Problems getting pure-ftpd working in 11.4

naskie18 wrote:
> “martin_helm” Wrote:
>> Did you install the package yast2-ftp-server? Without it you will not
>> have
>> an ftp entry in yast.
> I originally did not install that. Now I have, and there is an ftp
> entry in yast, although there doesn’t seem to be anything useful in
> there. When I open it, I get a window which says that a TFTP server is
> enabled, and lists a boot image directory of “/srv/tftpboot”
>
So you installed the wrong package named yast2-tftp-server instead of
yast2-ftp-server which would have been the right one.


PC: oS 11.3 64 bit | Intel Core2 Quad Q8300@2.50GHz | KDE 4.6.3 | GeForce
9600 GT | 4GB Ram
Eee PC 1201n: oS 11.4 64 bit | Intel Atom 330@1.60GHz | KDE 4.6.0 | nVidia
ION | 3GB Ram

On Sat May 28 2011 08:36 am, naskie18 wrote:

>
> venzkep;2344968 Wrote:
>>
>> What have you done to create users?
>>
>> Have you read: /usr/share/doc/packages/pure-ftpd/ ?
>>
> I have setup pure-ftpd according to the readme file in that folder.
> I’ve got two users setup right now, my username and a user _pure-ftpd.
> Both are members of the _pure-ftpd group, as well as the ftp group.
>
<snip>
naskie18;

Are these “virtual users”? If so, does the following return the expected
values?


su -
pure-pw show <user_name>
exit

This HowTo is “long in the tooth” but should still be helpful:
http://www.novell.com/coolsolutions/feature/11418.html

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

Doh. Apparently I need to increase the font size, I didn’t even see the t in there. Got the correct one installed now.

Have it set to only allow authenticated users, and that’s working in that I can’t login as anonymous anymore, however, I still can’t login as a real user. Using the information in the link you provided, I also created a virtual user, and can’t login as the virtual user, either.

For the virtual user, I get the following results to the pure-pw show command:


Login              : naskie
Password           : $2a$07$nj/mx4PeQAMNXJ21jAKZTuOmfNf45qQFvfh.Ve3/4zMVApT.hj1Xy
UID                : 1002 (ftpuser)
GID                : 1000 (ftpgroup)
Directory          : /windows/d/ftp/./
Full name          : 
Download bandwidth : 0 Kb (unlimited)
Upload   bandwidth : 0 Kb (unlimited)
Max files          : 0 (unlimited)
Max size           : 0 Mb (unlimited)
Ratio              : 0:0 (unlimited:unlimited)
Allowed local  IPs : 
Denied  local  IPs : 
Allowed client IPs : 
Denied  client IPs : 
Time restrictions  : 0000-0000 (unlimited)
Max sim sessions   : 0 (unlimited)

Alright, I went back to 11.3, installed pure-ftpd and yast2-ftp-server, and everything worked fine. Then I upgraded to 11.4, and now it’s broken again.

If I set the authentication option to Anonymous, then I can login as anonymous and upload/download files in the default directory, but I can’t get to other directories, which is fine for anonymous, but I’m trying to get a login setup so that I can get to other directories, 'cuz being caged in the generic ftp directory isn’t real useful to me.

If I set the authentication to Authenticated users, I can’t login at all, it tells me that the username is OK, but I always get an error when it tries to validate the password. Also, it seems to be doing something funky which may or may not be related. When I have the authentication set to allow anonymous, the Min and Max port values for passive mode are 40000 and 40500, respectively. When I change the authentication setting to allow authenticated users only, the min port value stays at 40000, but the max port value changes to 1024. If I go to the “expert settings” page in the Yast ftp manager, it’ll give me an error when it notices this, saying that the max port has to be greater than the min port. Changing the max port back to 40500 has no effect on whether I can login, and changing the min port to 1024 also has no effect on whether I can login.

Any other thoughts on how to fix this?

Please post the contents of your /etc/pure-ftpd/pure-ftpd.conf file

Thanks,
Hiatt

Here it is:


############################################################
#                                                          #
#         Configuration file for pure-ftpd wrappers        #
#                                                          #
############################################################

# If you want to run Pure-FTPd with this configuration   
# instead of command-line options, please run the
# following command :
#
# /usr/sbin/pure-config.pl /usr/etc/pure-ftpd.conf
#
# Please don't forget to have a look at documentation at
# http://www.pureftpd.org/documentation.shtml for a complete list of
# options.

# Cage in every user in his home directory

ChrootEveryone NO



# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.

# TrustedGID                    100



# Turn on compatibility hacks for broken clients

BrokenClientsCompatibility no



# Maximum number of simultaneous users

MaxClientsNumber 10



# Fork in background

Daemonize YES



# Maximum number of sim clients with the same IP address

MaxClientsPerIP 3



# If you want to log all client commands, set this to "yes".
# This directive can be duplicated to also log server responses.

VerboseLog YES


# Allow dot-files
AllowDotFiles yes


# List dot-files even when the client doesn't send "-a".

DisplayDotFiles yes



# Don't allow authenticated users - have a public anonymous FTP only.

AnonymousOnly NO



# Disallow anonymous connections. Only allow authenticated users.

NoAnonymous NO



# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp". "none" disables logging.

SyslogFacility ftp



# Display fortune cookies

# FortunesFile              /usr/share/fortune/zippy



# Don't resolve host names in log files. Logs are less verbose, but 
# it uses less bandwidth. Set this to "yes" on very busy servers or
# if you don't have a working DNS.

DontResolve yes



# Maximum idle time in minutes (default = 15 minutes)

MaxIdleTime 15



# LDAP configuration file (see README.LDAP)

# LDAPConfigFile                /etc/pure-ftpd/pureftpd-ldap.conf



# MySQL configuration file (see README.MySQL)

# MySQLConfigFile               /etc/pure-ftpd/pureftpd-mysql.conf


# Postgres configuration file (see README.PGSQL)

# PGSQLConfigFile               /etc/pure-ftpd/pureftpd-pgsql.conf


# PureDB user database (see README.Virtual-Users)

# PureDB                        /etc/pure-ftpd/pureftpd.pdb


# Path to pure-authd socket (see README.Authentication-Modules)

# ExtAuth                       /var/run/ftpd.sock



# If you want to enable PAM authentication, uncomment the following line

PAMAuthentication yes



# If you want simple Unix (/etc/passwd) authentication, uncomment this

# UnixAuthentication            yes



# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used only once, but they can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be asked. If the SQL authentication fails because the
# user wasn't found, another try # will be done with /etc/passwd and
# /etc/shadow. If the SQL authentication fails because the password was wrong,
# the authentication chain stops here. Authentication methods are chained in
# the order they are given. 



# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth

LimitRecursion 10000 8



# Are anonymous users allowed to create new directories ?

AnonymousCanCreateDirs YES



# If the system is more loaded than the following value,
# anonymous users aren't allowed to download.

MaxLoad 4



# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.

# ForcePassiveIP                192.168.0.1



# Upload/download ratio for anonymous users.

# AnonymousRatio                1 10



# Upload/download ratio for all users.
# This directive superscedes the previous one.

# UserRatio                 1 10



# Disallow downloading of files owned by "ftp", ie.
# files that were uploaded but not validated by a local admin.

AntiWarez NO



# IP address/port to listen to (default=all IP and port 21).

# Bind                      127.0.0.1,21



# Maximum bandwidth for anonymous users in KB/s

# AnonymousBandwidth            8



# Maximum bandwidth for *all* users (including anonymous) in KB/s
# Use AnonymousBandwidth *or* UserBandwidth, both makes no sense.

# UserBandwidth             8



# File creation mask. <umask for files>:<umask for dirs> .
# 177:077 if you feel paranoid.

Umask 177:077



# Minimum UID for an authenticated user to log in.

MinUID 40



# Allow FXP transfers for authenticated users.

AllowUserFXP no



# Allow anonymous FXP for anonymous and non-anonymous users.

AllowAnonymousFXP no



# Users can't delete/write files beginning with a dot ('.')
# even if they own them. If TrustedGID is enabled, this group
# will have access to dot-files, though.

ProhibitDotFilesWrite yes



# Prohibit *reading* of files beginning with a dot (.history, .ssh...)

ProhibitDotFilesRead no



# Never overwrite files. When a file whoose name already exist is uploaded,
# it get automatically renamed to file.1, file.2, file.3, ...

AutoRename yes



# Disallow anonymous users to upload new files (no = upload is allowed)

AnonymousCantUpload NO



# Only connections to this specific IP address are allowed to be
# non-anonymous. You can use this directive to open several public IPs for
# anonymous FTP, and keep a private firewalled IP for remote administration.
# You can also only allow a non-routable local IP (like 10.x.x.x) to
# authenticate, and keep a public anon-only FTP server on another IP.

#TrustedIP                  10.1.1.1



# If you want to add the PID to every logged line, uncomment the following
# line.

#LogPID                     yes



# Create an additional log file with transfers logged in a Apache-like format :
# fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
# This log file can then be processed by www traffic analyzers.

# AltLog                     clf:/var/log/pureftpd.log



# Create an additional log file with transfers logged in a format optimized
# for statistic reports.

# AltLog                     stats:/var/log/pureftpd.log



# Create an additional log file with transfers logged in the standard W3C
# format (compatible with most commercial log analyzers)

# AltLog                     w3c:/var/log/pureftpd.log



# Disallow the CHMOD command. Users can't change perms of their files.

#NoChmod                     yes



# Allow users to resume and upload files, but *NOT* to delete them.

#KeepAllFiles                yes



# Automatically create home directories if they are missing

#CreateHomeDir               yes



# Enable virtual quotas. The first number is the max number of files.
# The second number is the max size of megabytes.
# So 1000:10 limits every user to 1000 files and 10 Mb.

#Quota                       1000:10



# If your pure-ftpd has been compiled with standalone support, you can change
# the location of the pid file. The default is /var/run/pure-ftpd.pid

#PIDFile                     /var/run/pure-ftpd.pid



# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.

#CallUploadScript yes



# This option is useful with servers where anonymous upload is 
# allowed. As /var/ftp is in /var, it save some space and protect 
# the log files. When the partition is more that X percent full,
# new uploads are disallowed.

MaxDiskUsage 99



# Set to 'yes' if you don't want your users to rename files.

NoRename yes



# Be 'customer proof' : workaround against common customer mistakes like
# 'chmod 0 public_html', that are valid, but that could cause ignorant
# customers to lock their files, and then keep your technical support busy
# with silly issues. If you're sure all your users have some basic Unix
# knowledge, this feature is useless. If you're a hosting service, enable it.

CustomerProof yes
TLS 0
PassivePortRange 40000:40500



# Per-user concurrency limits. It will only work if the FTP server has
# been compiled with --with-peruserlimits (and this is the case on
# most binary distributions) .
# The format is : <max sessions per user>:<max anonymous sessions>
# For instance, 3:20 means that the same authenticated user can have 3 active
# sessions max. And there are 20 anonymous sessions max.

# PerUserLimits            3:20



# When a file is uploaded and there is already a previous version of the file
# with the same name, the old file will neither get removed nor truncated.
# Upload will take place in a temporary file and once the upload is complete,
# the switch to the new version will be atomic. For instance, when a large PHP
# script is being uploaded, the web server will still serve the old version and
# immediatly switch to the new one as soon as the full file will have been
# transfered. This option is incompatible with virtual quotas.

# NoTruncate               yes



# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

# TLS                      1



# Listen only to IPv4 addresses in standalone mode (ie. disable IPv6)
# By default, both IPv4 and IPv6 are enabled.

# IPV4Only                 yes



# Listen only to IPv6 addresses in standalone mode (ie. disable IPv4)
# By default, both IPv4 and IPv6 are enabled.

# IPV6Only                 yes

# UTF-8 support for file names (RFC 2640)
# Define charset of the server filesystem and optionnally the default charset
# for remote clients if they don't use UTF-8.
# Works only if pure-ftpd has been compiled with --with-rfc2640

# FileSystemCharset	big5
# ClientCharset		big5

You have “PAMAuthentication” set to yes. This will allow FTP access to system accounts, is this what you want?
According to post #23 you have virtual users.

Are you using PAM or virtual users?

Hiatt

I don’t have any virtual users set up anymore, since the re-installation. I’d prefer to use the system accounts for FTP access instead, I just setup some virtual users in an attempt to follow that How To and see if I could get it working that way.

Which system account(s) are you using?

Let’s also turn on debugging, this will involve editing the init script a little


vi /etc/init.d/pure-ftpd

Change the following line


startproc $FTPD_BIN $FTPD_ARGS

To this


startproc $FTPD_BIN -d $FTPD_ARGS

Then restart pure-ftpd


/etc/init.d/pure-ftpd restart

Then try logging in again, after the login fails please post the debug info that is in the /var/log/messages file.

Thanks,
Hiatt

Hiatt, thanks for the help, I’ve got it working now. An acquaintance was back in town not too long ago and took a look at the config file, and he suggested commenting out the PAM authentication line and uncommenting the UNIX authentication line and using that, and this change allows me to login using the system accounts.

If there are any concerns with these changes to the config file, please let me know, as I’m obviously on unfamiliar ground here.
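
Added example (not written by any poster in this thread, and not part of pure-ftpd): a small shell audit of the active directives in a pure-ftpd.conf, printing the authentication chain in the order the file's own comments say it is consulted, and flagging the settings that matter once system accounts are used for login. The function names are hypothetical and the sample configuration is a constructed excerpt mirroring the values posted above after the PAM-to-Unix change.

```shell
#!/bin/sh
# Added example (not from the thread): audit active pure-ftpd.conf directives.

# Constructed excerpt mirroring the thread's final state: PAM commented out,
# UnixAuthentication enabled, other values as in the posted file.
sample_conf() {
    cat <<'EOF'
ChrootEveryone NO
# TrustedGID                    100
NoAnonymous NO
# PureDB                        /etc/pure-ftpd/pureftpd.pdb
# PAMAuthentication             yes
UnixAuthentication yes
AnonymousCantUpload NO
TLS 0
PassivePortRange 40000:40500
EOF
}

# Emit "Directive value" for every uncommented line, in file order.
active_directives() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $1, tolower($2) }'
}

# Authentication backends in the order the server will consult them.
auth_chain() {
    active_directives | awk '
        $1 ~ /^(PAMAuthentication|UnixAuthentication)$/ && $2 == "yes" { print $1 }
        $1 ~ /^(PureDB|LDAPConfigFile|MySQLConfigFile|PGSQLConfigFile|ExtAuth)$/ { print $1 }'
}

# One finding per line, in the form "CODE: explanation".
audit_conf() {
    active_directives | awk '
        { v[$1] = $2 }
        END {
            if (!("TLS" in v) || v["TLS"] == "0")
                print "TLS_OFF: logins are unencrypted, so account passwords cross the network in cleartext"
            if (v["ChrootEveryone"] != "yes" && !("TrustedGID" in v))
                print "NO_CHROOT: authenticated users are not caged in their home directory"
            if (v["NoAnonymous"] != "yes" && v["AnonymousCantUpload"] != "yes")
                print "ANON_UPLOAD: anonymous logins are accepted and may upload"
        }'
}

sample_conf | auth_chain
sample_conf | audit_conf
```

To check a live file, feed it on standard input, for example `audit_conf < /etc/pure-ftpd/pure-ftpd.conf`.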

Hi,
Try this:

  • Open Yast -> Software -> Software Management
  • Change the view to patterns
  • Scroll down to “Server Functions”
  • Enable “File Server” (you might want to unmark tftp on the right hand side as it is not safe)
  • Close and reopen Yast.
  • FTP Server should now appear under Network Services.

I use vsftpd and find it a much more manageable beast