
RE: [nslu2-general] Can't login with Proftpd !!

  • Inge Bjørnvall Arnesen
    Message 1 of 17 , Apr 8, 2005
      Proftpd normally runs with authentication from /etc/passwd and login to
      people's home directory. I'm not sure if you have problems logging in as
      non-anonymous in general or if it is just with users in the ftp-group? What is
      the output in the log files when your logins fail?

      My setup is such that all users are registered in /etc/passwd with
      null-shell (no login) and when logging in they are all jailed in my public
      share area (see below). I have put all users that should not be allowed FTP
      access in /etc/ftpusers. Note that I have enabled WtmpLog, but Unslung has
      this disabled by default (you can disable it). Hope this helps.

      best,

      -- Inge

      ----------------------
      ServerName "ProFTPD on Naseem"
      ServerType inetd
      DefaultServer on
      WtmpLog on

      # Port 21 is the standard FTP port.
      Port 21

      Umask 022

      <Global>
      RootLogin On
      RequireValidShell off
      AuthUserFile /etc/passwd
      DefaultRoot /share/hdd/data/public
      TransferLog /opt/var/log/Naseem/proftpd.xferlog
      </Global>

      MaxInstances 5

      # Set the user and group under which the server will run.
      User nobody
      Group nobody

      # Normally, we want files to be overwriteable.
      AllowOverwrite on
      ----------------------------------------

      ----Original Message----
      From: Robert Hammond [mailto:rob.hammond@...]
      Sent: 3. april 2005 23:22
      To: nslu2-general@yahoogroups.com
      Subject: Re: [nslu2-general] Can't login with Proftpd !!

      > In message <d29ova+tid5@...>, lockmart100
      > <dontspam@...> writes
      > >
      > >
      > >
      > > Please forgive my ignorance on this. I haven't worked
      > > with a Unix OS in 20 years.
      > >
      > > I got my slug unslung without any problems. I have 2
      > > disks attached. Both seem to be working fine now.
      > >
      > > I installed SSH and Proftpd without issue. I can access
      > > the slug fine with "putty" and SSH. I can get anonymous logins using
      > > the basic conf script from web or local lan. Here lies 2 problems :
      > >
      > > 1 Anonymous login seems to give me root access. Not
      > > good. How can I set ftp to go to public shares and
      > > private folders only?
      > >
      > > 2 When I try to log in as a user that is setup as a
      > > member of the ftp group it asks for a password and it
      > > never accepts any password as correct. The ftp group
      > > has DISK 1 and DISK 2 RW access only.
      > >
      > > Anybody willing to help a Linux newbie on his first
      > > setup?
      > >
      > Hi lockmart100
      > I have installed ProFTPD some weeks ago and see the same.
      > Unfortunately I have had very little time to try the various
      > configurations possible but intend to shortly.
      > Note that the VsFTPD program needs a password file manual
      > hack as reported in the Wiki so perhaps ProFTPD does also
      > - to be checked. --
      > Robert Hammond
      > PGP:0x154144DA
    • Robert Hammond
      Message 2 of 17 , Apr 10, 2005
        In message <d29ova+tid5@...>, lockmart100 <dontspam@...>
        writes
        <snip>
        >2 When I try to log in as a user that is setup as a member of the ftp
        >group it asks for a password and it never accepts any password as
        >correct. The ftp group has DISK 1 and DISK 2 RW access only.
        >
        <Snip>
        Unfortunately I can confirm this behaviour to some extent.
        My proftpd.conf file is very simple and based on the default file.
        I find that I can:-
        1. Login as Anonymous using email address as password
        2. Login as ftp, which is an alias for Anonymous.
        3. Login as root using my custom root password
        4. Login as admin using the default password as set by Linksys of
        'admin' (I do intend to change this some time in the future).

        Unfortunately I cannot Login with any user that I have made, these
        users have a password set using the web interface.

        Always comes back with the error - 530 Login Incorrect



        --
        Robert Hammond
        PGP:0x154144DA
      • Inge Bjørnvall Arnesen
        Message 3 of 17 , Apr 10, 2005
          > Unfortunately I cannot Login with any user that I have
          > made, these
          > users have a password set using the web interface.
          >
          > Always comes back with the error - 530 Login Incorrect

          Ok - I try again:

          "What is the output in the log files when your logins fail?"

          It is hard to guess the cause to your troubles without proftpd.conf and log
          feedback.

          Furthermore:

          - Do your users have valid home directories (check /etc/passwd)?

          - Can you create a user without a password by editing /etc/passwd manually.
          Enter (adjust for user ID - I used 2011 in my test) and try to ftp in as
          that user:

          "test::2011:501:Test:/home/empty:/bin/sh"


          best,

          -- Inge
        • Robert Hammond
          Message 4 of 17 , Apr 10, 2005
            In message <007801c53dfd$a2042cd0$a3b6f081@...>, Inge Bjørnvall
            Arnesen <i.b.arnesen@...> writes
            >
            >> Unfortunately I cannot Login with any user that I have
            >> made, these
            >> users have a password set using the web interface.
            >>
            >> Always comes back with the error - 530 Login Incorrect
            >
            >Ok - I try again:
            >
            >"What is the output in the log files when your logins fail?"
            >
            >It is hard to guess the cause to your troubles without proftpd.conf and log
            >feedback.
            >
            >Furthermore:
            >
            >- Do your users have valid home directories (check /etc/passwd)?
            >
            >- Can you create a user without a password by editing /etc/passwd manually.
            >Enter (adjust for user ID - I used 2011 in my test) and try to ftp in as
            >that user:
            >
            > "test::2011:501:Test:/home/empty:/bin/sh"
            >
            I have found the problem by comparing users that work to users that do
            not.
            I already have a test user including a password as follows:-
            test:hashpasswordhere:2003:501:Ftp test account::/dev/null

            The missing home directory is causing the problem. If I add a home
            directory such as '/' then the user will login:-
            test:hashpasswordhere:2003:501:Ftp test account:/:/dev/null

            Note that there is a directive for the proftpd.conf file called
            'CreateHome' but adding 'CreateHome on' to the global section does not
            correct this problem.

            Seems that users created in the web interface are missing a home
            directory even if you select the 'Create private folders' option. I was
            rather hoping that I could use this program without manually hacking
            the passwd file, although only needs a small hack.
            --
            Robert Hammond
            PGP:0x154144DA
          • Robert Hammond
            Message 5 of 17 , Apr 10, 2005
              In message <9DhllSJ$+XWCFw0l@...>, Robert Hammond
              <rob.hammond@...> writes
              >
              >In message <007801c53dfd$a2042cd0$a3b6f081@...>, Inge Bjørnvall
              >Arnesen <i.b.arnesen@...> writes
              >>
              >>> Unfortunately I cannot Login with any user that I have
              >>> made, these
              >>> users have a password set using the web interface.
              >>>
              >>> Always comes back with the error - 530 Login Incorrect
              >>
              >>Ok - I try again:
              >>
              >>"What is the output in the log files when your logins fail?"
              >>
              >>It is hard to guess the cause to your troubles without proftpd.conf and log
              >>feedback.
              >>
              >>Furthermore:
              >>
              >>- Do your users have valid home directories (check /etc/passwd)?
              >>
              >>- Can you create a user without a password by editing /etc/passwd manually.
              >>Enter (adjust for user ID - I used 2011 in my test) and try to ftp in as
              >>that user:
              >>
              >> "test::2011:501:Test:/home/empty:/bin/sh"
              >>
              >I have found the problem by comparing users that work to users that do
              >not.
              >I already have a test user including a password as follows:-
              >test:hashpasswordhere:2003:501:Ftp test account::/dev/null
              >
              >The missing home directory is causing the problem. If I add a home
              >directory such as '/' then the user will login:-
              >test:hashpasswordhere:2003:501:Ftp test account:/:/dev/null
              >
              >Note that there is a directive for the proftpd.conf file called
              >'CreateHome' but adding 'CreateHome on' to the global section does not
              >correct this problem.
              >
              >Seems that users created in the web interface are missing a home
              >directory even if you select the 'Create private folders' option. I was
              >rather hoping that I could use this program without manually hacking
              >the passwd file, although only needs a small hack.

              This same fault is documented as part of Tip 1 in the vsftpd section of
              the Wiki.

              One possible solution would be to re-compile the source code but with a
              small change to the relevant module adding the following functionality:-

              If HomeDirectory = Null then HomeDirectory = /share/hdd/data/public

              or perhaps a new key word to select the above if needed, suggest
              something similar to the RequireValidShell key word, perhaps
              RequireValidHomeDir.



              Then use the DefaultRoot and DefaultChdir keywords to override this if
              needed.


              --
              Robert Hammond
              PGP:0x154144DA
            • Inge Bjørnvall Arnesen
              Message 6 of 17 , Apr 10, 2005
                Good that it's settled. I tried the CreateHome directive and it worked
                nicely for me. I added the following to my global section:

                CreateHome on 700 dirmode 711

                Please give me feedback if you can't get it to work. Note that use of
                DefaultRoot will also affect users with valid home dir and override home dir
                (it is still created though).

                > Note that there is a directive for the proftpd.conf file
                > called 'CreateHome' but adding 'CreateHome on' to the
                > global section does not correct this problem.

                CreateHome will only create the home directory if set in the /etc/passwd
                file. If I recall correctly this will be done by the web interface, but the
                directory will not be created (CreateHome will). Since I don't have a
                DevSlug and my slug doesn't run any of the Linksys stuff (like webinterface,
                watchdog or mounting utils), it is hard for me to test. Do I recall
                correctly (at least my admin user has the nice, non-existing home directory
                /home/user/admin set in my passwd file)?

                best,

                -- Inge
              • Robert Hammond
                Message 7 of 17 , Apr 10, 2005
                  In message <007a01c53e0d$a0e7a600$a3b6f081@...>, Inge Bjørnvall
                  Arnesen <i.b.arnesen@...> writes
                  >
                  >Good that it's settled. I tried the CreateHome directive and it worked
                  >nicely for me. I added the following to my global section:
                  >
                  > CreateHome on 700 dirmode 711
                  >
                  >Please give me feedback if you can't get it to work. Note that use of
                  >DefaultRoot will also affect users with valid home dir and override home dir
                  >(it is still created though).
                  >
                  >> Note that there is a directive for the proftpd.conf file
                  >> called 'CreateHome' but adding 'CreateHome on' to the
                  >> global section does not correct this problem.
                  >
                  >CreateHome will only create the home directory if set in the /etc/passwd
                  >file. If I recall correctly this will be done by the web interface, but the
                  >directory will not be created (CreateHome will). Since I don't have a
                  >DevSlug and my slug doesn't run any of the Linksys stuff (like webinterface,
                  >watchdog or mounting utils), it is hard for me to test. Do I recall
                  >correctly (at least my admin user has the nice, non-existing home directory
                  >/home/user/admin set in my passwd file)?
                  >
                  Unfortunately with my 3.18beta, the web interface does not add a home
                  directory to /etc/passwd, it is just left blank as '::'.
                  Also if you elect to create a Private folder it just creates the folder
                  as a share in file /etc/share.info and adds the share to a dedicated
                  group which is also created, the user is then given access to this
                  group (and hence has access to the Private folder). This private
                  folder seems to be an access restricted sub-directory off of
                  /share/hdd/data (or the equivalent flash) so for most configurations
                  /share/hdd/data would probably be the default home directory rather than
                  the private folder or another folder.

                  I think that this leaves the work around to be to add your config line
                  above but also to manually add a home directory to /etc/passwd as stated
                  in Tip 1 VsFTPD Wiki. Not ideal but workable for users who want
                  created user restricted access.
                  --
                  Robert Hammond
                  PGP:0x154144DA
                • Robert Hammond
                  Message 8 of 17 , Apr 10, 2005
                    In message <KcbYCkKW0YWCFwC8@...>, Robert Hammond
                    <rob.hammond@...> writes
                    >
                    >In message <9DhllSJ$+XWCFw0l@...>, Robert Hammond
                    ><rob.hammond@...> writes
                    >>
                    >>In message <007801c53dfd$a2042cd0$a3b6f081@...>, Inge Bjørnvall
                    >>Arnesen <i.b.arnesen@...> writes
                    >>>
                    >>>> Unfortunately I cannot Login with any user that I have
                    >>>> made, these
                    >>>> users have a password set using the web interface.
                    >>>>
                    >>>> Always comes back with the error - 530 Login Incorrect
                    >>>
                    >>>Ok - I try again:
                    >>>
                    >>>"What is the output in the log files when your logins fail?"
                    >>>
                    >>>It is hard to guess the cause to your troubles without proftpd.conf and log
                    >>>feedback.
                    >>>
                    >>>Furthermore:
                    >>>
                    >>>- Do your users have valid home directories (check /etc/passwd)?
                    >>>
                    >>>- Can you create a user without a password by editing /etc/passwd manually.
                    >>>Enter (adjust for user ID - I used 2011 in my test) and try to ftp in as
                    >>>that user:
                    >>>
                    >>> "test::2011:501:Test:/home/empty:/bin/sh"
                    >>>
                    >>I have found the problem by comparing users that work to users that do
                    >>not.
                    >>I already have a test user including a password as follows:-
                    >>test:hashpasswordhere:2003:501:Ftp test account::/dev/null
                    >>
                    >>The missing home directory is causing the problem. If I add a home
                    >>directory such as '/' then the user will login:-
                    >>test:hashpasswordhere:2003:501:Ftp test account:/:/dev/null
                    >>
                    >>Note that there is a directive for the proftpd.conf file called
                    >>'CreateHome' but adding 'CreateHome on' to the global section does not
                    >>correct this problem.
                    >>
                    >>Seems that users created in the web interface are missing a home
                    >>directory even if you select the 'Create private folders' option. I was
                    >>rather hoping that I could use this program without manually hacking
                    >>the passwd file, although only needs a small hack.
                    >
                    >This same fault is documented as part of Tip 1 in the vsftpd section of
                    >the Wiki.
                    >
                    >One possible solution would be to re-compile the source code but with a
                    >small change to the relevant module adding the following functionality:-
                    >
                    >If HomeDirectory = Null then HomeDirectory = /share/hdd/data/public
                    >
                    >or perhaps a new key word to select the above if needed, suggest
                    >something similar to the RequireValidShell key word, perhaps
                    >RequireValidHomeDir.
                    >
                    >
                    >
                    >Then use the DefaultRoot and DefaultChdir keywords to override this if
                    >needed.
                    >
                    >
                    Another thought would be to modify the code so that if the home
                    directory is missing from /etc/passwd then check the various DefaultRoot
                    directives for a valid directive before declaring a 530 Login Incorrect
                    instruction. Would most probably be a complex piece of coding
                    required.
                    --
                    Robert Hammond
                    PGP:0x154144DA
                  • Inge Bjørnvall Arnesen
                    Message 9 of 17 , Apr 10, 2005
                      > Unfortunately with my 3.18beta, the web interface does
                      > not add a home directory to /etc/passwd, it is just left
                      > blank as '::'.

                      That is unfortunate. According to my passwd(5) man page, only the GECOS
                      field is optional, so Linksys seem to operate using a broken passwd file.
                      Can you update the Proftpd wiki page wrt. to this?

                      best,

                      -- Inge
                    • Robert Hammond
                      Message 10 of 17 , Apr 11, 2005
                        In message <008101c53e1d$6be34f80$a3b6f081@...>, Inge Bjørnvall
                        Arnesen <i.b.arnesen@...> writes
                        >
                        >> Unfortunately with my 3.18beta, the web interface does
                        >> not add a home directory to /etc/passwd, it is just left
                        >> blank as '::'.
                        >
                        >That is unfortunate. According to my passwd(5) man page, only the GECOS
                        >field is optional, so Linksys seem to operate using a broken passwd file.
                        >Can you update the Proftpd wiki page wrt. to this?
                        >
                        I will update the page, have been meaning to update a number of pages
                        for some time.
                        --
                        Robert Hammond
                        PGP:0x154144DA
                      • Robert Hammond
                        Message 11 of 17 , Apr 11, 2005
                          In message <004801c53c30$acd19400$a3b6f081@...>, Inge Bjørnvall
                          Arnesen <i.b.arnesen@...> writes
                          <snip>
                          > I have put all users that should not be allowed FTP
                          >access in /etc/ftpusers.
                          <Snip>

                          Yet another problem (I just love beta test debugging). I have created
                          the file ftpusers in /etc/ but this feature of disallowing users to
                          login does not work for reasons that are currently unknown.

                          Example - I have currently left the admin user and default password (of
                          admin) untouched.
                          Have added admin to the /etc/ftpusers file.
                          I can still login as admin using my ftp client??

                          Note that I have tried with the proftpd.conf directive UseFtpUsers on
                          (which is the default) but still has no effect.

                          --
                          Robert Hammond
                          PGP:0x154144DA
                        • Inge Bjørnvall Arnesen
                          Message 12 of 17 , Apr 11, 2005
                            > Yet another problem (I just love beta test debugging). I have created
                            > the file ftpusers in /etc/ but this feature of disallowing users to
                            > login does not work for reasons that are currently unknown.

                            Oh, that is probably correct. rwhitby changed it to /opt/etc/ftpusers - my
                            mistake, no bug that either.

                            best,

                            -- Inge
                          • Robert Hammond
                            Message 13 of 17 , Apr 11, 2005
                              In message <000501c53ed1$d0352d00$5201a8c0@...>, Inge Bjørnvall
                              Arnesen <i.b.arnesen@...> writes
                              >
                              >> Yet another problem (I just love beta test debugging). I have created
                              >> the file ftpusers in /etc/ but this feature of disallowing users to
                              >> login does not work for reasons that are currently unknown.
                              >
                              >Oh, that is probably correct. rwhitby changed it to /opt/etc/ftpusers - my
                              >mistake, no bug that either.
                              >
                              I prefer the file location of /opt/etc/ due to being a disk directory.
                              I will add this to the Wiki later this week when time permits together
                              with the other updates.

                              I am using WsFtp pro on a PC as my client, seems to be a brilliant way
                              to explore the directory structure and configure the slug, recommend
                              this method to everyone. Using WsFTP the symlinks etc all show up
                              correctly, as good as using a file explorer. Also an easy method to
                              modify the config files by copying the file to the PC HD, I use
                              Textpad from www.textpad.com as a Unix full function text editor and
                              then copy the file back.

                              Hope to have a go at configuring SSL access later this week.
                              --
                              Robert Hammond
                              PGP:0x154144DA
                            • Robert Hammond
                              Message 14 of 17 , Apr 11, 2005
                                In message <008101c53e1d$6be34f80$a3b6f081@...>, Inge Bjørnvall
                                Arnesen <i.b.arnesen@...> writes
                                >
                                >> Unfortunately with my 3.18beta, the web interface does
                                >> not add a home directory to /etc/passwd, it is just left
                                >> blank as '::'.
                                >
                                >That is unfortunate. According to my passwd(5) man page, only the GECOS
                                >field is optional, so Linksys seem to operate using a broken passwd file.
                                >Can you update the Proftpd wiki page wrt. to this?
                                >
                                As stated on the Wiki Tip1 VsFTPD any manual changes made to the
                                /etc/passwd file will not withstand a re-boot of the slug or withstand
                                any changes made to some of the web configuration pages. Does make
                                running a reliable VsFTPD or ProFTPD server a little un-reliable.

                                ProFTPD does have a workable work around for this for at least some
                                users by configuring a dedicated passwd file just for use by ProFTPD,
                                suggested location for such a file is a disk directory such as /opt/etc/.

                                So...
                                1. Change the relevant proftpd.conf directive located in the global
                                section to read:-
                                AuthUserFile /opt/etc/passwd.proftpd

                                2. You may have to add another directive to this section to point to
                                the system group file (to be checked):-
                                AuthGroupFile /etc/group

                                3. Populate the new /opt/etc/passwd.proftpd file using a text editor
                                with your required users by copying them from the system /etc/passwd
                                file. Modify these users as required following the passwd file
                                conventions (as a minimum you will definitely need to add a home
                                directory to allow copied users to login).

                                I will double check this later this week but am quite sure this will
                                work as posted.


                                --
                                Robert Hammond
                                PGP:0x154144DA
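
The workaround in steps 1 to 3 above, together with the empty home-directory field diagnosed earlier in the thread, as an added example that is not part of the original messages. The function names (make_sample, audit_passwd, build_authuserfile) are hypothetical, the sample entries are constructed, and the owner-only file mode assumes ProFTPD reads the AuthUserFile as root.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Write a small passwd-format file for the demonstration. All entries are
# constructed; "test" mirrors the broken record quoted in the thread.
make_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/sh
admin:x:2000:501:Administrator:/home/user/admin:/dev/null
test:hashpasswordhere:2003:501:Ftp test account::/dev/null
guest:x:2004:501:Guest
EOF
}

# Report accounts that will fail the way the thread describes: records whose
# home-directory field (field 6) is empty, plus records that do not have the
# seven colon-separated fields passwd(5) expects.
audit_passwd() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        NF != 7  { print $1 ": malformed (" NF " fields)"; next }
        $6 == "" { print $1 ": empty home directory" }
    ' "$1"
}

# Copy only the named users from SRC into DEST, filling an empty home field
# with DEFAULT_HOME. Malformed records are never copied.
# usage: build_authuserfile SRC DEST DEFAULT_HOME user...
build_authuserfile() {
    src=$1; dest=$2; default_home=$3
    shift 3
    users=" $* "                 # space-padded list for exact-name matching
    old_umask=$(umask)
    umask 077                    # the file holds password hashes: owner-only
    awk -F: -v OFS=: -v home="$default_home" -v users="$users" '
        NF == 7 && index(users, " " $1 " ") {
            if ($6 == "") $6 = home
            print
        }
    ' "$src" > "$dest"
    umask "$old_umask"
}

# Demonstration on the constructed sample; no system file is read or written.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/passwd"
echo "Audit of sample passwd:"
audit_passwd "$demo_dir/passwd"
build_authuserfile "$demo_dir/passwd" "$demo_dir/passwd.proftpd" \
    /share/hdd/data/public admin test
echo "Generated AuthUserFile:"
cat "$demo_dir/passwd.proftpd"
rm -rf "$demo_dir"
```

On the device the destination would be the /opt/etc/passwd.proftpd path named in step 1, and only the accounts that should have FTP access would be listed on the command line.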