
马哥 27_02 _ftp服务【攻城狮论坛の免费分享】 有大用

ftp 本身就是明文传输的(用户名和口令都不加密),所以默认不允许 root 用户登录 ftp 服务


守护进程:

    独立守护: 用户访问量大,在线时间比较长的服务

                超级守护进程 xinetd 自己是一个独立的守护进程

    瞬时守护: 用户访问量小,而且在线时间不长的服务

                都是由超级守护进程 xinetd 代为管理的

            





[root@mail ~]# vim /etc/vsftpd/vsftpd.conf

#idle_session_timeout=600  #用户会话超过600秒,就断开

#data_connection_timeout=120 #跟数据连接相关的

#ascii_upload_enable=YES  #启用ascii文本上传功能        # 如果打开,默认以纯文本格式上传,最好不要打开

#ascii_download_enable=YES  #启用ascii文本下载功能   # 如果打开,默认以纯文本格式下载,最好不要打开

chroot_list_enable=YES                          # 准备禁锢用户

chroot_list_file=/etc/vsftpd/chroot_list  # 里面定义禁锢哪些用户,在这个文件里面


[root@mail ~]# touch /etc/vsftpd/chroot_list


[root@mail ~]# vim /etc/vsftpd/chroot_list

hadoop


[root@mail ~]# service vsftpd restart

关闭 vsftpd:                                              [确定]

为 vsftpd 启动 vsftpd:                                    [确定]

[root@mail ~]#



新开一窗口,建两个用户

[root@mail ~]# useradd hbase

[root@mail ~]# passwd hbase

Changing password for user hbase.

New UNIX password:

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

[root@mail ~]#

[root@mail ~]# passwd redis

Changing password for user redis.

New UNIX password:

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

[root@mail ~]#



[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): redis

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd   ( 不是  "/"  说明未禁锢在家目录下 )

257 "/home/redis"

ftp>


[root@mail ~]# vim /etc/vsftpd/chroot_list

hadoop

redis


[root@mail ~]# !se

service vsftpd restart

关闭 vsftpd:                                              [确定]

为 vsftpd 启动 vsftpd:                                    [确定]

[root@mail ~]#


[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): redis

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd  (此时可看到禁锢在家目录下面了)

257 "/"

ftp>




[root@mail ~]# vim /etc/vsftpd/vsftpd.conf

#chroot_list_enable=YES

#chroot_list_file=/etc/vsftpd/chroot_list

chroot_local_user=YES  # 此时所有的用户都禁锢在家目录下面了

listen=YES   # 表示 vsftpd 是否工作为一个独立守护进程的,否则是一个瞬时守护进程

                    # 如果为瞬时守护进程   /etc/xinetd.d/  目录下建一个配置文件就成

pam_service_name=vsftpd   # vsftpd 接受 pam 来控制的,pam 配置文件在 /etc/pam.d 目录下叫什么名字,就是这里定义的 即 /etc/pam.d/vsftpd

userlist_enable=YES    # 表示启用  user_list  这个文件来控制用户是否能够登录,默认所有写在这个文件里面的用户都是不能登录的

userlist_deny=YES    # 默认是YES,是拒绝 user_list  里面的用户登录

#userlist_deny=NO   # 不拒绝  


[root@mail ~]# man vsftpd.conf

image.png



[root@mail ~]# service vsftpd restart

关闭 vsftpd:                                              [确定]

为 vsftpd 启动 vsftpd:                                    [确定]

[root@mail ~]#



[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): hbase

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd  (禁锢在家目录里面)

257 "/"

ftp>



[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): root  (连密码都来不及输,它就让你权限拒绝)

530 Permission denied.

Login failed.

ftp>



[root@mail ~]# cd /etc/vsftpd/

[root@mail vsftpd]# ls  #有个ftpusers,所有写在这个文件里面的用户都禁止访问ftp

chroot_list  ftpusers  user_list  vsftpd.conf  vsftpd.conf.bak  vsftpd_conf_migrate.sh

[root@mail vsftpd]#

[root@mail vsftpd]# cat ftpusers

# Users that are not allowed to login via ftp

root

bin

daemon

adm

lp

sync

shutdown

halt

mail

news

uucp

operator

games

nobody

[root@mail vsftpd]#

[root@mail vsftpd]# cat /etc/pam.d/vsftpd

#%PAM-1.0

session    optional     pam_keyinit.so    force revoke

# 下一行: sense=deny 表示列表中出现的用户被拒绝(黑名单),列表文件由 file=/etc/vsftpd/ftpusers 指定; onerr=succeed 表示该文件读取出错时按通过处理,所以要确保文件存在且可读

auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers  onerr=succeed

auth       required     pam_shells.so

auth       include      system-auth

account    include      system-auth

session    include      system-auth

session    required     pam_loginuid.so

[root@mail vsftpd]#


[root@mail vsftpd]# pwd

/etc/vsftpd

[root@mail vsftpd]# cat user_list

# vsftpd userlist

# If userlist_deny=NO, only allow users in this file

# If userlist_deny=YES (default), never allow users in this file, and

# do not even prompt for a password.

# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers

# for users that are denied.

root

bin

daemon

adm

lp

sync

shutdown

halt

mail

news

uucp

operator

games

nobody

[root@mail vsftpd]# 

清空 user_list 文件     # vim  user_list   执行 ggdG 就清空了 user_list   文件



[root@mail vsftpd]# service vsftpd restart

关闭 vsftpd:                                              [确定]

