vsftpd virtual user configuration: PAM + pam_pgsql on FreeBSD-4
PowerPlane
(1.02 beta; corrections welcome, this text may be updated at any time)
vsftpd may be the best ftpd around: it is very popular in the Linux world, and it is both secure and efficient. The purpose of this article is to have PostgreSQL store your vsftpd virtual users and their passwords, and to authenticate them through a mechanism called PAM.
A brief introduction to how PAM works. If you already understand PAM, skip this part; I may not know it as well as you do. If you are not interested, skip it as well, since you can still complete the configuration without it.
User <-> vsftpd <-> PAM Module <-> User and Password Database
vsftpd authenticates users in a very clean way that follows the Unix/Linux convention: through PAM. PAM may sound unfamiliar to many people, but you have been using it all along. PAM stands for Pluggable Authentication Modules (I am not sure that "plug-in authentication module" is the right translation). The word "pluggable" already tells you that it is flexible. Almost every daemon now authenticates through PAM, including telnet, sshd and imapd, and even your console login. On FreeBSD 4 you can run
ps -ax | grep pam
to see how many login-related processes involve PAM.
The biggest benefit of PAM is flexibility. It does not care what format your user and password data are in (a database is fine, and so are the usual password files); as long as a matching PAM module exists, you can store them that way. For example, not only can vsftpd authenticate against PostgreSQL through pam_pgsql, you can also keep user data in MySQL, Oracle or an LDAP directory if you prefer, as long as a corresponding PAM module exists. And every daemon, telnet and sshd included, can then log users in against the same back-end database.
PAM's configuration mechanism differs between FreeBSD versions. FreeBSD-4 uses /etc/pam.conf, a single file that records all PAM services. FreeBSD-5 uses /etc/pam.d and /usr/local/etc/pam.d, where each PAM service is recorded in its own file.
This article does not intend to describe PAM configuration in detail. It is not very difficult: after all, you only need to set a few parameters, not develop a PAM module. My own knowledge is limited, so what is written here is only what I have learned so far, offered in the hope of drawing out better contributions. When I understand PAM more deeply I may write a more in-depth article about it.
Before starting, the configuration files that will be used and their roles:
/etc/pam.conf               # PAM service configuration
/etc/pam_pgsql.conf         # pam_pgsql.so configuration
/usr/local/etc/vsftpd.conf  # vsftpd configuration
First, install vsftpd, PostgreSQL and pam_pgsql
I installed from ports; please use ports or packages rather than downloading and compiling the source yourself, otherwise the method in this article may not work as described. vsftpd and pam-pgsql in particular must be installed from ports/packages. Their port directories are:
/usr/ports/ftp/vsftpd
/usr/ports/databases/postgresql7
/usr/ports/security/pam-pgsql
Installation: just cd into the port directory and run make install.
Second, install PostgreSQL (if you already have PostgreSQL, skip this section)
A brief mention of installing PostgreSQL from ports, because the usual PostgreSQL instructions for BSD assume you compile it yourself. I installed from ports because that is the method FreeBSD recommends, and software installed that way follows BSD's hier(7) directory layout, which is easier to manage. When PostgreSQL is installed from ports, the default database administration user is pgsql (added automatically by the port's installer), whereas elsewhere the default is postgres. Initializing PostgreSQL goes as follows:
1. Initialize the database. Log in as root or su to root, then run:
# su pgsql
$ initdb
A normal initialization prints something like:
This database system will be initialized with username "pgsql".
This user will own all the data files and must also own the server process.
Creating directory /usr/local/pgsql/data
Creating directory /usr/local/pgsql/data/base
Creating directory /usr/local/pgsql/data/global
Creating directory /usr/local/pgsql/data/pg_xlog
Creating template1 database in /usr/local/pgsql/data/base/1
You can now start the database server using:
    /usr/local/bin/postmaster -D /usr/local/pgsql/data
or
    /usr/local/bin/pg_ctl -D /usr/local/pgsql/data -l logfile start
2. Start PostgreSQL
# /usr/local/etc/rc.d/010.pgsql.sh start
For more detailed help, see the freebsddiary article on installing PostgreSQL from ports (in English): http://www.freebsddiary.org/postgreSQL.PHP
Third, set up the user database
I am a PostgreSQL beginner and not familiar with the command line, so I manage the database with phpPgAdmin.
1. First create a database called mydb.
2. Create a table called ftp to store user names and passwords. This is the simplest table structure the pam_pgsql module requires: every column is needed. You can extend the table, but do not delete these columns. I exported a SQL script for creating it:
CREATE SEQUENCE "ftp_id_seq";   -- sequence used by the id column's default
CREATE TABLE "ftp" (
    "id" int4 DEFAULT nextval('public."ftp_id_seq"'::text) NOT NULL,
    "usr" varchar(32) NOT NULL,
    "pass" varchar(32) NOT NULL,
    "expired" bool DEFAULT false NOT NULL,
    "newtok" bool DEFAULT false NOT NULL
);
Please create a few users to make debugging easier. This is my ftp table; the names are arbitrary. Note that only rows whose expired column is f (false) can log in successfully.
 id | usr     | pass    | expired | newtok
----+---------+---------+---------+--------
  1 | ftp     | ftp     | f       | f
  2 | ftp1    | ftp1    | t       | t
  4 | ftp3    | ftp3    | f       | f
  6 | go      | abcdef  | f       | f
  3 | ftp2    | ftp2    | f       | f
  5 | downftp | downftp | f       | f
3. Create a PostgreSQL user called pamusr, with password pamusr, and grant pamusr SELECT on the ftp table. Note that SELECT is enough: pam_pgsql only reads the table and never modifies it. You could also use another user, such as the pgsql/postgres administrative user, but from a security standpoint it is better to create a user dedicated to pam_pgsql.
Note: the database, table and user names do not have to match mine; pam_pgsql does not require specific names. These settings must, however, agree with the pam_pgsql configuration file /etc/pam_pgsql.conf.
Fourth, set up the pam_pgsql module
Edit /etc/pam_pgsql.conf and add the following. For more details see /usr/local/share/doc/pam-pgsql/README.
# Not required; the default is a local connection. To connect to a remote server, set its IP here and remove the #.
#host = 127.0.0.1
database = mydb
# the PostgreSQL user just added, and its password
user = pamusr
password = pamusr
table = ftp
# column holding the user name
user_column = usr
# column holding the user's password
pwd_column = pass
# column holding the account-expired flag
expired_column = expired
# column flagging whether the password must be changed
newtok_column = newtok
Fifth, set up the PAM service configuration
a. FreeBSD-4
Add the following entries to /etc/pam.conf:
# service-name  module-type  control-flag  module-path   arguments
vsftpd          auth         required      pam_pgsql.so
vsftpd          account      required      pam_pgsql.so
vsftpd          password     required      pam_pgsql.so
Note that the service name here is vsftpd, but that is not mandatory; the only requirement is that it does not conflict with a service name already present in pam.conf. The pam_service_name in vsftpd.conf corresponds to this service name.
b. FreeBSD-5 configuration
The PAM configuration mechanism in FreeBSD-5 differs from FreeBSD-4: you create a file named vsftpd in /etc/pam.d or /usr/local/etc/pam.d with the same content as above. I tried this on FreeBSD 5-CURRENT without success: whether with pam_pgsql or pam_mysql, it always reported that the PAM module could not be found. A Google search suggests this is a known bug: http://unix.derkeiler.com/mailing-lists/freebsd/current/2003-07/0278.html. The 5-CURRENT PAM service configuration is still given here for reference. Create the file /etc/pam.d/vsftpd (note that the file name is the PAM service name):
auth      required  pam_pgsql.so
account   required  pam_pgsql.so
password  required  pam_pgsql.so
Sixth, configure vsftpd
This follows the official vsftpd documentation for virtual user setup.
1. Add a user with adduser, named virtual.
2. Configure /usr/local/etc/vsftpd.conf:
anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
guest_enable=YES
dual_log_enable=YES
# The local user just added; virtual users get the permissions of this local user "virtual".
guest_username=virtual
# The PAM service name I set in pam.conf; without this, vsftpd uses a PAM service named "ftp".
pam_service_name=vsftpd
listen=YES
# Please add this: vsftpd's default secure_chroot_dir is /usr/share/empty, but the port does not create that directory and instead provides /usr/local/share/vsftpd/empty. You can of course create a directory yourself.
secure_chroot_dir=/usr/local/share/vsftpd/empty
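Two things the sections above depend on can be checked mechanically: the pam_service_name in vsftpd.conf (or vsftpd's default "ftp" when it is absent) must have auth and account entries in /etc/pam.conf, and /etc/pam_pgsql.conf, which holds the database password in clear text, should not be readable by other users. The following POSIX shell script is an added example, not part of the original article or of vsftpd/pam_pgsql; it assumes the FreeBSD-4 style single pam.conf and the file paths listed earlier.

```shell
#!/bin/sh
# Added audit helper (not part of the original article or of vsftpd/pam_pgsql).
# It checks two points the article relies on: the PAM service name in
# vsftpd.conf must have matching entries in the FreeBSD-4 style pam.conf,
# and pam_pgsql.conf, which holds the database password, must not be
# readable by other users. File paths are passed as arguments.

# Print the PAM service name vsftpd will use: the last pam_service_name=
# setting in the given vsftpd.conf, or vsftpd's built-in default "ftp".
vsftpd_pam_service() {
    name=$(grep '^[[:space:]]*pam_service_name[[:space:]]*=' "$1" 2>/dev/null \
           | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]#].*//')
    if [ -n "$name" ]; then printf '%s\n' "$name"; else printf 'ftp\n'; fi
}

# Return 0 when pam.conf ($1) has both an "auth" and an "account" line for
# service $2 whose module is pam_pgsql.so (with or without a directory);
# otherwise report each missing line and return 1.
pam_service_configured() {
    rc=0
    for type in auth account; do
        if ! awk -v s="$2" -v t="$type" \
               '$1 == s && $2 == t && $4 ~ /pam_pgsql\.so$/ { found = 1 }
                END { exit !found }' "$1"; then
            echo "missing in $1: $2 $type required pam_pgsql.so"
            rc=1
        fi
    done
    return $rc
}

# Return 0 when the file is not readable, writable or executable by group
# or others (mode 0600 or stricter); uses ls -l so it works on BSD and GNU.
secret_file_private() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "$1 is accessible to group/others; chmod 600 it"; return 1 ;;
    esac
}

# Audit the live files when invoked as: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    svc=$(vsftpd_pam_service /usr/local/etc/vsftpd.conf)
    pam_service_configured /etc/pam.conf "$svc" \
        && secret_file_private /etc/pam_pgsql.conf \
        && echo "OK: PAM service '$svc' is configured and pam_pgsql.conf is private"
fi
```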
Seventh, debugging
Start vsftpd in standalone mode, not from inetd:
/usr/local/libexec/vsftpd
or
/usr/local/libexec/vsftpd <configuration file name> (such as vsftpd.conf.1 or vsftpd.conf.2)
By default it looks for the file in /usr/local/etc; if you put it somewhere else, give the full path.
If nothing is printed, vsftpd started successfully. In practice, the mistakes I most often ran into concerned the user vsftpd was started as, or a wrong chroot path. Now try an ftp login:
> ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 1.2.0)
Name (192.168.1.10:powerplane): downftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
Yes, success.
Summary: to configure other PAM authentication methods for vsftpd, the approach in this article can be reused; you only need to change the pam.conf settings. Besides pam_pgsql, FreeBSD's ports also offer pam_mysql and pam_ldap, generally under /usr/ports/security.