Unable to connect through ftp on VSFTPD

I am unable to connect new user accounts to vsftpd. I have a chroot_list file and a user_list stored in /etc/vsftpd.
I believe my vsftpd.conf file is formatted properly. Hopefully someone on here can spot what I am doing wrong.
I intend to have users jailed to their home directories.

Thanks in advance
Cole


listen=YES
ftpd_banner=Aloha stranger!
write_enable=YES
connect_from_port_20=YES
dirmessage_enable=YES
use_localtime=NO
idle_session_timeout=600
data_connection_timeout=120
pam_service_name=vsftpd
anonymous_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=YES
local_enable=YES
local_umask=022
userlist_enable=NO
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/var/log/vsftpd/vsftpd.log
deny_email_enable=NO
banned_email_file=/etc/vsftpd/banned_emails
chroot_local_user=YES
chroot_list_enable=NO
chroot_list_file=/etc/vsftpd/chroot_list
local_root=
pasv_max_port=0
pasv_min_port=0
user_sub_token=
nopriv_user=nobody
secure_chroot_dir=/usr/share/empty

On 2013-11-22 22:36, colbyshores wrote:
>
> I am unable to connect new user accounts to vsftpd. I have a
> chroot_list file and a user_list stored in /etc/vsftpd.
> I believe my vsftpd.conf file is formatted properly. Hopefully someone
> on here can spot what I am doing wrong.
> I intend to have users jailed to their home directories.

Sorry, I don’t quite understand the problem description. What happens,
symptoms?


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

I have user accounts created in puppet for example:


    user { "shoresc":
      ensure => present,
      gid => 49,
      uid => 221,
      shell => "/bin/false",
      home => "/home/ftpuser/somenfsshare/Edgecast",
      password => "Password1",
      require => Group["ftp"],
    }

And I install VSFTP through puppet and it installs properly; here is my puppet code, in fact.

  class { 'vsftpd':
    version          => '2.0.7-4.23.1',
    source_dir       => 'puppet:///modules/vsftpd',
    userlist_enable => false,
    local_enable => true,
    chroot_local_user => true,
    write_enable => true,
    chroot_list_enable => false,
    userlist_file => "/etc/vsftpd/user_list",
    template         => 'vsftpd/vsftpd.conf.erb',
    ftpd_banner      => 'Aloha stranger!',
  }

The problem is that once I try to connect, it asks for the password but does not connect.
The FTP logs in /var/logs/ do not tell me much at all. It just simply cannot connect.


Trying ::1...
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 Aloha stranger!
Name (localhost:ShoresC): shoresc
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed.

Puppet aside, I try to add users manually on the machine directly and it still doesn't allow me to connect via those users.
Thanks in advance,
Cole

On 2013-11-22 23:36, colbyshores wrote:
>
> I have user accounts created in puppet for example:

I’m sorry, I have no idea what puppet is.
I can try to help you with plain vsftpd and ftp client, but not with
puppet in the mix.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

Ok, I have simplified it: rather than using puppet to create users, I created a user named test from the command line.
The user's home directory is created and I used passwd to create his password. I have also simplified my vsftpd.conf file.


background=yes
listen=YES

# No anonymous login
anonymous_enable=NO
# Let local users login
# If you connect from the internet with local users, you should enable TLS/SSL/FTPS
local_enable=YES

# Write permissions
write_enable=YES

My intention is to log in using test and have them have read write access to their home folder. It is not working however. What changes would you suggest to allow that to happen?

Thanks in advance,
Colby Shores

On 2013-11-25 18:06, colbyshores wrote:
>
> Ok, I have simplified it: rather than using puppet to create users, I
> created a user named test from the command line.
> The user's home directory is created and I used passwd to create his
> password. I have also simplified my vsftpd.conf file.
>
> Code:
> --------------------
>
> background=yes
> listen=YES
>
>
>
>
> # No anonymous login
> anonymous_enable=NO
> # Let local users login
> # If you connect from the internet with local users, you should enable TLS/SSL/FTPS
> local_enable=YES
>
>
> # Write permissions
> write_enable=YES
>
>
>
> --------------------
>
>
>
> My intention is to log in using test and have them have read write
> access to their home folder. It is not working however. What
> changes would you suggest to allow that to happen?

First, test that you can log in as that user via ssh, for instance. On
localhost will do. This is to verify that the user is defined correctly.

Then, you have enabled “listen”. openSUSE comes prepared for
“listen=NO”, so in order to do that you need changes (start up the
service, and disable “/etc/xinetd.d/vsftpd”).

My current config is this:


Telcontar:~ # cat /etc/vsftpd.conf | egrep -v "^[[:space:]]*$|^#"
write_enable=YES
dirmessage_enable=YES
nopriv_user=ftpsecure
ftpd_banner="Welcome!"
local_enable=YES
anonymous_enable=YES
anon_world_readable_only=YES
syslog_enable=YES
xferlog_enable=YES
setproctitle_enable=YES
connect_from_port_20=YES
idle_session_timeout=600
ascii_upload_enable=YES
pam_service_name=vsftpd
listen=NO
ssl_enable=NO
pasv_min_port=30000
pasv_max_port=30100
Telcontar:~ #


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

Thank you for your quick response. I went ahead and set it up using virtual users instead. It appears that our company’s ldap configuration was interfering with the machine’s accounts. The next challenge I have encountered has been the password file for the virtual users. I know I can utilize htpasswd2 -m to create a password file however it is vital since I am administrating several machines in our organization that the password be in clear text. Do you or anyone else know if that is possible using the pam_pwdfile module for authentication?
Best Regards,
Cole

On 2013-11-26 22:56, colbyshores wrote:
>
> Thank you for your quick response. I went ahead and set it up using
> virtual users instead. It appears that our company’s ldap configuration
> was interfering with the machine’s accounts. The next challenge I have
> encountered has been the password file for the virtual users. I know I
> can utilize htpasswd2 -m to create a password file however it is vital
> since I am administrating several machines in our organization that the
> password be in clear text. Do you or anyone else know if that is
> possible using the pam_pwdfile module for authentication?

No, sorry, learning how pam works is something I have pending.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

In case anyone encounters this: I got creative with my puppet module and created a couple of functions to accomplish the creation/deletion of virtual user accounts within puppet.
This works :) Hopefully, anyone else who utilizes LDAP and Puppet will benefit from it.

Here are my functions:


define ftpuser_init {
  # Wipe the existing virtual-user files so every run starts fresh
  exec { "remove_existing_users":
     command => "rm /etc/vsftpd/users/*;  rm /etc/vsftpd/chroot_list; rm /etc/vsftpd/passwd; rm /etc/vsftpd/user_list"
  }
  package { 'pam_pwdfile':
     provider => 'rpm',
     ensure => installed,
     source => "http://install.companyreposity.com/repo/RCE/SLES11-SP1-Pool/sle-11-x86_64/rpm/x86_64/pam_pwdfile-0.99-9026.1.x86_64.rpm"
  }

  file { ["/etc/vsftpd/"]:
    ensure => "directory",
  }

  # PAM service definition used by vsftpd for the virtual users
  file { "/etc/pam.d/vsftp_local_and_virtual":
    ensure => 'present',
    owner => 'root',
    group => 'root',
    mode => '0644',
    source => "puppet:///ftp/vsftpd_local_and_virtual"
  }

  # Recreate an empty password file after the cleanup
  exec { "password_file":
     require => Exec["remove_existing_users"],
     command => "touch /etc/vsftpd/passwd"
  }
}

define ftpuser ( $username, $password, $homefolder){
  user { $username:
     ensure => 'present',
  }
  # Add the user to the pam_pwdfile password file
  exec{ "htpasswd_$username":
    command => "htpasswd2 -b /etc/vsftpd/passwd ${username} ${password}",
  }
  exec{ "chroot_list_$username":
    require => Exec["htpasswd_$username"],
    command => "echo ${username} >> /etc/vsftpd/chroot_list",
  }
  exec{ "user_list_$username":
    require => Exec["chroot_list_$username"],
    command => "echo ${username} >> /etc/vsftpd/user_list",
  }
  # Per-user vsftpd config file: guest_username and local_root
  exec { "profile_$username":
     require => Exec["user_list_$username"],
     command => "touch /etc/vsftpd/users/${username}",
  }
  exec { "guest_username_$username":
    require => Exec["profile_$username"],
    command => "echo guest_username=$username >> /etc/vsftpd/users/$username",
  }
  exec { "local_root_$username":
    require => Exec["guest_username_$username"],
    command => "echo local_root=$homefolder >> /etc/vsftpd/users/$username",
  }
}

ftpuser_init is called before the users are initiated. This allows puppet to clear out the users that are there and start fresh. An example of how to call this would be something like this:


class ftp::users{
  #initiate the pam module, clear unused user accounts
  ftpuser_init{ 'init': }

######################################################
#   FTP USER ACCOUNTS ARE DEFINED HERE!              #
######################################################

  ftpuser{ 'someuser1':
    require => Ftpuser_init['init'],
    homefolder => "/home/ftpuser/ftp.user1directory.com",
    username => "someuser1",
    password => "someusers1pass",
  }

  ftpuser{ 'someuser2':
    require => Ftpuser_init['init'],
    homefolder => "/home/ftpuser/ftp.user2directory.com",
    username => "someuser2",
    password => "someusers2pass",
  }
}

Granted, this assumes you have vsftp installed via puppet and your user config files within /etc/vsftp/users.
I hope this is helpful for anyone else looking at a way to deploy new ftp users without relying solely on individual system security.
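
A declarative variant of the `ftpuser` define from the post above, as an added example that is not part of the original thread: it takes a pre-computed hash (for instance one generated with `htpasswd2 -m`, mentioned earlier in the thread) instead of handing a clear-text password to `htpasswd2 -b` on a command line, and it validates each value before writing it to a file. It assumes the puppetlabs-stdlib module for `file_line`; the names `ftpuser_hashed` and `$password_hash` are hypothetical.

```puppet
# Added example, not the poster's code. ftpuser_hashed and $password_hash
# are hypothetical names; file_line comes from puppetlabs-stdlib.
# Assumes /etc/vsftpd/{passwd,chroot_list,user_list} already exist.
define ftpuser_hashed (
  $password_hash,        # hash generated out of band, never clear text
  $homefolder,
  $username = $title
) {
  # \A and \z anchor the whole string; ^ and $ would accept a value
  # that merely contains one valid line.
  if $username !~ /\A[a-z_][a-z0-9_-]{0,31}\z/ {
    fail("ftpuser_hashed: invalid username '${username}'")
  }
  # A colon or newline would add a field or a second record to passwd.
  if $password_hash !~ /\A[^:\s]+\z/ {
    fail("ftpuser_hashed: malformed password hash for ${username}")
  }
  # A newline here would inject extra vsftpd directives.
  if $homefolder =~ /[\r\n]/ {
    fail("ftpuser_hashed: invalid home folder for ${username}")
  }

  user { $username:
    ensure => 'present',
  }
  # Per-user vsftpd settings, written as a managed file rather than echo >>.
  file { "/etc/vsftpd/users/${username}":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "guest_username=${username}\nlocal_root=${homefolder}\n",
  }
  # One line per user; match replaces an existing entry on later runs.
  file_line { "vsftpd_passwd_${username}":
    path  => '/etc/vsftpd/passwd',
    line  => "${username}:${password_hash}",
    match => "^${username}:",
  }
  file_line { "vsftpd_chroot_list_${username}":
    path => '/etc/vsftpd/chroot_list',
    line => $username,
  }
  file_line { "vsftpd_user_list_${username}":
    path => '/etc/vsftpd/user_list',
    line => $username,
  }
}
```

Pass the hash in a single-quoted string so Puppet does not try to interpolate the `$` characters it contains.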