为 vsftpd 启动 vsftpd:                                    [确定]

[root@mail vsftpd]#


[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): root

331 Please specify the password.

Password:    (清空了 user_list ,虽然可以让你输密码了,但是仍然是不能登录的)

530 Login incorrect.

Login failed.

ftp>



[root@mail ~]# vim /etc/vsftpd/vsftpd.conf

#chroot_list_enable=YES

#chroot_list_file=/etc/vsftpd/chroot_list

chroot_local_user=YES  # 此时所有的用户都禁锢在家目录下面了

listen=YES   # 表示 vsftpd 是否工作为一个独立守护进程的,否则是一个瞬时守护进程

                    # 如果为瞬时守护进程   /etc/xinetd.d/  目录下建一个配置文件就成

pam_service_name=vsftpd   # vsftpd 接受 pam 来控制的,pam 配置文件在 /etc/pam.d 目录下叫什么名字,就是这里定义的 即 /etc/pam.d/vsftpd

userlist_enable=YES    # 表示启用  user_list 这个文件来控制用户是否能够登录,默认所有写在这个文件里面的用户都是不能登录的

userlist_deny=YES    # 默认是YES,是拒绝 user_list 里面的用户登录

        #userlist_deny=NO   # 不拒绝  



[root@mail vsftpd]# vim user_list

hbase


[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): hbase

530 Permission denied.  (拒绝登录,连输密码的机会都没有)

Login failed.

ftp>



[root@mail ~]# vim /etc/vsftpd/vsftpd.conf

#chroot_list_enable=YES

#chroot_list_file=/etc/vsftpd/chroot_list

chroot_local_user=YES  # 此时所有的用户都禁锢在家目录下面了

listen=YES   # 表示 vsftpd 是否工作为一个独立守护进程的,否则是一个瞬时守护进程

                    # 如果为瞬时守护进程   /etc/xinetd.d/  目录下建一个配置文件就成

pam_service_name=vsftpd   # vsftpd 接受 pam 来控制的,pam 配置文件在 /etc/pam.d 目录下叫什么名字,就是这里定义的 即 /etc/pam.d/vsftpd

userlist_enable=YES    # 表示启用  user_list 这个文件来控制用户是否能够登录,默认所有写在这个文件里面的用户都是不能登录的  # 表示启用 user_list 这个文件来控制用户是否能够登录

#userlist_deny=YES    # 默认是YES,是拒绝 user_list 里面的用户登录  # 到底能不能登录: YES,表示 user_list 是黑名单

userlist_deny=NO   # 不拒绝,仅允许 user_list 里面的用户登录  # 到底能不能登录: NO,表示 user_list 是白名单


[root@mail vsftpd]# service vsftpd restart

关闭 vsftpd:                                              [确定]

为 vsftpd 启动 vsftpd:                                    [确定]

[root@mail vsftpd]#



[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): hbase

331 Please specify the password.

Password:

230 Login successful.   (此时能正常登录)

Remote system type is UNIX. 

Using binary mode to transfer files.

ftp> pwd

257 "/"

ftp>


[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): hadoop  # 此时 hadoop 不能登录,(连输密码的机会都没有)

530 Permission denied.

Login failed.

ftp>



image.png


vsftpd:

    max_clients=#

    max_per_ip=#

ftp本身是明文的

安全通信方式

    ftps: ftp+ssl/tls

    sftp: (OpenSSH,SubSystem,sftp(SSH))



ftps: 创建一个证书,配置证书,提供下面几个指令

ssl_sslv2 能不支持就不支持(SSLv2 早已不安全,保持 ssl_sslv2=NO)

最好 ssl_tlsv1 和 ssl_sslv3 同时支持(注:SSLv3 已被 RFC 7568 弃用,存在已知弱点,现代客户端默认不再使用;只有必须兼容旧客户端时才开启 ssl_sslv3)

image.png


创建证书

[root@mail ~]# cd /etc/pki/CA/

[root@mail CA]# mkdir certs newcerts crl

mkdir: 无法创建目录 “certs”: 文件已存在

mkdir: 无法创建目录 “newcerts”: 文件已存在

mkdir: 无法创建目录 “crl”: 文件已存在

[root@mail CA]#

[root@mail CA]# touch index.txt

[root@mail CA]# echo 01 > serial

[root@mail CA]#




# vsftpd 需要使用 RSA 密钥,密钥长度为 2048 位

[root@mail CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)

Generating RSA private key, 2048 bit long modulus

......................................................................+++

...+++

e is 65537 (0x10001)

