Old 03-14-2008, 01:44 PM   #16
inspiron_Droid
Member
 
Registered: Dec 2006
Distribution: Debian (Wheeze)
Posts: 391

Rep: Reputation: Disabled

IMHO, I'd use samba on the original machine where you want to store the home directories and direct a pointer on the Active Directory Server to the machine on the network upon which you wish to store the home directories, and on the Windows side point the users' C:\Documents and Settings\username folders to the home folders for each user which you have migrated to the Linux server via a script which is run at boot on the MS client machines.
 
Old 03-14-2008, 01:57 PM   #17
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Original Poster
Rep: Reputation: 32
Okay, I was able to get vsftpd installed with MySQL database authentication. That all works good and dandy. Then I went to install and configure SSL support, and now I can log in to the system but get denied after the TLS/SSL connection is established.

Client FTP Log

Code:
Connection established, waiting for welcome message...
Response:	220 (vsFTPd 2.0.5)
Command:	AUTH TLS
Response:	234 Proceed with negotiation.
Status:	Initializing TLS...
Command:	USER testuser
Status:	Verifying certificate...
Status:	TLS/SSL connection established.
Response:	331 Please specify the password.
Command:	PASS ******
Error:	Disconnected from server
Error:	Could not connect to server
Status:	Waiting to retry...
Status:	Connecting to XXX.XXX.XXX.XXX:21...
Status:	Connection established, waiting for welcome message...
Response:	220 (vsFTPd 2.0.5)
Command:	AUTH TLS
Response:	234 Proceed with negotiation.
Status:	Initializing TLS...
Command:	USER testuser
Status:	Verifying certificate...
Status:	TLS/SSL connection established.
Response:	331 Please specify the password.
Command:	PASS ******
Error:	Disconnected from server
Error:	Could not connect to server
Status:	Waiting to retry...
Server Log File

Code:
Fri Mar 14 14:46:45 2008 [pid 28494] [testuser] OK LOGIN: Client "XXX.XXX.XXX.XXX"
Fri Mar 14 14:46:50 2008 [pid 28498] CONNECT: Client "XXX.XXX.XXX.XXX"
Fri Mar 14 14:46:50 2008 [pid 28497] [testuser] OK LOGIN: Client "XXX.XXX.XXX.XXX"
Fri Mar 14 14:52:25 2008 [pid 28503] CONNECT: Client "XXX.XXX.XXX.XXX"
Fri Mar 14 14:52:29 2008 [pid 28502] [testuser] OK LOGIN: Client "XXX.XXX.XXX.XXX"
Fri Mar 14 14:52:34 2008 [pid 28506] CONNECT: Client "XXX.XXX.XXX.XXX"
Fri Mar 14 14:52:34 2008 [pid 28505] [testuser] OK LOGIN: Client "XXX.XXX.XXX.XXX"
Fri Mar 14 14:53:02 2008 [pid 28512] CONNECT: Client "XXX.XXX.XXX.XXX"
Fri Mar 14 14:53:02 2008 [pid 28511] [testuser] OK LOGIN: Client "XXX.XXX.XXX.XXX"
Fri Mar 14 14:53:07 2008 [pid 28515] CONNECT: Client "XXX.XXX.XXX.XXX"
Fri Mar 14 14:53:07 2008 [pid 28514] [testuser] OK LOGIN: Client "XXX.XXX.XXX.XXX"
My Configuration file

Code:
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
nopriv_user=vsftpd
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
guest_enable=NO
#guest_username=vsftpd
local_root=/home/vsftpd/$USER
user_sub_token=$USER
virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd_user_conf

Last edited by richinsc; 03-14-2008 at 02:02 PM.
 
Old 03-14-2008, 02:41 PM   #18
weisso5
Member
 
Registered: Oct 2007
Location: New York City
Distribution: Gentoo, FC
Posts: 133

Rep: Reputation: 16
Which Client are you trying it with?


Also as a test try this in a web browser:
Code:
ftp://user:password@XXX.XXX.XXX.XXX
-weisso

Last edited by weisso5; 03-14-2008 at 02:42 PM.
 
Old 03-14-2008, 02:48 PM   #19
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Quote:
Originally Posted by linux-Hawk
IMHO, I'd use samba on the original machine where you want to store the home directories and direct a pointer on the Active Directory Server to the machine on the network upon which you wish to store the home directories, and on the Windows side point the users' C:\Documents and Settings\username folders to the home folders for each user which you have migrated to the Linux server via a script which is run at boot on the MS client machines.
I don't think the users are running Windows clients.
 
Old 03-14-2008, 02:56 PM   #20
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Original Poster
Rep: Reputation: 32
Working with FileZilla and also tried FireFTP (Firefox SSL FTP Extension). When I try a regular login in the browser as you say, I get the following message, which is what I want because I want to force SSL. The message is "530 Non-anonymous sessions must use encryption". I expected this message.
 
Old 03-14-2008, 03:11 PM   #21
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Original Poster
Rep: Reputation: 32
Well I have changed out my configuration and am now using vsftp over ssl for simplicity's sake and enabled mysql authentication so they don't require local accounts.
 
Old 03-14-2008, 03:55 PM   #22
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Original Poster
Rep: Reputation: 32
It's possible it may be my firewall blocking the SSL. If so any suggestions? What ports do I need to allow besides 21?
 
Old 03-14-2008, 04:00 PM   #23
weisso5
Member
 
Registered: Oct 2007
Location: New York City
Distribution: Gentoo, FC
Posts: 133

Rep: Reputation: 16
SSH - 22
FTP - 21
FTPS - 989/990
HTTPS - 443
LDAP/LDAPs - 389/636


What kind of firewall do you have?


-weisso

Last edited by weisso5; 03-14-2008 at 04:02 PM.
 
Old 03-14-2008, 04:01 PM   #24
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Original Poster
Rep: Reputation: 32
Custom iptables

Currently allow all connections regardless of port for test machine and still can't log in.

Last edited by richinsc; 03-14-2008 at 04:03 PM.
 
Old 03-14-2008, 04:05 PM   #25
weisso5
Member
 
Registered: Oct 2007
Location: New York City
Distribution: Gentoo, FC
Posts: 133

Rep: Reputation: 16
basic iptables rules:

# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT

# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# ftp / webserver related
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

# Windows / Samba
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
 
Old 03-14-2008, 04:09 PM   #26
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Original Poster
Rep: Reputation: 32
Currently allowing this for my test machine to work, just to try and troubleshoot.

iptables -A INPUT -s xxx.xxx.xxx.xxx -j ACCEPT
iptables -A OUTPUT -d xxx.xxx.xxx.xxx -j ACCEPT

This should allow anything from my test machine but I am still not able to connect...

I set the following to no and still couldn't get to connect

force_local_data_ssl=NO
force_local_logins_ssl=NO

Still unable to connect... It has to do with something at SSL level.
 
Old 03-14-2008, 04:24 PM   #27
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Original Poster
Rep: Reputation: 32
Now a weird issue. If I disable SSL I can't even get a connection, and it says that it can't find the user. I think something more changed when I enabled SSL. Going to recheck the connection to the DB... Any way I can monitor DB connections and transactions as they're happening?

This is what I get after disabling SSL

Code:
Status:	Connection established, waiting for welcome message...
Response:	220 (vsFTPd 2.0.5)
Command:	USER testuser
Response:	331 Please specify the password.
Command:	PASS ******
Response:	500 OOPS: cannot locate user entry:testuser
Error:	Could not connect to server

Last edited by richinsc; 03-14-2008 at 04:43 PM.
 
Old 03-17-2008, 07:25 AM   #28
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Original Poster
Rep: Reputation: 32
Sorry to have to bump this thread, but I am still working on the issue and in need of assistance.
 
Old 03-17-2008, 09:49 AM   #29
weisso5
Member
 
Registered: Oct 2007
Location: New York City
Distribution: Gentoo, FC
Posts: 133

Rep: Reputation: 16
Hello,

The error you posted clearly says:
Quote:
Response: 500 OOPS: cannot locate user entry:testuser
meaning you are using a not valid user.

Repost your vsftpd config.


Roll back to when you got it to work with FileZilla, and let's try a few things.

1. Make sure all services are running.
2. Use NMAP on another station to determine if the correct ports are open
3. Try to log in using an FTP client, and make sure you use the correct user and password
4. Check the logs for specific errors, not client side errors.

-weisso
 
Old 03-17-2008, 10:09 AM   #30
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Original Poster
Rep: Reputation: 32
weisso5,

I only get the following when I disable SSL,

Code:
Status:	Resolving IP-Address for dragon
Status:	Connecting to 10.4.10.114:21...
Status:	Connection established, waiting for welcome message...
Response:	220-Test Banner
Response:	220 
Command:	USER testuser
Response:	331 Please specify the password.
Command:	PASS ******
Response:	500 OOPS: cannot locate user entry:testuser
Error:	Could not connect to server
To disable SSL I edit /etc/vsftpd.conf and comment out SSL parts as shown below...

Code:
# cat /etc/vsftpd.conf
listen=YES
ftpd_banner=Authorized Users Only! All others will be prosecuted to the full extent of the Law!
banner_file=/home/vsftpd/welcome.banner
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
nopriv_user=vsftpd
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
#ssl_enable=YES
#allow_anon_ssl=NO
#force_local_data_ssl=YES
#force_local_logins_ssl=YES
#ssl_tlsv1=YES
#ssl_sslv2=NO
#ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
guest_enable=NO
#guest_username=vsftpd
local_root=/home/vsftpd/$USER
user_sub_token=$USER
virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd_user_conf
When I enable SSL I get the following message

Code:
Status:	Resolving IP-Address for dragon
Status:	Connecting to 10.4.10.114:21...
Status:	Connection established, waiting for welcome message...
Response:	220-Test Banner
Response:	220 
Command:	AUTH TLS
Response:	234 Proceed with negotiation.
Status:	Initializing TLS...
Command:	USER testuser
Status:	Verifying certificate...
Status:	TLS/SSL connection established.
Response:	331 Please specify the password.
Command:	PASS ******
Error:	Disconnected from server
Error:	Could not connect to server
Status:	Waiting to retry...
This is the vsftpd file changes that give the result above

Code:
# cat /etc/vsftpd.conf
listen=YES
ftpd_banner=Authorized Users Only! All others will be prosecuted to the full extent of the Law!
banner_file=/home/vsftpd/welcome.banner
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
nopriv_user=vsftpd
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
guest_enable=NO
#guest_username=vsftpd
local_root=/home/vsftpd/$USER
user_sub_token=$USER
virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd_user_conf
The following is my pam.d file for MySQL and vsftp

Code:
# cat /etc/pam.d/vsftpd
auth required pam_mysql.so user=vsftpd passwd=hidden host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=0
account required pam_mysql.so user=vsftpd passwd=hidden host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=0
I have tried setting crypt to both 0 and 2, 0 being no encryption (plain text) and 2 being encrypted password.

Regardless of the message from FileZilla the vsftpd log always states

Code:
# tail -f /var/log/vsftpd.log
Mon Mar 17 09:28:56 2008 [pid 28017] CONNECT: Client "10.4.10.21"
Mon Mar 17 09:29:00 2008 [pid 28016] [testuser] OK LOGIN: Client "10.4.10.21"
Mon Mar 17 09:34:19 2008 [pid 28065] CONNECT: Client "10.4.10.21"
Mon Mar 17 09:34:19 2008 [pid 28064] [testuser] OK LOGIN: Client "10.4.10.21"
Mon Mar 17 10:07:26 2008 [pid 28944] CONNECT: Client "10.4.10.21"
Mon Mar 17 10:07:26 2008 [pid 28943] [testuser] OK LOGIN: Client "10.4.10.21"
Mon Mar 17 10:59:30 2008 [pid 28993] CONNECT: Client "10.4.10.21"
Mon Mar 17 10:59:30 2008 [pid 28992] [testuser] OK LOGIN: Client "10.4.10.21"
Mon Mar 17 10:59:35 2008 [pid 28996] CONNECT: Client "10.4.10.21"
Mon Mar 17 10:59:35 2008 [pid 28995] [testuser] OK LOGIN: Client "10.4.10.21"
Of course I am still unable to log in. I am storing the home folders over a samba share, of course, but I doubt that would affect anything. Let me know what you think; I will be refreshing the thread constantly looking for your reply.
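
An added example, not part of the original thread: a small lint for the vsftpd.conf posted in #30, flagging the options that interact with PAM-backed (pam_mysql) accounts and forced TLS. It assumes the accounts exist only in the MySQL table and not in /etc/passwd; the function names and the passive port numbers are illustrative.

```python
def parse_conf(text):
    """Return {option: value}; vsftpd.conf lines are option=value with no spaces."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    return opts

def yes(opts, key, default="NO"):
    return opts.get(key, default).upper() == "YES"

def lint(text, users_are_pam_only=True):
    """users_are_pam_only is an assumption: accounts live only in the PAM backend
    (pam_mysql here), with no matching entry in /etc/passwd."""
    o, findings = parse_conf(text), []
    if users_are_pam_only and yes(o, "local_enable") and not yes(o, "guest_enable"):
        findings.append("guest_enable=NO: PAM can accept the password, but vsftpd then "
                        "needs a system account entry for the same user name")
    if yes(o, "guest_enable") and "guest_username" not in o:
        findings.append("guest_enable=YES without guest_username: maps to default 'ftp'")
    if not yes(o, "ssl_enable"):
        findings.append("ssl_enable is off: passwords and data cross the wire in cleartext")
        return findings
    for old in ("ssl_sslv2", "ssl_sslv3"):
        if yes(o, old):
            findings.append(old + "=YES enables an obsolete protocol version")
    if not yes(o, "force_local_logins_ssl", "YES"):
        findings.append("force_local_logins_ssl=NO allows cleartext logins")
    if "pasv_min_port" not in o or "pasv_max_port" not in o:
        findings.append("no pasv_min_port/pasv_max_port: with an encrypted control channel "
                        "the firewall cannot read data-port replies, so pin a range")
    return findings

# Options copied from the SSL-enabled /etc/vsftpd.conf in post #30.
POSTED = """local_enable=YES
pam_service_name=vsftpd
ssl_enable=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
guest_enable=NO
#guest_username=vsftpd
"""
# Constructed variant: guest mapping on, passive range pinned (port numbers are examples).
ADJUSTED = (POSTED.replace("guest_enable=NO\n#", "guest_enable=YES\n")
            + "pasv_min_port=50000\npasv_max_port=50100\n")
if __name__ == "__main__": print("\n".join(lint(POSTED)))
```

The first finding lines up with the symptoms posted above: the server log records "OK LOGIN" (PAM accepted the password) while the client receives "500 OOPS: cannot locate user entry".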
 
  

