Linux课程第十六天学习笔记-白红宇

Linux课程第十六天学习笔记

阅读量：6872 次

发布时间：2019-06-26

本文共 33521 字，大约阅读时间需要 111 分钟。

###############################

####### ldap网络帐号 #######

###############################

1.ldap是什么

ldap目录服务认证和windows活动目录类似就是记录数据的一种方式

2.ldap客户端所须软件

yum sssd krb5-workstation -y

3.如何开启ldap用户认证

authconfig-tui

┌────────────────┤ Authentication Configuration ├─────────────────┐

│ │

│ User Information Authentication │

│ [ ] Cache Information [ ] Use MD5 Passwords │

│ [*] Use LDAP [*] Use Shadow Passwords │

│ [ ] Use NIS [ ] Use LDAP Authentication │

│ [ ] Use IPAv2 [*] Use Kerberos │

│ [ ] Use Winbind [ ] Use Fingerprint reader │

│ [ ] Use Winbind Authentication │

│ [*] Local authorization is sufficient │

│ │

│ ┌────────┐ ┌──────┐ │

│ │ Cancel │ │ Next │ │

│ └────────┘ └──────┘ │

│ │

└─────────────────────────────────────────────────────────────────┘

┌─────────────────┤ LDAP Settings ├─────────────────┐

│ │

│ [*] Use TLS │

│ Server: ldap://cla***oom.example.com/___________ │

│ Base DN: dc=example,dc=com_______________________ │

│ │

│ ┌──────┐ ┌──────┐ │

│ │ Back │ │ Next │ │

│ └──────┘ └──────┘ │

│ │

└───────────────────────────────────────────────────┘

┌─────────────────┤ Kerberos Settings ├──────────────────┐

│ │

│ Realm: EXAMPLE.COM_____________________________ │

│ KDC: cla***oom.example.com___________________ │

│ Admin Server: cla***oom.example.com___________________ │

│ [ ] Use DNS to resolve hosts to realms │

│ [ ] Use DNS to locate KDCs for realms │

│ │

│ ┌──────┐ ┌────┐ │

│ │ Back │ │ Ok │ │

│ └──────┘ └────┘ │

│ │

└────────────────────────────────────────────────────────┘

<当出现以下报错时>

┌────────────────┤ Warning ├─────────────────┐

│ │

│ To connect to a LDAP server with TLS │

│ protocol enabled you need a CA certificate │

│ which signed your server's certificate. │

│ Copy the certificate in the PEM format to │

│ the '/etc/openldap/cacerts' directory. │

│ Then press OK. │

│ │

│ ┌────┐ │

│ │ Ok │ │

│ └────┘ │

│ │

└────────────────────────────────────────────┘

是因为tls的证书缺失需要到服务器端下载所需要的证书到/etc/openldap/cacerts

用到的命令

wget http://172.25.254.254/pub/example-ca.crt

<测试>

getent passwd ldapuser1

如果用户信息可以正常显示证明客户端认成功。

4.自动挂载用户家目录

yum install autofs -y

vim /etc/autofs.master

/home/guests /etc/auto.ldap

vim /etc/auto.ldap

ldapuser1 172.25.254.254:/home/guests/ldapuser1

-----------------------------------------------------

* 172.25.254.254:/home/guests/&

systemctl restart autofs

ldp服务端配置在企业部分讲

####################

client:

[root@desktop15 ~]# grep bash$ /etc/passwd

root:x:0:0:root:/root:/bin/bash

student:x:1000:1000:Student User:/home/student:/bin/bash

[root@desktop15 ~]# getent passwd root

root:x:0:0:root:/root:/bin/bash

[root@desktop15 ~]# getent passwd student

student:x:1000:1000:Student User:/home/student:/bin/bash

[root@desktop15 ~]# getent passwd ldapuser1

[root@desktop15 ~]# getent passwd ldapuser2

[root@desktop15 ~]# getent passwd ldapuser3

[root@desktop15 ~]# yum install sssd krb5-workstation -y

......

>>>

=====方法1=====

[root@desktop15 ~]# authconfig-tui

......

[root@desktop15 ~]# cd /etc/openldap

[root@desktop15 openldap]# ls

cacerts certs ldap.conf

=====方法2=====

[root@desktop15 ~]# cd /etc/openldap

[root@desktop15 openldap]# ls

certs ldap.conf

[root@desktop15 openldap]# mkdir cacerts/

>>>

[root@desktop15 openldap]# cd cacerts/

[root@desktop15 cacerts]# ls

[root@desktop15 cacerts]# wget http://172.25.254.254/pub/example-ca.crt

--2016-11-12 20:35:59-- http://172.25.254.254/pub/example-ca.crt

Connecting to 172.25.254.254:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1220 (1.2K)

Saving to: ‘example-ca.crt’

100%[=================================>] 1,220 --.-K/s in 0s

2016-11-12 20:35:59 (165 MB/s) - ‘example-ca.crt’ saved [1220/1220]

[root@desktop15 cacerts]# ls

example-ca.crt

[root@desktop15 cacerts]# authconfig-tui

......

[root@desktop15 cacerts]# getent passwd ldapuser1

ldapuser1:*:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash

[root@desktop15 cacerts]# su - ldapuser1

su: warning: cannot change directory to /home/guests/ldapuser1: No such file directory

mkdir: cannot create directory '/home/guests': Permission denied

-bash-4.2$ whoami

ldapuser1

-bash-4.2$ pwd

/etc/openldap/cacerts

-bash-4.2$ logout

[root@desktop15 cacerts]# ping cla***oom.example.com

PING cla***oom.example.com (172.25.254.254) 56(84) bytes of data.

