Linux cloud computing: the three vsftpd authentication modes and SSL secure authentication
1. The three authentication modes of the vsftpd service
- Anonymous open mode: insecure; you log in directly without a password.
- Local user mode: log in with a local Linux account and its password.
- Virtual user mode: the most secure; a user database file must be created, and the account information used for password verification is virtual: the accounts do not actually exist on the server system and are used only for authentication by the FTP server program.
First install the vsftpd service program, clear the firewall policy and save the current firewall policy, then filter the comment lines out of the vsftpd configuration file, and finally restart the vsftpd service and add it to the startup items.
Configuration file: /etc/vsftpd/vsftpd.conf
The details are as follows:
Which permissions are needed in a production environment must be judged according to the actual situation!!!
Common commands for FTP server are as follows:
2. Anonymous open mode
Generally used to access unimportant public files; try not to store important files there in a production environment.
The vsftpd service program enables anonymous user mode by default, and when you log in to the FTP server you land in the server's /var/ftp directory.
- Modify the configuration file as follows:
- Restart the vsftpd service and add it to the startup items
- Install the ftp client tool on the client, clear the firewall and save the current firewall policy, and finally run ftp 192.168.10.10 to log in to the FTP server. [Account: anonymous, Password: press Enter]
After logging in to the FTP server and entering the /var/ftp/pub directory, you cannot create files in it. This is presumably a permission problem or an SELinux domain policy problem.
Troubleshooting the problem above:
Check the permissions of the directory.
Try again and see whether it works now; SELinux raised an alert!!!! That is the hint!!!
Check the SELinux domain policy for the ftp service and try again.!!
3. Local user mode
- Modify the configuration file as follows
- Restart the service vsftpd and add it to the startup item
- Try to log in to the FTP server from the client as the root and abong users: abong can log in, but root cannot. But isn't root supposed to be the super administrator?? Does it have no authority here??? In fact, a parameter in the vsftpd service's configuration file restricts it.
- View the configuration file of the vsftpd service.
Remove the root user from these two files, then try to log in as the root user again. You can see that the root user can now also log in normally.
If you run into permission problems or SELinux domain policy problems while using the FTP server, you can refer to the troubleshooting process for anonymous user mode.
4. Virtual User Mode
The most secure authentication mode, but the configuration is more complicated.
Before configuring, first check whether the vsftpd service is running normally. It can be seen that it is running normally.
- Create the user database file for FTP authentication at /etc/vsftpd/vuser.list [odd lines are account names, even lines are passwords]
- Use the db_load command to convert the original plaintext user database file /etc/vsftpd/vuser.list into the hash-format database file /etc/vsftpd/vuser.db, reduce the file's permissions so that only the owner can read and write it, and delete the plaintext user database file /etc/vsftpd/vuser.list.
- Create a system local user virtual, with home directory /var/ftproot and shell /sbin/nologin. This local user is not allowed to log in to the FTP server itself.
The system local user acts as a bridge between the virtual users and the FTP server. When a virtual user logs in to the FTP server, it is first mapped to the system local user virtual and then logs in as that local user; the directory you enter after logging in to the FTP server is the home directory of the system local user virtual.
- Use the database file vuser.db to generate the PAM file vsftpd.vu for virtual user authentication. Set the pam_service_name parameter in the vsftpd configuration file to that file name, and modify the other parameter values.
PAM (Pluggable Authentication Modules) is an authentication mechanism that separates the services provided by the system from the authentication methods through dynamic link libraries and a unified API, so that system administrators can flexibly adjust the authentication methods of service programs according to their needs.
- Configure different permissions for different virtual users. A virtual user whose permission file is blank can by default only view files. Then add the permission directory to the vsftpd configuration file.
Restart the vsftpd service and add it to self-start after boot.
- Set the SELinux domain policy ftpd_full_access for the ftpd service to on
- Clear and save the server and client iptables policies
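The virtual-user steps above (the vuser.list to vuser.db conversion, the bridge user, the PAM service file and the per-user permission files) collected into one script, as an added example that is not from the original post; the directory /etc/vsftpd/vusers_dir, the function names, the virtual user name abong and the check_vuser_list sanity check are my assumptions, and only the "apply" argument run as root changes the system.

```bash
#!/bin/bash
# Added example, not from the original post: the virtual-user steps of section 4
# as one script. Assumed: vuser.list/vuser.db under /etc/vsftpd, bridge user
# "virtual", per-user files in /etc/vsftpd/vusers_dir; only "apply" as root changes the system.
set -eu
VUSER_LIST=${VUSER_LIST:-/etc/vsftpd/vuser.list}
VUSER_DB=${VUSER_DB:-/etc/vsftpd/vuser.db}
USER_CONF_DIR=${USER_CONF_DIR:-/etc/vsftpd/vusers_dir}
# vuser.list: account names on odd lines, passwords on even lines. An odd line
# count or a blank line shifts later accounts onto the wrong password, and
# db_load will not complain, so reject both here.
check_vuser_list() {   # check_vuser_list <file>
    local n
    n=$(grep -c '' "$1" || true)
    [ "$n" -gt 0 ] && [ $((n % 2)) -eq 0 ] || return 1
    ! grep -q '^[[:space:]]*$' "$1"
}
# Plaintext list -> Berkeley DB hash file for pam_userdb, root-only, plaintext removed.
build_vuser_db() {
    db_load -T -t hash -f "$VUSER_LIST" "$VUSER_DB"
    chmod 600 "$VUSER_DB"
    rm -f "$VUSER_LIST"
}
# PAM service named by pam_service_name=vsftpd.vu; pam_userdb wants the path without .db.
write_pam_service() {
    printf 'auth    required pam_userdb.so db=%s\naccount required pam_userdb.so db=%s\n' \
        "${VUSER_DB%.db}" "${VUSER_DB%.db}" > /etc/pam.d/vsftpd.vu
}
# Per-user file under user_config_dir: an empty file = read-only virtual user;
# "rw" grants upload, mkdir and rename/delete.
write_user_conf() {   # write_user_conf <dir> <name> <ro|rw>
    mkdir -p "$1"
    if [ "$3" = rw ]; then
        printf 'anon_upload_enable=YES\nanon_mkdir_write_enable=YES\nanon_other_write_enable=YES\n' > "$1/$2"
    else
        : > "$1/$2"
    fi
}
if [ "${1:-}" = apply ]; then
    check_vuser_list "$VUSER_LIST"
    build_vuser_db
    id virtual >/dev/null 2>&1 || useradd -m -d /var/ftproot -s /sbin/nologin virtual
    write_pam_service
    write_user_conf "$USER_CONF_DIR" abong rw   # assumed virtual user name
    setsebool -P ftpd_full_access on
    systemctl restart vsftpd
fi
```

The matching vsftpd.conf entries are guest_enable=YES, guest_username=virtual, pam_service_name=vsftpd.vu and user_config_dir=/etc/vsftpd/vusers_dir (the assumed directory).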
So far, the configuration of the FTP server is complete; it is time to verify the results!!!
- Log in to the FTP server from the client and verify the permissions of the related virtual users on the FTP server.
Install the ftp program on the client first, then clear the firewall policy and save the current policy.
Log in to the FTP server with ftp 192.168.10.10; you can see that login and use both work.
5. Practical ftp skills
5.1 Changing the root directory for FTP logins [valid only for local user mode]
The default root directory when the root user logs in to the FTP server is /var/ftp, and the default for ordinary users is /home/username; but obviously these are not the root directories where we want to store data. For example, if we want to store data in a /data directory, how should we set that up?
[root@server ~]# vim /etc/vsftpd/vsftpd.conf
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
# Change the lines above as follows:
local_root=/data # set the root directory for local users
chroot_list_enable=YES # enable the chroot function
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list # holds the names of the local users whose root directory is locked
allow_writeable_chroot=YES # allow the locked users to have write permission
# Create the locked-user file
[root@server ~]# vim /etc/vsftpd/chroot_list
abong
# Create /data and grant o+w permission
[root@server ~]# mkdir /data
[root@server ~]# chmod -R o+w /data
[root@server ~]# ll -d /data
drwxr-xrwx. 2 root root 6 8月 11 21:05 /data
[root@server ~]# systemctl restart vsftpd
# When the abong user logs in to the FTP server again, they land in the /data directory.
5.2 vsftpd uses an SSL certificate to encrypt transmission
req # the openssl subcommand for managing X.509 Certificate Signing Requests (CSRs)
-new # generate a new certificate request
-x509 # output a self-signed X.509 certificate instead of a request
-nodes # do not encrypt the private key
-days # the validity period of the certificate in days
-newkey # generate a new private key for the certificate
-keyout # the file to write the private key to
-out # the file to write the certificate to; note that here the certificate and the key are saved in the same file
# Generate a self-signed certificate with openssl
# The prompts ask for some certificate information; fill it in as you like.
[root@server ~]# openssl req -new -x509 -nodes -out vsftpd.pem -keyout vsftpd.pem -days 3560
Generating a 2048 bit RSA private key
.........................................................................................................................+++
......................+++
writing new private key to 'vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:SH
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:GZ
Organization Name (eg, company) [Default Company Ltd]:SZ
Organizational Unit Name (eg, section) []:XZ
Common Name (eg, your name or your server's hostname) []:XZ.COM
Email Address []:[email protected]
# Create a hidden directory to store the certificate file
[root@server ~]# mkdir /etc/vsftpd/.sslkey
[root@server ~]# mv vsftpd.pem /etc/vsftpd/.sslkey/
[root@server ~]# cd /etc/vsftpd/.sslkey/
[root@server .sslkey]# ll
总用量 4
-rw-r--r--. 1 root root 3038 8月 11 21:18 vsftpd.pem
# Modify the ftp configuration file to support SSL
# Add the following after the listen line
[root@server ~]# vim /etc/vsftpd/vsftpd.conf
ssl_enable=YES
allow_anon_ssl=NO
# Force local and anonymous users to use encrypted SSL for login and data transfer
force_local_data_ssl=YES
force_local_logins_ssl=YES
force_anon_logins_ssl=YES
force_anon_data_ssl=YES
ssl_tlsv1=YES # vsftpd supports TLS v1
ssl_sslv2=YES # vsftpd supports SSL v2
ssl_sslv3=YES # vsftpd supports SSL v3
require_ssl_reuse=NO
ssl_ciphers=HIGH # the SSL ciphers allowed for encrypting SSL connections
# Certificate file
rsa_cert_file=/etc/vsftpd/.sslkey/vsftpd.pem
# Private key file
rsa_private_key_file=/etc/vsftpd/.sslkey/vsftpd.pem
[root@server ~]# systemctl restart vsftpd
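As an added example that is not the original post's code, the following script checks a vsftpd.conf for the weak points in the 5.1 and 5.2 configuration above (SSLv2/SSLv3 left enabled, local users not forced onto SSL, a writable chroot root, and a key file readable by everyone, as the ll output above shows) and writes a hardened copy; the file paths are arguments, and the conf_get, audit_vsftpd and harden_vsftpd function names are my assumptions.

```bash
#!/bin/bash
# Added example, not from the original post: audits a vsftpd.conf for the
# weak settings shown in sections 5.1 and 5.2 and writes a hardened copy.
# Assumes vsftpd's key=value syntax with '#' comments; paths are arguments.
set -eu

# Effective value of a key: the last uncommented occurrence wins, as in vsftpd.
conf_get() {   # conf_get <file> <key>
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Print one finding per line; the caller counts them (wc -l).
audit_vsftpd() {   # audit_vsftpd <file>
    local f=$1 k key
    [ "$(conf_get "$f" ssl_enable)" = YES ] ||
        echo "ssl_enable is not YES: logins and data travel in cleartext"
    for k in force_local_logins_ssl force_local_data_ssl; do
        [ "$(conf_get "$f" "$k")" = YES ] ||
            echo "$k is not YES: local users can fall back to cleartext"
    done
    for k in ssl_sslv2 ssl_sslv3; do
        [ "$(conf_get "$f" "$k")" = YES ] &&
            echo "$k=YES: obsolete protocol enabled"
    done
    # vsftpd refuses a writable chroot root by default for a reason: keep the
    # root read-only and give write access in a subdirectory instead.
    [ "$(conf_get "$f" allow_writeable_chroot)" = YES ] &&
        echo "allow_writeable_chroot=YES: chroot root is writable"
    # Section 5.2 leaves the key+cert file at mode 644; the key needs 600.
    key=$(conf_get "$f" rsa_private_key_file)
    if [ -n "$key" ] && [ -e "$key" ] &&
       [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ]; then
        echo "$key is group/world readable: private key should be mode 600"
    fi
    return 0
}

# Hardened copy: turn off SSLv2/SSLv3, keep TLS on, drop anonymous/MD5 ciphers.
# The chroot finding is only reported, since fixing it is a directory layout change.
harden_vsftpd() {   # harden_vsftpd <in> <out>
    sed -e 's/^\(ssl_sslv[23]\)=YES/\1=NO/' \
        -e 's/^\(ssl_tlsv1\)=NO/\1=YES/' \
        -e 's/^\(ssl_ciphers\)=.*/\1=HIGH:!aNULL:!MD5/' "$1" > "$2"
}

if [ "${1:-}" ]; then
    audit_vsftpd "$1"
fi
```

Run it as `bash audit.sh /etc/vsftpd/vsftpd.conf` to list the findings, then `harden_vsftpd` writes the corrected copy for you to review before replacing the live file.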
Test the login with the FileZilla client tool:
① Open the FileZilla client
② Enter the host name, user name, password and port number, and click Connect
③ An "unknown certificate" dialog pops up; trust the certificate.
④ You can see that the local user abong has logged in to the FTP server through TLS authentication. Since the transmission is TLS-encrypted, data transfer is more secure.