Introduction
FTP (File Transfer Protocol) is a protocol for transferring files. It works at layer 7 of the OSI model, layer 4 of the TCP/IP model, that is, the application layer. It runs over TCP rather than UDP: before a client and server exchange data they complete a "three-way handshake", so the connection is reliable and connection-oriented, which gives data transfer a dependable foundation.
Purpose
FTP provides a file-sharing service; much of the media and software distributed on the Internet is delivered through FTP servers.
Dual-channel protocol
FTP uses two connections: a command (control) connection and a data connection.
Modes
Seen from the server's side:
- Active (PORT style): the server initiates the data connection
  - Command (control): client: random port >>> server: tcp/21
  - Data: client: random port <<< server: tcp/20
- Passive (PASV style): the client initiates the data connection
  - Command (control): client: random port >>> server: tcp/21
  - Data: client: random port >>> server: random port
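The two modes differ only in who opens the data connection and how the endpoint is announced. As an added example (mine, not from the article or from vsftpd), the code below decodes the "227 Entering Passive Mode" reply that the ftp client prints in the transcripts later on this page, builds the mirror-image active-mode PORT command, and checks the announced port against a pasv_min_port/pasv_max_port window; the addresses are the page's own lab addresses.

```python
import re

# The "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply that the ftp client
# prints before every listing or transfer in passive mode.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return the (host, port) a passive-mode client must connect to.

    The six numbers are the four address octets followed by the data port
    split into a high and a low byte: port = p1 * 256 + p2.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(not 0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("PASV field outside 0..255")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def build_port_command(host, port):
    """Active mode is the mirror image: the client announces its own listening
    address with PORT h1,h2,h3,h4,p1,p2 and the server connects to it from tcp/20."""
    octets = host.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("bad host or port")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"

def pasv_port_in_range(port, pasv_min=0, pasv_max=0):
    """Firewall check: the announced data port must fall inside the window
    opened for passive mode (pasv_min_port..pasv_max_port). A value of 0 means
    vsftpd may pick any ephemeral port, so there is nothing to check."""
    if pasv_min == 0 and pasv_max == 0:
        return True
    return pasv_min <= port <= (pasv_max or 65535)

if __name__ == "__main__":
    host, port = parse_pasv("227 Entering Passive Mode (192,168,29,131,123,46).")
    print(host, port)                                    # 192.168.29.131 31534
    print(build_port_command("192.168.29.142", 40001))   # PORT 192,168,29,142,156,65
    print(pasv_port_in_range(port, 6000, 6010))          # False: outside the opened window
```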
Software
FTP server: vsftpd
FTP clients: ftp, lftp, wget, curl
Status codes
Class | Meaning | Example
--- | --- | ---
1XX | Informational | 125: data connection open
2XX | Success | 200: command OK; 230: login successful
3XX | Supplementary (more input needed) | 331: user name OK, password required
4XX | Client-side error | 425: cannot open data connection
5XX | Server-side error | 530: cannot log in
User authentication
- Anonymous users:
  ftp or anonymous, mapped to the Linux user ftp;
  shared files live in /var/ftp, the home of the system user ftp; see Experiment 1 below
- System users:
  Linux users, accounts in /etc/passwd, passwords in /etc/shadow
  shared files: the user's home directory; see Experiment 1 below
- Virtual users:
  dedicated users for one service, kept in their own user/password file
  shared files: the home directory of the system user they are mapped to
Configuration files
Path | Description
--- | ---
/etc/vsftpd/vsftpd.conf | main vsftpd configuration file
/usr/sbin/vsftpd | the vsftpd binary
/etc/rc.d/init.d/vsftpd | vsftpd start-up script
/etc/pam.d/vsftpd | PAM configuration (its file=/etc/vsftpd/ftpusers entry means the users blocked from logging in are read from /etc/vsftpd/ftpusers)
/etc/vsftpd/ftpusers | users forbidden to use vsftpd. Lists the accounts that may not access the FTP server; administrators put accounts that would threaten system security here, so that such a user cannot log in over FTP, gain rights beyond upload/download, and damage the system.
/etc/vsftpd/user_list | users denied or allowed to use vsftpd. By default (userlist_deny=YES in /etc/vsftpd/vsftpd.conf) the users listed here are also refused access; with userlist_deny=NO only the users in user_list may access the FTP server.
/var/ftp | home directory of anonymous users; local users get their own home directory (/home/<user>), i.e. they land in their home after logging in
/var/ftp/pub | download directory for anonymous users; it needs chmod 1777 pub (the leading 1 is a special permission bit, the sticky bit, so files cannot be deleted once uploaded)
/etc/logrotate.d/vsftpd.log | vsftpd log file
Default settings in /etc/vsftpd/vsftpd.conf explained
# Whether anonymous users may log in
anonymous_enable=NO
# Whether Linux (local) users may log in
local_enable=YES
# Global write switch: must be YES for uploads by either local or anonymous users
write_enable=YES
# umask applied to files uploaded by local users
local_umask=022
# Whether anonymous users may upload files (not directories)
anon_upload_enable=YES
# Whether anonymous users may create directories
anon_mkdir_write_enable=YES
# Show a per-directory message, i.e. the contents of the message_file in each directory
dirmessage_enable=YES
# Enable transfer logging
xferlog_enable=YES
# Originate active-mode data connections from port 20
connect_from_port_20=YES
# Change the owner of every anonymously uploaded file to chown_username
chown_uploads=YES
# Owner assigned to anonymously uploaded files
chown_username=whoever
# Log file location
xferlog_file=/var/log/xferlog
# Write the log in the standard (wu-ftpd) format
xferlog_std_format=YES
# Drop a session that has been idle for 600 seconds
idle_session_timeout=600
# Drop a data connection that has been idle for 120 seconds
data_connection_timeout=120
# Unprivileged user the server runs as when it does not need root
nopriv_user=ftpsecure
# Accept the asynchronous ABOR command that some clients send
async_abor_enable=YES
# Prefer ASCII (text) mode for uploads; enabling this is not recommended
ascii_upload_enable=YES
# Prefer ASCII (text) mode for downloads; enabling this is not recommended
ascii_download_enable=YES
# Banner shown at login; ignored when banner_file is set
ftpd_banner=Welcome to blah FTP service.
# Refuse anonymous logins whose e-mail "password" appears in banned_email_file
deny_email_enable=YES
# File listing the refused anonymous e-mail passwords
banned_email_file=/etc/vsftpd/banned_emails
# Whether local users are confined (chroot) to their home directory
chroot_local_user=YES
# If enabled, all users listed in chroot_list_file cannot leave their root (home) directory
chroot_list_enable=YES
# List of users locked into, or exempted from, their home directory
#chroot_list_file=/etc/vsftpd/chroot_list
# Whether ls -R is allowed; kept off to avoid wasting server resources
#ls_recurse_enable=YES
# Listen on IPv4
listen=NO
# Listen on IPv6
listen_ipv6=YES
# PAM service name; the default maps to /etc/pam.d/vsftpd
pam_service_name=vsftpd
# Deny access to the users listed in /etc/vsftpd/user_list
userlist_enable=YES
Common settings
- Command port
  listen_port=21
- Active-mode data port
  connect_from_port_20=YES   active-mode data port is 20
  ftp_data_port=20 (default)   port used for active-mode data connections
- Passive-mode port range
  Linux clients default to passive mode
  Windows clients default to active mode
  pasv_min_port=6000   0 means allocate randomly
  pasv_max_port=6010
- Use local time
  use_localtime=YES   use local time (default NO, i.e. GMT)
- Anonymous users
  anonymous_enable=YES   allow anonymous users
  no_anon_password=YES (default NO)   skip the password check for anonymous users
  anon_world_readable_only (default YES)   only world-readable files may be downloaded
  anon_upload_enable=YES   anonymous uploads; mind the file-system permissions: never make the FTP root writable, grant write access only on a subdirectory
  anon_mkdir_write_enable=YES   anonymous users may create directories
  anon_umask=077   umask for anonymously uploaded files
  anon_other_write_enable=YES   anonymous users may delete and modify uploaded files
  Default owner and mode of uploaded files:
  chown_uploads=YES (default NO)
  chown_username=<user name>
  chown_upload_mode=0644
- Linux system users
  guest_enable=YES   map all system users to the guest user
  guest_username=ftp   default value, may be omitted; only takes effect together with the option above and names the guest user; see Experiment 2
  local_enable=YES   allow Linux users to log in
  write_enable=YES   allow Linux users to upload files
  local_umask=022   default permissions of files uploaded by system users
  local_root=/ftproot   directory the guest user lands in after login
- Confine all system users to their home directory
  chroot_local_user=YES (default NO, not confined)   confine system users
- Confine, or exempt, specific system users; the opposite of the setting above
  chroot_list_enable=YES
  chroot_list_file=/etc/vsftpd/chroot_list
  when chroot_local_user=YES, users in chroot_list are NOT confined
  when chroot_local_user=NO, users in chroot_list ARE confined
- wu-ftp log: enabled by default
  xferlog_enable=YES (default)   log uploads and downloads
  xferlog_std_format=YES (default)   use the wu-ftp log format
  xferlog_file=/var/log/xferlog (default)   created automatically
- vsftpd log: disabled by default
  dual_log_enable=YES   also write the vsftpd-format log; off by default
  vsftpd_log_file=/var/log/vsftpd.log (default)   created automatically
- Login message
  dirmessage_enable=YES (default)
  message_file=.message (default)   the message is read from .message in the directory entered
- User authentication through PAM (Pluggable Authentication Modules)
  pam_service_name=vsftpd
  PAM configuration file: /etc/pam.d/vsftpd
  users in the default /etc/vsftpd/ftpusers file are refused login
- Enable the list file that controls who may log in
  userlist_enable=YES   set by default
  userlist_deny=YES (default)   blacklist, listed users are refused without a password prompt; NO makes it a whitelist
  userlist_file=/etc/vsftpd/user_list   default value
- User identity the vsftpd service runs as
  nopriv_user=nobody (default)
- Connection limits
  max_clients=0   maximum concurrent connections
  max_per_ip=0   maximum concurrent connections from one IP
- Transfer rate, in bytes per second
  anon_max_rate=0   maximum transfer rate for anonymous users
  local_max_rate=0   maximum transfer rate for local users
- Timeouts, in seconds
  connect_timeout=60   active-mode data connection timeout
  accept_timeout=60   passive-mode data connection timeout
  data_connection_timeout=300   timeout for a data connection with no data flowing
  idle_session_timeout=60   timeout with no command activity
- Prefer ASCII (text) transfers; not recommended
  ascii_upload_enable=YES
  ascii_download_enable=YES
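The user_list/userlist_deny and chroot_local_user/chroot_list rules above are easy to get backwards, so here is an added example (mine, not from the article or from vsftpd) that parses a vsftpd.conf fragment and decides, for one user, whether login is accepted, why, and whether the session is chrooted. The option values come from this page; the user names and list contents are constructed.

```python
def parse_vsftpd_conf(text):
    """Minimal vsftpd.conf parser: one key=value per line, '#' comments and
    blank lines ignored, values kept literally (YES/NO, paths, numbers)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def yes(conf, key, default="NO"):
    return conf.get(key, default).upper() == "YES"   # options are YES/NO switches

def evaluate_login(user, conf, ftpusers, user_list, chroot_list):
    """Return (allowed, reason, chrooted) for one login attempt, applying the
    rules listed above in the order vsftpd applies them."""
    if user in ("ftp", "anonymous"):
        if not yes(conf, "anonymous_enable", "YES"):   # built-in default is YES
            return (False, "anonymous_enable=NO", None)
        return (True, "anonymous user", True)          # anon is always confined to /var/ftp
    if not yes(conf, "local_enable"):
        return (False, "local_enable=NO", None)
    if user in ftpusers:                               # enforced by PAM, always a deny list
        return (False, "listed in /etc/vsftpd/ftpusers", None)
    if yes(conf, "userlist_enable"):
        deny_mode = yes(conf, "userlist_deny", "YES")  # YES: blacklist, NO: whitelist
        if deny_mode and user in user_list:
            return (False, "on user_list (blacklist mode)", None)
        if not deny_mode and user not in user_list:
            return (False, "not on user_list (whitelist mode)", None)
    chrooted = yes(conf, "chroot_local_user")          # the default for every local user
    if yes(conf, "chroot_list_enable") and user in chroot_list:
        chrooted = not chrooted                        # chroot_list inverts that default
    return (True, "local user", chrooted)

# Constructed sample: option values from the page, user names made up for the demo.
SAMPLE_CONF = ("anonymous_enable=NO\nlocal_enable=YES\nuserlist_enable=YES\n"
               "userlist_deny=YES\nchroot_local_user=YES\nchroot_list_enable=YES\n")
FTPUSERS = {"root", "bin", "daemon"}      # /etc/vsftpd/ftpusers
USER_LIST = {"root", "games"}             # /etc/vsftpd/user_list
CHROOT_LIST = {"zhangsan"}                # /etc/vsftpd/chroot_list

def demo():
    conf = parse_vsftpd_conf(SAMPLE_CONF)
    return {u: evaluate_login(u, conf, FTPUSERS, USER_LIST, CHROOT_LIST)
            for u in ("root", "games", "zhangsan", "lisi", "anonymous")}
```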
Experiments
Turn off the firewall and SELinux first.
Host | OS | Role
--- | --- | ---
fs (192.168.29.131) | CentOS 7 | FTP server
ftpServer (192.168.29.141) | CentOS 8 | FTP server
wenzi (192.168.29.142) | CentOS 8 | client
Note
CentOS 7 allows anonymous login by default
CentOS 8 does not allow anonymous login by default
Experiment 1: the default shared directory differs
CentOS 7
[root@fs ~]# yum -y install vsftpd
[root@fs ~]# systemctl start vsftpd
[root@fs ~]# ss -tnlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:* users:(("sshd",pid=1014,fd=3))
LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=1175,fd=13))
LISTEN 0 32 [::]:21 [::]:* users:(("vsftpd",pid=1350,fd=4))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1014,fd=4))
LISTEN 0 100 [::1]:25 [::]:* users:(("master",pid=1175,fd=14))
Access fs from wenzi; even for anonymous login the user name anonymous or ftp must still be typed
[root@wenzi ~]#ftp 192.168.29.131
Connected to 192.168.29.131 (192.168.29.131).
220 (vsFTPd 3.0.2)
Name (192.168.29.131:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,29,131,123,46).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Jun 09 2021 pub
226 Directory send OK.
ftp> pwd
257 "/"
ftp> exit
221 Goodbye.
Access fs from Windows
CentOS 8
# Install vsftpd
[root@ftpServer ~]#yum -y install vsftpd
# Start the FTP service
[root@ftpServer ~]#systemctl enable --now vsftpd
Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /usr/lib/systemd/system/vsftpd.service.
# Check the listening ports: port 21 is open
[root@ftpServer ~]#ss -tnlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=898,fd=4))
LISTEN 0 32 *:21 *:* users:(("vsftpd",pid=1655,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=898,fd=6))
# Create a new user, zhangsan
[root@ftpServer ~]#useradd zhangsan
[root@ftpServer ~]#echo "admin" | passwd --stdin zhangsan
[root@ftpServer ~]#cd ~zhangsan
[root@ftpServer zhangsan]#touch zs.txt
[root@ftpServer zhangsan]#pwd
/home/zhangsan
Access ftpServer from Windows
[root@wenzi ~]#ftp 192.168.29.141
Connected to 192.168.29.141 (192.168.29.141).
220 (vsFTPd 3.0.3)
Name (192.168.29.141:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> ls
530 Please login with USER and PASS.
Passive mode refused.
ftp> exit
221 Goodbye.
Log in to FTP as the user zhangsan
[root@wenzi ~]#ftp 192.168.29.141
Connected to 192.168.29.141 (192.168.29.141).
220 (vsFTPd 3.0.3)
Name (192.168.29.141:root): zhangsan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,29,141,54,103).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Aug 01 13:49 zs.txt
226 Directory send OK.
ftp> pwd
257 "/home/zhangsan" is the current directory
ftp> exit
221 Goodbye.
Edit the vsftpd configuration file with vim /etc/vsftpd/vsftpd.conf and enable anonymous login (anonymous_enable=YES).
Restart vsftpd and access ftpServer from Windows again; anonymous login now succeeds.
[root@wenzi ~]#ftp 192.168.29.141
Connected to 192.168.29.141 (192.168.29.141).
220 (vsFTPd 3.0.3)
Name (192.168.29.141:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,29,141,118,252).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Apr 22 2021 pub
226 Directory send OK.
ftp> pwd
257 "/" is the current directory
Experiment 2: upload and download for Linux users
Goals
- Refuse anonymous logins, allow Linux users to log in
- Login banner: "This is FTP Server"
- Map all system users to the guest user and place them in /data/ftp after login, with /data/ftp/upload as the upload directory
- Allow Linux users to download, upload, create directories, and delete and modify the files they uploaded
- Set the default permissions of files uploaded by system users
- Enable the vsftpd-format log
FTP server configuration
[root@ftpServer ~]#vim /etc/vsftpd/vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
...
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
...
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
...
# go into a certain directory.
dirmessage_enable=YES
#
...
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
...
# with the listen_ipv6 directive.
listen=NO
#
...
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
ftpd_banner="This is FTP Server"
guest_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/data/ftp
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
[root@ftpServer ~]#mkdir /data/ftp -p
[root@ftpServer ~]#mkdir /data/ftp/upload
[root@ftpServer ~]#chmod 777 /data/ftp/upload/
[root@ftpServer ~]#systemctl restart vsftpd.service
Client test
[root@wenzi ~]#ll
total 8
-rw-r--r-- 1 root root 0 Aug 2 02:03 111.txt
-rw-------. 1 root root 1279 May 15 01:30 anaconda-ks.cfg
[root@wenzi ~]#ftp 192.168.29.141
Connected to 192.168.29.141 (192.168.29.141).
220 "This is FTP Server"
Name (192.168.29.141:root): zhangsan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,29,141,19,185).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Aug 01 18:02 sy2.txt
drwxrwxrwx 2 0 0 6 Aug 01 21:14 upload
226 Directory send OK.
ftp> pwd
257 "/" is the current directory
# Download
ftp> get sy2.txt
local: sy2.txt remote: sy2.txt
227 Entering Passive Mode (192,168,29,141,119,145).
150 Opening BINARY mode data connection for sy2.txt (0 bytes).
226 Transfer complete.
ftp> cd upload
250 Directory successfully changed.
ftp> pwd
257 "/upload" is the current directory
# Upload
ftp> put 111.txt
local: 111.txt remote: 111.txt
227 Entering Passive Mode (192,168,29,141,153,176).
150 Ok to send data.
226 Transfer complete.
ftp> ls
227 Entering Passive Mode (192,168,29,141,116,132).
150 Here comes the directory listing.
-rw------- 1 14 50 0 Aug 01 21:17 111.txt
226 Directory send OK.
ftp> help
Commands may be abbreviated. Commands are:
! debug mdir sendport site
$ dir mget put size
account disconnect mkdir pwd status
append exit mls quit struct
ascii form mode quote system
bell get modtime recv sunique
binary glob mput reget tenex
bye hash newer rstatus tick
case help nmap rhelp trace
cd idle nlist rename type
cdup image ntrans reset user
chmod lcd open restart umask
close ls prompt rmdir verbose
cr macdef passive runique ?
delete mdelete proxy send
# Rename
ftp> rename 111.txt 222.txt
350 Ready for RNTO.
250 Rename successful.
ftp> ls
227 Entering Passive Mode (192,168,29,141,151,67).
150 Here comes the directory listing.
-rw------- 1 14 50 0 Aug 01 21:17 222.txt
226 Directory send OK.
# Create a directory
ftp> mkdir abc
257 "/upload/abc" created
ftp> ls
227 Entering Passive Mode (192,168,29,141,124,143).
150 Here comes the directory listing.
-rw------- 1 14 50 0 Aug 01 21:17 222.txt
drwx------ 2 14 50 6 Aug 01 21:17 abc
226 Directory send OK.
# Remove the directory
ftp> rmdir abc
250 Remove directory operation successful.
Check the log on the FTP server
[root@ftpServer ftp]#cat /var/log/vsftpd.log
Wed Aug 2 05:15:56 2023 [pid 3426] CONNECT: Client "::ffff:192.168.29.142"
Wed Aug 2 05:16:01 2023 [pid 3425] [zhangsan] OK LOGIN: Client "::ffff:192.168.29.142"
Wed Aug 2 05:16:29 2023 [pid 3427] [zhangsan] OK DOWNLOAD: Client "::ffff:192.168.29.142", "/sy2.txt", 0.00Kbyte/sec
Wed Aug 2 05:17:01 2023 [pid 3427] [zhangsan] OK UPLOAD: Client "::ffff:192.168.29.142", "/upload/111.txt", 0.00Kbyte/sec
Wed Aug 2 05:17:33 2023 [pid 3427] [zhangsan] OK RENAME: Client "::ffff:192.168.29.142", "/upload/111.txt /upload/222.txt"
Wed Aug 2 05:17:48 2023 [pid 3427] [zhangsan] OK MKDIR: Client "::ffff:192.168.29.142", "/upload/abc"
Wed Aug 2 05:20:15 2023 [pid 3432] [zhangsan] OK RMDIR: Client "::ffff:192.168.29.142", "/upload/abc"
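The vsftpd-format log above records every session event on one line, which makes it a good feed for monitoring. As an added example (mine, not part of the article), the code below parses these lines and summarises write operations per user and failed logins per client; the sample repeats the page's seven lines and adds three constructed FAIL LOGIN lines from a second, made-up client address.

```python
import re
from collections import Counter, defaultdict

# Layout of the vsftpd-format log (dual_log_enable=YES, vsftpd_log_file): the
# [user] field is missing on CONNECT lines, the trailing "path", rate part
# appears only on transfers. The day of month may be padded with a second space.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?:(?P<status>OK|FAIL) )?(?P<event>[A-Z]+): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<detail>[^"]*)")?(?:, (?P<rate>[\d.]+)Kbyte/sec)?'
)
WRITE_EVENTS = {"UPLOAD", "RENAME", "MKDIR", "RMDIR", "DELETE"}

def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, fail_threshold=3):
    """Count successful write operations per user and failed logins per client;
    clients reaching fail_threshold failures are reported as suspects."""
    writes, fails, unparsed = defaultdict(Counter), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif rec["event"] == "LOGIN" and rec["status"] == "FAIL":
            fails[rec["client"]] += 1
        elif rec["status"] == "OK" and rec["event"] in WRITE_EVENTS:
            writes[rec["user"]][rec["event"]] += 1
    suspects = sorted(c for c, n in fails.items() if n >= fail_threshold)
    return {"writes": {u: dict(c) for u, c in writes.items()},
            "failed_logins": dict(fails), "suspects": suspects, "unparsed": unparsed}

# Constructed sample: the seven lines from the log above plus three made-up
# FAIL LOGIN lines from a second client.
SAMPLE_LOG = """\
Wed Aug  2 05:15:56 2023 [pid 3426] CONNECT: Client "::ffff:192.168.29.142"
Wed Aug  2 05:16:01 2023 [pid 3425] [zhangsan] OK LOGIN: Client "::ffff:192.168.29.142"
Wed Aug  2 05:16:29 2023 [pid 3427] [zhangsan] OK DOWNLOAD: Client "::ffff:192.168.29.142", "/sy2.txt", 0.00Kbyte/sec
Wed Aug  2 05:17:01 2023 [pid 3427] [zhangsan] OK UPLOAD: Client "::ffff:192.168.29.142", "/upload/111.txt", 0.00Kbyte/sec
Wed Aug  2 05:17:33 2023 [pid 3427] [zhangsan] OK RENAME: Client "::ffff:192.168.29.142", "/upload/111.txt /upload/222.txt"
Wed Aug  2 05:17:48 2023 [pid 3427] [zhangsan] OK MKDIR: Client "::ffff:192.168.29.142", "/upload/abc"
Wed Aug  2 05:20:15 2023 [pid 3432] [zhangsan] OK RMDIR: Client "::ffff:192.168.29.142", "/upload/abc"
Wed Aug  2 05:21:02 2023 [pid 3440] [root] FAIL LOGIN: Client "::ffff:192.168.29.150"
Wed Aug  2 05:21:05 2023 [pid 3441] [root] FAIL LOGIN: Client "::ffff:192.168.29.150"
Wed Aug  2 05:21:09 2023 [pid 3442] [admin] FAIL LOGIN: Client "::ffff:192.168.29.150"
""".splitlines()
```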
Experiment 3: FTPS (FTP over SSL/TLS)
# On CentOS 7 a single file holding both the private key and the certificate can be generated in one step
# Check whether vsftpd is linked against SSL
[root@fs ~]# ldd `which vsftpd` | grep ssl
libssl.so.10 => /lib64/libssl.so.10 (0x00007f8a15030000)
[root@fs ~]# cd /etc/pki/tls/certs/
[root@fs certs]# ll
总用量 12
lrwxrwxrwx. 1 root root 49 5月 25 21:13 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 5月 25 21:13 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root 610 8月 9 2019 make-dummy-cert
-rw-r--r--. 1 root root 2516 8月 9 2019 Makefile
-rwxr-xr-x. 1 root root 829 8月 9 2019 renew-dummy-cert
# A file ending in .pem: private key and certificate combined in one file
[root@fs certs]# make vsftpd.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 ; \
cat $PEM1 > vsftpd.pem ; \
echo "" >> vsftpd.pem ; \
cat $PEM2 >> vsftpd.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
................................+++
.......+++
writing new private key to '/tmp/openssl.CGeh1N'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:wenzi
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:wenzi.com
Email Address []:youxiang@qq.com
[root@fs certs]# ll
总用量 16
lrwxrwxrwx. 1 root root 49 5月 25 21:13 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 5月 25 21:13 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root 610 8月 9 2019 make-dummy-cert
-rw-r--r--. 1 root root 2516 8月 9 2019 Makefile
-rwxr-xr-x. 1 root root 829 8月 9 2019 renew-dummy-cert
-rw------- 1 root root 3100 8月 2 00:10 vsftpd.pem
# View the combined key and certificate file: the private key is at the top, the certificate below
[root@fs certs]# cat vsftpd.pem
-----BEGIN PRIVATE KEY-----
(private key omitted)
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(certificate omitted)
-----END CERTIFICATE-----
# On CentOS 8 the certificate and the private key are generated as separate files and then concatenated into one
[root@ftpServer ~]#ldd `which vsftpd` | grep ssl
libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f53dd410000)
[root@ftpServer ~]#mkdir /etc/vsftpd/ssl
[root@ftpServer ~]#cd /etc/vsftpd/ssl/
[root@ftpServer ssl]#openssl req -x509 -nodes -keyout vsftpd.key -out vsftpd.crt -days 365 -newkey rsa:2048
Generating a RSA private key
...........................+++++
..................................................................................+++++
writing new private key to 'vsftpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:zz
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:wenzi
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:wenzi.com
Email Address []:youxiang@163.com
[root@ftpServer ssl]#ll
total 8
-rw-r--r-- 1 root root 1387 Aug 2 00:18 vsftpd.crt
-rw------- 1 root root 1704 Aug 2 00:17 vsftpd.key
[root@ftpServer ssl]#cat * > vsftpd.pem
[root@ftpServer ssl]#cat vsftpd.pem
-----BEGIN CERTIFICATE-----
(certificate omitted)
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
(private key omitted)
-----END PRIVATE KEY-----
[root@ftpServer ssl]#ll
total 12
-rw-r--r-- 1 root root 1387 Aug 2 00:18 vsftpd.crt
-rw------- 1 root root 1704 Aug 2 00:17 vsftpd.key
-rw-r--r-- 1 root root 3091 Aug 2 00:18 vsftpd.pem
[root@ftpServer ssl]#vim /etc/vsftpd/vsftpd.conf
...
# Enable SSL/TLS
ssl_enable=YES
# Anonymous users may not use SSL
allow_anon_ssl=NO
# Local users must log in over SSL
force_local_logins_ssl=YES
# Local users must transfer data over SSL
force_local_data_ssl=YES
# One file holding both the private key and the certificate
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.pem
[root@ftpServer ssl]#systemctl restart vsftpd
Connect to ftpServer with FileZilla to verify.