[root@mail CA]#


生成自签证书

[root@mail CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HN

Locality Name (eg, city) [Newbury]:ZZ

Organization Name (eg, company) [My Company Ltd]:MageEdu

Organizational Unit Name (eg, section) []:Tech

Common Name (eg, your name or your server's hostname) []:ca.magedu.com  #Common Name 一定要跟客户端访问服务时使用的主机名保持一致

Email Address []:

[root@mail CA]#


[root@mail CA]# mkdir /etc/vsftpd/ssl

[root@mail CA]# cd /etc/vsftpd/ssl

[root@mail ssl]#

生成私钥

[root@mail ssl]# (umask 077;openssl genrsa -out vsftpd.key 2048;)             

  Generating RSA private key, 2048 bit long modulus

.................................................+++

.........+++

e is 65537 (0x10001)

[root@mail ssl]#

生成证书颁发申请

[root@mail ssl]# openssl req -new  -key vsftpd.key -out vsftpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HN

Locality Name (eg, city) [Newbury]:ZZ

Organization Name (eg, company) [My Company Ltd]:MageEdu

Organizational Unit Name (eg, section) []:Tech

Common Name (eg, your name or your server's hostname) []:ftp.magedu.com

Email Address []:


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@mail ssl]#



image.png



签署

[root@mail ssl]# openssl ca -in vsftpd.csr -out vsftpd.crt

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Jul 23 05:58:48 2020 GMT

            Not After : Jul 23 05:58:48 2021 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = HN

            organizationName          = MageEdu

            organizationalUnitName    = Tech

            commonName                = ftp.magedu.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                17:3B:DD:26:AB:07:67:63:56:6D:E2:0C:AD:13:D3:55:AA:2F:3C:CA

            X509v3 Authority Key Identifier:

                keyid:A8:3D:C4:13:AC:83:4A:DE:D3:88:4A:36:D2:6B:7B:F1:F8:06:24:67


Certificate is to be certified until Jul 23 05:58:48 2021 GMT (365 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@mail ssl]#



配置 vsftpd 能够使用这个证书

[root@mail ssl]# vim /etc/vsftpd/vsftpd.conf

#这个文件的最后添加如下的东西

# ssl or tls

ssl_enable=YES

ssl_tlsv1=YES

ssl_sslv3=YES

allow_anon_ssl=NO

force_local_data_ssl=YES

force_local_logins_ssl=YES

rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt

rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key


[root@mail ssl]# service vsftpd restart

关闭 vsftpd:                                              [确定]

为 vsftpd 启动 vsftpd:                                    [确定]


[root@mail ssl]#


# 此时匿名用户登录失败

[root@mail ssl]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): ftp

530 Permission denied.

Login failed.

ftp>


这个文件清空

[root@mail ssl]# vim /etc/vsftpd/vsftpd


[root@mail ssl]# vim /etc/vsftpd/vsftpd.conf

...........................

 # userlist_deny=NO  # 关掉它,使其不影响后面的测试

...........................



[root@mail ssl]# service vsftpd restart

关闭 vsftpd:                                              [确定]

为 vsftpd 启动 vsftpd:                                    [确定]


[root@mail ssl]#


对匿名用户是正常的

[root@mail ssl]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): ftp

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

257 "/"

ftp> ls

227 Entering Passive Mode (192,168,1,85,197,163)

150 Here comes the directory listing.

drwxr-xr-x    2 0        0            4096 Sep 25  2012 pub

drwxrwxr-x    3 0        0            4096 Jul 22 07:58 upload

226 Directory send OK.

ftp>


普通用户不正常

[root@mail ssl]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): hadoop

530 Non-anonymous sessions must use encryption.

Login failed.

ftp>


[root@mail ssl]# openssl s_client -connect 192.168.1.85:21

CONNECTED(00000003)

23651:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:

[root@mail ssl]#


安装 FileZilla

image.png

image.png




如下,可以匿名连接成功

image.png


image.png


如下 hadoop  明文不能连接成功

image.png


image.png


如下 hadoop  tls不能连接成功  

image.png

根据下面报错信息,是不是说是证书的问题?

image.png


马哥也不会配置  Filezilla 


下面配置 flashFXP吧

image.png


image.png

image.png

image.png



sftp 与 ssh 有关,这里不再重述


vsftpd: 基于PAM(手动定义配置)

    匿名

    本地

    虚拟用户

            一种,放数据库:  MySQL: VSFTPD,users: Name,Password

            另一种,放文件里:  /etc/vsftpd/vusers:   --> db_load  (转换成二进制)

                        USERNAME  (奇数行)

                        PASSWORD  (偶数行)

db4-utils 所提供的 db_load 命令



# postconf -m  看支持的查找表


image.png

pam默认情况下不支持到mysql中验证用户账号,所以要安装 pam_mysql 模块

( pam_mysql 已停止研发,但支持新版本的 mysql (只要对应的头文件没有发生改变))


image.png

image.png

image.png

安装 mysql和 mysql-devel包

[root@mail ~]# yum -y install mysql-server mysql-devel  (没按回车,没安装,应该已经安装了)


