iptables/netfilter


pop3s: 995/tcp

smtps: 465/tcp

Name Resolve: Username --> UID, Group --> GID,Service Name --> PORT, Hostname --> IP

  Username --> UID: /etc/passwd

  Hostname --> IP: DNS, /etc/hosts

  Service Name --> Ports: /etc/services, MySQL: services,ports

    Each data storage format needs its own parsing library, and different parsing libraries need different query methods

  nsswitch

S/MIME

  Openssl, GPG(PGP)

maildrop: MDA, Courier, mail delivery


FTP: File Transfer Protocol

  21/tcp:

File sharing services: application layer, ftp

  NFS: Network File System (RPC: Remote Procedure Call) (can carry data in a binary format)

  Samba: CIFS/SMB,

FTP: tcp, two connections

  Command connection (control connection): 21/tcp

  Data connection:

    Active mode: 20/tcp

    Passive mode: random port

  Data transfer modes (chosen automatically):

    Binary:
    Text:
    ftp server --> ftp client

This is a test file. -->

Structured data

Semi-structured data

Unstructured data

Text, binary
  html,

  mp3,jpeg
  html,

  mp3,jpeg

Server-side programs:

  wu ftpd:

  vsftpd: Very Secure ftp Daemon

  proftpd:

  pureftpd

  filezilla

  Serv-U

Client programs:

  CLI:

    ftp

    lftp

  GUI:

    gftp

    flashFXP

    Cuteftp

    Filezilla

vsftpd:

  /etc/vsftpd: configuration file directory

  /etc/init.d/vsftpd: service script

  /usr/sbin/vsftpd: main program

User authentication via PAM:

  /etc/pam.d/*

  /lib/security/*

  /lib64/security/*

  Virtual users are supported

vsftpd: (ftp, ftp)

  /var/ftp: no user other than root may have write permission

Upload and download:

FTP needs two connections. First the client sends a request and the server responds; as long as the client does not disconnect, this connection stays up for a long time. It is unlike HTTP, which supports persistent connections but also has a timeout; FTP supports timeouts too, but that is a separate matter. The FTP protocol is stateless, yet once a client has connected, unless someone has deliberately configured an idle timeout, the connection stays online. This connection does not itself carry data. How does FTP share data? Choose a directory on the server, put many files in it, and start a server process there; to accept client requests it must listen on some socket. When a client sends a request, the server checks whether the data exists; if the requested file exists, it has to be transferred to the client. How is it transferred? Whenever data must move between server and client, the server opens another connection rather than reusing the existing one, and completes the transfer to the client over it. From this point of view the first connection is called the control connection, or command connection, and the second the data connection. The command connection stays up the whole time; a data connection is opened only when the client asks to download data, as required and on demand; when the file transfer finishes, that connection is closed; downloading another file opens another data connection, which is closed again, and so on. Data connections are opened on demand and closed on demand.

Like HTTP, FTP is a text protocol and accepts text commands. Any text protocol can be driven with telnet, but that is rarely done with FTP: it is a dedicated protocol with dedicated clients, in the C/S style. Such a client can send the server many FTP commands, for example get, mget, put, mput, cd, ls and so on. These resemble the commands used to manage local files, covering viewing files, creating directories, creating files, deleting files, deleting directories and so on. Every one of these commands is sent by the client to the server, where the server process interprets it to carry out the requested operation. The requests are issued by the client process and travel over the command connection; the server receives them, checks whether the client has the permission in question, and executes them locally. So this connection exists specifically to receive the commands a user sends and to check whether they may be executed. When the client issues get followed by a file name, it is asking to download that file; the server then begins the transfer by opening a data connection.

On which port does the data connection transfer the file? Under TCP/IP any session, once established, needs ports to identify the communication between two processes on two hosts, so it must be based on sockets. The question is which port the data connection listens on, since without listening there is nothing to connect to. The control connection listens on TCP port 21. The data connection works in one of two modes, depending on who initiates the data transfer request, that is, which side actively establishes the data connection. Generally the server works on TCP port 20: when the client asks to download data, the server actively connects from its own port 20 to the client. To which client port? The client's ports are random. Suppose the client used port 2001 and the server port 21; when the server actively connects from port 20 to the client, it connects to the client's port 2002. This is FTP's working mechanism: the FTP client is allowed to open such a port to receive the server's request. If port 2002 on the client is already in use, it uses 2003, and so on, looking for a free port to accept the server's request. The connection is then established and the server can transfer data. From the server's point of view this is an active connection (active and passive are generally described from the server's point of view): the server listens on TCP port 20, i.e. the FTP server uses its own port 20 to actively connect to the client.

There is also passive mode, because active mode has a drawback: firewalls have to be considered. Clients nowadays add firewalls for "security", and a client behind such a firewall lets no request in, only its own outgoing requests and the responses to them. When the server actively connects to port 2002, the client's firewall keeps it out. By the book this is correct: the connection does not come in through the same door, so the firewall should not let it through. For the client this is therefore not an ideal model, since the connection may well be shut out, and that led to passive mode. In passive mode, when the client wants to transfer data, the server does not push the data to the client directly; it still sends a message over the command connection that tells the client "I have opened a port, come and connect to me." Now the client cannot connect to port 20 and the server does not work on port 20 either, because the server is now the passive side. The client uses its own port 2002 to connect to the new port the server announced. The server announces the new port by sending a pair of numbers, for example 151 and 20: from these two numbers the client knows which port the server is listening on, 151*256+20. So the server opens a random port and waits for the client to connect; it no longer works on port 20 at all, because this is passive mode. The client then actively connects from port 2002 to the server. From the client's point of view it initiated the connection, anything outgoing is always allowed, so the client's firewall will not block this request, and the server's response, being a reply to the client's request, should be let through too. That is passive mode: in passive mode the server listens on a random port.

This raises another problem: what if the server has a firewall? So far only the client's firewall has been considered, but it is really the server that should have one. Suppose it opens only port 21 (and port 20): the other side no longer reaches port 20; it is told a random port and connects to that, so which ports should the server open? Each client download request is given a different random port, generally above 1023; this varies between operating systems, and on BSD systems it is generally above 5000. That would mean opening every port above 5000 so that each client request can get in, and if every port is opened the firewall has no meaning, so clearly opening every port on the server is not ideal either. Firewalls today have a feature called connection tracking: the firewall process can itself work out the relationships between connections. For example, responses to requests we sent out are allowed, while new requests from others are not. How does the firewall know which is a new request and which is a response to ours? It can follow, starting from a user's connection request, the characteristics of that request and its response; this capability is called connection tracking, and it recognises the relationship between a request, its response and the connection itself. A request and its response form one such relationship. A new request from a client is in the new-request state: the first step of the TCP/IP handshake is generally called the NEW state, meaning a freshly initiated connection request, while the server's reply that establishes the connection is called ESTABLISHED. A data connection can be opened only after the client has requested it: if the command connection were not open and only a data connection were opened, with the client never having issued a get, yet data were already being transferred, that would be impossible. So every data connection is necessarily associated with some command connection, even though they are two independent connections, and this relationship between the two is called RELATED. The firewall can track whether connections are related to one another and, whatever port is accessed, let related ones through. That is the relationship between FTP's active and passive modes and the firewall;
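The passive-mode port arithmetic and the NEW/RELATED states described above, as an added example that is not part of these notes: a small Python model of how a stateful firewall (netfilter with its FTP helper) reads the PASV reply or PORT command on the control connection, computes p1*256+p2, and then marks the matching data-connection SYN as RELATED while anything unannounced stays NEW. The addresses and the 151,20 pair come from the notes; the class and function names are this example's own. The check that the announced address equals the control-connection peer mirrors vsftpd's default PASV/PORT address checks (pasv_promiscuous and port_promiscuous are NO unless changed).

```python
# Added example (not from the notes): a model of how a stateful firewall such
# as netfilter with its FTP helper relates a data connection to the control
# connection that announced it.  Class and function names are this example's own.
import re

# Server's PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# Client's active-mode request: "PORT h1,h2,h3,h4,p1,p2"
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_hostport(fields):
    """FTP carries the address as four decimal bytes and the port as two:
    port = p1*256 + p2, the same 151*256+20 arithmetic as in the notes."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if not all(0 <= b <= 255 for b in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("byte out of range in host/port field")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpConntrack:
    """Tracks open control connections and the data connections they announce."""

    def __init__(self):
        self.control = set()   # (client, server) pairs with an open control channel
        self.expected = []     # data connections announced over a control channel

    def control_opened(self, client, server):
        self.control.add((client, server))

    def inspect_control_line(self, client, server, line):
        """Read one control-channel line and register the data connection it
        announces.  Returns (mode, host, port), or None for any other line.
        The announced host must be the peer that sent it; a reply or command
        naming a third host is refused, as vsftpd does by default."""
        if (client, server) not in self.control:
            raise ValueError("control line for a connection that was never opened")
        m = PASV_RE.match(line)
        if m:
            host, port = decode_hostport(m.groups())
            if host != server:
                raise ValueError("PASV reply names a host other than the server")
            self.expected.append(("passive", client, server, port))  # client -> server:port
            return "passive", host, port
        m = PORT_RE.match(line)
        if m:
            host, port = decode_hostport(m.groups())
            if host != client:
                raise ValueError("PORT command names a host other than the client")
            self.expected.append(("active", client, server, port))   # server:20 -> client:port
            return "active", host, port
        return None

    def classify_syn(self, src, sport, dst, dport):
        """State a conntrack-style firewall assigns to a new TCP SYN: RELATED if
        a control channel announced it, otherwise NEW.  A default-deny INPUT
        chain that accepts only NEW on port 21 plus RELATED/ESTABLISHED then
        lets the data connection through without opening a port range."""
        for entry in self.expected:
            mode, client, server, port = entry
            if mode == "passive" and (src, dst, dport) == (client, server, port):
                self.expected.remove(entry)
                return "RELATED"
            if mode == "active" and (src, sport, dst, dport) == (server, 20, client, port):
                self.expected.remove(entry)
                return "RELATED"
        return "NEW"


if __name__ == "__main__":
    # Constructed walk-through using the notes' addresses and the PASV reply seen later.
    c, s = "172.16.100.254", "172.16.100.1"
    tracker = FtpConntrack()
    tracker.control_opened(c, s)
    print(tracker.inspect_control_line(c, s, "227 Entering Passive Mode (172,16,100,1,53,186)"))
    print(tracker.classify_syn(c, 2002, s, 53 * 256 + 186))   # RELATED
    print(tracker.classify_syn(c, 2003, s, 53 * 256 + 186))   # NEW: expectation already used
```

Each expectation is consumed by the first matching SYN, so a second connection to the same port is NEW again; that is the behaviour a firewall relies on when it accepts RELATED data connections while keeping every other port closed.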

mail:

ftp: system users

  Anonymous user --> system user: anonymous_enable

  System users: local_enable

  Virtual users --> system user

/var/ftp: home directory of the ftp user

  Directory that anonymous users access

chroot: switch the user's root directory, confining the user to its home directory;

System users:

  write_enable=YES: upload files

File service permissions: filesystem permissions * share permissions (both must allow an operation)

[root@localhost ~]# grep ftp /etc/services(show only the ftp-related entries of the services file)
ftp-data	20/tcp
ftp-data	20/udp
# 21 is registered to ftp, but also used by fsp
ftp		21/tcp
ftp		21/udp		fsp fspd
tftp		69/tcp
tftp		69/udp
sftp		115/tcp
sftp		115/udp
tftp-mcast	1758/tcp
tftp-mcast	1758/udp
mtftp		1759/udp
venus-se	2431/udp			# udp sftp side effect
codasrv-se	2433/udp			# udp sftp side effectQ
ni-ftp		47/tcp				# NI FTP
ni-ftp		47/udp				# NI FTP
bftp		152/tcp				# Background File Transfer Program
bftp		152/udp				# Background File Transfer Program
softpc		215/tcp				# Insignia Solutions
softpc		215/udp				# Insignia Solutions
subntbcst_tftp	247/tcp				# SUBNTBCST_TFTP
subntbcst_tftp	247/udp				# SUBNTBCST_TFTP
mftp		349/tcp				# mftp
mftp		349/udp				# mftp
ftp-agent	574/tcp				# FTP Software Agent System
ftp-agent	574/udp				# FTP Software Agent System
pftp		662/tcp				# PFTP
pftp		662/udp				# PFTP
ftps-data	989/tcp				# ftp protocol, data, over TLS/SSL
ftps-data	989/udp				# ftp protocol, data, over TLS/SSL
ftps		990/tcp				# ftp protocol, control, over TLS/SSL
ftps		990/udp				# ftp protocol, control, over TLS/SSL
etftp		1818/tcp			# Enhanced Trivial File Transfer Protocol
etftp		1818/udp			# Enhanced Trivial File Transfer Protocol
utsftp		2529/tcp			# UTS FTP
utsftp		2529/udp			# UTS FTP
aaftp		2794/tcp			# aaftp
aaftp		2794/udp			# aaftp
gsiftp		2811/tcp			# GSI FTP
gsiftp		2811/udp			# GSI FTP
odette-ftp	3305/tcp			# ODETTE-FTP
odette-ftp	3305/udp			# ODETTE-FTP
tftps		3713/tcp			# TFTP over TLS
tftps		3713/udp			# TFTP over TLS
exasoftport1	3920/tcp			# Exasoft IP Port
exasoftport1	3920/udp			# Exasoft IP Port
kftp-data	6620/tcp			# Kerberos V5 FTP Data
kftp-data	6620/udp			# Kerberos V5 FTP Data
kftp		6621/tcp			# Kerberos V5 FTP Control
kftp		6621/udp			# Kerberos V5 FTP Control
[root@Smoke ~]# wget ftp://172.16.0.1/pub/gls/server.repo -O /etc/yum.repos.d/server.repo(download server.repo from the ftp server; -O saves it as /etc/yum.repos.d/server.repo)
[root@Smoke ~]# yum -y install vsftpd(install vsftpd with yum; -y answers yes to every prompt)
[root@Smoke ~]# rpm -ql vsftpd(list the files installed by the vsftpd package)
/etc/logrotate.d/vsftpd.log(log rotation configuration)
/etc/pam.d/vsftpd(PAM configuration for user authentication)
/etc/rc.d/init.d/vsftpd(service control script)
/etc/vsftpd(configuration directory)
/etc/vsftpd/ftpusers(login control file)
/etc/vsftpd/user_list(login control file)
/etc/vsftpd/vsftpd.conf(main configuration file)
/etc/vsftpd/vsftpd_conf_migrate.sh(script)
/usr/sbin/vsftpd(main program)
/usr/share/doc/vsftpd-2.0.5
/usr/share/doc/vsftpd-2.0.5/AUDIT
/usr/share/doc/vsftpd-2.0.5/BENCHMARKS
/usr/share/doc/vsftpd-2.0.5/BUGS
/usr/share/doc/vsftpd-2.0.5/COPYING
/usr/share/doc/vsftpd-2.0.5/Changelog
/usr/share/doc/vsftpd-2.0.5/EXAMPLE
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE/README
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE/vsftpd.conf
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE/vsftpd.xinetd
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE/vsftpd.xinetd.dir
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE_NOINETD
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE_NOINETD/README
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE_NOINETD/README.dir
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/INTERNET_SITE_NOINETD/vsftpd.conf
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/PER_IP_CONFIG
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/PER_IP_CONFIG/README
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/PER_IP_CONFIG/README.dir
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/PER_IP_CONFIG/hosts.allow
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/PER_IP_CONFIG/hosts.allow.dir
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/README
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_HOSTS
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_HOSTS/README
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS/README
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS/README.dir
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS/logins.txt
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS/vsftpd.conf
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS/vsftpd.pam
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS/vsftpd.pam.dir
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS_2
/usr/share/doc/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS_2/README
/usr/share/doc/vsftpd-2.0.5/FAQ
/usr/share/doc/vsftpd-2.0.5/INSTALL
/usr/share/doc/vsftpd-2.0.5/LICENSE
/usr/share/doc/vsftpd-2.0.5/README
/usr/share/doc/vsftpd-2.0.5/README.security
/usr/share/doc/vsftpd-2.0.5/REWARD
/usr/share/doc/vsftpd-2.0.5/SECURITY
/usr/share/doc/vsftpd-2.0.5/SECURITY/DESIGN
/usr/share/doc/vsftpd-2.0.5/SECURITY/IMPLEMENTATION
/usr/share/doc/vsftpd-2.0.5/SECURITY/OVERVIEW
/usr/share/doc/vsftpd-2.0.5/SECURITY/TRUST
/usr/share/doc/vsftpd-2.0.5/SIZE
/usr/share/doc/vsftpd-2.0.5/SPEED
/usr/share/doc/vsftpd-2.0.5/TODO
/usr/share/doc/vsftpd-2.0.5/TUNING
/usr/share/doc/vsftpd-2.0.5/vsftpd.xinetd
/usr/share/man/man5/vsftpd.conf.5.gz
/usr/share/man/man8/vsftpd.8.gz
/var/ftp(ftp service root directory)
/var/ftp/pub
[root@Smoke ~]# finger ftp(show account information for the ftp user)
Login: ftp            			Name: FTP User
Directory: /var/ftp(home directory)                 	Shell: /sbin/nologin
Never logged in.
No mail.
No Plan.
[root@Smoke ~]# grep vsftp /etc/passwd(show only the passwd entries containing vsftp)
[root@Smoke ~]# service vsftpd start(start the vsftpd service)
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke ~]# chkconfig vsftpd on(start vsftpd automatically at boot in the relevant runlevels)
[root@Smoke ~]# cd /var/ftp/(change to the /var/ftp directory)
[root@Smoke ftp]# ls(list files and subdirectories)
pub
[root@Smoke ftp]# iptables -L -n(list the rules in the filter table; -n shows addresses and ports numerically)
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination     
Test: on Windows open Start -> Run, type cmd to open a command prompt;

C:\Users\Smoke>ftp 172.16.100.1(connect to the ftp server)
连接到 172.16.100.1。
220 (vsFTPd 2.0.5)(reply code 220)
用户(172.16.100.1:(none)):(anonymous)
331 Please specify the password.
密码:
503 Login with USER first.
登录失败。
ftp> bye(quit)
221 Goodbye.

C:\Users\Smoke>ftp 172.16.100.1(connect to the ftp server)
连接到 172.16.100.1。
220 (vsFTPd 2.0.5)
用户(172.16.100.1:(none)): anonymous(anonymous user)
331 Please specify the password.(331: information incomplete, supply more)
密码:
230 Login successful.(login successful)
ftp> help(show command help; many commands are available in the ftp client)
命令可能是缩写的。  命令为:

!               delete(delete a file)          literal         prompt          send
?               debug           ls              put(upload a file)             status
append          dir             mdelete         pwd(show current path)             trace
ascii(transfer in ASCII mode)           disconnect      mdir            quit            type
bell            get(download)             mget(download multiple files)            quote           user
binary(transfer in binary mode)          glob            mkdir(create a directory)           recv            verbose
bye             hash            mls             remotehelp
cd(change server-side directory)              help            mput(upload multiple files)            rename(rename a file)
close           lcd(change client-side directory)             open            rmdir
ftp> ls(list files and subdirectories in the current directory)
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
pub
226 Directory send OK.
ftp: 收到 5 字节,用时 0.00秒 5.00千字节/秒。
ftp> cd pub(change server-side directory to pub)
250 Directory successfully changed.
ftp> bye(quit)
221 Goodbye.

C:\Users\Smoke>(where downloads go: the directory you were in before logging in, /Users/Smoke)
C:\Users\Smoke>ftp 172.16.100.1
连接到 172.16.100.1。
220 (vsFTPd 2.0.5)
用户(172.16.100.1:(none)): anonymous
331 Please specify the password.
密码:
230 Login successful.
If after logging in you find the directory you started from is wrong and want to download somewhere else, use the lcd command to change directory;
ftp> pwd(show current path)
257 "/"(shown as the root, but on the server it is actually /var/ftp, not /)

[root@Smoke ftp]# cd /etc/vsftpd/(change to the /etc/vsftpd directory)
[root@Smoke vsftpd]# ls(list files and subdirectories in the current directory)
ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh
[root@Smoke vsftpd]# cp vsftpd.conf vsftpd.conf.bak(back up vsftpd.conf as vsftpd.conf.bak)
[root@Smoke vsftpd]# vim vsftpd.conf(edit vsftpd.conf)

anonymous_enable=YES

Note: lines beginning with # are comments; no directive may be preceded by whitespace, otherwise it is a syntax error;
[root@Smoke vsftpd]# man vsftpd.conf(read the man page for the vsftpd.conf configuration file)
[root@Smoke vsftpd]# vim vsftpd.conf(edit vsftpd.conf)

anonymous_enable=YES(whether anonymous users are allowed)

local_enable=YES(whether system users are enabled)

[root@Smoke vsftpd]# useradd hadoop(add user hadoop)
[root@Smoke vsftpd]# echo "hadoop" | passwd --stdin hadoop(echo "hadoop" into a pipe; passwd --stdin reads it from standard input as the password for user hadoop)
Changing password for user hadoop.
passwd: all authentication tokens updated successfully.
Test: on Windows open Start -> Run, type cmd to open a command prompt

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
pub(an anonymous login sees a pub directory)
226 Directory send OK.
ftp: 收到 5 字节,用时 0.00秒 5.00千字节/秒。
ftp> bye(quit)
221 Goodbye.

C:\Users\Smoke>ftp 172.16.100.1(connect to the ftp server)
连接到 172.16.100.1。
220 (vsFTPd 2.0.5)
用户(172.16.100.1:(none)): hadoop(log in as user hadoop)
331 Please specify the password.
密码:
230 Login successful.
ftp> ls(list files and subdirectories in the current directory)
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
Note: logged in as hadoop there is no pub directory; each user accessing via ftp lands in its own home directory, so hadoop sees /home/hadoop;

[root@Smoke vsftpd]# cp /etc/issue /home/hadoop/(copy /etc/issue to /home/hadoop)

ftp> ls(list files and subdirectories in the current directory)
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
issue(the copied issue file)
226 Directory send OK.
ftp: 收到 7 字节,用时 0.00秒 7.00千字节/秒。
ftp> pwd(show current path)
257 "/home/hadoop"
Note: for system users it shows the directory you are really in; they are not locked to the root;
ftp> cd /home(change to /home)
250 Directory successfully changed.
ftp> ls(list files in the current directory)
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
Smoke
hadoop
226 Directory send OK.
ftp: 收到 15 字节,用时 0.00秒 15.00千字节/秒。
ftp> cd /etc(change to /etc)
250 Directory successfully changed.
ftp> ls(list files and subdirectories in the current directory)
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
DIR_COLORS
DIR_COLORS.xterm
Muttrc
Muttrc.local
NetworkManager
X11
a2ps-site.cfg
a2ps.cfg
acpi
adjtime
alchemist
aliases
aliases.db
alsa
alternatives
anacrontab
asound.state
at.deny
audisp
audit
auto.master
auto.misc
auto.net
auto.smb
autofs_ldap_auth.conf
avahi
bash_completion.d
bashrc
blkid
bluetooth
bonobo-activation
capi.conf
cdrecord.conf
cipe
conman.conf
cron.d
cron.daily
cron.deny
cron.hourly
cron.monthly
cron.weekly
crontab
csh.cshrc
csh.login
cups
dbus-1
default
depmod.d
desktop-profiles
dev.d
dhcp6c.conf
dnsmasq.conf
dnsmasq.d
dumpdates
enscript.cfg
environment
esd.conf
exports
fb.modes
filesystems
fonts
foomatic
fstab
gconf
gcrypt
gdm
ghostscript
gnome-vfs-2.0
gnome-vfs-mime-magic
gpm-root.conf
gre.d
group
group-
grub.conf
gshadow
gshadow-
gssapi_mech.conf
gtk-2.0
hal
host.conf
hosts
hosts.allow
hosts.deny
hp
idmapd.conf
init.d
initlog.conf
inittab
inputrc
iproute2
iscsi
isdn
issue
issue.net
java
jvm
jvm-commmon
jwhois.conf
kdump.conf
krb5.conf
ld.so.cache
ld.so.conf
ld.so.conf.d
ldap.conf
lftp.conf
libaudit.conf
libuser.conf
localtime
login.defs
logrotate.conf
logrotate.d
logwatch
lsb-release.d
lvm
mail
mail.rc
mailcap
makedev.d
man.config
maven
mgetty+sendfax
mime.types
minicom.users
mke2fs.conf
modprobe.conf
modprobe.conf~
modprobe.d
motd
mtab
mtools.conf
multipath.conf
netplug
netplug.d
nscd.conf
nsswitch.conf
ntp
ntp.conf
openldap
opt
pam.d
pam_pkcs11
pam_smb.conf
pango
passwd
passwd-
pcmcia
pinforc
pki
pm
ppp
prelink.cache
prelink.conf
prelink.conf.d
printcap
profile
profile.d
protocols
quotagrpadmins
quotatab
racoon
rc
rc.d
rc.local
rc.sysinit
rc0.d
rc1.d
rc2.d
rc3.d
rc4.d
rc5.d
rc6.d
readahead.d
reader.conf
reader.conf.d
redhat-lsb
redhat-release
resolv.conf
resolv.conf.predhclient
rhgb
rhsm
rmt
rpc
rpm
rwtab
rwtab.d
samba
sane.d
sasl2
scim
scrollkeeper.conf
scsi_id.config
securetty
security
selinux
services
sestatus.conf
setroubleshoot
setuptool.d
sgml
shadow
shadow-
shells
skel
slrn.rc
smartd.conf
smrsh
sound
ssh
stunnel
sudoers
sysconfig
sysctl.conf
syslog.conf
termcap
udev
updatedb.conf
vimrc
virc
vsftpd
warnquota.conf
wgetrc
wpa_supplicant
wvdial.conf
xdg
xinetd.conf
xinetd.d
xml
yp.conf
yum
yum.conf
yum.repos.d
226 Directory send OK.
ftp: 收到 2405 字节,用时 0.01秒 171.79千字节/秒。
ftp> cd /var(change to /var)
250 Directory successfully changed.
ftp> ls(list files and subdirectories in the current directory)
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
account
cache
crash
db
empty
ftp
games
gdm
lib
local
lock
log
mail
nis
opt
preserve
racoon
run
spool
tmp
yp
226 Directory send OK.
ftp: 收到 129 字节,用时 0.00秒 64.50千字节/秒。
Note: not confining users to their home directories is very dangerous: any user who logs in via ftp can wander anywhere and read any sensitive file, and ftp itself is plaintext;
ftp> bye(quit)
221 Goodbye.

[root@Smoke vsftpd]# tcpdump -i eth0 -nn -X -vv tcp port 21 and ip host 172.16.100.1(capture TCP port 21 traffic of host 172.16.100.1 on eth0; -i selects the capture interface, -nn does not resolve host names or port numbers, -X prints hex and ASCII, -vv prints verbose detail)
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

Test: on Windows open Start -> Run, type cmd to open a command prompt

C:\Users\Smoke>ftp 172.16.100.1
连接到 172.16.100.1。
220 (vsFTPd 2.0.5)
用户(172.16.100.1:(none)): hadoop
331 Please specify the password.
密码:
230 Login successful.

[root@Smoke vsftpd]# tcpdump -i eth0 -nn -X -vv tcp port 21 and ip host 172.16.100.1(capture TCP port 21 traffic of host 172.16.100.1 on eth0; -i selects the capture interface, -nn does not resolve host names or port numbers, -X prints hex and ASCII, -vv prints verbose detail)
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:55:51.249985 IP (tos 0x0, ttl  64, id 9012, offset 0, flags [DF], proto: TCP (6), length: 52) 172.16.100.254.7663 > 172.16.100.1.21:
 S, cksum 0x5e68 (correct), 4197234524:4197234524(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
	0x0000:  4500 0034 2334 4000 4006 f66f ac10 64fe  E..4#4@.@..o..d.
	0x0010:  ac10 6401 1def 0015 fa2c b75c 0000 0000  ..d......,.\....
	0x0020:  8002 2000 5e68 0000 0204 05b4 0103 0302  ....^h..........
	0x0030:  0101 0402                                ....
08:55:51.250178 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 52) 172.16.100.1.21 > 172.16.100.254.7663: S,
 cksum 0xa601 (correct), 2130330246:2130330246(0) ack 4197234525 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
	0x0000:  4500 0034 0000 4000 4006 19a4 ac10 6401  E..4..@.@.....d.
	0x0010:  ac10 64fe 0015 1def 7efa 4286 fa2c b75d  ..d.....~.B..,.]
	0x0020:  8012 16d0 a601 0000 0204 05b4 0101 0402  ................
	0x0030:  0103 0307                                ....
08:55:51.250208 IP (tos 0x0, ttl  64, id 9013, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.100.254.7663 > 172.16.100.1.21:
 ., cksum 0xf5a3 (correct), 1:1(0) ack 1 win 2048
	0x0000:  4500 0028 2335 4000 4006 f67a ac10 64fe  E..(#5@.@..z..d.
	0x0010:  ac10 6401 1def 0015 fa2c b75d 7efa 4287  ..d......,.]~.B.
	0x0020:  5010 0800 f5a3 0000 0000 0000 0000       P.............
08:55:51.251762 IP (tos 0x0, ttl  64, id 51302, offset 0, flags [DF], proto: TCP (6), length: 60) 172.16.100.1.21 > 172.16.100.254.7663:
 P, cksum 0xa24a (correct), 1:21(20) ack 1 win 46
	0x0000:  4500 003c c866 4000 4006 5135 ac10 6401  E..<.f@.@.Q5..d.
	0x0010:  ac10 64fe 0015 1def 7efa 4287 fa2c b75d  ..d.....~.B..,.]
	0x0020:  5018 002e a24a 0000 3232 3020 2876 7346  P....J..220.(vsF
	0x0030:  5450 6420 322e 302e 3529 0d0a            TPd.2.0.5)..
08:55:51.449391 IP (tos 0x0, ttl  64, id 9015, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.100.254.7663 > 172.16.100.1.21:
 ., cksum 0xf594 (correct), 1:1(0) ack 21 win 2043
	0x0000:  4500 0028 2337 4000 4006 f678 ac10 64fe  E..(#7@.@..x..d.
	0x0010:  ac10 6401 1def 0015 fa2c b75d 7efa 429b  ..d......,.]~.B.
	0x0020:  5010 07fb f594 0000 0000 0000 0000       P.............
08:55:56.275589 IP (tos 0x0, ttl  64, id 9017, offset 0, flags [DF], proto: TCP (6), length: 53) 172.16.100.254.7663 > 172.16.100.1.21:
 P, cksum 0xef90 (correct), 1:14(13) ack 21 win 2043
	0x0000:  4500 0035 2339 4000 4006 f669 ac10 64fe  E..5#9@.@..i..d.
	0x0010:  ac10 6401 1def 0015 fa2c b75d 7efa 429b  ..d......,.]~.B.
	0x0020:  5018 07fb ef90 0000 5553 4552 2068 6164  P.......USER.had
	0x0030:  6f6f 700d 0a                             oop..(user name)
08:55:56.275633 IP (tos 0x0, ttl  64, id 51303, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.100.1.21 > 172.16.100.254.7663:
 ., cksum 0xfd54 (correct), 21:21(0) ack 14 win 46
	0x0000:  4500 0028 c867 4000 4006 5148 ac10 6401  E..(.g@.@.QH..d.
	0x0010:  ac10 64fe 0015 1def 7efa 429b fa2c b76a  ..d.....~.B..,.j
	0x0020:  5010 002e fd54 0000                      P....T..
08:55:56.276197 IP (tos 0x0, ttl  64, id 51304, offset 0, flags [DF], proto: TCP (6), length: 74) 172.16.100.1.21 > 172.16.100.254.7663:
 P, cksum 0xb609 (correct), 21:55(34) ack 14 win 46
	0x0000:  4500 004a c868 4000 4006 5125 ac10 6401  E..J.h@.@.Q%..d.
	0x0010:  ac10 64fe 0015 1def 7efa 429b fa2c b76a  ..d.....~.B..,.j
	0x0020:  5018 002e b609 0000 3333 3120 506c 6561  P.......331.Plea
	0x0030:  7365 2073 7065 6369 6679 2074 6865 2070  se.specify.the.p
	0x0040:  6173 7377 6f72 642e 0d0a                 assword...
08:55:56.475392 IP (tos 0x0, ttl  64, id 9019, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.100.254.7663 > 172.16.100.1.21:
 ., cksum 0xf56e (correct), 14:14(0) ack 55 win 2034
	0x0000:  4500 0028 233b 4000 4006 f674 ac10 64fe  E..(#;@.@..t..d.
	0x0010:  ac10 6401 1def 0015 fa2c b76a 7efa 42bd  ..d......,.j~.B.
	0x0020:  5010 07f2 f56e 0000 0000 0000 0000       P....n........
08:56:08.170329 IP (tos 0x0, ttl  64, id 9021, offset 0, flags [DF], proto: TCP (6), length: 53) 172.16.100.254.7663 > 172.16.100.1.21:
 P, cksum 0xe67b (correct), 14:27(13) ack 55 win 2034
	0x0000:  4500 0035 233d 4000 4006 f665 ac10 64fe  E..5#=@.@..e..d.
	0x0010:  ac10 6401 1def 0015 fa2c b76a 7efa 42bd  ..d......,.j~.B.
	0x0020:  5018 07f2 e67b 0000 5041 5353 2068 6164  P....{..PASS.had
	0x0030:  6f6f 700d 0a                             oop..(password)
08:56:08.209964 IP (tos 0x0, ttl  64, id 51305, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.100.1.21 > 172.16.100.254.7663:
 ., cksum 0xfd25 (correct), 55:55(0) ack 27 win 46
	0x0000:  4500 0028 c869 4000 4006 5146 ac10 6401  E..(.i@.@.QF..d.
	0x0010:  ac10 64fe 0015 1def 7efa 42bd fa2c b777  ..d.....~.B..,.w
	0x0020:  5010 002e fd25 0000                      P....%..
08:56:18.174033 IP (tos 0x0, ttl  64, id 51306, offset 0, flags [DF], proto: TCP (6), length: 63) 172.16.100.1.21 > 172.16.100.254.7663:
 P, cksum 0x1b8e (correct), 55:78(23) ack 27 win 46
	0x0000:  4500 003f c86a 4000 4006 512e ac10 6401  E..?.j@.@.Q...d.
	0x0010:  ac10 64fe 0015 1def 7efa 42bd fa2c b777  ..d.....~.B..,.w
	0x0020:  5018 002e 1b8e 0000 3233 3020 4c6f 6769  P.......230.Logi
	0x0030:  6e20 7375 6363 6573 7366 756c 2e0d 0a    n.successful...
08:56:18.374019 IP (tos 0x0, ttl  64, id 9023, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.100.254.7663 > 172.16.100.1.21:
 ., cksum 0xf550 (correct), 27:27(0) ack 78 win 2028
	0x0000:  4500 0028 233f 4000 4006 f670 ac10 64fe  E..(#?@.@..p..d.
	0x0010:  ac10 6401 1def 0015 fa2c b777 7efa 42d4  ..d......,.w~.B.
	0x0020:  5010 07ec f550 0000 0000 0000 0000       P....P........

13 packets captured
14 packets received by filter
0 packets dropped by kernel
Note: the authentication exchange and the data that follows are all plaintext;
[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

write_enable=YES(whether uploads are allowed)

[root@Smoke vsftpd]# getenforce
Permissive
Note: before setting write_enable=YES make sure SELinux is not enforcing;
[root@Smoke vsftpd]# setenforce 0(switch SELinux to permissive)
[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

write_enable=YES(whether uploads are allowed)

Test: in a browser on Windows enter ftp://172.16.100.1/ and upload a file as user hadoop;

This is the anonymous user;

To log in as a particular user, enter ftp://hadoop:hadoop@172.16.100.1 in the browser;

[root@Smoke vsftpd]# service vsftpd restart(restart the vsftpd service)
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke ~]# ftp 172.16.100.1(connect to the ftp server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): hadoop(user name)
331 Please specify the password.
Password:(password)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls(list files and subdirectories in the current directory)
227 Entering Passive Mode (172,16,100,1,53,186)
150 Here comes the directory listing.
-rw-r--r--    1 0        0              74 Nov 21 21:40 issue
226 Directory send OK.
ftp> lcd /etc(change client-side directory to /etc)
Local directory now /etc
ftp> put fstab(upload the fstab file)
local: fstab remote: fstab
227 Entering Passive Mode (172,16,100,1,57,152)
150 Ok to send data.
226 File receive OK.
532 bytes sent in 9.8e-05 seconds (5.3e+03 Kbytes/s)
ftp> ls(list files and subdirectories in the current directory)
227 Entering Passive Mode (172,16,100,1,74,97)
150 Here comes the directory listing.
-rw-r--r--    1 501      501           532 Nov 22 01:13 fstab
-rw-r--r--    1 0        0              74 Nov 21 21:40 issue
226 Directory send OK.
ftp> put inittab(upload the inittab file)
local: inittab remote: inittab
227 Entering Passive Mode (172,16,100,1,76,39)
150 Ok to send data.
226 File receive OK.
1666 bytes sent in 0.0001 seconds (1.6e+04 Kbytes/s)
ftp> ls(list files and subdirectories in the current directory)
227 Entering Passive Mode (172,16,100,1,93,221)
150 Here comes the directory listing.
-rw-r--r--    1 501      501           532 Nov 22 01:13 fstab
-rw-r--r--    1 501      501          1666 Nov 22 01:15 inittab
-rw-r--r--    1 0        0              74 Nov 21 21:40 issue
226 Directory send OK.
ftp> bye(quit)
221 Goodbye.
[root@Smoke ~]# ftp 172.16.100.1(connect to the ftp service)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): ftp(anonymous user)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls(list files and subdirectories in the current directory)
227 Entering Passive Mode (172,16,100,1,71,172)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Dec 05  2011 pub
226 Directory send OK.
ftp> lcd /etc(change client-side directory to /etc)
Local directory now /etc
ftp> put fstab(upload the fstab file)
local: fstab remote: fstab
227 Entering Passive Mode (172,16,100,1,20,153)
550 Permission denied.(upload refused)
ftp> cd pub(change server-side directory to pub)
250 Directory successfully changed.
ftp> put fstab(upload the fstab file)
local: fstab remote: fstab
227 Entering Passive Mode (172,16,100,1,206,144)
550 Permission denied.(upload refused)
ftp> bye(quit)
221 Goodbye.
Note: anonymous users have no upload permission in any directory;
[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

anon_upload_enable=YES(whether anonymous users may upload files)

[root@Smoke vsftpd]# service vsftpd restart(restart the vsftpd service)
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke ~]# ftp 172.16.100.1(connect to the ftp server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): ftp(user name)
331 Please specify the password.
Password:(password)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc(change client-side directory to /etc)
Local directory now /etc
ftp> put fstab(upload the fstab file)
local: fstab remote: fstab
227 Entering Passive Mode (172,16,100,1,89,89)
553 Could not create file.(upload fails: the file cannot be created)
ftp> cd pub(change server-side directory to pub)
250 Directory successfully changed.
ftp> put fstab(upload the fstab file)
local: fstab remote: fstab
227 Entering Passive Mode (172,16,100,1,201,249)
553 Could not create file.(upload fails: the file cannot be created)
ftp> 

[root@Smoke vsftpd]# ls -ld /var/ftp/(show details of the /var/ftp directory itself)
drwxr-xr-x 3 root root 4096 Nov 22 04:29 /var/ftp/
Note: /var/ftp is owned by user root, group root;
[root@Smoke vsftpd]# ps aux | grep vsftpd(list the processes of all terminals and pipe to grep to show only vsftpd)
root     14862  0.0  0.0   5312   512 ?        Ss   10:05   0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
nobody   14894  0.0  0.0   5360  1020 ?        Ss   10:06   0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
ftp      14896  0.0  0.0   5384   884 ?        S    10:06   0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root     14906  0.0  0.0   4220   608 pts/0    R+   10:09   0:00 grep vsftpd
Note: the ftp process runs as user ftp; the process running as root is the master control process, which does not answer user requests;
[root@Smoke vsftpd]# ls -ld /var/ftp/(show details of the /var/ftp directory itself)
drwxr-xr-x 3 root root 4096 Nov 22 04:29 /var/ftp/
Note: our process has no write permission on this directory, and without write permission it cannot upload files into it, so even with the ftp upload feature enabled, uploads still cannot complete;
[root@Smoke vsftpd]# ls -ld /var/ftp/pub/(show details of the /var/ftp/pub directory itself)
drwxr-xr-x 2 root root 4096 Dec  5  2011 /var/ftp/pub/
Note: /var/ftp/pub is still owned by root:root, so ftp still has no write permission and uploads fail; giving the ftp user write permission on the pub directory would fix it;
[root@Smoke vsftpd]# mkdir /var/ftp/upload(create the /var/ftp/upload directory)
[root@Smoke vsftpd]# setfacl -m u:ftp:rwx /var/ftp/upload/(use a file access control list to give user ftp read, write and execute permission on upload; -m modifies the ACL)
[root@Smoke vsftpd]# getfacl /var/ftp/upload/(show the ACL of /var/ftp/upload)
getfacl: Removing leading '/' from absolute path names
# file: var/ftp/upload
# owner: root
# group: root
user::rwx
user:ftp:rwx
group::r-x
mask::rwx
other::r-x

Note: the ftp user has read, write and execute permission;
ftp> cd ../
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (172,16,100,1,216,187)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Dec 05  2011 pub
drwxrwxr-x    2 0        0            4096 Nov 22 02:17 upload
226 Directory send OK.
ftp> cd upload(change server-side directory to upload)
250 Directory successfully changed.
ftp> put fstab(upload the fstab file)
local: fstab remote: fstab
227 Entering Passive Mode (172,16,100,1,240,160)
150 Ok to send data.
226 File receive OK.
532 bytes sent in 3.3e-05 seconds (1.6e+04 Kbytes/s)
ftp> ls(list files and subdirectories in the current directory)
227 Entering Passive Mode (172,16,100,1,110,246)
150 Here comes the directory listing.
-rw-------    1 14       50            532 Nov 22 02:23 fstab
226 Directory send OK.
ftp> mkdir tset(create a directory)
550 Permission denied.(cannot create)
ftp> help(show client command help)
Commands may be abbreviated.  Commands are:

!		cr		mdir		proxy		send
$		delete		mget		sendport	site
account		debug		mkdir		put		size
append		dir		mls		pwd		status
ascii		disconnect	mode		quit		struct
bell		form		modtime		quote		system
binary		get		mput		recv		sunique
bye		glob		newer		reget		tenex
case		hash		nmap		rstatus		trace
ccc		help		nlist		rhelp		type
cd		idle		ntrans		rename		user
cdup		image		open		reset		umask
chmod		lcd		passive		restart		verbose
clear		ls		private		rmdir		?
close		macdef		prompt		runique
cprotect	mdelete		protect		safe
ftp> delete fstab(delete the fstab file)
550 Permission denied.(cannot delete)
ftp> bye
221 Goodbye.
Note: uploading works, but creating directories and deleting files do not, because these are separate permissions;
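The "filesystem permission * share permission" rule and the three separate anonymous write permissions, replayed as an added Python example that is not vsftpd's own code: the daemon's option gate and the directory's mode/ACL are checked one after the other, and the reply code reproduces what the sessions above showed (550 from the daemon's policy, 553 when the policy allows but the directory is root-owned, 226/257/250 on success). The directory owners and modes are taken from the ls -ld and getfacl output above (the /home/hadoop mode is a constructed assumption), the option table follows vsftpd.conf(5), and the Directory class, ftp_write_op, STAGES and replay_notes are this example's own names.

```python
# Added example (not vsftpd's own code): effective FTP permission = daemon
# share permission AND filesystem permission, replaying the notes' sessions.
# Directory, ftp_write_op, STAGES and replay_notes are this example's names.
from dataclasses import dataclass, field

# vsftpd options that must all be YES before the daemon lets an anonymous
# user perform each operation (vsftpd.conf(5)); local users are gated by
# write_enable alone.
ANON_GATES = {
    "put":    ("write_enable", "anon_upload_enable"),
    "mkdir":  ("write_enable", "anon_mkdir_write_enable"),
    "delete": ("write_enable", "anon_other_write_enable"),
    "rename": ("write_enable", "anon_other_write_enable"),
}
LOCAL_GATES = ("write_enable",)
SUCCESS = {"put": 226, "mkdir": 257, "delete": 250, "rename": 250}


@dataclass
class Directory:
    """Just enough metadata to decide write access: owner, the nine mode
    characters from ls -l, and named-user ACL entries (setfacl -m u:NAME:PERMS)."""
    path: str
    owner: str
    mode: str                                   # e.g. "rwxr-xr-x"
    acl_users: dict = field(default_factory=dict)

    def writable_by(self, user):
        # Owner bits apply to the owner, a named ACL entry to that user, and the
        # "other" bits to everyone else (group membership is not modelled).
        if user == self.owner:
            return "w" in self.mode[0:3]
        if user in self.acl_users:
            return "w" in self.acl_users[user]
        return "w" in self.mode[6:9]


def ftp_write_op(cfg, op, directory, user):
    """Reply code for a write operation.  Anonymous sessions run as the ftp
    user.  550 is the daemon's own policy refusing; 553 is the filesystem
    refusing to create the file after the policy allowed it."""
    anonymous = user == "ftp"
    gates = ANON_GATES[op] if anonymous else LOCAL_GATES
    if any(cfg.get(opt, "NO") != "YES" for opt in gates):
        return 550                               # "Permission denied."
    if not directory.writable_by(user):
        return 553 if op == "put" else 550       # "Could not create file." / operation failed
    return SUCCESS[op]


# Directories from the notes' ls -ld and getfacl output; /home/hadoop's mode is constructed.
PUB = Directory("/var/ftp/pub", "root", "rwxr-xr-x")
UPLOAD = Directory("/var/ftp/upload", "root", "rwxrwxr-x", {"ftp": "rwx"})
HOME = Directory("/home/hadoop", "hadoop", "rwx------")

# The configuration as it grows option by option through the notes.
STAGES = {
    "write_enable": {"write_enable": "YES"},
    "anon_upload": {"write_enable": "YES", "anon_upload_enable": "YES"},
    "anon_mkdir": {"write_enable": "YES", "anon_upload_enable": "YES",
                   "anon_mkdir_write_enable": "YES"},
    "anon_other": {"write_enable": "YES", "anon_upload_enable": "YES",
                   "anon_mkdir_write_enable": "YES", "anon_other_write_enable": "YES"},
}


def replay_notes():
    """Replay the experiments from the notes; returns (stage, op, path, user, code) rows."""
    trials = [
        ("write_enable", "put", HOME, "hadoop"),   # local user uploads into its own home
        ("write_enable", "put", PUB, "ftp"),       # anonymous: 550, uploads not enabled
        ("anon_upload", "put", PUB, "ftp"),        # anonymous: 553, pub is root-owned 755
        ("anon_upload", "put", UPLOAD, "ftp"),     # ACL grants ftp rwx, upload works
        ("anon_upload", "mkdir", UPLOAD, "ftp"),   # 550 until anon_mkdir_write_enable
        ("anon_mkdir", "mkdir", UPLOAD, "ftp"),
        ("anon_mkdir", "delete", UPLOAD, "ftp"),   # 550 until anon_other_write_enable
        ("anon_other", "delete", UPLOAD, "ftp"),
    ]
    return [(stage, op, d.path, user, ftp_write_op(STAGES[stage], op, d, user))
            for stage, op, d, user in trials]


if __name__ == "__main__":
    for row in replay_notes():
        print(row)
```

The two gates are independent, which is why the safest layout keeps both narrow: leave anon_other_write_enable off and grant the ftp user write access only on a dedicated upload directory, never on /var/ftp itself.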
[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

anon_mkdir_write_enable=YES(whether anonymous users may create directories)
#anon_other_write_enable=YES(whether anonymous users get other write permissions)

[root@Smoke vsftpd]# service vsftpd restart(restart the vsftpd service)
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke ~]# ftp 172.16.100.1(connect to the ftp server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): ftp(anonymous user)
331 Please specify the password.
Password:(empty password)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd upload(change to the upload directory)
250 Directory successfully changed.
ftp> mkdir test(create directory test)
257 "/upload/test" created(created successfully)
ftp> ls(list files and subdirectories in the current directory)
227 Entering Passive Mode (172,16,100,1,28,228)
150 Here comes the directory listing.
-rw-------    1 14       50            532 Nov 22 02:23 fstab
drwx------    2 14       50           4096 Nov 22 02:32 test
226 Directory send OK.
ftp> delete fstab(delete the fstab file)
550 Permission denied.(deletion refused)

[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

anon_mkdir_write_enable=YES(whether anonymous users may create directories)
anon_other_write_enable=YES(whether anonymous users get other write permissions)

[root@Smoke vsftpd]# service vsftpd restart(restart the vsftpd service)
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]

ftp> delete fstab(delete the fstab file)
421 Service not available, remote server has closed connection(after the ftp server is restarted the client must reconnect)
ftp> bye(quit)
[root@Smoke ~]# ftp 172.16.100.1(connect to the ftp server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): ftp(匿名用户)
331 Please specify the password.
Password:(空密码)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd upload(切换到upload目录)
250 Directory successfully changed.
ftp> delete fstab(删除fstab文件)
250 Delete operation successful.(删除成功)
ftp> ls(查看当前目录文件及子目录)
227 Entering Passive Mode (172,16,100,1,207,67)
150 Here comes the directory listing.
drwx------    2 14       50           4096 Nov 22 02:32 test
226 Directory send OK.
ftp> bye(退出)
提示:匿名用户能够上传文件、创建目录、删除文件非常危险;
[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

dirmessage_enable=YES(whether to show a greeting message when a user enters a directory)

[root@Smoke vsftpd]# ls /var/ftp/upload/(list the files and subdirectories of /var/ftp/upload)
test
[root@Smoke vsftpd]# vim /var/ftp/upload/.message(create the hidden .message file)

-- welcome to upload
-- please do not upload unkown file.
--
Note: create a .message file in /var/ftp/upload/ and write the greeting into it;
[root@Smoke ~]# ftp 172.16.100.1(connect to the ftp server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): ftp(account)
331 Please specify the password.
Password:(password)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd upload
250--- welcome to upload(the greeting written in /var/ftp/upload/.message)
250--- please do not upload unkown file.
250---
250 Directory successfully changed.
ftp> bye(quit)

[root@Smoke vsftpd]# vim vsftpd.conf(edit vsftpd.conf)

xferlog_enable=YES(whether to enable the transfer log, i.e. whether to record which file a user downloaded at what time)

[root@Smoke ~]# tail /var/log/messages(show the last 10 lines of the messages log)
Nov 22 10:47:46 localhost last message repeated 6 times
Nov 22 10:48:56 localhost last message repeated 5 times
Nov 22 10:50:08 localhost last message repeated 6 times
Nov 22 10:51:16 localhost last message repeated 5 times
Nov 22 10:52:20 localhost last message repeated 4 times
Nov 22 10:53:22 localhost last message repeated 5 times
Nov 22 10:54:33 localhost last message repeated 5 times
Nov 22 10:55:36 localhost last message repeated 6 times
Nov 22 10:56:40 localhost last message repeated 4 times
Nov 22 10:57:42 localhost last message repeated 4 times
[root@Smoke vsftpd]# vim vsftpd.conf(edit vsftpd.conf)

xferlog_enable=YES(whether to enable the transfer log, i.e. whether to record which file a user downloaded at what time)

xferlog_file=/var/log/vsftpd.log(the file the transfer log is written to)

[root@Smoke vsftpd]# service vsftpd restart(restart the vsftpd service)
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke ~]# ftp 172.16.100.1(connect to the ftp server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): ftp(anonymous user)
331 Please specify the password.
Password:(empty password)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub(change the server-side directory to pub)
250 Directory successfully changed.
ftp> ls(list the files and subdirectories of the current directory)
227 Entering Passive Mode (172,16,100,1,121,140)
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd upload(change to the upload directory)
550 Failed to change directory.
ftp> ls(list the files and subdirectories of the current directory)
227 Entering Passive Mode (172,16,100,1,166,197)
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd ..(go up one directory)
250 Directory successfully changed.
ftp> cd upload(change to the upload directory)
250--- welcome to upload
250--- please do not upload unkown file.
250---
250 Directory successfully changed.
ftp> lcd /etc(change the client-side directory to /etc)
Local directory now /etc
ftp> put fstab(upload the fstab file)
local: fstab remote: fstab
227 Entering Passive Mode (172,16,100,1,255,2)
150 Ok to send data.
226 File receive OK.
532 bytes sent in 0.011 seconds (47 Kbytes/s)
ftp> 
[root@Smoke ~]# tail /var/log/vsftpd.log(show the last 10 lines of the vsftpd.log file)
Sat Nov 22 03:01:03 2014 1 172.16.100.1 532 /upload/fstab b _ i a ? ftp 0 * c
[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

#chown_uploads=YES(whether to change the owner and group of a file to another user once the upload completes)
#chown_username=whoever(the user to change ownership to after the upload completes)

xferlog_std_format=YES(log file format: the standard wu-ftpd xferlog format)
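The log line above is in the standard xferlog layout: 18 space-separated fields, the date taking the first five, then transfer time, remote host, byte count, path, transfer type, special-action flag, direction (i upload, o download, d delete), access mode (a anonymous, r real user, g guest), user name, service, authentication method, authenticated id and completion status (c complete, i incomplete). Because anonymous uploads were just shown to be the risky case, here is an added example (my own, not part of these notes or of vsftpd) that pulls anonymous uploads and per-host upload volume out of a log in that format. The log lines are constructed for the example; only the first one mirrors the real line shown above:

```shell
#!/bin/sh
# Constructed sample of /var/log/vsftpd.log in xferlog_std_format=YES layout.
# Only the first line is the real one from the notes above; the rest are made up.
SAMPLE_XFERLOG='Sat Nov 22 03:01:03 2014 1 172.16.100.1 532 /upload/fstab b _ i a ? ftp 0 * c
Sat Nov 22 03:05:10 2014 2 172.16.100.7 88102 /upload/tool.exe b _ i a mozilla@ ftp 0 * c
Sat Nov 22 03:06:44 2014 1 172.16.100.1 155985 /pub/vsftpd-2.0.5.tar.gz b _ o a ? ftp 0 * c
Sat Nov 22 03:09:02 2014 1 172.16.100.9 1024 /home/hbase/notes.txt a _ i r hbase ftp 1 * c
Sat Nov 22 03:10:30 2014 4 172.16.100.7 4096 /upload/x b _ i a ? ftp 0 * i'

# Field positions in the standard xferlog layout (the date occupies fields 1-5):
#   $7 remote host   $8 bytes   $9 path   $10 type (a/b)   $12 direction (i/o/d)
#   $13 access mode (a/r/g)   $14 user (for anonymous: the password string given)
#   $18 completion status (c/i)
# The layout has no quoting, so a path containing spaces would shift the fields;
# the NF == 18 guard skips such lines instead of misreading them.

# xferlog_anon_uploads: read a log on stdin, print "host bytes path status" for
# every upload made over an anonymous session.
xferlog_anon_uploads() {
    awk 'NF == 18 && $12 == "i" && $13 == "a" { print $7, $8, $9, $18 }'
}

# xferlog_anon_upload_count: same filter, but only the number of matches.
xferlog_anon_upload_count() {
    awk 'NF == 18 && $12 == "i" && $13 == "a" { n++ } END { print n + 0 }'
}

# xferlog_upload_bytes_by_host: total bytes uploaded per remote host, largest
# first; a quick way to spot a host using the upload directory as a dump.
xferlog_upload_bytes_by_host() {
    awk 'NF == 18 && $12 == "i" { b[$7] += $8 }
         END { for (h in b) print b[h], h }' | sort -rn
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_XFERLOG" | xferlog_anon_uploads
printf '%s\n' "$SAMPLE_XFERLOG" | xferlog_upload_bytes_by_host
```

Point a real log at the functions with `xferlog_anon_uploads < /var/log/vsftpd.log`; the byte-per-host summary is the one worth feeding into a periodic check, since a writable anonymous directory tends to show up there first.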

Daemon types:

  Standalone daemon: suited to services with many users and long-lived sessions;

  Transient daemon: suited to services with few users and short sessions;

    managed on their behalf by xinetd

Connection Restrictions

To limit the number of clients that may be connected

max_clients(maximum number of clients allowed to be connected at the same time)

To limit the number of clients that may be connected from one IP address

max_per_ip(maximum number of connections a single IP address may open)

vsftpd:

  max_clients=#

  max_per_ip=#

Secure transport options:

  ftps: ftp+ssl/tls

  sftp: OpenSSH, SubSystem, sftp(SSH)

Parameters to add for ftps:

ssl_enable=YES(whether to enable SSL)

ssl_tlsv1=YES(accept TLSv1)

ssl_sslv2=YES(accept SSLv2)

ssl_sslv3=YES(accept SSLv3)

allow_anon_ssl=NO(whether anonymous users may use SSL)

force_local_data_ssl=YES(force local users to use SSL for data transfers)

force_local_logins_ssl=YES(force local users to use SSL for login authentication)

rsa_cert_file=/etc/vsftpd/ssl/vsftpd_cert.pem(RSA certificate file)

rsa_private_key_file=/etc/vsftpd/ssl/vsftpd_key.pem(RSA private key file)
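One caveat on the list above: SSLv2 and SSLv3 are broken protocols, so ssl_sslv2 and ssl_sslv3 should stay at their default of NO and only ssl_tlsv1 (or newer TLS on versions that support it) should be YES. Since the anonymous-write settings tried earlier and the ftps settings here are all simple key=value lines, they lend themselves to a quick audit. The script below is an added example (mine, not vsftpd's or these notes' own tooling) that reads a vsftpd.conf and reports the anonymous-write, obsolete-protocol, cleartext-login and missing-chroot cases covered on this page. The defaults it assumes for unset keys are vsftpd's documented compiled-in defaults (anonymous_enable=YES, local_enable=NO, force_local_logins_ssl and force_local_data_ssl YES); the two configs it checks are constructed for the example:

```shell
#!/bin/sh
# conf_get FILE KEY: print the raw value of KEY in a vsftpd.conf (last
# assignment wins, "#" lines ignored, empty output when the key is unset).
# vsftpd allows no whitespace around "=", so no trimming is attempted.
conf_get() {
    awk -v k="$2" '
        /^[[:space:]]*(#|$)/ { next }
        { i = index($0, "="); if (i == 0) next
          if (substr($0, 1, i - 1) == k) v = substr($0, i + 1) }
        END { print v }' "$1"
}

# conf_bool FILE KEY DEFAULT: normalise a boolean the way vsftpd accepts it
# (YES/NO, TRUE/FALSE, 1/0, any case); fall back to DEFAULT when unset.
conf_bool() {
    case "$(conf_get "$1" "$2" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|1) echo YES ;;
        NO|FALSE|0) echo NO ;;
        *) echo "$3" ;;
    esac
}

# vsftpd_audit FILE: print one "finding: ..." line per risky setting.
vsftpd_audit() {
    f=$1
    if [ "$(conf_bool "$f" anonymous_enable YES)" = YES ]; then
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            [ "$(conf_bool "$f" "$k" NO)" = YES ] && echo "finding: anonymous write enabled ($k=YES)"
        done
    fi
    for k in ssl_sslv2 ssl_sslv3; do
        [ "$(conf_bool "$f" "$k" NO)" = YES ] && echo "finding: obsolete protocol enabled ($k=YES)"
    done
    if [ "$(conf_bool "$f" local_enable NO)" = YES ]; then
        if [ "$(conf_bool "$f" ssl_enable NO)" = YES ]; then
            for k in force_local_logins_ssl force_local_data_ssl; do
                [ "$(conf_bool "$f" "$k" YES)" = NO ] && echo "finding: cleartext allowed for local users ($k=NO)"
            done
        else
            echo "finding: local users authenticate in cleartext (ssl_enable is not YES)"
        fi
        if [ "$(conf_bool "$f" chroot_local_user NO)" = NO ] && [ "$(conf_bool "$f" chroot_list_enable NO)" = NO ]; then
            echo "finding: no chroot for local users (neither chroot_local_user nor chroot_list_enable)"
        fi
    fi
    return 0
}

# vsftpd_audit_count FILE: number of findings, for use in scripts.
vsftpd_audit_count() {
    vsftpd_audit "$1" | awk '/^finding:/ { n++ } END { print n + 0 }'
}

# Two constructed configs: the permissive one mirrors the settings tried in
# these notes, the hardened one is what a production box should look like.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
anonymous_enable=YES
local_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
# ssl or tls
ssl_enable=YES
ssl_sslv2=YES
ssl_sslv3=YES
ssl_tlsv1=YES
EOF
cat > "$HARD_CONF" <<'EOF'
anonymous_enable=YES
anon_upload_enable=NO
local_enable=YES
chroot_local_user=YES
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
EOF

vsftpd_audit "$WEAK_CONF"
```

Run it as `vsftpd_audit /etc/vsftpd/vsftpd.conf` after each of the edits on this page; the permissive sample produces six findings, the hardened one none.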

vsftpd: PAM(configuration file written by hand)

  anonymous

  local

  virtual users

    MySQL: VSFTPD, users : Name,Password

    /etc/vsftpd/vusers: --> db_load(converted into a binary db file)

      USERNAME

      PASSWORD

db4-utils

postconf -m(list the lookup table types postfix supports)

Configuring vsftpd virtual users with MySQL:

I. Installation

1. Install the development environment and the MySQL database beforehand;

2. Install pam_mysql-0.7RC1

#tar zxvf pam_mysql-0.7RC1.tar.gz

#cd pam_mysql-0.7RC1

#./configure --with-mysql=/usr/local/mysql(tells it where MySQL is installed) --with-openssl

#make

#make install

#cp /usr/lib/security/pam_mysql.so /lib/security/

3. Install vsftpd-2.0.5

#mkdir -pv /usr/share/empty /var/ftp

#useradd -s /bin/false -d /var/ftp ftp

#tar xzvf vsftpd-2.0.5.tar.gz

#cd vsftpd-2.0.5

#make

#make install

Install the configuration file

#cp vsftpd.conf /etc

Edit the configuration file /etc/vsftpd.conf

Add: listen=YES

Start the server

#/usr/local/sbin/vsftpd &

II. Configuration

1. Prepare the database and tables

Here we create a database named vsftp to hold the virtual user accounts

mysql> create database vsftp;(create the database)

mysql> grant select on vsftp.* to vsftpd@localhost identified by '123456';

mysql> grant select on vsftp.* to vsftpd@127.0.0.1 identified by '123456';

mysql> use vsftp;

mysql> create table users ( (create the table)

  -> id int AUTO_INCREMENT NOT NULL,(the first column, id)

  -> name char(20) binary NOT NULL,(the second column, name)

  -> passwd char(48) binary NOT NULL,(the third column, passwd)

  -> primary key(id)(define the primary key)

  -> );

Add test virtual users; their passwords are stored in hashed form

mysql> insert into users(name,passwd) values('tom',password('123456'));

mysql> insert into users(name,passwd) values('jerry',password('123456'));

Query the result

mysql> select * from users;

3 rows in set (0.00 sec)

2. Create the file PAM needs for authentication

#vi /etc/pam.d/vsftpd.mysql(the file name must match pam_service_name below)

Add the following two lines

auth required /lib/security/pam_mysql.so user=vsftpd passwd=123456 host=localhost db=vsftp table=users usercolumn=name passwdcolumn=passwd crypt=2(check with pam_mysql.so; the account used to connect to MySQL is vsftpd with password 123456, the MySQL server is the local host, the database is vsftp and the table is users; usercolumn=name is the column holding the user name, passwdcolumn=passwd the column holding the password, and crypt=2 the hash type, here MySQL's PASSWORD())

account required /lib/security/pam_mysql.so user=vsftpd passwd=123456 host=localhost db=vsftp table=users usercolumn=name passwdcolumn=passwd crypt=2

3. Modify the vsftpd configuration file so that it authenticates against MySQL

Create the system user that the virtual users are mapped to, and its directory

#useradd -s /sbin/nologin -d /var/ftp2 vsftp

#chmod go+rx /var/ftp2

Make sure the following options are already enabled in /etc/vsftpd.conf

anonymous_enable=YES

local_enable=YES

anon_upload_enable=NO

anon_mkdir_write_enable=NO

chroot_local_user=YES

Add the following options

guest_enable=YES(allow guest accounts)

guest_username=vsftp(guest accounts are mapped to the system user vsftp)

listen=YES

pam_service_name=vsftpd.mysql(the PAM service name, i.e. the file under /etc/pam.d used for authentication)

III. Start the vsftpd service

#/usr/local/sbin/vsftpd &

# netstat -tnlp | grep :21

tcp    0    0.0.0.0:21   0.0.0.0:*    LISTEN   23286/vsftpd

Log in as a virtual user to verify the configuration. Below is a command-line test on the local machine; you can also verify from another Windows box with IE or an FTP client

# ftp localhost

Connected to localhost(127.0.0.1).

220(vsFTPd 2.0.5)

Name (localhost:root): benet

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls

227 Entering Passive Mode (127,0,0,1,235,31)

150 Here comes the directory listing.

-rw-r--r-- 1 0 0 155985 Jun 06 07:16 vsftpd-2.0.5.tar.gz

226 Directory send OK.

Giving different anonymous (virtual) users different permissions:

vsftpd.conf

user_config_dir=/etc/vsftpd/vuser_dir

# mkdir /etc/vsftpd/vuser_dir/

# cd /etc/vsftpd/vuser_dir/

# touch tony

# vi peter

anon_upload_enable=YES

anon_mkdir_write_enable=YES

tony(empty per-user file: keeps the global settings)

peter(per-user file: gains upload and mkdir permission)

[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

#idle_session_timeout=600(disconnect a user whose session has been idle for more than 600 seconds; applies to the control connection)

#data_connection_timeout=120(applies to the data connection)

#ascii_upload_enable=YES(whether to allow uploads in ASCII/text mode)
#ascii_download_enable=YES(whether to allow downloads in ASCII/text mode)

chroot_list_enable=YES(whether a file is used to define the specific users to be locked into their home directories)

chroot_list_file=/etc/vsftpd/chroot_list(the file holding that user list; every user listed in it is confined to their home directory)

[root@Smoke vsftpd]# touch chroot_list(create the chroot_list file)
[root@Smoke vsftpd]# vim chroot_list(edit the chroot_list file)

hadoop

Note: put the users to be confined to their home directories into this file;
[root@Smoke vsftpd]# service vsftpd restart(restart the vsftpd service)
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke ~]# ftp 172.16.100.1(connect to the ftp server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): hadoop(user name)
331 Please specify the password.
Password:(password)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd(show the current directory)
257 "/"
ftp> bye(quit)
421 Timeout.
Note: the current directory shows as the root directory, but it is actually /home/hadoop;
[root@Smoke ~]# useradd hbase(add the user hbase)
[root@Smoke ~]# passwd hbase(set a password for the user hbase)
Changing password for user hbase.
New UNIX password: 
BAD PASSWORD: it is too short
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.
[root@Smoke ~]# useradd redis(add the user redis)
[root@Smoke ~]# passwd redis(set a password for the user redis)
Changing password for user redis.
New UNIX password: 
BAD PASSWORD: it is too short
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.
[root@Smoke ~]# ftp 172.16.100.1(connect to the ftp server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): redis(user)
331 Please specify the password.
Password:(password)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd(show the current directory)
257 "/home/redis"
ftp> bye(quit)
221 Goodbye.
Note: the redis user is not confined to a root directory; this means only the users written in the chroot_list file are confined to their home directories;
[root@Smoke vsftpd]# vim chroot_list(edit the chroot_list file)

hadoop
redis

[root@Smoke vsftpd]# service vsftpd restart(restart the vsftpd service)
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke ~]# ftp 172.16.100.1(connect to the ftp server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): redis(user)
331 Please specify the password.
Password:(password)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> bye(quit)
421 Timeout.
Note: the redis user is now confined to its home directory;
[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

#chroot_list_enable=YES

#chroot_list_file=/etc/vsftpd/chroot_list

chroot_local_user=YES(confine all local users to their home directories)

[root@Smoke vsftpd]# man vsftpd.conf(look up the vsftpd.conf man page)

       chroot_local_user(confine all local users to their home directories)
              If set to YES, local users will be (by default) placed in a chroot() jail  in  their  home  directory  after
              login.   Warning:  This option has security implications, especially if the users have upload permission, or
              shell access. Only enable if you know what you are doing.  Note that these  security  implications  are  not
              vsftpd specific. They apply to all FTP daemons which offer to put local users in chroot() jails.

/chroot(search the man page for "chroot")

[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

chroot_local_user=YES(confine all local users to their home directories)

[root@Smoke vsftpd]# !ser(re-run the last command starting with "ser": restart the vsftpd service)
service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke ~]# ftp 172.16.100.1(connect to the ftp server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): hbase(user)
331 Please specify the password.
Password:(password)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd(show the current directory)
257 "/"
ftp> bye(quit)
221 Goodbye.
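The four logins above all follow one rule from vsftpd.conf(5): chroot_list_file names the users to jail, except when chroot_local_user=YES, in which case the very same list names the users NOT to jail. As an added example (mine, not from these notes or from vsftpd) the function below encodes that rule and replays the page's logins as hadoop, redis and hbase against the same three configurations, plus the exemption case the page does not show. The list contents are embedded as constructed strings:

```shell
#!/bin/sh
# in_list NAME LIST: succeed when NAME is one of the newline-separated LIST entries.
in_list() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# vsftpd_chroot_decision USER CHROOT_LOCAL_USER CHROOT_LIST_ENABLE CHROOT_LIST
# Prints "jailed" (pwd shows "/") or "free" (pwd shows the real home directory),
# following vsftpd.conf(5): with chroot_local_user=NO the list names the users
# to jail; with chroot_local_user=YES the same list names the users to exempt.
vsftpd_chroot_decision() {
    user=$1; all=$2; use_list=$3; list=$4
    listed=NO
    if [ "$use_list" = YES ] && in_list "$user" "$list"; then listed=YES; fi
    if [ "$all" = YES ]; then
        # everyone is jailed; the list holds the exceptions
        [ "$listed" = YES ] && echo free || echo jailed
    else
        # nobody is jailed; the list holds the exceptions
        [ "$listed" = YES ] && echo jailed || echo free
    fi
}

# Replay of the configurations tried in the notes (constructed list contents).
LIST_ONE='hadoop'
LIST_TWO='hadoop
redis'
echo "hadoop, list enabled [hadoop]:      $(vsftpd_chroot_decision hadoop NO YES "$LIST_ONE")"
echo "redis,  list enabled [hadoop]:      $(vsftpd_chroot_decision redis NO YES "$LIST_ONE")"
echo "redis,  list enabled [hadoop,redis]: $(vsftpd_chroot_decision redis NO YES "$LIST_TWO")"
echo "hbase,  chroot_local_user=YES:      $(vsftpd_chroot_decision hbase YES NO "$LIST_TWO")"
echo "hbase,  chroot_local_user=YES, listed: $(vsftpd_chroot_decision hbase YES YES hbase)"
```

The last line is the inversion to remember: once chroot_local_user=YES is set, adding a name to chroot_list releases that user from the jail rather than adding them to it. The man page warning quoted above is the other half of the story; newer vsftpd releases go further and refuse to jail a user whose home directory is writable ("refusing to run with writable root inside chroot()"), so keep the jailed user's home directory non-writable and give them a writable subdirectory instead.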
[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

listen=YES(whether vsftpd runs as a standalone daemon)

[root@Smoke vsftpd]# ls /etc/xinetd.d/(list the files and subdirectories of /etc/xinetd.d)
chargen-dgram   daytime-dgram   discard-dgram   echo-dgram   eklogin       gssftp  krb5-telnet  rmcp   tcpmux-server  time-dgram
chargen-stream  daytime-stream  discard-stream  echo-stream  ekrb5-telnet  klogin  kshell       rsync  tftp           time-stream
Note: to run it as a transient daemon, just provide a service file for it under /etc/xinetd.d;
[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

pam_service_name=vsftpd(vsftpd is controlled by PAM; this is the name of its PAM configuration file under /etc/pam.d)
userlist_enable=YES(enable the user_list file)

[root@Smoke ~]# ftp 172.16.100.1(connect to the ftp server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): root(user name)
530 Permission denied.
Login failed.
ftp> bye
221 Goodbye.
Note: logging in as root does not even get a password prompt; it is refused outright and authentication fails;
[root@Smoke vsftpd]# pwd(show the current directory)
/etc/vsftpd
[root@Smoke vsftpd]# ls(list the files and subdirectories of the current directory)
chroot_list  ftpusers  user_list  vsftpd.conf  vsftpd.conf.bak  vsftpd_conf_migrate.sh
Note: by default /etc/vsftpd contains a file named ftpusers; every user written in it is forbidden to access ftp;
[root@Smoke vsftpd]# cat ftpusers(show the contents of the ftpusers file)
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
Note: every user written in /etc/vsftpd/ftpusers is forbidden to log in to the ftp service;
[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

pam_service_name=vsftpd(by default vsftpd relies on PAM to authenticate users)

[root@Smoke ~]# cat /etc/pam.d/vsftpd(show the contents of /etc/pam.d/vsftpd)
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required	pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed(sense=deny: the user names listed in ftpusers are denied; onerr=succeed: if the file cannot be read the check passes)
auth       required	pam_shells.so
auth       include	system-auth
account    include	system-auth
session    include	system-auth
session    required     pam_loginuid.so
Note: every user name in /etc/vsftpd/ftpusers is refused, so this file explicitly defines the users forbidden to access the ftp service. Some of those accounts exist only to run the system, and the administrator's password is critical to a system, yet ftp itself is cleartext, the authentication exchange included: if the administrator logs in directly, anyone capturing the traffic obtains the administrator's account and password. That is extremely dangerous and is why root is not allowed to log in to the ftp service;
[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

userlist_enable=YES

[root@Smoke ~]# cd /etc/vsftpd/(change to the /etc/vsftpd directory)
[root@Smoke vsftpd]# ls(list the files and subdirectories of the current directory)
chroot_list  ftpusers  user_list  vsftpd.conf  vsftpd.conf.bak  vsftpd_conf_migrate.sh
[root@Smoke vsftpd]# cat user_list(show the contents of the user_list file)
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
[root@Smoke vsftpd]# vim user_list(edit the user_list file)

:1,$d(delete the entire contents of the file)

[root@Smoke vsftpd]# service vsftpd restart(restart the vsftpd service)
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke vsftpd]# ftp 172.16.100.1(connect to the ftp service)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): root(user)
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.(authentication failed)
ftp> bye(quit)
221 Goodbye.
Note: login still fails. Earlier, logging in as root did not even get a password prompt; that was indeed controlled by the user_list file. But the ftpusers file also controls whether a user may log in, which is why entering the password does not help now: only once user_list is emptied is the decision really left to ftpusers. user_list likewise controls which users can and cannot log in; whether the users written in user_list may log in is decided by userlist_deny;
[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

userlist_enable=YES(when YES the user_list file is enabled and used to control whether a user may log in; by default every user written in it is refused)

userlist_deny=YES(with YES, the default, the users written in user_list are refused; set it to NO if only the users written in user_list should be allowed to log in)

[root@Smoke vsftpd]# vim user_list(edit the user_list file)

hbase

[root@Smoke vsftpd]# !ser(re-run the last command starting with "ser": restart the ftp service)
service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke vsftpd]# ftp 172.16.100.1(connect to the ftp server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): hbase(user)
530 Permission denied.(refused)
Login failed.(authentication failed)
ftp> bye(quit)
221 Goodbye.
[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

userlist_enable=YES
userlist_deny=NO(do not refuse the users in the user_list file)

[root@Smoke vsftpd]# !ser(re-run the last command starting with "ser": restart the ftp service)
service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke vsftpd]# !ftp(re-run the last ftp command: connect to the ftp service)
ftp 172.16.100.1 
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): hbase(user name)
331 Please specify the password.
Password:(password)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd(show the current directory)
257 "/"
ftp> ls(list the files and subdirectories of the current directory)
227 Entering Passive Mode (172,16,100,1,240,82)
150 Here comes the directory listing.
226 Directory send OK.
ftp> bye(quit)
221 Goodbye.
[root@Smoke vsftpd]# ftp 172.16.100.1(connect to the ftp server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): hadoop(user)
530 Permission denied.(login refused)
Login failed.(authentication failed)
ftp> bye(quit)
221 Goodbye.
[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

userlist_enable=YES
userlist_deny=NO(only the users in the user_list file may log in to the ftp service)
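The logins above show two gates in sequence: user_list is evaluated by vsftpd as soon as the USER command arrives (so a refused user never sees a password prompt), while ftpusers is evaluated by pam_listfile only after PASS. As an added example (mine, not from these notes or from vsftpd) the function below models both gates and replays every outcome seen on this page, plus one the page does not show: a user placed in user_list as an allow-list entry is still stopped by ftpusers. The list contents are constructed copies of the distribution defaults:

```shell
#!/bin/sh
# in_list NAME LIST: succeed when NAME is one of the newline-separated LIST entries.
in_list() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# Constructed (shortened) copies of the two list files shown in the notes.
FTPUSERS_DEFAULT='root
bin
daemon
nobody'
USER_LIST_DEFAULT='root
bin
daemon
nobody'

# vsftpd_user_gate USER USERLIST_ENABLE USERLIST_DENY USER_LIST FTPUSERS
# Prints the stage at which the login is stopped:
#   denied-before-password : refused by user_list right after USER (530, no prompt)
#   denied-after-password  : password asked, then pam_listfile refuses via ftpusers
#   password-check         : reaches the normal PAM password check (system-auth)
vsftpd_user_gate() {
    user=$1; enable=$2; deny=$3; ulist=$4; ftpusers=$5
    if [ "$enable" = YES ]; then
        if [ "$deny" = YES ]; then
            # user_list is a deny-list
            in_list "$user" "$ulist" && { echo denied-before-password; return 0; }
        else
            # user_list is an allow-list: anyone not in it is refused
            in_list "$user" "$ulist" || { echo denied-before-password; return 0; }
        fi
    fi
    # /etc/pam.d/vsftpd: pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers
    # runs in the auth stack, i.e. after the client has already sent PASS.
    if in_list "$user" "$ftpusers"; then echo denied-after-password; return 0; fi
    echo password-check
}

# Replay of the notes' experiments when run directly.
echo "root,   default lists:               $(vsftpd_user_gate root YES YES "$USER_LIST_DEFAULT" "$FTPUSERS_DEFAULT")"
echo "root,   user_list emptied:           $(vsftpd_user_gate root YES YES "" "$FTPUSERS_DEFAULT")"
echo "hbase,  user_list=[hbase], deny=YES: $(vsftpd_user_gate hbase YES YES hbase "$FTPUSERS_DEFAULT")"
echo "hbase,  user_list=[hbase], deny=NO:  $(vsftpd_user_gate hbase YES NO hbase "$FTPUSERS_DEFAULT")"
echo "hadoop, user_list=[hbase], deny=NO:  $(vsftpd_user_gate hadoop YES NO hbase "$FTPUSERS_DEFAULT")"
echo "root,   user_list=[root],  deny=NO:  $(vsftpd_user_gate root YES NO root "$FTPUSERS_DEFAULT")"
```

The practical consequence of the two-stage order is that user_list is the cheaper place to block an account (no password ever travels in cleartext), while ftpusers is the safety net that even a careless allow-list cannot override.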

Encrypting ftp with SSL:
[root@Smoke vsftpd]# cd(change to the user's home directory)
[root@Smoke ~]# cd /etc/pki/CA/(change to the /etc/pki/CA directory)
[root@Smoke CA]# mkdir certs newcerts crl(create the certs, newcerts and crl directories)
[root@Smoke CA]# touch index.txt(create the index.txt file)
[root@Smoke CA]# echo 01 > serial(write 01 into the serial file)
[root@Smoke CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)(create a 2048-bit RSA private key with umask 077; -out is the output file)
Generating RSA private key, 2048 bit long modulus
........................................................+++
......+++
e is 65537 (0x10001)
[root@Smoke CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650(generate a self-signed certificate: -new new request, -x509 self-signed, -key the private key, -out the output file, -days the validity period)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
[root@Smoke CA]# mkdir /etc/vsftpd/ssl(create the ssl directory)
[root@Smoke CA]# cd /etc/vsftpd/ssl/(change to the /etc/vsftpd/ssl directory)
[root@Smoke ssl]# (umask 077;openssl genrsa -out vsftpd.key 2048)(generate a 2048-bit RSA private key with umask 077; -out is the key file)
Generating RSA private key, 2048 bit long modulus
................................+++
.......+++
e is 65537 (0x10001)
[root@Smoke ssl]# openssl req  -new -key vsftpd.key -out vsftpd.csr(generate a certificate request: -new new request, -key the private key, -out the request file)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ftp.magedu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@Smoke ssl]# vim /etc/pki/tls/openssl.cnf(edit the openssl configuration file)

dir             = /etc/pki/CA           # Where everything is kept

[root@Smoke ssl]# openssl ca -in vsftpd.csr -out vsftpd.crt(sign the certificate: -in the certificate request, -out the name of the signed certificate)
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 22 06:06:54 2014 GMT
            Not After : Nov 22 06:06:54 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HN
            organizationName          = MageEdu
            organizationalUnitName    = Tech
            commonName                = ftp.magedu.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                AF:BE:BD:FC:B4:85:91:E8:0A:B4:58:4D:8A:B1:C8:22:72:8A:AA:CA
            X509v3 Authority Key Identifier: 
                keyid:2C:59:FE:40:89:F4:39:80:D8:18:9B:C6:75:73:69:C0:15:4E:37:18

Certificate is to be certified until Nov 22 06:06:54 2015 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@Smoke ssl]# cd ..(go up one directory)
[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

# ssl or tls
ssl_enable=YES
ssl_sslv3=YES
ssl_tlsv1=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key

[root@Smoke vsftpd]# service vsftpd restart(restart the vsftpd service)
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke ~]# ftp 172.16.100.1(connect to the ftp server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): ftp(anonymous user)
530 Permission denied.(refused)
Login failed.(authentication failed)
ftp> bye(quit)
[root@Smoke vsftpd]# vim vsftpd.conf(edit the vsftpd.conf configuration file)

pam_service_name=vsftpd
userlist_enable=YES
#userlist_deny=NO(comment out the line that allows only the users in the user_list file to log in)
tcp_wrappers=YES

[root@Smoke vsftpd]# !serv(re-run the last command starting with "serv": restart the ftp server)
service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke ~]# ftp 172.16.100.1(connect to the ftp server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): ftp(anonymous user)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd(show the current directory)
257 "/"
ftp> ls(list the files and subdirectories of the current directory)
227 Entering Passive Mode (172,16,100,1,232,201)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Dec 05  2011 pub
drwxrwxr-x    3 0        0            4096 Nov 22 03:01 upload
226 Directory send OK.
ftp> cd pub(change to the pub directory)
250 Directory successfully changed.
ftp> ls(list the files and subdirectories of the current directory)
227 Entering Passive Mode (172,16,100,1,183,253)
150 Here comes the directory listing.
226 Directory send OK.
ftp> bye(quit)
221 Goodbye.
[root@Smoke ~]# ftp 172.16.100.1(connect to the ftp server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): hadoop
530 Non-anonymous sessions must use encryption.(error: non-anonymous sessions must use encryption)
Login failed.
ftp> bye(quit)
221 Goodbye.
[root@Smoke ~]# openssl s_client -connect 172.16.100.1:21(connect to port 21 of 172.16.100.1 with the openssl s_client)
CONNECTED(00000003)
16605:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:
Note: this failure is expected. Port 21 speaks plain FTP first and only switches to TLS after the client sends AUTH TLS (explicit FTPS), so s_client receives the "220" banner where it expects a TLS ServerHello and reports "unknown protocol". To test the handshake from the command line, use openssl s_client -connect 172.16.100.1:21 -starttls ftp, which performs the AUTH TLS exchange before negotiating TLS;

Test: install the FileZilla client on Windows and log in to host 172.16.100.1 as the anonymous user ftp;

Connecting to the ftp server at 172.16.100.1 as user hadoop with password hadoop fails;

Encryption is mandatory: click File -> Site Manager, create a new site, click OK;

Click Connect; it cannot connect, a problem with the software;

Switch to FlashFXP for the test: click Site -> Site Manager, create a new site, click Connect;

The certificate is sent over; accept and save it;

The connection succeeds;

vsftpd with virtual users:
[root@Smoke vsftpd]# cd(change to the user's home directory)
[root@Smoke ~]# yum -y install mysql-server mysql-devel(install the mysql-server and mysql-devel packages from the yum repository)
[root@Smoke ~]# yum -y groupinstall "Development Libraries" "Development Tools"(install the development library and development tool package groups)
[root@Smoke ~]# lftp 172.16.0.1/pub/Sources(connect to the ftp server)
cd ok, cwd=/pub/Sources
lftp 172.16.0.1:/pub/Sources> cd vsftpd/(change to the vsftpd directory)
lftp 172.16.0.1:/pub/Sources/vsfptd> get pam_mysql-0.7RC1.tar.gz(download the pam_mysql-0.7RC1.tar.gz file)
335240 bytes transferred
lftp 172.16.0.1:/pub/Sources/vsftpd> bye(quit)
[root@Smoke ~]# tar xf pam_mysql-0.7RC1.tar.gz(unpack the pam_mysql archive: x extract, f the archive file)
[root@Smoke ~]# ls(list the files and subdirectories of the current directory)
anaconda-ks.cfg  install.log  install.log.syslog  pam_mysql-0.7RC1  pam_mysql-0.7RC1.tar.gz
[root@Smoke ~]# cd pam_mysql-0.7RC1(change to the pam_mysql-0.7RC1 directory)
[root@Smoke pam_mysql-0.7RC1]# ls(list the files and subdirectories of the current directory)
acinclude.m4  config.guess  configure     CREDITS     ltmain.sh    missing        pam_mysql.c        pkg.m4
aclocal.m4    config.h.in   configure.in  INSTALL     Makefile.am  mkinstalldirs  pam_mysql.spec     README
ChangeLog     config.sub    COPYING       install-sh  Makefile.in  NEWS           pam_mysql.spec.in  stamp-h.in
[root@Smoke pam_mysql-0.7RC1]# ./configure --with-mysql --with-openssl(configure pam_mysql: --with-mysql gives the MySQL install location, searched for automatically here; --with-openssl enables OpenSSL for the communication with MySQL)

configure: error: Cannot locate mysql client library. Please check your mysql installation.(the MySQL client library cannot be found)

[root@Smoke pam_mysql-0.7RC1]# ldconfig -v(rescan the shared library directories)
[root@Smoke ~]# service mysqld start(start the mysql service)
Initializing MySQL database:  WARNING: The host 'Smoke.com' could not be looked up with resolveip.
This probably means that your libc libraries are not 100 % compatible
with this binary MySQL version. The MySQL daemon, mysqld, should work
normally with the exception that host name resolving will not work.
This means that you should use IP addresses instead of hostnames
when specifying MySQL privileges !
Installing MySQL system tables...
141122 18:22:30 [Warning] option 'max_join_size': unsigned value 18446744073709551615 adjusted to 4294967295
141122 18:22:30 [Warning] option 'max_join_size': unsigned value 18446744073709551615 adjusted to 4294967295
OK
Filling help tables...
141122 18:22:31 [Warning] option 'max_join_size': unsigned value 18446744073709551615 adjusted to 4294967295
141122 18:22:31 [Warning] option 'max_join_size': unsigned value 18446744073709551615 adjusted to 4294967295
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h Smoke.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

The latest information about MySQL is available on the web at
http://www.mysql.com
Support MySQL by buying support/licenses at http://shop.mysql.com
                                                           [  OK  ]
Starting MySQL:                                            [  OK  ]
[root@Smoke ~]# rpm -ql mysql-devel(list the files installed by mysql-devel)
/usr/include/mysql
/usr/include/mysql/chardefs.h
/usr/include/mysql/decimal.h
/usr/include/mysql/errmsg.h
/usr/include/mysql/history.h
/usr/include/mysql/keycache.h
/usr/include/mysql/keymaps.h
/usr/include/mysql/m_ctype.h
/usr/include/mysql/m_string.h
/usr/include/mysql/my_alloc.h
/usr/include/mysql/my_attribute.h
/usr/include/mysql/my_config.h
/usr/include/mysql/my_config_i386.h
/usr/include/mysql/my_dbug.h
/usr/include/mysql/my_dir.h
/usr/include/mysql/my_getopt.h
/usr/include/mysql/my_global.h
/usr/include/mysql/my_list.h
/usr/include/mysql/my_net.h
/usr/include/mysql/my_no_pthread.h
/usr/include/mysql/my_pthread.h
/usr/include/mysql/my_sys.h
/usr/include/mysql/my_xml.h
/usr/include/mysql/mysql.h
/usr/include/mysql/mysql_com.h
/usr/include/mysql/mysql_embed.h
/usr/include/mysql/mysql_time.h
/usr/include/mysql/mysql_version.h
/usr/include/mysql/mysqld_ername.h
/usr/include/mysql/mysqld_error.h
/usr/include/mysql/raid.h
/usr/include/mysql/readline.h
/usr/include/mysql/rlmbutil.h
/usr/include/mysql/rlprivate.h
/usr/include/mysql/rlshell.h
/usr/include/mysql/rltypedefs.h
/usr/include/mysql/sql_common.h
/usr/include/mysql/sql_state.h
/usr/include/mysql/sslopt-case.h
/usr/include/mysql/sslopt-longopts.h
/usr/include/mysql/sslopt-vars.h
/usr/include/mysql/tilde.h
/usr/include/mysql/typelib.h
/usr/include/mysql/xmalloc.h
/usr/lib/mysql/libdbug.a
/usr/lib/mysql/libheap.a
/usr/lib/mysql/libmyisam.a
/usr/lib/mysql/libmyisammrg.a
/usr/lib/mysql/libmysqlclient.a
/usr/lib/mysql/libmysqlclient.so
/usr/lib/mysql/libmysqlclient_r.a
/usr/lib/mysql/libmysqlclient_r.so
/usr/lib/mysql/libmystrings.a
/usr/lib/mysql/libmysys.a
/usr/lib/mysql/libvio.a
[root@Smoke ~]# rpm -q mysql(check whether the mysql package is installed)
mysql-5.0.77-4.el5_6.6
[root@Smoke ~]# rpm -ql mysql(list the files installed by mysql)
/etc/ld.so.conf.d/mysql-i386.conf
/etc/my.cnf
/usr/bin/msql2mysql
/usr/bin/my_print_defaults
/usr/bin/mysql
/usr/bin/mysql_config
/usr/bin/mysql_find_rows
/usr/bin/mysql_tableinfo
/usr/bin/mysql_waitpid
/usr/bin/mysqlaccess
/usr/bin/mysqladmin
/usr/bin/mysqlbinlog
/usr/bin/mysqlcheck
/usr/bin/mysqldump
/usr/bin/mysqlimport
/usr/bin/mysqlshow
/usr/lib/mysql
/usr/lib/mysql/libmysqlclient.so.15
/usr/lib/mysql/libmysqlclient.so.15.0.0
/usr/lib/mysql/libmysqlclient_r.so.15
/usr/lib/mysql/libmysqlclient_r.so.15.0.0
/usr/lib/mysql/mysql_config
/usr/lib/mysql/mysqlbug
/usr/share/doc/mysql-5.0.77
/usr/share/doc/mysql-5.0.77/COPYING
/usr/share/doc/mysql-5.0.77/EXCEPTIONS-CLIENT
/usr/share/doc/mysql-5.0.77/README
/usr/share/info/mysql.info.gz
/usr/share/man/man1/my_print_defaults.1.gz
/usr/share/man/man1/mysql.1.gz
/usr/share/man/man1/mysql_config.1.gz
/usr/share/man/man1/mysql_find_rows.1.gz
/usr/share/man/man1/mysql_tableinfo.1.gz
/usr/share/man/man1/mysql_waitpid.1.gz
/usr/share/man/man1/mysqlaccess.1.gz
/usr/share/man/man1/mysqladmin.1.gz
/usr/share/man/man1/mysqldump.1.gz
/usr/share/man/man1/mysqlshow.1.gz
/usr/share/mysql
/usr/share/mysql/charsets
/usr/share/mysql/charsets/Index.xml
/usr/share/mysql/charsets/README
/usr/share/mysql/charsets/armscii8.xml
/usr/share/mysql/charsets/ascii.xml
/usr/share/mysql/charsets/cp1250.xml
/usr/share/mysql/charsets/cp1251.xml
/usr/share/mysql/charsets/cp1256.xml
/usr/share/mysql/charsets/cp1257.xml
/usr/share/mysql/charsets/cp850.xml
/usr/share/mysql/charsets/cp852.xml
/usr/share/mysql/charsets/cp866.xml
/usr/share/mysql/charsets/dec8.xml
/usr/share/mysql/charsets/geostd8.xml
/usr/share/mysql/charsets/greek.xml
/usr/share/mysql/charsets/hebrew.xml
/usr/share/mysql/charsets/hp8.xml
/usr/share/mysql/charsets/keybcs2.xml
/usr/share/mysql/charsets/koi8r.xml
/usr/share/mysql/charsets/koi8u.xml
/usr/share/mysql/charsets/latin1.xml
/usr/share/mysql/charsets/latin2.xml
/usr/share/mysql/charsets/latin5.xml
/usr/share/mysql/charsets/latin7.xml
/usr/share/mysql/charsets/macce.xml
/usr/share/mysql/charsets/macroman.xml
/usr/share/mysql/charsets/swe7.xml
/usr/share/mysql/czech
/usr/share/mysql/czech/errmsg.sys
/usr/share/mysql/danish
/usr/share/mysql/danish/errmsg.sys
/usr/share/mysql/dutch
/usr/share/mysql/dutch/errmsg.sys
/usr/share/mysql/english
/usr/share/mysql/english/errmsg.sys
/usr/share/mysql/estonian
/usr/share/mysql/estonian/errmsg.sys
/usr/share/mysql/french
/usr/share/mysql/french/errmsg.sys
/usr/share/mysql/german
/usr/share/mysql/german/errmsg.sys
/usr/share/mysql/greek
/usr/share/mysql/greek/errmsg.sys
/usr/share/mysql/hungarian
/usr/share/mysql/hungarian/errmsg.sys
/usr/share/mysql/italian
/usr/share/mysql/italian/errmsg.sys
/usr/share/mysql/japanese
/usr/share/mysql/japanese/errmsg.sys
/usr/share/mysql/korean
/usr/share/mysql/korean/errmsg.sys
/usr/share/mysql/norwegian
/usr/share/mysql/norwegian-ny
/usr/share/mysql/norwegian-ny/errmsg.sys
/usr/share/mysql/norwegian/errmsg.sys
/usr/share/mysql/polish
/usr/share/mysql/polish/errmsg.sys
/usr/share/mysql/portuguese
/usr/share/mysql/portuguese/errmsg.sys
/usr/share/mysql/romanian
/usr/share/mysql/romanian/errmsg.sys
/usr/share/mysql/russian
/usr/share/mysql/russian/errmsg.sys
/usr/share/mysql/serbian
/usr/share/mysql/serbian/errmsg.sys
/usr/share/mysql/slovak
/usr/share/mysql/slovak/errmsg.sys
/usr/share/mysql/spanish
/usr/share/mysql/spanish/errmsg.sys
/usr/share/mysql/swedish
/usr/share/mysql/swedish/errmsg.sys
/usr/share/mysql/ukrainian
/usr/share/mysql/ukrainian/errmsg.sys
[root@Smoke pam_mysql-0.7RC1]# ./configure --with-mysql --with-openssl(configure pam_mysql; --with-mysql names the MySQL install location, here left to auto-detection; --with-openssl enables OpenSSL for the connection to MySQL)

configure: error: Cannot locate mysql client library. Please check your mysql installation.(the MySQL client library could not be found)
[root@Smoke pam_mysql-0.7RC1]# ./configure --with-mysql=/usr --with-openssl(configure pam_mysql; --with-mysql names the MySQL install location explicitly, --with-openssl enables OpenSSL for the connection to MySQL)
[root@Smoke pam_mysql-0.7RC1]# make(compile)
[root@Smoke pam_mysql-0.7RC1]# ls(list files and subdirectories in the current directory)
acinclude.m4  config.h       config.sub    CREDITS     ltmain.sh    missing        pam_mysql.la       pkg.m4
aclocal.m4    config.h.in    configure     INSTALL     Makefile     mkinstalldirs  pam_mysql.lo       README
ChangeLog     config.log     configure.in  install-sh  Makefile.am  NEWS           pam_mysql.spec     stamp-h
config.guess  config.status  COPYING       libtool     Makefile.in  pam_mysql.c    pam_mysql.spec.in  stamp-h.in
Note: once make finishes, the module file has already been built in the current directory;
[root@Smoke pam_mysql-0.7RC1]# make install(install)
make[1]: Entering directory `/root/pam_mysql-0.7RC1'
/bin/sh ./mkinstalldirs /usr/lib/security
/bin/sh ./libtool  --mode=install /usr/bin/install -c pam_mysql.la /usr/lib/security/pam_mysql.la(static library)
/usr/bin/install -c .libs/pam_mysql.so /usr/lib/security/pam_mysql.so(shared library)
/usr/bin/install -c .libs/pam_mysql.lai /usr/lib/security/pam_mysql.la
PATH="$PATH:/sbin" ldconfig -n /usr/lib/security
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/lib/security

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
make[1]: Nothing to be done for `install-data-am'.
make[1]: Leaving directory `/root/pam_mysql-0.7RC1'
[root@Smoke pam_mysql-0.7RC1]# ls /lib/security/(list the contents of /lib/security)
pam_access.so     pam_filter      pam_limits.so     pam_pkcs11.so       pam_smbpass.so     pam_unix_auth.so
pam_ccreds.so     pam_filter.so   pam_listfile.so   pam_postgresok.so   pam_stack.so       pam_unix_passwd.so
pam_chroot.so     pam_ftp.so      pam_localuser.so  pam_pwhistory.so    pam_stress.so      pam_unix_session.so
pam_console.so    pam_group.so    pam_loginuid.so   pam_rhosts_auth.so  pam_succeed_if.so  pam_unix.so
pam_cracklib.so   pam_issue.so    pam_mail.so       pam_rhosts.so       pam_tally2.so      pam_userdb.so
pam_debug.so      pam_keyinit.so  pam_mkhomedir.so  pam_rootok.so       pam_tally.so       pam_warn.so
pam_deny.so       pam_krb5        pam_motd.so       pam_rps.so          pam_time.so        pam_wheel.so
pam_echo.so       pam_krb5afs.so  pam_namespace.so  pam_securetty.so    pam_timestamp.so   pam_winbind.so
pam_env.so        pam_krb5.so     pam_nologin.so    pam_selinux.so      pam_tty_audit.so   pam_xauth.so
pam_exec.so       pam_lastlog.so  pam_passwdqc.so   pam_shells.so       pam_umask.so
pam_faildelay.so  pam_ldap.so     pam_permit.so     pam_smb_auth.so     pam_unix_acct.so
Note: pam_mysql.so was not installed into the /lib/security directory;
[root@Smoke pam_mysql-0.7RC1]# ls /usr/lib/security/(list the contents of /usr/lib/security)
classpath.security  pam_mysql.la  pam_mysql.so
[root@Smoke pam_mysql-0.7RC1]# cp /usr/lib/security/pam_mysql.so /lib/security/(copy pam_mysql.so into /lib/security)
[root@Smoke pam_mysql-0.7RC1]# mysql(connect to the MySQL database)
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> CREATE DATABASE vsftpd;(create the database vsftpd)
Query OK, 1 row affected (0.00 sec)

mysql> USE vsftpd;(switch to the database vsftpd)
Database changed
mysql> CREATE TABLE users ( (create the table users)
    -> id SMALLINT AUTO_INCREMENT NOT NULL,(first column id, small integer; AUTO_INCREMENT assigns ids automatically, NOT NULL disallows empty values)
    -> name CHAR(20) BINARY NOT NULL,(second column name, 20-character string; BINARY makes it case-sensitive, NOT NULL disallows empty values)
    -> password CHAR(48) BINARY NOT NULL,(third column password, 48-character string; BINARY makes it case-sensitive, NOT NULL disallows empty values)
    -> PRIMARY key(id))(the primary key is id)
    -> ;
Query OK, 0 rows affected (0.01 sec)

mysql> DESC users;(describe the users table)
+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
| id       | smallint(6) | NO   | PRI | NULL    | auto_increment | 
| name     | char(20)    | NO   |     | NULL    |                | 
| password | char(48)    | NO   |     | NULL    |                | 
+----------+-------------+------+-----+---------+----------------+
3 rows in set (0.00 sec)

mysql> GRANT SELECT ON vsftpd.* TO vsftpd@localhost IDENTIFIED BY 'vsftpd';(grant user vsftpd, connecting locally, SELECT-only access to all tables of database vsftpd, with password vsftpd)
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT SELECT ON vsftpd.* TO vsftpd@127.0.0.1 IDENTIFIED BY 'vsftpd';(the same grant for user vsftpd connecting via 127.0.0.1: SELECT-only on all tables of database vsftpd, password vsftpd)
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;(reload the grant tables)
Query OK, 0 rows affected (0.00 sec)

mysql> INSERT INTO users (name,password) VALUE ('tom',password('redhat')),('jerry',password('redhat')); (insert two users: tom/redhat and jerry/redhat into the name and password columns of users, storing the passwords in encrypted form)
Query OK, 2 rows affected (0.00 sec)
Records: 2  Duplicates: 0  Warnings: 0
mysql> SELECT * FROM users;(show the contents of the users table)
+----+-------+------------------+
| id | name  | password         |
+----+-------+------------------+
|  1 | tom   | 27c30f0241a5b69f | 
|  2 | jerry | 27c30f0241a5b69f | 
+----+-------+------------------+
2 rows in set (0.00 sec)
Note: the passwords are stored in encrypted form, but users with the same password get the same stored string, because no salt is added;

mysql> \q(quit)
Bye

[root@Smoke pam_mysql-0.7RC1]# mysql -uvsftpd -p(connect to MySQL as vsftpd; -u user name, -p prompt for the password)
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> SHOW DATABASES;(list the databases)
+--------------------+
| Database           |
+--------------------+
| information_schema | 
| test               | 
| vsftpd             | 
+--------------------+
3 rows in set (0.00 sec)

mysql> USE vsftpd;(switch to the database vsftpd)
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> SHOW TABLES;(list the tables in the vsftpd database)
+------------------+
| Tables_in_vsftpd |
+------------------+
| users            | 
+------------------+
1 row in set (0.00 sec)

mysql> SELECT * FROM users;(query the columns of the users table)
+----+-------+------------------+
| id | name  | password         |
+----+-------+------------------+
|  1 | tom   | 27c30f0241a5b69f | 
|  2 | jerry | 27c30f0241a5b69f | 
+----+-------+------------------+
2 rows in set (0.00 sec)

mysql> \q(quit)
Bye

[root@Smoke pam_mysql-0.7RC1]# cd(change to the home directory)
[root@Smoke ~]# vim /etc/pam.d/vsftpd.mysql(edit the vsftpd.mysql file)

auth required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=locaohost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2

Note: the account line reads host=locaohost, a typo; the secure log below reports it as an unknown MySQL server host.

[root@Smoke ~]# useradd -s /sbin/nologin -d /var/ftproot vuser(add user vuser; -s sets the login shell, here one that denies login, -d sets the home directory)
[root@Smoke ~]# ls -ld /var/ftproot/(show details of the /var/ftproot directory itself; -l long listing, -d the directory rather than its contents)
drwx------ 3 vuser vuser 4096 Nov 22 19:22 /var/ftproot/
[root@Smoke ~]# chmod go+rx /var/ftproot/(give group and others read and execute permission on ftproot)
[root@Smoke ~]# ls -ld /var/ftproot/(show details of the /var/ftproot directory itself; -l long listing, -d the directory rather than its contents)
drwxr-xr-x 3 vuser vuser 4096 Nov 22 19:22 /var/ftproot/
[root@Smoke ~]# vim /etc/vsftpd/vsftpd.conf(edit the vsftpd.conf configuration file)

pam_service_name=vsftpd.mysql

# ssl or tls
ssl_enable=YES
ssl_sslv3=YES
ssl_tlsv1=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key

guest_enable=YES(enable guest users)
guest_username=vuser(map guest logins to the local user vuser)

[root@Smoke ~]# service vsftpd restart(restart the vsftpd service)
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke ~]# ftp 172.16.100.1(connect to the FTP server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): vuser(user name)
331 Please specify the password.
Password:(empty password)
530 Login incorrect.
Login failed.(authentication failed)
ftp> bye
221 Goodbye.
[root@Smoke ~]# service vsftpd restart(restart the vsftpd service)
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke ~]# ftp 172.16.100.1(connect to the FTP server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): tom(user name)
331 Please specify the password.
Password:(password)
530 Login incorrect.
Login failed.(authentication failed)
ftp> 
[root@Smoke ~]# mysql(connect to the MySQL server)
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> \q(quit)
Bye
[root@Smoke ~]# tail /var/log/secure(show the last 10 lines of the secure log)
Nov 22 18:15:59 localhost sshd[17710]: Accepted password for root from 172.16.100.254 port 2998 ssh2
Nov 22 18:16:00 localhost sshd[17710]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 22 18:16:00 localhost sshd[17710]: subsystem request for sftp
Nov 22 18:16:05 localhost sshd[17710]: subsystem request for sftp
Nov 22 18:16:07 localhost sshd[17710]: pam_unix(sshd:session): session closed for user root
Nov 22 19:22:55 localhost useradd[927]: new group: name=vuser, GID=504
Nov 22 19:22:55 localhost useradd[927]: new user: name=vuser, UID=504, GID=504, home=/var/ftproot, shell=/sbin/nologin
Nov 22 19:29:38 localhost vsftpd: pam_mysql - MySQL error (Unknown MySQL server host 'locaohost' (2)) 
Nov 22 19:31:18 localhost vsftpd: pam_mysql - MySQL error (Unknown MySQL server host 'locaohost' (2)) 
Nov 22 19:39:24 localhost vsftpd: pam_mysql - SELECT returned no result.(the SELECT statement did not succeed)
[root@Smoke vsftpd]# cd /etc/pam.d/(change to the /etc/pam.d directory)
[root@Smoke pam.d]# ls(list files and subdirectories in the current directory)
atd               gdm                passwd             runuser-l                 system-auth-ac                system-config-securitylevel
authconfig        gdm-autologin      pirut              sabayon                   system-cdinstall-helper       system-config-selinux
authconfig-gtk    gdmsetup           pm-hibernate       serviceconf               system-config-authentication  system-config-services
authconfig-tui    gnome-screensaver  pm-powersave       setup                     system-config-date            system-config-soundcard
chfn              gnome-system-log   pm-suspend         smtp                      system-config-display         system-config-time
chsh              gssftp             pm-suspend-hybrid  smtp.sendmail             system-config-kdump           system-config-users
config-util       halt               poweroff           sshd                      system-config-keyboard        system-install-packages
cpufreq-selector  kbdrate            ppp                su                        system-config-language        vsftpd
crond             kshell             pup                subscription-manager      system-config-lvm             vsftpd.mysql
cups              ksu                reboot             subscription-manager-gui  system-config-netboot         xserver
cvs               login              remote             sudo                      system-config-network
dateconfig        neat               rhn_register       sudo-i                    system-config-network-cmd
eject             newrole            run_init           su-l                      system-config-printer
ekshell           other              runuser            system-auth               system-config-rootpassword
[root@Smoke pam.d]# vim vsftpd.mysql(edit the vsftpd.mysql file)
[root@Smoke pam.d]# mysql(connect to the MySQL server)
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> USE vsftpd(switch to the database vsftpd)
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from users WHERE name='tom';(query the users table for the row whose name is tom)
+----+------+------------------+
| id | name | password         |
+----+------+------------------+
|  1 | tom  | 27c30f0241a5b69f | 
+----+------+------------------+
1 row in set (0.00 sec)

mysql> DESC users;(describe the users table)
+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
| id       | smallint(6) | NO   | PRI | NULL    | auto_increment | 
| name     | char(20)    | NO   |     | NULL    |                | 
| password | char(48)    | NO   |     | NULL    |                | 
+----------+-------------+------+-----+---------+----------------+
3 rows in set (0.00 sec)

mysql> \q(quit)
Bye

[root@Smoke pam.d]# vim vsftpd.mysql(edit the vsftpd.mysql file)
[root@Smoke pam.d]# ftp 172.16.100.1(connect to the FTP server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): jerry(user name)
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.(authentication failed)
ftp> bye(quit)
221 Goodbye.
[root@Smoke pam.d]# tail /var/log/messages(show the last 10 lines of the messages log)
Nov 22 19:40:47 localhost kernel: FAT: Directory bread(block 16387) failed
Nov 22 19:40:47 localhost kernel: scsi 31:0:0:0: rejecting I/O to dead device
Nov 22 19:40:47 localhost kernel: FAT: Directory bread(block 16388) failed
Nov 22 19:40:47 localhost kernel: scsi 31:0:0:0: rejecting I/O to dead device
Nov 22 19:40:47 localhost kernel: FAT: Directory bread(block 16389) failed
Nov 22 19:40:47 localhost kernel: scsi 31:0:0:0: rejecting I/O to dead device
Nov 22 19:40:47 localhost kernel: FAT: Directory bread(block 16390) failed
Nov 22 19:40:47 localhost kernel: scsi 31:0:0:0: rejecting I/O to dead device
Nov 22 19:40:47 localhost kernel: FAT: Directory bread(block 16391) failed
Nov 22 19:48:47 localhost setroubleshoot: SELinux is preventing vsftpd (ftpd_t) "search" to ./mysql (mysqld_db_t). For complete SELinux messages. run sealert -l 1637e107-e1b3-454a-ae31-146fcd146a8b
[root@Smoke pam.d]# tail /var/log/secure(show the last 10 lines of the secure log)
Nov 22 19:40:22 localhost sshd[17498]: Received disconnect from 172.16.100.254: 0: 
Nov 22 19:40:22 localhost sshd[17498]: pam_unix(sshd:session): session closed for user root
Nov 22 19:40:27 localhost sshd[17568]: Received disconnect from 172.16.100.254: 0: 
Nov 22 19:40:27 localhost sshd[17568]: pam_unix(sshd:session): session closed for user root
Nov 22 19:41:25 localhost sshd[1279]: Accepted password for root from 172.16.100.254 port 1444 ssh2
Nov 22 19:41:25 localhost sshd[1279]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 22 19:42:11 localhost sshd[1310]: Accepted password for root from 172.16.100.254 port 1477 ssh2
Nov 22 19:42:11 localhost sshd[1310]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 22 19:42:13 localhost sshd[1341]: Accepted password for root from 172.16.100.254 port 1478 ssh2
Nov 22 19:42:13 localhost sshd[1341]: pam_unix(sshd:session): session opened for user root by (uid=0)
[root@Smoke pam.d]# date(show the system time)
Sat Nov 22 19:51:07 CST 2014
[root@Smoke pam.d]# service vsftpd restart(restart the vsftpd service)
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke pam.d]# tail /var/log/secure(show the last 10 lines of the secure log)
Nov 22 19:40:22 localhost sshd[17498]: Received disconnect from 172.16.100.254: 0: 
Nov 22 19:40:22 localhost sshd[17498]: pam_unix(sshd:session): session closed for user root
Nov 22 19:40:27 localhost sshd[17568]: Received disconnect from 172.16.100.254: 0: 
Nov 22 19:40:27 localhost sshd[17568]: pam_unix(sshd:session): session closed for user root
Nov 22 19:41:25 localhost sshd[1279]: Accepted password for root from 172.16.100.254 port 1444 ssh2
Nov 22 19:41:25 localhost sshd[1279]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 22 19:42:11 localhost sshd[1310]: Accepted password for root from 172.16.100.254 port 1477 ssh2
Nov 22 19:42:11 localhost sshd[1310]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 22 19:42:13 localhost sshd[1341]: Accepted password for root from 172.16.100.254 port 1478 ssh2
Nov 22 19:42:13 localhost sshd[1341]: pam_unix(sshd:session): session opened for user root by (uid=0)
[root@Smoke ~]# vim /etc/pam.d/vsftpd.mysql(edit the vsftpd.mysql file)

auth required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0
account required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0

Note: crypt is changed to 0, and the host on the account line is now the correct localhost;
[root@Smoke ~]# cd pam_mysql-0.7RC1(change to pam_mysql-0.7RC1)
[root@Smoke pam_mysql-0.7RC1]# ls(list files and subdirectories in the current directory)
acinclude.m4  config.h       config.sub    CREDITS     ltmain.sh    missing        pam_mysql.la       pkg.m4
aclocal.m4    config.h.in    configure     INSTALL     Makefile     mkinstalldirs  pam_mysql.lo       README
ChangeLog     config.log     configure.in  install-sh  Makefile.am  NEWS           pam_mysql.spec     stamp-h
config.guess  config.status  COPYING       libtool     Makefile.in  pam_mysql.c    pam_mysql.spec.in  stamp-h.in
Note: the README file describes what each crypt value means;
[root@Smoke pam_mysql-0.7RC1]# less README(page through the README file)

crypt (plain)

    The method to encrypt the user's password:

       0 (or "plain") = No encryption.  Passwords stored in plaintext.
                        HIGHLY DISCOURAGED.(the password sits in MySQL as plain text, with no encryption at all)

       1 (or "Y")     = Use crypt(3) function.

       2 (or "mysql") = Use MySQL PASSWORD() function. It is possible
                        that the encryption function used by PAM-MySQL
                        is different from that of the MySQL server, as
                        PAM-MySQL uses the function defined in MySQL's
                        C-client API instead of using PASSWORD() SQL function
                        in the query.(the password is stored using the PASSWORD() function, but the function PAM-MySQL uses is not the same as MySQL's own PASSWORD() function and does not fully match it, so a string MySQL encrypted may not be verifiable by pam-mysql, because the two PASSWORD() functions differ)
                        
       3 (or "md5")   = Use plain hex MD5.

       4 (or "sha1")  = Use plain hex SHA1.

[root@Smoke pam_mysql-0.7RC1]# cd(change to the home directory)
[root@Smoke ~]# vim /etc/pam.d/vsftpd.mysql(edit the vsftpd.mysql file)

auth required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0
account required /lib/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0

[root@Smoke ~]# mysql(connect to the MySQL server)
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> USE vsftpd(enter the vsftpd database)
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> INSERT INTO users (name,password) VALUE ('tony','redhat'),('peter','redhat');(insert users tony and peter into the name and password columns of users, with password redhat)
Query OK, 2 rows affected (0.00 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql> \q(quit)
Bye
[root@Smoke ~]# service vsftpd restart(restart the vsftpd service)
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke ~]# ftp 172.16.100.1(connect to the FTP server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): tony(user name)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd(show the current remote directory)
257 "/"
ftp> ls(list files and subdirectories in the current directory)
227 Entering Passive Mode (172,16,100,1,164,92)
150 Here comes the directory listing.
226 Directory send OK.
ftp> bye(quit)
221 Goodbye.
[root@Smoke ~]# cp /etc/fstab /var/ftproot/(copy the fstab file into /var/ftproot)
[root@Smoke ~]# ftp 172.16.100.1(connect to the FTP server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): tony(user name)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls(list files and subdirectories in the current directory)
227 Entering Passive Mode (172,16,100,1,95,237)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             532 Nov 22 12:20 fstab
226 Directory send OK.
ftp> lcd /tmp(change the local directory to /tmp)
Local directory now /tmp
ftp> get fstab(download the fstab file)
local: fstab remote: fstab
227 Entering Passive Mode (172,16,100,1,131,82)
150 Opening BINARY mode data connection for fstab (532 bytes).
226 File send OK.
532 bytes received in 0.00022 seconds (2.3e+03 Kbytes/s)
ftp> lcd /etc(change the local directory to /etc)
Local directory now /etc
ftp> put issue(upload the issue file)
local: issue remote: issue
227 Entering Passive Mode (172,16,100,1,77,156)
150 Ok to send data.
226 File receive OK.
74 bytes sent in 0.044 seconds (1.6 Kbytes/s)
ftp> bye(quit)
221 Goodbye.
[root@Smoke ~]# vim /etc/vsftpd/vsftpd.conf(edit the vsftpd.conf configuration file)

#anon_upload_enable=YES(allow anonymous users to upload files)

#anon_mkdir_write_enable=YES
#anon_other_write_enable=YES

Note: the directives that govern virtual users are the anonymous-user (anon_*) directives;
[root@Smoke ~]# service vsftpd restart(restart the vsftpd service)
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke ~]# !ftp(re-run the last ftp command: connect to the FTP server)
ftp 172.16.100.1
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): tony(user name)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc(change the local directory to /etc)
Local directory now /etc
ftp> put inittab(upload the inittab file)
local: inittab remote: inittab
227 Entering Passive Mode (172,16,100,1,179,9)
550 Permission denied.(rejected)
ftp> bye(quit)
221 Goodbye.
[root@Smoke ~]# ftp 172.16.100.1(connect to the FTP server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): peter(user name)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc(change the local directory to /etc)
Local directory now /etc
ftp> put inittab(upload the inittab file)
local: inittab remote: inittab
227 Entering Passive Mode (172,16,100,1,37,64)
550 Permission denied.(rejected)
ftp> bye(quit)
221 Goodbye.
Note: all virtual users are mapped onto the same local user, vuser, so once anonymous uploads are disabled no virtual user can upload. Can different virtual users be given different settings, say tony cannot upload or download while peter can? Not through the mapping: every virtual user must map to the same account, because guest_enable takes a single guest_username and the directive cannot be given several times, so there is no way to build a one-to-one mapping. They can, however, be given different permissions;
[root@Smoke ~]# vim /etc/vsftpd/vsftpd.conf(edit the vsftpd.conf configuration file)

user_config_dir=/etc/vsftpd/vusers

[root@Smoke ~]# mkdir /etc/vsftpd/vusers(create the vusers directory)
[root@Smoke ~]# cd !$(change to the /etc/vsftpd/vusers directory; !$ expands to the last argument of the previous command)
cd /etc/vsftpd/vusers
[root@Smoke vusers]# touch tony peter(create the files tony and peter)
[root@Smoke vusers]# vim tony(edit the tony file)

anon_upload_enable=NO(uploads not allowed)

[root@Smoke vusers]# vim peter(edit the peter file)

anon_upload_enable=YES(uploads allowed)
anon_mkdir_write_enable=YES(creating directories allowed)
anon_other_write_enable=YES(deleting files allowed)

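The override rule the tony and peter files demonstrate, as an added example (not part of the page and not vsftpd's own code): vsftpd reads vsftpd.conf, then, after login, the file named after the user under user_config_dir, and the per-user settings win. The three file contents below are constructed inline to match the page; the key=value parser is the example's own, and the defaults table covers only the directives it reasons about.

```python
"""Added example, not from the page and not vsftpd's own code.

Merges vsftpd's global configuration with a per-user file from
user_config_dir to show the effective write permissions of each virtual
user. File contents are constructed to mirror the page; the parser and the
defaults table are this example's, not vsftpd's.
"""

# Constructed to match the global vsftpd.conf lines shown on the page.
GLOBAL_CONF = """\
pam_service_name=vsftpd.mysql
guest_enable=YES
guest_username=vuser
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
#anon_other_write_enable=YES
user_config_dir=/etc/vsftpd/vusers
"""

# Constructed to match /etc/vsftpd/vusers/tony and /etc/vsftpd/vusers/peter.
USER_CONFS = {
    "tony": "anon_upload_enable=NO\n",
    "peter": ("anon_upload_enable=YES\n"
              "anon_mkdir_write_enable=YES\n"
              "anon_other_write_enable=YES\n"),
}

# vsftpd's documented defaults for the write directives that govern guests.
DEFAULTS = {
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
}
WRITE_DIRECTIVES = tuple(DEFAULTS)


def parse_conf(text):
    """Parse key=value lines. '#' lines and blanks are ignored, so the
    commented-out anon_* lines in the global file contribute nothing."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def effective_settings(user):
    """Defaults, then the global file, then the user's own file if one exists."""
    merged = dict(DEFAULTS)
    merged.update(parse_conf(GLOBAL_CONF))
    merged.update(parse_conf(USER_CONFS.get(user, "")))
    return merged


def is_yes(value):
    # The example normalises case; vsftpd's own boolean parsing is not reproduced.
    return value.strip().upper() == "YES"


def can_upload(user):
    return is_yes(effective_settings(user)["anon_upload_enable"])


def write_capable_users(users):
    """Audit helper: which virtual users end up with any write ability,
    and through which directives."""
    result = {}
    for user in users:
        eff = effective_settings(user)
        granted = [d for d in WRITE_DIRECTIVES if is_yes(eff[d])]
        if granted:
            result[user] = granted
    return result


if __name__ == "__main__":
    for name in ("tom", "jerry", "tony", "peter"):
        print(name, "can upload" if can_upload(name) else "cannot upload")
    print(write_capable_users(["tom", "jerry", "tony", "peter"]))
```

A user with no file under user_config_dir, such as tom or jerry above, silently inherits the global policy, so the audit helper is worth running against the full list of names in the users table rather than only the ones that were given a file.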
[root@Smoke vusers]# service vsftpd restart(restart the vsftpd service)
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@Smoke vusers]# ftp 172.16.100.1(connect to the FTP server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): tony(user name)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc(change the local directory to /etc)
Local directory now /etc
ftp> put inittab(upload the inittab file)
local: inittab remote: inittab
227 Entering Passive Mode (172,16,100,1,189,97)
550 Permission denied.
ftp> bye(quit)
221 Goodbye.
[root@Smoke vusers]# ftp 172.16.100.1(connect to the FTP server)
Connected to 172.16.100.1.
220 (vsFTPd 2.0.5)
504 Unknown AUTH type.
504 Unknown AUTH type.
KERBEROS_V4 rejected as an authentication type
Name (172.16.100.1:root): peter(user name)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc(change the local directory to /etc)
Local directory now /etc
ftp> put inittab(upload the inittab file)
local: inittab remote: inittab
227 Entering Passive Mode (172,16,100,1,176,183)
150 Ok to send data.
226 File receive OK.
1666 bytes sent in 0.036 seconds (46 Kbytes/s)
ftp> ls(list files and subdirectories in the current directory)
227 Entering Passive Mode (172,16,100,1,177,79)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             532 Nov 22 12:20 fstab
-rw-------    1 504      504          1666 Nov 22 12:48 inittab
-rw-------    1 504      504            74 Nov 22 12:21 issue
226 Directory send OK.
ftp> bye(quit)
221 Goodbye.
Note: storing the users' passwords in MySQL in encrypted form is the better practice; otherwise anyone who can run a few queries obtains every password. Plain text is used here only because pam_mysql and MySQL's PASSWORD() function do not match, and even so other encryption mechanisms remain available;
[root@Smoke vusers]# cd(change to the home directory)
[root@Smoke ~]# cd pam_mysql-0.7RC1
[root@Smoke pam_mysql-0.7RC1]# ls(list files and subdirectories in the current directory)
acinclude.m4  config.h       config.sub    CREDITS     ltmain.sh    missing        pam_mysql.la       pkg.m4
aclocal.m4    config.h.in    configure     INSTALL     Makefile     mkinstalldirs  pam_mysql.lo       README
ChangeLog     config.log     configure.in  install-sh  Makefile.am  NEWS           pam_mysql.spec     stamp-h
config.guess  config.status  COPYING       libtool     Makefile.in  pam_mysql.c    pam_mysql.spec.in  stamp-h.in
[root@Smoke pam_mysql-0.7RC1]# less README(page through the README file)

crypt (plain)

    The method to encrypt the user's password:

       0 (or "plain") = No encryption.  Passwords stored in plaintext.
                        HIGHLY DISCOURAGED.

       1 (or "Y")     = Use crypt(3) function.

       2 (or "mysql") = Use MySQL PASSWORD() function. It is possible
                        that the encryption function used by PAM-MySQL
                        is different from that of the MySQL server, as
                        PAM-MySQL uses the function defined in MySQL's
                        C-client API instead of using PASSWORD() SQL function
                        in the query.
                        
       3 (or "md5")   = Use plain hex MD5.(MD5 hashing)

       4 (or "sha1")  = Use plain hex SHA1.(SHA1 hashing)

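What the crypt= modes quoted from the README actually put in the users.password column, and why the unsalted ones leak the tom/jerry observation made earlier (two users, one identical stored string), as an added example that is not code from the page or from the pam_mysql project. The pre-4.1 MySQL PASSWORD() routine below reproduces the 16-digit value the page's SELECT output shows; crypt=1 (crypt(3)) is left out because its output depends on the platform libc, and the salted PBKDF2 scheme at the end is shown as a contrast, not as a pam_mysql mode. The row data is constructed.

```python
"""Added example, not code from the page or from pam_mysql.

Stored-value formats behind the pam_mysql crypt= modes (0 plain, 2 MySQL
PASSWORD(), 3 hex MD5, 4 hex SHA1), a verifier for them, a check that shows
which users share a stored string, and a salted scheme for contrast.
"""
import hashlib
import hmac
import os


def mysql_old_password(password: str) -> str:
    """Pre-4.1 MySQL PASSWORD(): two 31-bit words as 16 hex digits, no salt.
    This is the 16-character format visible in the page's SELECT output."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for c in password.encode("latin-1"):
        if c in (0x20, 0x09):            # the original skips spaces and tabs
            continue
        nr ^= (((nr & 63) + add) * c) + (nr << 8)
        nr2 += (nr2 << 8) ^ nr
        add += c
        nr &= 0xFFFFFFFF                 # keep the arithmetic 32 bits wide
        nr2 &= 0xFFFFFFFF
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def mysql_new_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + SHA1(SHA1(pw)) as 40 uppercase hex digits.
    A value in this format never matches a checker that expects the old
    16-digit format, which is the kind of mismatch the README warns about."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def stored_value(crypt_mode: int, password: str) -> str:
    """The column value a login attempt is compared against for a crypt= mode."""
    if crypt_mode == 0:
        return password
    if crypt_mode == 2:
        return mysql_old_password(password)
    if crypt_mode == 3:
        return hashlib.md5(password.encode()).hexdigest()
    if crypt_mode == 4:
        return hashlib.sha1(password.encode()).hexdigest()
    raise ValueError("unsupported crypt mode %r" % crypt_mode)


def verify(crypt_mode: int, stored: str, candidate: str) -> bool:
    """Constant-time comparison of a login attempt against the stored value."""
    return hmac.compare_digest(stored_value(crypt_mode, candidate).encode(),
                               stored.encode())


def shared_hashes(rows):
    """Group user names by identical stored value. With an unsalted scheme
    every group larger than one tells whoever can read the table that those
    users chose the same password, before any cracking is attempted."""
    groups = {}
    for name, stored in rows:
        groups.setdefault(stored, []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def salted_stored_value(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 (a contrast, not a pam_mysql mode): salt$hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()


def salted_verify(stored: str, candidate: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    recomputed = salted_stored_value(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed.encode(), stored.encode())


if __name__ == "__main__":
    # Constructed rows mirroring the tom/jerry insert on the page.
    rows = [(n, stored_value(2, "redhat")) for n in ("tom", "jerry")]
    print(rows)                        # both rows carry 27c30f0241a5b69f
    print(shared_hashes(rows))         # {'27c30f0241a5b69f': ['tom', 'jerry']}
    salted = [(n, salted_stored_value("redhat")) for n in ("tom", "jerry")]
    print(shared_hashes(salted))       # {}: same password, different strings
```

The shared_hashes check is the part a defender can run today against an existing table: modes 0, 2, 3 and 4 are all unsalted, so equal stored strings mean equal passwords, and a table dump exposes that grouping directly. The salted variant is what removes it.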
NFS: Network File System

ext3, ext2: kernel space

mke2fs: user space, file system management tool

NFS:

What is a file system:

A file system is the system that manages files. A disk partition is just a stretch of storage, tracks at the physical level; to manage files on it in an orderly way the kernel maps a software structure onto that space. Formatting a partition as ext3, for example, divides it into a metadata area and a data area: the metadata area stores information about files other than their content, and the data area is divided into blocks that hold data. The blocks are not literally carved into the disk; a mapping table maintained in the metadata keeps track of them. So the metadata layer is really the software, a kernel module, that turns a raw partition into an orderly managed space.

NFS is also such a kernel facility, except that it works over the network. Any directory on a host can serve as the mount point for a device, for example /mydata/data, and that directory then becomes the entry point to the device. With NFS the file system behind the mount point is not on the local machine at all: another host has a partition, or even just a directory, and exports it over the network, announcing that storage is available there for anyone to use. On the client we prepare a directory such as /mydata/data and mount the remote host's file system on it, say /var/ftp exported from that host. Access still has to go through a mount point, just as with a local device: once the remote /var/ftp is exported it is in effect a file system served by another host, and the client only needs to mount it on a local directory. When an application then writes into that directory, the data is actually sent over the network to the other host, which receives it and stores it on its own disk. Reading works the same way: the application issues a read system call, the kernel recognises that the device being accessed is not local, requests the file from the remote host over the network, and the remote host returns the file content. The client therefore uses the remote host's storage as if it were a local device. That, in simple terms, is how a network file system works.

File systems live in kernel space, so how does a write from user space get done? Only the kernel can operate hardware, and it exposes that ability to user space through system calls. A file system has its own: to read a file a program uses read(), which is just a function; to write it uses write(). The program issues the call with some parameters, the kernel runs the function in kernel space, and the result may end up on disk. This is a procedure call, or function call; since the function carries out a sequence of operations, a procedure, the two names are used interchangeably. Normally a local application gets things done through local procedure calls (local procedure call): two local programs, or a program and the kernel, calling each other's functions. For a programmer, interacting with another module or component only requires that the component provide functions, in the same way a shell script can source a file that defines functions and then call them directly. That too is a local procedure call.

What if a program needs to cooperate across two hosts, because a function it needs is provided not locally but on another host? Take a web service: a local user or process requests content that lives on another host. The browser must build a request, ask the kernel to send it, and the kernel encapsulates the request and hands it to the server's TCP/IP stack, which decodes it and passes the request on to the web server. So a web server program has to handle incoming HTTP-formatted request messages: it must decode them and understand the request before it can respond, and when many users request at once it needs a strategy such as the prefork model, where each request is served by its own process. Two processes talking over the network therefore both have to be written with the network in mind: client and server alike must implement the mechanics of communicating with each other over the network.

Now suppose the thing being developed is a file system that lives on another host while the client is local. mkdir, for instance, is a client command: it asks for a directory to be created, but the directory is to be stored in a partition on another host, so the work has to be done over the network. The client application makes its request, and the request always goes to the kernel; the local kernel then finds that the requested device is not local. A browser knows how to name a protocol, host, port and resource, but mkdir has no notion of the network at all; it cannot be given an IP address. Any application that coordinates client and server over the network normally has to handle network requests itself, and so does its server, yet mkdir cannot. Does that mean mkdir can never create a directory on another host's file system? Clearly not, since that is exactly what NFS does. How does it work?

The file system itself has no network capability; it is a kernel module. On the server side the storage is driven by a kernel module with no network functions, and on the client side mkdir has none either, yet the two manage to communicate. The reason is that, although neither end has network functions of its own, other network machinery is borrowed to connect them, and neither end is aware that it is working over the network. The client believes it is working locally, and so does the server; their programmers only need to think about the local case. What makes this possible is RPC. When the client needs to make a system call, or a function call, it does not go straight to the kernel; the host has a well-known client component, and the program makes a special call, the RPC client stub call. Developing mkdir or some other command or system-call path with this extra capability means including an extra header file and depending on a module called the RPC client, or stub. On the server side an RPC server process runs. When mkdir executes and really calls into the kernel, the directory is created somewhere under a path, and the storage behind that path is provided by the kernel; the kernel finds that the device is not local, so it hands the request to the stub, the RPC client, which sends it to the RPC server. The RPC server has the request carried out locally, returns the resulting data to the RPC client, and after the layers unwind the result is returned to the command, which continues. For the client and server programs this is completely transparent; what is needed is an RPC client and an RPC server relaying between them. The local program behaves as if it worked entirely in its own memory on the current host, and when the result comes back it has no idea it came over the network; it takes it as returned by the kernel. All of the network communication is hidden behind the RPC mechanism: an RPC server program listens on a socket on the server, the stub sits on the client ready to be called, and when the kernel finds that what an application requested is provided by some other program on the network, it transparently forwards the request to the RPC client. Client and server RPC establish a connection, over TCP or UDP, the request is forwarded to the server, and once the server has the result it is returned to the client.

The server still has to run a service program that handles client requests. That program need not concern itself with networking, but the requests do come from a remote host, so it must accept them and it must listen on a socket; the address of that socket is random. The service itself does not have to handle how data from the client is received over the network or how results travel back; that is the business of the RPC client and RPC server, not of the application client (the mkdir command) and the application server (the file system). Even so, the file system must receive the client's data. If every step required the stub to talk to the RPC server, that would be a problem, because the RPC server is a generic framework that may serve many programs that do not want to implement networking themselves. So although the file system works in the kernel and does not itself encapsulate request and response messages, it still has to be reachable over the network and able to communicate with the stub. In practice the file system relies on some program listening on a socket, on some port, but that port number does not have to be fixed and does not have to be told to the client, only to RPC, because the service talks to RPC within the same host. Suppose the front-end server for the file system starts and chooses to listen on port 808; it only has to tell the RPC server. When a client asks for the file system service, the stub sends the request to the RPC server; the RPC server does not handle the request itself, because it cannot understand the request's content, it merely helps encapsulate network messages, so internally it forwards the request to the registered socket. That is one mode of operation. In the other, the server program also works on the network but does not receive the first message; RPC receives it and initialises the request, and once that is done the client sends its requests to the server directly, with only the initial connection set up by RPC. NFS works exactly this way. On Linux the program that provides the RPC server is portmap, which listens on 111/tcp and 111/udp. A client that needs the service sends its request to port 111 on the server; the RPC server works out which RPC service the client wants, returns the port number that service registered with RPC, and the client then connects to the program that actually provides the file system service. So NFS must listen on a socket of its own, and RPC is a programming technique whose main purpose is to simplify the development of distributed applications.

RPC: Remote Procedure Call

Linux: the program that provides the RPC server is portmap: 111/tcp, 111/udp

RPC: a programming technique that simplifies the development of distributed applications. Call path: C --> RPC C --> RPC S --> S (client, RPC client stub, RPC server, server)

NFS Client --> NFS Server

Browser --> Server: HTML format

RPC: binary format, or text format (XML-RPC) --> SOAP (Simple Object Access Protocol)

How XML-RPC works:

There is a client and a server, and they can only exchange data over a TCP/IP network. Among the many protocols, FTP messages carry FTP exchanges, HTTP messages carry HTTP exchanges, and RPC messages carry RPC exchanges. RPC itself works in binary, but it can also work in a text format. RPC as such is only a programming technique, or a protocol; it is not an implementation. The implementation is software: portmap is the software that implements RPC on Linux, one implementation among others, much as Apache httpd relates to HTTP. Just as httpd is not the only web server (there are also nginx, lighttpd and others), portmap is not the only program that can implement the RPC protocol. RPC can, for instance, be carried over HTTP. The client and server then exchange messages through httpd, and the question is how the server understands them: by rights HTTP carries HTTP messages, but over HTTP it can also carry XML-formatted messages, and the HTTP client and server then serve only as a platform, a framework, for other applications to exchange data. When an application needs a function provided by its server side, it first passes the request through a local system call to the local RPC client, or web service client; the web service client forwards the request to the web service end, which forwards it to the server side of the application. An HTTP connection used this way lets two other programs exchange data and communicate: httpd is no longer a web server channel but a data exchange channel, an RPC channel. Web service, FTP service and RPC service all exist to exchange data. As long as messages can be exchanged, a protocol need not be tied to one fixed concept, and FTP need not be thought of only as file upload and download; it too can serve as a data exchange platform for two other applications to work over. This arrangement, in which a web client and server exchange XML messages so that two applications, our client and server, exchange messages over HTTP using the framework HTTP provides, is called XML-RPC.

RPC: a programming technique, and a protocol

NFS: Sun

  NFSv2, NFSv3, NFSv4

NFS: Unix/Linux

Windows

Server side: nfs-utils

nfs: nfsd (the main nfs service), mountd (accepts mount requests from clients), quotad (quota daemon; limits how much of the server's disk space a client may use)

nfsd: 2049/tcp, 2049/udp

mountd: port

quotad: port

  semi-random

/etc/exports: configuration file of the nfs service;

/path/to/somedir CLIENT_LIST

  Multiple clients are separated by whitespace

Each client must be followed by a parenthesised list that defines how that client may access the export, such as its access permissions

172.16.0.0/16(ro,async) 192.16.0.0/24(rw,sync)

showmount -e NFS_SERVER: list the file systems "exported" by the NFS server;

showmount -a NFS_SERVER: list every file system of the NFS server that is currently mounted, with the client that mounted it;

showmount -d NFS_SERVER: list the exported file systems of the NFS server that are mounted by some client;

The exportfs command:

  -a: used together with -r or -u: re-export all file systems, or unexport all file systems;

  -r: re-export

  -u: unexport

  -v: verbose output

The client mounts with the mount command

mount -t nfs NFS_SERVER:/PATH/TO/SOME_EXPORT /PATH/TO/SOMEWHERE

Export options:

  ro: read-only

  rw: read-write

  sync: synchronous writes

  async: asynchronous writes

  root_squash: map the root user to the guest account;

  no_root_squash: keep administrator privileges;

  all_squash: map every user to the guest account;

  anonuid, anongid: the UID and GID of the guest account that users are mapped to;

To make mountd, quotad and the other daemons listen on fixed ports, edit the configuration file /etc/sysconfig/nfs

WebServer: LAMP

NFS server: export /var/www

NFS client: mount NFS_SERVER:/var/www on the local /var/www


/etc/exports

The file /etc/exports serves as the access control list for file systems which may be exported to NFS clients.

Each line contains an export point and a whitespace-separated list of clients allowed to mount the file system at that point.

Each listed client may be immediately followed by a parenthesized, comma-separated list of export options for that client.

No whitespace is permitted between a client and its option list.

Blank lines are ignored.

A pound sign ("#") introduces a comment to the end of the line.

If an export name contains spaces it should be quoted using double quotes.

Machine Name Formats

single host

the FQDN, or an IP address

netgroups

NIS netgroups may be given as @group.

wildcards

Machine names may contain the wildcard characters * and ?

For example: *.example.com

IP networks

An IP address and netmask pair as address/netmask

the netmask can be specified in dotted-decimal format, or as a contiguous mask length
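The exports(5) format summarised above (an export point, whitespace-separated clients, a parenthesised option list glued to each client with no intervening whitespace, double-quoted names, "#" comments, and the single-host, netgroup, wildcard and address/netmask client forms) together with the export options listed earlier, parsed by an added Python example. This is not code from these notes or from nfs-utils. The sample file content is constructed here and reuses entries from this page; the review() checks are a reviewer's reading of the options (no_root_squash, rw to wildcard or unrestricted clients, async combined with rw). An option list with no client name in front of it applies to every host, which exportfs itself warns about and suggests writing as *.

```python
import ipaddress
import re
import shlex

# Constructed sample (not a real server's file); the entries reuse examples from these notes.
SAMPLE_EXPORTS = """\
# /etc/exports -- constructed sample
/shared         172.16.0.0/16(ro)
/var/ftp        172.16.0.0/16(ro,async) 192.16.0.0/24(rw,sync)
"/srv/with space" *.example.com(rw) @trusted(rw,no_root_squash)
/home/joe       172.16.0.0/255.255.0.0(rw,all_squash,anonuid=510,anongid=510)
/pub            (ro)
"""

# client name, then an optional parenthesised option list glued to it with no whitespace
CLIENT_RE = re.compile(r"^([^()]*)(?:\((.*)\))?$")


def parse_options(text):
    """'rw,anonuid=510' -> {'rw': True, 'anonuid': '510'}."""
    opts = {}
    for item in filter(None, text.split(",")):
        key, _, value = item.partition("=")
        opts[key.strip()] = value.strip() if value else True
    return opts


def classify_client(client):
    """Which of the exports(5) machine name formats a client token uses."""
    if client in ("", "*"):          # no name at all (or '*') means every host
        return "any"
    if client.startswith("@"):       # NIS netgroup
        return "netgroup"
    if "*" in client or "?" in client:
        return "wildcard"
    if "/" in client:                # address/netmask, dotted or prefix length
        ipaddress.ip_network(client, strict=False)   # raises ValueError on a malformed network
        return "network"
    return "host"                    # FQDN or single IP address


def parse_exports(text):
    """Parse /etc/exports content into one record per (path, client) pair."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)     # strips '#' comments, honours "quoted names"
        if not tokens:
            continue                                 # blank or comment-only line
        path, clients = tokens[0], tokens[1:]
        for token in clients:
            m = CLIENT_RE.match(token)
            if not m:
                raise ValueError("line %d: malformed client %r" % (lineno, token))
            client, opt_text = m.group(1), m.group(2) or ""
            entries.append({"line": lineno, "path": path, "client": client,
                            "kind": classify_client(client),
                            "options": parse_options(opt_text)})
    return entries


def review(entries):
    """Settings a reviewer would question, as (line, path, client, message) tuples."""
    findings = []
    for e in entries:
        o = e["options"]
        where = (e["line"], e["path"], e["client"] or "(all hosts)")
        if "no_root_squash" in o:
            findings.append(where + ("no_root_squash: the client's root keeps uid 0 on this export",))
        if "rw" in o and e["kind"] in ("any", "wildcard"):
            findings.append(where + ("rw granted to a wildcard or unrestricted client list",))
        if "rw" in o and "async" in o:
            findings.append(where + ("rw with async: acknowledged writes can be lost if the server crashes",))
    return findings


if __name__ == "__main__":
    for finding in review(parse_exports(SAMPLE_EXPORTS)):
        print("line %d %s %s: %s" % finding)
```

Running the block prints the two findings for the sample: rw to *.example.com and no_root_squash for the @trusted netgroup. The same parser can be pointed at a real /etc/exports by reading the file into a string first.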

Mounting and Using NFSv3

When an NFSv3 client attempts to mount an exported file system from an NFS server:

The client contacts the server's portmap service and asks for the port used by rpc.mountd.

Once it has that port, the client connects to rpc.mountd, which determines whether access is allowed, typically based only on the source IP address of the client.

If allowed, rpc.mountd issues the client an initial file handle for the file system.

The client uses the initial file handle to access and change the file system through the server's nfsd service on TCP or UDP port 2049.

File locks are managed by the lockd and rpc.statd services.

Most of the NFSv3 protocol is stateless on the server side.

When file locking state is lost, the client may need to re-establish its file locks.

The rpc.statd service is used to notify clients.
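The GETPORT exchange that both the RPC discussion earlier (the stub asking portmap on port 111 for the port a service registered) and step one of the NFSv3 mount sequence above describe, as an added Python example; this is not code from these notes, from portmap or from nfs-utils. It encodes the ONC RPC CALL and REPLY for PMAPPROC_GETPORT (program 100000, version 2, procedure 3) in XDR as defined in RFC 1057 and RFC 1833, and runs one round trip against an in-memory registry whose entries are constructed from rpcinfo -p output of the kind shown in the transcript below. The real exchange travels over a socket to 111/udp or 111/tcp, which the example deliberately does not open.

```python
import struct

# ONC RPC / portmapper constants (RFC 1057, RFC 1833)
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
IPPROTO_TCP, IPPROTO_UDP = 6, 17
CALL, REPLY = 0, 1
MSG_ACCEPTED, SUCCESS, AUTH_NULL = 0, 0, 0


def _u32(*values):
    """XDR 'unsigned int' fields are 4-byte big-endian integers."""
    return struct.pack(">%dI" % len(values), *values)


def build_getport_call(xid, prog, vers, prot):
    """The CALL a client sends to portmap: which port did (prog, vers, prot) register?"""
    header = _u32(xid, CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)  # rpcvers is always 2
    cred = _u32(AUTH_NULL, 0)          # opaque_auth: flavor, then body length (empty)
    verf = _u32(AUTH_NULL, 0)
    args = _u32(prog, vers, prot, 0)   # struct mapping; the port field is ignored on GETPORT
    return header + cred + verf + args


def build_getport_reply(xid, port):
    """The REPLY: accepted, AUTH_NULL verifier, SUCCESS, then the port (0 = not registered)."""
    return _u32(xid, REPLY, MSG_ACCEPTED, AUTH_NULL, 0, SUCCESS, port)


def parse_getport_call(data):
    """Server side: validate a CALL and return (xid, prog, vers, prot)."""
    if len(data) < 56:
        raise ValueError("truncated RPC call")
    f = struct.unpack(">14I", data[:56])
    if f[1:6] != (CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
        raise ValueError("not a portmap v2 GETPORT call")
    if f[7] or f[9]:                                # cred / verf body lengths must be 0
        raise ValueError("only AUTH_NULL is handled here")
    return f[0], f[10], f[11], f[12]


def parse_getport_reply(data, expected_xid):
    """Client side: match the reply to our xid and extract the port."""
    if len(data) < 28:
        raise ValueError("truncated RPC reply")
    xid, msg_type, reply_stat, _flavor, verf_len, accept_stat, port = struct.unpack(">7I", data[:28])
    if xid != expected_xid:
        raise ValueError("xid mismatch: reply is not for our call")
    if (msg_type, reply_stat, accept_stat) != (REPLY, MSG_ACCEPTED, SUCCESS) or verf_len:
        raise ValueError("portmap rejected the call")
    return port


# Constructed registry standing in for portmap's table, with values of the kind
# rpcinfo -p prints: (program, version, protocol) -> port.
REGISTRY = {
    (100005, 3, IPPROTO_TCP): 663,    # mountd
    (100005, 3, IPPROTO_UDP): 660,
    (100003, 3, IPPROTO_TCP): 2049,   # nfs
    (100021, 4, IPPROTO_TCP): 44417,  # nlockmgr
}


def portmap_serve(request):
    """What portmap does with one GETPORT datagram."""
    xid, prog, vers, prot = parse_getport_call(request)
    return build_getport_reply(xid, REGISTRY.get((prog, vers, prot), 0))


def lookup(prog, vers, prot, xid=0x2A2A2A2A):
    """One client round trip; on the wire the request would be sent to port 111."""
    reply = portmap_serve(build_getport_call(xid, prog, vers, prot))
    return parse_getport_reply(reply, xid)


if __name__ == "__main__":
    print("mountd v3/tcp is on port", lookup(100005, 3, IPPROTO_TCP))
```

The xid check is the one a client must never skip: it is the only thing tying a reply to the request it answers, and a reply carrying another xid is discarded rather than trusted. A port of 0 in a successful reply means the program is not registered, which is what a client sees after the nfs service is stopped and only portmapper and status remain in rpcinfo -p.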

[root@Smoke pam_mysql-0.7RC1]# cd(change to the user's home directory)
[root@Smoke ~]# rpm -ql nfs-utils(list the files installed by nfs-utils)
/etc/idmapd.conf
/etc/rc.d/init.d/nfs(service script)
/etc/rc.d/init.d/nfslock(service script)
/etc/rc.d/init.d/rpcgssd
/etc/rc.d/init.d/rpcidmapd
/etc/rc.d/init.d/rpcsvcgssd
/etc/sysconfig/nfs
/sbin/mount.nfs
/sbin/mount.nfs4
/sbin/rpc.lockd
/sbin/rpc.statd
/sbin/umount.nfs
/sbin/umount.nfs4
/usr/sbin/exportfs
/usr/sbin/gss_clnt_send_err
/usr/sbin/gss_destroy_creds
/usr/sbin/mountstats
/usr/sbin/nfsiostat
/usr/sbin/nfsstat
/usr/sbin/nhfsgraph
/usr/sbin/nhfsnums
/usr/sbin/nhfsrun
/usr/sbin/nhfsstone
/usr/sbin/rpc.gssd
/usr/sbin/rpc.idmapd
/usr/sbin/rpc.mountd(core program)
/usr/sbin/rpc.nfsd(core program)
/usr/sbin/rpc.svcgssd
/usr/sbin/rpcdebug
/usr/sbin/showmount
/usr/share/doc/nfs-utils-1.0.9
/usr/share/doc/nfs-utils-1.0.9/ChangeLog
/usr/share/doc/nfs-utils-1.0.9/INSTALL
/usr/share/doc/nfs-utils-1.0.9/KNOWNBUGS
/usr/share/doc/nfs-utils-1.0.9/Makefile
/usr/share/doc/nfs-utils-1.0.9/Makefile.am
/usr/share/doc/nfs-utils-1.0.9/Makefile.in
/usr/share/doc/nfs-utils-1.0.9/NEW
/usr/share/doc/nfs-utils-1.0.9/README
/usr/share/doc/nfs-utils-1.0.9/THANKS
/usr/share/doc/nfs-utils-1.0.9/TODO
/usr/share/man/man5/exports.5.gz
/usr/share/man/man5/idmapd.conf.5.gz
/usr/share/man/man5/nfs.5.gz
/usr/share/man/man7/nfsd.7.gz
/usr/share/man/man8/exportfs.8.gz
/usr/share/man/man8/gssd.8.gz
/usr/share/man/man8/idmapd.8.gz
/usr/share/man/man8/lockd.8.gz
/usr/share/man/man8/mount.nfs.8.gz
/usr/share/man/man8/mountd.8.gz
/usr/share/man/man8/mountstats.8.gz
/usr/share/man/man8/nfsd.8.gz
/usr/share/man/man8/nfsiostat.8.gz
/usr/share/man/man8/nfsstat.8.gz
/usr/share/man/man8/nhfsgraph.8.gz
/usr/share/man/man8/nhfsnums.8.gz
/usr/share/man/man8/nhfsrun.8.gz
/usr/share/man/man8/nhfsstone.8.gz
/usr/share/man/man8/rpc.gssd.8.gz
/usr/share/man/man8/rpc.idmapd.8.gz
/usr/share/man/man8/rpc.lockd.8.gz
/usr/share/man/man8/rpc.mountd.8.gz
/usr/share/man/man8/rpc.nfsd.8.gz
/usr/share/man/man8/rpc.statd.8.gz
/usr/share/man/man8/rpc.svcgssd.8.gz
/usr/share/man/man8/rpcdebug.8.gz
/usr/share/man/man8/showmount.8.gz
/usr/share/man/man8/statd.8.gz
/usr/share/man/man8/svcgssd.8.gz
/usr/share/man/man8/umount.nfs.8.gz
/var/lib/nfs
/var/lib/nfs/etab
/var/lib/nfs/rmtab
/var/lib/nfs/rpc_pipefs
/var/lib/nfs/statd
/var/lib/nfs/state
/var/lib/nfs/v4recovery
/var/lib/nfs/xtab
[root@Smoke ~]# service nfs start(start the nfs service)
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]
[root@Smoke ~]# service portmap status(check the portmap service status)
portmap (pid 3175) is running...
Note: nfs works on top of rpc, so make sure portmap is running before starting nfs;
[root@Smoke ~]# netstat -tunlp(list listening sockets: -t tcp, -u udp, -n numeric, -l listening only, -p owning program)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      3494/./hpiod        
tcp        0      0 0.0.0.0:2049                0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      1142/mysqld         
tcp        0      0 0.0.0.0:52876               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      3175/portmap        
tcp        0      0 0.0.0.0:852                 0.0.0.0:*                   LISTEN      3214/rpc.statd      
tcp        0      0 0.0.0.0:821                 0.0.0.0:*                   LISTEN      17602/rpc.mountd    
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      1624/vsftpd         
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      3515/sshd           
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      3527/cupsd          
tcp        0      0 0.0.0.0:793                 0.0.0.0:*                   LISTEN      17573/rpc.rquotad   
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      3564/sendmail       
tcp        0      0 127.0.0.1:6010              0.0.0.0:*                   LISTEN      1853/sshd           
tcp        0      0 127.0.0.1:6011              0.0.0.0:*                   LISTEN      17440/sshd          
tcp        0      0 127.0.0.1:6012              0.0.0.0:*                   LISTEN      17471/sshd          
tcp        0      0 127.0.0.1:6013              0.0.0.0:*                   LISTEN      17502/sshd          
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      3499/python         
tcp        0      0 :::22                       :::*                        LISTEN      3515/sshd           
tcp        0      0 ::1:6010                    :::*                        LISTEN      1853/sshd           
tcp        0      0 ::1:6011                    :::*                        LISTEN      17440/sshd          
tcp        0      0 ::1:6012                    :::*                        LISTEN      17471/sshd          
tcp        0      0 ::1:6013                    :::*                        LISTEN      17502/sshd          
udp        0      0 0.0.0.0:2049                0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:790                 0.0.0.0:*                               17573/rpc.rquotad   
udp        0      0 0.0.0.0:43547               0.0.0.0:*                               3701/avahi-daemon   
udp        0      0 0.0.0.0:818                 0.0.0.0:*                               17602/rpc.mountd    
udp        0      0 0.0.0.0:55611               0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:846                 0.0.0.0:*                               3214/rpc.statd      
udp        0      0 0.0.0.0:849                 0.0.0.0:*                               3214/rpc.statd      
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               3701/avahi-daemon   
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               3175/portmap        
udp        0      0 0.0.0.0:631                 0.0.0.0:*                               3527/cupsd          
udp        0      0 :::40122                    :::*                                    3701/avahi-daemon   
udp        0      0 :::5353                     :::*                                    3701/avahi-daemon   
Note: portmap listens on port 111, tcp and udp;
[root@Smoke ~]# rpcinfo -p localhost(list the ports used by all rpc programs registered on this host)
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    849  status
    100024    1   tcp    852  status
    100011    1   udp    790  rquotad
    100011    2   udp    790  rquotad
    100011    1   tcp    793  rquotad
    100011    2   tcp    793  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  55611  nlockmgr
    100021    3   udp  55611  nlockmgr
    100021    4   udp  55611  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   tcp  52876  nlockmgr
    100021    3   tcp  52876  nlockmgr
    100021    4   tcp  52876  nlockmgr
    100005    1   udp    818  mountd
    100005    1   tcp    821  mountd
    100005    2   udp    818  mountd
    100005    2   tcp    821  mountd
    100005    3   udp    818  mountd
    100005    3   tcp    821  mountd
[root@Smoke ~]# service nfs stop(stop the nfs service)
Shutting down NFS mountd:                                  [  OK  ]
Shutting down NFS daemon:                                  [  OK  ]
Shutting down NFS quotas:                                  [  OK  ]
[root@Smoke ~]# rpcinfo -p localhost(list the ports used by all rpc programs registered on this host)
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    849  status
    100024    1   tcp    852  status
[root@Smoke ~]# service nfs start(start the nfs service)
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]
Note: when nfs starts, it registers a set of ports with portmap;
[root@Smoke ~]# rpcinfo -p localhost(list the ports used by all rpc programs registered on this host)
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    849  status
    100024    1   tcp    852  status
    100011    1   udp    943  rquotad
    100011    2   udp    943  rquotad
    100011    1   tcp    946  rquotad
    100011    2   tcp    946  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  42179  nlockmgr
    100021    3   udp  42179  nlockmgr
    100021    4   udp  42179  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   tcp  51948  nlockmgr
    100021    3   tcp  51948  nlockmgr
    100021    4   tcp  51948  nlockmgr
    100005    1   udp    958  mountd
    100005    1   tcp    961  mountd
    100005    2   udp    958  mountd
    100005    2   tcp    961  mountd
    100005    3   udp    958  mountd
    100005    3   tcp    961  mountd
[root@Smoke ~]# service nfs restart(restart the nfs service)
Shutting down NFS mountd:                                  [  OK  ]
Shutting down NFS daemon:                                  [  OK  ]
Shutting down NFS quotas:                                  [  OK  ]
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]
[root@Smoke ~]# rpcinfo -p localhost(list the ports used by all rpc programs registered on this host)
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    849  status
    100024    1   tcp    852  status
    100011    1   udp    645  rquotad
    100011    2   udp    645  rquotad
    100011    1   tcp    648  rquotad
    100011    2   tcp    648  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  58830  nlockmgr
    100021    3   udp  58830  nlockmgr
    100021    4   udp  58830  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   tcp  44417  nlockmgr
    100021    3   tcp  44417  nlockmgr
    100021    4   tcp  44417  nlockmgr
    100005    1   udp    660  mountd
    100005    1   tcp    663  mountd
    100005    2   udp    660  mountd
    100005    2   tcp    663  mountd
    100005    3   udp    660  mountd
    100005    3   tcp    663  mountd
[root@Smoke ~]# service nfs status(check the nfs service status)
rpc.mountd (pid 17868) is running...
nfsd (pid 17865 17864 17863 17862 17861 17860 17859 17858) is running...
rpc.rquotad (pid 17852) is running...
[root@Smoke ~]# chkconfig nfs on(start nfs automatically at boot)
[root@Smoke ~]# man exports(read the exports man page)

       exports - NFS file systems being exported (for Kernel based NFS)

[root@Smoke ~]# mkdir /shared(create the shared directory)
[root@Smoke ~]# vim /etc/exports(edit the exports file)

/shared         172.16.0.0/16(ro)

[root@Smoke ~]# service nfs restart(restart the nfs service)
Shutting down NFS mountd:                                  [  OK  ]
Shutting down NFS daemon:                                  [  OK  ]
Shutting down NFS quotas:                                  [  OK  ]
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]
[root@Smoke ~]# man showmount(read the showmount man page)

       showmount - show mount information for an NFS server

       -a or --all
              List  both the client hostname or IP address and mounted directory in host:dir format. This info should not be
              considered reliable. See the notes on rmtab in rpc.mountd(8).

       -e or --exports
              Show the NFS server's export list.

[root@Smoke ~]# showmount -e 172.16.100.1(show which directories nfs server 172.16.100.1 exports)
Export list for 172.16.100.1:
/shared 172.16.0.0/16
[root@Smoke ~]# ifconfig(show the network interface configuration)
eth0      Link encap:Ethernet  HWaddr 00:0C:29:CC:FA:AE  
          inet addr:172.16.100.1  Bcast:172.16.100.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fecc:faae/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:38163 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36901 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3510610 (3.3 MiB)  TX bytes:5702177 (5.4 MiB)
          Interrupt:67 Base address:0x2000 

eth1      Link encap:Ethernet  HWaddr 00:0C:29:CC:FA:B8  
          inet6 addr: fe80::20c:29ff:fecc:fab8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3472 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3900 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:328585 (320.8 KiB)  TX bytes:201491 (196.7 KiB)
          Interrupt:83 Base address:0x2080 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3170 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3170 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:582082 (568.4 KiB)  TX bytes:582082 (568.4 KiB)
Test: bring up another Linux client, give it the IP address 172.16.100.8, and mount the /shared directory exported by the nfs server;
On the nfs client:
[root@localhost ~]# showmount -e 172.16.100.1(show which directories nfs server 172.16.100.1 exports)
Export list for 172.16.100.1:
/shared 172.16.0.0/16
[root@localhost ~]# mkdir /mnt/nfs(create the nfs directory)
[root@localhost ~]# mount -t nfs 172.16.100.1:/shared /mnt/nfs/(mount /shared from nfs server 172.16.100.1 on the local /mnt/nfs)
[root@localhost ~]# cd /mnt/nfs/(change to /mnt/nfs)
[root@localhost nfs]# ls(list the files and subdirectories of the current directory)
On the nfs server:
[root@Smoke ~]# cp /etc/fstab /shared/(copy fstab into /shared)
On the nfs client:
[root@localhost nfs]# ls(list the files and subdirectories of the current directory)
fstab
[root@localhost nfs]# cp fstab /tmp/(copy fstab to /tmp)
[root@localhost nfs]# rm fstab(delete the fstab file)
rm:是否删除有写保护的 一般文件 “fstab”? y
rm: 无法删除 “fstab”: 只读文件系统
Note: the export is ro, so the file cannot be deleted;
On the nfs server:
[root@Smoke ~]# showmount -a 172.16.100.1(show which clients have mounted the directories exported by nfs server 172.16.100.1)
All mount points on 172.16.100.1:
172.16.100.8:/shared
On the nfs client:
[root@localhost nfs]# showmount -a 172.16.100.1(show which clients have mounted the directories exported by nfs server 172.16.100.1)
All mount points on 172.16.100.1:
172.16.100.8:/shared
[root@localhost nfs]# man showmount(read the showmount man page)

       -d or --directories
              List only the directories mounted by some client.
On the nfs server:
[root@Smoke ~]# vim /etc/exports(edit the exports file)

/shared         172.16.0.0/16(ro)
/var/ftp        172.16.0.0/16(ro)

[root@Smoke ~]# service nfs restart(restart the nfs service)
Shutting down NFS mountd:                                  [  OK  ]
Shutting down NFS daemon:                                  [  OK  ]
Shutting down NFS quotas:                                  [  OK  ]
Shutting down NFS services:                                [  OK  ]
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]
On the nfs client:
[root@localhost nfs]# showmount -d 172.16.100.1(show the file systems of nfs server 172.16.100.1 that are mounted by some client)
Directories on 172.16.100.1:
/shared
Note: /var/ftp is not mounted by any client, so it is not listed;
[root@localhost nfs]# showmount -a 172.16.100.1(show which clients have mounted the directories exported by nfs server 172.16.100.1)
All mount points on 172.16.100.1:
172.16.100.8:/shared
On the nfs server:
[root@Smoke ~]# vim /etc/exports(edit the exports file)

/shared         172.16.0.0/16(ro)
/var/ftp        172.16.0.0/16(ro)

Note: so far every new export has needed a service restart; but if a client is mounted and in the middle of writing files, restarting the service may interrupt that transfer. How can a change to the exports file take effect immediately without a restart?
[root@Smoke ~]# man exportfs(read the exportfs man page)

       exportfs - maintain list of NFS exported file systems

       /usr/sbin/exportfs [-avi] [-o options,..] [client:/path ..]
       /usr/sbin/exportfs -r [-v]
       /usr/sbin/exportfs [-av] -u [client:/path ..]
       /usr/sbin/exportfs [-v]
       /usr/sbin/exportfs -f

       -a     Export or unexport all directories.

       -r     Reexport all directories.  It  synchronizes  /var/lib/nfs/xtab  with  /etc/exports.  It  removes
              entries  in  /var/lib/nfs/xtab  which are deleted from /etc/exports, and remove any entries from
              the kernel export table which are no longer valid.

       -u     Unexport one or more directories.

       -v     Be  verbose.  When  exporting  or unexporting, show what's going on. When displaying the current
              export list, also display the list of export options.

[root@Smoke ~]# vim /etc/exports(edit the exports file)

/shared         172.16.0.0/16(ro)
On the nfs client:
[root@localhost nfs]# showmount -a 172.16.100.1(show which clients have mounted the directories exported by nfs server 172.16.100.1)
All mount points on 172.16.100.1:
172.16.100.8:/shared
[root@localhost nfs]# showmount -e 172.16.100.1(show which directories nfs server 172.16.100.1 exports)
Export list for 172.16.100.1:
/shared  172.16.0.0/16
/var/ftp 172.16.0.0/16
On the nfs server:
[root@Smoke ~]# exportfs -rav(re-export all file systems: -r re-export, -a all, -v verbose)
exporting 172.16.0.0/16:/shared
On the nfs client:
[root@localhost nfs]# showmount -e 172.16.100.1(show which directories nfs server 172.16.100.1 exports)
Export list for 172.16.100.1:
/shared 172.16.0.0/16
On the nfs server:
[root@Smoke ~]# exportfs -ua(unexport all exported file systems)
On the nfs client:
[root@localhost nfs]# showmount -e 172.16.100.1(show which directories nfs server 172.16.100.1 exports)
Export list for 172.16.100.1:
[root@localhost nfs]# ls(list the files and subdirectories of the current directory)
ls: .: 权限不够
Note: the mount is still in place, but the data can no longer be accessed;
[root@localhost nfs]# cd(change to the user's home directory)
[root@localhost ~]# umount /mnt/nfs(unmount the file system mounted at /mnt/nfs)
On the nfs server:
[root@Smoke ~]# id hadoop(show the hadoop user's identity)
uid=501(hadoop) gid=501(hadoop) groups=501(hadoop) context=root:system_r:unconfined_t:SystemLow-SystemHigh
Note: the hadoop user's uid and gid are 501;
[root@Smoke ~]# setfacl -m u:hadoop:rwx /shared/(grant the hadoop user read, write and execute on /shared through the file access control list)
[root@Smoke ~]# su - hadoop(switch to the hadoop user)
[hadoop@Smoke ~]$ cd /shared/(change to the shared directory)
[hadoop@Smoke shared]$ touch a.hadoop(create the file a.hadoop)
[hadoop@Smoke shared]$ ls -l(long listing of the current directory)
total 12
-rw-rw-r-- 1 hadoop hadoop   0 Nov 23 08:33 a.hadoop
-rw-r--r-- 1 root   root   532 Nov 23 06:39 fstab
On the nfs client:
[root@localhost ~]# groupadd -g 501 openstack(add the group openstack; -g sets the gid to 501)
[root@localhost ~]# useradd -g 501 -u 501 openstack(add the user openstack; -g sets the primary group to 501, -u the uid to 501)
On the nfs server:
[root@Smoke ~]# vim /etc/exports(edit the exports file)
[root@Smoke ~]# exportfs -rav(re-export all file systems: -r re-export, -a all, -v show what is done)
exporting 172.16.0.0/16:/shared
On the nfs client:
[root@localhost ~]# mount -t nfs 172.16.100.1:/shared /mnt/nfs/(mount /shared from nfs server 172.16.100.1 on the local /mnt/nfs)
[root@localhost ~]# ls /mnt/nfs/(list the files and subdirectories of /mnt/nfs)
a.hadoop  fstab
[root@localhost ~]# ls -l /mnt/nfs/(long listing of /mnt/nfs)
总计 12
-rw-rw-r--  1 openstack openstack   0 2014-11-23 a.hadoop
-rw-r--r--  1 root      root      532 2014-11-23 fstab
Note: the owner and group of a.hadoop are shown as openstack;
On the nfs server:
[root@Smoke ~]# vim /etc/exports(edit the exports file)

/shared         172.16.0.0/16(rw)

On the nfs client:
[root@localhost ~]# su - openstack(switch to the openstack user)
[openstack@localhost ~]$ cd /mnt/nfs/(change to /mnt/nfs)
[openstack@localhost nfs]$ pwd(show the current working directory)
/mnt/nfs
[openstack@localhost nfs]$ touch b.openstack(create the file b.openstack)
touch: 无法触碰 “b.openstack”: 只读文件系统
On the nfs server:
[root@Smoke ~]# exportfs -rav(re-export all file systems: -r re-export, -a all, -v show what is done)
exporting 172.16.0.0/16:/shared
On the nfs client:
[openstack@localhost nfs]$ touch b.openstack(create the file b.openstack)
[openstack@localhost nfs]$ ls -l(long listing of the current directory)
总计 16
-rw-rw-r-- 1 openstack openstack   0 2014-11-23 a.hadoop
-rw-rw-r-- 1 openstack openstack   0 2014-11-23 b.openstack
-rw-r--r-- 1 root      root      532 2014-11-23 fstab
Note: seen from the client, a.hadoop and b.openstack both belong to openstack;
On the nfs server:
[root@Smoke ~]# ls -l /shared/(long listing of /shared)
total 16
-rw-rw-r--  1 hadoop hadoop   0 Nov 23 08:33 a.hadoop
-rw-rw-r--  1 hadoop hadoop   0 Nov 23 08:46 b.openstack
-rw-r--r--  1 root   root   532 Nov 23 06:39 fstab
Note: seen from the server, a.hadoop and b.openstack both belong to hadoop. NFS identifies a file's owner and group simply by mapping numeric user IDs: on the server only hadoop was granted read and write access, yet any client user whose ID equals hadoop's gets that same read and write access;
On the nfs client:
[openstack@localhost nfs]$ exit(return to the root user)
logout
[root@localhost ~]# cd /mnt/nfs/(change to /mnt/nfs)
[root@localhost nfs]# ls(list the files and subdirectories of the current directory)
a.hadoop  b.openstack  fstab
[root@localhost nfs]# ll(long listing of the current directory)
总计 16
-rw-rw-r-- 1 openstack openstack   0 2014-11-23 a.hadoop
-rw-rw-r-- 1 openstack openstack   0 2014-11-23 b.openstack
-rw-r--r-- 1 root      root      532 2014-11-23 fstab
[root@localhost nfs]# rm b.openstack(delete the file b.openstack)
rm:是否删除有写保护的 一般空文件 “b.openstack”? y
rm: 无法删除 “b.openstack”: 权限不够
Note: root has the highest privilege, yet it is the one user that cannot delete b.openstack. If the export mapped users directly, every user would have every permission, and the local root user would be the equivalent of root on the remote host: with the local root account one could act on another host's root-owned resources as that host's root. NFS is known to have this weakness, so by default root is not allowed through;
On the nfs server:
[hadoop@Smoke shared]$ man exports(read the exports man page)

       root_squash
              Map requests from uid/gid 0 to the anonymous uid/gid. Note that this does not apply to any other
              uids that might be equally sensitive, such as user bin.(if the user is root, map it to the anonymous UID and GID, the least privilege; this is the default)

       no_root_squash
              Turn off root squashing. This option is mainly useful for diskless clients.

       all_squash
              Map  all  uids  and  gids to the anonymous user. Useful for NFS-exported public FTP directories,
              news spool directories, etc. The opposite option is no_all_squash, which is the default setting.(map everyone, without exception, to the guest account)

       anonuid and anongid
              These options explicitly set the uid and gid of the anonymous account.  This option is primarily
              useful for PC/NFS clients, where you might want all requests appear to be from one user.  As  an
              example,  consider  the  export entry for /home/joe in the example section below, which maps all
              requests to uid 150 (which is supposedly that of user joe).(set the guest account explicitly)
To map every account to the one with ID 510:
[root@Smoke ~]# useradd -u 510 nfstest(add the account nfstest with uid 510)
[root@Smoke ~]# touch /shared/nfstest(create the file nfstest)
[root@Smoke ~]# chown nfstest.nfstest /shared/nfstest(change the owner and group of nfstest to nfstest)
[root@Smoke ~]# vim /etc/exports(edit the exports file)

/shared         172.16.0.0/16(rw,all_squash,anonuid=510,anongid=510)

[root@Smoke ~]# exportfs -rav(re-export all file systems: -r re-export, -a all, -v show what is done)
exporting 172.16.0.0/16:/shared
[root@Smoke ~]# showmount -e 172.16.100.1(show which file systems nfs server 172.16.100.1 exports)
Export list for 172.16.100.1:
/shared 172.16.0.0/16
On the nfs client:
[root@localhost nfs]# cd(change to the user's home directory)
[root@localhost ~]# umount /mnt/nfs/(unmount the file system mounted at /mnt/nfs)
[root@localhost ~]# mount -t nfs 172.16.100.1:/shared /mnt/nfs/(mount /shared from nfs server 172.16.100.1 on the local /mnt/nfs)
[root@localhost ~]# cd /mnt/nfs/(change to /mnt/nfs)
[root@localhost nfs]# ls(list the files and subdirectories of the current directory)
a.hadoop  b.openstack  fstab  nfstest
[root@localhost nfs]# ls -l(long listing of the current directory)
总计 20
-rw-rw-r-- 1 openstack openstack   0 2014-11-23 a.hadoop
-rw-rw-r-- 1 openstack openstack   0 2014-11-23 b.openstack
-rw-r--r-- 1 root      root      532 2014-11-23 fstab
-rw-r--r-- 1       510       510   0 2014-11-23 nfstest
Note: every user is now mapped to 510, the administrator included; 510 has write permission on the file, so the administrator has it too;
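The identity mapping that the experiments above exercise (the same numeric uid on both hosts is the same owner; root is squashed to the anonymous account unless no_root_squash is set; all_squash with anonuid/anongid maps everyone), worked through as an added Python example. This is not code from these notes or from nfs-utils. The directory and file models are constructed from the transcript (/shared owned by root with mode 755 and the ACL set by setfacl for uid 501; a.hadoop owned by 501; nfstest owned by 510), the permission check is a simplified POSIX evaluation, and 65534 is the exports(5) default for the anonymous uid/gid, assumed here rather than read from the server.

```python
# exports(5) maps squashed requests to uid/gid 65534 unless anonuid/anongid are given;
# assumed here for this server rather than read from its configuration.
ANON_DEFAULT = 65534


def parse_options(text):
    """'rw,all_squash,anonuid=510' -> {'rw': True, 'all_squash': True, 'anonuid': 510}."""
    opts = {}
    for item in filter(None, text.split(",")):
        key, _, value = item.partition("=")
        opts[key] = int(value) if value else True
    return opts


def squash(uid, gid, opts):
    """Identity the server acts as, given the uid/gid the client put in the request."""
    anon_uid = opts.get("anonuid", ANON_DEFAULT)
    anon_gid = opts.get("anongid", ANON_DEFAULT)
    if "all_squash" in opts:                    # everyone becomes the anonymous account
        return anon_uid, anon_gid
    if "no_root_squash" not in opts:            # root_squash is the default
        uid = anon_uid if uid == 0 else uid     # only uid 0 / gid 0 are remapped
        gid = anon_gid if gid == 0 else gid
    return uid, gid


def permitted(want, uid, gid, owner, group, mode, acl=None):
    """Simplified POSIX check for one of 'r', 'w', 'x', with optional named-user ACL entries."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == 0:
        return True                             # an unsquashed root bypasses the mode bits
    if uid == owner:
        return bool((mode >> 6) & bit)
    if acl and uid in acl:                      # the transcript's setfacl -m u:hadoop:rwx
        return want in acl[uid]
    if gid == group:
        return bool((mode >> 3) & bit)
    return bool(mode & bit)


# Constructed models of the objects in the transcript above.
SHARED_DIR = dict(owner=0, group=0, mode=0o755, acl={501: "rwx"})   # /shared after setfacl
A_HADOOP = dict(owner=501, group=501, mode=0o664)                   # a.hadoop, created by hadoop
NFSTEST = dict(owner=510, group=510, mode=0o644)                    # nfstest, chowned to uid 510


def can_modify_directory(client_uid, client_gid, export_opts, directory=SHARED_DIR):
    """Creating or deleting an entry needs an rw export plus write and search on the directory."""
    opts = parse_options(export_opts)
    if "rw" not in opts:
        return False                            # ro export: the server answers 'read-only file system'
    uid, gid = squash(client_uid, client_gid, opts)
    return permitted("w", uid, gid, **directory) and permitted("x", uid, gid, **directory)


def can_write_file(client_uid, client_gid, export_opts, fileinfo):
    """Whether a client identity may write an existing file on the export."""
    opts = parse_options(export_opts)
    if "rw" not in opts:
        return False
    uid, gid = squash(client_uid, client_gid, opts)
    return permitted("w", uid, gid, **fileinfo)


if __name__ == "__main__":
    print("openstack(501) touch on rw export:", can_modify_directory(501, 501, "rw"))
    print("client root rm on rw export:      ", can_modify_directory(0, 0, "rw"))
    print("client root write nfstest, all_squash to 510:",
          can_write_file(0, 0, "rw,all_squash,anonuid=510,anongid=510", NFSTEST))
```

The three prints reproduce the transcript: openstack can create b.openstack because its uid is hadoop's 501; the client's root is squashed to 65534 and cannot remove it; and under all_squash with anonuid=510 even root arrives as uid 510 and may write nfstest. Flipping the option string to rw,no_root_squash shows why that option hands the client's root the server's root rights on the export.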
[root@Smoke ~]# man exports(read the exports man page)

       rw     Allow  both  read  and write requests on this NFS volume. The default is to disallow any request
              which changes the filesystem.  This can also be made explicit by using the ro option.

       async  This option allows the NFS server to violate the NFS protocol and reply to requests  before  any
              changes made by that request have been committed to stable storage (e.g. disc drive).

       sync   Reply to requests only after the changes have  been  committed  to  stable  storage  (see  async
              above).

Mounting the nfs export automatically at boot:
[root@Smoke ~]# vim /etc/fstab(edit the fstab file)

LABEL=/                 /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
LABEL=SWAP-sda3         swap                    swap    defaults        0 0
172.16.100.1:/shared    /mnt/nfs                nfs     defaults        0 0
[root@Smoke ~]# man mount(read the mount man page)

              _rnetdev
                     Like _netdev, except "fsck -a" checks this filesystem during rc.sysinit.(marks the entry as a network device: if it cannot be mounted at boot the system skips it; without this, a file system listed in fstab that cannot be mounted stops the boot at that point)

_netdev
[root@localhost nfs]# vim /etc/fstab

LABEL=/                 /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
LABEL=SWAP-sda3         swap                    swap    defaults        0 0
172.16.100.1:/shared    /mnt/nfs                nfs     defaults,_rnetdev 0 0


[root@localhost nfs]# cd (change to the user's home directory)
[root@localhost ~]# !umoun (unmount the filesystem mounted on /mnt/nfs)
umount /mnt/nfs/
[root@localhost ~]# mount -a (mount every filesystem listed in fstab)
[root@localhost ~]# mount (show all filesystems mounted on the system)
/dev/sda2 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
/dev/sr0 on /media type iso9660 (ro)
172.16.100.1:/shared on /mnt/nfs type nfs (rw,addr=172.16.100.1)
[root@Smoke ~]# vim /etc/exports 

/shared         172.16.0.0/16(rw,all_squash,anonuid=510,anongid=510)

[root@Smoke ~]# vim /etc/sysconfig/nfs (edit the nfs file to pin the helper daemons to fixed ports)

#MOUNTD_PORT=892
MOUNTD_PORT=892

#RQUOTAD_PORT=875
RQUOTAD_PORT=875

#LOCKD_TCPPORT=32803
LOCKD_TCPPORT=32803

#LOCKD_UDPPORT=32769
LOCKD_UDPPORT=32769

[root@Smoke ~]# service nfs restart (restart the nfs service)
Shutting down NFS mountd:                                  [  OK  ]
Shutting down NFS daemon:                                  [  OK  ]
Shutting down NFS quotas:                                  [  OK  ]
Shutting down NFS services:                                [  OK  ]
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]
[root@Smoke ~]# rpcinfo -p localhost (show the ports every RPC service on this host listens on)
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    849  status
    100024    1   tcp    852  status
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  32769  nlockmgr
    100021    3   udp  32769  nlockmgr
    100021    4   udp  32769  nlockmgr
    100021    1   tcp  32803  nlockmgr
    100021    3   tcp  32803  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp    892  mountd
    100005    1   tcp    892  mountd
    100005    2   udp    892  mountd
    100005    2   tcp    892  mountd
    100005    3   udp    892  mountd
    100005    3   tcp    892  mountd
Tip: rquotad and mountd now use fixed ports (as do nlockmgr on 32803/tcp and 32769/udp), so firewall rules can allow exactly these ports instead of the random ones the portmapper would otherwise assign;
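As an added example (not part of the course notes), a POSIX shell check that parses `rpcinfo -p` output, verifies the daemons really sit on the fixed ports set in /etc/sysconfig/nfs above, and prints the matching iptables allow rules. The sample rpcinfo listing embedded in it is constructed from the values shown on this page, and the 172.16.0.0/16 client network is the one used in /etc/exports.

```shell
# Added example, not from the course notes. Reads `rpcinfo -p` output on stdin and
# checks that each NFS helper daemon sits on the fixed port configured in
# /etc/sysconfig/nfs (values as used above), so a firewall can allow exactly those.
# Prints every deviation; returns 0 when all expected services are on their ports.
check_nfs_ports() {
    awk '
        BEGIN {
            want["mountd tcp"]   = 892;   want["mountd udp"]   = 892
            want["rquotad tcp"]  = 875;   want["rquotad udp"]  = 875
            want["nlockmgr tcp"] = 32803; want["nlockmgr udp"] = 32769
            want["nfs tcp"]      = 2049;  want["nfs udp"]      = 2049
            bad = 0
        }
        # data rows: program vers proto port service (the header line has 4 fields)
        NF == 5 && $1 ~ /^[0-9]+$/ {
            key = $5 " " $3
            if (key in want) {
                seen[key] = 1
                if ($4 != want[key]) {
                    printf "%s %s on %s, expected %d\n", $5, $3, $4, want[key]; bad = 1
                }
            }
        }
        END {
            for (k in want) if (!(k in seen)) { printf "%s not registered\n", k; bad = 1 }
            exit bad
        }'
}
# Emits one iptables ACCEPT rule per distinct (proto, port) pair found in the
# rpcinfo output, restricted to the client network given as $1 (the page uses
# 172.16.0.0/16 in /etc/exports). Rules are printed, not applied.
nfs_iptables_rules() {
    awk -v src="$1" 'NF == 5 && $1 ~ /^[0-9]+$/ && !seen[$3 " " $4]++ {
        printf "iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n", src, $3, $4
    }'
}
# Constructed sample rpcinfo output, trimmed from the listing shown on this page.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100005    1   tcp    892  mountd
    100005    1   udp    892  mountd
    100011    1   tcp    875  rquotad
    100011    1   udp    875  rquotad
    100021    1   tcp  32803  nlockmgr
    100021    1   udp  32769  nlockmgr
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs'
printf '%s\n' "$SAMPLE_RPCINFO" | check_nfs_ports && echo "all NFS daemons on fixed ports"
```

On a live server run `rpcinfo -p localhost | check_nfs_ports` after each restart, and `rpcinfo -p localhost | nfs_iptables_rules 172.16.0.0/16` to review the rule set before loading it.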