Summary of installing and configuring vsftpd + pam_mysql
System environment:
    * RedHat AS 4
    * MySQL 4.1.15
    * pam_mysql-0.7pre3
A note: I installed MySQL from the rpm packages on its official website, namely these four:
   1. MySQL-server-standard-4.1.15-0.rhel4.i386.rpm
   2. MySQL-client-standard-4.1.15-0.rhel4.i386.rpm
   3. MySQL-devel-standard-4.1.15-0.rhel4.i386.rpm
   4. MySQL-shared-standard-4.1.15-0.rhel4.i386.rpm
vsftpd is the one that ships with RedHat.
Creating the schema that holds vsftpd's virtual users:
mysql> create database vsftpd;
mysql> use vsftpd;
mysql> create table users (
    -> id int AUTO_INCREMENT NOT NULL,
    -> name char(16) binary NOT NULL,
    -> passwd char(48) binary NOT NULL,
    -> primary key(id)
    -> );
mysql> describe users;
+--------+----------+------+-----+---------+----------------+
| Field  | Type     | Null | Key | Default | Extra          |
+--------+----------+------+-----+---------+----------------+
| id     | int(11)  |      | PRI | NULL    | auto_increment |
| name   | char(16) |      |     |         |                |
| passwd | char(48) |      |     |         |                |
+--------+----------+------+-----+---------+----------------+
mysql> create table logs (msg varchar(255),
    -> user char(16),
    -> pid int,
    -> host char(32),
    -> rhost char(32),
    -> logtime timestamp
    -> );
mysql> describe logs;
+---------+--------------+------+-----+-------------------+-------+
| Field   | Type         | Null | Key | Default           | Extra |
+---------+--------------+------+-----+-------------------+-------+
| msg     | varchar(255) | YES  |     | NULL              |       |
| user    | varchar(16)  | YES  |     | NULL              |       |
| pid     | int(11)      | YES  |     | NULL              |       |
| host    | varchar(32)  | YES  |     | NULL              |       |
| rhost   | varchar(32)  | YES  |     | NULL              |       |
| logtime | timestamp    | YES  |     | CURRENT_TIMESTAMP |       |
+---------+--------------+------+-----+-------------------+-------+
Here the password column is 48 characters wide. That width was chosen from the length of the value returned by MySQL's hashing function; for the length of PASSWORD()'s return value, see:
http://dev.mysql.com/doc/refman/4.1/en/password-hashing.html
mysql> select encrypt('foo');
+----------------+
| encrypt('foo') |
+----------------+
| 4Wwn2AXFYb.So  |
+----------------+
mysql> select password('foo');
+-------------------------------------------+
| password('foo')                           |
+-------------------------------------------+
| *F3A2A51A9B0F2BE2468926B4132313728C250DBF |
+-------------------------------------------+
mysql> select md5('foo');
+----------------------------------+
| md5('foo')                       |
+----------------------------------+
| acbd18db4cc2f85cedef654fccc4a4d8 |
+----------------------------------+
Compiling and installing pam_mysql:
# ./configure --with-openssl
# make
# make install
Adding --with-openssl avoids a compile error about md5.h during make.
Create /etc/pam.d/vsftpd.mysql (since I only wanted to verify the pam_mysql installation, I did not want to overwrite the existing vsftpd file). [color=#FF0000]Note that there are only two lines: auth is one line and account is the other.[/color]
auth     required      /lib/security/pam_mysql.so user=root passwd=123456 host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime verbose=1
account  required      /lib/security/pam_mysql.so user=root passwd=123456 host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime verbose=1
Note that the path to pam_mysql.so here is /lib/security; sqllog is enabled; the encryption method is 2, i.e. MySQL's PASSWORD() function; and verbose=1 helps with debugging, with the log messages going to /var/log/messages.
Create /etc/vsftpd/vsftpd.mysql.conf (again, this leaves the existing vsftpd service untouched; service vsftpd restart will start two vsftpd instances, on different ports).
The main settings are as follows:
    pam_service_name=vsftpd.mysql
    listen=YES
    tcp_wrappers=YES
    local_enable=YES
    guest_enable=YES
    guest_username=ftp
    listen_port=2121
Note that pam_service_name=vsftpd.mysql selects the pam_mysql stack configured above.
Insert the user records:
mysql> insert into users (name,passwd) values('tom',password('foo'));
mysql> insert into users (name,passwd) values('jerry',password('bar'));
mysql> select * from users;
+----+-------+-------------------------------------------+
| id | name  | passwd                                    |
+----+-------+-------------------------------------------+
|  1 | tom   | *F3A2A51A9B0F2BE2468926B4132313728C250DBF |
|  2 | jerry | *E8D46CE25265E545D225A8A6F1BAF642FEBEE5CB |
+----+-------+-------------------------------------------+
Start the vsftpd service and test the configuration:
# ftp localhost 2121
Login fails. Checking /var/log/messages shows:
# tail -f /var/log/messages
Nov 29 14:52:04 javadev vsftpd[17683]: PAM unable to dlopen(/lib/security/pam_mysql.so)
Nov 29 14:52:04 javadev vsftpd[17683]: PAM [dlerror: /lib/security/pam_mysql.so: cannot open shared object file: No such file or directory]
Nov 29 14:52:04 javadev vsftpd[17683]: PAM adding faulty module: /lib/security/pam_mysql.so
So pam_mysql.so was not found. How can that be?
A find (locate would also do, but you have to run updatedb first, which is slow) showed that make install puts it under /usr/local/lib by default. Either edit /etc/pam.d/vsftpd.mysql or copy the library into /lib/security:
auth     required      /usr/local/lib/security/pam_mysql.so user=root passwd=123456 host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime verbose=1
account  required      /usr/local/lib/security/pam_mysql.so user=root passwd=123456 host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime verbose=1
Logging in again now succeeds! Switching to the other encryption methods works too.
Next I tried the config_file option newly added in pam_mysql v0.7. It names a configuration file in which all of pam_mysql's settings can be kept. With it, /etc/pam.d/vsftpd.mysql becomes:
auth     required      /usr/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
account  required      /usr/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
Contents of /etc/security/pam_mysql.conf:
users.host=localhost
users.database=vsftpd
users.db_user=root
users.db_passwd=123456
users.table=users
users.user_column=name
users.password_column=passwd
users.password_crypt=3
verbose=1
log.enabled=1
log.table=logs
log.message_column=msg
log.pid_column=pid
log.user_column=user
log.host_column=host
log.rhost_column=rhost
log.time_column=logtime
After these changes, logging in with the virtual user created earlier did not work at all! And this time there was no error message in /var/log/messages. ls -ltr /var/log showed that secure was the most recently modified file; opening it did reveal pam_mysql's debug output:
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option verbose is set to "1"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.enabled is set to "1 "
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.table is set to "logs"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.message_column is set to "msg"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.pid_column is set to "pid"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.user_column is set to "user"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.host_column is set to "host"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.rhost_column is set to "rhost"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.time_column is set to "logtime"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - pam_sm_authenticate() called.
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - pam_mysql_open_db() called.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - MySQL error (Unknown MySQL server host 'localhost ' (3))
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_mysql_open_db() returning 5.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_sm_authenticate() returning 9.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_mysql_release_ctx() called.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_mysql_destroy_ctx() called.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_mysql_close_db() called.
Looking closely, the cause is here:
[color=#FF0000]pam_mysql - MySQL error (Unknown MySQL server host 'localhost ' (3))[/color]
It turned out that the line users.host=localhost in the config file had an extra space at the end! Frustrating! After fixing it, login works.
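The trailing-space failure above and the PASSWORD()/MD5 comparison earlier in the post, as an added example that is not part of the original post: a small Python checker that parses a pam_mysql-style key=value file without trimming values, reports every value carrying stray whitespace (the debug log above also shows log.enabled set to "1 ", so that line had the same defect), and re-computes the MySQL 4.1 PASSWORD() and MD5 formats locally so a stored users.passwd value can be checked against the configured password_crypt. SAMPLE_CONF and all function names are mine; the mapping 3 = MD5 is taken from pam_mysql's documentation, the post itself only names 2 = PASSWORD().

```python
import hashlib

# Constructed sample in the same style as the post's pam_mysql.conf, with the
# post's bug (a trailing space after "localhost") reproduced on purpose, plus
# the trailing space on log.enabled that the post's debug log reveals.
SAMPLE_CONF = (
    "users.host=localhost \n"
    "users.database=vsftpd\n"
    "users.password_crypt=3\n"
    "log.enabled=1 \n"
    "verbose=1\n"
)

def parse_conf(text):
    """Parse key=value lines. Values are kept verbatim (never stripped) so
    that stray whitespace survives parsing and can be reported."""
    conf = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, value = line.split("=", 1)
        conf[key.strip()] = value
    return conf

def check_conf(conf):
    """Return the keys whose values carry leading or trailing whitespace; the
    post's log shows pam_mysql hands such values on unchanged, so 'localhost '
    reaches the MySQL client library as a hostname and the connect fails."""
    return [key for key, value in conf.items() if value != value.strip()]

def mysql41_password(pw):
    """MySQL 4.1+ PASSWORD(): '*' + upper-case hex of SHA1(SHA1(pw)), 41 chars.
    This is the stored format pam_mysql compares against with crypt=2."""
    inner = hashlib.sha1(pw.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def md5_hex(pw):
    """MySQL MD5(): lower-case hex MD5 of the password (pam_mysql crypt=3,
    per the module's documentation)."""
    return hashlib.md5(pw.encode("utf-8")).hexdigest()

def expected_hash(crypt, pw):
    """Hash a candidate password the way the given password_crypt expects, so
    it can be compared with the users.passwd column. Only the two schemes the
    post exercises are handled here."""
    if crypt == 2:
        return mysql41_password(pw)
    if crypt == 3:
        return md5_hex(pw)
    raise ValueError(f"password_crypt={crypt} not handled in this example")

if __name__ == "__main__":
    print("values with stray whitespace:", check_conf(parse_conf(SAMPLE_CONF)))
    print("PASSWORD('foo') =", expected_hash(2, "foo"))
```

Running it on the real /etc/security/pam_mysql.conf instead of SAMPLE_CONF would have flagged users.host before the first login attempt; the hash helpers let you confirm that a row inserted with password() really matches what crypt=2 expects.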