64 bytes from cla***oom.example.com (172.25.254.254): icmp_seq=1 ttl=64 time=0.456 ms

64 bytes from cla***oom.example.com (172.25.254.254): icmp_seq=2 ttl=64 time=0.326 ms

......

[root@desktop15 cacerts]# getent passwd ldapuser1

ldapuser1:*:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash

[root@desktop15 cacerts]# getent passwd | grep ldapuser

[root@desktop15 cacerts]# man 5 sssd.conf

--------------------------------------------------

/bool ##with values of “TRUE/FALSE”。bool的取值相当于功能的开关

按"n"向下查找

enumerate (bool) ##枚举

Determines if a domain can be enumerated. This parameter can have

one of the following values:

TRUE = Users and groups are enumerated

FALSE = No enumerations for this domain

Default: FALSE

--------------------------------------------------

[root@desktop15 cacerts]# vim /etc/sssd/sssd.conf

--------------------------------------------------

16 enumerate = True

:wq

--------------------------------------------------

[root@desktop15 cacerts]# systemctl restart sssd.service

[root@desktop15 cacerts]# getent passwd | grep ldapuser

ldapuser10:*:1710:1710:LDAP Test User 10:/home/guests/ldapuser10:/bin/bash

ldapuser11:*:1711:1711:LDAP Test User 11:/home/guests/ldapuser11:/bin/bash

ldapuser12:*:1712:1712:LDAP Test User 12:/home/guests/ldapuser12:/bin/bash

ldapuser13:*:1713:1713:LDAP Test User 13:/home/guests/ldapuser13:/bin/bash

ldapuser14:*:1714:1714:LDAP Test User 14:/home/guests/ldapuser14:/bin/bash

ldapuser15:*:1715:1715:LDAP Test User 15:/home/guests/ldapuser15:/bin/bash

ldapuser16:*:1716:1716:LDAP Test User 16:/home/guests/ldapuser16:/bin/bash

ldapuser17:*:1717:1717:LDAP Test User 17:/home/guests/ldapuser17:/bin/bash

ldapuser18:*:1718:1718:LDAP Test User 18:/home/guests/ldapuser18:/bin/bash

ldapuser19:*:1719:1719:LDAP Test User 19:/home/guests/ldapuser19:/bin/bash

ldapuser20:*:1720:1720:LDAP Test User 20:/home/guests/ldapuser20:/bin/bash

ldapuser0:*:1700:1700:LDAP Test User 0:/home/guests/ldapuser0:/bin/bash

ldapuser1:*:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash

ldapuser2:*:1702:1702:LDAP Test User 2:/home/guests/ldapuser2:/bin/bash

ldapuser3:*:1703:1703:LDAP Test User 3:/home/guests/ldapuser3:/bin/bash

ldapuser4:*:1704:1704:LDAP Test User 4:/home/guests/ldapuser4:/bin/bash

ldapuser5:*:1705:1705:LDAP Test User 5:/home/guests/ldapuser5:/bin/bash

ldapuser6:*:1706:1706:LDAP Test User 6:/home/guests/ldapuser6:/bin/bash

ldapuser7:*:1707:1707:LDAP Test User 7:/home/guests/ldapuser7:/bin/bash

ldapuser8:*:1708:1708:LDAP Test User 8:/home/guests/ldapuser8:/bin/bash

ldapuser9:*:1709:1709:LDAP Test User 9:/home/guests/ldapuser9:/bin/bash

[root@desktop15 cacerts]# yum install autofs -y

......

[root@desktop15 cacerts]# vim /etc/auto.master

--------------------------------------------------

14 /home/guests /etc/auto.ldap

:wq

--------------------------------------------------

[root@desktop15 cacerts]# showmount -e 172.25.254.254

Export list for 172.25.254.254:

/home/guests 172.25.0.0/255.255.0.0

[root@desktop15 cacerts]# vim /etc/auto.ldap

--------------------------------------------------

ldapuser1 172.25.254.254:/home/guests/ldapuser1

:wq

--------------------------------------------------

[root@desktop15 cacerts]# systemctl restart autofs

[root@desktop15 cacerts]# su - ldapuser1

Last login: Sat Nov 12 20:32:55 EST 2016 on pts/0

[ldapuser1@desktop15 ~]# logout

[root@desktop15 cacerts]# vim /etc/auto.ldap

--------------------------------------------------

* 172.25.254.254:/home/guests/&

:wq

--------------------------------------------------

[root@desktop15 cacerts]# systemctl restart autofs

[root@desktop15 cacerts]# systemctl enable autofs

ln -s '/usr/lib/systemd/system/autofs.service' '/etc/systemd/system/multi-user.target.wants/autofs.service'

>注销图形使用ldapuser{0..20}重新登陆desktop0密码均为kerberos

>如果登陆时画面一闪又退回到登陆界面。说明配置有问题请检查配置。

>进入图形表示配置正确

>打开另外一台虚拟机"server15"编写脚本

[root@server15 ~]# authconfig --help |less ##查看命令解释

[root@server15 ~]# vim set-ldap.sh

--------------------------------------------------

#!/bin/bash

echo "install software ing ..."