安装 开发库 和开发工具

下面是命令是仅仅安装开发库 

[root@mail ~]# yum -y groupinstall "Development Libraries" (没按回车,没执行)


image.png



https://download.csdn.net/download/qq_32574665/9243143

https://www.iteye.com/resource/scdjj199771-1126274

http://pam-mysql.sourceforge.net/

https://netcologne.dl.sourceforge.net/project/pam-mysql/pam-mysql/0.7RC1/pam_mysql-0.7RC1.tar.gz


[root@mail pam_mysql-0.7RC1]# wget https://netcologne.dl.sourceforge.net/project/pam-mysql/pam-mysql/0.7RC1/pam_mysql-0.7RC1.tar.gz --no-check-certificate


[root@mail ~]# tar xf pam_mysql-0.7RC1.tar.gz

[root@mail ~]# cd pam_mysql-0.7RC1

[root@mail pam_mysql-0.7RC1]#


[root@mail pam_mysql-0.7RC1]# ls

acinclude.m4  config.sub    INSTALL      missing         pam_mysql.spec.in

aclocal.m4    configure     install-sh   mkinstalldirs   pkg.m4

ChangeLog     configure.in  ltmain.sh    NEWS            README

config.guess  COPYING       Makefile.am  pam_mysql.c     stamp-h.in

config.h.in   CREDITS       Makefile.in  pam_mysql.spec

[root@mail pam_mysql-0.7RC1]#


[root@mail pam_mysql-0.7RC1]# ./configure --with-mysql=/usr/ --with-openssl  (疑问:为什么不是 --with-mysql=/usr/local/mysql ?在我这里 /usr 和 /usr/local/mysql 两个路径都可以;如果只写 --with-mysql 而不指定路径,则到根目录下面去找)


看看mysql的库文件在哪里

[root@mail pam_mysql-0.7RC1]# ldconfig -v | grep mysql

        libauthmysql.so -> libauthmysql.so.0

/usr/lib/mysql:

        libmysqlclient.so.15 -> libmysqlclient.so.15.0.0

        libmysqlclient_r.so.15 -> libmysqlclient_r.so.15.0.0

/usr/local/mysql/lib:

        libmysqlclient.so.18 -> libmysqlclient_r.so.18.0.0

[root@mail pam_mysql-0.7RC1]#

如果是第一次装 mysql 的话 

[root@mail pam_mysql-0.7RC1]# service mysqld start


[root@mail pam_mysql-0.7RC1]# rpm -ql mysql-devel

/usr/include/mysql

/usr/include/mysql/chardefs.h

/usr/include/mysql/decimal.h

/usr/include/mysql/errmsg.h

/usr/include/mysql/history.h

/usr/include/mysql/keycache.h

/usr/include/mysql/keymaps.h

/usr/include/mysql/m_ctype.h

/usr/include/mysql/m_string.h

/usr/include/mysql/my_alloc.h

/usr/include/mysql/my_attribute.h

/usr/include/mysql/my_config.h

/usr/include/mysql/my_config_i386.h

/usr/include/mysql/my_dbug.h

/usr/include/mysql/my_dir.h

/usr/include/mysql/my_getopt.h

/usr/include/mysql/my_global.h

/usr/include/mysql/my_list.h

/usr/include/mysql/my_net.h

/usr/include/mysql/my_no_pthread.h

/usr/include/mysql/my_pthread.h

/usr/include/mysql/my_sys.h

/usr/include/mysql/my_xml.h

/usr/include/mysql/mysql.h

/usr/include/mysql/mysql_com.h

/usr/include/mysql/mysql_embed.h

/usr/include/mysql/mysql_time.h

/usr/include/mysql/mysql_version.h

/usr/include/mysql/mysqld_ername.h

/usr/include/mysql/mysqld_error.h

/usr/include/mysql/raid.h

/usr/include/mysql/readline.h

/usr/include/mysql/rlmbutil.h

/usr/include/mysql/rlprivate.h

/usr/include/mysql/rlshell.h

/usr/include/mysql/rltypedefs.h

/usr/include/mysql/sql_common.h

/usr/include/mysql/sql_state.h

/usr/include/mysql/sslopt-case.h

/usr/include/mysql/sslopt-longopts.h

/usr/include/mysql/sslopt-vars.h

/usr/include/mysql/tilde.h

/usr/include/mysql/typelib.h

/usr/include/mysql/xmalloc.h

/usr/lib/mysql/libdbug.a

/usr/lib/mysql/libheap.a

/usr/lib/mysql/libmyisam.a

/usr/lib/mysql/libmyisammrg.a

/usr/lib/mysql/libmysqlclient.a

/usr/lib/mysql/libmysqlclient.so

/usr/lib/mysql/libmysqlclient_r.a

/usr/lib/mysql/libmysqlclient_r.so

/usr/lib/mysql/libmystrings.a

/usr/lib/mysql/libmysys.a

/usr/lib/mysql/libvio.a

[root@mail pam_mysql-0.7RC1]#


[root@mail pam_mysql-0.7RC1]# rpm -q mysql

mysql-5.0.95-5.el5_9

[root@mail pam_mysql-0.7RC1]# rpm -q mysql-devel

mysql-devel-5.0.95-5.el5_9

[root@mail pam_mysql-0.7RC1]#

[root@mail pam_mysql-0.7RC1]# make

/bin/sh ./libtool --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/security -I/usr/include  -g -O2  -g -O2 -I/usr/include/mysql  -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -fasynchronous-unwind-tables -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fwrapv -I/usr/kerberos/include     -c pam_mysql.c

