Linux課程第十六天學習筆記

###############################
#######   ldap網絡帳號    #######
###############################
1.ldap是什麼
LDAP是一種目錄服務協議，用來集中存放並按需查詢帳號、組等信息；Windows活動目錄(AD)本身就是一個基於LDAP的目錄服務。本課裏LDAP只提供用戶的身份信息（uid、gid、家目錄、shell），密碼認證交給Kerberos——所以下面authconfig-tui中勾選的是"Use LDAP"和"Use Kerberos"，而"Use LDAP Authentication"不勾選。

2.ldap客戶端所須軟件
yum install sssd krb5-workstation -y

3.如何開啓ldap用戶認證
authconfig-tui

┌────────────────┤ Authentication Configuration ├─────────────────┐
│                                                                 │
│  User Information        Authentication                         │
│  [ ] Cache Information   [ ] Use MD5 Passwords                  │
│  [*] Use LDAP            [*] Use Shadow Passwords               │
│  [ ] Use NIS             [ ] Use LDAP Authentication            │
│  [ ] Use IPAv2           [*] Use Kerberos                       │
│  [ ] Use Winbind         [ ] Use Fingerprint reader             │
│                          [ ] Use Winbind Authentication         │
│                          [*] Local authorization is sufficient  │
│                                                                 │
│            ┌────────┐                      ┌──────┐             │
│            │ Cancel │                      │ Next │             │
│            └────────┘                      └──────┘             │
│                                                                 │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

┌─────────────────┤ LDAP Settings ├─────────────────┐
│                                                   │
│          [*] Use TLS                              │
│  Server: ldap://cla***oom.example.com/___________ │
│ Base DN: dc=example,dc=com_______________________ │
│                                                   │
│         ┌──────┐                ┌──────┐          │
│         │ Back │                │ Next │          │
│         └──────┘                └──────┘          │
│                                                   │
│                                                   │
└───────────────────────────────────────────────────┘

┌─────────────────┤ Kerberos Settings ├──────────────────┐
│                                                        │
│        Realm: EXAMPLE.COM_____________________________ │
│          KDC: cla***oom.example.com___________________ │
│ Admin Server: cla***oom.example.com___________________ │
│               [ ] Use DNS to resolve hosts to realms   │
│               [ ] Use DNS to locate KDCs for realms    │
│                                                        │
│          ┌──────┐                    ┌────┐            │
│          │ Back │                    │ Ok │            │
│          └──────┘                    └────┘            │
│                                                        │
│                                                        │
└────────────────────────────────────────────────────────┘

<當出現以下報錯時>
┌────────────────┤ Warning ├─────────────────┐
│                                            │
│ To connect to a LDAP server with TLS       │
│ protocol enabled you need a CA certificate │
│ which signed your server's certificate.    │
│ Copy the certificate in the PEM format to  │
│ the '/etc/openldap/cacerts' directory.     │
│ Then press OK.                             │
│                                            │
│                  ┌────┐                    │
│                  │ Ok │                    │
│                  └────┘                    │
│                                            │
│                                            │
└────────────────────────────────────────────┘
是因爲客戶端缺少簽發LDAP服務器TLS證書的CA證書，需要把該CA證書（PEM格式）放到/etc/openldap/cacerts目錄下
用到的命令（在/etc/openldap/cacerts目錄中執行）
wget http://172.25.254.254/pub/example-ca.crt
##注意：這個CA證書是客戶端校驗LDAP服務器TLS證書的信任根，而這裏是通過明文HTTP下載的，
##鏈路上的中間人可以把它換成自己的CA，之後的TLS校驗就形同虛設。生產環境要從可信渠道取得，
##並用 openssl x509 -in example-ca.crt -noout -fingerprint -sha256 與管理員另行公佈的指紋比對後再使用。

<測試>
getent passwd ldapuser1
如果用戶信息可以正常顯示，證明客戶端通過sssd查詢LDAP身份信息已經成功。注意這只驗證了身份信息的讀取，Kerberos密碼認證要靠真正用ldapuser帳號登陸（後面的圖形登陸步驟）來驗證。

4.自動掛載用戶家目錄
yum install autofs -y
vim /etc/auto.master
/home/guests    /etc/auto.ldap

vim /etc/auto.ldap
ldapuser1    172.25.254.254:/home/guests/ldapuser1
-----------------------------------------------------
*        172.25.254.254:/home/guests/&
##注意：從後面showmount -e的輸出看，/home/guests導出給了整個172.25.0.0/16網段，而這裏掛載時沒有指定sec=krb5*，
##即使用AUTH_SYS，NFS服務器只相信客戶端報上來的UID；該網段內任何有root權限的主機都能冒充任意ldapuser讀寫其家目錄。
##既然已經部署了Kerberos，生產環境應讓服務器以sec=krb5p導出，並在這裏用"* -fstype=nfs,sec=krb5p 172.25.254.254:/home/guests/&"掛載（客戶端需要主機keytab）。

systemctl restart autofs
systemctl enable autofs

ldap服務端配置在企業部分講

####################
client:
[root@desktop15 ~]# grep bash$ /etc/passwd
root:x:0:0:root:/root:/bin/bash
student:x:1000:1000:Student User:/home/student:/bin/bash
[root@desktop15 ~]# getent passwd root
root:x:0:0:root:/root:/bin/bash
[root@desktop15 ~]# getent passwd student
student:x:1000:1000:Student User:/home/student:/bin/bash
[root@desktop15 ~]# getent passwd ldapuser1
[root@desktop15 ~]# getent passwd ldapuser2
[root@desktop15 ~]# getent passwd ldapuser3
[root@desktop15 ~]# yum install sssd krb5-workstation -y
......
>>>
=====方法1=====
[root@desktop15 ~]# authconfig-tui
......
[root@desktop15 ~]# cd /etc/openldap
[root@desktop15 openldap]# ls
cacerts  certs  ldap.conf
=====方法2=====
[root@desktop15 ~]# cd /etc/openldap
[root@desktop15 openldap]# ls
certs  ldap.conf
[root@desktop15 openldap]# mkdir cacerts/
>>>
[root@desktop15 openldap]# cd cacerts/
[root@desktop15 cacerts]# ls
[root@desktop15 cacerts]# wget http://172.25.254.254/pub/example-ca.crt
--2016-11-12 20:35:59--  http://172.25.254.254/pub/example-ca.crt
Connecting to 172.25.254.254:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1220 (1.2K)
Saving to: ‘example-ca.crt’

100%[=================================>] 1,220       --.-K/s   in 0s      

2016-11-12 20:35:59 (165 MB/s) - ‘example-ca.crt’ saved [1220/1220]

[root@desktop15 cacerts]# ls
example-ca.crt
[root@desktop15 cacerts]# authconfig-tui
......
[root@desktop15 cacerts]# getent passwd ldapuser1
ldapuser1:*:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash
[root@desktop15 cacerts]# su - ldapuser1
su: warning: cannot change directory to /home/guests/ldapuser1: No such file directory
mkdir: cannot create directory '/home/guests': Permission denied
-bash-4.2$ whoami
ldapuser1
-bash-4.2$ pwd
/etc/openldap/cacerts
-bash-4.2$ logout
[root@desktop15 cacerts]# ping cla***oom.example.com
PING cla***oom.example.com (172.25.254.254) 56(84) bytes of data.
64 bytes from cla***oom.example.com (172.25.254.254): icmp_seq=1 ttl=64 time=0.456 ms
64 bytes from cla***oom.example.com (172.25.254.254): icmp_seq=2 ttl=64 time=0.326 ms
......
[root@desktop15 cacerts]# getent passwd ldapuser1
ldapuser1:*:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash
[root@desktop15 cacerts]# getent passwd | grep ldapuser
[root@desktop15 cacerts]# man 5 sssd.conf
--------------------------------------------------
/bool                ##with values of “TRUE/FALSE”。bool的取值相當於功能的開關
按"n"向下查找
       enumerate (bool)        ##枚舉
           Determines if a domain can be enumerated. This parameter can have
           one of the following values:

           TRUE = Users and groups are enumerated

           FALSE = No enumerations for this domain

           Default: FALSE
--------------------------------------------------
[root@desktop15 cacerts]# vim /etc/sssd/sssd.conf
--------------------------------------------------
 16 enumerate = True    ##僅爲了讓getent passwd列出全部LDAP用戶做演示；登陸並不需要枚舉，開啓後客戶端上任何本地用戶都能拿到完整帳號列表，還會給LDAP服務器增加負載，生產環境保持默認FALSE
:wq
--------------------------------------------------
[root@desktop15 cacerts]# systemctl restart sssd.service
[root@desktop15 cacerts]# getent passwd | grep ldapuser
ldapuser10:*:1710:1710:LDAP Test User 10:/home/guests/ldapuser10:/bin/bash
ldapuser11:*:1711:1711:LDAP Test User 11:/home/guests/ldapuser11:/bin/bash
ldapuser12:*:1712:1712:LDAP Test User 12:/home/guests/ldapuser12:/bin/bash
ldapuser13:*:1713:1713:LDAP Test User 13:/home/guests/ldapuser13:/bin/bash
ldapuser14:*:1714:1714:LDAP Test User 14:/home/guests/ldapuser14:/bin/bash
ldapuser15:*:1715:1715:LDAP Test User 15:/home/guests/ldapuser15:/bin/bash
ldapuser16:*:1716:1716:LDAP Test User 16:/home/guests/ldapuser16:/bin/bash
ldapuser17:*:1717:1717:LDAP Test User 17:/home/guests/ldapuser17:/bin/bash
ldapuser18:*:1718:1718:LDAP Test User 18:/home/guests/ldapuser18:/bin/bash
ldapuser19:*:1719:1719:LDAP Test User 19:/home/guests/ldapuser19:/bin/bash
ldapuser20:*:1720:1720:LDAP Test User 20:/home/guests/ldapuser20:/bin/bash
ldapuser0:*:1700:1700:LDAP Test User 0:/home/guests/ldapuser0:/bin/bash
ldapuser1:*:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash
ldapuser2:*:1702:1702:LDAP Test User 2:/home/guests/ldapuser2:/bin/bash
ldapuser3:*:1703:1703:LDAP Test User 3:/home/guests/ldapuser3:/bin/bash
ldapuser4:*:1704:1704:LDAP Test User 4:/home/guests/ldapuser4:/bin/bash
ldapuser5:*:1705:1705:LDAP Test User 5:/home/guests/ldapuser5:/bin/bash
ldapuser6:*:1706:1706:LDAP Test User 6:/home/guests/ldapuser6:/bin/bash
ldapuser7:*:1707:1707:LDAP Test User 7:/home/guests/ldapuser7:/bin/bash
ldapuser8:*:1708:1708:LDAP Test User 8:/home/guests/ldapuser8:/bin/bash
ldapuser9:*:1709:1709:LDAP Test User 9:/home/guests/ldapuser9:/bin/bash
[root@desktop15 cacerts]# yum install autofs -y
......
[root@desktop15 cacerts]# vim /etc/auto.master
--------------------------------------------------
 14 /home/guests    /etc/auto.ldap
:wq
--------------------------------------------------
[root@desktop15 cacerts]# showmount -e 172.25.254.254
Export list for 172.25.254.254:
/home/guests 172.25.0.0/255.255.0.0
[root@desktop15 cacerts]# vim /etc/auto.ldap
--------------------------------------------------
ldapuser1       172.25.254.254:/home/guests/ldapuser1
:wq
--------------------------------------------------
[root@desktop15 cacerts]# systemctl restart autofs
[root@desktop15 cacerts]# su - ldapuser1
Last login: Sat Nov 12 20:32:55 EST 2016 on pts/0
[ldapuser1@desktop15 ~]# logout
[root@desktop15 cacerts]# vim /etc/auto.ldap
--------------------------------------------------
*       172.25.254.254:/home/guests/&
:wq
--------------------------------------------------
[root@desktop15 cacerts]# systemctl restart autofs
[root@desktop15 cacerts]# systemctl enable autofs
ln -s '/usr/lib/systemd/system/autofs.service' '/etc/systemd/system/multi-user.target.wants/autofs.service'
>註銷圖形使用ldapuser{0..20}重新登陸desktop0密碼均爲kerberos
>如果登陸時畫面一閃又退回到登陸界面。說明配置有問題請檢查配置。
>進入圖形表示配置正確
>打開另外一臺虛擬機"server15"編寫腳本
[root@server15 ~]# authconfig --help |less    ##查看命令解釋
[root@server15 ~]# vim set-ldap.sh
--------------------------------------------------
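#!/bin/bash
# set-ldap.sh -- turn this host into an LDAP (identity) + Kerberos (password)
# client via sssd, and automount /home/guests/<user> from the NFS server with
# autofs. Mirrors the interactive authconfig-tui setup: "Use LDAP" and
# "Use Kerberos" with TLS to the LDAP server; LDAP authentication itself is
# disabled (--disableldapauth), Kerberos does the password check.
#
# Lab values are defaults that can be overridden from the environment:
#   LDAP_SERVER, LDAP_BASEDN, KRB_REALM, KRB_KDC, NFS_SERVER, CA_URL
#   CA_SHA256 - expected sha256 of the CA file, obtained out of band (optional)
# Must run as root. Exits non-zero on the first failing step.
set -euo pipefail

LDAP_SERVER="${LDAP_SERVER:-cla***oom.example.com}"
LDAP_BASEDN="${LDAP_BASEDN:-dc=example,dc=com}"
KRB_REALM="${KRB_REALM:-EXAMPLE.COM}"
KRB_KDC="${KRB_KDC:-$LDAP_SERVER}"
NFS_SERVER="${NFS_SERVER:-172.25.254.254}"
CA_URL="${CA_URL:-http://172.25.254.254/pub/example-ca.crt}"
CA_SHA256="${CA_SHA256:-}"
CACERT_DIR=/etc/openldap/cacerts

die() { printf 'set-ldap.sh: %s\n' "$*" >&2; exit 1; }

[ "$(id -u)" -eq 0 ] || die "must be run as root"

echo "install software ing ..."
# stdout is noise; stderr is kept so a yum failure stays visible (set -e aborts).
yum install sssd krb5-workstation autofs -y > /dev/null

echo "fetch ldap CA certificate ing ..."
# SECURITY: this file becomes the trust anchor sssd uses to verify the LDAP
# server's TLS certificate. CA_URL is plain HTTP, so anyone on the path could
# substitute their own CA and then impersonate the LDAP server. Compare against
# a fingerprint obtained out of band whenever one is available.
mkdir -p "$CACERT_DIR"
tmp_cert=$(mktemp)
trap 'rm -f "$tmp_cert"' EXIT
wget -q -O "$tmp_cert" "$CA_URL" || die "cannot download CA certificate from $CA_URL"
if [ -n "$CA_SHA256" ]; then
  printf '%s  %s\n' "$CA_SHA256" "$tmp_cert" | sha256sum -c --quiet - \
    || die "CA certificate from $CA_URL does not match CA_SHA256"
else
  printf 'WARNING: CA_SHA256 not set; CA certificate from %s is NOT verified\n' "$CA_URL" >&2
fi
install -m 0644 "$tmp_cert" "$CACERT_DIR/example-ca.crt"
# The CA is looked up by hashed file name inside the cacerts dir; rebuild the links.
if command -v cacertdir_rehash > /dev/null; then
  cacertdir_rehash "$CACERT_DIR"
fi

echo "config ldap auth client ing ..."
authconfig \
  --enableldap \
  --enablekrb5 \
  --disableldapauth \
  --enableldaptls \
  --ldapserver="$LDAP_SERVER" \
  --ldapbasedn="$LDAP_BASEDN" \
  --krb5realm="$KRB_REALM" \
  --krb5kdc="$KRB_KDC" \
  --krb5adminserver="$KRB_KDC" \
  --enablesssd \
  --enablesssdauth \
  --update

echo "config ldap user's home directory ing ..."
# Append only if absent so re-running the script does not duplicate map entries.
master_entry="/home/guests    /etc/auto.ldap"
map_entry="*        ${NFS_SERVER}:/home/guests/&"
grep -qxF -- "$master_entry" /etc/auto.master 2>/dev/null \
  || printf '%s\n' "$master_entry" >> /etc/auto.master
grep -qxF -- "$map_entry" /etc/auto.ldap 2>/dev/null \
  || printf '%s\n' "$map_entry" >> /etc/auto.ldap
systemctl restart autofs
systemctl enable autofs > /dev/null 2>&1

echo "all is successfully !!!"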
--------------------------------------------------
##編寫完腳本authconfig部分的配置使用命令"authconfig-tui"檢查同時確保網絡暢通。
[root@server15 ~]# chmod +x set-ldap.sh
[root@server15 ~]# ./set-ldap.sh
[root@server15 ~]# getent passwd ldapuser1
ldapuser1:*:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash
>註銷圖形使用ldapuser{0..20}重新登陸desktop0密碼均爲kerberos
>如果登陸時畫面一閃又退回到登陸界面。說明腳本有問題請檢查腳本。
>進入圖形表示配置正確
####################

####################
#### vsftpd服務    ####
####################
接11.12的筆記

####################
服務端
[root@server ~]# yum install vsftpd -y
[root@server ~]# systemctl start vsftpd
[root@server ~]# systemctl enable vsftpd
[root@server ~]# firewall-cmd --permanent --add-service=ftp
[root@server ~]# firewall-cmd --reload
##以上輸出省略
[root@server ~]# vim /etc/sysconfig/selinux
--------------------------------------------------
 7 SELINUX=disabled
:wq
--------------------------------------------------
[root@server ~]# reboot
##等待重啓
##注意：爲了讓後面的匿名上傳/本地用戶寫入能成功而整體關閉SELinux是不可取的，這會去掉整臺機器上所有服務的強制訪問控制。
##正確做法是保持enforcing，只放開vsftpd需要的策略，例如：
##  setsebool -P ftpd_anon_write on        ##允許匿名上傳
##  setsebool -P ftpd_full_access on       ##允許本地用戶讀寫家目錄（按需）
##  semanage fcontext -a -t public_content_rw_t "/var/ftp/pub(/.*)?" && restorecon -Rv /var/ftp/pub
[root@server ~]# chgrp ftp /var/ftp/pub/
[root@server ~]# chmod 775 /var/ftp/pub/
####################

#<匿名用戶使用的用戶身份修改>
chown_uploads=YES
chown_username=student
##注意：前面已經chgrp ftp並chmod 775 /var/ftp/pub，匿名會話（以ftp用戶運行）就能往裏寫，再加上anon_upload_enable=YES，等於向所有能連到21端口的人開放了一個匿名可寫目錄，只應在受控網絡中開啓。
##chown_username應指向一個無登陸shell的專用普通帳號，不要用默認值root（見下面man手冊），否則匿名上傳的文件會變成root所有。

####################
服務端
[root@server ~]# man 5 vsftpd.conf
--------------------------------------------------
       chown_uploads
              If  enabled, all anonymously uploaded files will have the owner‐
              ship changed to the user specified in  the  setting  chown_user‐
              name.   This is useful from an administrative, and perhaps secu‐
              rity, standpoint.

              Default: NO

       chown_username
              This  is  the  name of the user who is given ownership of anony‐
              mously uploaded files. This option is only relevant  if  another
              option, chown_uploads, is set.

              Default: root
--------------------------------------------------
[root@server ~]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
 29 anon_upload_enable=YES

 48 chown_uploads=YES
 49 chown_username=student
:wq
--------------------------------------------------
[root@server ~]# systemctl restart vsftpd
客戶端
[root@desktop ~]# yum install lftp -y
[root@desktop ~]# lftp 172.25.50.200
lftp 172.25.50.200:/> cd pub/
lftp 172.25.50.200:/pub> ls
lftp 172.25.50.200:/pub> put /etc/passwd
2005 bytes transferred
lftp 172.25.50.200:/pub> ls
-rw-------    1 1000     50           2005 Nov 18 01:52 passwd
lftp 172.25.50.200:/pub> exit
服務端
[root@server ~]# cd /var/ftp/pub/
[root@server pub]# ll
total 4
-rw-------. 1 student ftp 2005 Nov 17 20:52 passwd
[root@server pub]# rm -fr *
####################

#<最大上傳速率>
anon_max_rate=102400

####################
客戶端
[root@desktop ~]# dd if=/dev/zero of=/mnt/file bs=1M count=1000
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB) copied, 20.4023 s, 51.4 MB/s
[root@desktop ~]# lftp 172.25.50.200
lftp 172.25.50.200:/> cd pub/
lftp 172.25.50.200:/pub> ls
lftp 172.25.50.200:/pub> put /mnt/file
1048576000 bytes transferred in 26 seconds (38.28M/s)
lftp 172.25.50.200:/pub> exit
服務端
[root@server pub]# man 5 vsftpd.conf
--------------------------------------------------
       anon_max_rate
              The maximum data transfer rate permitted, in bytes  per  second,
              for anonymous clients.

              Default: 0 (unlimited)
--------------------------------------------------
[root@server pub]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
 30 anon_max_rate=10240000            ##限制爲每秒10兆

 49 #chown_uploads=YES
 50 #chown_username=student
:wq
--------------------------------------------------
[root@server pub]# systemctl restart vsftpd
[root@server pub]# ls
file
[root@server pub]# rm -fr *
客戶端
[root@desktop ~]# lftp 172.25.50.200
lftp 172.25.50.200:/> cd pub/
lftp 172.25.50.200:/pub> ls
lftp 172.25.50.200:/pub> put /mnt/file
1048576000 bytes transferred in 102 seconds (9.76M/s)
lftp 172.25.50.200:/pub>
服務端
[root@server pub]# ls
file
[root@server pub]# rm -fr *
####################

#<最大鏈接數>
max_clients=2

####################
真機
[root@foundation50 Desktop]# lftp 172.25.50.200
lftp 172.25.50.200:~> ls
drwxrwxr-x    2 0        50             17 Nov 18 02:19 pub
lftp 172.25.50.200:~> exit
##虛擬機desktop使用lftp登陸後真機再使用lftp登陸不受影響
服務端
[root@server pub]# man 5 vsftpd.conf
--------------------------------------------------
       max_clients
              If vsftpd is in standalone mode, this is the maximum  number  of
              clients  which may be connected. Any additional clients connect‐
              ing will get an error message.

              Default: 0 (unlimited)
--------------------------------------------------
[root@server pub]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
 30 max_clients=1
:wq
--------------------------------------------------
[root@server pub]# systemctl restart vsftpd
真機
[root@foundation50 Desktop]# lftp 172.25.50.200
lftp 172.25.50.200:~> ls
Interrupt                  
lftp 172.25.50.200:~> exit
##虛擬機desktop使用lftp登陸後真機再使用lftp登陸無法執行任何操作
####################

2)本地用戶設定
local_enable=YES|NO        ##本地用戶登陸限制
write_enable=YES|NO        ##本地用戶寫權限限制
##注意：本地用戶登陸FTP時，帳號和密碼是明文傳輸的（下面lftp的Password:提示後輸入的就是系統登陸密碼），網絡上能嗅探的人都能拿到。
##生產環境應開啓ssl_enable=YES並設置force_local_logins_ssl=YES、force_local_data_ssl=YES，或改用SFTP。

####################
服務端
[root@server pub]# useradd westos
[root@server pub]# echo westos | passwd westos --stdin
Changing password for user westos.
passwd: all authentication tokens updated successfully.
[root@server pub]# useradd redhat
[root@server pub]# echo redhat | passwd redhat --stdin
Changing password for user redhat.
passwd: all authentication tokens updated successfully.
[root@server pub]# id westos
uid=1001(westos) gid=1001(westos) groups=1001(westos)
[root@server pub]# id redhat
uid=1002(redhat) gid=1002(redhat) groups=1002(redhat)
客戶端
lftp 172.25.50.200:/pub> exit
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp [email protected]:~> ls
lftp [email protected]:~> put /etc/passwd
2005 bytes transferred
lftp [email protected]:~> ls
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp [email protected]:~> exit
服務端
[root@server pub]# cd /home/westos
[root@server westos]# ls
passwd
[root@server westos]# man 5 vsftpd.conf
--------------------------------------------------
       local_enable
              Controls whether local logins are permitted or not. If  enabled,
              normal user accounts in /etc/passwd (or wherever your PAM config
              references) may be used to log in. This must be enable  for  any
              non-anonymous login to work, including virtual users.

              Default: NO
--------------------------------------------------
[root@server westos]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
修改
 16 local_enable=NO
刪除
 30 max_clients=1
--------------------------------------------------
[root@server westos]# systemctl restart vsftpd.service
客戶端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp [email protected]:~> ls       
ls: Login failed: 530 This FTP server is anonymous only.
lftp [email protected]:~> exit
服務端
[root@server westos]# man 5 vsftpd.conf
--------------------------------------------------
       write_enable
              This controls whether any FTP commands which change the filesys‐
              tem  are  allowed  or not. These commands are: STOR, DELE, RNFR,
              RNTO, MKD, RMD, APPE and SITE.

              Default: NO
--------------------------------------------------
[root@server westos]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
 16 local_enable=YES

 19 write_enable=NO
:wq
--------------------------------------------------
[root@server westos]# systemctl restart vsftpd.service
客戶端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp [email protected]:~> ls       
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp [email protected]:~> put /etc/group
put: Access failed: 550 Permission denied. (group)
lftp [email protected]:~> exit
####################

#<本地用戶家目錄修改>
local_root=/directory

####################
服務端
[root@server westos]# man 5 vsftpd.conf
--------------------------------------------------
       local_root
              This option represents a directory  which  vsftpd  will  try  to
              change into after a local (i.e. non-anonymous) login. Failure is
              silently ignored.

              Default: (none)
--------------------------------------------------
[root@server westos]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
 17 local_root=/etc                 ##僅作演示：這會讓任何本地FTP用戶瀏覽/etc下的系統配置，下一步就會刪掉

 20 write_enable=YES
:wq
--------------------------------------------------
[root@server westos]# systemctl restart vsftpd.service
客戶端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp [email protected]:~> ls       
......
lftp [email protected]:~> exit
####################

#<本地用戶上傳文件權限>
local_umask=xxx

####################
服務端
[root@server westos]# man 5 vsftpd.conf
--------------------------------------------------
       local_umask
              The  value  that the umask for file creation is set to for local
              users. NOTE! If you want to specify octal values,  remember  the
              "0"  prefix  otherwise  the  value  will be treated as a base 10
              integer!

              Default: 077
--------------------------------------------------
[root@server westos]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
刪除
 17 local_root=/etc
修改
 23 local_umask=077                ##原來是022
:wq
--------------------------------------------------
[root@server westos]# systemctl restart vsftpd.service
客戶端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp [email protected]:~> put /etc/group
850 bytes transferred                                          
lftp [email protected]:~> ls
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp [email protected]:~> exit
####################

#<限制本地用戶瀏覽/目錄>
所有用戶被鎖定到自己的家目錄中
chroot_local_user=YES
chmod u-w /home/*
##說明：vsftpd拒絕在屬主可寫的chroot根目錄中運行（下面的"500 OOPS: vsftpd: refusing to run with writable root inside chroot()"），
##這裏用chmod u-w把家目錄本身改成屬主不可寫來滿足它，但副作用是用戶在shell裏也無法再在自己家目錄的頂層建文件。
##替代做法：allow_writeable_chroot=YES（放棄這項保護，只適合沒有shell的純FTP帳號），或把local_root指到家目錄下一個不可寫的子目錄、在其中再建可寫子目錄用於上傳。

####################
[root@desktop ~]# lftp 172.25.50.200 -u redhat
Password:
lftp [email protected]:~> ls       
lftp [email protected]:~> cd /
cd ok, cwd=/
lftp [email protected]:/> ls
lrwxrwxrwx    1 0        0               7 May 07  2014 bin -> usr/bin
dr-xr-xr-x    4 0        0            4096 Jul 10  2014 boot
drwxr-xr-x   18 0        0            2800 Nov 18 01:00 dev
drwxr-xr-x  134 0        0            8192 Nov 18 02:51 etc
drwxr-xr-x    5 0        0              46 Nov 18 02:44 home
lrwxrwxrwx    1 0        0               7 May 07  2014 lib -> usr/lib
lrwxrwxrwx    1 0        0               9 May 07  2014 lib64 -> usr/lib64
drwxr-xr-x    2 0        0               6 Mar 13  2014 media
drwxr-xr-x    2 0        0               6 Nov 18 02:19 mnt
drwxr-xr-x    3 0        0              15 Jul 10  2014 opt
dr-xr-xr-x  131 0        0               0 Nov 18 00:59 proc
dr-xr-x---   14 0        0            4096 Nov 18 03:19 root
drwxr-xr-x   35 0        0            1140 Nov 18 02:33 run
lrwxrwxrwx    1 0        0               8 May 07  2014 sbin -> usr/sbin
drwxr-xr-x    2 0        0               6 Mar 13  2014 srv
dr-xr-xr-x   13 0        0               0 Nov 18 00:59 sys
drwxrwxrwt   10 0        0            4096 Nov 18 02:33 tmp
drwxr-xr-x   13 0        0            4096 May 07  2014 usr
drwxr-xr-x   23 0        0            4096 Nov 18 00:59 var
lftp [email protected]:/> exit
服務端
[root@server westos]# man 5 vsftpd.conf
--------------------------------------------------
       chroot_local_user
              If set to YES, local users will be  (by  default)  placed  in  a
              chroot()  jail  in  their  home directory after login.  Warning:
              This option has security implications, especially if  the  users
              have upload permission, or shell access. Only enable if you know
              what you are doing.  Note that these security  implications  are
              not  vsftpd  specific. They apply to all FTP daemons which offer
              to put local users in chroot() jails.

              Default: NO
--------------------------------------------------
[root@server westos]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
101 chroot_local_user=YES
:wq
--------------------------------------------------
[root@server westos]# systemctl restart vsftpd.service
客戶端
[root@desktop ~]# lftp 172.25.50.200 -u redhat
Password:
lftp [email protected]:~> ls
ls: Login failed: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
lftp [email protected]:~> cd /
cd: Login failed: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
lftp [email protected]:~> exit
服務端
[root@server westos]# ll /home
total 4
drwx------. 4 redhat  redhat    88 Nov 17 21:44 redhat
drwx------. 4 student student   84 Jul 10  2014 student
drwx------. 4 westos  westos  4096 Nov 17 22:16 westos
[root@server westos]# chmod u-w /home/*
[root@server westos]# ll /home
total 4
dr-x------. 4 redhat  redhat    88 Nov 17 21:44 redhat
dr-x------. 4 student student   84 Jul 10  2014 student
dr-x------. 4 westos  westos  4096 Nov 17 22:16 westos
客戶端
[root@desktop ~]# lftp 172.25.50.200 -u redhat
Password:
lftp [email protected]:~> ls       
lftp [email protected]:/> cd /
lftp [email protected]:/> ls
lftp [email protected]:/> exit
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp [email protected]:~> ls       
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp [email protected]:/> cd /
lftp [email protected]:/> ls
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp [email protected]:/> exit
####################

用戶黑名單建立
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

用戶白名單建立
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

####################
服務端
[root@server westos]# man 5 vsftpd.conf
--------------------------------------------------
       chroot_list_enable
              If activated, you may provide a list  of  local  users  who  are
              placed  in  a  chroot() jail in their home directory upon login.
              The meaning is slightly different if chroot_local_user is set to
              YES.  In  this  case, the list becomes a list of users which are
              NOT to be placed in a chroot() jail.  By default, the file  con‐
              taining  this list is /etc/vsftpd/chroot_list, but you may over‐
              ride this with the chroot_list_file setting.

              Default: NO

       chroot_list_file
              The  option  is  the  name  of a file containing a list of local
              users which will be placed in a  chroot()  jail  in  their  home
              directory.   This   option   is  only  relevant  if  the  option
              chroot_list_enable is enabled. If the  option  chroot_local_user
              is  enabled,  then  the list file becomes a list of users to NOT
              place in a chroot() jail.

              Default: /etc/vsftpd.chroot_list
--------------------------------------------------
[root@server westos]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
102 chroot_list_enable=YES

104 chroot_list_file=/etc/vsftpd/chroot_list
:wq
--------------------------------------------------
[root@server westos]# systemctl restart vsftpd.service
客戶端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp [email protected]:~> ls
ls: Login failed: 500 OOPS: could not read chroot() list file:/etc/vsftpd/chroot_list
lftp [email protected]:~> cd /     
cd: Login failed: 500 OOPS: could not read chroot() list file:/etc/vsftpd/chroot_list
lftp [email protected]:~> exit
服務端
[root@server westos]# ll /etc/vsftpd/chroot_list
ls: cannot access /etc/vsftpd/chroot_list: No such file or directory
[root@server westos]# touch /etc/vsftpd/chroot_list
客戶端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp [email protected]:~> ls       
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp [email protected]:/> cd /
lftp [email protected]:/> ls
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp [email protected]:/> exit
服務端
[root@server westos]# vim /etc/vsftpd/chroot_list
--------------------------------------------------
westos
:wq
--------------------------------------------------
客戶端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp [email protected]:~> ls       
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp [email protected]:~> cd /
cd ok, cwd=/
lftp [email protected]:/> ls
lrwxrwxrwx    1 0        0               7 May 07  2014 bin -> usr/bin
dr-xr-xr-x    4 0        0            4096 Jul 10  2014 boot
drwxr-xr-x   18 0        0            2800 Nov 18 01:00 dev
drwxr-xr-x  134 0        0            8192 Nov 18 02:51 etc
drwxr-xr-x    5 0        0              46 Nov 18 02:44 home
lrwxrwxrwx    1 0        0               7 May 07  2014 lib -> usr/lib
lrwxrwxrwx    1 0        0               9 May 07  2014 lib64 -> usr/lib64
drwxr-xr-x    2 0        0               6 Mar 13  2014 media
drwxr-xr-x    2 0        0               6 Nov 18 02:19 mnt
drwxr-xr-x    3 0        0              15 Jul 10  2014 opt
dr-xr-xr-x  131 0        0               0 Nov 18 00:59 proc
dr-xr-x---   14 0        0            4096 Nov 18 03:48 root
drwxr-xr-x   35 0        0            1140 Nov 18 02:33 run
lrwxrwxrwx    1 0        0               8 May 07  2014 sbin -> usr/sbin
drwxr-xr-x    2 0        0               6 Mar 13  2014 srv
dr-xr-xr-x   13 0        0               0 Nov 18 00:59 sys
drwxrwxrwt   10 0        0            4096 Nov 18 03:42 tmp
drwxr-xr-x   13 0        0            4096 May 07  2014 usr
drwxr-xr-x   23 0        0            4096 Nov 18 00:59 var
lftp [email protected]:/> exit
[root@desktop ~]# lftp 172.25.50.200 -u redhat
Password:
lftp [email protected]:~> ls       
lftp [email protected]:/> cd /
lftp [email protected]:/> ls
lftp [email protected]:/> exit
服務端
[root@server westos]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
101 chroot_local_user=NO
:wq
--------------------------------------------------
[root@server westos]# systemctl restart vsftpd.service
客戶端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp [email protected]:~> ls       
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp [email protected]:/> cd /
lftp [email protected]:/> ls
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp [email protected]:/> exit
[root@desktop ~]# lftp 172.25.50.200 -u redhat
Password:
lftp [email protected]:~> ls       
lftp [email protected]:~> cd /
cd ok, cwd=/
lftp [email protected]:/> ls
lrwxrwxrwx    1 0        0               7 May 07  2014 bin -> usr/bin
dr-xr-xr-x    4 0        0            4096 Jul 10  2014 boot
drwxr-xr-x   18 0        0            2800 Nov 18 01:00 dev
drwxr-xr-x  134 0        0            8192 Nov 18 02:51 etc
drwxr-xr-x    5 0        0              46 Nov 18 02:44 home
lrwxrwxrwx    1 0        0               7 May 07  2014 lib -> usr/lib
lrwxrwxrwx    1 0        0               9 May 07  2014 lib64 -> usr/lib64
drwxr-xr-x    2 0        0               6 Mar 13  2014 media
drwxr-xr-x    2 0        0               6 Nov 18 02:19 mnt
drwxr-xr-x    3 0        0              15 Jul 10  2014 opt
dr-xr-xr-x  131 0        0               0 Nov 18 00:59 proc
dr-xr-x---   14 0        0            4096 Nov 18 03:56 root
drwxr-xr-x   35 0        0            1140 Nov 18 02:33 run
lrwxrwxrwx    1 0        0               8 May 07  2014 sbin -> usr/sbin
drwxr-xr-x    2 0        0               6 Mar 13  2014 srv
dr-xr-xr-x   13 0        0               0 Nov 18 00:59 sys
drwxrwxrwt   10 0        0            4096 Nov 18 03:42 tmp
drwxr-xr-x   13 0        0            4096 May 07  2014 usr
drwxr-xr-x   23 0        0            4096 Nov 18 00:59 var
lftp [email protected]:/> exit
####################

#<限制本地用戶登陸>
vim /etc/vsftpd/ftpusers        ##由PAM執行的黑名單（RHEL默認在/etc/pam.d/vsftpd裏用pam_listfile讀取）：輸完密碼後才拒絕，客戶端看到"530 Login incorrect"
vim /etc/vsftpd/user_list        ##由vsftpd自己（userlist_enable=YES）執行的黑名單：在詢問密碼之前就拒絕，客戶端看到"530 Permission denied"；配合userlist_deny=NO可變成白名單
##兩個文件默認都列有root和各系統帳號，不要把它們刪掉，否則root等帳號就能用明文密碼登陸FTP

帳號沒有設置密碼或密碼已被鎖定（如passwd -l）時，PAM認證必然失敗，這樣的用戶無法登陸FTP

####################
服務端
[root@server westos]# cd /etc/vsftpd/
[root@server vsftpd]# ls
chroot_list  ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh
[root@server vsftpd]# vim ftpusers
--------------------------------------------------
在最後添加
westos
:wq
--------------------------------------------------
客戶端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp [email protected]:~> ls       
ls: Login failed: 530 Login incorrect.          ##直接提示登陸不正確
lftp [email protected]:~> exit
[root@desktop ~]# lftp 172.25.50.200 -u redhat
Password:
lftp [email protected]:~> ls       
lftp [email protected]:~> exit
服務端
[root@server vsftpd]# vim ftpusers
--------------------------------------------------
刪除
westos
:wq
--------------------------------------------------
[root@server vsftpd]# vim user_list
--------------------------------------------------
在最後添加
westos
:wq
--------------------------------------------------
客戶端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp [email protected]:~> ls       
ls: Login failed: 530 Permission denied.          
lftp [email protected]:~> exit
[root@desktop ~]# lftp 172.25.50.200 -u redhat
Password:
lftp [email protected]:~> ls       
lftp [email protected]:~> exit
####################

用戶白名單設定
userlist_deny=NO
/etc/vsftpd/user_list            ##此參數使該文件變成用戶白名單，只有名單中出現的用戶可以登陸ftp

####################
服務端
[root@server vsftpd]# man 5 vsftpd.conf
--------------------------------------------------
       userlist_deny
              This  option is examined if userlist_enable is activated. If you
              set this setting to NO, then users will be denied  login  unless
              they   are   explicitly   listed   in   the  file  specified  by
              userlist_file.  When login  is  denied,  the  denial  is  issued
              before the user is asked for a password.

              Default: YES
--------------------------------------------------
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
128 userlist_deny=NO
:wq
--------------------------------------------------
[root@server vsftpd]# systemctl restart vsftpd.service
客戶端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp [email protected]:~> ls       
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp [email protected]:/> exit
[root@desktop ~]# lftp 172.25.50.200 -u redhat
Password:
lftp [email protected]:~> ls       
ls: Login failed: 530 Permission denied.          
lftp [email protected]:~> exit
####################

#<ftp虛擬用戶的設定>
創建虛擬帳號身份
vim /etc/vsftpd/loginusers    ##文件名稱任意
ftpuser1
123
ftpuser2
123
ftpuser3
123

db_load -T -t hash -f /etc/vsftpd/loginusers loginusers.db    ##輸出路徑為相對當前目錄，須在 /etc/vsftpd 下執行或寫完整路徑
-T    ##輸入為純文本格式（每兩行為一組：用戶名、密碼）
-t    ##指定數據庫類型（這裏是 hash），並非加密；密碼以明文存入 db 文件（見下方 cat userfile.db 的輸出），故 db 文件權限應限制為只有 root 可讀

vim /etc/pam.d/ckvsftpd        ##文件名稱任意
account        required    pam_userdb.so    db=/etc/vsftpd/loginusers
auth        required    pam_userdb.so    db=/etc/vsftpd/loginusers

vim /etc/vsftpd/vsftpd.conf
pam_service_name=ckvsftpd
guest_enable=YES

虛擬帳號身份指定
guest_username=ftpuser
chmod u-w /home/ftpuser

虛擬用戶只在ftp上是本地用戶

####################
服務端
[root@server vsftpd]# vim /etc/vsftpd/userfile
--------------------------------------------------
westos1
123
westos2
123
westos3
123
:wq
--------------------------------------------------
[root@server vsftpd]# db_load -T -t hash -f userfile userfile.db
[root@server vsftpd]# ls
chroot_list  userfile     user_list    vsftpd_conf_migrate.sh
ftpusers     userfile.db  vsftpd.conf
[root@server vsftpd]# rm -fr userfile
[root@server vsftpd]# cat userfile.db
D@&эh^123westos2
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
發現
126 pam_service_name=vsftpd
:q
--------------------------------------------------
[root@server vsftpd]# cat /etc/pam.d/vsftpd
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required    pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required    pam_shells.so
auth       include    password-auth
account    include    password-auth
session    required     pam_loginuid.so
session    include    password-auth
[root@server vsftpd]# find /usr -name pam_userdb.so
/usr/lib64/security/pam_userdb.so
[root@server vsftpd]# vim /etc/pam.d/westos
--------------------------------------------------
account         required        pam_userdb.so   db=/etc/vsftpd/userfile
auth            required        pam_userdb.so   db=/etc/vsftpd/userfile
--------------------------------------------------
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
修改
126 pam_service_name=westos
刪除
128 userlist_deny=NO
添加
129 guest_enable=YES
130 guest_username=ftp            ##默認就是ftp
:wq
--------------------------------------------------
[root@server vsftpd]# systemctl restart vsftpd.service
客戶端
[root@desktop ~]# lftp 172.25.50.200 -u westos1
Password:
lftp [email protected]:/> cd pub/
lftp [email protected]:/pub> ls
lftp [email protected]:/pub> put /etc/passwd
2005 bytes transferred                                           
lftp [email protected]:/pub> ls
-rw-------    1 14       50           2005 Nov 18 08:14 passwd
lftp [email protected]:/pub> exit
[root@desktop ~]# lftp 172.25.50.200 -u westos2
Password:
lftp [email protected]:~> ls      
drwxrwxr-x    2 0        50             19 Nov 18 08:38 pub
lftp [email protected]:/> exit
[root@desktop ~]# lftp 172.25.50.200 -u westos3
Password:
lftp [email protected]:~> ls      
drwxrwxr-x    2 0        50             19 Nov 18 08:38 pub
lftp [email protected]:/> exit
####################

虛擬帳號家目錄獨立設定
vim /etc/vsftpd/vsftpd.conf
local_root=/ftpuserhome/$USER
user_sub_token=$USER            ##此處的 $USER 是 vsftpd 在登陸時替換為虛擬用戶名的佔位符，不是 shell 變量

####################
服務端
[root@server vsftpd]# mkdir /ftp/westos1 -p
[root@server vsftpd]# mkdir /ftp/westos2 -p
[root@server vsftpd]# mkdir /ftp/westos3 -p
[root@server vsftpd]# touch /ftp/westos1/file1
[root@server vsftpd]# touch /ftp/westos2/file2
[root@server vsftpd]# touch /ftp/westos3/file3
[root@server vsftpd]# echo $USER
root
[root@server vsftpd]# su - student
[student@server ~]$ echo $USER
student
[student@server ~]$ exit
logout
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
131 local_root=/ftp/$USER
132 user_sub_token=$USER
:wq
--------------------------------------------------
[root@server vsftpd]# systemctl restart vsftpd.service
客戶端
[root@desktop ~]# lftp 172.25.50.200 -u westos1
Password:
lftp [email protected]:~> ls      
-rw-r--r--    1 0        0               0 Nov 18 08:50 file1
lftp [email protected]:/> exit
[root@desktop ~]# lftp 172.25.50.200 -u westos2
Password:
lftp [email protected]:~> ls      
-rw-r--r--    1 0        0               0 Nov 18 09:01 file2
lftp [email protected]:/> exit
[root@desktop ~]# lftp 172.25.50.200 -u westos3
Password:
lftp [email protected]:~> ls      
-rw-r--r--    1 0        0               0 Nov 18 09:01 file3
lftp [email protected]:/> exit
####################