yum install sssd krb5-workstation autofs -y &> /dev/null

echo "config ldap auth client ing ..."

authconfig \

--enableldap \

--enablekrb5 \

--disableldapauth \

--enableldaptls \

--ldaploadcacert=http://172.25.254.254/pub/example-ca.crt \

--ldapserver="cla***oom.example.com" \

--ldapbasedn="dc=example,dc=com" \

--krb5realm="EXAMPLE.COM" \

--krb5kdc="cla***oom.example.com" \

--krb5adminserver="cla***oom.example.com" \

--enablesssd \

--enablesssdauth \

--update

echo "config ldap user\'s home directory ing ..."

echo /home/guests /etc/auto.ldap >> /etc/auto.master

echo "* 172.25.254.254:/home/guests/&" >> /etc/auto.ldap

systemctl restart autofs

systemctl enable autofs &> /dev/null

echo "all is successfully !!!"

--------------------------------------------------

##编写完脚本authconfig部分的配置使用命令"authconfig-tui"检查同时确保网络畅通。

[root@server15 ~]# chmod +x set-ldap.sh

[root@server15 ~]# ./set-ldap.sh

[root@server15 ~]# getent passwd ldapuser1

ldapuser1:*:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash

>注销图形使用ldapuser{0..20}重新登陆desktop0密码均为kerberos

>如果登陆时画面一闪又退回到登陆界面。说明脚本有问题请检查脚本。

>进入图形表示配置正确

####################

#### vsftpd服务 ####

####################

接11.12的笔记

####################

服务端

[root@server ~]# yum install vsftpd -y

[root@server ~]# systemctl start vsftpd

[root@server ~]# systemctl enable vsftpd

[root@server ~]# firewall-cmd --permanent --add-service=ftp

[root@server ~]# firewall-cmd --reload

##以上输出省略

[root@server ~]# vim /etc/sysconfig/selinux

--------------------------------------------------

7 SELINUX=disabled

:wq

--------------------------------------------------

[root@server ~]# reboot

##等待重启

[root@server ~]# chgrp ftp /var/ftp/pub/

[root@server ~]# chmod 775 /var/ftp/pub/

####################

#<匿名用户使用的用户身份修改>

chown_uploads=YES

chown_username=student

####################

服务端

[root@server ~]# man 5 vsftpd.conf

--------------------------------------------------

chown_uploads

If enabled, all anonymously uploaded files will have the owner‐

ship changed to the user specified in the setting chown_user‐

name. This is useful from an administrative, and perhaps secu‐

rity, standpoint.

Default: NO

chown_username

This is the name of the user who is given ownership of anony‐

mously uploaded files. This option is only relevant if another

option, chown_uploads, is set.

Default: root

--------------------------------------------------

[root@server ~]# vim /etc/vsftpd/vsftpd.conf

--------------------------------------------------

29 anon_upload_enable=YES

48 chown_uploads=YES

49 chown_username=student

:wq

--------------------------------------------------

[root@server ~]# systemctl restart vsftpd

客户端

[root@desktop ~]# yum install lftp -y

[root@desktop ~]# lftp 172.25.50.200

lftp 172.25.50.200:/> cd pub/

lftp 172.25.50.200:/pub> ls

lftp 172.25.50.200:/pub> put /etc/passwd

2005 bytes transferred

lftp 172.25.50.200:/pub> ls

-rw------- 1 1000 50 2005 Nov 18 01:52 passwd

lftp 172.25.50.200:/pub> exit

服务端

[root@server ~]# cd /var/ftp/pub/

[root@server pub]# ll

total 4

-rw-------. 1 student ftp 2005 Nov 17 20:52 passwd

[root@server pub]# rm -fr *

####################

#<最大上传速率>

anon_max_rate=102400

####################

客户端

[root@desktop ~]# dd if=/dev/zero of=/mnt/file bs=1M count=1000

1000+0 records in

1000+0 records out

1048576000 bytes (1.0 GB) copied, 20.4023 s, 51.4 MB/s

[root@desktop ~]# lftp 172.25.50.200

lftp 172.25.50.200:/> cd pub/

lftp 172.25.50.200:/pub> ls

lftp 172.25.50.200:/pub> put /mnt/file

1048576000 bytes transferred in 26 seconds (38.28M/s)

lftp 172.25.50.200:/pub> exit

服务端

[root@server pub]# man 5 vsftpd.conf

--------------------------------------------------

anon_max_rate

The maximum data transfer rate permitted, in bytes per second,

for anonymous clients.

Default: 0 (unlimited)

--------------------------------------------------

[root@server pub]# vim /etc/vsftpd/vsftpd.conf

--------------------------------------------------

30 anon_max_rate=10240000 ##限制为每秒10兆

49 #chown_uploads=YES

50 #chown_username=student

:wq

--------------------------------------------------

[root@server pub]# systemctl restart vsftpd

[root@server pub]# ls

file

[root@server pub]# rm -fr *

客户端

[root@desktop ~]# lftp 172.25.50.200

lftp 172.25.50.200:/> cd pub/

lftp 172.25.50.200:/pub> ls

lftp 172.25.50.200:/pub> put /mnt/file

1048576000 bytes transferred in 102 seconds (9.76M/s)

lftp 172.25.50.200:/pub>

服务端

[root@server pub]# ls

file

[root@server pub]# rm -fr *

####################

#<最大链接数>

max_clients=2

####################

真机

[root@foundation50 Desktop]# lftp 172.25.50.200

lftp 172.25.50.200:~> ls

drwxrwxr-x 2 0 50 17 Nov 18 02:19 pub

lftp 172.25.50.200:~> exit

##虚拟机desktop使用lftp登陆后真机再使用lftp登陆不受影响

服务端

[root@server pub]# man 5 vsftpd.conf

--------------------------------------------------

max_clients

If vsftpd is in standalone mode, this is the maximum number of

clients which may be connected. Any additional clients connect‐

ing will get an error message.