mkdir .libs

 gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/security -I/usr/include -g -O2 -g -O2 -I/usr/include/mysql -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -fasynchronous-unwind-tables -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fwrapv -I/usr/kerberos/include -c pam_mysql.c  -fPIC -DPIC -o .libs/pam_mysql.o

pam_mysql.c:38:1: warning: "_GNU_SOURCE" redefined

<command line>:1:1: warning: this is the location of the previous definition

pam_mysql.c: In function 'pam_mysql_converse':

pam_mysql.c:3192: warning: passing argument 2 of 'conv->conv' from incompatible pointer type

/bin/sh ./libtool --mode=link gcc  -g -O2 -I/usr/include/mysql  -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -fasynchronous-unwind-tables -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fwrapv -I/usr/kerberos/include      -o pam_mysql.la -rpath /usr/lib/security -module -avoid-version pam_mysql.lo  -rdynamic -L/usr/lib/mysql -lmysqlclient -lz -lcrypt -lnsl -lm -L/usr/lib -lssl -lcrypto -L/usr/kerberos/lib -lssl -lcrypto -ldl -lz     -lcrypt

gcc -shared  .libs/pam_mysql.o  -L/usr/lib/mysql -lmysqlclient -lnsl -lm -L/usr/lib -L/usr/kerberos/lib -lssl -lcrypto -ldl -lz -lcrypt  -m32 -Wl,-soname -Wl,pam_mysql.so -o .libs/pam_mysql.so

creating pam_mysql.la

(cd .libs && rm -f pam_mysql.la && ln -s ../pam_mysql.la pam_mysql.la)



[root@mail pam_mysql-0.7RC1]# make install

make[1]: Entering directory `/root/pam_mysql-0.7RC1'

/bin/sh ./mkinstalldirs /usr/lib/security

/bin/sh ./libtool  --mode=install /usr/bin/install -c pam_mysql.la /usr/lib/security/pam_mysql.la

/usr/bin/install -c .libs/pam_mysql.so /usr/lib/security/pam_mysql.so

/usr/bin/install -c .libs/pam_mysql.lai /usr/lib/security/pam_mysql.la

PATH="$PATH:/sbin" ldconfig -n /usr/lib/security

----------------------------------------------------------------------

Libraries have been installed in:

   /usr/lib/security


If you ever happen to want to link against installed libraries

in a given directory, LIBDIR, you must either use libtool, and

specify the full pathname of the library, or use the `-LLIBDIR'

flag during linking and do at least one of the following:

   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable

     during execution

   - add LIBDIR to the `LD_RUN_PATH' environment variable

     during linking

   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag

   - have your system administrator add LIBDIR to `/etc/ld.so.conf'


See any operating system documentation about shared libraries for

more information, such as the ld(1) and ld.so(8) manual pages.

----------------------------------------------------------------------

make[1]: Nothing to be done for `install-data-am'.

make[1]: Leaving directory `/root/pam_mysql-0.7RC1'

[root@mail pam_mysql-0.7RC1]#


马哥 make install 后,libtool 归档文件(.la)和动态链接库(.so)的安装路径跟我的不一样

我的是 /usr/lib/security/pam_mysql.la            /usr/lib/security/pam_mysql.so

马哥的是    /lib/security/pam_mysql.la      /lib/security/pam_mysql.so

我把这两个文件复制过去吧


[root@mail ~]# cp  /usr/lib/security/pam_mysql.la  /lib/security/pam_mysql.la 

[root@mail ~]# cp  /usr/lib/security/pam_mysql.so  /lib/security/pam_mysql.so 


image.png


本来要让系统重新读取 /etc/ld.so.conf(即执行 ldconfig),,,实际上系统已经有了,不用执行



[root@mail ~]# mysql

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 271

Server version: 5.0.95 Source distribution


Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.


Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.


Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


mysql> create database  vsftpd;

Query OK, 1 row affected (0.00 sec)


mysql> use vsftpd;

Database changed

mysql> create table users(

    -> id INT AUTO_INCREMENT NOT NULL,

    -> name CHAR(20) BINARY NOT NULL,

    -> password CHAR(48) BINARY NOT NULL,

    -> PRIMARY key(id))

    -> ;

Query OK, 0 rows affected (0.02 sec)



mysql> DESC users;

+----------+----------+------+-----+---------+----------------+

| Field    | Type     | Null | Key | Default | Extra          |

+----------+----------+------+-----+---------+----------------+

| id       | int(11)  | NO   | PRI | NULL    | auto_increment |

| name     | char(20) | NO   |     | NULL    |                |

| password | char(48) | NO   |     | NULL    |                |

+----------+----------+------+-----+---------+----------------+

3 rows in set (0.02 sec)


mysql> GRANT SELECT ON vsftpd.* TO vsftpd@localhost IDENTIFIED BY 'vsftpd';

Query OK, 0 rows affected (0.00 sec)



mysql> GRANT SELECT ON vsftpd.* TO vsftpd@127.0.0.1 IDENTIFIED BY 'vsftpd';

Query OK, 0 rows affected (0.00 sec)



mysql> FLUSH PRIVILEGES;

Query OK, 0 rows affected (0.00 sec)



mysql> INSERT INTO users(name,password) VALUES ('tom',password('abcdef')),('jery',password('abcdef'));

Query OK, 2 rows affected (0.00 sec)

Records: 2  Duplicates: 0  Warnings: 0


mysql>


mysql> select * from users;

+----+------+-------------------------------------------+

| id | name | password                                  |

+----+------+-------------------------------------------+

|  1 | tom  | *ED0DE3278EF02C0701FD328CA1DA43F22173FF3F |

|  2 | jery | *ED0DE3278EF02C0701FD328CA1DA43F22173FF3F |

+----+------+-------------------------------------------+

2 rows in set (0.00 sec)


mysql>


mysql> \q

Bye

[root@mail ~]#




[root@mail ~]# mysql -u vsftpd -p

Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 278

Server version: 5.0.95 Source distribution


Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.


Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.


Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


mysql>

mysql> show databases;

+--------------------+

| Database           |

+--------------------+

| information_schema |

| test               |

| vsftpd             |

+--------------------+

3 rows in set (0.00 sec)


mysql>

mysql> use vsftpd

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A


Database changed

mysql>


mysql> SHOW TABLES;

+------------------+

| Tables_in_vsftpd |

+------------------+

| users            |

+------------------+

1 row in set (0.00 sec)


mysql>

mysql> SELECT * FROM users;

+----+------+-------------------------------------------+

| id | name | password                                  |

+----+------+-------------------------------------------+

|  1 | tom  | *ED0DE3278EF02C0701FD328CA1DA43F22173FF3F |

|  2 | jery | *ED0DE3278EF02C0701FD328CA1DA43F22173FF3F |

+----+------+-------------------------------------------+

2 rows in set (0.00 sec)


mysql>

mysql> \q

Bye

[root@mail ~]#


[root@mail ~]# vim /etc/pam.d/vsftpd.mysql

auth required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

account required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2


增加一个系统用户 vuser,来自 MySQL 的虚拟用户统一映射到它(对应下面的 guest_username=vuser)

[root@mail ~]# useradd -s /sbin/nologin -d /var/ftproot vuser




[root@mail ~]# ls -ld /var/ftproot/

drwx------ 3 vuser vuser 4096 07-26 10:49 /var/ftproot/

[root@mail ~]# 

改 组和其它用户的权限  为 rx

[root@mail ~]# chmod go+rx /var/ftproot/

[root@mail ~]# ls -ld /var/ftproot/     

drwxr-xr-x 3 vuser vuser 4096 07-26 10:49 /var/ftproot/

[root@mail ~]#

[root@mail ~]# vim /etc/vsftpd/vsftpd.conf

#pam_service_name=vsftpd

userlist_enable=YES


#pam_service_name=vsftpd.mysql


force_local_data_ssl=NO       # 先把ssl改成NO,目的是为了不影响下面的测试

force_local_logins_ssl=NO    # 先把ssl改成NO,目的是为了不影响下面的测试


anonymous_enable=YES

local_enable=YES

write_enable=YES

anon_upload_enable=YES

anon_mkdir_write_enable=YES

chroot_local_user=YES


guest_enable=YES

guest_username=vuser

listen=YES

pam_service_name=vsftpd.mysql


重启服务

[root@mail ~]# service vsftpd restart

关闭 vsftpd:                                              [确定]

为 vsftpd 启动 vsftpd:                                    [确定]

[root@mail ~]#


[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): vuser

331 Please specify the password.

Password:

530 Login incorrect.

Login failed.

ftp> bye

221 Goodbye.

[root@mail ~]#


[root@mail ~]# service vsftpd restart

关闭 vsftpd:                                              [确定]

为 vsftpd 启动 vsftpd:                                    [确定]

[root@mail ~]#


[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): tom

331 Please specify the password.

Password:

500 OOPS: cannot locate user entry:tom

Login failed.

ftp>



看看日志

[root@mail ~]# tail /var/log/secure

Jul 24 10:52:05 mail sshd[23290]: pam_unix(sshd:session): session closed for user root

Jul 24 14:02:45 mail sshd[3931]: Accepted password for root from 192.168.1.251 port 3223 ssh2

Jul 24 14:02:45 mail sshd[3931]: pam_unix(sshd:session): session opened for user root by (uid=0)

Jul 26 10:49:16 mail useradd[4219]: new group: name=vuser, GID=2531

Jul 26 10:49:16 mail useradd[4219]: new user: name=vuser, UID=2531, GID=2531, home=/var/ftproot, shell=/sbin/nologin

Jul 26 11:01:02 mail sshd[4274]: Accepted password for root from 192.168.1.251 port 9232 ssh2

Jul 26 11:01:02 mail sshd[4274]: pam_unix(sshd:session): session opened for user root by (uid=0)

Jul 26 11:01:31 mail vsftpd: pam_mysql - SELECT returned no result.

