LinuxQuestions.org
Old 06-18-2007, 11:47 PM   #1
Phoenix_Zero
LQ Newbie
 
Registered: Jan 2005
Location: I sleep i a dorm room, I live in my head.
Distribution: Debian/Kubuntu
Posts: 23

Rep: Reputation: 15
Problem with SSL and vsftpd, receiving error "530 This FTP Server is Anonymous Only"


Hi. I'm a bit confused as to what's going on here as I try to get vsftpd to allow ssl logins (ftps).
I don't want FTP over SSH as that requires the users to have shell logins and I reallllly don't want to have to deal with that. I'm running Debian etch.
My current vsftpd.conf file is:

anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd.pem
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES


That's all I have for it.

The error I get when I try to connect with AUTH TLS or AUTH SSL (or any SSL) on clients is "530 This FTP Server is Anonymous Only", yet I have anonymous logins disabled in the .conf file. I'm quite confused here. I seem able to connect with sftp (FTP over SSH on port 22), but I want my users not to have to have shell accounts on the machine, as this server only exists for a couple of my friends to grab some files, not home directories or anything of the like. Thanks for your time.

Last edited by Phoenix_Zero; 06-18-2007 at 11:48 PM.
 
Old 06-19-2007, 10:08 AM   #2
RedHatCat
Member
 
Registered: Jun 2005
Location: London, Uk
Distribution: RH-ES 3/4, FC 5/6
Posts: 51

Rep: Reputation: 15
Possibly unrelated, since I've never used vsftpd over ssh, and haven't used plain vsftpd in a while, but do you need to add the usernames to /etc/vsftpd.ftpusers & /etc/vsftpd.allow, or is it to hash the usernames out (?). I forget now, but either way that's what I'd check. I'm being vague, I know, but all I've got is an XP box here atm so I can't check. GL
 
Old 06-19-2007, 12:03 PM   #3
Phoenix_Zero
LQ Newbie
 
Registered: Jan 2005
Location: I sleep i a dorm room, I live in my head.
Distribution: Debian/Kubuntu
Posts: 23

Original Poster
Rep: Reputation: 15
Hi RedHatCat,
Thanks for replying to my post. I'm looking at /etc right now (where my vsftpd.conf is) and the only files I have mentioning vsftpd are:
vsftpd.conf
vsftpd.conf.bak (backup of the example file)
vsftpd.pem (the rsa cert)

do I have to create vsftpd.ftpusers or vsftpd.allow?

Thanks,
Phoenix
 
Old 06-19-2007, 01:27 PM   #4
RedHatCat
Member
 
Registered: Jun 2005
Location: London, Uk
Distribution: RH-ES 3/4, FC 5/6
Posts: 51

Rep: Reputation: 15
Hey Phoenix, I just got back & realised none of my boxes here have any vsftpd files/service on, but from memory I usually find the config file in /etc/vsftpd/vsftpd.conf & tweak it as required (the /etc/vsftpd sub-folder is the default on RH ES). Then I also edit /etc/vsftpd.ftpusers & /etc/vsftpd.user_list (not vsftpd.allow, I got confused earlier) as required. I found a reference to those files in Step 5 on this page: http://www.vsftpdrocks.org/rpm/ which probably explains their role better than me.

I have another installation to do soon; I will try to make it a RHES with vsftpd included so I can have a play with it this time.
 
Old 06-19-2007, 01:41 PM   #5
Phoenix_Zero
LQ Newbie
 
Registered: Jan 2005
Location: I sleep i a dorm room, I live in my head.
Distribution: Debian/Kubuntu
Posts: 23

Original Poster
Rep: Reputation: 15
Thanks again RedHatCat.
I'm going to give that page a read today and I'll post again when it works or doesn't =).
-
Phoenix
 
Old 06-19-2007, 04:04 PM   #6
Phoenix_Zero
LQ Newbie
 
Registered: Jan 2005
Location: I sleep i a dorm room, I live in my head.
Distribution: Debian/Kubuntu
Posts: 23

Original Poster
Rep: Reputation: 15
RedHatCat,
I don't think vsftpd.ftpusers and vsftpd.user_list are what I'm looking for here.
The site you linked me to mentioned their use for allow & deny lists.
What I'm looking for is being able to log in to the FTP at all with a username/password instead of being anonymous while using SSL (not SSH, which requires a shell account).
My system does have PAM, which I don't really understand that well at all.
Any other ideas?
Might this have something to do with PAM?
 
Old 06-19-2007, 06:58 PM   #7
flashingcurser
Member
 
Registered: Jan 2003
Distribution: many win/nix/mac
Posts: 259

Rep: Reputation: 32
sftp is irrelevant, as it is part of the ssh suite. ftps is a little sketchy. From what I read in the docs, vsftpd uses TLS by default. Turn off all of the extra SSL stuff, then try many different clients. Just leave the ssl_enable option on. I would do this over your local network to eliminate passive/active FTP problems. Fix those later.

Also look at these options to play with:
check_shell = no
chroot_local_user = yes
force_local_data_ssl = no (What's important, your server or their data? Some clients really choke on this)

Post the vsftpd part of /etc/pam.d/ (or wherever it is in your distro).
Oh, and yes, it could very well have something to do with Pluggable Authentication Modules (PAM).

Last edited by flashingcurser; 06-19-2007 at 07:01 PM.
 
Old 06-19-2007, 11:43 PM   #8
Phoenix_Zero
LQ Newbie
 
Registered: Jan 2005
Location: I sleep i a dorm room, I live in my head.
Distribution: Debian/Kubuntu
Posts: 23

Original Poster
Rep: Reputation: 15
vsftpd.conf:

anonymous_enable=YES
local_enable=YES
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd.pem
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
ftpd_banner="Welcome"
connect_from_port_20=YES

contents of /etc/pam.d/vsftpd:

#Standard behavior for ftpd(8)
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

#Note: vsftpd handles anonymous logins on its own. Do not enable
# pam_ftp.so.

#Standard blurb
@include common-account
@include common-session

@include common-auth

auth required pam_shells.so


That's the whole thing. I have to admit I know next to nothing about PAM.

Thanks
 
Old 06-20-2007, 09:35 AM   #9
flashingcurser
Member
 
Registered: Jan 2003
Distribution: many win/nix/mac
Posts: 259

Rep: Reputation: 32
First try some of the options in my first post. Don't fight firewalls; do it over the local network. Troubleshoot firewalls after you get everything else working. Try different FTP clients for secure connections.

Post what is in the /etc/ftpusers file. The ftpusers file is normally there to block dangerous users like root, but it may be blocking others.

Also, make double sure the service has completely stopped and restarted since you made the changes to the config files. It may be an old process listening for ftp connections.

Check your logs: /var/log/vsftpd/, and for PAM errors look in /var/log/auth.log right after you try to connect.

BTW: if your users have shell accounts anyway, why not have them use WinSCP? sftp is faster, more secure, less hassle, doesn't mind port forwarding, and WinSCP is a great Windows client (the latest beta is also a great FTP client).
Link:
http://sourceforge.net/project/showf...ease_id=512063

Last edited by flashingcurser; 06-20-2007 at 09:42 AM.
 
Old 06-20-2007, 09:24 PM   #10
Phoenix_Zero
LQ Newbie
 
Registered: Jan 2005
Location: I sleep i a dorm room, I live in my head.
Distribution: Debian/Kubuntu
Posts: 23

Original Poster
Rep: Reputation: 15
flashingcurser,
Your suggestion of just saying screw it to ftps and using sftp is becoming persuasive given the amount of work on this. Partially because I already got it to work and partially because you mentioned it's more secure; I had it backwards then in what I thought.

I still don't understand PAM at all. Is there a particular resource doc or tutorial you would suggest for me?

Thank you again,
(and you too redhatcat!)
--
Phoenix
 
Old 06-22-2007, 07:21 PM   #11
Phoenix_Zero
LQ Newbie
 
Registered: Jan 2005
Location: I sleep i a dorm room, I live in my head.
Distribution: Debian/Kubuntu
Posts: 23

Original Poster
Rep: Reputation: 15
OK, I have the FTP server working now, per se...
My user can log in to /srv/ftpsrv, but all other users (even those that are part of the group that owns /srv/ftpsrv and have the same rights as the owner) can't access it and receive an 'access denied' message.
Any idea what I could do, or things I could post here to help figure it out?

[edit]
I think I got it; stupid error on my part, I had changed the group ownership but not added read capabilities... heh.

Last edited by Phoenix_Zero; 06-22-2007 at 07:25 PM.
 
Old 06-28-2007, 04:35 PM   #12
Marcelus Vas
LQ Newbie
 
Registered: Jun 2007
Posts: 2

Rep: Reputation: 0
vsftp install and config

Hi,

Check my install log. Everything is working fine for the user "support". All the other users are successfully blocked.
The operating system here is Red Hat Enterprise 3.

##### The install #####

[root@sshgw root]# ls
anaconda-ks.cfg javastat.tgz teste_radar01.tcp
install.log lrzsz-0.12.20-22.1.i386.rpm vsftpd-1.2.0-4.src.rpm
install.log.syslog sshes.tcp

[root@sshgw root]# rpm -ivh vsftpd-1.2.0-4.src.rpm
1:vsftpd ########################################### [100%]


##### The configuration #####
In case of missing config files, create 'em...

[root@sshgw root]# ls -lrt /etc/vsftp*
-rw-r--r-- 1 root root 8 Jun 28 10:49 /etc/vsftpd.chroot_list
-rw-r--r-- 1 root root 8 Jun 28 14:49 /etc/vsftpd.allow
-rw-r--r-- 1 root root 135 Jun 28 14:56 /etc/vsftpd.ftpusers
-rw------- 1 root root 4146 Jun 28 15:32 /etc/vsftpd.conf
-rw-r--r-- 1 root root 371 Jun 28 15:41 /etc/vsftpd.user_list

[root@sshgw root]# more /etc/vsftpd.chroot_list
support

[root@sshgw root]# more /etc/vsftpd.allow
support

[root@sshgw root]# more /etc/vsftpd.ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
anonymous

[root@sshgw root]# more /etc/vsftpd.user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd.ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
anonymous

[root@sshgw root]# more /etc/xinetd.d/vsftpd
# default: off
# description: The vsftpd FTP server serves FTP connections. It uses \
# normal, unencrypted usernames and passwords for authentication.
service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/vsftpd
nice = 10
}

[root@sshgw root]# more /etc/vsftpd.conf
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are very paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
#
# Allow anonymous FTP?
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
pasv_enable=YES
pasv_promiscuous=NO
port_enable=YES
setproctitle_enable=YES
text_userdb_names=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
accept_timeout=60
ftp_data_port=20
#userlist_file=/etc/vsftpd.allow
#userlist_file=/var/vsftpd.user_list
userlist_file=/etc/vsftpd.user_list
nopriv_user=libretto
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=YES
#enable for standalone mode
listen=NO
tcp_wrappers=YES

##### The tests #####

[root@sshgw root]# ftp 172.23.0.36
Connected to 172.23.0.36.
220 (vsFTPd 1.1.3)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.23.0.36:root): support
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.

[root@sshgw root]# ftp 172.23.0.36
Connected to 172.23.0.36.
220 (vsFTPd 1.1.3)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.23.0.36:root): root
530 Permission denied.
Login failed.
ftp> bye
221 Goodbye.

[root@sshgw root]# ftp 172.23.0.36
Connected to 172.23.0.36.
220 (vsFTPd 1.1.3)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.23.0.36:root): anonymous
530 Permission denied.
Login failed.
ftp> bye
221 Goodbye.


Bye !
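A small model of the login gate these files configure, added here as an example and not code from the thread or from vsftpd itself: it parses the vsftpd.conf and user-list formats quoted in post #12 and the Debian /etc/pam.d/vsftpd stack from post #8, and reproduces the three test logins above (support, root, anonymous) together with the thread-title message. It is deliberately simplified: only the checks visible on this page (userlist_file, anonymous_enable/local_enable, pam_listfile on /etc/ftpusers, pam_shells, the chroot list) are modelled, the check order and reply texts are assumed to follow vsftpd's usual behaviour, and the password itself is assumed correct.

```python
# Added example, not code from the thread or from vsftpd: a simplified model of the login
# decisions made by the files quoted in posts #8 and #12. Assumed: check order and reply
# texts follow vsftpd's usual behaviour; PAM account/session stacks and tcp_wrappers are not modelled.

def parse_conf(text):
    """Parse key=value lines of vsftpd.conf; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def parse_list(text):
    """One username per line, the format of vsftpd.user_list and /etc/ftpusers."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def yes(conf, key, default="NO"):
    return conf.get(key, default).upper() == "YES"

def user_reply(conf, user, user_list):
    """Reply to USER <user>; userlist_file is consulted before any password prompt."""
    if yes(conf, "userlist_enable"):
        # userlist_deny=YES refuses listed users; userlist_deny=NO admits only listed users.
        if (user in user_list) == yes(conf, "userlist_deny", "YES"):
            return "530 Permission denied."
    is_anon = user in ("anonymous", "ftp") and yes(conf, "anonymous_enable")
    if not is_anon and not yes(conf, "local_enable"):
        return "530 This FTP server is anonymous only."  # the message in the thread title
    return "331 Please specify the password."

def pass_reply(user, ftpusers, user_shell, shells):
    """/etc/pam.d/vsftpd from post #8: pam_listfile sense=deny on /etc/ftpusers, then pam_shells;
    the password check itself (common-auth) is assumed to have succeeded."""
    if user in ftpusers or user_shell not in shells:
        return "530 Login incorrect."
    return "230 Login successful."

def is_chrooted(conf, user, chroot_list):
    """With chroot_local_user=YES, chroot_list names the users who are NOT chrooted."""
    chroot_all = yes(conf, "chroot_local_user")
    if yes(conf, "chroot_list_enable") and user in chroot_list:
        return not chroot_all
    return chroot_all

# Constructed sample input, condensed from the files in post #12.
CONF = parse_conf("anonymous_enable=NO\nlocal_enable=YES\nchroot_local_user=YES\n"
                  "chroot_list_enable=YES\nuserlist_enable=YES\nuserlist_deny=YES")
USER_LIST = parse_list("# vsftpd userlist\nroot\nbin\nnobody\nanonymous")
FTPUSERS = parse_list("# Users that are not allowed to login via ftp\nroot\nbin\nnobody\nanonymous")
SHELLS = {"/bin/sh", "/bin/bash"}  # stands in for /etc/shells
for name in ("support", "root", "anonymous"):
    print(name, "->", user_reply(CONF, name, USER_LIST))
```

The last function also shows the point of post #13: with chroot_local_user=YES, putting "support" in vsftpd.chroot_list exempts that user from the chroot, so the list must be empty for support to stay in its home directory.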
 
Old 06-28-2007, 05:22 PM   #13
Marcelus Vas
LQ Newbie
 
Registered: Jun 2007
Posts: 2

Rep: Reputation: 0
Additional info

Hi,

The "vsftpd.chroot_list" file has to be empty so as not to allow the support user to change out of its home directory.

[root@sshgw root]# more /etc/vsftpd.chroot_list <= This list file has to be empty.

To restart the service do:

[root@sshgw etc]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]

That's all.
 
  