Default: 0 (unlimited)

--------------------------------------------------

[root@server pub]# vim /etc/vsftpd/vsftpd.conf

--------------------------------------------------

30 max_clients=1

:wq

--------------------------------------------------

[root@server pub]# systemctl restart vsftpd

真机

[root@foundation50 Desktop]# lftp 172.25.50.200

lftp 172.25.50.200:~> ls

Interrupt

lftp 172.25.50.200:~> exit

##虚拟机desktop使用lftp登陆后真机再使用lftp登陆无法执行任何操作

####################

2)本地用户设定

local_enable=YES|NO ##本地用户登陆限制

write_enable=YES|NO ##本地用户写权限限制

####################

服务端

[root@server pub]# useradd westos

[root@server pub]# echo westos | passwd westos --stdin

Changing password for user westos.

passwd: all authentication tokens updated successfully.

[root@server pub]# useradd redhat

[root@server pub]# echo redhat | passwd redhat --stdin

Changing password for user redhat.

passwd: all authentication tokens updated successfully.

[root@server pub]# id westos

uid=1001(westos) gid=1001(westos) groups=1001(westos)

[root@server pub]# id redhat

uid=1002(redhat) gid=1002(redhat) groups=1002(redhat)

客户端

lftp 172.25.50.200:/pub> exit

[root@desktop ~]# lftp 172.25.50.200 -u westos

Password:

lftp westos@172.25.50.200:~> ls

lftp westos@172.25.50.200:~> put /etc/passwd

2005 bytes transferred

lftp westos@172.25.50.200:~> ls

-rw-r--r-- 1 1001 1001 2005 Nov 18 02:52 passwd

lftp westos@172.25.50.200:~> exit

服务端

[root@server pub]# cd /home/westos

[root@server westos]# ls

passwd

[root@server westos]# man 5 vsftpd.conf

--------------------------------------------------

local_enable

Controls whether local logins are permitted or not. If enabled,

normal user accounts in /etc/passwd (or wherever your PAM config

references) may be used to log in. This must be enable for any

non-anonymous login to work, including virtual users.

Default: NO

--------------------------------------------------

[root@server westos]# vim /etc/vsftpd/vsftpd.conf

--------------------------------------------------

修改

16 local_enable=NO

删除

30 max_clients=1

--------------------------------------------------

[root@server westos]# systemctl restart vsftpd.service

客户端

[root@desktop ~]# lftp 172.25.50.200 -u westos

Password:

lftp westos@172.25.50.200:~> ls

ls: Login failed: 530 This FTP server is anonymous only.

lftp westos@172.25.50.200:~> exit

服务端

[root@server westos]# man 5 vsftpd.conf

--------------------------------------------------

write_enable

This controls whether any FTP commands which change the filesys‐

tem are allowed or not. These commands are: STOR, DELE, RNFR,

RNTO, MKD, RMD, APPE and SITE.

Default: NO

--------------------------------------------------

[root@server westos]# vim /etc/vsftpd/vsftpd.conf

--------------------------------------------------

16 local_enable=YES

19 write_enable=NO

:wq

--------------------------------------------------

[root@server westos]# systemctl restart vsftpd.service

客户端

[root@desktop ~]# lftp 172.25.50.200 -u westos

Password:

lftp westos@172.25.50.200:~> ls

-rw-r--r-- 1 1001 1001 2005 Nov 18 02:52 passwd

lftp westos@172.25.50.200:~> put /etc/group

put: Access failed: 550 Permission denied. (group)

lftp westos@172.25.50.200:~> exit

####################

#<本地用户家目录修改>

local_root=/directory

####################

服务端

[root@server westos]# man 5 vsftpd.conf

--------------------------------------------------

local_root

This option represents a directory which vsftpd will try to

change into after a local (i.e. non-anonymous) login. Failure is

silently ignored.

Default: (none)

--------------------------------------------------

[root@server westos]# vim /etc/vsftpd/vsftpd.conf

--------------------------------------------------

17 local_root=/etc

20 write_enable=YES

:wq

--------------------------------------------------

[root@server westos]# systemctl restart vsftpd.service

客户端

[root@desktop ~]# lftp 172.25.50.200 -u westos

Password:

lftp westos@172.25.50.200:~> ls

......

lftp westos@172.25.50.200:~> exit

####################

#<本地用户上传文件权限>

local_umask=xxx

####################

服务端

[root@server westos]# man 5 vsftpd.conf

--------------------------------------------------

local_umask

The value that the umask for file creation is set to for local

users. NOTE! If you want to specify octal values, remember the

"0" prefix otherwise the value will be treated as a base 10

integer!

