Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Recently I've set up vsftpd, everything's running fine, however I was asked to allow the ftp connections also, as I was informed that it wasn't working at all.
So I ftp'd to 127.0.0.1 and got:
Connected to 127.0.0.1 (127.0.0.1).
And it's sitting there, doing nothing. No 200, no nothing. I have to Ctrl+Z out of it. The process is getting created but that's it. I've created new users, changed paths, tried so many thing I lost count. I can't even diagnose what's happening, because nothing is being written to the logs (except for sftp.log, which is for sftp and doesn't help me in any way).
I've adjusted sebools (ftpd_use_nfs, ftpd_full_access, use_nfs_home_dirs) but then I've just switched it to permissive so I could narrow down what's the culprit, so SELinux can be taken out from the equation.
Xfer.log, vsftpd.log and sftp.log are all in the same path (nfs). Homedirs are on a separate nfs. Permissions are set so the jail would work properly. Socket for each user is created to get info about the connections.
Here are my configs:
sshd_config
Code:
Subsystem sftp internal-sftp -f LOCAL3 -l VERBOSE
Match Group root
PubkeyAuthentication yes
Match Group ftpusers
AllowTCPForwarding no
AuthorizedKeysFile .ssh/authorized_keys
Banner none
ChrootDirectory /sftp_path/chroot_%u/
ForceCommand internal-sftp -f LOCAL3 -l VERBOSE
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes=+ssh-dss
Match User *,!root,!emm
Banner /etc/sftp_banner_nosftp
ForceCommand /bin/false
rsyslog.conf
Code:
$AddUnixListenSocket /sftp_path/chroot_username ## a lot of those, one per user
local3.* /var/log/log_archive/servername/sftp.log
OpenSSH provides SFTP support, so vsftpd has nothing to do with that. If SFTP is working fine, then you can (and should) uninstall vsftpd from the system. By the way, your SSH server configuration file seems misconfigured to allow DSA keys. That line ought to be removed. If there are still any DSA keys floating around in 2021, they should be found and replaced with Ed25519 if possible. If compatability with legacy systems is required then RSA is another option but, either way, DSA should be removed and replaced.
What problem were you trying to solve that FTP even came up in conversation?
sftp and ftp are entirely different protocols..
If sftp is working then you don’t need ftp at all IMO
…
(Turbocapitalist and I are apparently both awake in the middle of the night)
The thing is, I was asked to allow some users to use ftp service too. Rumor has it that it's due to some old APIs that support only ftp transfers and I'm in no position to question that, unfortunately.
It's internal server, so I'm not concerned about security issues and the like.
DSA keys are allowed because there are RHEL6 jumphosts connecting to that server (management). Until the transition finishes, it'll remain as it is.
I agree and I'm not happy with the way it is set up now but I just play the hand I was dealt.
Turning to the merits - I might've provided too much info, granted. In short - when I try to ftp to that server, I get the said "connected to [IP]" and it stops at that. Right now I'm clueless how to troubleshoot/diagnose that.
DSA keys are allowed because there are RHEL6 jumphosts connecting to that server (management).
That's when you use the RSA keys. :/
Anyway, about FTP, there are darn few legitimate uses for it these days and setting it up remains a great pain. Maybe SFTP was meant but "FTP" was said by mistake. That does happen occasionally. Since most projects have deployed SFTP support long ago, I wonder which programs still claim to need FTP?
However, all that aside, there is one important clarifying question: Which distro is this FTP server (vsftpd) going to be installed on? Please, include the version. That determines where the log files will be and whether SELinux is involved.
The thing is, I cannot change the keys just like that. They have to remain the same. Hence the workaround.
Quote:
Originally Posted by Turbocapitalist
Maybe SFTP was meant but "FTP" was said by mistake.
Unfortunately no. They even dropped some screencaps where it can be seen that on previous server (running on RH6) ftp connection was used and while sftp works fine, ftp does not.
Quote:
Originally Posted by Turbocapitalist
However, all that aside, there is one important clarifying question: Which distro is this FTP server (vsftpd) going to be installed on? Please, include the version. That determines where the log files will be and whether SELinux is involved.
RHEL 8.3
vsftpd 3.0.3-32
As I've mentioned in the original post, SELinux has been set to permissive. Should the ftp start working fine, I'll deal with policies and any other things later.
Okay, for anyone interested, I started from scratch and it looks like that if the path for either vsftpd log or xferlog are on an NFS (v3), everything will hang upon login as I've described.
Setting rights to 777 and overall messing with the filesystem doesn't change a thing here. No matter what I did, I couldn't make it work.
In the end, I went for storing the logs in the /var/log and making links to those on an NFS so that logrotate will do its job daily and I'll have archival logs stored on the NFS.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.