###############################
#######   ldap网络帐号    #######
###############################
1.ldap是什么
ldap目录服务认证和windows活动目录类似就是记录数据的一种方式

2.ldap客户端所须软件
yum install sssd krb5-workstation -y

3.如何开启ldap用户认证
authconfig-tui

┌────────────────┤ Authentication Configuration ├─────────────────┐
│                                                                 │
│  User Information        Authentication                         │
│  [ ] Cache Information   [ ] Use MD5 Passwords                  │
│  [*] Use LDAP            [*] Use Shadow Passwords               │
│  [ ] Use NIS             [ ] Use LDAP Authentication            │
│  [ ] Use IPAv2           [*] Use Kerberos                       │
│  [ ] Use Winbind         [ ] Use Fingerprint reader             │
│                          [ ] Use Winbind Authentication         │
│                          [*] Local authorization is sufficient  │
│                                                                 │
│            ┌────────┐                      ┌──────┐             │
│            │ Cancel │                      │ Next │             │
│            └────────┘                      └──────┘             │
│                                                                 │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

┌─────────────────┤ LDAP Settings ├─────────────────┐
│                                                   │
│          [*] Use TLS                              │
│  Server: ldap://classroom.example.com/___________ │
│ Base DN: dc=example,dc=com_______________________ │
│                                                   │
│         ┌──────┐                ┌──────┐          │
│         │ Back │                │ Next │          │
│         └──────┘                └──────┘          │
│                                                   │
│                                                   │
└───────────────────────────────────────────────────┘

┌─────────────────┤ Kerberos Settings ├──────────────────┐
│                                                        │
│        Realm: EXAMPLE.COM_____________________________ │
│          KDC: classroom.example.com___________________ │
│ Admin Server: classroom.example.com___________________ │
│               [ ] Use DNS to resolve hosts to realms   │
│               [ ] Use DNS to locate KDCs for realms    │
│                                                        │
│          ┌──────┐                    ┌────┐            │
│          │ Back │                    │ Ok │            │
│          └──────┘                    └────┘            │
│                                                        │
│                                                        │
└────────────────────────────────────────────────────────┘

<当出现以下报错时>
┌────────────────┤ Warning ├─────────────────┐
│                                            │
│ To connect to a LDAP server with TLS       │
│ protocol enabled you need a CA certificate │
│ which signed your server's certificate.    │
│ Copy the certificate in the PEM format to  │
│ the '/etc/openldap/cacerts' directory.     │
│ Then press OK.                             │
│                                            │
│                  ┌────┐                    │
│                  │ Ok │                    │
│                  └────┘                    │
│                                            │
│                                            │
└────────────────────────────────────────────┘
是因为 TLS 所需的 CA 证书缺失，需要把签发 LDAP 服务器证书的 CA 证书(PEM 格式)下载到 /etc/openldap/cacerts。
注意：这个 CA 证书是 LDAP TLS 的信任锚，而下面是通过明文 HTTP 下载的，传输途中若被篡改，TLS 就失去意义；生产环境应通过带外方式核对证书指纹(例如 openssl x509 -in example-ca.crt -noout -fingerprint)后再放入该目录。
用到的命令(在 /etc/openldap/cacerts 目录下执行)
wget http://172.25.254.254/pub/example-ca.crt

<测试>
getent passwd ldapuser1
如果用户信息可以正常显示，证明客户端的 LDAP 用户信息查询已配置成功(这只验证 sssd 能查到用户，不验证 Kerberos 口令认证；口令认证需实际登录测试)。

4.自动挂载用户家目录
yum install autofs -y
vim /etc/auto.master        ##注意文件名是 auto.master，不是 autofs.master
/home/guests    /etc/auto.ldap

vim /etc/auto.ldap
ldapuser1    172.25.254.254:/home/guests/ldapuser1
-----------------------------------------------------
*        172.25.254.254:/home/guests/&

systemctl restart autofs
systemctl enable autofs        ##开机自启，否则重启后家目录不会自动挂载

ldap服务端配置在企业部分讲

####################
client:
[root@desktop15 ~]# grep bash$ /etc/passwd
root:x:0:0:root:/root:/bin/bash
student:x:1000:1000:Student User:/home/student:/bin/bash
[root@desktop15 ~]# getent passwd root
root:x:0:0:root:/root:/bin/bash
[root@desktop15 ~]# getent passwd student
student:x:1000:1000:Student User:/home/student:/bin/bash
[root@desktop15 ~]# getent passwd ldapuser1
[root@desktop15 ~]# getent passwd ldapuser2
[root@desktop15 ~]# getent passwd ldapuser3
[root@desktop15 ~]# yum install sssd krb5-workstation -y
......
>>>
=====方法1=====
[root@desktop15 ~]# authconfig-tui
......
[root@desktop15 ~]# cd /etc/openldap
[root@desktop15 openldap]# ls
cacerts  certs  ldap.conf
=====方法2=====
[root@desktop15 ~]# cd /etc/openldap
[root@desktop15 openldap]# ls
certs  ldap.conf
[root@desktop15 openldap]# mkdir cacerts/
>>>
[root@desktop15 openldap]# cd cacerts/
[root@desktop15 cacerts]# ls
[root@desktop15 cacerts]# wget http://172.25.254.254/pub/example-ca.crt
--2016-11-12 20:35:59--  http://172.25.254.254/pub/example-ca.crt
Connecting to 172.25.254.254:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1220 (1.2K)
Saving to: ‘example-ca.crt’

100%[=================================>] 1,220       --.-K/s   in 0s      

2016-11-12 20:35:59 (165 MB/s) - ‘example-ca.crt’ saved [1220/1220]

[root@desktop15 cacerts]# ls
example-ca.crt
[root@desktop15 cacerts]# authconfig-tui
......
[root@desktop15 cacerts]# getent passwd ldapuser1
ldapuser1:*:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash
[root@desktop15 cacerts]# su - ldapuser1
su: warning: cannot change directory to /home/guests/ldapuser1: No such file directory
mkdir: cannot create directory '/home/guests': Permission denied
-bash-4.2$ whoami
ldapuser1
-bash-4.2$ pwd
/etc/openldap/cacerts
-bash-4.2$ logout
[root@desktop15 cacerts]# ping classroom.example.com
PING classroom.example.com (172.25.254.254) 56(84) bytes of data.
64 bytes from classroom.example.com (172.25.254.254): icmp_seq=1 ttl=64 time=0.456 ms
64 bytes from classroom.example.com (172.25.254.254): icmp_seq=2 ttl=64 time=0.326 ms
......
[root@desktop15 cacerts]# getent passwd ldapuser1
ldapuser1:*:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash
[root@desktop15 cacerts]# getent passwd | grep ldapuser
[root@desktop15 cacerts]# man 5 sssd.conf
--------------------------------------------------
/bool                ##with values of “TRUE/FALSE”。bool的取值相当于功能的开关
按"n"向下查找
       enumerate (bool)        ##枚举
           Determines if a domain can be enumerated. This parameter can have
           one of the following values:

           TRUE = Users and groups are enumerated

           FALSE = No enumerations for this domain

           Default: FALSE
--------------------------------------------------
[root@desktop15 cacerts]# vim /etc/sssd/sssd.conf
--------------------------------------------------
 16 enumerate = True        ##仅用于测试：枚举会让 sssd 拉取并缓存整个目录，开销大，也会把全部账号列表暴露给本机任何能执行 getent 的用户；单个用户查询(getent passwd ldapuser1)不需要它，生产环境保持默认 FALSE
:wq
--------------------------------------------------
[root@desktop15 cacerts]# systemctl restart sssd.service
[root@desktop15 cacerts]# getent passwd | grep ldapuser
ldapuser10:*:1710:1710:LDAP Test User 10:/home/guests/ldapuser10:/bin/bash
ldapuser11:*:1711:1711:LDAP Test User 11:/home/guests/ldapuser11:/bin/bash
ldapuser12:*:1712:1712:LDAP Test User 12:/home/guests/ldapuser12:/bin/bash
ldapuser13:*:1713:1713:LDAP Test User 13:/home/guests/ldapuser13:/bin/bash
ldapuser14:*:1714:1714:LDAP Test User 14:/home/guests/ldapuser14:/bin/bash
ldapuser15:*:1715:1715:LDAP Test User 15:/home/guests/ldapuser15:/bin/bash
ldapuser16:*:1716:1716:LDAP Test User 16:/home/guests/ldapuser16:/bin/bash
ldapuser17:*:1717:1717:LDAP Test User 17:/home/guests/ldapuser17:/bin/bash
ldapuser18:*:1718:1718:LDAP Test User 18:/home/guests/ldapuser18:/bin/bash
ldapuser19:*:1719:1719:LDAP Test User 19:/home/guests/ldapuser19:/bin/bash
ldapuser20:*:1720:1720:LDAP Test User 20:/home/guests/ldapuser20:/bin/bash
ldapuser0:*:1700:1700:LDAP Test User 0:/home/guests/ldapuser0:/bin/bash
ldapuser1:*:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash
ldapuser2:*:1702:1702:LDAP Test User 2:/home/guests/ldapuser2:/bin/bash
ldapuser3:*:1703:1703:LDAP Test User 3:/home/guests/ldapuser3:/bin/bash
ldapuser4:*:1704:1704:LDAP Test User 4:/home/guests/ldapuser4:/bin/bash
ldapuser5:*:1705:1705:LDAP Test User 5:/home/guests/ldapuser5:/bin/bash
ldapuser6:*:1706:1706:LDAP Test User 6:/home/guests/ldapuser6:/bin/bash
ldapuser7:*:1707:1707:LDAP Test User 7:/home/guests/ldapuser7:/bin/bash
ldapuser8:*:1708:1708:LDAP Test User 8:/home/guests/ldapuser8:/bin/bash
ldapuser9:*:1709:1709:LDAP Test User 9:/home/guests/ldapuser9:/bin/bash
[root@desktop15 cacerts]# yum install autofs -y
......
[root@desktop15 cacerts]# vim /etc/auto.master
--------------------------------------------------
 14 /home/guests    /etc/auto.ldap
:wq
--------------------------------------------------
[root@desktop15 cacerts]# showmount -e 172.25.254.254
Export list for 172.25.254.254:
/home/guests 172.25.0.0/255.255.0.0
[root@desktop15 cacerts]# vim /etc/auto.ldap
--------------------------------------------------
ldapuser1       172.25.254.254:/home/guests/ldapuser1
:wq
--------------------------------------------------
[root@desktop15 cacerts]# systemctl restart autofs
[root@desktop15 cacerts]# su - ldapuser1
Last login: Sat Nov 12 20:32:55 EST 2016 on pts/0
[ldapuser1@desktop15 ~]# logout
[root@desktop15 cacerts]# vim /etc/auto.ldap
--------------------------------------------------
*       172.25.254.254:/home/guests/&
:wq
--------------------------------------------------
[root@desktop15 cacerts]# systemctl restart autofs
[root@desktop15 cacerts]# systemctl enable autofs
ln -s '/usr/lib/systemd/system/autofs.service' '/etc/systemd/system/multi-user.target.wants/autofs.service'
>注销图形使用ldapuser{0..20}重新登陆desktop0密码均为kerberos
>如果登陆时画面一闪又退回到登陆界面。说明配置有问题请检查配置。
>进入图形表示配置正确
>打开另外一台虚拟机"server15"编写脚本
[root@server15 ~]# authconfig --help |less    ##查看命令解释
[root@server15 ~]# vim set-ldap.sh
--------------------------------------------------
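#!/bin/bash
# set-ldap.sh — configure this host as an LDAP (user information) + Kerberos
# (authentication) client via sssd, and automount LDAP users' home directories
# from the classroom NFS server.
#
# Must run as root. The lab values (classroom.example.com, 172.25.254.254,
# EXAMPLE.COM, dc=example,dc=com) are collected at the top; adjust them for
# any other environment.
set -euo pipefail

readonly LDAP_SERVER="classroom.example.com"
readonly LDAP_BASEDN="dc=example,dc=com"
readonly KRB5_REALM="EXAMPLE.COM"
readonly KRB5_SERVER="classroom.example.com"
readonly CA_URL="http://172.25.254.254/pub/example-ca.crt"
readonly NFS_SERVER="172.25.254.254"
readonly HOME_BASE="/home/guests"
readonly AUTO_MAP="/etc/auto.ldap"

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ "$(id -u)" -eq 0 ]] || die "set-ldap.sh: must run as root"

echo "install software ing ..."
# Package output is hidden, so check the exit status explicitly.
yum install sssd krb5-workstation autofs -y &> /dev/null \
  || die "set-ldap.sh: package installation failed"

echo "config ldap auth client ing ..."
# NOTE(security): --ldaploadcacert fetches the CA certificate over plain HTTP.
# That CA is the trust anchor for LDAP TLS, so anyone able to tamper with the
# download could substitute their own CA. Acceptable only inside the lab;
# elsewhere verify the certificate fingerprint out of band before trusting it.
authconfig \
  --enableldap \
  --enablekrb5 \
  --disableldapauth \
  --enableldaptls \
  --ldaploadcacert="$CA_URL" \
  --ldapserver="$LDAP_SERVER" \
  --ldapbasedn="$LDAP_BASEDN" \
  --krb5realm="$KRB5_REALM" \
  --krb5kdc="$KRB5_SERVER" \
  --krb5adminserver="$KRB5_SERVER" \
  --enablesssd \
  --enablesssdauth \
  --update || die "set-ldap.sh: authconfig failed"

echo "config ldap user's home directory ing ..."
# Append each autofs entry only if it is not already present, so re-running
# the script does not stack duplicate map lines.
grep -qF "$HOME_BASE" /etc/auto.master 2>/dev/null \
  || printf '%s\t%s\n' "$HOME_BASE" "$AUTO_MAP" >> /etc/auto.master
grep -qF "${NFS_SERVER}:${HOME_BASE}/&" "$AUTO_MAP" 2>/dev/null \
  || printf '*\t%s:%s/&\n' "$NFS_SERVER" "$HOME_BASE" >> "$AUTO_MAP"
systemctl restart autofs || die "set-ldap.sh: autofs restart failed"
systemctl enable autofs &> /dev/null

echo "all is successfully !!!"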
--------------------------------------------------
##编写完脚本authconfig部分的配置使用命令"authconfig-tui"检查同时确保网络畅通。
[root@server15 ~]# chmod +x set-ldap.sh
[root@server15 ~]# ./set-ldap.sh
[root@server15 ~]# getent passwd ldapuser1
ldapuser1:*:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash
>注销图形使用ldapuser{0..20}重新登陆desktop0密码均为kerberos
>如果登陆时画面一闪又退回到登陆界面。说明脚本有问题请检查脚本。
>进入图形表示配置正确
####################

####################
#### vsftpd服务    ####
####################
接11.12的笔记

####################
服务端
[root@server ~]# yum install vsftpd -y
[root@server ~]# systemctl start vsftpd
[root@server ~]# systemctl enable vsftpd
[root@server ~]# firewall-cmd --permanent --add-service=ftp
[root@server ~]# firewall-cmd --reload
##以上输出省略
[root@server ~]# vim /etc/sysconfig/selinux
--------------------------------------------------
 7 SELINUX=disabled
:wq
--------------------------------------------------
[root@server ~]# reboot
##等待重启。注意：这里为了省事整机关闭了 SELinux，相当于撤掉了主机上所有服务的强制访问控制；更合理的做法是保持 enforcing，只打开 vsftpd 需要的布尔值(用 getsebool -a | grep ftp 查看，用 setsebool -P 永久打开)。
[root@server ~]# chgrp ftp /var/ftp/pub/
[root@server ~]# chmod 775 /var/ftp/pub/        ##让 ftp 组(匿名用户所属)对 pub 可写，这是匿名上传的前提；只有确实需要匿名上传时才这样做
####################

#<匿名上传文件的属主修改>
chown_uploads=YES
chown_username=student        ##应指定一个无特权的专用账号；man 手册中该项默认值是 root，切勿用 root 接收匿名上传的文件

####################
服务端
[root@server ~]# man 5 vsftpd.conf
--------------------------------------------------
       chown_uploads
              If  enabled, all anonymously uploaded files will have the owner‐
              ship changed to the user specified in  the  setting  chown_user‐
              name.   This is useful from an administrative, and perhaps secu‐
              rity, standpoint.

              Default: NO

       chown_username
              This  is  the  name of the user who is given ownership of anony‐
              mously uploaded files. This option is only relevant  if  another
              option, chown_uploads, is set.

              Default: root
--------------------------------------------------
[root@server ~]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
 29 anon_upload_enable=YES

 48 chown_uploads=YES
 49 chown_username=student
:wq
--------------------------------------------------
[root@server ~]# systemctl restart vsftpd
客户端
[root@desktop ~]# yum install lftp -y
[root@desktop ~]# lftp 172.25.50.200
lftp 172.25.50.200:/> cd pub/
lftp 172.25.50.200:/pub> ls
lftp 172.25.50.200:/pub> put /etc/passwd
2005 bytes transferred
lftp 172.25.50.200:/pub> ls
-rw-------    1 1000     50           2005 Nov 18 01:52 passwd
lftp 172.25.50.200:/pub> exit
服务端
[root@server ~]# cd /var/ftp/pub/
[root@server pub]# ll
total 4
-rw-------. 1 student ftp 2005 Nov 17 20:52 passwd
[root@server pub]# rm -fr *
####################

#<最大上传速率>
anon_max_rate=102400

####################
客户端
[root@desktop ~]# dd if=/dev/zero of=/mnt/file bs=1M count=1000
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB) copied, 20.4023 s, 51.4 MB/s
[root@desktop ~]# lftp 172.25.50.200
lftp 172.25.50.200:/> cd pub/
lftp 172.25.50.200:/pub> ls
lftp 172.25.50.200:/pub> put /mnt/file
1048576000 bytes transferred in 26 seconds (38.28M/s)
lftp 172.25.50.200:/pub> exit
服务端
[root@server pub]# man 5 vsftpd.conf
--------------------------------------------------
       anon_max_rate
              The maximum data transfer rate permitted, in bytes  per  second,
              for anonymous clients.

              Default: 0 (unlimited)
--------------------------------------------------
[root@server pub]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
 30 anon_max_rate=10240000            ##单位是字节/秒，即限制为约每秒10MB

 49 #chown_uploads=YES
 50 #chown_username=student
:wq
--------------------------------------------------
[root@server pub]# systemctl restart vsftpd
[root@server pub]# ls
file
[root@server pub]# rm -fr *
客户端
[root@desktop ~]# lftp 172.25.50.200
lftp 172.25.50.200:/> cd pub/
lftp 172.25.50.200:/pub> ls
lftp 172.25.50.200:/pub> put /mnt/file
1048576000 bytes transferred in 102 seconds (9.76M/s)
lftp 172.25.50.200:/pub>
服务端
[root@server pub]# ls
file
[root@server pub]# rm -fr *
####################

#<最大链接数>
max_clients=2

####################
真机
[root@foundation50 Desktop]# lftp 172.25.50.200
lftp 172.25.50.200:~> ls
drwxrwxr-x    2 0        50             17 Nov 18 02:19 pub
lftp 172.25.50.200:~> exit
##虚拟机desktop使用lftp登陆后真机再使用lftp登陆不受影响
服务端
[root@server pub]# man 5 vsftpd.conf
--------------------------------------------------
       max_clients
              If vsftpd is in standalone mode, this is the maximum  number  of
              clients  which may be connected. Any additional clients connect‐
              ing will get an error message.

              Default: 0 (unlimited)
--------------------------------------------------
[root@server pub]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
 30 max_clients=1
:wq
--------------------------------------------------
[root@server pub]# systemctl restart vsftpd
真机
[root@foundation50 Desktop]# lftp 172.25.50.200
lftp 172.25.50.200:~> ls
Interrupt                  
lftp 172.25.50.200:~> exit
##虚拟机desktop使用lftp登陆后真机再使用lftp登陆无法执行任何操作
####################

2)本地用户设定
local_enable=YES|NO        ##是否允许本地用户登陆
write_enable=YES|NO        ##是否允许改变文件系统的 FTP 命令(上传、删除、重命名、建目录等)
##注意：FTP 以明文传输本地用户的口令，开放本地用户登陆时应启用 vsftpd 的 TLS(ssl_enable)或改用 SFTP；下面实验中口令与用户名相同仅限实验环境。

####################
服务端
[root@server pub]# useradd westos
[root@server pub]# echo westos | passwd westos --stdin
Changing password for user westos.
passwd: all authentication tokens updated successfully.
[root@server pub]# useradd redhat
[root@server pub]# echo redhat | passwd redhat --stdin
Changing password for user redhat.
passwd: all authentication tokens updated successfully.
[root@server pub]# id westos
uid=1001(westos) gid=1001(westos) groups=1001(westos)
[root@server pub]# id redhat
uid=1002(redhat) gid=1002(redhat) groups=1002(redhat)
客户端
lftp 172.25.50.200:/pub> exit
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp westos@172.25.50.200:~> ls
lftp westos@172.25.50.200:~> put /etc/passwd
2005 bytes transferred
lftp westos@172.25.50.200:~> ls
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp westos@172.25.50.200:~> exit
服务端
[root@server pub]# cd /home/westos
[root@server westos]# ls
passwd
[root@server westos]# man 5 vsftpd.conf
--------------------------------------------------
       local_enable
              Controls whether local logins are permitted or not. If  enabled,
              normal user accounts in /etc/passwd (or wherever your PAM config
              references) may be used to log in. This must be enable  for  any
              non-anonymous login to work, including virtual users.

              Default: NO
--------------------------------------------------
[root@server westos]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
修改
 16 local_enable=NO
删除
 30 max_clients=1
--------------------------------------------------
[root@server westos]# systemctl restart vsftpd.service
客户端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp westos@172.25.50.200:~> ls       
ls: Login failed: 530 This FTP server is anonymous only.
lftp westos@172.25.50.200:~> exit
服务端
[root@server westos]# man 5 vsftpd.conf
--------------------------------------------------
       write_enable
              This controls whether any FTP commands which change the filesys‐
              tem  are  allowed  or not. These commands are: STOR, DELE, RNFR,
              RNTO, MKD, RMD, APPE and SITE.

              Default: NO
--------------------------------------------------
[root@server westos]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
 16 local_enable=YES

 19 write_enable=NO
:wq
--------------------------------------------------
[root@server westos]# systemctl restart vsftpd.service
客户端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp westos@172.25.50.200:~> ls       
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp westos@172.25.50.200:~> put /etc/group
put: Access failed: 550 Permission denied. (group)
lftp westos@172.25.50.200:~> exit
####################

#<本地用户登陆后所在目录修改>
local_root=/directory        ##注意：下面示例把本地用户指向 /etc 且同时 write_enable=YES，仅作演示；生产中不要把 local_root 指向系统目录

####################
服务端
[root@server westos]# man 5 vsftpd.conf
--------------------------------------------------
       local_root
              This option represents a directory  which  vsftpd  will  try  to
              change into after a local (i.e. non-anonymous) login. Failure is
              silently ignored.

              Default: (none)
--------------------------------------------------
[root@server westos]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
 17 local_root=/etc

 20 write_enable=YES
:wq
--------------------------------------------------
[root@server westos]# systemctl restart vsftpd.service
客户端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp westos@172.25.50.200:~> ls       
......
lftp westos@172.25.50.200:~> exit
####################

#<本地用户上传文件权限>
local_umask=xxx

####################
服务端
[root@server westos]# man 5 vsftpd.conf
--------------------------------------------------
       local_umask
              The  value  that the umask for file creation is set to for local
              users. NOTE! If you want to specify octal values,  remember  the
              "0"  prefix  otherwise  the  value  will be treated as a base 10
              integer!

              Default: 077
--------------------------------------------------
[root@server westos]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
删除
 17 local_root=/etc
修改
 23 local_umask=077                ##原来是022(上传的文件对其他用户可读)，改为077后上传的文件只有属主可读写
:wq
--------------------------------------------------
[root@server westos]# systemctl restart vsftpd.service
客户端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp westos@172.25.50.200:~> put /etc/group
850 bytes transferred                                          
lftp westos@172.25.50.200:~> ls
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp westos@172.25.50.200:~> exit
####################

#<限制本地用户浏览/目录>
所有本地用户被锁定(chroot)在自己的家目录中，看不到家目录以外的内容
chroot_local_user=YES
chmod u-w /home/*        ##vsftpd 拒绝可写的 chroot 根目录(见下面的 500 OOPS 报错)，所以要去掉家目录本身的属主写权限；副作用是用户不能再直接在家目录根下新建文件，只能在家目录内可写的子目录中上传

####################
[root@desktop ~]# lftp 172.25.50.200 -u redhat
Password:
lftp redhat@172.25.50.200:~> ls       
lftp redhat@172.25.50.200:~> cd /
cd ok, cwd=/
lftp redhat@172.25.50.200:/> ls
lrwxrwxrwx    1 0        0               7 May 07  2014 bin -> usr/bin
dr-xr-xr-x    4 0        0            4096 Jul 10  2014 boot
drwxr-xr-x   18 0        0            2800 Nov 18 01:00 dev
drwxr-xr-x  134 0        0            8192 Nov 18 02:51 etc
drwxr-xr-x    5 0        0              46 Nov 18 02:44 home
lrwxrwxrwx    1 0        0               7 May 07  2014 lib -> usr/lib
lrwxrwxrwx    1 0        0               9 May 07  2014 lib64 -> usr/lib64
drwxr-xr-x    2 0        0               6 Mar 13  2014 media
drwxr-xr-x    2 0        0               6 Nov 18 02:19 mnt
drwxr-xr-x    3 0        0              15 Jul 10  2014 opt
dr-xr-xr-x  131 0        0               0 Nov 18 00:59 proc
dr-xr-x---   14 0        0            4096 Nov 18 03:19 root
drwxr-xr-x   35 0        0            1140 Nov 18 02:33 run
lrwxrwxrwx    1 0        0               8 May 07  2014 sbin -> usr/sbin
drwxr-xr-x    2 0        0               6 Mar 13  2014 srv
dr-xr-xr-x   13 0        0               0 Nov 18 00:59 sys
drwxrwxrwt   10 0        0            4096 Nov 18 02:33 tmp
drwxr-xr-x   13 0        0            4096 May 07  2014 usr
drwxr-xr-x   23 0        0            4096 Nov 18 00:59 var
lftp redhat@172.25.50.200:/> exit
服务端
[root@server westos]# man 5 vsftpd.conf
--------------------------------------------------
       chroot_local_user
              If set to YES, local users will be  (by  default)  placed  in  a
              chroot()  jail  in  their  home directory after login.  Warning:
              This option has security implications, especially if  the  users
              have upload permission, or shell access. Only enable if you know
              what you are doing.  Note that these security  implications  are
              not  vsftpd  specific. They apply to all FTP daemons which offer
              to put local users in chroot() jails.

              Default: NO
--------------------------------------------------
[root@server westos]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
101 chroot_local_user=YES
:wq
--------------------------------------------------
[root@server westos]# systemctl restart vsftpd.service
客户端
[root@desktop ~]# lftp 172.25.50.200 -u redhat
Password:
lftp redhat@172.25.50.200:~> ls
ls: Login failed: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
lftp redhat@172.25.50.200:~> cd /
cd: Login failed: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
lftp redhat@172.25.50.200:~> exit
服务端
[root@server westos]# ll /home
total 4
drwx------. 4 redhat  redhat    88 Nov 17 21:44 redhat
drwx------. 4 student student   84 Jul 10  2014 student
drwx------. 4 westos  westos  4096 Nov 17 22:16 westos
[root@server westos]# chmod u-w /home/*
[root@server westos]# ll /home
total 4
dr-x------. 4 redhat  redhat    88 Nov 17 21:44 redhat
dr-x------. 4 student student   84 Jul 10  2014 student
dr-x------. 4 westos  westos  4096 Nov 17 22:16 westos
客户端
[root@desktop ~]# lftp 172.25.50.200 -u redhat
Password:
lftp redhat@172.25.50.200:~> ls       
lftp redhat@172.25.50.200:/> cd /
lftp redhat@172.25.50.200:/> ls
lftp redhat@172.25.50.200:/> exit
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp westos@172.25.50.200:~> ls       
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp westos@172.25.50.200:/> cd /
lftp westos@172.25.50.200:/> ls
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp westos@172.25.50.200:/> exit
####################

用户黑名单建立(名单中的用户被 chroot，其余用户不受限)
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

用户白名单建立(名单中的用户不被 chroot，其余用户全部被 chroot)
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
##注意：开启 chroot_list_enable 后名单文件必须存在，否则所有本地用户登陆失败(见下面的 500 OOPS 报错)

####################
服务端
[root@server westos]# man 5 vsftpd.conf
--------------------------------------------------
       chroot_list_enable
              If activated, you may provide a list  of  local  users  who  are
              placed  in  a  chroot() jail in their home directory upon login.
              The meaning is slightly different if chroot_local_user is set to
              YES.  In  this  case, the list becomes a list of users which are
              NOT to be placed in a chroot() jail.  By default, the file  con‐
              taining  this list is /etc/vsftpd/chroot_list, but you may over‐
              ride this with the chroot_list_file setting.

              Default: NO

       chroot_list_file
              The  option  is  the  name  of a file containing a list of local
              users which will be placed in a  chroot()  jail  in  their  home
              directory.   This   option   is  only  relevant  if  the  option
              chroot_list_enable is enabled. If the  option  chroot_local_user
              is  enabled,  then  the list file becomes a list of users to NOT
              place in a chroot() jail.

              Default: /etc/vsftpd.chroot_list
--------------------------------------------------
[root@server westos]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
102 chroot_list_enable=YES

104 chroot_list_file=/etc/vsftpd/chroot_list
:wq
--------------------------------------------------
[root@server westos]# systemctl restart vsftpd.service
客户端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp westos@172.25.50.200:~> ls
ls: Login failed: 500 OOPS: could not read chroot() list file:/etc/vsftpd/chroot_list
lftp westos@172.25.50.200:~> cd /     
cd: Login failed: 500 OOPS: could not read chroot() list file:/etc/vsftpd/chroot_list
lftp westos@172.25.50.200:~> exit
服务端
[root@server westos]# ll /etc/vsftpd/chroot_list
ls: cannot access /etc/vsftpd/chroot_list: No such file or directory
[root@server westos]# touch /etc/vsftpd/chroot_list
客户端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp westos@172.25.50.200:~> ls       
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp westos@172.25.50.200:/> cd /
lftp westos@172.25.50.200:/> ls
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp westos@172.25.50.200:/> exit
服务端
[root@server westos]# vim /etc/vsftpd/chroot_list
--------------------------------------------------
westos
:wq
--------------------------------------------------
客户端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp westos@172.25.50.200:~> ls       
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp westos@172.25.50.200:~> cd /
cd ok, cwd=/
lftp westos@172.25.50.200:/> ls
lrwxrwxrwx    1 0        0               7 May 07  2014 bin -> usr/bin
dr-xr-xr-x    4 0        0            4096 Jul 10  2014 boot
drwxr-xr-x   18 0        0            2800 Nov 18 01:00 dev
drwxr-xr-x  134 0        0            8192 Nov 18 02:51 etc
drwxr-xr-x    5 0        0              46 Nov 18 02:44 home
lrwxrwxrwx    1 0        0               7 May 07  2014 lib -> usr/lib
lrwxrwxrwx    1 0        0               9 May 07  2014 lib64 -> usr/lib64
drwxr-xr-x    2 0        0               6 Mar 13  2014 media
drwxr-xr-x    2 0        0               6 Nov 18 02:19 mnt
drwxr-xr-x    3 0        0              15 Jul 10  2014 opt
dr-xr-xr-x  131 0        0               0 Nov 18 00:59 proc
dr-xr-x---   14 0        0            4096 Nov 18 03:48 root
drwxr-xr-x   35 0        0            1140 Nov 18 02:33 run
lrwxrwxrwx    1 0        0               8 May 07  2014 sbin -> usr/sbin
drwxr-xr-x    2 0        0               6 Mar 13  2014 srv
dr-xr-xr-x   13 0        0               0 Nov 18 00:59 sys
drwxrwxrwt   10 0        0            4096 Nov 18 03:42 tmp
drwxr-xr-x   13 0        0            4096 May 07  2014 usr
drwxr-xr-x   23 0        0            4096 Nov 18 00:59 var
lftp westos@172.25.50.200:/> exit
[root@desktop ~]# lftp 172.25.50.200 -u redhat
Password:
lftp redhat@172.25.50.200:~> ls       
lftp redhat@172.25.50.200:/> cd /
lftp redhat@172.25.50.200:/> ls
lftp redhat@172.25.50.200:/> exit
服务端
[root@server westos]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
101 chroot_local_user=NO
:wq
--------------------------------------------------
[root@server westos]# systemctl restart vsftpd.service
客户端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp westos@172.25.50.200:~> ls       
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp westos@172.25.50.200:/> cd /
lftp westos@172.25.50.200:/> ls
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp westos@172.25.50.200:/> exit
[root@desktop ~]# lftp 172.25.50.200 -u redhat
Password:
lftp redhat@172.25.50.200:~> ls       
lftp redhat@172.25.50.200:~> cd /
cd ok, cwd=/
lftp redhat@172.25.50.200:/> ls
lrwxrwxrwx    1 0        0               7 May 07  2014 bin -> usr/bin
dr-xr-xr-x    4 0        0            4096 Jul 10  2014 boot
drwxr-xr-x   18 0        0            2800 Nov 18 01:00 dev
drwxr-xr-x  134 0        0            8192 Nov 18 02:51 etc
drwxr-xr-x    5 0        0              46 Nov 18 02:44 home
lrwxrwxrwx    1 0        0               7 May 07  2014 lib -> usr/lib
lrwxrwxrwx    1 0        0               9 May 07  2014 lib64 -> usr/lib64
drwxr-xr-x    2 0        0               6 Mar 13  2014 media
drwxr-xr-x    2 0        0               6 Nov 18 02:19 mnt
drwxr-xr-x    3 0        0              15 Jul 10  2014 opt
dr-xr-xr-x  131 0        0               0 Nov 18 00:59 proc
dr-xr-x---   14 0        0            4096 Nov 18 03:56 root
drwxr-xr-x   35 0        0            1140 Nov 18 02:33 run
lrwxrwxrwx    1 0        0               8 May 07  2014 sbin -> usr/sbin
drwxr-xr-x    2 0        0               6 Mar 13  2014 srv
dr-xr-xr-x   13 0        0               0 Nov 18 00:59 sys
drwxrwxrwt   10 0        0            4096 Nov 18 03:42 tmp
drwxr-xr-x   13 0        0            4096 May 07  2014 usr
drwxr-xr-x   23 0        0            4096 Nov 18 00:59 var
lftp redhat@172.25.50.200:/> exit
####################

#<限制本地用户登陆>
vim /etc/vsftpd/ftpusers        ##由 PAM 在 vsftpd 之外强制执行的拒绝名单，与 vsftpd.conf 的 userlist_* 参数无关；用户输入口令后才被拒绝(530 Login incorrect)
vim /etc/vsftpd/user_list        ##由 vsftpd 自己执行的名单，在询问口令之前就拒绝(530 Permission denied)；默认为拒绝名单，由 userlist_deny 决定含义

如果用户不设定密码就会被冻结禁止登陆

####################
服务端
[root@server westos]# cd /etc/vsftpd/
[root@server vsftpd]# ls
chroot_list  ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh
[root@server vsftpd]# vim ftpusers
--------------------------------------------------
在最后添加
westos
:wq
--------------------------------------------------
客户端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp westos@172.25.50.200:~> ls       
ls: Login failed: 530 Login incorrect.          ##直接提示登陆不正确
lftp westos@172.25.50.200:~> exit
[root@desktop ~]# lftp 172.25.50.200 -u redhat
Password:
lftp redhat@172.25.50.200:~> ls       
lftp redhat@172.25.50.200:~> exit
服务端
[root@server vsftpd]# vim ftpusers
--------------------------------------------------
删除
westos
:wq
--------------------------------------------------
[root@server vsftpd]# vim user_list
--------------------------------------------------
在最后添加
westos
:wq
--------------------------------------------------
客户端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp westos@172.25.50.200:~> ls       
ls: Login failed: 530 Permission denied.          
lftp westos@172.25.50.200:~> exit
[root@desktop ~]# lftp 172.25.50.200 -u redhat
Password:
lftp redhat@172.25.50.200:~> ls       
lftp redhat@172.25.50.200:~> exit
####################

用户白名单设定
userlist_deny=NO
/etc/vsftpd/user_list            ##设为 NO 后此文件变成用户白名单，只有名单中出现的用户才可以登陆 ftp；不在名单中的用户在输入密码之前就会被拒绝

####################
服务端
[root@server vsftpd]# man 5 vsftpd.conf
--------------------------------------------------
       userlist_deny
              This  option is examined if userlist_enable is activated. If you
              set this setting to NO, then users will be denied  login  unless
              they   are   explicitly   listed   in   the  file  specified  by
              userlist_file.  When login  is  denied,  the  denial  is  issued
              before the user is asked for a password.

              Default: YES
--------------------------------------------------
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
128 userlist_deny=NO
:wq
--------------------------------------------------
[root@server vsftpd]# systemctl restart vsftpd.service
客户端
[root@desktop ~]# lftp 172.25.50.200 -u westos
Password:
lftp westos@172.25.50.200:~> ls       
-rw-------    1 1001     1001          850 Nov 18 03:16 group
-rw-r--r--    1 1001     1001         2005 Nov 18 02:52 passwd
lftp westos@172.25.50.200:/> exit
[root@desktop ~]# lftp 172.25.50.200 -u redhat
Password:
lftp redhat@172.25.50.200:~> ls       
ls: Login failed: 530 Permission denied.          
lftp redhat@172.25.50.200:~> exit
####################

#<ftp虚拟用户的设定>
创建虚拟帐号身份
vim /etc/vsftpd/loginusers    ##文件名称任意
ftpuser1
123
ftpuser2
123
ftpuser3
123

db_load -T -t hash -f /etc/vsftpd/loginusers loginusers.db
-T    ##表示输入为文本文件（用户名与口令逐行交替），转换后生成 .db 数据库
-t    ##指定数据库类型（此处为 hash），并不是加密方式；用户名和口令在 .db 文件中仍是明文保存，应限制只有 root 可读

vim /etc/pam.d/ckvsftpd        ##文件名称任意
account        required    pam_userdb.so    db=/etc/vsftpd/loginusers
auth        required    pam_userdb.so    db=/etc/vsftpd/loginusers

vim /etc/vsftpd/vsftpd.conf
pam_service_name=ckvsftpd
guest_enable=YES

虚拟帐号身份指定
guest_username=ftpuser
chmod u-w /home/ftpuser

虚拟用户只存在于 ftp 服务中，系统里没有对应帐号；登陆后统一以 guest_username 指定的本地用户身份访问文件系统

####################
服务端
[root@server vsftpd]# vim /etc/vsftpd/userfile
--------------------------------------------------
westos1
123
westos2
123
westos3
123
:wq
--------------------------------------------------
[root@server vsftpd]# db_load -T -t hash -f userfile userfile.db
[root@server vsftpd]# ls
chroot_list  userfile     user_list    vsftpd_conf_migrate.sh
ftpusers     userfile.db  vsftpd.conf
[root@server vsftpd]# rm -fr userfile
[root@server vsftpd]# cat userfile.db
D@&эh^123westos2
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
发现
126 pam_service_name=vsftpd
:q
--------------------------------------------------
[root@server vsftpd]# cat /etc/pam.d/vsftpd
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required    pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required    pam_shells.so
auth       include    password-auth
account    include    password-auth
session    required     pam_loginuid.so
session    include    password-auth
[root@server vsftpd]# find /usr -name pam_userdb.so
/usr/lib64/security/pam_userdb.so
[root@server vsftpd]# vim /etc/pam.d/westos
--------------------------------------------------
account         required        pam_userdb.so   db=/etc/vsftpd/userfile
auth            required        pam_userdb.so   db=/etc/vsftpd/userfile
--------------------------------------------------
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
修改
126 pam_service_name=westos
删除
128 userlist_deny=NO
添加
129 guest_enable=YES
130 guest_username=ftp            ##默认就是ftp
:wq
--------------------------------------------------
[root@server vsftpd]# systemctl restart vsftpd.service
客户端
[root@desktop ~]# lftp 172.25.50.200 -u westos1
Password:
lftp westos1@172.25.50.200:/> cd pub/
lftp westos1@172.25.50.200:/pub> ls
lftp westos1@172.25.50.200:/pub> put /etc/passwd
2005 bytes transferred                                           
lftp westos1@172.25.50.200:/pub> ls
-rw-------    1 14       50           2005 Nov 18 08:14 passwd
lftp westos1@172.25.50.200:/pub> exit
[root@desktop ~]# lftp 172.25.50.200 -u westos2
Password:
lftp westos2@172.25.50.200:~> ls      
drwxrwxr-x    2 0        50             19 Nov 18 08:38 pub
lftp westos2@172.25.50.200:/> exit
[root@desktop ~]# lftp 172.25.50.200 -u westos3
Password:
lftp westos3@172.25.50.200:~> ls      
drwxrwxr-x    2 0        50             19 Nov 18 08:38 pub
lftp westos3@172.25.50.200:/> exit
####################

虚拟帐号家目录独立设定
vim /etc/vsftpd/vsftpd.conf
local_root=/ftpuserhome/$USER
user_sub_token=$USER

####################
服务端
[root@server vsftpd]# mkdir /ftp/westos1 -p
[root@server vsftpd]# mkdir /ftp/westos2 -p
[root@server vsftpd]# mkdir /ftp/westos3 -p
[root@server vsftpd]# touch /ftp/westos1/file1
[root@server vsftpd]# touch /ftp/westos2/file2
[root@server vsftpd]# touch /ftp/westos3/file3
[root@server vsftpd]# echo $USER
root
[root@server vsftpd]# su - student
[student@server ~]$ echo $USER
student
[student@server ~]$ exit
logout
[root@server vsftpd]# vim /etc/vsftpd/vsftpd.conf
--------------------------------------------------
131 local_root=/ftp/$USER
132 user_sub_token=$USER
:wq
--------------------------------------------------
[root@server vsftpd]# systemctl restart vsftpd.service
客户端
[root@desktop ~]# lftp 172.25.50.200 -u westos1
Password:
lftp westos1@172.25.50.200:~> ls      
-rw-r--r--    1 0        0               0 Nov 18 08:50 file1
lftp westos1@172.25.50.200:/> exit
[root@desktop ~]# lftp 172.25.50.200 -u westos2
Password:
lftp westos2@172.25.50.200:~> ls      
-rw-r--r--    1 0        0               0 Nov 18 09:01 file2
lftp westos2@172.25.50.200:/> exit
[root@desktop ~]# lftp 172.25.50.200 -u westos3
Password:
lftp westos3@172.25.50.200:~> ls      
-rw-r--r--    1 0        0               0 Nov 18 09:01 file3
lftp westos3@172.25.50.200:/> exit
####################