Default: 077

--------------------------------------------------

[root@server westos]# vim /etc/vsftpd/vsftpd.conf

--------------------------------------------------

删除

17 local_root=/etc

修改

23 local_umask=077 ##原来是022

:wq

--------------------------------------------------

[root@server westos]# systemctl restart vsftpd.service

客户端

[root@desktop ~]# lftp 172.25.50.200 -u westos

Password:

lftp westos@172.25.50.200:~> put /etc/group

850 bytes transferred

lftp westos@172.25.50.200:~> ls

-rw------- 1 1001 1001 850 Nov 18 03:16 group

-rw-r--r-- 1 1001 1001 2005 Nov 18 02:52 passwd

lftp westos@172.25.50.200:~> exit

####################

#<限制本地用户浏览/目录>

所有用户被锁定到自己的家目录中

chroot_local_user=YES

chmod u-w /home/*

####################

[root@desktop ~]# lftp 172.25.50.200 -u redhat

Password:

lftp redhat@172.25.50.200:~> ls

lftp redhat@172.25.50.200:~> cd /

cd ok, cwd=/

lftp redhat@172.25.50.200:/> ls

lrwxrwxrwx 1 0 0 7 May 07 2014 bin -> usr/bin

dr-xr-xr-x 4 0 0 4096 Jul 10 2014 boot

drwxr-xr-x 18 0 0 2800 Nov 18 01:00 dev

drwxr-xr-x 134 0 0 8192 Nov 18 02:51 etc

drwxr-xr-x 5 0 0 46 Nov 18 02:44 home

lrwxrwxrwx 1 0 0 7 May 07 2014 lib -> usr/lib

lrwxrwxrwx 1 0 0 9 May 07 2014 lib64 -> usr/lib64

drwxr-xr-x 2 0 0 6 Mar 13 2014 media

drwxr-xr-x 2 0 0 6 Nov 18 02:19 mnt

drwxr-xr-x 3 0 0 15 Jul 10 2014 opt

dr-xr-xr-x 131 0 0 0 Nov 18 00:59 proc

dr-xr-x--- 14 0 0 4096 Nov 18 03:19 root

drwxr-xr-x 35 0 0 1140 Nov 18 02:33 run

lrwxrwxrwx 1 0 0 8 May 07 2014 sbin -> usr/sbin

drwxr-xr-x 2 0 0 6 Mar 13 2014 srv

dr-xr-xr-x 13 0 0 0 Nov 18 00:59 sys

drwxrwxrwt 10 0 0 4096 Nov 18 02:33 tmp

drwxr-xr-x 13 0 0 4096 May 07 2014 usr

drwxr-xr-x 23 0 0 4096 Nov 18 00:59 var

lftp redhat@172.25.50.200:/> exit

服务端

[root@server westos]# man 5 vsftpd.conf

--------------------------------------------------

chroot_local_user

If set to YES, local users will be (by default) placed in a

chroot() jail in their home directory after login. Warning:

This option has security implications, especially if the users

have upload permission, or shell access. Only enable if you know

what you are doing. Note that these security implications are

not vsftpd specific. They apply to all FTP daemons which offer

to put local users in chroot() jails.

Default: NO

--------------------------------------------------

[root@server westos]# vim /etc/vsftpd/vsftpd.conf

--------------------------------------------------

101 chroot_local_user=YES

:wq

--------------------------------------------------

[root@server westos]# systemctl restart vsftpd.service

客户端

[root@desktop ~]# lftp 172.25.50.200 -u redhat

Password:

lftp redhat@172.25.50.200:~> ls

ls: Login failed: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()

lftp redhat@172.25.50.200:~> cd /

cd: Login failed: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()

lftp redhat@172.25.50.200:~> exit

服务端

[root@server westos]# ll /home

total 4

drwx------. 4 redhat redhat 88 Nov 17 21:44 redhat

drwx------. 4 student student 84 Jul 10 2014 student

drwx------. 4 westos westos 4096 Nov 17 22:16 westos

[root@server westos]# chmod u-w /home/*

[root@server westos]# ll /home

total 4

dr-x------. 4 redhat redhat 88 Nov 17 21:44 redhat

dr-x------. 4 student student 84 Jul 10 2014 student

dr-x------. 4 westos westos 4096 Nov 17 22:16 westos

客户端

[root@desktop ~]# lftp 172.25.50.200 -u redhat

Password:

lftp redhat@172.25.50.200:~> ls

lftp redhat@172.25.50.200:/> cd /

lftp redhat@172.25.50.200:/> ls

lftp redhat@172.25.50.200:/> exit

[root@desktop ~]# lftp 172.25.50.200 -u westos

Password:

lftp westos@172.25.50.200:~> ls

-rw------- 1 1001 1001 850 Nov 18 03:16 group

-rw-r--r-- 1 1001 1001 2005 Nov 18 02:52 passwd

lftp westos@172.25.50.200:/> cd /

lftp westos@172.25.50.200:/> ls

-rw------- 1 1001 1001 850 Nov 18 03:16 group

-rw-r--r-- 1 1001 1001 2005 Nov 18 02:52 passwd

lftp westos@172.25.50.200:/> exit

####################

用户黑名单建立

chroot_local_user=NO

chroot_list_enable=YES

chroot_list_file=/etc/vsftpd/chroot_list

用户白名单建立

chroot_local_user=YES

chroot_list_enable=YES

chroot_list_file=/etc/vsftpd/chroot_list

####################

服务端

[root@server westos]# man 5 vsftpd.conf

--------------------------------------------------

chroot_list_enable

If activated, you may provide a list of local users who are

placed in a chroot() jail in their home directory upon login.

