdynamic -L/usr/lib/mysql -lmysqlclient -lz -lcrypt -lnsl -lm -L/usr/lib -lssl -lcrypto -L/usr/kerberos/lib -lssl -lcrypto -ldl -lz -lcrypt

gcc -shared .libs/pam_mysql.o -L/usr/lib/mysql -lmysqlclient -lnsl -lm -L/usr/lib -L/usr/kerberos/lib -lssl -lcrypto -ldl -lz -lcrypt -m32 -Wl,-soname -Wl,pam_mysql.so -o .libs/pam_mysql.so

creating pam_mysql.la

(cd .libs && rm -f pam_mysql.la && ln -s ../pam_mysql.la pam_mysql.la)

[root@mail pam_mysql-0.7RC1]# make install

make[1]: Entering directory `/root/pam_mysql-0.7RC1'

/bin/sh ./mkinstalldirs /usr/lib/security

/bin/sh ./libtool --mode=install /usr/bin/install -c pam_mysql.la /usr/lib/security/pam_mysql.la

/usr/bin/install -c .libs/pam_mysql.so /usr/lib/security/pam_mysql.so

/usr/bin/install -c .libs/pam_mysql.lai /usr/lib/security/pam_mysql.la

PATH="$PATH:/sbin" ldconfig -n /usr/lib/security

----------------------------------------------------------------------

Libraries have been installed in:

/usr/lib/security

If you ever happen to want to link against installed libraries

in a given directory, LIBDIR, you must either use libtool, and

specify the full pathname of the library, or use the `-LLIBDIR'

flag during linking and do at least one of the following:

- add LIBDIR to the `LD_LIBRARY_PATH' environment variable

during execution

- add LIBDIR to the `LD_RUN_PATH' environment variable

during linking

- use the `-Wl,--rpath -Wl,LIBDIR' linker flag

- have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for

more information, such as the ld(1) and ld.so(8) manual pages.

----------------------------------------------------------------------

make[1]: Nothing to be done for `install-data-am'.

make[1]: Leaving directory `/root/pam_mysql-0.7RC1'

[root@mail pam_mysql-0.7RC1]#

马哥 make install 后,静态库和动态链接库路径跟我的不一样

我的是 /usr/lib/security/pam_mysql.la /usr/lib/security/pam_mysql.so

马哥的是 /lib/security/pam_mysql.la /lib/security/pam_mysql.so

我复制一下这两个文件吧

[root@mail ~]# cp /usr/lib/security/pam_mysql.la /lib/security/pam_mysql.la

[root@mail ~]# cp /usr/lib/security/pam_mysql.so /lib/security/pam_mysql.so

要执行一下 /etc/ld.so.conf(如何执行) ,,,实际上系统己经有了,不用执行

[root@mail ~]# mysql

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 271

Server version: 5.0.95 Source distribution

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database vsftpd;

Query OK, 1 row affected (0.00 sec)

mysql> use vsftpd;

Database changed

mysql> create table users(

-> id INT AUTO_INCREMENT NOT NULL,

-> name CHAR(20) BINARY NOT NULL,

-> password CHAR(48) BINARY NOT NULL,

-> PRIMARY key(id))

-> ;

Query OK, 0 rows affected (0.02 sec)

mysql> DESC users;

+----------+----------+------+-----+---------+----------------+

+----------+----------+------+-----+---------+----------------+

| id | int(11) | NO | PRI | NULL | auto_increment |

+----------+----------+------+-----+---------+----------------+

3 rows in set (0.02 sec)

mysql> GRANT SELECT ON vsftpd.* TO vsftpd@localhost IDENTIFIED BY 'vsftpd';

Query OK, 0 rows affected (0.00 sec)

mysql> GRANT SELECT ON vsftpd.* TO vsftpd@127.0.0.1 IDENTIFIED BY 'vsftpd';

Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;

Query OK, 0 rows affected (0.00 sec)

mysql> INSERT INTO users(name,password) VALUES ('tom',password('abcdef')),('jery',password('abcdef'));

Query OK, 2 rows affected (0.00 sec)

Records: 2 Duplicates: 0 Warnings: 0

mysql>

mysql> select * from users;

