系统环境:
RedHat AS 5.1
mysql-5.0.22-2.1.0.1
pam_mysql-0.7RC1
vsftpd-2.0.5-10.el5
安装:
其中mysql及vsftpd直接用yum install mysql* vsftpd*即可!
另外pam_mysql-0.7RC1.tar.gz,
下载地址:
则
[root@mail ~]# cp pam_mysql-0.7RC1.tar.gz /tmp/
[root@mail ~]# cd /tmp/
[root@mail tmp]# tar -zxvf pam_mysql-0.7RC1.tar.gz
[root@mail tmp]# cd pam_mysql-0.7RC1
[root@mail pam_mysql-0.7RC1]# ./configure ;make;make install
安装完成之后,其中pam_mysql.la及pam_mysql.so两个文件默认是安装在/usr/lib/security/中,但RHEL5系统中共享库文件默认是存在/lib/security/文件夹中,可将/usr/lib/security/中两文件复制或链接到此处(或者在下面的vsftpd的pam配置文件中写明pam_mysql的路径也是可以的)
配置:
useradd -s /sbin/nologin vsftpd
setsebool -P allow_ftpd_anon_write=1 allow_ftpd_full_access=1 ftp_home_dir=1 ftpd_disable_trans=1 ftpd_is_daemon=1
1.vsftpd
由于是测试,所以我直接复制vsftpd.conf文件成为vsftpd.mysql.conf,修改vsftpd.mysql.conf文件
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
pam_service_name=vsftpd.mysqlduserlist_enable=YES
tcp_wrappers=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
listen_port=2121guest_enable=YES
guest_username=vsftpd
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=30999
anon_world_readable_only=NO
virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd/vsftpd_user_conf**************************************************************
设置每个用户单独的目录:
增加 user_config_dir=/etc/vsftpd_user_conf 到/etc/vsftp.mysql.conf
创建/etc/vsftpd/vsftpd_user_conf目录 :
如需给用户设置单独的权限,在/etc/vsftpd/vsftpd_user 建立以用户命名的文件,如tom,
然后 vi /etc/vsftpd/vsftpd_user/tom,将下面代码复制进去
local_root=/home/vsftpd/tom
anon_world_readable_only=NO
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES
virtual_use_local_privs=YES
chmod_enable=YES
file_open_mode=0775
然后到 /home/vsftpd/下创建一个tom目录:
mkdir /home/vsftpd/tom
chown -R vsftp.vsftpd /home/vsftpd
chmod -R 700 /home/vsftpd
2.mysql
创建vsftpd数据库,且新增vsftpd帐户,密码为123456
mysql> CREATE USER 'vsftpd'@'localhost'
IDENTIFIED BY '123456';
GRANT USAGE ON * . * TO 'vsftpd'@'localhost'
IDENTIFIED BY '123456' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR
0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
CREATE DATABASE IF NOT EXISTS `vsftpd` ;
GRANT ALL PRIVILEGES ON `vsftpd` . * TO 'vsftpd'@'localhost';
GRANT ALL PRIVILEGES ON `vsftpd` . * TO 'vsftpd'@'localhost'
WITH GRANT OPTION ;
mysql> use vsftpd;
mysql> create table users (id int AUTO_INCREMENT NOT NULL,name char(16) binary NOT NULL,passwd char(48) binary NOT NULL,primary key(id));
mysql> describe users;
+--------+----------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+--------+----------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| name | char(16) | NO | | NULL | |
| passwd | char(48) | NO | | NULL | |
+--------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)
mysql> create table logs (msg varchar(255),user char(16),pid int,host char(32),rhost char(32),logtime timestamp);
mysql> describe logs;
+---------+--------------+------+-----+-------------------+-------+
| Field | Type | Null | Key | Default | Extra |
+---------+--------------+------+-----+-------------------+-------+
| msg | varchar(255) | YES | | NULL | |
| user | char(16) | YES | | NULL | |
| pid | int(11) | YES | | NULL | |
| host | char(32) | YES | | NULL | |
| rhost | char(32) | YES | | NULL | |
| logtime | timestamp | YES | | CURRENT_TIMESTAMP | |
+---------+--------------+------+-----+-------------------+-------+
