vsftpd ver 2.0.4 FTPES works, but after upgrade to ver 2.3.2 it does not
Intro: System Intel Atom with 4 GB RAM, O/S SLES 10 SP3 x64. Installed for base server with GUI. (No firewall, no AppArmor, no printers, static IP.)
Using the local network with a WinXP "user workstation" and no XP firewall. NB most config done via scp or PuTTY from the workstation.
Installed vsftpd from YaST (version 2.0.4). Edited the vsftpd.conf file for PAM authorisation from a db database file, and no anonymous logins allowed. Config file available if required. Works fine.
Then I created an SSL certificate, edited the config file, tested from FileZilla: OK. Moved users to their own directories and created user config files to override the main config file. Seems perfect.
BUT a big issue exists using FireFTP 1.0.10. It takes minutes to show a directory listing. A "Bing" search reveals an issue w.r.t. vsftpd versions less than 2.0.7. So it's upgrade time.
As I cannot find an RPM that's acceptable to SLES, I decided to go bang up to date and build 2.3.2 from source.
ISSUE_1: (working as root... yes, I know!) My install is obviously missing gcc and some PAM prerequisites.
Answer => install from YaST and the SLES source DVD.
ISSUE_2: compile FAILS. It seems the script that is supposed to "find" the requisite libraries assumes that a 64-bit distribution won't have 32-bit libs. Wrong! So I used Linux's find to ensure the correct libraries were present and available.
Potential danger point --> I edited the script vsf_findlibs.sh and changed 2 lines
code:
locate_library /lib/libpam.so.0 && echo "/lib/libpam.so.0";
to:-
locate_library /lib/libpam.so.0 && echo "/lib64/libpam.so.0";
as well as
if locate_library /lib/libcap.so.1; then echo "/lib/libcap.so.1";
to:-
if locate_library /lib/libcap.so.1; then echo "/lib64/libcap.so.1";
endcode
Then it compiled OK and appeared to run okay. (I moved it to /usr/sbin.)
EXCEPT that when I attempt to run vsftpd now I can no longer make FTPES connections; neither FileZilla nor FireFTP works. It appears they all disconnect immediately after sending the password.
In an attempt to get better diagnostics I installed CuteFTP 8.3. It says "Can't read from control socket. Socket error = #10054" from vsftpd immediately after the password has been sent.
(I temporarily reverted to the non-SSL config file and that works fine for simple FTP.)
I tried adding various commands to the config file, like:-
listen address, pasv_address, ssl_sslv2=no, ssl_sslv3=no, require_ssl_reuse=no, debug_ssl=yes, connect_from_port_20=yes
or connect_from_port_20=yes
None of these had any positive effect, i.e. it still fails.
...except many were illegal when I backported to version 2.0.4. (BTW, remove the illegal commands and restart, and vsftpd v2.0.4 still WORKS.)
16 hours of reading forums only revealed 2 similar incidents (though on different software revisions) but NO REPLIES.
My inclination is that I messed up the compile somehow. (gcc = 4.1.2)
BTW ldd says:-
code:
ldd ./vsftpd
linux-vdso.so.1 => (0x00007fff7b7ff000)
libpam.so.0 => /lib64/libpam.so.0 (0x00002ae52f52c000)
libdl.so.2 => /lib64/libdl.so.2 (0x00002ae52f637000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00002ae52f73b000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00002ae52f852000)
libcap.so.1 => /lib64/libcap.so.1 (0x00002ae52f966000)
libssl.so.0.9.8 => /usr/lib64/libssl.so.0.9.8 (0x00002ae52fa69000)
libcrypto.so.0.9.8 => /usr/lib64/libcrypto.so.0.9.8 (0x00002ae52fbb0000)
libc.so.6 => /lib64/libc.so.6 (0x00002ae52fe13000)
libaudit.so.0 => /lib64/libaudit.so.0 (0x00002ae530053000)
/lib64/ld-linux-x86-64.so.2 (0x00002ae52f410000)
endcode
1) Any comments on my bodge to the .sh file gratefully accepted; perhaps someone could tell me how to do this properly.
2) Is the compilation I did actually viable?
3) I am making the following assumptions (naive?)
a) If the certificate is OK in 2.0.4, it's OK in 2.3.2
b) If PAM works for 2.0.4, then it's OK for 2.3.2
c) 2.3.2 doesn't break the 2.0.4 config file (vsftpd.conf)
d) I didn't miss something really stupid.
4) Any advice welcomed; it's got me beat, and unfortunately I cannot remove the FTP requirement, only attempt to make it vaguely secure.
PS: This is my very first post, so I have tried to keep it short, simple and to the point. I probably failed, but thanks for reading.
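On question 1 (how to do the library lookup properly rather than hard-coding /lib64): the script below is an added example, not from the post and not vsftpd's own vsf_findlibs.sh. It searches several library directories and checks the ELF class of each candidate, so a 32-bit copy in /lib is skipped when linking 64-bit; the directory list in LIBDIRS, the WANT_BITS default and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or from vsftpd's vsf_findlibs.sh): find a
# shared library by name across several lib directories and return the first
# copy whose ELF class matches the bitness we are linking for, instead of
# hard-coding /lib or /lib64. LIBDIRS and WANT_BITS are assumed defaults.

LIBDIRS="${LIBDIRS:-/lib64 /usr/lib64 /lib /usr/lib}"
WANT_BITS="${WANT_BITS:-64}"

# Print 32 or 64 for an ELF file; fail (print nothing) for anything else.
# Bytes 0-3 are the magic 0x7f 'E' 'L' 'F'; byte 4 (EI_CLASS) is 1 for
# ELFCLASS32 and 2 for ELFCLASS64.
elf_bits() {
    set -- $(od -An -tu1 -N5 "$1" 2>/dev/null)
    [ "$1" = 127 ] && [ "$2" = 69 ] && [ "$3" = 76 ] && [ "$4" = 70 ] || return 1
    case "$5" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) return 1 ;;
    esac
}

# Like locate_library in vsf_findlibs.sh, but searches every directory in
# LIBDIRS and skips copies of the wrong ELF class (e.g. a 32-bit
# /lib/libpam.so.0 on a 64-bit SLES box). Echoes the path found.
find_lib() {
    for d in $LIBDIRS; do
        f="$d/$1"
        [ -f "$f" ] || continue
        if [ "$(elf_bits "$f")" = "$WANT_BITS" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Demo: the two libraries the post had to patch by hand.
for lib in libpam.so.0 libcap.so.1; do
    find_lib "$lib" || echo "no ${WANT_BITS}-bit $lib in $LIBDIRS" >&2
done
```

Running it on the box in question with WANT_BITS=64 should print /lib64/libpam.so.0 and /lib64/libcap.so.1, which is what the hand edit produced; a warning instead means the matching-class copy really is missing.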