+----+------+-------------------------------------------+

| id | name | password |

+----+------+-------------------------------------------+

| 1 | tom | *ED0DE3278EF02C0701FD328CA1DA43F22173FF3F |

| 2 | jery | *ED0DE3278EF02C0701FD328CA1DA43F22173FF3F |

+----+------+-------------------------------------------+

2 rows in set (0.00 sec)

mysql>

mysql> \q

Bye

[root@mail ~]#

[root@mail ~]# mysql -u vsftpd -p

Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 278

Server version: 5.0.95 Source distribution

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

mysql> show databases;

+--------------------+

| Database |

+--------------------+

| information_schema |

| test |

| vsftpd |

+--------------------+

3 rows in set (0.00 sec)

mysql>

mysql> use vsftpd

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

mysql>

mysql> SHOW TABLES;

+------------------+

| Tables_in_vsftpd |

+------------------+

| users |

+------------------+

1 row in set (0.00 sec)

mysql>

mysql> SELECT * FROM users;

+----+------+-------------------------------------------+

| id | name | password |

+----+------+-------------------------------------------+

| 1 | tom | *ED0DE3278EF02C0701FD328CA1DA43F22173FF3F |

| 2 | jery | *ED0DE3278EF02C0701FD328CA1DA43F22173FF3F |

+----+------+-------------------------------------------+

2 rows in set (0.00 sec)

mysql>

mysql> \q

Bye

[root@mail ~]#

[root@mail ~]# vim /etc/pam.d/vsftpd.mysql

auth required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

account required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

增加一个用户来自于mysql的虚拟用户都映射为vuser

[root@mail ~]# useradd -s /sbin/nologin -d /var/ftproot vuser

[root@mail ~]# ls -ld /var/ftproot/

drwx------ 3 vuser vuser 4096 07-26 10:49 /var/ftproot/

[root@mail ~]#

改组和其它用户的权限为 rx

[root@mail ~]# chmod go+rx /var/ftproot/

[root@mail ~]# ls -ld /var/ftproot/

drwxr-xr-x 3 vuser vuser 4096 07-26 10:49 /var/ftproot/

[root@mail ~]#

[root@mail ~]# vim /etc/vsftpd/vsftpd.conf

#pam_service_name=vsftpd

userlist_enable=YES

#pam_service_name=vsftpd.mysql

force_local_data_ssl=NO # 先把ssl改成NO,目的是为了不影响下面的测试

force_local_logins_ssl=NO # 先把ssl改成NO,目的是为了不影响下面的测试

anonymous_enable=YES

local_enable=YES

write_enable=YES

anon_upload_enable=YES

anon_mkdir_write_enable=YES

chroot_local_user=YES

guest_enable=YES

guest_username=vuser

listen=YES

pam_service_name=vsftpd.mysql

重启服务

[root@mail ~]# service vsftpd restart

关闭 vsftpd： [确定]

为 vsftpd 启动 vsftpd： [确定]

[root@mail ~]#

[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): vuser

331 Please specify the password.

Password:

530 Login incorrect.

ftp> bye

221 Goodbye.

[root@mail ~]#

[root@mail ~]# service vsftpd restart

关闭 vsftpd： [确定]

为 vsftpd 启动 vsftpd： [确定]

[root@mail ~]#

[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): tom

331 Please specify the password.

Password:

500 OOPS: cannot locate user entry:tom

ftp>

看看日志

[root@mail ~]# tail /var/log/secure

Jul 24 10:52:05 mail sshd[23290]: pam_unix(sshd:session): session closed for user root

Jul 24 14:02:45 mail sshd[3931]: Accepted password for root from 192.168.1.251 port 3223 ssh2

Jul 24 14:02:45 mail sshd[3931]: pam_unix(sshd:session): session opened for user root by (uid=0)

Jul 26 10:49:16 mail useradd[4219]: new group: name=vuser, GID=2531

Jul 26 10:49:16 mail useradd[4219]: new user: name=vuser, UID=2531, GID=2531, home=/var/ftproot, shell=/sbin/nologin

Jul 26 11:01:02 mail sshd[4274]: Accepted password for root from 192.168.1.251 port 9232 ssh2

Jul 26 11:01:02 mail sshd[4274]: pam_unix(sshd:session): session opened for user root by (uid=0)

Jul 26 11:01:31 mail vsftpd: pam_mysql - SELECT returned no result.

