VSFTPD MySQL Virtual User Configuration
2004-06-30 Jaryer

VSFTPD is a very secure and fast FTP server for UNIX/Linux and is used by many large sites. VSFTPD can keep usernames and passwords in a database file or on a database server; it calls users of this kind virtual users. Unlike the local (system) users of an FTP server, virtual users exist only for the FTP server and can reach only the resources the FTP server exposes, which greatly improves the security of the host itself. Unlike anonymous users, virtual users must supply a username and password to fetch files, which makes users and downloads manageable. For a download service that should not be open to anonymous downloads by everyone, where the downloading users have to be managed, and where host security and a convenient FTP site both matter, virtual users are an excellent solution. This article describes how to keep the virtual usernames and passwords of VSFTPD on Red Hat Linux 9 in a MySQL database server.
First, VSFTPD installation
At the time of writing the latest version of VSFTPD is 1.2.0; the official download address is ftp://vsftpd.beasts.org/Users/cevans/vsftpd-1.2.0.tar.gz. Before installing, make the following preparations:

The default VSFTPD configuration requires a "nobody" user. Add this user to the system; if it already exists, useradd says so:
[root@hpe45 root]# useradd nobody
useradd: user nobody exists

The default VSFTPD configuration also requires the directory /usr/share/empty. Create it; if it already exists, mkdir says so:
[root@hpe45 root]# mkdir /usr/share/empty/
mkdir: cannot create directory `/usr/share/empty': File exists

When VSFTPD provides anonymous FTP service it needs an "ftp" user and a valid anonymous directory:
[root@hpe45 root]# mkdir /var/ftp/
[root@hpe45 root]# useradd -d /var/ftp ftp
The next two commands are also useful when the ftp user already exists: the anonymous root must be owned by root and must not be writable by the ftp user, or vsftpd refuses anonymous logins:
[root@hpe45 root]# chown root.root /var/ftp
[root@hpe45 root]# chmod og-w /var/ftp

With the preparation done, compile the source. Assuming vsftpd-1.2.0.tar.gz was downloaded to /root, run:
[root@hpe45 root]# tar zxvf vsftpd-1.2.0.tar.gz
[root@hpe45 root]# cd vsftpd-1.2.0
[root@hpe45 vsftpd-1.2.0]# make
[root@hpe45 vsftpd-1.2.0]# make install

"make install" copies the compiled binary, the manual pages and so on into their directories. On RHL9 the target directories may not exist, so you may need to do the copies by hand:
[root@hpe45 vsftpd-1.2.0]# cp vsftpd /usr/local/sbin/vsftpd
[root@hpe45 vsftpd-1.2.0]# cp vsftpd.conf.5 /usr/local/share/man/man5
[root@hpe45 vsftpd-1.2.0]# cp vsftpd.8 /usr/local/share/man/man8
Next, copy the simple sample configuration file to serve as the base for later changes:
[root@hpe45 vsftpd-1.2.0]# cp vsftpd.conf /etc
and copy the PAM file so that local users are able to log in to vsftpd (the default PAM service name of vsftpd is "ftp"):
[root@hpe45 vsftpd-1.2.0]# cp redhat/vsftpd.pam /etc/pam.d/ftp
Second, create a guest user
VSFTPD authenticates virtual users through PAM. Because the virtual users' usernames and passwords are kept outside the system account database, a logged-in virtual user still has to run under some real system identity, and that identity is the guest user of VSFTPD. This mirrors anonymous users, for which the system user "ftp" must exist. The guest user can be thought of as the representative of all virtual users in the system. The following creates a user vsftpdguest to act as the VSFTPD guest:
[root@hpe45 vsftpd-1.2.0]# useradd vsftpdguest
When a virtual user logs in, the session lands in vsftpdguest's own home directory, /home/vsftpdguest. If virtual users should land in another directory such as /var/ftp, change the home directory of vsftpdguest.
Third, set the vsftpd configuration file
Add the following options to /etc/vsftpd.conf:
guest_enable=YES
guest_username=vsftpdguest
Then start VSFTPD in the background with the following command:
[root@hpe45 vsftpd-1.2.0]# /usr/local/sbin/vsftpd &
Starting vsftpd from the command line like this requires listen=YES in /etc/vsftpd.conf; without it, vsftpd expects to be started from inetd/xinetd and exits with "not configured for standalone".
Fourth, save the virtual users in the MySQL database server
We create a database vsftpdvu with a table users whose fields name and passwd hold the virtual usernames and passwords, and add two virtual users, xiaotong and xiaowang.
[root@hpe45 vsftpd-1.2.0]# mysql -p
mysql> create database vsftpdvu;
mysql> use vsftpdvu;
mysql> create table users (name char(16) binary, passwd char(16) binary);
mysql> insert into users (name, passwd) values ('xiaotong', password('<password for xiaotong>'));
mysql> insert into users (name, passwd) values ('xiaowang', password('ttmywife'));
mysql> quit
(The source does not give xiaotong's password; substitute your own.) Two caveats: the char(16) column fits the 16-hex-digit hash that PASSWORD() produced in the MySQL 3.23/4.0 releases shipped with RHL9, but MySQL 4.1 and later return a 41-character hash, so there the column must be widened (for example char(41)) or the stored hash is truncated and every login fails. Also, passwords typed at the mysql prompt are recorded in ~/.mysql_history; clear that file afterwards.
Then grant vsftpdguest read access to the users table of the vsftpdvu database:
[root@hpe45 vsftpd-1.2.0]# mysql -u root -p mysql
mysql> grant select on vsftpdvu.users to vsftpdguest@localhost identified by 'i52serial0';
mysql> quit
To verify that this worked, run:
[root@hpe45 vsftpd]# mysql -u vsftpdguest -pi52serial0 vsftpdvu
mysql> select * from users;
If it succeeded, xiaotong and xiaowang are listed with their hashed passwords.
Fifth, set up PAM authentication against MySQL
Here we use the open-source pam_mysql project (http://sourceforge.net/projects/pam-mysql/) to authenticate through MySQL. First download its package pam_mysql-0.5.tar.gz from the site and copy it to /root. Before compiling, make sure the mysql-devel RPM package is installed on the machine; if not, install it from the RHL installation CD. Then run:
[root@hpe45 root]# tar xvzf pam_mysql-0.5.tar.gz
[root@hpe45 root]# cd pam_mysql
[root@hpe45 pam_mysql]# make
[root@hpe45 pam_mysql]# make install
The "make install" step may fail; in that case copy the pam_mysql.o built in this directory to /lib/security by hand.
Next, set up the PAM file for VSFTPD. Open /etc/pam.d/ftp and add the following (each directive on one line):
auth required pam_mysql.o user=vsftpdguest passwd=i52serial0 host=localhost db=vsftpdvu table=users usercolumn=name passwdcolumn=passwd crypt=2
account required pam_mysql.o user=vsftpdguest passwd=i52serial0 host=localhost db=vsftpdvu table=users usercolumn=name passwdcolumn=passwd crypt=2
The parameters follow directly from the database settings above. Two practical points: if the pam_stack/pam_unix lines copied from redhat/vsftpd.pam stay in the file as "required", every login must satisfy them as well, and virtual users, which do not exist in /etc/passwd, will be rejected, so either replace the file's contents with the pam_mysql lines or place them first as "sufficient"; and since the file carries the database password in clear text, keep it owned by root and not world-readable.
The crypt parameter deserves attention: it tells pam_mysql how the password column is stored. crypt=0 means the password is stored in clear text (not hashed); crypt=1 means it is hashed with the system crypt(3) function (traditional UNIX DES); crypt=2 means it is stored as the output of MySQL's PASSWORD() function, which is what we used above.
Sixth, further virtual user settings
After the steps above, virtual users can already log in and work normally. Here are some further settings for virtual users, starting with their privileges.

VSFTPD 1.2.0 adds the option virtual_use_local_privs. When it is on (YES), virtual users get the same privileges as local users; when it is off (NO), virtual users get the same privileges as anonymous users, which is how virtual user privileges were handled before VSFTPD 1.2.0. Of the two, the latter is stricter, particularly where write access is concerned. The option is off (NO) by default. With virtual_use_local_privs=YES, setting write_enable=YES is enough to give virtual users write access. With virtual_use_local_privs=NO, the privileges of virtual users are controlled more tightly, through the anon_* options:

Controlling directory browsing by virtual users: to keep virtual users from listing the directory, set anon_world_readable_only=YES in the configuration file (with it, only world-readable files and directories are visible to anonymous and virtual users) and make the virtual users' directory accessible to vsftpdguest alone:
[root@hpe45 root]# chown vsftpdguest.vsftpdguest /home/vsftpdguest
[root@hpe45 root]# chmod 700 /home/vsftpdguest

Allowing virtual users to upload files:
write_enable=YES
anon_upload_enable=YES

Allowing virtual users to rename and delete files:
anon_other_write_enable=YES

Because the anon_* options above apply equally to anonymous users, disable anonymous login (anonymous_enable=NO) if anonymous users should not receive the same privileges.

Second, because a virtual user acts as vsftpdguest in the system, it can reach other directories. To be safer, confine virtual users to their own directory. There are two ways to do this:
1. Add the options chroot_local_user=NO, chroot_list_enable=YES and chroot_list_file=/etc/vsftpd.chroot_list, and put the virtual usernames xiaotong and xiaowang into /etc/vsftpd.chroot_list.
2. Set chroot_local_user=YES in the configuration file.
After this change, a virtual user's root directory on login is /home/vsftpdguest and no other directory can be reached.
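As an added example (not part of this article and not vsftpd's own tooling), the following POSIX shell script audits a vsftpd.conf for the combinations this section warns about: anonymous login left on while anon_* write options are granted to virtual users, no chroot, virtual_use_local_privs=YES together with write_enable=YES, and guest_username left at its default. The defaults it assumes for unset options are the documented vsftpd defaults (anonymous_enable=YES, chroot_local_user=NO, chroot_list_enable=NO, virtual_use_local_privs=NO, write_enable=NO, guest_username=ftp); the function names and finding messages are my own.

```shell
#!/bin/sh
# Audit a vsftpd.conf for the virtual-user pitfalls described above.
# Added example for this article; not part of vsftpd and not the author's code.
# Assumes a vsftpd 1.2.x-style "key=value" file with no whitespace around '='
# (vsftpd itself rejects such whitespace) and the documented defaults for
# options that are absent.

# vsftpd_opt FILE KEY DEFAULT
# Print the effective value of KEY in FILE, lowercased. Commented lines never
# match because they start with '#'; the last occurrence wins. Prints DEFAULT
# when the key is absent or the file cannot be read.
vsftpd_opt() {
    val=$(sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n 1 | tr 'A-Z' 'a-z')
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$3"
    fi
}

# audit_vsftpd_conf FILE
# Print one finding per line and return the number of findings as the exit
# status (0 means the virtual-user settings are as tight as this section
# recommends). A config that does not enable virtual users at all is
# reported and returns 1 immediately.
audit_vsftpd_conf() {
    conf=$1
    n=0
    if [ "$(vsftpd_opt "$conf" guest_enable no)" != yes ]; then
        echo "guest_enable is not YES: virtual users cannot log in at all"
        return 1
    fi
    # 1. Anonymous login still on: every anon_* right given to virtual users
    #    is given to anonymous users as well.
    if [ "$(vsftpd_opt "$conf" anonymous_enable yes)" = yes ]; then
        echo "anonymous_enable=YES (default): anon_* options also apply to anonymous logins; set anonymous_enable=NO"
        n=$((n + 1))
    fi
    # 2. No chroot: virtual users roam the filesystem as guest_username.
    if [ "$(vsftpd_opt "$conf" chroot_local_user no)" != yes ] &&
       [ "$(vsftpd_opt "$conf" chroot_list_enable no)" != yes ]; then
        echo "no chroot: set chroot_local_user=YES, or chroot_list_enable=YES with the virtual users in chroot_list_file"
        n=$((n + 1))
    fi
    # 3. Write access. With virtual_use_local_privs=YES write_enable alone
    #    grants full local-user write rights; with it off, rename/delete
    #    needs anon_other_write_enable, which is the broader of the anon_* rights.
    if [ "$(vsftpd_opt "$conf" write_enable no)" = yes ]; then
        if [ "$(vsftpd_opt "$conf" virtual_use_local_privs no)" = yes ]; then
            echo "virtual_use_local_privs=YES with write_enable=YES: virtual users get full local-user write rights"
            n=$((n + 1))
        elif [ "$(vsftpd_opt "$conf" anon_other_write_enable no)" = yes ]; then
            echo "anon_other_write_enable=YES: virtual (and anonymous) users may rename and delete files"
            n=$((n + 1))
        fi
    fi
    # 4. guest_username left at its default makes virtual users run as the
    #    anonymous 'ftp' account instead of a dedicated one.
    if [ "$(vsftpd_opt "$conf" guest_username ftp)" = ftp ]; then
        echo "guest_username defaults to ftp: use a dedicated account such as vsftpdguest"
        n=$((n + 1))
    fi
    return "$n"
}

# Usage: sh audit_vsftpd.sh /etc/vsftpd.conf
if [ $# -gt 0 ]; then
    audit_vsftpd_conf "$1"
fi
```

Run it against /etc/vsftpd.conf before starting vsftpd; a non-zero exit status lists what to change. The upload-only case (write_enable=YES plus anon_upload_enable=YES, no rename/delete) is deliberately not flagged, since that is the setting this section recommends for a managed download site that also accepts uploads.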
Seventh, personal directories for virtual users