pam_mysql 安装配置总结 (结合vsftpd)
前一段时间,论坛里总有朋友问到pam-mysql的安装问题。比较典型的有:
vsftp1.2+mysql4.1+pam_mysql0.5在RedHat AS4(32bit)下好像是有bug
还是mysql虚拟用户和vsftpd的登陆问题?
为了解答类似的问题,我动手试验了一下vsftpd+pam-mysql的配置过程,总结如下:
系统环境:
* RedHat AS 4
* MySQL 4.1.15
* pam_mysql-0.7pre3
说明一下,MySQL我是使用其官方网站的rpm包安装的,包括下面这4个:
1. MySQL-server-standard-4.1.15-0.rhel4.i386.rpm
2. MySQL-client-standard-4.1.15-0.rhel4.i386.rpm
3. MySQL-devel-standard-4.1.15-0.rhel4.i386.rpm
4. MySQL-shared-standard-4.1.15-0.rhel4.i386.rpm
vsftpd是RedHat自带的。
建立用于存放vsftpd虚拟用户的Schema的过程:
vsftp1.2+mysql4.1+pam_mysql0.5在RedHat AS4(32bit)下好像是有bug
还是mysql虚拟用户和vsftpd的登陆问题?
为了解答类似的问题,我动手试验了一下vsftpd+pam-mysql的配置过程,总结如下:
系统环境:
* RedHat AS 4
* MySQL 4.1.15
* pam_mysql-0.7pre3
说明一下,MySQL我是使用其官方网站的rpm包安装的,包括下面这4个:
1. MySQL-server-standard-4.1.15-0.rhel4.i386.rpm
2. MySQL-client-standard-4.1.15-0.rhel4.i386.rpm
3. MySQL-devel-standard-4.1.15-0.rhel4.i386.rpm
4. MySQL-shared-standard-4.1.15-0.rhel4.i386.rpm
vsftpd是RedHat自带的。
建立用于存放vsftpd虚拟用户的Schema的过程:
[Copy to clipboard] [
- ]
CODE:
mysql> create database vsftpd;
mysql> use vsftpd;
mysql> create table users (
-> id int AUTO_INCREMENT NOT NULL,
-> name char(16) binary NOT NULL,
-> passwd char(48) binary NOT NULL,
-> primary key(id)
-> );
mysql> describe users;
+--------+----------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+--------+----------+------+-----+---------+----------------+
| id | int(11) | | PRI | NULL | auto_increment |
| name | char(16) | | | | |
| passwd | char(48) | | | | |
+--------+----------+------+-----+---------+----------------+
mysql> create table logs (msg varchar(255),
-> user char(16),
-> pid int,
-> host char(32),
-> rhost char(32),
-> logtime timestamp
-> );
mysql> describe logs;
+---------+--------------+------+-----+-------------------+-------+
| Field | Type | Null | Key | Default | Extra |
+---------+--------------+------+-----+-------------------+-------+
| msg | varchar(255) | YES | | NULL | |
| user | varchar(16) | YES | | NULL | |
| pid | int(11) | YES | | NULL | |
| host | varchar(32) | YES | | NULL | |
| rhost | varchar(32) | YES | | NULL | |
| logtime | timestamp | YES | | CURRENT_TIMESTAMP | |
+---------+--------------+------+-----+-------------------+-------+
mysql> use vsftpd;
mysql> create table users (
-> id int AUTO_INCREMENT NOT NULL,
-> name char(16) binary NOT NULL,
-> passwd char(48) binary NOT NULL,
-> primary key(id)
-> );
mysql> describe users;
+--------+----------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+--------+----------+------+-----+---------+----------------+
| id | int(11) | | PRI | NULL | auto_increment |
| name | char(16) | | | | |
| passwd | char(48) | | | | |
+--------+----------+------+-----+---------+----------------+
mysql> create table logs (msg varchar(255),
-> user char(16),
-> pid int,
-> host char(32),
-> rhost char(32),
-> logtime timestamp
-> );
mysql> describe logs;
+---------+--------------+------+-----+-------------------+-------+
| Field | Type | Null | Key | Default | Extra |
+---------+--------------+------+-----+-------------------+-------+
| msg | varchar(255) | YES | | NULL | |
| user | varchar(16) | YES | | NULL | |
| pid | int(11) | YES | | NULL | |
| host | varchar(32) | YES | | NULL | |
| rhost | varchar(32) | YES | | NULL | |
| logtime | timestamp | YES | | CURRENT_TIMESTAMP | |
+---------+--------------+------+-----+-------------------+-------+
这里,用户密码这个字段的长度是48。这是根据MySQL加密函数的返回值的长度确定的。关于PASSWORD函数返回值的长度,可以参考这个:
http://dev.mysql.com/doc/refman/4.1/en/password-hashing.html
[Copy to clipboard] [
- ]
CODE:
mysql> select encrypt('foo');
+----------------+
| encrypt('foo') |
+----------------+
| 4Wwn2AXFYb.So |
+----------------+
mysql> select password('foo');
+-------------------------------------------+
| password('foo') |
+-------------------------------------------+
| *F3A2A51A9B0F2BE2468926B4132313728C250DBF |
+-------------------------------------------+