Jul 26 11:15:02 mail sshd[23993]: pam_unix(sshd:session): session closed for user root

[root@mail ~]#

[root@mail ~]# cd /etc/pam.d/

auth required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

account required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

[root@mail pam.d]# mysql

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 282

Server version: 5.0.95 Source distribution

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use vsftpd

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

mysql>

mysql> select * from users where name='tom';

+----+------+-------------------------------------------+

| id | name | password |

+----+------+-------------------------------------------+

| 1 | tom | *ED0DE3278EF02C0701FD328CA1DA43F22173FF3F |

+----+------+-------------------------------------------+

1 row in set (0.00 sec)

mysql>

mysql> desc users;

+----------+----------+------+-----+---------+----------------+

+----------+----------+------+-----+---------+----------------+

| id | int(11) | NO | PRI | NULL | auto_increment |

+----------+----------+------+-----+---------+----------------+

3 rows in set (0.00 sec)

mysql>

[root@mail pam.d]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): jery

331 Please specify the password.

Password:

500 OOPS: cannot locate user entry:jery

ftp>

把 crypt 改成 0 ,就是明文的

[root@mail pam.d]# vim /etc/pam.d/vsftpd.mysql

auth required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0

account required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0

[root@mail pam.d]# cd /root/pam_mysql-0.7RC1

[root@mail pam_mysql-0.7RC1]# ls

acinclude.m4 config.status install-sh mkinstalldirs pkg.m4

aclocal.m4 config.sub libtool NEWS README

ChangeLog configure ltmain.sh pam_mysql.c stamp-h

config.guess configure.in Makefile pam_mysql.la stamp-h.in

config.h COPYING Makefile.am pam_mysql.lo

config.h.in CREDITS Makefile.in pam_mysql.spec

config.log INSTALL missing pam_mysql.spec.in

[root@mail pam_mysql-0.7RC1]#

[root@mail pam_mysql-0.7RC1]# less README

mysql> use vsftpd;

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

# 密码使用明文吧

mysql> insert into users(name,password) value ('tony','abcdef'),('peter','abcdef');

Query OK, 2 rows affected (0.00 sec)

Records: 2 Duplicates: 0 Warnings: 0

mysql> insert into users(name,password) value ('aaa','abcdef'),('bbb','abcdef')\c; # 使用 \c 的话,就是取消执行吧

mysql>

[root@mail pam_mysql-0.7RC1]# service vsftpd restart

关闭 vsftpd： [确定]

为 vsftpd 启动 vsftpd： [确定]

[root@mail pam_mysql-0.7RC1]#

我这边不行

报了 500 OOPS: cannot locate user entry 错,见 /node-admin/15334 看看吧

马哥这边可以了

[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): tony

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

257 "/"

ftp> ls

227 Entering Passive Mode (192,168,1,85,232,62)

150 Here comes the directory listing.

226 Directory send OK.

ftp> bye

221 Goodbye.

[root@mail ~]#

看看它的家目录有下载有上传权限

[root@mail ~]# cp /etc/fstab /var/ftproot/

[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): tony

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls

227 Entering Passive Mode (192,168,1,85,144,241)

150 Here comes the directory listing.

-rw-r--r-- 1 0 0 534 Jul 26 06:02 fstab

226 Directory send OK.

ftp> lcd /tmp

Local directory now /tmp

ftp> get fstab

local: fstab remote: fstab

227 Entering Passive Mode (192,168,1,85,196,28)

150 Opening BINARY mode data connection for fstab (534 bytes).

226 File send OK.

534 bytes received in 2.6e-05 seconds (2e+04 Kbytes/s)

ftp> lcd /etc

Local directory now /etc

ftp> pub issue

?Invalid command

ftp> put issue

local: issue remote: issue

227 Entering Passive Mode (192,168,1,85,104,204)

150 Ok to send data.

226 File receive OK.

75 bytes sent in 4.6e-05 seconds (1.6e+03 Kbytes/s)

ftp>

因为已经定义了权限虚拟用户的指令权限都是与匿名用户的指令权限进行匹配的

[root@mail ~]# vim /etc/vsftpd/vsftpd.conf

anon_upload_enable=YES

先关掉几个匿名用户的权限看看吧其实最好改成NO,因为有可能默认就是YES

[root@mail ~]# vim /etc/vsftpd/vsftpd.conf

#anon_upload_enable=YES

#anon_mkdir_write_enable=YES

#anon_other_write_enable=YES

[root@mail ~]# !se

service vsftpd restart

关闭 vsftpd： [确定]

