Hello list!!
I am trying to setup very simple authentication for proftpd under centos 5.6. But for some reason it isn't working and I was hoping to get some advice into how to resolve the issue.
Machine info: [code] [root@VIRTCENT07:~] #cat /etc/redhat-release CentOS release 5.6 (Final)
[root@VIRTCENT07:~] #uname -a Linux VIRTCENT07 2.6.18-238.el5xen #1 SMP Thu Jan 13 17:49:40 EST 2011 i686 i686 i386 GNU/Linux [/code]
Proftpd version [code] ProFTPD Version 1.3.3e [/code]
When I try to log into FTP authentication fails even tho the password is typed correctly
[code] [root@VIRTCENT07:~] #/usr/bin/ftp localhost Connected to localhost (127.0.0.1). 220 FTP Server ready. Name (localhost:root): bluethundr 331 Password required for bluethundr Password: 530 Login incorrect. Login failed. Remote system type is UNIX. Using binary mode to transfer files. [/code]
I've enabled the ExtendedLogs option in the config and this is what I saw as a result [code] 127.0.0.1 UNKNOWN nobody [12/Aug/2011:11:45:00 -0400] "USER bluethundr" 331 - 127.0.0.1 UNKNOWN nobody [12/Aug/2011:11:45:04 -0400] "PASS (hidden)" 530 - 127.0.0.1 UNKNOWN nobody [12/Aug/2011:11:45:04 -0400] "SYST" 215 - [/code]
The user account is stored in LDAP
[code] [root@VIRTCENT07:~] #getent passwd | grep bluethundr bluethundr:*:1001:1002:That Guy:/home/bluethundr:/bin/bash [/code]
The proftpd user runs the 'nobody' account [code] User nobody Group nobody [/code]
Which is also stored in LDAP [code] [root@VIRTCENT07:~] #getent passwd | grep nobody nobody:x:99:99:Nobody:/:/sbin/nologin [/code]
The user that ProFTPd runs as is using a valid shell
[code] [root@VIRTCENT07:~] #cat /etc/shells /bin/sh /bin/bash /sbin/nologin /bin/tcsh /bin/csh /bin/ksh [/code]
And this is what my entire ProFTPd config file is looking like
[code] # This is the ProFTPD configuration file # # See: http://www.proftpd.org/docs/directives/linked/by-name.html
# Server Config - config used for anything outside a <VirtualHost> or <Global> context # See: http://www.proftpd.org/docs/howto/Vhost.html
ServerName "ProFTPD server" ServerIdent on "FTP Server ready." ServerAdmin root@localhost DefaultServer on
# Cause every FTP user except adm to be chrooted into their home directory # Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to # work at session-end time (http://bugzilla.redhat.com/477120) VRootEngine on DefaultRoot ~ !adm VRootAlias etc/security/pam_env.conf /etc/security/pam_env.conf
# Use pam to authenticate (default) and be authoritative AuthPAMConfig proftpd AuthOrder mod_auth_pam.c* mod_auth_unix.c # If you use NIS/YP/LDAP you may need to disable PersistentPasswd PersistentPasswd off
# Don't do reverse DNS lookups (hangs on DNS problems) UseReverseDNS off
# Set the user and group that the server runs as User nobody Group nobody
# To prevent DoS attacks, set the maximum number of child processes # to 20. If you need to allow more than 20 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode; in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd) MaxInstances 20
# Disable sendfile by default since it breaks displaying the download speeds in # ftptop and ftpwho UseSendfile off
# Define the log formats LogFormat default "%h %l %u %t "%r" %s %b" LogFormat auth "%v [%P] %h %t "%r" %s"
# Dynamic Shared Object (DSO) loading # See README.DSO and howto/DSO.html for more details # # General database support (http://www.proftpd.org/docs/contrib/mod_sql.html) # LoadModule mod_sql.c # # Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables # (contrib/mod_sql_passwd.html) # LoadModule mod_sql_passwd.c # # Mysql support (requires proftpd-mysql package) # (http://www.proftpd.org/docs/contrib/mod_sql.html) # LoadModule mod_sql_mysql.c # # Postgresql support (requires proftpd-postgresql package) # (http://www.proftpd.org/docs/contrib/mod_sql.html) # LoadModule mod_sql_postgres.c # # Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html) # LoadModule mod_quotatab.c # # File-specific "driver" for storing quota table information in files # (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html) # LoadModule mod_quotatab_file.c # # SQL database "driver" for storing quota table information in SQL tables # (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html) # LoadModule mod_quotatab_sql.c # # LDAP support (requires proftpd-ldap package) # (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html) # LoadModule mod_ldap.c # # LDAP quota support (requires proftpd-ldap package) # (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html) # LoadModule mod_quotatab_ldap.c # # Support for authenticating users using the RADIUS protocol # (http://www.proftpd.org/docs/contrib/mod_radius.html) # LoadModule mod_radius.c # # Retrieve quota limit table information from a RADIUS server # (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html) # LoadModule mod_quotatab_radius.c # # Administrative control actions for the ftpdctl program # (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html) # LoadModule mod_ctrls_admin.c # # Execute external programs or scripts at various points in the process # of handling FTP commands # (http://www.castaglia.org/proftpd/modules/mod_exec.html) # LoadModule mod_exec.c # # Support for POSIX ACLs # (http://www.proftpd.org/docs/modules/mod_facl.html) # LoadModule mod_facl.c # # Support for using the GeoIP library to look up geographical information on # the connecting client and using that to set access controls for the server # (http://www.castaglia.org/proftpd/modules/mod_geoip.html) # LoadModule mod_geoip.c # # Configure server availability based on system load # (http://www.proftpd.org/docs/contrib/mod_load.html) # LoadModule mod_load.c # # Limit downloads to a multiple of upload volume (see README.ratio) # LoadModule mod_ratio.c # # Rewrite FTP commands sent by clients on-the-fly, # using regular