FTP Server

Introduction

FTP (File Transfer Protocol) is a protocol for transferring files. It works at the seventh layer of the OSI model, which is the fourth layer (the application layer) of the TCP/IP model. It runs over TCP rather than UDP, so the client must complete a three-way handshake before a connection to the server is established; this makes FTP connection-oriented and gives data transmission a reliable transport.

Purpose

Provides file sharing services. Most media and software resources on the Internet are distributed through FTP servers.

Dual-channel protocol

FTP uses two separate connections: a command (control) connection and a data connection.

Model

From the server's point of view:

  • Active (PORT style): the server initiates the data connection
    • command (control): client random port >>> server tcp/21
    • data: client random port <<< server tcp/20
  • Passive (PASV style): the client initiates the data connection
    • command (control): client random port >>> server tcp/21
    • data: client random port >>> server random port

software

FTP server: vsftpd

FTP client: ftp, lftp, wget, curl

Status codes

  • 1XX information, e.g. 125: data connection already open
  • 2XX success, e.g. 200: command OK; 230: login successful
  • 3XX intermediate (more input needed), e.g. 331: username OK, password required
  • 4XX client error, e.g. 425: cannot open data connection
  • 5XX server error, e.g. 530: cannot log in

User Authentication

  • Anonymous user: logs in as ftp or anonymous, which maps to the Linux system user ftp; shared file location: /var/ftp (see Experiment 1 below)
  • System user: a Linux user, with the account in /etc/passwd and the password in /etc/shadow; shared file location: the user's home directory (see Experiment 1 below)
  • Virtual user: a user dedicated to this service, kept in separate user/password files; shared file location: the home directory of the system user it is mapped to

Configuration files

  • /etc/vsftpd/vsftpd.conf: main vsftpd configuration file
  • /usr/sbin/vsftpd: the vsftpd program itself
  • /etc/rc.d/init.d/vsftpd: vsftpd start-up script
  • /etc/pam.d/vsftpd: PAM authentication file; its file=/etc/vsftpd/ftpusers entry means the users denied access are taken from /etc/vsftpd/ftpusers
  • /etc/vsftpd/ftpusers: list of users who are not allowed to log in to the FTP server. The administrator records accounts that would threaten system security here, so that nobody can log in through FTP and gain more than upload/download rights and damage the system.
  • /etc/vsftpd/user_list: list of users denied or allowed to use vsftpd. By default (userlist_deny=YES in /etc/vsftpd/vsftpd.conf) the listed users cannot access the FTP server; with userlist_deny=NO, only the listed users are allowed.
  • /var/ftp: anonymous user home directory; local users land in their own home directory (/home/<user>) after login
  • /var/ftp/pub: anonymous download directory; to accept uploads it must be authorised by root with chmod 1777 pub (the leading 1 is the sticky bit, so an uploaded file can only be deleted by its owner)
  • /etc/logrotate.d/vsftpd.log: logrotate configuration for the vsftpd log files

/etc/vsftpd/vsftpd.conf default configuration instructions

# Whether anonymous users are allowed
anonymous_enable=NO
# Whether local Linux users may log in
local_enable=YES
# Global write switch: both local and anonymous uploads require this to be YES
write_enable=YES
# umask applied to files uploaded by local users
local_umask=022
# Whether anonymous users may upload files (not directories)
anon_upload_enable=YES
# Whether anonymous users may create directories
anon_mkdir_write_enable=YES
# Show per-directory messages: the contents of each directory's message_file
dirmessage_enable=YES
# Enable transfer logging
xferlog_enable=YES
# Originate active-mode data connections from port 20
connect_from_port_20=YES
# Change the owner of all anonymously uploaded files to chown_username
chown_uploads=YES
# Owner assigned to anonymously uploaded files
chown_username=whoever
# Log file location
xferlog_file=/var/log/xferlog
# Use the standard (wu-ftpd) log format
xferlog_std_format=YES
# Disconnect a session that has been idle for 600 seconds
idle_session_timeout=600
# Disconnect a data connection that has been idle for 120 seconds
data_connection_timeout=120
# Unprivileged user the server switches to when it needs no privileges
nopriv_user=ftpsecure
# Allow the ABOR command asynchronously (some clients otherwise hang)
async_abor_enable=YES
# Prefer ASCII (text) mode transfers; enabling this is not recommended
ascii_upload_enable=YES
# Prefer ASCII (text) mode transfers; enabling this is not recommended
ascii_download_enable=YES
# Banner shown at login; ignored if banner_file is set
ftpd_banner=Welcome to blah FTP service.
# Reject anonymous logins whose e-mail password is listed in banned_email_file
deny_email_enable=YES
# List of banned anonymous e-mail passwords
banned_email_file=/etc/vsftpd/banned_emails
# Whether local users are confined (chrooted) to their home directory
chroot_local_user=YES
# If enabled, the users listed in chroot_list_file are the exceptions to the setting above
chroot_list_enable=YES
# File listing the users that are jailed/exempted in their home directory
#chroot_list_file=/etc/vsftpd/chroot_list
# Whether to allow ls -R (kept off to avoid wasting server resources)
#ls_recurse_enable=YES
# Listen on IPv4
listen=NO
# Listen on IPv6
listen_ipv6=YES
# PAM service name; the default is /etc/pam.d/vsftpd
pam_service_name=vsftpd
# Enable the user list; users in /etc/vsftpd/user_list are denied access
userlist_enable=YES

Common configuration

  • command port

listen_port=21

  • active mode port

connect_from_port_20=YES active mode port is 20
ftp_data_port=20 (default) specifies active mode port

  • Passive Mode Port Range

Linux clients use passive mode by default
Windows clients use active mode by default
pasv_min_port=6000 (0 means a random port is assigned)
pasv_max_port=6010
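Added example (not part of the original post): a small POSIX shell helper that decodes the "227 Entering Passive Mode" reply seen in the ftp transcripts below into host and port and checks the port against the pasv_min_port/pasv_max_port range; the sample reply is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: decode the "227 Entering Passive
# Mode (h1,h2,h3,h4,p1,p2)" reply that appears in the ftp transcripts and check
# the announced data port against the pasv_min_port/pasv_max_port range, which
# is what a firewall rule for passive mode has to match.

# Constructed sample, same format as the 227 replies in the transcripts.
SAMPLE_REPLY='227 Entering Passive Mode (192,168,29,131,123,46).'

# Print the server address (first four numbers) as a dotted quad.
pasv_host() {
    printf '%s\n' "$1" |
        sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),[0-9]*,[0-9]*).*/\1.\2.\3.\4/p'
}

# Print the data port: the last two numbers are its high and low byte.
pasv_port() {
    p1=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9]*,\)\{4\}\([0-9]*\),\([0-9]*\)).*/\2/p')
    p2=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9]*,\)\{4\}\([0-9]*\),\([0-9]*\)).*/\3/p')
    [ -n "$p1" ] && [ -n "$p2" ] || return 1
    echo $((p1 * 256 + p2))
}

# Return 0 when the port lies inside [min, max], the range vsftpd was told to
# use; a port outside it means the firewall opening will not match.
pasv_port_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Stand-alone demonstration against the 6000-6010 range configured above.
host=$(pasv_host "$SAMPLE_REPLY")
port=$(pasv_port "$SAMPLE_REPLY")
echo "data connection -> $host:$port"
if pasv_port_in_range "$port" 6000 6010; then
    echo "port within configured passive range"
else
    echo "port outside configured passive range 6000-6010"
fi
```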

  • use local time

use_localtime=YES use local time (default NO, use GMT)

  • Anonymous User

anonymous_enable=YES allow anonymous users
no_anon_password=YES (default NO) anonymous users skip the password check
anon_world_readable_only=YES (default YES) anonymous users can only download world-readable files
anon_upload_enable=YES anonymous upload; note the file system permissions: do not grant write permission on the FTP root directory itself, only on a subdirectory
anon_mkdir_write_enable=YES anonymous users may create directories
anon_umask=077 umask for anonymously uploaded files
anon_other_write_enable=YES anonymous users may delete and modify uploaded files

Specify the default owner and permissions for uploading files
chown_uploads=YES (default NO)
chown_username=username
chown_upload_mode=0644

  • Linux system users

guest_enable=YES map all system users to the guest user
guest_username=ftp (default, may be omitted) specifies the guest user; takes effect together with the option above; see Experiment 2
local_enable=YES whether to allow linux users to log in
write_enable=YES to allow linux users to upload files
local_umask=022 specifies the default permissions for system users to upload files
local_root=/ftproot guest user login directory

  • Jail all system users in their home directory

chroot_local_user=YES (default NO, not jailed) confine system users to their home directory

  • Jail, or exempt from jailing, specific system users; the list inverts the setting above

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
When chroot_local_user=YES, users in chroot_list are NOT jailed
When chroot_local_user=NO, only users in chroot_list are jailed
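Added example, not from the original post or from vsftpd itself: a shell check that applies the chroot_local_user/chroot_list rules above to a named user and flags the anonymous-login-plus-upload combination from the anonymous user section; conf_get is a hypothetical helper and the config and list files are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: evaluate the chroot_local_user /
# chroot_list_enable / chroot_list_file rules for a given user, and flag a
# configuration that lets anonymous users both log in and write. The two
# configs and the list file are constructed samples written to a temp dir;
# conf_get is a hypothetical helper, not a vsftpd tool.

WORK=$(mktemp -d)
printf 'zhangsan\n' > "$WORK/chroot_list"

# Constructed config in the spirit of Experiment 2: local users only, jailed,
# with zhangsan listed as the exception.
cat > "$WORK/locals.conf" <<EOF
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$WORK/chroot_list
EOF

# Constructed config with the weak combination: anonymous login plus upload.
cat > "$WORK/anon.conf" <<EOF
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
chroot_local_user=NO
EOF

# conf_get KEY FILE DEFAULT: value of KEY (last occurrence wins), or DEFAULT
# when the key is absent or commented out, mirroring vsftpd's built-in defaults.
conf_get() {
    v=$(sed -n "s/^$1=//p" "$2" | tail -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# user_is_chrooted USER FILE: exit 0 if USER is confined to the home directory.
# chroot_local_user=YES -> everyone jailed except users in chroot_list
# chroot_local_user=NO  -> nobody jailed except users in chroot_list
user_is_chrooted() {
    all=$(conf_get chroot_local_user "$2" NO)
    list_on=$(conf_get chroot_list_enable "$2" NO)
    list=$(conf_get chroot_list_file "$2" /etc/vsftpd/chroot_list)
    listed=no
    if [ "$list_on" = YES ] && [ -r "$list" ] && grep -qx "$1" "$list"; then
        listed=yes
    fi
    if [ "$all" = YES ]; then [ "$listed" = no ]; else [ "$listed" = yes ]; fi
}

# anon_write_possible FILE: exit 0 when anonymous users can log in and at least
# one anonymous write option is on (anonymous_enable defaults to YES, as the
# stock config file's own comment warns).
anon_write_possible() {
    [ "$(conf_get anonymous_enable "$1" YES)" = YES ] || return 1
    [ "$(conf_get write_enable "$1" NO)" = YES ] || return 1
    for opt in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        [ "$(conf_get "$opt" "$1" NO)" = YES ] && return 0
    done
    return 1
}

# Stand-alone demonstration.
user_is_chrooted zhangsan "$WORK/locals.conf" && echo "zhangsan jailed" || echo "zhangsan not jailed"
anon_write_possible "$WORK/anon.conf" && echo "anon.conf: anonymous write possible" || true
```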

  • wu-ftp log: enabled by default

xferlog_enable=YES (default) enable record upload and download logs
xferlog_std_format=YES (default) use wu-ftp log format
xferlog_file=/var/log/xferlog (default) can be automatically generated

  • vsftpd log: disabled by default

dual_log_enable=YES Use vsftpd log format, not enabled by default
vsftpd_log_file=/var/log/vsftpd.log (default) can be automatically generated

  • Login prompt information

dirmessage_enable=YES (default)
message_file=.message (default) the message is read from the .message file in the directory being entered

  • Use pam (Pluggable Authentication Modules) to complete user authentication

pam_service_name=vsftpd
pam configuration file: /etc/pam.d/vsftpd
/etc/vsftpd/ftpusers users listed in this file are refused login by default

  • Whether to enable list files that control user logins

userlist_enable=YES set by default
userlist_deny=YES (default) the list is a blacklist and listed users are rejected without a password prompt; NO makes it a whitelist
userlist_file=/etc/vsftpd/user_list (default)

  • The vsftpd service runs as the specified user

nopriv_user=nobody (default)

  • Connection limit

max_clients=0 maximum number of concurrent connections (0 = unlimited)
max_per_ip=0 maximum number of simultaneous connections from one IP (0 = unlimited)

  • Transfer Rate: Bytes/Sec

anon_max_rate=0 maximum transfer rate for anonymous users (0 = unlimited)
local_max_rate=0 maximum transfer rate for local users (0 = unlimited)

  • Connection time: in seconds

connect_timeout=60 active mode data connection timeout
accept_timeout=60 passive mode data connection timeout
data_connection_timeout=300 data connection no data output timeout
idle_session_timeout=60 no command operation timeout

  • Prefer ASCII (text) mode transfers; enabling this is not recommended

ascii_upload_enable=YES
ascii_download_enable=YES

Experiments

Turn off the firewall and SELinux

fs (192.168.29.131): CentOS 7 FTP server
ftpServer (192.168.29.141): CentOS 8 FTP server
mates (192.168.29.142): CentOS 8 client

Notice

centos7 supports anonymous (anonymous) user login by default

centos8 does not support anonymous (anonymous) user login by default

Experiment 1: The difference between the default shared directory

centos7

[root@fs ~]# yum -y install vsftpd
[root@fs ~]# systemctl start vsftpd
[root@fs ~]# ss -tnlp
State       Recv-Q Send-Q                                        Local Address:Port                                                       Peer Address:Port              
LISTEN      0      128                                                       *:22                                                                    *:*                   users:(("sshd",pid=1014,fd=3))
LISTEN      0      100                                               127.0.0.1:25                                                                    *:*                   users:(("master",pid=1175,fd=13))
LISTEN      0      32                                                     [::]:21                                                                 [::]:*                   users:(("vsftpd",pid=1350,fd=4))
LISTEN      0      128                                                    [::]:22                                                                 [::]:*                   users:(("sshd",pid=1014,fd=4))
LISTEN      0      100                                                   [::1]:25                                                                 [::]:*                   users:(("master",pid=1175,fd=14))

Access fs from wenzi; anonymous login still requires entering the username anonymous or ftp

[root@wenzi ~]#ftp 192.168.29.131
Connected to 192.168.29.131 (192.168.29.131).
220 (vsFTPd 3.0.2)
Name (192.168.29.131:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,29,131,123,46).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0               6 Jun 09  2021 pub
226 Directory send OK.
ftp> pwd
257 "/"
ftp> exit
221 Goodbye.

Access fs through windows

centos8

# Install vsftpd
[root@ftpServer ~]#yum -y install vsftpd
# Start the FTP service
[root@ftpServer ~]#systemctl enable --now vsftpd
Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /usr/lib/systemd/system/vsftpd.service.
# Check the listening ports: port 21 is open
[root@ftpServer ~]#ss -tnlp
State            Recv-Q           Send-Q                     Local Address:Port                     Peer Address:Port                                                      
LISTEN           0                128                              0.0.0.0:22                            0.0.0.0:*              users:(("sshd",pid=898,fd=4))              
LISTEN           0                32                                     *:21                                  *:*              users:(("vsftpd",pid=1655,fd=3))           
LISTEN           0                128                                 [::]:22                               [::]:*              users:(("sshd",pid=898,fd=6))    


# Create a new user zhangsan
[root@ftpServer ~]#useradd zhangsan
[root@ftpServer ~]#echo "admin" | passwd --stdin zhangsan
[root@ftpServer ~]#cd ~zhangsan
[root@ftpServer zhangsan]#touch zs.txt
[root@ftpServer zhangsan]#pwd
/home/zhangsan

Access ftpServer through windows

[root@wenzi ~]#ftp 192.168.29.141
Connected to 192.168.29.141 (192.168.29.141).
220 (vsFTPd 3.0.3)
Name (192.168.29.141:root): anonymous                                             
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> ls
530 Please login with USER and PASS.
Passive mode refused.
ftp> exit
221 Goodbye.

Use zhangsan user to log in to ftp

[root@wenzi ~]#ftp 192.168.29.141
Connected to 192.168.29.141 (192.168.29.141).
220 (vsFTPd 3.0.3)
Name (192.168.29.141:root): zhangsan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,29,141,54,103).
150 Here comes the directory listing.
-rw-r--r--    1 0        0               0 Aug 01 13:49 zs.txt
226 Directory send OK.
ftp> pwd
257 "/home/zhangsan" is the current directory
ftp> exit
221 Goodbye.

Modify the vsftpd configuration file (vim /etc/vsftpd/vsftpd.conf) to enable anonymous user login

Restart vsftpd, access ftpServer through windows again, and log in anonymously

[root@wenzi ~]#ftp 192.168.29.141
Connected to 192.168.29.141 (192.168.29.141).
220 (vsFTPd 3.0.3)
Name (192.168.29.141:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,29,141,118,252).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0               6 Apr 22  2021 pub
226 Directory send OK.
ftp> pwd
257 "/" is the current directory

Experiment 2: Upload and download for Linux users

Target

  1. Forbid anonymous users to log in, allow Linux users to log in
  2. Login prompt message: "This is FTP Server"
  3. Map all system users to the guest user; set the directory after login to /data/ftp and the upload directory to /data/ftp/upload
  4. Allow Linux users to download, upload, create new directories, delete and modify uploaded files
  5. Specify the default permissions for system users to upload files
  6. Enable vsftpd format log

ftp server configuration

[root@ftpServer ~]#vim /etc/vsftpd/vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
...
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
...
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
...
# go into a certain directory.
dirmessage_enable=YES
#
...
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
...
# with the listen_ipv6 directive.
listen=NO
#
...
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES

ftpd_banner="This is FTP Server"
guest_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/data/ftp
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
[root@ftpServer ~]#mkdir /data/ftp -p
[root@ftpServer ~]#mkdir /data/ftp/upload
[root@ftpServer ~]#chmod 777 /data/ftp/upload/
[root@ftpServer ~]#systemctl restart vsftpd.service

client testing

[root@wenzi ~]#ll
total 8
-rw-r--r--  1 root root    0 Aug  2 02:03 111.txt
-rw-------. 1 root root 1279 May 15 01:30 anaconda-ks.cfg
[root@wenzi ~]#ftp 192.168.29.141
Connected to 192.168.29.141 (192.168.29.141).
220 "This is FTP Server"
Name (192.168.29.141:root): zhangsan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,29,141,19,185).
150 Here comes the directory listing.
-rw-r--r--    1 0        0               0 Aug 01 18:02 sy2.txt
drwxrwxrwx    2 0        0               6 Aug 01 21:14 upload
226 Directory send OK.
ftp> pwd
257 "/" is the current directory
# Download
ftp> get sy2.txt
local: sy2.txt remote: sy2.txt
227 Entering Passive Mode (192,168,29,141,119,145).
150 Opening BINARY mode data connection for sy2.txt (0 bytes).
226 Transfer complete.
ftp> cd upload
250 Directory successfully changed.
ftp> pwd
257 "/upload" is the current directory
# Upload
ftp> put 111.txt 
local: 111.txt remote: 111.txt
227 Entering Passive Mode (192,168,29,141,153,176).
150 Ok to send data.
226 Transfer complete.
ftp> ls
227 Entering Passive Mode (192,168,29,141,116,132).
150 Here comes the directory listing.
-rw-------    1 14       50              0 Aug 01 21:17 111.txt
226 Directory send OK.
ftp> help
Commands may be abbreviated.  Commands are:

!		debug		mdir		sendport	site
$		dir		mget		put		size
account		disconnect	mkdir		pwd		status
append		exit		mls		quit		struct
ascii		form		mode		quote		system
bell		get		modtime		recv		sunique
binary		glob		mput		reget		tenex
bye		hash		newer		rstatus		tick
case		help		nmap		rhelp		trace
cd		idle		nlist		rename		type
cdup		image		ntrans		reset		user
chmod		lcd		open		restart		umask
close		ls		prompt		rmdir		verbose
cr		macdef		passive		runique		?
delete		mdelete		proxy		send
# Rename
ftp> rename 111.txt 222.txt
350 Ready for RNTO.
250 Rename successful.
ftp> ls
227 Entering Passive Mode (192,168,29,141,151,67).
150 Here comes the directory listing.
-rw-------    1 14       50              0 Aug 01 21:17 222.txt
226 Directory send OK.
# Create a directory
ftp> mkdir abc
257 "/upload/abc" created
ftp> ls
227 Entering Passive Mode (192,168,29,141,124,143).
150 Here comes the directory listing.
-rw-------    1 14       50              0 Aug 01 21:17 222.txt
drwx------    2 14       50              6 Aug 01 21:17 abc
226 Directory send OK.
# Remove the directory
ftp> rmdir abc
250 Remove directory operation successful.

View logs on the ftp server

[root@ftpServer ftp]#cat /var/log/vsftpd.log
Wed Aug  2 05:15:56 2023 [pid 3426] CONNECT: Client "::ffff:192.168.29.142"
Wed Aug  2 05:16:01 2023 [pid 3425] [zhangsan] OK LOGIN: Client "::ffff:192.168.29.142"
Wed Aug  2 05:16:29 2023 [pid 3427] [zhangsan] OK DOWNLOAD: Client "::ffff:192.168.29.142", "/sy2.txt", 0.00Kbyte/sec
Wed Aug  2 05:17:01 2023 [pid 3427] [zhangsan] OK UPLOAD: Client "::ffff:192.168.29.142", "/upload/111.txt", 0.00Kbyte/sec
Wed Aug  2 05:17:33 2023 [pid 3427] [zhangsan] OK RENAME: Client "::ffff:192.168.29.142", "/upload/111.txt /upload/222.txt"
Wed Aug  2 05:17:48 2023 [pid 3427] [zhangsan] OK MKDIR: Client "::ffff:192.168.29.142", "/upload/abc"
Wed Aug  2 05:20:15 2023 [pid 3432] [zhangsan] OK RMDIR: Client "::ffff:192.168.29.142", "/upload/abc"

Experiment 3: FTPS over SSL

# CentOS 7: a single file containing both the private key and the certificate can be generated directly
# Check whether vsftpd was built with SSL support
[root@fs ~]# ldd `which vsftpd` | grep ssl
	libssl.so.10 => /lib64/libssl.so.10 (0x00007f8a15030000)
[root@fs ~]# cd /etc/pki/tls/certs/
[root@fs certs]# ll
总用量 12
lrwxrwxrwx. 1 root root   49 5月  25 21:13 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55 5月  25 21:13 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root  610 8月   9 2019 make-dummy-cert
-rw-r--r--. 1 root root 2516 8月   9 2019 Makefile
-rwxr-xr-x. 1 root root  829 8月   9 2019 renew-dummy-cert
# A file ending in .pem here holds the private key and the certificate together
[root@fs certs]# make vsftpd.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2  ; \
cat $PEM1 >  vsftpd.pem ; \
echo ""    >> vsftpd.pem ; \
cat $PEM2 >> vsftpd.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
................................+++
.......+++
writing new private key to '/tmp/openssl.CGeh1N'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:wenzi
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:wenzi.com
Email Address []:[email protected]
[root@fs certs]# ll
总用量 16
lrwxrwxrwx. 1 root root   49 5月  25 21:13 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55 5月  25 21:13 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root  610 8月   9 2019 make-dummy-cert
-rw-r--r--. 1 root root 2516 8月   9 2019 Makefile
-rwxr-xr-x. 1 root root  829 8月   9 2019 renew-dummy-cert
-rw-------  1 root root 3100 8月   2 00:10 vsftpd.pem
# View the combined file: the private key is on top, the certificate below
[root@fs certs]# cat vsftpd.pem 
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
# CentOS 8: generate the certificate and the private key separately, then concatenate them into one file
[root@ftpServer ~]#ldd `which vsftpd` | grep ssl
	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f53dd410000)
[root@ftpServer ~]#mkdir /etc/vsftpd/ssl
[root@ftpServer ~]#cd /etc/vsftpd/ssl/
[root@ftpServer ssl]#openssl req -x509 -nodes -keyout vsftpd.key -out vsftpd.crt -days 365 -newkey rsa:2048
Generating a RSA private key
...........................+++++
..................................................................................+++++
writing new private key to 'vsftpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:zz
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:wenzi
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:wenzi.com
Email Address []:[email protected]
[root@ftpServer ssl]#ll
total 8
-rw-r--r-- 1 root root 1387 Aug  2 00:18 vsftpd.crt
-rw------- 1 root root 1704 Aug  2 00:17 vsftpd.key
[root@ftpServer ssl]#cat * > vsftpd.pem
[root@ftpServer ssl]#cat vsftpd.pem 
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

[root@ftpServer ssl]#ll
total 12
-rw-r--r-- 1 root root 1387 Aug  2 00:18 vsftpd.crt
-rw------- 1 root root 1704 Aug  2 00:17 vsftpd.key
-rw-r--r-- 1 root root 3091 Aug  2 00:18 vsftpd.pem
[root@ftpServer ssl]#vim /etc/vsftpd/vsftpd.conf
...
# Enable SSL
ssl_enable=YES

# No SSL for anonymous users
allow_anon_ssl=NO

# Require SSL for local user logins
force_local_logins_ssl=YES

# Require SSL for local user data transfers
force_local_data_ssl=YES

# One file containing both the private key and the certificate
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.pem

[root@ftpServer ssl]#systemctl restart vsftpd
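Added example, not from the original post: a shell check for the combined rsa_cert_file, covering the permission difference visible in the two ll listings above (mode 600 from make vsftpd.pem on CentOS 7, mode 644 from cat * > vsftpd.pem on CentOS 8); the PEM files are constructed placeholders and stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original post: check the combined key+certificate
# file that rsa_cert_file points at. The CentOS 7 Makefile runs "umask 77", so
# its vsftpd.pem is mode 600; on CentOS 8 "cat * > vsftpd.pem" inherits the
# shell's umask and the ll output shows 644, a private key readable by every
# local account. The PEM files here are constructed stand-ins with placeholder
# bodies, not the post's key material; stat -c requires GNU coreutils.

WORK=$(mktemp -d)

# make_pem PATH MODE: write certificate-then-key framing with placeholder bodies.
make_pem() {
    {
        echo '-----BEGIN CERTIFICATE-----'
        echo 'CONSTRUCTED-PLACEHOLDER-CERTIFICATE-BODY'
        echo '-----END CERTIFICATE-----'
        echo '-----BEGIN PRIVATE KEY-----'
        echo 'CONSTRUCTED-PLACEHOLDER-KEY-BODY'
        echo '-----END PRIVATE KEY-----'
    } > "$1"
    chmod "$2" "$1"
}
make_pem "$WORK/centos7-style.pem" 600   # as produced by "make vsftpd.pem"
make_pem "$WORK/centos8-style.pem" 644   # as produced by "cat * > vsftpd.pem"

# Both halves must be present, otherwise vsftpd cannot load rsa_cert_file.
pem_has_key_and_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1"
}

# A file holding a private key must be readable by its owner only.
pem_mode_is_private() {
    mode=$(stat -c %a "$1")
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# check_rsa_cert_file PATH: print a finding and exit 0 only when the file is
# complete and its permissions keep the key private.
check_rsa_cert_file() {
    if ! pem_has_key_and_cert "$1"; then
        echo "$1: certificate or private key block missing"
        return 1
    fi
    if ! pem_mode_is_private "$1"; then
        echo "$1: private key readable by others (mode $(stat -c %a "$1")); fix with chmod 600"
        return 1
    fi
    echo "$1: OK"
}

# Stand-alone demonstration: the 600 file passes, the 644 file is reported.
check_rsa_cert_file "$WORK/centos7-style.pem"
check_rsa_cert_file "$WORK/centos8-style.pem" || true
```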

Use Filezilla to connect to ftpServer for verification


Origin blog.csdn.net/qq_40875048/article/details/132014573