Jul 26 11:01:31 mail vsftpd: pam_mysql - SELECT returned no result.

Jul 26 11:15:02 mail sshd[23993]: pam_unix(sshd:session): session closed for user root

[root@mail ~]#

image.png



[root@mail ~]# cd /etc/pam.d/

auth required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

account required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2




[root@mail pam.d]# mysql

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 282

Server version: 5.0.95 Source distribution


Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.


Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.


Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


mysql>  use vsftpd

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A


Database changed

mysql>


mysql> select * from users where name='tom';

+----+------+-------------------------------------------+

| id | name | password                                  |

+----+------+-------------------------------------------+

|  1 | tom  | *ED0DE3278EF02C0701FD328CA1DA43F22173FF3F |

+----+------+-------------------------------------------+

1 row in set (0.00 sec)


mysql>


mysql> desc users;

+----------+----------+------+-----+---------+----------------+

| Field    | Type     | Null | Key | Default | Extra          |

+----------+----------+------+-----+---------+----------------+

| id       | int(11)  | NO   | PRI | NULL    | auto_increment |

| name     | char(20) | NO   |     | NULL    |                |

| password | char(48) | NO   |     | NULL    |                |

+----------+----------+------+-----+---------+----------------+

3 rows in set (0.00 sec)


mysql>


[root@mail pam.d]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): jery

331 Please specify the password.

Password:

500 OOPS: cannot locate user entry:jery

Login failed.

ftp>


把 crypt 改成 0,就是让 pam_mysql 按明文比较密码(数据库里存的也就是明文密码)

[root@mail pam.d]# vim /etc/pam.d/vsftpd.mysql

auth required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0

account required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0



[root@mail pam.d]# cd /root/pam_mysql-0.7RC1

[root@mail pam_mysql-0.7RC1]# ls

acinclude.m4  config.status  install-sh   mkinstalldirs      pkg.m4

aclocal.m4    config.sub     libtool      NEWS               README

ChangeLog     configure      ltmain.sh    pam_mysql.c        stamp-h

config.guess  configure.in   Makefile     pam_mysql.la       stamp-h.in

config.h      COPYING        Makefile.am  pam_mysql.lo

config.h.in   CREDITS        Makefile.in  pam_mysql.spec

config.log    INSTALL        missing      pam_mysql.spec.in

[root@mail pam_mysql-0.7RC1]#

[root@mail pam_mysql-0.7RC1]# less README


image.png






mysql> use vsftpd;

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A


Database changed

# 这里密码先用明文

mysql> insert into users(name,password) value ('tony','abcdef'),('peter','abcdef');

Query OK, 2 rows affected (0.00 sec)

Records: 2  Duplicates: 0  Warnings: 0


mysql> insert into users(name,password) value ('aaa','abcdef'),('bbb','abcdef')\c;   # 以 \c 结尾表示取消当前这条语句,不会执行

mysql>



[root@mail pam_mysql-0.7RC1]# service  vsftpd restart

关闭 vsftpd:                                              [确定]

为 vsftpd 启动 vsftpd:                                    [确定]

[root@mail pam_mysql-0.7RC1]#


我这边不行,报了 500 OOPS: cannot locate user entry 错误,见 /node-admin/15334

image.png


马哥这边可以了

image.png



[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): tony

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

257 "/"

ftp> ls

227 Entering Passive Mode (192,168,1,85,232,62)

150 Here comes the directory listing.

226 Directory send OK.

ftp> bye

221 Goodbye.

[root@mail ~]#



看看它的家目录,验证有下载和上传权限

[root@mail ~]# cp /etc/fstab /var/ftproot/

[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): tony

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls

227 Entering Passive Mode (192,168,1,85,144,241)

150 Here comes the directory listing.

-rw-r--r--    1 0        0             534 Jul 26 06:02 fstab

226 Directory send OK.

ftp> lcd /tmp

Local directory now /tmp

ftp> get fstab

local: fstab remote: fstab

227 Entering Passive Mode (192,168,1,85,196,28)

150 Opening BINARY mode data connection for fstab (534 bytes).

226 File send OK.

534 bytes received in 2.6e-05 seconds (2e+04 Kbytes/s)