The meaning is slightly different if chroot_local_user is set to

YES. In this case, the list becomes a list of users which are

NOT to be placed in a chroot() jail. By default, the file con‐

taining this list is /etc/vsftpd/chroot_list, but you may over‐

ride this with the chroot_list_file setting.

Default: NO

chroot_list_file

The option is the name of a file containing a list of local

users which will be placed in a chroot() jail in their home

directory. This option is only relevant if the option

chroot_list_enable is enabled. If the option chroot_local_user

is enabled, then the list file becomes a list of users to NOT

place in a chroot() jail.

Default: /etvsftpd.confc/vsftpd.chroot_list

--------------------------------------------------

[root@server westos]# vim /etc/vsftpd/vsftpd.conf

--------------------------------------------------

102 chroot_list_enable=YES

104 chroot_list_file=/etc/vsftpd/chroot_list

:wq

--------------------------------------------------

[root@server westos]# systemctl restart vsftpd.service

客户端

[root@desktop ~]# lftp 172.25.50.200 -u westos

Password:

lftp westos@172.25.50.200:~> ls

ls: Login failed: 500 OOPS: could not read chroot() list file:/etc/vsftpd/chroot_list

lftp westos@172.25.50.200:~> cd /

cd: Login failed: 500 OOPS: could not read chroot() list file:/etc/vsftpd/chroot_list

lftp westos@172.25.50.200:~> exit

服务端

[root@server westos]# ll /etc/vsftpd/chroot_list

ls: cannot access /etc/vsftpd/chroot_list: No such file or directory

[root@server westos]# touch /etc/vsftpd/chroot_list

客户端

[root@desktop ~]# lftp 172.25.50.200 -u westos

Password:

lftp westos@172.25.50.200:~> ls

-rw------- 1 1001 1001 850 Nov 18 03:16 group

-rw-r--r-- 1 1001 1001 2005 Nov 18 02:52 passwd

lftp westos@172.25.50.200:/> cd /

lftp westos@172.25.50.200:/> ls

-rw------- 1 1001 1001 850 Nov 18 03:16 group

-rw-r--r-- 1 1001 1001 2005 Nov 18 02:52 passwd

lftp westos@172.25.50.200:/> exit

服务端

[root@server westos]# vim /etc/vsftpd/chroot_list

--------------------------------------------------

westos

:wq

--------------------------------------------------

客户端

[root@desktop ~]# lftp 172.25.50.200 -u westos

Password:

lftp westos@172.25.50.200:~> ls

-rw------- 1 1001 1001 850 Nov 18 03:16 group

-rw-r--r-- 1 1001 1001 2005 Nov 18 02:52 passwd

lftp westos@172.25.50.200:~> cd /

cd ok, cwd=/

lftp westos@172.25.50.200:/> ls

lrwxrwxrwx 1 0 0 7 May 07 2014 bin -> usr/bin

dr-xr-xr-x 4 0 0 4096 Jul 10 2014 boot

drwxr-xr-x 18 0 0 2800 Nov 18 01:00 dev

drwxr-xr-x 134 0 0 8192 Nov 18 02:51 etc

drwxr-xr-x 5 0 0 46 Nov 18 02:44 home

lrwxrwxrwx 1 0 0 7 May 07 2014 lib -> usr/lib

lrwxrwxrwx 1 0 0 9 May 07 2014 lib64 -> usr/lib64

drwxr-xr-x 2 0 0 6 Mar 13 2014 media

drwxr-xr-x 2 0 0 6 Nov 18 02:19 mnt

drwxr-xr-x 3 0 0 15 Jul 10 2014 opt

dr-xr-xr-x 131 0 0 0 Nov 18 00:59 proc

dr-xr-x--- 14 0 0 4096 Nov 18 03:48 root

drwxr-xr-x 35 0 0 1140 Nov 18 02:33 run

lrwxrwxrwx 1 0 0 8 May 07 2014 sbin -> usr/sbin

drwxr-xr-x 2 0 0 6 Mar 13 2014 srv

dr-xr-xr-x 13 0 0 0 Nov 18 00:59 sys

drwxrwxrwt 10 0 0 4096 Nov 18 03:42 tmp

drwxr-xr-x 13 0 0 4096 May 07 2014 usr

drwxr-xr-x 23 0 0 4096 Nov 18 00:59 var

lftp westos@172.25.50.200:/> exit

[root@desktop ~]# lftp 172.25.50.200 -u redhat

Password:

lftp redhat@172.25.50.200:~> ls

lftp redhat@172.25.50.200:/> cd /

lftp redhat@172.25.50.200:/> ls

lftp redhat@172.25.50.200:/> exit

服务端

[root@server westos]# vim /etc/vsftpd/vsftpd.conf

--------------------------------------------------

101 chroot_local_user=NO

:wq

--------------------------------------------------

[root@server westos]# systemctl restart vsftpd.service

客户端

[root@desktop ~]# lftp 172.25.50.200 -u westos

Password:

lftp westos@172.25.50.200:~> ls

-rw------- 1 1001 1001 850 Nov 18 03:16 group

-rw-r--r-- 1 1001 1001 2005 Nov 18 02:52 passwd

lftp westos@172.25.50.200:/> cd /

lftp westos@172.25.50.200:/> ls

-rw------- 1 1001 1001 850 Nov 18 03:16 group

-rw-r--r-- 1 1001 1001 2005 Nov 18 02:52 passwd

lftp westos@172.25.50.200:/> exit

[root@desktop ~]# lftp 172.25.50.200 -u redhat

Password:

