Category: LINUX

2011-04-22 15:58:42

CentOS: vsftpd virtual-user configuration, a production example

Built for a production environment; the system is CentOS 5.4 x86_64 (which ships vsftpd 2.0.5).

Install: yum -y install vsftpd db4 db4-utils
(the original used "db*", which yum expands to every package whose name starts with db; db_load, used below, comes from db4-utils)
Requirement: three virtual users sharing one home directory, with these rights:
ftpadmin  read, write, delete (upload, download, delete)
ftpuser   read, write (upload, download, but no delete)
ftp       read (download only)
Directory: /ftpdata
Password: 123456 for all three (a placeholder for this walkthrough; FTP sends it in clear text, so in production give each account its own strong password)
   
I. Create the virtual-user database

1. Create the file loginuser.txt
Format: alternating lines, each username followed on the next line by its password:
username
password
vi /etc/vsftpd/loginuser.txt
ftpadmin
123456
ftpuser
123456
ftp
123456

2. Generate the database file:
db_load -T -t hash -f /etc/vsftpd/loginuser.txt /etc/vsftpd/vsftpd_login.db
chmod 600 /etc/vsftpd/vsftpd_login.db
(loginuser.txt still holds the same passwords in clear text; give it mode 600 as well, or delete it once the .db has been built)

3. Configure the PAM service
vi /etc/pam.d/vsftpd.vu
On 64-bit systems the module lives under lib64 (the path may also be omitted, PAM searches its own module directory); db= takes the database path without the .db suffix:
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
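The database step above has a silent failure mode: db_load -T reads the text file as alternating key/value lines, so an odd line count or a blank line shifts every later password into the username slot and nobody notices until logins fail. The script below is an added example written for this page, not the author's, that builds loginuser.txt from user:password pairs, refuses a malformed file, and only then calls db_load. It assumes db_load from the db4-utils package (CentOS 5/6); the accounts at the bottom are a constructed sample using the post's placeholder password, and the function names are my own.

```shell
#!/bin/sh
# Build the vsftpd virtual-user database from "user:password" pairs.
# Added example for this post, not the author's script. It assumes db_load from
# db4-utils (CentOS 5/6) and the alternating username/password layout that
# "db_load -T" reads; the account list at the bottom is a constructed sample.

# pairs_to_loginuser OUTFILE   (reads "user:password" lines on stdin)
# Writes the alternating layout. Usernames are limited to [A-Za-z0-9._-] so a
# stray space or colon cannot shift later entries; passwords may contain ':'.
pairs_to_loginuser() {
    out=$1
    ( umask 077; : > "$out" ) || return 1   # plaintext passwords: owner-only from creation
    while IFS=: read -r user pass; do
        case "$user" in
            ''|*[!A-Za-z0-9._-]*) echo "bad username: '$user'" >&2; return 1 ;;
        esac
        [ -n "$pass" ] || { echo "empty password for $user" >&2; return 1; }
        printf '%s\n%s\n' "$user" "$pass" >> "$out"
    done
}

# check_loginuser FILE
# db_load -T pairs consecutive lines as key/value. An odd line count or a blank
# line silently turns later passwords into usernames, so refuse such a file.
check_loginuser() {
    f=$1
    n=$(grep -c '' "$f" || :)
    [ "$n" -gt 0 ] && [ $((n % 2)) -eq 0 ] || { echo "$f: $n lines, expected an even non-zero count" >&2; return 1; }
    if grep -q '^[[:space:]]*$' "$f"; then
        echo "$f: contains a blank line" >&2; return 1
    fi
}

# build_userdb LOGINUSER_TXT DBFILE   (DBFILE carries the .db suffix, as in the post)
build_userdb() {
    check_loginuser "$1" || return 1
    command -v db_load >/dev/null 2>&1 || { echo "db_load missing: yum -y install db4-utils" >&2; return 2; }
    db_load -T -t hash -f "$1" "$2" && chmod 600 "$2"
}

# Demo on constructed accounts in a scratch directory (123456 is the post's
# placeholder password, not a recommendation).
demo=$(mktemp -d)
printf '%s\n' 'ftpadmin:123456' 'ftpuser:123456' 'ftp:123456' |
    pairs_to_loginuser "$demo/loginuser.txt"
check_loginuser "$demo/loginuser.txt" && echo "loginuser.txt ok: $(grep -c '' "$demo/loginuser.txt") lines"
build_userdb "$demo/loginuser.txt" "$demo/vsftpd_login.db" || echo "skipped db_load (status $?)"
rm -rf "$demo"
```

On a real host, point build_userdb at /etc/vsftpd/loginuser.txt and /etc/vsftpd/vsftpd_login.db; the PAM line above then references it as db=/etc/vsftpd/vsftpd_login, without the suffix.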

II. Create the local system user the virtual users map to
useradd vsftp -d /ftpdata -s /bin/false
chown vsftp:vsftp /ftpdata
(/ftpdata must already exist for the chown to work; the mkdir that creates it appears in part III, so run that first. All three virtual users run as this one uid, so file ownership cannot tell ftpadmin's files from ftpuser's.)

III. vsftpd.conf
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak
rm -f /etc/vsftpd/vsftpd.conf
vi /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
listen_port=21
userlist_enable=YES
chroot_local_user=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vsftp
pam_service_name=vsftpd.vu
user_config_dir=/etc/vsftpd/vsftpd_user_conf
virtual_use_local_privs=YES
pasv_min_port=50000
pasv_max_port=60000
pasv_enable=YES
max_clients=200
max_per_ip=10
idle_session_timeout=600
ftpd_banner=Welcome to  FTP service

What the key lines do: guest_enable=YES makes every login that passes the vsftpd.vu PAM stack run as guest_username (vsftp); virtual_use_local_privs=YES gives those sessions local-user privileges, so write_enable and local_umask decide what they may do and the anon_* options do not apply; chroot_local_user=YES jails them in local_root; user_config_dir lets a file named after the login user override settings for that user only. The passive range 50000-60000 must be open on any firewall in front of the host. Note that chown vsftp /ftpdata makes the chroot root writable by the session uid: vsftpd 2.0.5 on CentOS 5 allows this, but vsftpd 2.3.5 and later refuse the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" unless allow_writeable_chroot=YES is set or the root is made non-writable with uploads going to a subdirectory.

mkdir -p /ftpdata
mkdir /etc/vsftpd/vsftpd_user_conf
vi /etc/vsftpd/vsftpd_user_conf/ftpadmin    (all rights)
write_enable=YES
# the next five lines are inert for this user: anonymous_enable is settled before the
# per-user file is read, and with virtual_use_local_privs=YES the anon_* options are never consulted
anonymous_enable=NO
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_umask=022
download_enable=YES
local_root=/ftpdata

vi /etc/vsftpd/vsftpd_user_conf/ftpuser    (upload and download, but no delete)
write_enable=YES
# cmds_allowed is a whitelist: DELE and RMD are left out, so files and directories cannot be
# removed. STOR can still overwrite any file the vsftp uid may write, and RNFR/RNTO can still
# rename anything, so existing content is not fully protected.
cmds_allowed=ABOR,CWD,LIST,MDTM,MKD,NLST,PASS,PASV,PORT,PWD,QUIT,RETR,RNFR,RNTO,SIZE,STOR,TYPE,USER,REST,CDUP,HELP,MODE,NOOP,REIN,STAT,STOU,STRU,SYST,FEAT
# uploads are created 0444 (minus the default umask 077, giving 0400), so this user's own
# uploads cannot be truncated by a later STOR
file_open_mode=0444
local_root=/ftpdata

vi /etc/vsftpd/vsftpd_user_conf/ftp    (download only)
write_enable=NO
# the anon_* lines below are inert with virtual_use_local_privs=YES; write_enable=NO alone does the job
anon_world_readable_only=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
local_umask=022
download_enable=YES
local_root=/ftpdata

service vsftpd restart
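With virtual_use_local_privs=YES the per-user anon_* lines above are never consulted, and leaving DELE out of cmds_allowed does not stop STOR from overwriting or RNFR/RNTO from renaming. The script below is an added example for this page (not part of the post and not vsftpd's own code) that reads a vsftpd.conf plus its per-user files and reports, for each user, which data-destroying verbs remain and which lines are inert; it also flags the chroot-plus-writable-root combination that vsftpd 2.3.5 and later refuse. The three per-user files and the vsftpd.conf lines it audits are constructed copies of the ones above, and all function names are my own.

```shell
#!/bin/sh
# Audit what each vsftpd virtual user can actually do, from vsftpd.conf plus the
# per-user files in user_config_dir. Added example for this post, not vsftpd's
# code; write_demo_configs writes constructed copies of the post's three
# per-user files and of the relevant vsftpd.conf lines.

# vsftpd_get KEY FILE: value of KEY (last definition wins, as in vsftpd); prints
# nothing if the key or file is absent. No spaces around '=' (vsftpd rejects them).
vsftpd_get() {
    [ -r "$2" ] || return 0
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# get2 KEY USERCONF MAINCONF: per-user value if set, otherwise the global one.
get2() {
    v=$(vsftpd_get "$1" "$2")
    [ -n "$v" ] || v=$(vsftpd_get "$1" "$3")
    printf '%s\n' "$v"
}

# is_yes KEY USERCONF MAINCONF: vsftpd accepts YES/TRUE/1 in any letter case.
is_yes() {
    case "$(get2 "$1" "$2" "$3" | tr a-z A-Z)" in YES|TRUE|1) return 0 ;; *) return 1 ;; esac
}

# destructive_cmds_allowed USERCONF MAINCONF: data-destroying verbs the user may
# still send. cmds_allowed is a whitelist; unset means everything. Dropping
# DELE/RMD is not "cannot delete": STOR truncates any existing file the guest
# uid can write (ftpadmin's 0644 uploads, say) and RNFR/RNTO moves anything.
destructive_cmds_allowed() {
    is_yes write_enable "$1" "$2" || { printf '\n'; return 0; }
    allowed=$(get2 cmds_allowed "$1" "$2" | tr a-z A-Z)
    out=''
    for c in DELE RMD STOR APPE RNFR RNTO; do
        if [ -z "$allowed" ]; then
            out="$out $c"
        else
            case ",$allowed," in *",$c,"*) out="$out $c" ;; esac
        fi
    done
    printf '%s\n' "${out# }"
}

# inert_options USERCONF MAINCONF: per-user lines vsftpd never acts on for this
# user. anonymous_enable is settled before the per-user file is read; with
# virtual_use_local_privs=YES the session has local-user privileges, so the
# anon_* family is not consulted.
inert_options() {
    local_privs=0
    is_yes virtual_use_local_privs "$1" "$2" && local_privs=1
    out=''
    for k in $(awk -F= '/^anonymous_enable=/ || /^anon_[a-z_]*=/ {print $1}' "$1"); do
        if [ "$k" = anonymous_enable ] || [ "$local_privs" -eq 1 ]; then
            out="$out $k"
        fi
    done
    printf '%s\n' "${out# }"
}

# chroot_warning MAINCONF: the post chroots users into a local_root owned by the
# guest uid. vsftpd 2.0.5 (CentOS 5) accepts that; 2.3.5 and later refuse the
# login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"
# unless allow_writeable_chroot=YES is set or the root is made non-writable.
chroot_warning() {
    if is_yes chroot_local_user "$1" "$1" && ! is_yes allow_writeable_chroot "$1" "$1"; then
        echo "warning: chroot_local_user=YES with a guest-writable root is refused by vsftpd >= 2.3.5"
        return 1
    fi
    return 0
}

# audit_user NAME USERCONF MAINCONF: one summary line per user.
audit_user() {
    w=NO
    is_yes write_enable "$2" "$3" && w=YES
    printf '%-9s write=%-3s destructive=[%s] inert=[%s] root=%s\n' "$1" "$w" \
        "$(destructive_cmds_allowed "$2" "$3")" "$(inert_options "$2" "$3")" \
        "$(get2 local_root "$2" "$3")"
}

# write_demo_configs DIR: constructed copies of the post's files. The global file
# has no write_enable line (default NO), so the per-user files decide.
write_demo_configs() {
    mkdir -p "$1/vsftpd_user_conf"
    printf '%s\n' anonymous_enable=NO local_enable=YES chroot_local_user=YES \
        guest_enable=YES guest_username=vsftp pam_service_name=vsftpd.vu \
        "user_config_dir=$1/vsftpd_user_conf" virtual_use_local_privs=YES > "$1/vsftpd.conf"
    printf '%s\n' write_enable=YES anonymous_enable=NO anon_world_readable_only=NO \
        anon_upload_enable=YES anon_mkdir_write_enable=YES anon_other_write_enable=YES \
        local_umask=022 download_enable=YES local_root=/ftpdata > "$1/vsftpd_user_conf/ftpadmin"
    printf '%s\n' write_enable=YES \
        cmds_allowed=ABOR,CWD,LIST,MDTM,MKD,NLST,PASS,PASV,PORT,PWD,QUIT,RETR,RNFR,RNTO,SIZE,STOR,TYPE,USER,REST,CDUP,HELP,MODE,NOOP,REIN,STAT,STOU,STRU,SYST,FEAT \
        file_open_mode=0444 local_root=/ftpdata > "$1/vsftpd_user_conf/ftpuser"
    printf '%s\n' write_enable=NO anon_world_readable_only=NO anon_upload_enable=NO \
        anon_mkdir_write_enable=NO anon_other_write_enable=NO local_umask=022 \
        download_enable=YES local_root=/ftpdata > "$1/vsftpd_user_conf/ftp"
}

# Run the audit on the constructed sample.
demo=$(mktemp -d)
write_demo_configs "$demo"
for u in ftpadmin ftpuser ftp; do
    audit_user "$u" "$demo/vsftpd_user_conf/$u" "$demo/vsftpd.conf"
done
chroot_warning "$demo/vsftpd.conf" || :
rm -rf "$demo"
```

Run it as-is to see the sample audited; on a real host call audit_user with /etc/vsftpd/vsftpd_user_conf/<user> and /etc/vsftpd/vsftpd.conf. For the sample, ftpuser comes out with STOR, RNFR and RNTO still available: file_open_mode=0444 does make that user's own uploads non-writable, so STOR cannot truncate those, but ftpadmin's uploads land as 0644 under the same uid and remain overwritable, and renames need only directory permission.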
Test:
ftp -n localhost
Connected to ifidc.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
220 Welcome to tfhudong FTP service
ftp> use ftpadmin
331 Please specify the password.
Password:
230 Login successful.
ftp> quit
221 Goodbye.

The two "530 Please login" lines and the KERBEROS_V4 message come from the Kerberos-aware ftp client trying AUTH GSSAPI and AUTH KERBEROS_V4 before logging in, which vsftpd refuses; they are harmless. If the login instead fails with a 500 OOPS error, SELinux is usually blocking vsftpd's access to /ftpdata. The original fix was setsebool ftpd_disable_trans 1, which takes vsftpd out of SELinux confinement altogether (and, without -P, is lost at reboot); the narrower booleans quoted below (ftp_home_dir, allow_ftpd_full_access) are preferable, set with -P so they persist.

Supplement:
To confine an upload user to its own directory (its home), add
local_root=/ftpdata/    (ftpdata is my own choice; set it to whatever the situation needs)
and give that local_root the appropriate permissions beforehand.
PS: on CentOS 6 SELinux must also be configured to allow ftpd; the ftpd_disable_trans boolean no longer exists there, so use setsebool -P ftp_home_dir on and, for directories that must be writable, allow_ftpd_full_access on.

Quote:
Originally Posted by macemoneta
The problem is that ftp, being a completely insecure legacy protocol, should only be used for anonymous login (all userids and passwords are sent in clear text). In order to use ftp with user logins, you'll need to disable the protections that keep it contained to that state.

I'm not sure if these options are available back on FC5, but you can try:

setsebool ftp_home_dir on

and if necessary:

setsebool allow_ftpd_anon_write on
setsebool allow_ftpd_full_access on

If none of those work, go to:

setsebool ftpd_disable_trans on
Thanks for this. The problem is that the client needs to offer FTP access to their clients. Security isn't a huge issue as the accounts are created as required and deleted when finished with. I'll give your suggestions a go on Monday (today is a public holiday here).