为 vsftpd 启动 vsftpd： [确定]

[root@mail ~]#

看看此时没有 anon_upload_enable,anon_mkdir_write_enable,anon_other_write_enable这些权限了吧

[root@mail ~]# !ftp

ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): tony

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> lcd /etc

Local directory now /etc

ftp> put inittab

local: inittab remote: inittab

227 Entering Passive Mode (192,168,1,85,254,40)

550 Permission denied.

ftp>

所有的虚拟用户都映射到同一个用户 vuser 上面去

所以此时 peter 用户也不能上传了

[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): peter

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> lcd /etc

Local directory now /etc

ftp> put inittab

local: inittab remote: inittab

227 Entering Passive Mode (192,168,1,85,122,102)

550 Permission denied.

ftp>

在 /etc/vsftpd/vsftpd.conf 中,添加一项

user_config_dir=/etc/vsftpd/vusers_dir

# mkdir /etc/vsftpd/vusers_dir

# cd /etc/vsftpd/vusers_dir

# touch tony # /etc/vsftpd/vusers_dir 目录下建同名文件,里面放权限

# vim peter # /etc/vsftpd/vusers_dir 目录下建同名文件,里面放权限

anon_upload_enable=YES

anon_mkdir_write_enable=YES

anon_other_write_enable=YES

[root@mail ~]# vim /etc/vsftpd/vsftpd.conf

user_config_dir=/etc/vsftpd/vusers

[root@mail ~]# mkdir /etc/vsftpd/vusers

[root@mail ~]# cd /etc/vsftpd/vusers

建的文件要与用户名同名

[root@mail vusers]# touch tony peter

[root@mail vusers]# vim tony

anon_upload_enable=NO

[root@mail vusers]# vim peter

anon_upload_enable=YES

anon_mkdir_write_enable=YES

anon_other_write_enable=YES

[root@mail vusers]# service vsftpd restart

关闭 vsftpd： [确定]

为 vsftpd 启动 vsftpd： [确定]

[root@mail vusers]#

[root@mail vusers]# !ft

ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): tony

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> lcd /etc

Local directory now /etc

ftp> put inittab # tony 不能上传

local: inittab remote: inittab

227 Entering Passive Mode (192,168,1,85,52,152)

550 Permission denied.

ftp>

[root@mail vusers]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): peter

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> lcd /etc

Local directory now /etc

ftp> put inittab # peter 是可以上传的

local: inittab remote: inittab

227 Entering Passive Mode (192,168,1,85,128,166)

150 Ok to send data.

226 File receive OK.

1666 bytes sent in 4.7e-05 seconds (3.5e+04 Kbytes/s)

ftp> ls

227 Entering Passive Mode (192,168,1,85,246,243)

150 Here comes the directory listing.

-rw-r--r-- 1 0 0 534 Jul 26 06:02 fstab

-rw------- 1 2531 2531 1666 Jul 26 06:38 inittab

-rw------- 1 2531 2531 75 Jul 26 06:04 issue

226 Directory send OK.

ftp>

读读 README

[root@mail vusers]# cd /root/pam_mysql-0.7RC1

[root@mail pam_mysql-0.7RC1]# ls

acinclude.m4 config.status install-sh mkinstalldirs pkg.m4

aclocal.m4 config.sub libtool NEWS README

ChangeLog configure ltmain.sh pam_mysql.c stamp-h

config.guess configure.in Makefile pam_mysql.la stamp-h.in

config.h COPYING Makefile.am pam_mysql.lo

config.h.in CREDITS Makefile.in pam_mysql.spec

config.log INSTALL missing pam_mysql.spec.in

[root@mail pam_mysql-0.7RC1]# less README

换下加密算法试试 ,最好不要用明文,马哥不再讲了

普通分类:

linux

You are here

友情链接

搜索表单

用户登录

You are here

马哥 27_02 _ftp服务【攻城狮论坛の免费分享】 有大用

友情链接

马哥 27_02 _ftp服务【攻城狮论坛の免费分享】有大用