lftp redhat@172.25.50.200:~> ls

lftp redhat@172.25.50.200:~> cd /

cd ok, cwd=/

lftp redhat@172.25.50.200:/> ls

lrwxrwxrwx 1 0 0 7 May 07 2014 bin -> usr/bin

dr-xr-xr-x 4 0 0 4096 Jul 10 2014 boot

drwxr-xr-x 18 0 0 2800 Nov 18 01:00 dev

drwxr-xr-x 134 0 0 8192 Nov 18 02:51 etc

drwxr-xr-x 5 0 0 46 Nov 18 02:44 home

lrwxrwxrwx 1 0 0 7 May 07 2014 lib -> usr/lib

lrwxrwxrwx 1 0 0 9 May 07 2014 lib64 -> usr/lib64

drwxr-xr-x 2 0 0 6 Mar 13 2014 media

drwxr-xr-x 2 0 0 6 Nov 18 02:19 mnt

drwxr-xr-x 3 0 0 15 Jul 10 2014 opt

dr-xr-xr-x 131 0 0 0 Nov 18 00:59 proc

dr-xr-x--- 14 0 0 4096 Nov 18 03:56 root

drwxr-xr-x 35 0 0 1140 Nov 18 02:33 run

lrwxrwxrwx 1 0 0 8 May 07 2014 sbin -> usr/sbin

drwxr-xr-x 2 0 0 6 Mar 13 2014 srv

dr-xr-xr-x 13 0 0 0 Nov 18 00:59 sys

drwxrwxrwt 10 0 0 4096 Nov 18 03:42 tmp

drwxr-xr-x 13 0 0 4096 May 07 2014 usr

drwxr-xr-x 23 0 0 4096 Nov 18 00:59 var

lftp redhat@172.25.50.200:/> exit

####################

#<限制本地用户登陆>

vim /etc/vsftpd/ftpusers ##用户永久黑名单

vim /etc/vsftpd/user_list ##用户临时黑名单

如果用户不设定密码就会被冻结禁止登陆

####################

服务端

[root@server westos]# cd /etc/vsftpd/

[root@server vsftpd]# ls

chroot_list ftpusers user_list vsftpd.conf vsftpd_conf_migrate.sh

[root@server vsftpd]# vim ftpusers

--------------------------------------------------

在最后添加

westos

:wq

--------------------------------------------------

客户端

[root@desktop ~]# lftp 172.25.50.200 -u westos

Password:

lftp westos@172.25.50.200:~> ls

ls: Login failed: 530 Login incorrect. ##直接提示登陆不正确

lftp westos@172.25.50.200:~> exit

[root@desktop ~]# lftp 172.25.50.200 -u redhat

Password:

lftp redhat@172.25.50.200:~> ls

lftp redhat@172.25.50.200:~> exit

服务端

[root@server vsftpd]# vim ftpusers

--------------------------------------------------

删除

westos

:wq

--------------------------------------------------

[root@server vsftpd]# vim user_list

--------------------------------------------------

在最后添加

westos

:wq

--------------------------------------------------

客户端

[root@desktop ~]# lftp 172.25.50.200 -u westos

Password:

lftp westos@172.25.50.200:~> ls

ls: Login failed: 530 Permission denied.

lftp westos@172.25.50.200:~> exit

[root@desktop ~]# lftp 172.25.50.200 -u redhat

Password:

lftp redhat@172.25.50.200:~> ls

lftp redhat@172.25.50.200:~> exit

####################

用户白名单设定

userlist_deny=NO

/etc/vsftpd/user_list ##参数设定此文件变成用户白名单只在名单中出现的用户可以登陆ftp

####################

服务端

[root@server vsftpd]# man 5 vsftpd.conf

--------------------------------------------------

userlist_deny

This option is examined if userlist_enable is activated. If you

set this setting to NO, then users will be denied login unless

they are explicitly listed in the file specified by

userlist_file. When login is denied, the denial is issued

before the user is asked for a password.

Default: YES

--------------------------------------------------

[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf

--------------------------------------------------

128 userlist_deny=NO

:wq

--------------------------------------------------

[root@server vsftpd]# systemctl restart vsftpd.service

客户端

[root@desktop ~]# lftp 172.25.50.200 -u westos

Password:

lftp westos@172.25.50.200:~> ls

-rw------- 1 1001 1001 850 Nov 18 03:16 group

-rw-r--r-- 1 1001 1001 2005 Nov 18 02:52 passwd

lftp westos@172.25.50.200:/> exit

[root@desktop ~]# lftp 172.25.50.200 -u redhat

Password:

lftp redhat@172.25.50.200:~> ls

ls: Login failed: 530 Permission denied.

