I have a vsftpd server that uses virtual users to give each user access to its own files and folders.
I want to configure vsftpd to use FTPS and have tried numerous times, but it hasn’t succeeded yet.
This is the config I use for testing that got me furthest:
ftpd_banner="experimental FTP service on EPC353"
dirmessage_enable=YES
hide_ids=YES
chmod_enable=NO
cmds_denied=RMD
# local_enable needs to be yes for virtual users
local_enable=yes
local_umask=066
anonymous_enable=NO
# next line ensures that anon-user can't see/get anything (in case of anonymous_enable=yes)
anon_root=/usr/share/empty
anon_upload_enable=no
allow_writeable_chroot=YES
guest_enable=YES
guest_username=virtual
user_config_dir=/etc/vsftpd_user_conf
pam_service_name=vsftpd
# userlist works fine (tested with userlist_deny yes/no)
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
listen=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40500
listen_port=990
rsa_cert_file=/etc/ssl/private/vsftpd20200204.pem
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
debug_ssl=YES
xferlog_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
log_ftp_protocol=yes
This is what I get when trying to connect:
~> curl --ftp-ssl --insecure --user NIEDE localhost:990 -v
Enter host password for user 'NIEDE':
* Rebuilt URL to: localhost:990/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 990 (#0)
* Server auth using Basic with user 'NIEDE'
> GET / HTTP/1.1
> Host: localhost:990
> Authorization: Basic TklFREU6T0xLSkg=
> User-Agent: curl/7.60.0
> Accept: */*
>
220 "experimental FTP service on EPC353"
530 Please login with USER and PASS.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
(It then doesn’t respond to any command and I used Ctrl-C to return to bash.)
/var/log/vsftpd.log shows
Thu Jun 18 09:41:51 2020 [pid 21996] CONNECT: Client "127.0.0.1"
Thu Jun 18 09:41:51 2020 [pid 21996] FTP response: Client "127.0.0.1", "220 "experimental FTP service on EPC353""
Thu Jun 18 09:41:51 2020 [pid 21996] FTP command: Client "127.0.0.1", "GET / HTTP/1.1"
Thu Jun 18 09:41:51 2020 [pid 21996] FTP response: Client "127.0.0.1", "530 Please login with USER and PASS."
Thu Jun 18 09:41:51 2020 [pid 21996] FTP command: Client "127.0.0.1", "HOST: localhost:990"
Thu Jun 18 09:41:51 2020 [pid 21996] FTP response: Client "127.0.0.1", "530 Please login with USER and PASS."
Thu Jun 18 09:41:51 2020 [pid 21996] FTP command: Client "127.0.0.1", "AUTHORIZATION: Basic TklFREU6T0xLSkg="
Thu Jun 18 09:41:51 2020 [pid 21996] FTP response: Client "127.0.0.1", "530 Please login with USER and PASS."
Thu Jun 18 09:41:51 2020 [pid 21996] FTP command: Client "127.0.0.1", "USER-AGENT: curl/7.60.0"
Thu Jun 18 09:41:51 2020 [pid 21996] FTP response: Client "127.0.0.1", "530 Please login with USER and PASS."
Thu Jun 18 09:41:51 2020 [pid 21996] FTP command: Client "127.0.0.1", "ACCEPT: */*"
Thu Jun 18 09:41:51 2020 [pid 21996] FTP response: Client "127.0.0.1", "530 Please login with USER and PASS."
Thu Jun 18 09:41:51 2020 [pid 21996] FTP command: Client "127.0.0.1"
Thu Jun 18 09:42:00 2020 vsftpd [pid 21995]: "" from "127.0.0.1": priv_sock_get_cmd
I have switched off the firewall during the tests to avoid problems in that area.
The (self-made) certificate is a valid x509 certificate (verified with
and got this after entering password, setting debug to 20 and ls:
Password:
---- Resolving host address...
---- 1 address found: 127.0.0.1
lftp NIEDE@localhost:~> debug 20
lftp NIEDE@localhost:~> ls
FileCopy(0x55f03203e210) enters state INITIAL
FileCopy(0x55f03203e210) enters state DO_COPY
---- dns cache hit
---- attempt number 1 (max_retries=1000)
---- Connecting to localhost (127.0.0.1) port 990
**** SSL_connect: wrong version number
---- Closing control socket
ls: Fatal error: SSL_connect: wrong version number
lftp NIEDE@localhost:~>
/var/log/vsftpd.log says:
Thu Jun 18 13:32:21 2020 [pid 22877] FTP response: Client "127.0.0.1", "220 "experimental FTP service on EPC353""
Thu Jun 18 13:32:21 2020 [pid 22877] FTP command: Client "127.0.0.1", "???????????Z?7?????PX?4?=?>???T?B?*#???RT????8?,?0?????????+?/???$?(?K?#?'?G?"
Thu Jun 18 13:32:21 2020 [pid 22877] FTP response: Client "127.0.0.1", "530 Please login with USER and PASS."
Thu Jun 18 13:32:21 2020 [pid 22877] FTP command: Client "127.0.0.1", "???9?????3?????=?<?5?/?????T?????????LOCALHOST?????????"
Thu Jun 18 13:32:21 2020 [pid 22877] FTP response: Client "127.0.0.1", "530 Please login with USER and PASS."
Thu Jun 18 13:32:21 2020 [pid 22877] FTP command: Client "127.0.0.1", "
"
Thu Jun 18 13:32:21 2020 [pid 22877] FTP response: Client "127.0.0.1", "530 Please login with USER and PASS."
Thu Jun 18 13:32:21 2020 vsftpd [pid 22877]: "" from "127.0.0.1": vsf_sysutil_recv_peek
Thu Jun 18 13:32:21 2020 vsftpd [pid 22876]: "" from "127.0.0.1": priv_sock_get_cmd
If you want to set up a very simple ftp server, you can use the YaST module
zypper in yast2-ftp-server
For practically any other configuration, because there are so many combinations of security, authentication and User options, I generally rely on the package’s included documentation.
For vsftpd, there are a number of documentation and example files in the following location on your system:
/usr/share/doc/packages/vsftpd/
Also, be aware that the localhost interface is different from your LAN network interface… You’ll probably want to test on that, not localhost.
Thank you for your suggestions.
The vsftpd server has been running for at least 8 years now, and running well, except for one thing: it uses FTP and I want to change it to FTPS.
I will test over LAN and not on localhost, and see if that helps.
Your client talks HTTP not FTP, what do you expect? Garbage in, garbage out.
What is missing/wrong in my configuration?
Your other client talks implicit SSL (and we have no way to know what is inside the encrypted stream as it is not visible. We can just hope this time it is FTP and not an HTTP client). You either need to configure your client to use explicit SSL or configure vsftpd to use implicit SSL (but then you won’t be able to use plain text connections at all). See the implicit_ssl vsftpd option.
I’d have to see more of the logfile to see what is happening.
A client can request anything, it doesn’t necessarily mean that the response will be successful (ie I don’t see a 200 code for the http GET)
There are a number of steps to analyze in an FTP session…
Some generalities…
The client will specify preferences for the proposed FTP session
The server will respond with whatever is actually configured to be supported
There is a difference between initial authentication/authorization and the main FTP session itself, when data is exchanged using the agreed-upon session attributes.
There is a big difference between TLS and SSL; TLS is becoming more common for http, while I haven’t seen the same for FTP.
To decrease the chance of unexpected variables, use an FTP client that’s fully configurable and has the fewest options.
This generally means a command line ftp client is better than for example a web browser or FTP manager like Filezilla.
Here are the minimal changes to enable explicit SSL in vsftpd:
bor@leap15:~> sudo diff -up /etc/vsftpd.conf.orig /etc/vsftpd.conf
--- /etc/vsftpd.conf.orig 2018-12-17 22:45:05.000000000 +0300
+++ /etc/vsftpd.conf 2020-06-20 16:01:38.822105478 +0300
@@ -191,9 +191,11 @@ listen_ipv6=YES
# Set "ssl_enable=YES" to enable SSL support and configure the location of
# your local certificate (RSA, DSA, or both). Note that vsftpd won't start
# if either of the "xxx_cert_file" options sets a path that doesn't exist.
-ssl_enable=NO
-rsa_cert_file=
+ssl_enable=YES
+rsa_cert_file=/home/bor/cert.pem
+rsa_private_key_file=/home/bor/key.pem
dsa_cert_file=
+seccomp_sandbox=NO
#
# Limit passive ports to this range to assis firewalling
pasv_min_port=30000
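Review bot: seccomp_sandbox=NO (the added line after `dsa_cert_file=`) switches off vsftpd's syscall sandbox for every session, not only the TLS ones, so the hunk should carry a comment stating why it is needed here and the setting should be re-checked later to see whether it can go back to YES. The same hunk points `rsa_cert_file=/home/bor/cert.pem` and `rsa_private_key_file=/home/bor/key.pem` at a user's home directory; the key file in particular must not be readable by other accounts, and a system path with restrictive permissions is the safer place for it.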
bor@leap15:~>
I used lftp from Leap 15.1 and it tries to use SSL by default at least for the control connection; if you are using a self-signed certificate you need to disable certificate validation, globally or per-host:
I applied the minimal changes to the configuration:
ftpd_banner="experimental FTPS server on EPC353"
dirmessage_enable=YES
hide_ids=YES
chmod_enable=NO
cmds_denied=RMD
# local_enable needs to be yes for virtual users
local_enable=yes
local_umask=066
anonymous_enable=NO
# next line ensures that anon-user can't see/get anything (in case of anonymous_enable=yes)
anon_root=/usr/share/empty
anon_upload_enable=no
allow_writeable_chroot=YES
guest_enable=YES
guest_username=virtual
user_config_dir=/etc/vsftpd_user_conf
pam_service_name=vsftpd
# userlist works fine (tested with userlist_deny yes/no)
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
listen=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40500
# FTPS part
listen_port=990
rsa_cert_file=/etc/ssl/private/vsftpd20200204.pem
rsa_private_key_file=/etc/ssl/private/vsftpd20200204.pem
dsa_cert_file=
ssl_enable=YES
seccomp_sandbox=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
debug_ssl=YES
xferlog_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
log_ftp_protocol=yes
restarted the service and set ssl:verify-certificate to false in bash, used the command
lftp -u NIEDE ftps://localhost:990
entered the password and then entered debug 20, ls and exit:
Password:
lftp NIEDE@localhost:~> debug 20
lftp NIEDE@localhost:~> ls
FileCopy(0x565210206e10) enters state INITIAL
FileCopy(0x565210206e10) enters state DO_COPY
---- dns cache hit
---- attempt number 1 (max_retries=1000)
---- Connecting to localhost (127.0.0.1) port 990
**** SSL_connect: wrong version number
---- Closing control socket
ls: Fatal error: SSL_connect: wrong version number
The log shows:
Mon Jun 22 10:08:29 2020 [pid 31276] CONNECT: Client "127.0.0.1"
Mon Jun 22 10:08:29 2020 [pid 31276] FTP response: Client "127.0.0.1", "220 "experimental FTPS server on EPC353""
Mon Jun 22 10:08:29 2020 [pid 31276] FTP command: Client "127.0.0.1", "??????????????DE???"
Mon Jun 22 10:08:29 2020 [pid 31276] FTP response: Client "127.0.0.1", "530 Please login with USER and PASS."
Mon Jun 22 10:08:29 2020 vsftpd [pid 31276]: "" from "127.0.0.1": ftp_write
When I enter an incorrect password, the behaviour is the same.
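Added example, not code from any poster or from the vsftpd project: a small checker that parses a vsftpd.conf fragment and flags the setting combination posted above (ssl_enable=YES on listen_port=990 without implicit_ssl=YES), plus the force_local_data_ssl=NO, seccomp_sandbox=NO and allow_writeable_chroot=YES lines that appear in the same configuration. The sample configuration, the DEFAULTS table (taken from the vsftpd.conf(5) defaults for those keys) and the finding categories are this example's own constructions.

```python
"""Lint a vsftpd.conf for the implicit/explicit FTPS mismatch and a few
hardening settings. Added example, not vsftpd's own tooling; the sample
configuration is constructed from values that appear in this thread."""

# Constructed from the thread's posted configuration (only the relevant keys).
SAMPLE_CONF = """\
listen=YES
listen_port=990
rsa_cert_file=/etc/ssl/private/vsftpd20200204.pem
rsa_private_key_file=/etc/ssl/private/vsftpd20200204.pem
ssl_enable=YES
seccomp_sandbox=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
# comment lines and blank lines are skipped by the parser
allow_writeable_chroot=YES
"""

# vsftpd defaults for the keys we look at (from vsftpd.conf(5)).
DEFAULTS = {
    "listen_port": "21",
    "ssl_enable": "NO",
    "implicit_ssl": "NO",
    "force_local_data_ssl": "YES",
    "force_local_logins_ssl": "YES",
    "seccomp_sandbox": "YES",
    "allow_writeable_chroot": "NO",
}


def parse_vsftpd_conf(text: str) -> dict:
    """vsftpd.conf is one key=value per line; '#' starts a comment line.
    A key given twice takes its last value, as vsftpd does."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def setting(conf: dict, key: str) -> str:
    """Value of a key, falling back to the vsftpd default, upper-cased."""
    return conf.get(key, DEFAULTS.get(key, "")).upper()


def check_ftps(conf: dict) -> list:
    """Return (category, message) findings for the TLS-related settings."""
    findings = []
    ssl_on = setting(conf, "ssl_enable") == "YES"
    implicit = setting(conf, "implicit_ssl") == "YES"
    port = int(setting(conf, "listen_port"))
    if ssl_on and port == 990 and not implicit:
        findings.append(("mismatch",
            "listen_port=990 is the implicit-FTPS port but implicit_ssl is not YES: "
            "vsftpd sends a plaintext 220 banner and waits for AUTH TLS, so an ftps:// "
            "client fails with 'SSL_connect: wrong version number'; set implicit_ssl=YES "
            "or point the client at ftp:// with explicit TLS"))
    if ssl_on and implicit and port == 21:
        findings.append(("mismatch",
            "implicit_ssl=YES on port 21: plain FTP and explicit-FTPS clients wait for a "
            "banner that never comes"))
    if ssl_on and setting(conf, "force_local_data_ssl") != "YES":
        findings.append(("cleartext-data",
            "force_local_data_ssl=NO: clients may send PROT C and transfer listings and "
            "file contents without TLS"))
    if ssl_on and setting(conf, "force_local_logins_ssl") != "YES":
        findings.append(("cleartext-login",
            "force_local_logins_ssl=NO: passwords may be sent without TLS"))
    if setting(conf, "seccomp_sandbox") == "NO":
        findings.append(("hardening",
            "seccomp_sandbox=NO disables vsftpd's syscall sandbox for all sessions"))
    if setting(conf, "allow_writeable_chroot") == "YES":
        findings.append(("hardening",
            "allow_writeable_chroot=YES: the chroot root directory is writable by the user"))
    return findings


if __name__ == "__main__":
    for category, message in check_ftps(parse_vsftpd_conf(SAMPLE_CONF)):
        print(f"[{category}] {message}")
```

Run it against the real file with `check_ftps(parse_vsftpd_conf(open("/etc/vsftpd.conf").read()))`; appending `implicit_ssl=YES` and `force_local_data_ssl=YES` to the sample clears the mismatch and cleartext-data findings, since a later key overrides an earlier one exactly as vsftpd reads the file.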
Your connection is failing during the initialization stage.
I think you’re posting your server side log. You should also inspect your client-side log and compare entries to verify the client is seeing exactly the same thing or reports something slightly different perhaps with additional info.
You can try enabling anonymous and guest during setup just to get something to work, eliminating possible causes related to your User accounts.
From your server-side log, it appears that your User credentials are being rejected or not understood. Many possible causes including wrong credentials, encrypted/decrypted incorrectly.
I assume that this FTP was tested without SSL and found working first before adding SSL?
Although I don’t recommend testing or using the localhost/127.0.0.1 interface, it appears to be responding to your test so you can continue but be aware that when you finally succeed in fixing your problems, you may still have problems on your LAN interface which would mean having to troubleshoot all over again… Assuming you actually want to use your FTP server for machine to machine connections which likely makes sense.
Yes, I have posted the server-side log (vsftpd.log). TBH, I don’t know how to find client-side logs.
You can try enabling anonymous and guest during setup just to get something to work, eliminating possible causes related to your User accounts.
From your server-side log, it appears that your User credentials are being rejected or not understood. Many possible causes including wrong credentials, encrypted/decrypted incorrectly.
I assume that this FTP was tested without SSL and found working first before adding SSL?
Yes, this FTP server has been tested without SSL, in that case both ftp and lftp respond as expected.
The config then contains
Although I don’t recommend testing or using the localhost/127.0.0.1 interface, it appears to be responding to your test so you can continue but be aware that when you finally succeed in fixing your problems, you may still have problems on your LAN interface which would mean having to troubleshoot all over again… Assuming you actually want to use your FTP server for machine to machine connections which likely makes sense.
I haven’t been able to set up another machine with Leap 15.1 and without firewall for testing. That’s why I still work with localhost.
Both ftp and lftp respond as expected with SSL in your case. You told lftp to use implicit SSL (FTPS scheme) and did not tell (or even explicitly prohibited) vsftpd to expect implicit SSL.
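Added example, not code from any poster in this thread: the two diagnoses above (the first client was speaking HTTP because the URL had no scheme; the second spoke implicit TLS to a server configured for explicit TLS) can both be read off the first bytes each side puts on the control connection, which is what vsftpd logs as the garbled "FTP command" lines. This script names those bytes and predicts what each side will see. The mode names, the predicted messages and the sample byte strings (modelled on the thread's log entries, not captured traffic) are this example's own constructions; `probe_server` only connects and reads, it never sends anything.

```python
"""Classify what the peer sent first on an FTP control connection.

Added example (not code from the thread): names the protocol behind the
first bytes a client sends (HTTP, plain FTP, explicit FTPS via AUTH TLS,
implicit FTPS via an immediate TLS ClientHello) and the mode a server is
in from its first bytes (plaintext 220 banner, or silence while it waits
for a ClientHello), then predicts the outcome of each combination.
"""
import socket

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "CONNECT", "PATCH"}
PLAIN_FTP_VERBS = {"USER", "FEAT", "SYST", "PWD", "OPTS", "QUIT", "NOOP", "HELP"}


def classify_client_first_bytes(data: bytes) -> str:
    """Name the protocol a client is speaking from its first bytes."""
    if not data:
        return "empty"
    # A TLS record starts with content type 0x16 (handshake) and a 0x03 0x0X
    # record version; an implicit-FTPS client sends this ClientHello at once,
    # which a server expecting plaintext logs as a garbled "FTP command".
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "implicit-ftps"
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
    try:
        text = first_line.decode("ascii")
    except UnicodeDecodeError:
        return "binary"
    words = text.split()
    if not words:
        return "empty"
    verb = words[0].upper()
    if verb in HTTP_METHODS and len(words) == 3 and words[2].upper().startswith("HTTP/"):
        return "http"
    if verb == "AUTH" and len(words) == 2 and words[1].upper() in ("TLS", "SSL", "TLS-C", "TLS-P"):
        return "explicit-ftps"
    if verb in PLAIN_FTP_VERBS:
        return "plain-ftp"
    return "unknown"


def classify_server_first_bytes(data: bytes) -> str:
    """Name the server mode from what it sends right after accept()."""
    if not data:
        # An implicit-FTPS server says nothing until the client's ClientHello.
        return "silent"
    if data.startswith(b"220"):
        return "plaintext-banner"
    return "unknown"


def predict_outcome(client_mode: str, server_mode: str) -> str:
    """What the two sides will see for a given client/server combination."""
    if server_mode == "plaintext-banner":
        if client_mode in ("plain-ftp", "explicit-ftps"):
            return "handshake proceeds"
        if client_mode == "implicit-ftps":
            return ("client: SSL_connect wrong version number; "
                    "server logs ClientHello bytes as a command and answers 530")
        if client_mode == "http":
            return "server answers 530 to every header line; client waits for an HTTP reply"
    if server_mode == "silent":
        if client_mode == "implicit-ftps":
            return "handshake proceeds"
        if client_mode in ("plain-ftp", "explicit-ftps"):
            return "both sides wait: client for a 220 banner, server for a ClientHello"
        if client_mode == "http":
            return "server TLS handshake fails: request line is not a ClientHello"
    return "unknown"


def probe_server(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send nothing, and report whether the server greets in plaintext."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(256)
        except socket.timeout:
            data = b""
    return classify_server_first_bytes(data)


# Constructed samples modelled on the thread's log entries (not captured data).
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: localhost:990\r\n\r\n"
SAMPLE_CLIENTHELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32
SAMPLE_AUTH_TLS = b"AUTH TLS\r\n"
SAMPLE_BANNER = b'220 "experimental FTP service on EPC353"\r\n'

if __name__ == "__main__":
    server_mode = classify_server_first_bytes(SAMPLE_BANNER)
    for name, sample in [("curl localhost:990", SAMPLE_HTTP),
                         ("lftp ftps://", SAMPLE_CLIENTHELLO),
                         ("explicit client", SAMPLE_AUTH_TLS)]:
        mode = classify_client_first_bytes(sample)
        print(f"{name}: {mode} -> {predict_outcome(mode, server_mode)}")
```

Against a live server, `probe_server("localhost", 990)` returning "plaintext-banner" means the port is serving explicit FTPS (or plain FTP), so an ftps:// client will fail exactly as in the lftp output above; "silent" means implicit TLS is in effect and explicit clients will hang waiting for the banner.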