I'm running a box with Fedora Core 5. I have Apache, Mysql, Postfix, Dovecot, sshd, and Proftpd installed.
Mail is working as it should be.
Mysql is working.
SSH is working.
Apache appears to be, but I can't really test it because I can't get FTP access to the box.
The box lives behind a Cisco firewall, and I am having the same access problem regardless of how I attempt to access it. I have tried from outside the firewall by domain name and by IP. I have tried from behind the firewall by domain name, public IP and private IP. And I have even logged into the box via SSH and attempted to connect to localhost.
The problem appears to be during authentication of users who connect to the server. I am certain that I have entered the correct password. I am using the same password that I use for checking my email, and for SSH access, and it works fine in those instances.
Here are a few samples of connection attempts:
Accessing via public IP from outside of firewall:
Quote:
Connected to xxx.xxx.xxx.xxx.
220 ProFTPD 1.3.0a Server (ProFTPD Default Installation) [::ffff:192.168.0.210]
User (xxx.xxx.xxx.xxx:(none)): lee
331 Password required for lee.
Password:
530 Login incorrect.
Login failed.
ftp>
Accessing via domain name either inside or outside the firewall.
Quote:
Connected to xxxxxxxxxxxx.
220 ProFTPD 1.3.0a Server (ProFTPD Default Installation) [::ffff:192.168.0.210]
User (xxxxxxxxxxxxx:(none)): lee
331 Password required for lee.
Password:
530 Login incorrect.
Login failed.
ftp>
Accessing via localhost while SSH'd to the box.
Quote:
Connected to mail.alphaequipmentcompany.com.
220 ProFTPD 1.3.0a Server (ProFTPD Default Installation) [::ffff:127.0.0.1]
500 AUTH not understood
500 AUTH not understood
KERBEROS_V4 rejected as an authentication type
Name (localhost:lee): lee
331 Password required for lee.
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
Here's a sampling from the log file after several attempts to connect via FTP:
Quote:
May 31 03:40:55 mail proftpd: Deprecated pam_stack module called from service "proftpd"
May 31 03:40:55 mail proftpd: Deprecated pam_stack module called from service "proftpd"
May 31 03:40:55 mail proftpd: pam_unix(proftpd:session): session closed for user lee
May 31 03:40:55 mail proftpd[29493]: xxxxxxxxxx (::ffff:xxx.xxx.xxx.xxx[::ffff:xxx.xxx.xxx.xxx]) - FTP session closed.
May 31 10:44:48 mail proftpd: Deprecated pam_stack module called from service "proftpd"
May 31 10:44:48 mail last message repeated 2 times
May 31 10:44:48 mail proftpd: pam_unix(proftpd:session): session opened for user lee by (uid=0)
May 31 10:44:48 mail proftpd: Deprecated pam_stack module called from service "proftpd"
May 31 10:44:48 mail proftpd[15125]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - USER lee: Login successful.
May 31 10:44:48 mail proftpd[15125]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - notice: unable to use '~/' [resolved to '/home/lee/']: Permission denied
May 31 15:44:48 mail proftpd[15125]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Preparing to chroot to directory '~/'
May 31 15:44:48 mail proftpd[15125]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - lee chroot("~/"): No such file or directory
May 31 15:44:48 mail proftpd[15125]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - error: unable to set default root directory
May 31 15:44:48 mail proftpd: Deprecated pam_stack module called from service "proftpd"
May 31 15:44:48 mail proftpd: Deprecated pam_stack module called from service "proftpd"
May 31 15:44:48 mail proftpd: pam_unix(proftpd:session): session closed for user lee
May 31 15:44:48 mail proftpd[15125]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - FTP session closed.
May 31 10:52:54 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - USER lee (Login failed): Incorrect password.
May 31 10:52:54 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - mod_delay/0.5: delaying for 3504159 usecs
May 31 10:53:12 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - mod_delay/0.5: delaying for 319 usecs
May 31 10:53:14 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - no such user 'alpha'
May 31 10:53:14 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - USER alpha: no such user found from ::ffff:192.168.0.213 [::ffff:192.168.0.213] to ::ffff:192.168.0.210:21
May 31 10:53:14 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - mod_delay/0.5: delaying for 3505587 usecs
May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - PAM(lee): Authentication failure.
May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - USER lee (Login failed): Incorrect password.
May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded
May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - FTP session closed.
May 31 10:53:58 mail proftpd[15307]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - USER lee (Login failed): Incorrect password.
May 31 10:54:34 mail proftpd[15307]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - FTP session closed.
May 31 13:01:55 mail proftpd[17503]: xxxxxxxxxx (xxx.xxx.xxx.xxx[::ffff:xxx.xxx.xxx.xxx]) - USER lee (Login failed): Incorrect password.
May 31 18:44:36 mail proftpd[21081]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - mod_delay/0.5: delaying for 5554444 usecs
May 31 18:44:46 mail proftpd[21081]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - FTP session closed.
May 31 18:46:18 mail proftpd[21122]: xxxxxxxxxx (xxxxxxxxxx[::ffff:127.0.0.1]) - USER lee (Login failed): Incorrect password.
May 31 18:46:18 mail proftpd[21122]: xxxxxxxxxx (xxxxxxxxxx[::ffff:127.0.0.1]) - mod_delay/0.5: delaying for 318658 usecs
May 31 18:46:22 mail proftpd[21122]: xxxxxxxxxx (xxxxxxxxxx[::ffff:127.0.0.1]) - FTP session closed.
Here is the proftpd.conf file:
Quote:
# This is the ProFTPD configuration file
# $Id: proftpd.conf,v 1.1 2004/02/26 17:54:30 thias Exp $
ServerName "ProFTPD server"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
ServerType standalone
#ServerType inetd
DefaultServer on
AccessGrantMsg "User %u logged in."
#DisplayConnect /etc/ftpissue
#DisplayLogin /etc/ftpmotd
#DisplayGoAway /etc/ftpgoaway
DeferWelcome off
# Use this to exclude users from the chroot
DefaultRoot ~
# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups off
UseReverseDNS off
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# Default to show dot files in directory listings
ListOptions "-a"
# See Configuration.html for these (here are the default values)
#MultilineRFC2228 off
#RootLogin off
#LoginPasswordPrompt on
#MaxLoginAttempts 3
#MaxClientsPerHost none
#AllowForeignAddress off # For FXP
# Allow to resume not only the downloads but the uploads too
AllowRetrieveRestart on
AllowStoreRestart on
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20
# Set the user and group that the server normally runs at.
User nobody
Group nobody
# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile no
# This is where we want to put the pid file
ScoreboardFile /var/run/proftpd.score
# Normally, we want users to do a few things.
<Global>
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
RequireValidShell on
RootLogin off
DeferWelcome off
ServerIdent on
</Global>
# TLS
# Explained at http://www.castaglia.org/proftpd/modules/mod_tls.html
#TLSEngine on
#TLSRequired on
#TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
#TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
#TLSCipherSuite ALL:!ADH:!DES
#TLSOptions NoCertRequest
#TLSVerifyClient off
##TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
#TLSLog /var/log/proftpd/tls.log
# SQL authentication Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details.
#<IfModule mod_dso.c>
# LoadModule mod_sql.c
# LoadModule mod_sql_mysql.c
# LoadModule mod_sql_postgres.c
#</IfModule>
# A basic anonymous configuration, with an upload directory.
#<Anonymous ~ftp>
# User ftp
# Group ftp
# AccessGrantMsg "Anonymous login ok, restrictions apply."
#
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
#
# # Limit the maximum number of anonymous logins
# MaxClients 10 "Sorry, max %m users -- try again later"
#
# # Put the user into /pub right after login
# #DefaultChdir /pub
#
# # We want 'welcome.msg' displayed at login, '.message' displayed in
# # each newly chdired directory and tell users to read README* files.
# DisplayLogin /welcome.msg
# DisplayFirstChdir .message
# DisplayReadme README*
#
# # Some more cosmetic and not vital stuff
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# # Limit WRITE everywhere in the anonymous chroot
# <Limit WRITE SITE_CHMOD>
# DenyAll
# </Limit>
#
# # An upload directory that allows storing files but not retrieving
# # or creating directories.
# <Directory uploads/*>
# AllowOverwrite no
# <Limit READ>
# DenyAll
# </Limit>
#
# <Limit STOR>
# AllowAll
# </Limit>
# </Directory>
#
# # Don't write anonymous accesses to the system wtmp file (good idea!)
# WtmpLog off
#
# # Logging for the anonymous transfers
# ExtendedLog /var/log/proftpd/access.log WRITE,READ default
# ExtendedLog /var/log/proftpd/auth.log AUTH auth
#
#</Anonymous>
I have tried everything that I can think of to get it to work. I have copied the .conf from another box that runs Red Hat 9 and an older version of Proftpd that works, and it still reports the same error.
I have also attempted to copy the pam.d file from the other box and it still doesn't work.
Ok, I made the recommended changes and here is the result:
Quote:
Connected to xxxxxxxx.
220 FTP Server ready.
User (xxxxxxxx:(none)): lee
331 Password required for lee.
Password:
530 Login incorrect.
Login failed.
ftp>
And here are the error log entries:
Quote:
Jun 1 06:58:24 mail proftpd[17493]: xxxxxx - ProFTPD killed (signal 15)
Jun 1 06:58:24 mail proftpd[17493]: xxxxxx - ProFTPD 1.3.0a standalone mode SHUTDOWN
Jun 1 06:58:25 mail proftpd[26820]: xxxxxx - error setting IPV6_V6ONLY: Protocol not available
Jun 1 06:58:25 mail proftpd[26820]: xxxxxx - ProFTPD 1.3.0a (stable) (built Tue Feb 6 06:12:11 EST 2007) standalone mode STARTUP
Jun 1 06:58:38 mail proftpd[26822]: xxxxxx (::ffff:xxx.xxx.xxx.xxx[::ffff:xxx.xxx.xxx.xxx]) - FTP session opened.
Jun 1 06:58:44 mail proftpd[26822]: xxxxxx (::ffff:xxx.xxx.xxx.xxx[::ffff:xxx.xxx.xxx.xxx]) - PAM(lee): Module is unknown.
I have another, different box that runs RH9 and a slightly older version of ProFTPD and it works perfectly. I have to move the services from that RH9 box to this FC5 box. That's what's prompted all this work. I have even tried copying the pam.d entry from the other box to the FC5 box, but I notice some modules listed on the RH9 box that aren't on the FC5 box. I also tried copying the ProFTPD config to the FC5 box and that doesn't work either. I tried this separately (first the ProFTPD config copy, then when that didn't work I went back to the original FC5 config, and tried the pam.d entry, then returned to the original pam.d entry).
To use PAM with proftpd you need to make sure the name of the service defined by you in AuthPAMConfig exists. For that, check your /etc/pam.d directory for a file named proftpd with content similar to:
I guess you must've checked it, but if not... Are the access permissions set properly? (The ftp-user must have read access in the folder that proftp tries to open. Your error message may suggest this.) If proftpd cannot open the right directory, it will deny login. I know that from experience :-)
(::ffff:192.168.0.213[::ffff:192.168.0.213]) - notice: unable to use '~/' [resolved to '/home/lee/']: Permission denied
# If this is enabled, anonymous logins will fail because the 'ftp' user does
# not have a "valid" shell, as listed in /etc/shells.
#
# If you enable this, it is recommended that you do *not* give the 'ftp'
# user a real shell. Instead, give the 'ftp' user /bin/false for a shell and
# add /bin/false to /etc/shells.
#auth required /lib/security/pam_shells.so
The FC5 box does NOT have /lib/security/pam_pwdb.so for some reason; I presume that it's not required for the version of PAM included with FC5?
Also, please forgive this stupid question, but if the user/group that the server runs as needs read access to the user's home folder, then why is it that I can log into the RH9 box with my home folder set to 0700? I set the permissions on my home folder to 0755, as the others are set, and it still fails.
Here's the latest bit from /var/log/messages:
Quote:
Jun 1 11:45:01 mail proftpd[26820]: xxxxxxxxx - ProFTPD killed (signal 15)
Jun 1 11:45:01 mail proftpd[26820]: xxxxxxxxx - ProFTPD 1.3.0a standalone mode SHUTDOWN
Jun 1 11:45:01 mail proftpd[30295]: xxxxxxxxx - error setting IPV6_V6ONLY: Protocol not available
Jun 1 11:45:01 mail proftpd[30295]: xxxxxxxxx - ProFTPD 1.3.0a (stable) (built Tue Feb 6 06:12:11 EST 2007) standalone mode STARTUP
Jun 1 11:55:01 mail proftpd[30455]: xxxxxxxxx (::ffff:xxx.xxx.xxx.xxx[::ffff:xxx.xxx.xxx.xxx]) - FTP session opened.
Jun 1 11:55:06 mail kernel: audit(1180716906.478:2174): avc: denied { getattr } for pid=30455 comm="proftpd" name="home" dev=dm-0 ino=8216737 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Jun 1 11:55:06 mail kernel: audit(1180716906.482:2175): avc: denied { getattr } for pid=30455 comm="proftpd" name="home" dev=dm-0 ino=8216737 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Jun 1 11:55:24 mail proftpd[30474]: xxxxxxxxx (::ffff:xxx.xxx.xxx.xxx[::ffff:xxx.xxx.xxx.xxx]) - FTP session opened.
Jun 1 11:55:36 mail proftpd[30474]: xxxxxxxxx (::ffff:xxx.xxx.xxx.xxx1[::ffff:xxx.xxx.xxx.xxx]) - PAM(lee): Authentication failure.
and from /var/log/secure:
Jun 1 11:55:06 mail proftpd: pam_unix(proftpd:session): session opened for user lee by (uid=0)
Jun 1 11:55:06 mail proftpd: Deprecated pam_stack module called from service "proftpd"
Jun 1 11:55:06 mail proftpd[30455]: xxxxxxxxxxxx(::ffff:xxx.xxx.xxx.xxx[::ffff:xxx.xxx.xxx.xxx]) - USER lee: Login successful.
Jun 1 11:55:06 mail proftpd[30455]: xxxxxxxxxxxx (::ffff:xxx.xxx.xxx.xxx[::ffff:xxx.xxx.xxx.xxx]) - notice: unable to use '~/' [resolved to '/home/lee/']: Permission denied
Jun 1 16:55:06 mail proftpd[30455]: xxxxxxxxxxxx (::ffff:xxx.xxx.xxx.xxx[::ffff:xxx.xxx.xxx.xxx]) - Preparing to chroot to directory '~/'
Jun 1 16:55:06 mail proftpd[30455]: xxxxxxxxxxxx (::ffff:xxx.xxx.xxx.xxx[::ffff:xxx.xxx.xxx.xxx]) - lee chroot("~/"): No such file or directory
Jun 1 16:55:06 mail proftpd[30455]: xxxxxxxxxxxx (::ffff:xxx.xxx.xxx.xxx[::ffff:xxx.xxx.xxx.xxx]) - error: unable to set default root directory
Jun 1 16:55:06 mail proftpd: Deprecated pam_stack module called from service "proftpd"
Jun 1 16:55:06 mail proftpd: Deprecated pam_stack module called from service "proftpd"
Jun 1 16:55:06 mail proftpd: pam_unix(proftpd:session): session closed for user lee
Jun 1 16:55:06 mail proftpd[30455]: xxxxxxxxxxxx (::ffff:xxx.xxx.xxx.xxx[::ffff:xxx.xxx.xxx.xxx]) - FTP session closed.
What do I need to do now? It looks like it can't resolve '~/' to be my home folder properly, and that is causing it to be unable to chroot to my home folder. What can I do to fix this?
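An added example, not part of the original thread: the excerpts posted so far show three different failure points (a PAM stack naming a missing module, a rejected password, and a failure after "Login successful" when the home directory cannot be used), plus SELinux AVC denials for `comm="proftpd"`. The sketch below groups proftpd messages by session PID, names the stage at which each session failed, and attaches AVC denials carrying the same PID; the log sample is constructed from the lines above, and the function name, stage labels and PID-based correlation are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpts above; host and client address are placeholders.
SAMPLE_LOG = """\
Jun  1 06:58:44 mail proftpd[26822]: host (::ffff:192.0.2.10[::ffff:192.0.2.10]) - PAM(lee): Module is unknown.
Jun  1 11:55:06 mail kernel: audit(1180716906.478:2174): avc:  denied  { getattr } for  pid=30455 comm="proftpd" name="home" dev=dm-0 ino=8216737 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Jun  1 11:55:06 mail proftpd[30455]: host (::ffff:192.0.2.10[::ffff:192.0.2.10]) - USER lee: Login successful.
Jun  1 11:55:06 mail proftpd[30455]: host (::ffff:192.0.2.10[::ffff:192.0.2.10]) - notice: unable to use '~/' [resolved to '/home/lee/']: Permission denied
Jun  1 16:55:06 mail proftpd[30455]: host (::ffff:192.0.2.10[::ffff:192.0.2.10]) - lee chroot("~/"): No such file or directory
Jun  1 11:55:36 mail proftpd[30474]: host (::ffff:192.0.2.10[::ffff:192.0.2.10]) - PAM(lee): Authentication failure.
"""

# proftpd session line: "proftpd[PID]: host (client) - message"
SESSION_RE = re.compile(r"proftpd\[(\d+)\]: .*? - (.+)$")
# Kernel audit line for a denial raised by a proftpd process.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+pid=(\d+)\s+comm="proftpd"'
    r'.*?name="([^"]*)".*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)'
)
# Checked in order; the first rule that matches any message names the stage.
STAGE_RULES = [
    ("chroot", re.compile(r"unable to use '~/'|chroot\(|unable to set default root")),
    ("pam-config", re.compile(r"PAM\(\w+\): Module is unknown")),
    ("credentials", re.compile(r"PAM\(\w+\): Authentication failure|Incorrect password")),
    ("unknown-user", re.compile(r"no such user")),
]

def triage(log_text):
    """Return {pid: {"authenticated", "stage", "selinux_denials"}} for each session."""
    messages = defaultdict(list)   # pid -> proftpd messages
    denials = defaultdict(list)    # pid -> parsed AVC denials
    for line in log_text.splitlines():
        avc = AVC_RE.search(line)
        if avc:
            perm, pid, name, scon, tcon, tclass = avc.groups()
            denials[pid].append({
                "perm": perm, "name": name, "class": tclass,
                # An SELinux context is user:role:type[:level]; keep the type.
                "source_type": scon.split(":")[2],
                "target_type": tcon.split(":")[2],
            })
            continue
        session = SESSION_RE.search(line)
        if session:
            messages[session.group(1)].append(session.group(2))
    report = {}
    for pid in sorted(set(messages) | set(denials)):
        text = "\n".join(messages[pid])
        stage = next((n for n, rx in STAGE_RULES if rx.search(text)), "none")
        report[pid] = {
            "authenticated": "Login successful" in text,
            "stage": stage,
            "selinux_denials": denials[pid],
        }
    return report

if __name__ == "__main__":
    for pid, info in triage(SAMPLE_LOG).items():
        kinds = sorted({(d["perm"], d["target_type"]) for d in info["selinux_denials"]})
        state = "authenticated" if info["authenticated"] else "not authenticated"
        print(pid, info["stage"], state, kinds)
```

On the sample, session 30455 is reported as authenticated, failing at the chroot stage, with a `getattr` denial from `ftpd_t` on a `home_root_t` directory, which separates it from the password and PAM-module failures in the other sessions.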
Had similar issues with ProFTPd 1.3.0a and after many hours of struggle and frustration I finally gave up and switched to file transfer over ssh: scp or fish/kde on linux and winscp or even smb over ssh on windoze.
That's just it though, I don't have the luxury of just giving up on FTP. I have to move the web sites from the RH9 box which is having problems to the FC5 box. And that means that I need FTP access to the box.
Should I try to step back to an older version of the daemon?
Have you tried what I told you in the previous post? Make the proftpd file in /etc/pam.d look like the one below.
Quote:
Originally Posted by digitalnerds
To use PAM with proftpd you need to make sure the name of the service defined by you in AuthPAMConfig exists. For that, check your /etc/pam.d directory for a file named proftpd with content similar to:
Believe it or not, I decided to give it another try today and it works. Can't explain what's changed. Here is my config file; be warned though that I use Slackware Linux and so all configs are done through conf files directly. Also, I don't use PAM auth.
Code:
MasqueradeAddress your.hostname.net
PassivePorts 65510 65520
ServerName "ProFTPD Default Installation"
ServerType inetd
DefaultServer on
Port 21
Umask 022
MaxInstances 30
User nobody
Group nogroup
SystemLog /var/log/proftpd.log
TransferLog /var/log/xferlog
<Directory /*>
AllowOverwrite on
</Directory>
<Anonymous ~ftp>
RequireValidShell off
User ftp
Group ftp
UserAlias anonymous ftp
MaxClients 50
DisplayLogin welcome.msg
DisplayFirstChdir .message
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
I just tried your offering for the pam.d and it still does not work.
Here are the entries from the security log:
Quote:
Jun 2 14:51:34 mail proftpd: pam_unix(proftpd:session): session opened for user lee by (uid=0)
Jun 2 14:51:34 mail proftpd[8977]: myhost (::ffff:myip[::ffff:myip]) - USER lee: Login successful.
Jun 2 14:51:34 mail proftpd[8977]: myhost (::ffff:myip[::ffff:myip]) - notice: unable to use '~/' [resolved to '/home/lee/']: Permission denied
Jun 2 19:51:34 mail proftpd[8977]: myhost (::ffff:myip[::ffff:myip]) - Preparing to chroot to directory '~/'
Jun 2 19:51:34 mail proftpd[8977]: myhost (::ffff:myip[::ffff:myip]) - lee chroot("~/"): No such file or directory
Jun 2 19:51:34 mail proftpd[8977]: myhost (::ffff:myip[::ffff:myip]) - error: unable to set default root directory
Jun 2 19:51:34 mail proftpd: pam_unix(proftpd:session): session closed for user lee
Jun 2 19:51:34 mail proftpd[8977]: myhost (::ffff:myip[::ffff:myip]) - FTP session closed.
I don't understand why it's having problems with the ~/ folder and chrooting it.
Is there any particular reason to use it in "standalone"?
I had problems using it in that mode; since I didn't have FTP usage that justified it, I'm using it in "inetd" mode.
I'm currently using Debian 4.0, but in the past with other Linuxes it was more or less the same, no problems at all.
Can you verify in the firewall whether port 20 is blocked?
If I'm not mistaken, you can have authentication problems if port 20 is blocked.
In this link, http://ubuntuguide.org/wiki/Ubuntu:Feisty, you can find some useful information regarding proftpd; please search using proftp as the search key.
I just tried your offering for the pam.d and it still does not work.
Here are the entries from the security log:
I don't understand why it's having problems with the ~/ folder and chrooting it.
Well, as far as I can see, now you get a login successful, while at the beginning the user was not recognized.
"USER lee: Login successful."
Now the problem with ~/ (home dir) might be a permissions problem, since the error you get is pretty much self-explanatory: "notice: unable to use '~/' [resolved to '/home/lee/']: Permission denied". Can you please show us the output of ls -la in your /home directory?