VSFTPD virtual user configuration: PAM + PGSQL + FreeBSD-4

xiaoxiao, 2021-03-06

From: http://www.freebsdchina.org

VSFTPD virtual user configuration: PAM + PGSQL + FreeBSD-4 (1.0 beta; corrections are welcome, and I will keep updating it)

vsftpd may be the best ftpd in the world. It is very popular in the Linux world and has a high level of security. The purpose of this article is to have PostgreSQL store your vsftpd virtual users and passwords, with authentication handled by something called PAM.

0. A brief description of how PAM works

If you already understand PAM, skip this section; I may not know as much as you do. If you are not interested, skip it as well, because you can complete the configuration without it.

Code:
    user and password database <-> PAM module <-> daemon (vsftpd)

vsftpd authenticates users in a very smart way that follows the Unix/Linux convention: PAM. PAM sounds a little strange to many people, but they have been using it all along. PAM stands for Pluggable Authentication Modules (I am not sure "plug-in authentication modules" is the right translation). Seeing the word "pluggable" already tells you that it is flexible. Almost all daemons authenticate through PAM these days, including telnetd, sshd and imapd, and even your login goes through PAM. On FreeBSD 4 you can run ps -ax | grep pam and see how many processes, logins included, are written with PAM.

The biggest benefit of PAM is flexibility. It does not care in what format your users and passwords are stored (a database is fine, and so is the usual password file); as long as a corresponding PAM module exists, you can store them there. For example, vsftpd is not limited to PostgreSQL for login verification: if you prefer, you can keep the user data in MySQL, Oracle or an LDAP database, as long as the corresponding PAM module exists. Every daemon can use such a backend database for login, telnetd and sshd included.

The configuration mechanism of PAM differs between FreeBSD versions. FreeBSD-4 keeps it in /etc/pam.conf, a single file that records all PAM services. FreeBSD-5 keeps it in /etc/pam.d and /usr/local/etc/pam.d, where each PAM service is recorded in a separate file. This article does not intend to describe PAM configuration in general. It is not very difficult; after all, it only asks you to set some parameters, not to develop a PAM module. The article is also limited by what I know, so take it as a brick thrown out to attract jade; when I understand PAM more deeply I will write something more in-depth about it.

Preparation: a summary of the roles of the configuration files used below.

Quote:
    /etc/pam.conf               # PAM services configuration
    /etc/pam_pgsql.conf         # pam_pgsql.so configuration
    /usr/local/etc/vsftpd.conf  # vsftpd configuration

1. Install vsftpd, PostgreSQL and pam_pgsql

I installed them from ports. Please use ports or packages rather than downloading and compiling the source yourself, otherwise the method in this article may not work as expected. vsftpd and pam-pgsql in particular must be installed from ports or packages. Their port directories are:

Quote:
    /usr/ports/ftp/vsftpd
    /usr/ports/databases/postgresql7
    /usr/ports/security/pam-pgsql

Installation: just cd into each directory and run make install.

2. Install PostgreSQL (skip this section if you already have PostgreSQL)

A brief note on installing PostgreSQL from ports, because on the BSD side PostgreSQL is usually compiled by yourself. I used the port to compile and install it, since that is the installation method FreeBSD recommends, and the installed software is laid out according to BSD's hier (directory structure), which is easier to manage. When PostgreSQL is installed from the port, the default database administration user is pgsql (the port's installer adds it automatically); on other systems the default is postgres. The procedure to initialize PostgreSQL is as follows.

1) Initialize the database. Log in as root or su to root, then run:

Code:
    # su pgsql
    $ initdb

A normal initialization should print the following:

Reference:
    This database system will be initialized with username "pgsql".
    This user will own all the data files and must also own the server process.
    Creating directory /usr/local/pgsql/data
    Creating directory /usr/local/pgsql/data/base
    Creating directory /usr/local/pgsql/data/global
    Creating directory /usr/local/pgsql/data/pg_xlog
    Creating template1 database in /usr/local/pgsql/data/base/1
    [snip]
    Success. You can now start the database server using:

        /usr/local/bin/postmaster -D /usr/local/pgsql/data
    or
        /usr/local/bin/pg_ctl -D /usr/local/pgsql/data -l logfile start

2) Start PostgreSQL:

Code:
    # /usr/local/etc/rc.d/010.pgsql.sh start

For more detailed help, see the article on FreeBSD Diary about installing PostgreSQL from ports (in English): http://www.freebsdiary.org/postgreSQL.php

3) Set up the user database. I am a PostgreSQL beginner and not familiar with the command line, so I manage the database with phpPgAdmin.

1. First create a database called mydb.
2. Create a table called ftp to store usernames and passwords. The structure of this table is the simplest one the pam_pgsql module requires, and every field is required; you may extend the table, but do not delete these fields. I exported a SQL script so everyone can create it.

Code:
    CREATE SEQUENCE "ftp_id_seq";   -- the id column's DEFAULT below refers to this sequence
    CREATE TABLE "ftp" (
        "id"      int4 DEFAULT nextval('public."ftp_id_seq"') NOT NULL,
        "usr"     varchar(32) NOT NULL,
        "pass"    varchar(32) NOT NULL,
        "expired" bool DEFAULT false NOT NULL,
        "newtok"  bool DEFAULT false NOT NULL
    );

Please create a few users to make debugging easy. This is my ftp table; the names in these records are arbitrary. Note that only users whose expired field is f (false) can log in successfully.

Code:
     id |   usr   |  pass   | expired | newtok
    ----+---------+---------+---------+--------
      1 | ftp     | ftp     | f       | f
      2 | ftp1    | ftp1    | t       | t
      4 | ftp3    | ftp3    | f       | f
      6 | go      | abcdef  | f       | f
      3 | ftp2    | ftp2    | f       | f
      5 | downftp | downftp | f       | f

3. Create a PostgreSQL user called pamusr with the password pamusr. Grant pamusr SELECT permission on the ftp table; note that SELECT is enough, because pam_pgsql only reads the table and never modifies it. You could also use another user, such as the pgsql/postgres user that administers PostgreSQL, but from a security standpoint it is better to create a user dedicated to pam_pgsql.

Note: the database, table and user names do not have to be the same as mine; pam_pgsql does not dictate them, but they must match the pam_pgsql configuration file /etc/pam_pgsql.conf.

4. Set up the pam_pgsql module

Edit /etc/pam_pgsql.conf and fill in the settings from above. For more information, see /usr/local/share/doc/pam-pgsql/readme.

Code:
    # host is not required; the default is a local connection. To reach a
    # remote server, set its IP address and remove the leading #
    #host = 127.0.0.1
    database = mydb
    # the PostgreSQL user just created, and its PostgreSQL password
    user = pamusr
    password = pamusr
    table = ftp
    # username field in the table
    user_column = usr
    # user password field
    pwd_column = pass
    # field marking whether the user account has expired
    expired_column = expired
    # field marking whether the user must change the password
    newtok_column = newtok

5. Set up the PAM service

Add the following entries to /etc/pam.conf:

Code:
    # service-name  module-type  control-flag  module-path   argument
    vsftpd          auth         required      pam_pgsql.so
    vsftpd          account      required      pam_pgsql.so
    vsftpd          password     required      pam_pgsql.so

Note that the service name here is vsftpd. This is not mandatory; the only requirement is that it does not conflict with another service name in pam.conf. The pam_service_name in vsftpd.conf corresponds to the service name here.

About the PAM configuration mechanism on FreeBSD-5: it differs from FreeBSD-4. You should create a file named vsftpd in /etc/pam.d or /usr/local/etc/pam.d with the same content as above. I tried to configure this on FreeBSD 5-CURRENT but did not succeed: with both pam_pgsql and pam_mysql it always reported that the PAM module could not be found. A Google search suggests this error is a FreeBSD 5-CURRENT bug: http://unix.derkeiler.com/mailing-lists/freebsd/current/2003-07/0278.html

6. Configure vsftpd

This follows vsftpd's official documentation on virtual user setup.

1) Add a user named virtual with adduser.
2) Configure /usr/local/etc/vsftpd.conf:

Code:
    # vsftpd takes everything after '=' as the value, so comments must be on their own lines
    anonymous_enable=NO
    local_enable=YES
    write_enable=NO
    anon_upload_enable=NO
    anon_mkdir_write_enable=NO
    anon_other_write_enable=NO
    chroot_local_user=YES
    guest_enable=YES
    dual_log_enable=YES
    # the local user we just added; virtual users run with this local user's permissions
    guest_username=virtual
    # the PAM service name I set in pam.conf; without this line vsftpd uses a PAM service named ftp
    pam_service_name=vsftpd
    listen=YES
    # please add this: vsftpd's default secure_chroot_dir is /usr/share/empty, which the port
    # installation does not create; the port puts it in /usr/local/share/vsftpd/empty.
    # Of course, you can also create the directory yourself.
    secure_chroot_dir=/usr/local/share/vsftpd/empty
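The article stresses that the names in /etc/pam_pgsql.conf (database, user, table and the four column names), the service name in /etc/pam.conf and the pam_service_name and guest_username in vsftpd.conf must all agree, and that pam_pgsql.conf carries a database password. The following POSIX shell script is an added example, not code from the article, from vsftpd or from pam-pgsql, that checks those points before vsftpd is started: it reads the three configuration files, the ftp table's SQL export and a passwd file, and fails on any mismatch or on a pam_pgsql.conf readable by group or others. The sample files it writes to a temporary directory are constructed for the example; the pw_type warning relies on pam_pgsql's pw_type setting, which selects crypt or md5 hashes instead of the clear-text comparison used in this article (see the pam-pgsql README the article points to).

```shell
#!/bin/sh
# Pre-flight check for the vsftpd + PAM + pam_pgsql setup described above.
# Added example: not code from the article, from vsftpd or from pam-pgsql.
# Each function takes file paths, so the constructed sample files at the bottom
# stand in for /etc/pam.conf, /etc/pam_pgsql.conf, /usr/local/etc/vsftpd.conf,
# the ftp table's SQL export and /etc/passwd; on a FreeBSD-4 host point them at
# the real files instead.

# Value of key=value in vsftpd.conf. vsftpd takes everything after '=' as the
# value, so a trailing "# comment" would silently corrupt the setting.
vsftpd_get() {                    # $1 = vsftpd.conf, $2 = key
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Value of "key = value" in pam_pgsql.conf (whitespace around '=' optional).
pgsql_conf_get() {                # $1 = pam_pgsql.conf, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# 0 if pam.conf carries auth and account lines for service $2 that load
# pam_pgsql.so (FreeBSD-4 columns: service module-type control-flag module-path).
pam_service_complete() {          # $1 = pam.conf, $2 = service name
    for type in auth account; do
        awk -v s="$2" -v t="$type" \
            '$1 == s && $2 == t && $4 ~ /pam_pgsql\.so$/ { f = 1 } END { exit !f }' \
            "$1" || return 1
    done
    return 0
}

# 0 if only the owner has any permission bits: pam_pgsql.conf holds the
# database password, so group/other access is a finding.
owner_only() {                    # $1 = file
    case "$(ls -ld "$1" | cut -c5-10)" in
        *[rwx]*) return 1 ;;
        *)       return 0 ;;
    esac
}

# 0 if every *_column named in pam_pgsql.conf appears as a quoted column name
# in the schema export $2 (the CREATE TABLE "ftp" script from section 3).
columns_match() {                 # $1 = pam_pgsql.conf, $2 = schema .sql
    for key in user_column pwd_column expired_column newtok_column; do
        col=$(pgsql_conf_get "$1" "$key")
        [ -n "$col" ] && grep -qi "\"$col\"" "$2" || return 1
    done
    return 0
}

# 0 if the guest_username from vsftpd.conf is an account in passwd file $2.
guest_user_exists() {             # $1 = vsftpd.conf, $2 = passwd file
    user=$(vsftpd_get "$1" guest_username)
    [ -n "$user" ] && grep -q "^$user:" "$2"
}

# Run every check against the files in directory $1. Prints findings and
# returns the number of failed checks (0 means ready to start vsftpd).
preflight() {
    d=$1; fails=0
    svc=$(vsftpd_get "$d/vsftpd.conf" pam_service_name)
    svc=${svc:-ftp}               # vsftpd's default PAM service name is "ftp"
    pam_service_complete "$d/pam.conf" "$svc" ||
        { echo "FAIL pam.conf: no pam_pgsql auth+account lines for service '$svc'"; fails=$((fails + 1)); }
    owner_only "$d/pam_pgsql.conf" ||
        { echo "FAIL pam_pgsql.conf is readable by group/others (chmod 600 it)"; fails=$((fails + 1)); }
    columns_match "$d/pam_pgsql.conf" "$d/ftp.sql" ||
        { echo "FAIL pam_pgsql.conf column names do not match the ftp table"; fails=$((fails + 1)); }
    guest_user_exists "$d/vsftpd.conf" "$d/passwd" ||
        { echo "FAIL guest_username is not in passwd (run adduser first)"; fails=$((fails + 1)); }
    [ -n "$(pgsql_conf_get "$d/pam_pgsql.conf" pw_type)" ] ||
        echo "WARN no pw_type in pam_pgsql.conf: passwords are compared as clear text"
    return $fails
}

# ---- constructed sample files mirroring the article's settings (not real system files) ----
tmp=$(mktemp -d)
cat > "$tmp/pam.conf" <<'EOF'
# service-name  module-type  control-flag  module-path
vsftpd  auth      required  pam_pgsql.so
vsftpd  account   required  pam_pgsql.so
vsftpd  password  required  pam_pgsql.so
EOF
cat > "$tmp/pam_pgsql.conf" <<'EOF'
database = mydb
user = pamusr
password = pamusr
table = ftp
user_column = usr
pwd_column = pass
expired_column = expired
newtok_column = newtok
EOF
chmod 600 "$tmp/pam_pgsql.conf"
cat > "$tmp/ftp.sql" <<'EOF'
CREATE TABLE "ftp" ("id" int4 NOT NULL, "usr" varchar(32) NOT NULL,
  "pass" varchar(32) NOT NULL, "expired" bool NOT NULL, "newtok" bool NOT NULL);
EOF
printf 'guest_enable=YES\nguest_username=virtual\npam_service_name=vsftpd\nlisten=YES\n' > "$tmp/vsftpd.conf"
printf 'virtual:*:1001:1001::/home/virtual:/sbin/nologin\n' > "$tmp/passwd"

preflight "$tmp" && echo "preflight OK"
```

Run it as root with the real file paths substituted. The owner-only check is the one most worth keeping: any local user who can read pam_pgsql.conf learns the database password. The script does not connect to PostgreSQL, so the SELECT-only grant for pamusr from section 3 still has to be verified in psql.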

7. Debugging

Start vsftpd in standalone mode; do not use inetd.

Code:
    # /usr/local/libexec/vsftpd
    # /usr/local/libexec/vsftpd <configuration file>

The second form takes a configuration file name (such as vsftpd.conf.1 or vsftpd.conf.2). vsftpd normally searches the /usr/local/etc directory, so if the file is somewhere else, give the full path.

If nothing is printed, vsftpd started successfully. In practice, the mistakes I make most often are starting vsftpd as a non-root user or getting the chroot path wrong. Now try the following ftp session:

Code:
    > ftp 192.168.1.10
    Connected to 192.168.1.10.
    220 (vsFTPd 1.2.0)
    Name (192.168.1.10:powerplane): downftp
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.

Yeah, success!

Summary

To configure other PAM authentication methods for vsftpd, the approach in this article can be reused; of course, you may need to modify the pam.conf settings. Besides pam_pgsql, FreeBSD's ports also carry pam_mysql and pam_ldap, generally under /usr/ports/security.

Related information:
1. FreeBSD's official document: http://www.freebsd.org/doc/en_us.iso8859-1/Articles/pam/index.html
2. A FreeBSD Diary article on configuring PostgreSQL, suitable for beginners: http://www.freebsdiary.org/postgreSQL.PHP
3. The pam-pgsql and vsftpd READMEs (in the directories below; otherwise look in the source packages):
    /usr/local/share/doc/pam-pgsql/readme
    /usr/local/share/doc/vsftpd/example
    /usr/local/share/doc/vsftpd/example/virtual_users_2/readme

Please credit the original source when reposting: https://www.9cbs.com/read-124686.html