ftp> lcd /etc

Local directory now /etc

ftp> pub issue

?Invalid command

ftp> put issue

local: issue remote: issue

227 Entering Passive Mode (192,168,1,85,104,204)

150 Ok to send data.

226 File receive OK.

75 bytes sent in 4.6e-05 seconds (1.6e+03 Kbytes/s)

ftp>


因为权限已经定义好了:虚拟用户的指令权限与匿名用户的指令权限(anon_* 选项)进行匹配


[root@mail ~]# vim /etc/vsftpd/vsftpd.conf

anon_upload_enable=YES


先注释掉几个匿名用户的权限看看;其实最好显式改成 NO,因为注释掉只是回到默认值,而默认值有可能就是 YES

[root@mail ~]# vim /etc/vsftpd/vsftpd.conf

#anon_upload_enable=YES  

#anon_mkdir_write_enable=YES

#anon_other_write_enable=YES



[root@mail ~]# !se

service vsftpd restart

关闭 vsftpd:                                              [确定]

为 vsftpd 启动 vsftpd:                                    [确定]

[root@mail ~]#


看看此时没有 anon_upload_enable、anon_mkdir_write_enable、anon_other_write_enable 这些权限了吧

[root@mail ~]# !ftp

ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): tony

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> lcd /etc

Local directory now /etc

ftp> put inittab

local: inittab remote: inittab

227 Entering Passive Mode (192,168,1,85,254,40)

550 Permission denied.

ftp>



所有的虚拟用户都映射到同一个系统用户 vuser 上,所以此时 peter 用户也不能上传了


[root@mail ~]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): peter

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> lcd /etc

Local directory now /etc

ftp> put inittab

local: inittab remote: inittab

227 Entering Passive Mode (192,168,1,85,122,102)

550 Permission denied.

ftp>



在 /etc/vsftpd/vsftpd.conf 中,添加一项 

user_config_dir=/etc/vsftpd/vusers_dir

# mkdir /etc/vsftpd/vusers_dir

# cd /etc/vsftpd/vusers_dir

# touch tony        # /etc/vsftpd/vusers_dir 目录下 建同名文件,里面放权限

# vim peter             # /etc/vsftpd/vusers_dir 目录下 建同名文件,里面放权限


anon_upload_enable=YES

anon_mkdir_write_enable=YES

anon_other_write_enable=YES


image.png



[root@mail ~]# vim /etc/vsftpd/vsftpd.conf

user_config_dir=/etc/vsftpd/vusers


[root@mail ~]# mkdir /etc/vsftpd/vusers

[root@mail ~]# cd /etc/vsftpd/vusers


建的文件要与用户名同名

[root@mail vusers]# touch tony peter

[root@mail vusers]# vim tony

anon_upload_enable=NO


[root@mail vusers]# vim peter

anon_upload_enable=YES

anon_mkdir_write_enable=YES

anon_other_write_enable=YES



[root@mail vusers]# service vsftpd restart

关闭 vsftpd:                                              [确定]

为 vsftpd 启动 vsftpd:                                    [确定]

[root@mail vusers]#




[root@mail vusers]# !ft

ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): tony

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> lcd /etc

Local directory now /etc

ftp> put inittab          # tony 不能上传

local: inittab remote: inittab

227 Entering Passive Mode (192,168,1,85,52,152)

550 Permission denied.

ftp>



[root@mail vusers]# ftp 192.168.1.85

Connected to 192.168.1.85.

220 (vsFTPd 2.0.5)

504 Unknown AUTH type.

504 Unknown AUTH type.

KERBEROS_V4 rejected as an authentication type

Name (192.168.1.85:root): peter

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> lcd /etc

Local directory now /etc

ftp> put inittab        # peter 是可以上传的

local: inittab remote: inittab

227 Entering Passive Mode (192,168,1,85,128,166)

150 Ok to send data.

226 File receive OK.

1666 bytes sent in 4.7e-05 seconds (3.5e+04 Kbytes/s)

ftp> ls  

227 Entering Passive Mode (192,168,1,85,246,243)

150 Here comes the directory listing.

-rw-r--r--    1 0        0             534 Jul 26 06:02 fstab

-rw-------    1 2531     2531         1666 Jul 26 06:38 inittab

-rw-------    1 2531     2531           75 Jul 26 06:04 issue

226 Directory send OK.

ftp>


读读 README

[root@mail vusers]# cd /root/pam_mysql-0.7RC1

[root@mail pam_mysql-0.7RC1]# ls

acinclude.m4  config.status  install-sh   mkinstalldirs      pkg.m4

aclocal.m4    config.sub     libtool      NEWS               README

ChangeLog     configure      ltmain.sh    pam_mysql.c        stamp-h

config.guess  configure.in   Makefile     pam_mysql.la       stamp-h.in

config.h      COPYING        Makefile.am  pam_mysql.lo

config.h.in   CREDITS        Makefile.in  pam_mysql.spec

config.log    INSTALL        missing      pam_mysql.spec.in

[root@mail pam_mysql-0.7RC1]# less README

可以换一种加密算法试试,最好不要用明文存密码;马哥没有再往下讲

image.png