mysql> select md5('foo');
+----------------------------------+
| md5('foo') |
+----------------------------------+
| acbd18db4cc2f85cedef654fccc4a4d8 |
+----------------------------------+
+----------------+
| encrypt('foo') |
+----------------+
| 4Wwn2AXFYb.So |
+----------------+
mysql> select password('foo');
+-------------------------------------------+
| password('foo') |
+-------------------------------------------+
| *F3A2A51A9B0F2BE2468926B4132313728C250DBF |
+-------------------------------------------+
mysql> select md5('foo');
+----------------------------------+
| md5('foo') |
+----------------------------------+
| acbd18db4cc2f85cedef654fccc4a4d8 |
+----------------------------------+
如果你看到的数据与上面不符,那么就要引起注意了,因为这样会导至数据库用户登陆不了,这个问题的原因所在就是/etc/my.cnf中的old_password=1改为0就行了,当然你的数据库vsftpd也要重新创建
编译安装pam_mysql
[Copy to clipboard] [
- ]
CODE:
# ./configure --with-openssl
# make
# make install
# make
# make install
加上--with-openssl可以避免make时报有关md5.h的编译错误
建立/etc/pam.d/vsftpd.mysql(因为只是想验证pam_mysql的安装过程,所以我不想覆盖原有的vsftpd这个文件)。 注意只有两行,auth是一行,account是一行。
[Copy to clipboard] [
- ]
CODE:
auth required /lib/security/pam_mysql.so user=root passwd=123456 host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime verbose=1
account required /lib/security/pam_mysql.so user=root passwd=123456 host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime verbose=1
account required /lib/security/pam_mysql.so user=root passwd=123456 host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime verbose=1
注意这里pam_mysql.so的路径是/lib/security;指定了sqllog;加密方式是2,也就是用MySQL PASSWORD()函数;verbose=1,设置这个可以帮助调试,日志信息输出在/var/log/messages里。
建立/etc/vsftpd/vsftpd.mysql.conf(同样,不影响已有的vsftpd服务,执行service vsftpd restart时会启动两个vsftpd服务,端口不一样)
主要的设置如下:
[Copy to clipboard] [
- ]
CODE:
pam_service_name=vsftpd.mysql
listen=YES
tcp_wrappers=YES
local_enable=YES
guest_enable=YES
guest_username=ftp
listen_port=2121
listen=YES
tcp_wrappers=YES
local_enable=YES
guest_enable=YES
guest_username=ftp
listen_port=2121
注意pam_service_name=vsftpd.mysql指定了使用刚才设置的pam_mysql。
经过我反复测试如果单用vsftpd.mysql.conf上面这段代码,那么可以正常本地登陆,但是会出现421错误,win32窗口下也登陆不了,所以还是要配合/etc/vsftpd/vsftpd.conf文件,具体那个地方导致的,我没有深入研究,只是把pam_service_name=vsftpd.mysql以及guest_username=ftp这两段加到了原始的/etc/vsftpd/vsftpd.conf文件里就成功了
插入用户信息:
插入用户信息:
[Copy to clipboard] [
- ]
CODE:
mysql> insert into users (name,passwd) values('tom',password('foo'));
mysql> insert into users (name,passwd) values('jerry',password('bar'));
mysql> select * from users;
+----+-------+-------------------------------------------+
| id | name | passwd |
+----+-------+-------------------------------------------+
| 1 | tom | *F3A2A51A9B0F2BE2468926B4132313728C250DBF |
| 2 | jerry | *E8D46CE25265E545D225A8A6F1BAF642FEBEE5CB |
+----+-------+-------------------------------------------+
mysql> insert into users (name,passwd) values('jerry',password('bar'));
mysql> select * from users;
+----+-------+-------------------------------------------+
| id | name | passwd |
+----+-------+-------------------------------------------+
| 1 | tom | *F3A2A51A9B0F2BE2468926B4132313728C250DBF |
| 2 | jerry | *E8D46CE25265E545D225A8A6F1BAF642FEBEE5CB |
+----+-------+-------------------------------------------+
启动vsftpd服务,测试配置:
# ftp localhost 2121
登录失败,检查/var/log/messages,发现:
# tail -f /var/log/messages
[Copy to clipboard] [
- ]
CODE:
Nov 29 14:52:04 javadev vsftpd[17683]: PAM unable to dlopen(/lib/security/pam_mysql.so)
Nov 29 14:52:04 javadev vsftpd[17683]: PAM [dlerror: /lib/security/pam_mysql.so: cannot open shared object file: No such file or directory]
Nov 29 14:52:04 javadev vsftpd[17683]: PAM adding faulty module: /lib/security/pam_mysql.so
Nov 29 14:52:04 javadev vsftpd[17683]: PAM [dlerror: /lib/security/pam_mysql.so: cannot open shared object file: No such file or directory]
Nov 29 14:52:04 javadev vsftpd[17683]: PAM adding faulty module: /lib/security/pam_mysql.so
看来是没找到pam_mysql.so,怎么会呢?