6 rows in set (0.00 sec)
这里,用户密码这个字段的长度是48。这是根据MySQL加密函数的返回值的长度确定的。关于PASSWORD函数返回值的长度,可以参考这个:
http://dev.mysql.com/doc/refman/4.1/en/password-hashing.html++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
因为mysql5.0版本中password函数默认返回长度为16,需要将/etc/my.cnf中的old_passwords的值设置为0
[root@mail vsftpd]# cat /etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
#old_passwords=1
old_passwords=0[mysql.server]
user=mysql
basedir=/var/lib
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
记得重新启动mysql服务呀。。。++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
mysql> select encrypt('foo');
+----------------+
| encrypt('foo') |
+----------------+
| xxY8K1xpBNqPg |
+----------------+
1 row in set (0.01 sec)
mysql> select password('foo');
+-------------------------------------------+
| password('foo') |
+-------------------------------------------+
| *F3A2A51A9B0F2BE2468926B4132313728C250DBF |
+-------------------------------------------+
1 row in set (0.00 sec)
mysql> select md5('foo');
+----------------------------------+
| md5('foo') |
+----------------------------------+
| acbd18db4cc2f85cedef654fccc4a4d8 |
+----------------------------------+
1 row in set (0.01 sec)
插入用户信息:
mysql> insert into users (name,passwd) values('tom',password('foo'));
mysql> insert into users (name,passwd) values('jerry',password('bar'));
mysql> select * from users;
+----+-------+-------------------------------------------+
| id | name | passwd |
+----+-------+-------------------------------------------+
| 1 | tom | *F3A2A51A9B0F2BE2468926B4132313728C250DBF |
| 2 | jerry | *E8D46CE25265E545D225A8A6F1BAF642FEBEE5CB |
+----+-------+-------------------------------------------+
2 rows in set (0.00 sec)
接下来配置pam配置文件
cd /etc/pam.d/
cp vsftpd vsftpd.mysqld
vim vsftpd.mysqld
auth required /lib/security/pam_mysql.so user=vsftpd passwd=123456 host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime verbose=1
account required /lib/security/pam_mysql.so user=vsftpd passwd=123456 host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime verbose=1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
注意:
注意这里pam_mysql.so的路径是/lib/security;指定了sqllog;加密方式是2,也就是用MySQL PASSWORD()函数;verbose=1,设置这个可以帮助调试,日志信息输出在/var/log/secure里。
crypt
参数。crypt表示口令字段中口令的加密方式:crypt=0,口令以明文方式(不加密)保存在数据库中;crypt=1,口令使用UNIX系统的
DES加密方式加密后保存在数据库中;crypt=2,口令经过MySQL的password()函数加密后保存;crypt=3,口令使用16进制数制MD5加密后保存;crypt=4,口令使用16进制数制SHA1加密后保存。++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
这是配置文件1,也可按配置文件2方式配置(任选一种即可)
auth required /usr/lib/security/pam_mysql.so config_file=/etc/vsftpd/pam_mysql
account required /usr/lib/security/pam_mysql.so config_file=/etc/vsftpd/pam_mysql
然后在/etc/vsftpd目录中新增pam_mysql文件,在此文件中新增以下内容
users.host=localhost
users.database=vsftpd
users.db_user=vsftpd
users.db_passwd=123456
users.table=users
users.user_column=name
users.password_column=passwd
users.password_crypt=2verbose=1
log.enabled=1
log.table=logs
log.message_column=msg
log.pid_column=pid
log.user_column=user
log.host_column=host
log.rhost_column=rhost
log.time_column=logtime
重启动vsftpd服务,测试
[root@mail vsftpd]# ftp localhost 2121
Connected to mail.brinkman.com.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root):
tom331 Please specify the password.
Password:
foo230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
