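What is the login process for FTP system users
FTP accounts generally come in three kinds. Operating system users are accounts that can actually log in to the operating system, and are also called local users. Virtual users are usually associated with a real system account. Anonymous users, in FTP, usually correspond to the ftp user.
To understand how a system user logs in, we need to look at the configuration files.
First, look at the vsftpd configuration file, vsftpd.conf.
The first relevant setting is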
local_enable=YES
This allows local users, that is, system users, to log in.
Authentication is configured by the following setting
pam_service_name=vsftpd
Authentication goes through PAM, so look at the PAM configuration for this service
cat /etc/pam.d/vsftpd
# Standard behaviour for ftpd(8).
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.
# Standard pam includes
@include common-account
@include common-session
@include common-auth
auth required pam_shells.so
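The file contains 5 rules: three are the standard PAM includes, and the other two are of type auth, using pam_listfile.so and pam_shells.so.
pam_listfile.so -- access control switch for the application
What pam_listfile.so does can be looked up with man pam_listfile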
PAM_LISTFILE(8) Linux-PAM Manual PAM_LISTFILE(8)
NAME
pam_listfile - deny or allow services based on an arbitrary file
SYNOPSIS
pam_listfile.so item=[tty|user|rhost|ruser|group|shell]
sense=[allow|deny] file=/path/filename
onerr=[succeed|fail] [apply=[user|@group]] [quiet]
DESCRIPTION
pam_listfile is a PAM module which provides a way to deny or allow
services based on an arbitrary file.
The module gets the item of the type specified -- user specifies the
username, PAM_USER; tty specifies the name of the terminal over which
the request has been made, PAM_TTY; rhost specifies the name of the
remote host (if any) from which the request was made, PAM_RHOST; and
ruser specifies the name of the remote user (if available) who made the
request, PAM_RUSER -- and looks for an instance of that item in the
file=filename. filename contains one line per item listed. If the item
is found, then if sense=allow, PAM_SUCCESS is returned, causing the
authorization request to succeed; else if sense=deny, PAM_AUTH_ERR is
returned, causing the authorization request to fail.
So pam_listfile.so uses the given file, /etc/ftpusers, to block the users listed in it from logging in.
pam_shells.so
pam_shells - PAM module to check for valid login shell
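The two file-based auth checks in the PAM stack above can be emulated to audit which local accounts get past them. This is an added example, not part of the original page or of vsftpd/Linux-PAM; the function name, the verdict strings and the sample files are assumptions made for illustration, and "pass" only means both checks pass (the password check from common-auth still applies).

```shell
#!/bin/sh
# Emulates the pam_listfile.so and pam_shells.so rules from /etc/pam.d/vsftpd.
# File paths are parameters so the logic can be run against copies.

# ftp_login_verdict USER PASSWD_FILE FTPUSERS_FILE SHELLS_FILE
# Prints one of: deny:listfile, deny:unknown-user, deny:shell, pass
ftp_login_verdict() {
    user=$1 passwd=$2 ftpusers=$3 shells=$4

    # pam_listfile.so item=user sense=deny onerr=succeed:
    # an exact line match denies; an unreadable file fails open.
    if [ -r "$ftpusers" ] && grep -Fxq -- "$user" "$ftpusers"; then
        echo "deny:listfile"; return 0
    fi

    # The login shell is the last field of the passwd entry.
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd")
    if [ -z "$entry" ]; then
        echo "deny:unknown-user"; return 0
    fi
    shell=${entry##*:}

    # pam_shells.so: the shell must be listed in the shells file.
    # Simplification in this sketch: an empty shell field counts as not listed.
    if [ -z "$shell" ] || ! grep -v '^#' "$shells" | grep -Fxq -- "$shell"; then
        echo "deny:shell"; return 0
    fi
    echo "pass"
}

# Constructed sample data (not real system files).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'svc:x:998:998::/srv:/usr/sbin/nologin' > "$d/passwd"
    printf '%s\n' '# users denied FTP' 'root' > "$d/ftpusers"
    printf '%s\n' '# valid shells' '/bin/sh' '/bin/bash' > "$d/shells"
    for u in root alice svc; do
        printf '%s %s\n' "$u" "$(ftp_login_verdict "$u" "$d/passwd" "$d/ftpusers" "$d/shells")"
    done
    rm -rf "$d"
}
demo
```

Because the rule uses onerr=succeed, a missing or unreadable /etc/ftpusers lets every user through the pam_listfile check, so the presence and permissions of that file are worth monitoring.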