用find(也可以用locate,不过得先updatedb一下,慢)找了一下,原来make install的时候默认安装在/usr/local/lib下。修改/etc/pam.d/vsftpd.mysql或者把lib拷到/lib/security目录
[Copy to clipboard] [
- ]
CODE:
auth required /usr/local/lib/security/pam_mysql.so user=root passwd=123456 host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime verbose=1
account required /usr/local/lib/security/pam_mysql.so user=root passwd=123456 host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime verbose=1
account required /usr/local/lib/security/pam_mysql.so user=root passwd=123456 host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime verbose=1
再登录,成功!换用其他加密方式,也都可以。
然后试验pam_mysql v0.7新加的config_file配置选项。这个选项用来指定一个配置文件,可以把所有pam_mysql的配置放在这个文件中。这样的话,/etc/pam.d/vsftpd.mysql的内容变成这样:
[Copy to clipboard] [
- ]
CODE:
auth required /usr/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
account required /usr/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
account required /usr/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
/etc/security/pam_mysql.conf的内容:
[Copy to clipboard] [
- ]
CODE:
users.host=localhost
users.database=vsftpd
users.db_user=root
users.db_passwd=123456
users.table=users
users.user_column=name
users.password_column=passwd
users.password_crypt=3
verbose=1
log.enabled=1
log.table=logs
log.message_column=msg
log.pid_column=pid
log.user_column=user
log.host_column=host
log.rhost_column=rhost
log.time_column=logtime
users.database=vsftpd
users.db_user=root
users.db_passwd=123456
users.table=users
users.user_column=name
users.password_column=passwd
users.password_crypt=3
verbose=1
log.enabled=1
log.table=logs
log.message_column=msg
log.pid_column=pid
log.user_column=user
log.host_column=host
log.rhost_column=rhost
log.time_column=logtime
按照楼主贴的的意思,那么其中users.password_crypt=3就要改为users.password_crypt=2,要不也会出现登陆不了
改好这些以后,用之前建好的虚拟用户登录,居然不行!而且这次/var/log/messages里没有任何错误消息。ls -ltr /var/log 发现secure这个文件最新,试着打开,果然发现了pam_mysql的调试信息:
[Copy to clipboard] [
- ]
CODE:
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option verbose is set to "1"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.enabled is set to "1 "
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.table is set to "logs"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.message_column is set to "msg"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.pid_column is set to "pid"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.user_column is set to "user"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.host_column is set to "host"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.rhost_column is set to "rhost"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.time_column is set to "logtime"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - pam_sm_authenticate() called.
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - pam_mysql_open_db() called.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - MySQL error (Unknown MySQL server host 'localhost ' (3))
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_mysql_open_db() returning 5.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_sm_authenticate() returning 9.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_mysql_release_ctx() called.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_mysql_destroy_ctx() called.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_mysql_close_db() called.
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.enabled is set to "1 "
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.table is set to "logs"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.message_column is set to "msg"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.pid_column is set to "pid"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.user_column is set to "user"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.host_column is set to "host"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.rhost_column is set to "rhost"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - option log.time_column is set to "logtime"
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - pam_sm_authenticate() called.
Dec 26 16:18:37 javadev vsftpd[6175]: pam_mysql - pam_mysql_open_db() called.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - MySQL error (Unknown MySQL server host 'localhost ' (3))
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_mysql_open_db() returning 5.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_sm_authenticate() returning 9.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_mysql_release_ctx() called.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_mysql_destroy_ctx() called.
Dec 26 16:18:42 javadev vsftpd[6175]: pam_mysql - pam_mysql_close_db() called.
仔细检查,发现原因在这里:
pam_mysql - MySQL error (Unknown MySQL server host 'localhost ' (3))
原来配置文件里users.host=localhost 这行行尾多了一个空格!郁闷!修改以后就可以登录了。
最后,我在论坛里回复时说过不能用password这种方式,原因是
2 (or "mysql") = Use MySQL PASSWORD() function. It is possible
that the encryption function used by PAM-MySQL
is different from that of the MySQL server, as
PAM-MySQL uses the function defined in MySQL's
C-client API instead of using PASSWORD() SQL function
in the query.
事实证明我 说错了。 :oops:
还有,两个log可以帮助分析故障(当然可能仅在RedHat下),/var/log/messages和/var/log/secure
如果出现/etc/lib/mysql/mysql.sock(2)类似错误,可以使用下面方法解决
#ln -sf /tmp/mysql.sock /etc/lib/mysql/mysql.sock