lftp redhat@172.25.50.200:~> exit

####################

#<ftp虚拟用户的设定>

创建虚拟帐号身份)

vim /etc/vsftpd/loginusers ##文件名称任意

ftpuser1

123

ftpuser2

123

ftpuser3

123

db_load -T -t hash -f /etc/vsftpd/loginusers loginusers.db

-T ##表示转换

-t ##指定加密方式

vim /etc/pam.d/ckvsftpd ##文件名称任意

account required pam_userdb.so db=/etc/vsftpd/loginusers

auth required pam_userdb.so db=/etc/vsftpd/loginusers

vim /etc/vsftpd/vsftpd.conf

pam_service_name=ckvsftpd

guest_enable=YES

虚拟帐号身份指定

guest_username=ftpuser

chmod u-w /home/ftpuser

虚拟用户只在ftp上是本地用户

####################

服务端

[root@server vsftpd]# vim /etc/vsftpd/userfile

--------------------------------------------------

westos1

123

westos2

123

westos3

123

:wq

--------------------------------------------------

[root@server vsftpd]# db_load -T -t hash -f userfile userfile.db

[root@server vsftpd]# ls

chroot_list userfile user_list vsftpd_conf_migrate.sh

ftpusers userfile.db vsftpd.conf

[root@server vsftpd]# rm -fr userfile

[root@server vsftpd]# cat userfile.db

D@&эh^123westos2

[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf

--------------------------------------------------

发现

126 pam_service_name=vsftpd

--------------------------------------------------

[root@server vsftpd]# cat /etc/pam.d/vsftpd

#%PAM-1.0

session optional pam_keyinit.so force revoke

auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed

auth required pam_shells.so

auth include password-auth

account include password-auth

session required pam_loginuid.so

session include password-auth

[root@server vsftpd]# find /usr -name pam_userdb.so

/usr/lib64/security/pam_userdb.so

[root@server vsftpd]# vim /etc/pam.d/westos

--------------------------------------------------

account required pam_userdb.so db=/etc/vsftpd/userfile

auth required pam_userdb.so db=/etc/vsftpd/userfile

--------------------------------------------------

[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf

--------------------------------------------------

修改

126 pam_service_name=westos

删除

128 userlist_deny=NO

添加

129 guest_enable=YES

130 guest_username=ftp ##默认就是ftp

:wq

--------------------------------------------------

[root@server vsftpd]# systemctl restart vsftpd.service

客户端

[root@desktop ~]# lftp 172.25.50.200 -u westos1

Password:

lftp westos1@172.25.50.200:/> cd pub/

lftp westos1@172.25.50.200:/pub> ls

lftp westos1@172.25.50.200:/pub> put /etc/passwd

2005 bytes transferred

lftp westos1@172.25.50.200:/pub> ls

-rw------- 1 14 50 2005 Nov 18 08:14 passwd

lftp westos1@172.25.50.200:/pub> exit

[root@desktop ~]# lftp 172.25.50.200 -u westos2

Password:

lftp westos2@172.25.50.200:~> ls

drwxrwxr-x 2 0 50 19 Nov 18 08:38 pub

lftp westos2@172.25.50.200:/> exit

[root@desktop ~]# lftp 172.25.50.200 -u westos3

Password:

lftp westos3@172.25.50.200:~> ls

drwxrwxr-x 2 0 50 19 Nov 18 08:38 pub

lftp westos3@172.25.50.200:/> exit

####################

虚拟帐号家目录独立设定

vim /etc/vsftpd/vsftpd.conf

local_root=/ftpuserhome/$USER

user_sub_token=$USER

####################

服务端

[root@server vsftpd]# mkdir /ftp/westos1 -p

[root@server vsftpd]# mkdir /ftp/westos2 -p

[root@server vsftpd]# mkdir /ftp/westos3 -p

[root@server vsftpd]# touch /ftp/westos1/file1

[root@server vsftpd]# touch /ftp/westos2/file2

[root@server vsftpd]# touch /ftp/westos3/file3

[root@server vsftpd]# echo $USER

root

[root@server vsftpd]# su - student

[student@server ~]$ echo $USER

student

[student@server ~]$ exit

logout

[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf

--------------------------------------------------

131 local_root=/ftp/$USER

132 user_sub_token=$USER

:wq

--------------------------------------------------

[root@server vsftpd]# systemctl restart vsftpd.service

客户端

[root@desktop ~]# lftp 172.25.50.200 -u westos1

Password:

lftp westos1@172.25.50.200:~> ls

-rw-r--r-- 1 0 0 0 Nov 18 08:50 file1

lftp westos1@172.25.50.200:/> exit

[root@desktop ~]# lftp 172.25.50.200 -u westos2

Password:

lftp westos2@172.25.50.200:~> ls

-rw-r--r-- 1 0 0 0 Nov 18 09:01 file2

lftp westos2@172.25.50.200:/> exit

[root@desktop ~]# lftp 172.25.50.200 -u westos3

Password:

lftp westos3@172.25.50.200:~> ls

-rw-r--r-- 1 0 0 0 Nov 18 09:01 file3

lftp westos3@172.25.50.200:/> exit

####################

转载于:https://blog.51cto.com/shichao/1874437

你可能感兴趣的文章

Windows Server 2012 存储去重

查看>>

小米手机M1和华为Honor荣耀U8860手机深入比较

查看>>

java.lang.NoClassDefFoundError

查看>>

应一些朋友要求发下Caffe 怎么安装 CPU环境 ubuntu脚本（记录可用的）

查看>>

VC中窗口ID，句柄，指针三者相互转换函数

安装imagick扩展中出现了segmention fault解决的过程

查看>>

阿里巴巴Java开发手册

查看>>

redis配置文件redis.conf详细说明

查看>>

（七）Flask 学习 —— 单元测试

查看>>

Web前端规范--Javascript规范

TypeError: s[y] is not a function 表单提交错误

查看>>

java使用nircmd代替cmd解决管理员权限问题

查看>>