Setting up internal FTP

Ok, I need to set up an internal ftp at work, in order to share some files. I have tried using pure-ftpd and vsftpd but I was unable to get it to work.

With vsftpd, I get it up first by going in yast and setting it up there, starting xinetd and of course, editing the default config file at /etc/vsftpd.conf. I want everyone to be able to type in ftp://86.55.181.116 and be able to see the files and write to that folder. They are using Win 7, I am on suse 12.3. Whenever they try to access the server, it prompts for login, and even if they check anonymous or not, the prompt appears again and again without letting them login.

For pure-ftpd, this did not work at all. I can not even start it. Tried editing the conf and running /usr/sbin/pure-config.pl /etc/pure-ftpd/pure-ftpd.conf but the console simply froze.

Any help is greatly appreciated. Thank You

UPDATE:

I now managed to get pure-ftpd up and running. Apparently after a reboot, running the start command again, the konsole still freezes, but closing the console and then trying to access the ftp works. The users can see the files. However in the /etc/pure-ftpd/pure-ftpd.conf I gave anonymous write permissions, but they cannot create new folder or paste files. Any ideas?

Append a ‘&’ to your command line, then the konsole shouldn’t freeze. Or press Alt+F2 and run it there…

The users can see the files. However in the /etc/pure-ftpd/pure-ftpd.conf I gave anonymous write permissions, but they cannot create new folder or paste files. Any ideas?

Does the parent folder (where your ftp share is located) have write permissions for the user pure-ftpd runs as?
Try to grant write permissions for all users on that folder.

UPDATE 2:

After a reboot it stopped working again. When I try to start it, it shows

beliskner:/home/thor # /usr/sbin/pure-config.pl /etc/pure-ftpd/pure-ftpd.conf &
[1] 2772
beliskner:/home/thor # Running: /usr/sbin/pure-ftpd -A -b -c10 -C3 -z -D -e -fftp -H -I15 -lpam -L10000:8 -M -m4 -p30000:30100 -u40 -x -r -k99 -G -Z
Unable to start a standalone server: Address already in use

[1]+ Done /usr/sbin/pure-config.pl /etc/pure-ftpd/pure-ftpd.conf
beliskner:/home/thor #

And when someone tries to access the ftp it says “An error occurred opening that folder on the FTP Server. Make sure you have permission to access that folder. Details: The operation timed out”

I am now going to be a complete n00b, but what do you mean by user vftp runs as? If you are asking if my login user has access to the folder, the answer is yes I can read and write to it.

Here is my pure-ftpd.conf

############################################################

Configuration file for pure-ftpd wrappers

############################################################

If you want to run Pure-FTPd with this configuration

instead of command-line options, please run the

following command :

/usr/sbin/pure-config.pl /usr/etc/pure-ftpd.conf

Please don’t forget to have a look at documentation at

http://www.pureftpd.org/documentation.shtml for a complete list of

options.

Cage in every user in his home directory

ChrootEveryone yes

If the previous option is set to “no”, members of the following group

won’t be caged. Others will be. If you don’t want chroot()ing anyone,

just comment out ChrootEveryone and TrustedGID.

TrustedGID 100

Turn on compatibility hacks for broken clients

BrokenClientsCompatibility yes

Maximum number of simultaneous users

MaxClientsNumber 10

Fork in background

systemd users: you shall not change the value to yes unless you modify the

appropriate pure-ftpd.service

Daemonize no

Maximum number of sim clients with the same IP address

MaxClientsPerIP 3

If you want to log all client commands, set this to “yes”.

This directive can be duplicated to also log server responses.

VerboseLog no

Allow dot-files

AllowDotFiles yes

List dot-files even when the client doesn’t send “-a”.

DisplayDotFiles yes

Don’t allow authenticated users - have a public anonymous FTP only.

AnonymousOnly yes

Disallow anonymous connections. Only allow authenticated users.

NoAnonymous no

Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)

The default facility is “ftp”. “none” disables logging.

SyslogFacility ftp

Display fortune cookies

FortunesFile /usr/share/fortune/zippy

Don’t resolve host names in log files. Logs are less verbose, but

it uses less bandwidth. Set this to “yes” on very busy servers or

if you don’t have a working DNS.

DontResolve yes

Maximum idle time in minutes (default = 15 minutes)

MaxIdleTime 15

LDAP configuration file (see README.LDAP)

LDAPConfigFile /etc/pure-ftpd/pureftpd-ldap.conf

MySQL configuration file (see README.MySQL)

MySQLConfigFile /etc/pure-ftpd/pureftpd-mysql.conf

Postgres configuration file (see README.PGSQL)

PGSQLConfigFile /etc/pure-ftpd/pureftpd-pgsql.conf

PureDB user database (see README.Virtual-Users)

PureDB /etc/pure-ftpd/pureftpd.pdb

Path to pure-authd socket (see README.Authentication-Modules)

ExtAuth /var/run/ftpd.sock

If you want to enable PAM authentication, uncomment the following line

PAMAuthentication yes

If you want simple Unix (/etc/passwd) authentication, uncomment this

UnixAuthentication yes

Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and

UnixAuthentication can be used only once, but they can be combined

together. For instance, if you use MySQLConfigFile, then UnixAuthentication,

the SQL server will be asked. If the SQL authentication fails because the

user wasn’t found, another try # will be done with /etc/passwd and

/etc/shadow. If the SQL authentication fails because the password was wrong,

the authentication chain stops here. Authentication methods are chained in

the order they are given.

‘ls’ recursion limits. The first argument is the maximum number of

files to be displayed. The second one is the max subdirectories depth

LimitRecursion 10000 8

Are anonymous users allowed to create new directories ?

AnonymousCanCreateDirs yes

If the system is more loaded than the following value,

anonymous users aren’t allowed to download.

MaxLoad 4

Port range for passive connections replies. - for firewalling.

PassivePortRange 30000 30100

Force an IP address in PASV/EPSV/SPSV replies. - for NAT.

Symbolic host names are also accepted for gateways with dynamic IP

addresses.

ForcePassiveIP 192.168.0.1

Upload/download ratio for anonymous users.

AnonymousRatio 1 10

Upload/download ratio for all users.

This directive superscedes the previous one.

UserRatio 1 10

Disallow downloading of files owned by “ftp”, ie.

files that were uploaded but not validated by a local admin.

AntiWarez no

IP address/port to listen to (default=all IP and port 21).

Bind 127.0.0.1,21

Maximum bandwidth for anonymous users in KB/s

AnonymousBandwidth 8

Maximum bandwidth for all users (including anonymous) in KB/s

Use AnonymousBandwidth or UserBandwidth, both makes no sense.

UserBandwidth 8

File creation mask. <umask for files>:<umask for dirs> .

177:077 if you feel paranoid.

Note: on SUSE systems umask is overrided by pam_umask inherited from

/etc/pam.d/common-session. In case the system-wide default does not

fit you, you can either

1.) add line ‘session optional pam_umask.so umask=$value’ into

/etc/pam.d/pure-ftpd, so all changes in common-session will apply

for pure-ftpd as well, but config file will be still ignored

2.) replace the line ‘session include common-session’ in

/etc/pam.d/pure-ftpd by the content of /etc/pam.d/common-session,

remove the line ‘session optional pam_umask.so’ and uncomment the

line below

#Umask 177:077

Minimum UID for an authenticated user to log in.

MinUID 40

Allow FXP transfers for authenticated users.

AllowUserFXP no

Allow anonymous FXP for anonymous and non-anonymous users.

AllowAnonymousFXP no

Users can’t delete/write files beginning with a dot (’.’)

even if they own them. If TrustedGID is enabled, this group

will have access to dot-files, though.

ProhibitDotFilesWrite yes

Prohibit reading of files beginning with a dot (.history, .ssh…)

ProhibitDotFilesRead no

Never overwrite files. When a file whose name already exist is uploaded,

it get automatically renamed to file.1, file.2, file.3, …

AutoRename yes

Disallow anonymous users to upload new files (no = upload is allowed)

AnonymousCantUpload no

Only connections to this specific IP address are allowed to be

non-anonymous. You can use this directive to open several public IPs for

anonymous FTP, and keep a private firewalled IP for remote administration.

You can also only allow a non-routable local IP (like 10.x.x.x) to

authenticate, and keep a public anon-only FTP server on another IP.

#TrustedIP 10.1.1.1

If you want to add the PID to every logged line, uncomment the following

line.

#LogPID yes

Create an additional log file with transfers logged in a Apache-like format :

fw.c9x.org - jedi [13/Dec/1975:19:36:39] “GET /ftp/linux.tar.bz2” 200 21809338

This log file can then be processed by www traffic analyzers.

AltLog clf:/var/log/pureftpd.log

Create an additional log file with transfers logged in a format optimized

for statistic reports.

AltLog stats:/var/log/pureftpd.log

Create an additional log file with transfers logged in the standard W3C

format (compatible with most commercial log analyzers)

AltLog w3c:/var/log/pureftpd.log

Disallow the CHMOD command. Users can’t change perms of their files.

#NoChmod yes

Allow users to resume and upload files, but NOT to delete them.

#KeepAllFiles yes

Automatically create home directories if they are missing

#CreateHomeDir yes

Enable virtual quotas. The first number is the max number of files.

The second number is the max size of megabytes.

So 1000:10 limits every user to 1000 files and 10 Mb.

#Quota 1000:10

If your pure-ftpd has been compiled with standalone support, you can change

the location of the pid file. The default is /var/run/pure-ftpd.pid

#PIDFile /var/run/pure-ftpd.pid

If your pure-ftpd has been compiled with pure-uploadscript support,

this will make pure-ftpd write info about new uploads to

/var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and

spawn a script to handle the upload.

Don’t enable this option if you don’t actually use pure-uploadscript.

#CallUploadScript yes

This option is useful with servers where anonymous upload is

allowed. As /var/ftp is in /var, it save some space and protect

the log files. When the partition is more that X percent full,

new uploads are disallowed.

MaxDiskUsage 99

Set to ‘yes’ if you don’t want your users to rename files.

NoRename yes

Be ‘customer proof’ : workaround against common customer mistakes like

‘chmod 0 public_html’, that are valid, but that could cause ignorant

customers to lock their files, and then keep your technical support busy

with silly issues. If you’re sure all your users have some basic Unix

knowledge, this feature is useless. If you’re a hosting service, enable it.

CustomerProof yes

Per-user concurrency limits. It will only work if the FTP server has

been compiled with --with-peruserlimits (and this is the case on

most binary distributions) .

The format is : <max sessions per user>:<max anonymous sessions>

For instance, 3:20 means that the same authenticated user can have 3 active

sessions max. And there are 20 anonymous sessions max.

PerUserLimits 3:20

When a file is uploaded and there is already a previous version of the file

with the same name, the old file will neither get removed nor truncated.

Upload will take place in a temporary file and once the upload is complete,

the switch to the new version will be atomic. For instance, when a large PHP

script is being uploaded, the web server will still serve the old version and

immediatly switch to the new one as soon as the full file will have been

transfered. This option is incompatible with virtual quotas.

NoTruncate yes

This option can accept three values :

0 : disable SSL/TLS encryption layer (default).

1 : accept both traditional and encrypted sessions.

2 : refuse connections that don’t use SSL/TLS security mechanisms,

including anonymous sessions.

Do not uncomment this blindly. Be sure that :

1) Your server has been compiled with SSL/TLS support (–with-tls),

2) A valid certificate is in place,

3) Only compatible clients will log in.

TLS 1

List of ciphers that will be accepted for SSL/TLS connections

Prefix with -S: in order to totally disable SSL but not TLS.

TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

Listen only to IPv4 addresses in standalone mode (ie. disable IPv6)

By default, both IPv4 and IPv6 are enabled.

IPV4Only yes

Listen only to IPv6 addresses in standalone mode (ie. disable IPv4)

By default, both IPv4 and IPv6 are enabled.

IPV6Only yes

UTF-8 support for file names (RFC 2640)

Define charset of the server filesystem and optionnally the default charset

for remote clients if they don’t use UTF-8.

Works only if pure-ftpd has been compiled with --with-rfc2640

FileSystemCharset big5

ClientCharset big5

And I apologize for the n00b questions, but it is the first time I try to setup ftp under linux.

Apparently it already gets started during boot.
Could you please show the output of:

systemctl status pure-ftpd.service

That service calls “/usr/sbin/pure-config.pl /etc/pure-ftpd/pure-ftpd.conf” so it should just work for you (as you call just the same to start it).
You can start/stop it with “sudo systemctl start pure-ftpd.service” or “sudo systemctl stop pure-ftpd.service”.
You can enable/disable the automatic start at boot with “sudo systemctl enable pure-ftpd.service” or “sudo systemctl disable pure-ftpd.service”.

I am now going to be a complete n00b, but what do you mean by user vftp runs as? If you are asking if my login user has access to the folder, the answer is yes I can read and write to it.

If pureftp is started as system service it runs as a different user, not you.
Also the ftp users that want to connect have to have access to that folder, not only you.
So check that the permissions are set to rwxrwxrwx for now, then everybody should have access.

As I don’t have any experience with pure-ftpd myself, I can’t tell you which directory pure-ftpd uses by default for anonymous access, sorry. (and there’s nothing about that in the config you posted).

For whatever reason, after a second reboot, the service did not start automatically. I was able to start it manually and again the users can access the files. The folder path is not in the config file for some reason. I was only able to set that with yast and I have no idea where yast-ftp keeps its config file. Where do I set the rwx permissions?

According to the pure-ftpd documentation, you have to have a user “ftp” on your system for anonymous access.
The anonymous dir is then the home directory of that user (on openSUSE this normally is /srv/ftp/).

So please check if the user “ftp” does exist:

grep ftp /etc/passwd

This should also show its home directory as second field starting from the end.

Then check the permissions of that homedir:

ls -ld /srv/ftp

If they are not rwxrwxrwx, try to set it to that:

sudo chmod a=rwx /srv/ftp

beliskner:/home/thor # grep ftp /etc/passwd
ftp:x:40:49:FTP account:/windows/D/Lab:/bin/bash
ftpsecure:x:488:65534:Secure FTP User:/var/lib/empty:/bin/false
tftp:x:495:494:TFTP account:/srv/tftpboot:/bin/false
beliskner:/home/thor # ls -ld /srv/ftp
drwxrwxrwx 2 root root 4096 Jan 26 17:22 /srv/ftp
beliskner:/home/thor # ls -ld /windows/D/Lab
drwxrwxr-x 1 root users 8192 Jun 21 15:53 /windows/D/Lab
beliskner:/home/thor # sudo chmod a=rwx /srv/ftp
beliskner:/home/thor # sudo chmod a=rwx /windows/D/Lab
beliskner:/home/thor # ls -ld /windows/D/Lab
drwxrwxr-x 1 root users 8192 Jun 21 15:53 /windows/D/Lab
beliskner:/home/thor # ls -ld /srv/ftp
drwxrwxrwx 2 root root 4096 Jan 26 17:22 /srv/ftp
beliskner:/home/thor #

This is what I got. As for the home directory, I am not certain what to make of this. Also, from what I understand, pure-ftpd can use the same folder for both read and write permissions. The way I had this set up previously was that users accessed ftp://ipaddress and the folder for that was D:\lab. Users could read and write to that. This is what I am trying to achieve here.
I should probably mention that the path that shows up there, the “/windows/D/Lab”, is an NTFS partition. I’ve tried changing the permissions for that folder, however it doesn’t appear to work, neither from the console nor from konqueror.

Also, thank you for your help. It is greatly appreciated. :)

I have just tried
beliskner:/home/thor # sudo systemctl stop pure-ftpd.service
beliskner:/home/thor # sudo systemctl start pure-ftpd.service
beliskner:/home/thor # sudo systemctl stop pure-ftpd.service
beliskner:/home/thor # sudo systemctl start pure-ftpd.service
beliskner:/home/thor #

I modified something in the config file and wanted it to take effect. However, from what I can see they don’t work. If I stop it, everyone can still access it, if I start it, nothing changes.

Is it possible it is not set to start as a system service? And if yes, how do I set it as a system service?

Edit:

Sorry, I just noticed you asked for this previously.
beliskner:/home/thor # systemctl status pure-ftpd.service
pure-ftpd.service - Pure-FTPd FTP server
Loaded: loaded (/usr/lib/systemd/system/pure-ftpd.service; disabled)
Active: inactive (dead)
CGroup: name=systemd:/system/pure-ftpd.service

Jun 21 17:50:15 beliskner.site systemd[1]: Stopped Pure-FTPd FTP server.
Jun 21 17:50:27 beliskner.site systemd[1]: Starting Pure-FTPd FTP server…
Jun 21 17:50:27 beliskner.site systemd[1]: Started Pure-FTPd FTP server.
Jun 21 17:50:27 beliskner.site pure-config.pl[3562]: Running: /usr/sbin/pure-ftpd -A -b -c10 -C3 -z -D -e -fftp -H -I15 -lpam -L1000… -G -Z
Jun 21 17:50:27 beliskner.site pure-config.pl[3562]: Unable to start a standalone server: Address already in use
Jun 21 17:50:40 beliskner.site systemd[1]: Stopped Pure-FTPd FTP server.
Jun 21 17:50:59 beliskner.site systemd[1]: Starting Pure-FTPd FTP server…
Jun 21 17:50:59 beliskner.site systemd[1]: Started Pure-FTPd FTP server.
Jun 21 17:50:59 beliskner.site pure-config.pl[3576]: Running: /usr/sbin/pure-ftpd -A -b -c10 -C3 -z -D -e -fftp -H -I15 -lpam -L1000… -G -Z
Jun 21 17:50:59 beliskner.site pure-config.pl[3576]: Unable to start a standalone server: Address already in use
beliskner:/home/thor #

Alright, I got it. The issue was with the home folder path which was set on that NTFS windows partition. For some reason it could not set the permissions right. I went in YAST and changed the home folder to /srv/ftp and it works great now.

I will try to see if I can make it run automatically at start-up, but other than that it’s perfect.
Thank you for your help mate. :)

Yeah, right. You would have to change the mount options for the NTFS partition in that case.
Or perhaps if you run pure-ftpd as system service it has the permissions to access it.

I will try to see if I can make it run automatically at start-up, but other than that it’s perfect.
Thank you for your help mate. :)

As I said:

sudo systemctl enable pure-ftpd.service

should enable automatic start at boot.

If it doesn’t work, use “systemctl status pure-ftpd.service” to check why.

Sorry, overlooked some of your questions, which I still would like to answer:

I guess you have already started it before by your “/usr/sbin/pure-config.pl /etc/pure-ftpd/pure-ftpd.conf” line. (Your output of “systemctl status pure-ftpd.service” would confirm that)
Of course then the service can’t start because pure-ftpd is already running. You have to kill it first or try directly after a new boot without starting it before.
“sudo systemctl start pure-ftpd” and “sudo systemctl stop pure-ftpd” should work then. (you can omit the “.service” since 12.3)

That’s the home directory of the ftp user, that’s what pure-ftpd uses for anonymous access.
The grep should show /srv/ftp there now on your system.

But don’t try to change that directly in /etc/passwd! Use YaST for that, or “usermod”…

It all worked wonders. Thank you :)
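The checks walked through in this thread (where the `ftp` user's home is, whether that user may create files there, and whether `chmod` can change that on the filesystem in question), collected as an added example that is not part of the original posts. The function names, the group memberships in the sample data and the `fuseblk` filesystem type are assumptions; the passwd line and directory modes are the ones posted above.

```shell
#!/bin/sh
# Added example, not from the thread. Sample values are copied from the
# outputs posted above; group memberships and "fuseblk" are assumptions.

# Home directory (6th passwd field) of USER; FILE may be "-" for stdin.
passwd_home() {  # passwd_home USER [FILE]
    awk -F: -v u="$1" '$1 == u { print $6; found = 1; exit }
                       END { exit !found }' "${2:-/etc/passwd}"
}

# Can USER (member of the space-separated USER_GROUPS) create files in a
# directory with this `ls -ld` MODE, OWNER and GROUP? Root bypasses this.
can_create_in() {  # can_create_in MODE OWNER GROUP USER "USER_GROUPS"
    if [ "$4" = "$2" ]; then start=2          # owner triad
    else
        case " $5 " in
            *" $3 "*) start=5 ;;              # group triad
            *) start=8 ;;                     # other triad
        esac
    fi
    triad=$(printf '%s' "$1" | cut -c"$start"-"$((start + 2))")
    case "$triad" in
        ?w[xst]) return 0 ;;                  # needs write and search bits
        *) return 1 ;;
    esac
}

# Heuristic: does chmod change anything on this filesystem type? On NTFS
# and FAT mounts the modes normally come from mount options (uid=, gid=,
# umask=/fmask=/dmask=). "fuseblk" is how ntfs-3g mounts are reported.
chmod_sticks() {  # chmod_sticks FSTYPE
    case "$1" in
        ntfs|ntfs-3g|fuseblk|vfat|msdos|exfat) return 1 ;;
        *) return 0 ;;
    esac
}

# Live check on this host (uses ls, id, findmnt and ss).
report() {  # report USER
    home=$(passwd_home "$1") || { echo "no user '$1'"; return 1; }
    fstype=$(findmnt -n -o FSTYPE -T "$home")
    set -- "$1" $(ls -ld "$home")             # $2=mode $4=owner $5=group
    echo "home=$home fstype=$fstype mode=$2 owner=$4:$5"
    chmod_sticks "$fstype" || echo "chmod has no effect here; fix the mount options"
    can_create_in "$2" "$4" "$5" "$1" "$(id -Gn "$1")" ||
        echo "user $1 cannot create files in $home"
    ss -ltnp 'sport = :21'                    # what already listens on port 21
}

SAMPLE_PASSWD='ftp:x:40:49:FTP account:/windows/D/Lab:/bin/bash
tftp:x:495:494:TFTP account:/srv/tftpboot:/bin/false'

if [ $# -gt 0 ]; then
    report "$1"
else  # no argument: replay the numbers posted in the thread
    home=$(printf '%s\n' "$SAMPLE_PASSWD" | passwd_home ftp -)
    echo "anonymous root: $home"
    can_create_in drwxrwxr-x root users ftp "ftp" || echo "ftp cannot write to $home"
    chmod_sticks fuseblk || echo "chmod will not change that on fuseblk (NTFS)"
fi
```

Run it with a user name (for example `sh check.sh ftp`, as root so that `ss -p` can show process names) to check the live system; without arguments it only replays the thread's values.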

Hi,

I am facing a problem with SSH Connect to SUSE Linux Enterprise 11 using python and paramiko module for sftp.

Objective is to do a file transfer using python,

Copying code here-

import paramiko

host = "88.88.43.22"
port = 22
# Transport expects a single (host, port) tuple or an already-connected socket
transport = paramiko.Transport((host, port))
user = "Administrator"
pwd = "ca$hc0w"
transport.connect(username=user, password=pwd)

On the last step, I get ERROR paramiko.SSHException: Incompatible ssh server <no acceptable ciphers>

This is not with Redhat enterprise or Ubuntu
Getting no idea, what is the issue here.

You’ll want to ask your SLES related questions at: http://forums.suse.com

Right.
And it seems to be a completely different problem than the one discussed in this thread anyway.
So you should have created a new thread rather than ask your question in this one, that’s been solved over a year ago. ;)