分类: LINUX
2008-02-20 15:35:45
建立用于存放vsftpd虚拟用户的Schema的过程:
mysql> create database vsftpd;
mysql> use vsftpd;
mysql> create table users (
-> id int AUTO_INCREMENT NOT NULL,
-> name char(16) binary NOT NULL,
-> passwd char(48) binary NOT NULL,
-> primary key(id)
-> );
mysql> describe users;
+--------+----------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+--------+----------+------+-----+---------+----------------+
| id | int(11) | | PRI | NULL | auto_increment |
| name | char(16) | | | | |
| passwd | char(48) | | | | |
+--------+----------+------+-----+---------+----------------+
mysql> create table logs (msg varchar(255),
-> user char(16),
-> pid int,
-> host char(32),
-> rhost char(32),
-> logtime timestamp
-> );
mysql> describe logs;
+---------+--------------+------+-----+-------------------+-------+
| Field | Type | Null | Key | Default | Extra |
+---------+--------------+------+-----+-------------------+-------+
| msg | varchar(255) | YES | | NULL | |
| user | varchar(16) | YES | | NULL | |
| pid | int(11) | YES | | NULL | |
| host | varchar(32) | YES | | NULL | |
| rhost | varchar(32) | YES | | NULL | |
| logtime | timestamp | YES | | CURRENT_TIMESTAMP | |
+---------+--------------+------+-----+-------------------+-------+
这里,用户密码这个字段的长度是48。这是根据MySQL加密函数的返回值的长度确定的。关于PASSWORD函数返回值的长度,可以参考这个:
http://dev.mysql.com/doc/refman/4.1/en/password-hashing.html
mysql> select encrypt('foo');
+----------------+
| encrypt('foo') |
+----------------+
| 4Wwn2AXFYb.So |
+----------------+
mysql> select password('foo');
+-------------------------------------------+
| password('foo') |
+-------------------------------------------+
| *F
+-------------------------------------------+
、
mysql> select md5('foo');
+----------------------------------+
| md5('foo') |
+----------------------------------+
| acbd18db4cc
+----------------------------------+
编译安装pam_mysql
# ./configure --with-openssl
# make
# make install
加上--with-openssl可以避免make时报有关md5.h的编译错误
建立/etc/pam.d/vsftpd.mysql(因为只是想验证pam_mysql的安装过程,所以我不想覆盖原有的vsftpd这个文件)。[color=#FF0000]注意只有两行,auth是一行,account是一行。[/color]
auth required /lib/security/pam_mysql.so user=root passwd=123456 host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime verbose=1
account required /lib/security/pam_mysql.so user=root passwd=123456 host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime verbose=1
注意这里pam_mysql.so的路径是/lib/security;指定了sqllog;加密方式是2,也就是用MySQL PASSWORD()函数;verbose=1,设置这个可以帮助调试,日志信息输出在/var/log/messages里。
建立/etc/vsftpd/vsftpd.mysql.conf(同样,不影响已有的vsftpd服务,执行service vsftpd restart时会启动两个vsftpd服务,端口不一样)
主要的设置如下:
pam_service_name=vsftpd.mysql
listen=YES
tcp_wrappers=YES
local_enable=YES
guest_enable=YES
guest_username=ftp
listen_port=2121
注意pam_service_name=vsftpd.mysql指定了使用刚才设置的pam_mysql。
插入用户信息:
mysql> insert into users (name,passwd) values('tom',password('foo'));
mysql> insert into users (name,passwd) values('jerry',password('bar'));
mysql> select * from users;
+----+-------+-------------------------------------------+
| id | name | passwd |
+----+-------+-------------------------------------------+
| 1 | tom | *F
| 2 | jerry | *E8D46CE25265E545D
+----+-------+-------------------------------------------+
然后试验pam_mysql v0.7新加的config_file配置选项。这个选项用来指定一个配置文件,可以把所有pam_mysql的配置放在这个文件中。这样的话,/etc/pam.d/vsftpd.mysql的内容变成这样:
auth required /usr/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
account required /usr/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
/etc/security/pam_mysql.conf的内容:
users.host=localhost
users.database=vsftpd
users.db_user=root
users.db_passwd=123456
users.table=users
users.user_column=name
users.password_column=passwd
users.password_crypt=3
verbose=1
log.enabled=1
log.table=logs
log.message_column=msg
log.pid_column=pid
log.user_column=user
log.host_column=host
log.rhost_column=rhost
log.time_column=logtime
改好这些以后,用之前建好的虚拟用户登录,居然不行!而且这次/var/log/messages里没有任何错误消息。ls -ltr /var/log 发现secure这个文件最新,试着打开,果然发现了pam_mysql的调试信息:
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option verbose is set to "1"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.enabled is set to "1 "
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.table is set to "logs"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.message_column is set to "msg"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.pid_column is set to "pid"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.user_column is set to "user"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.host_column is set to "host"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.rhost_column is set to "rhost"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.time_column is set to "logtime"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - pam_sm_authenticate() called.
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - pam_mysql_open_db() called.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - MySQL error (Unknown MySQL server host 'localhost ' (3))
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_mysql_open_db() returning 5.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_sm_authenticate() returning 9.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_mysql_release_ctx() called.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_mysql_destroy_ctx() called.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_mysql_close_db() called.
仔细检查,发现原因在这里:
[color=#FF0000]pam_mysql - MySQL error (Unknown MySQL server host 'localhost ' (3))[/color]
原来配置文件里users.host=localhost 这行行尾多了一个空格!郁闷!修改以后就可以登录了。
最后,我在论坛里回复时说过不能用password这种方式,原因是
2 (or "mysql") = Use MySQL PASSWORD() function. It is possible
that the encryption function used by PAM-MySQL
is different from that of the MySQL server, as
PAM-MySQL uses the function defined in MySQL's
C-client API instead of using PASSWORD() SQL function
in the query.
事实证明我说错了。 :oops:
还有,两个log可以帮助分析故障(当然可能仅在RedHat下),/var/log/messages和/var/log/secure