expression matching and substitution # (http://www.proftpd.org/docs/contrib/mod_rewrite.html) # LoadModule mod_rewrite.c # # Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over # an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html) # LoadModule mod_sftp.c # # Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for # mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html) # LoadModule mod_sftp_pam.c # # Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user # and host based authentication # (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html) # LoadModule mod_sftp_sql.c # # Provide data transfer rate "shaping" across the entire server # (http://www.castaglia.org/proftpd/modules/mod_shaper.html) # LoadModule mod_shaper.c # # Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK, # and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html) # LoadModule mod_site_misc.c # # Provide an external SSL session cache using shared memory # (contrib/mod_tls_shmcache.html) # LoadModule mod_tls_shmcache.c # # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny # files, for IP-based access control # (http://www.proftpd.org/docs/contrib/mod_wrap.html) # LoadModule mod_wrap.c # # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny # files, as well as SQL-based access rules, for IP-based access control # (http://www.proftpd.org/docs/contrib/mod_wrap2.html) # LoadModule mod_wrap2.c # # Support module for mod_wrap2 that handles access rules stored in specially # formatted files on disk # (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html) # LoadModule mod_wrap2_file.c # # Support module for mod_wrap2 that handles access rules stored in SQL # database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html) # LoadModule mod_wrap2_sql.c # # Provide a flexible way of specifying that certain configuration directives # only apply to certain sessions, based on credentials such as connection # class, user, or group membership # (http://www.proftpd.org/docs/contrib/mod_ifsession.html) # LoadModule mod_ifsession.c
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html) <IfDefine TLS> TLSEngine on TLSRequired on TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem TLSCipherSuite ALL:!ADH:!DES TLSOptions NoCertRequest TLSVerifyClient off #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300 TLSLog /var/log/proftpd/tls.log <IfModule mod_tls_shmcache.c> TLSSessionCache shm:/file=/var/run/proftpd/sesscache </IfModule> </IfDefine>
# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html) # Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd <IfDefine DYNAMIC_BAN_LISTS> LoadModule mod_ban.c BanEngine on BanLog /var/log/proftpd/ban.log BanTable /var/run/proftpd/ban.tab
# If the same client reaches the MaxLoginAttempts limit 2 times # within 10 minutes, automatically add a ban for that client that # will expire after one hour. BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
# Allow the FTP admin to manually add/remove bans BanControlsACLs all allow user ftpadm </IfDefine>
# Global Config - config common to Server Config and all virtual hosts # See: http://www.proftpd.org/docs/howto/Vhost.html <Global>
# Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable Umask 022
# Allow users to overwrite files and change permissions AllowOverwrite yes <Limit ALL SITE_CHMOD> AllowAll </Limit>
</Global>
# A basic anonymous configuration, with an upload directory # Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd <IfDefine ANONYMOUS_FTP> <Anonymous ~ftp> User ftp Group ftp AccessGrantMsg "Anonymous login ok, restrictions apply."
# We want clients to be able to login with "anonymous" as well as "ftp" UserAlias anonymous ftp
# Limit the maximum number of anonymous logins MaxClients 10 "Sorry, max %m users -- try again later"
# Put the user into /pub right after login #DefaultChdir /pub
# We want 'welcome.msg' displayed at login, '.message' displayed in # each newly chdired directory and tell users to read README* files. DisplayLogin /welcome.msg DisplayChdir .message DisplayReadme README*
# Cosmetic option to make all files appear to be owned by user "ftp" DirFakeUser on ftp DirFakeGroup on ftp
# Limit WRITE everywhere in the anonymous chroot <Limit WRITE SITE_CHMOD> DenyAll </Limit>
# An upload directory that allows storing files but not retrieving # or creating directories. <Directory uploads/*> AllowOverwrite no <Limit READ> DenyAll </Limit>
<Limit STOR> AllowAll </Limit> </Directory>
# Don't write anonymous accesses to the system wtmp file (good idea!) WtmpLog off
# Logging for the anonymous transfers ExtendedLog /var/log/proftpd/access.log WRITE,READ default ExtendedLog /var/log/proftpd/auth.log AUTH auth
</Anonymous> </IfDefine> [/code]
I have also tried raising the debug level to 10
[code] DebugLevel 10 SystemLog /var/log/proftpd/proftpd.log
And this was the info I saw in the log file:
Aug 12 15:13:48 VIRTCENT07 proftpd[9959] 192.168.1.29: ProFTPD 1.3.3e (maint) (built Thu Apr 7 2011 14:41:56 UTC) standalone mode STARTUP Aug 12 15:13:53 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): AuthOrder in effect, resetting auth module order Aug 12 15:13:53 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): connected - local : 127.0.0.1:21 Aug 12 15:13:53 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): connected - remote : 127.0.0.1:40875 Aug 12 15:13:53 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): FTP session opened. Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'USER bluethundr' to mod_tls Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'USER bluethundr' to mod_core Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'USER bluethundr' to mod_core Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'USER bluethundr' to mod_delay Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'USER bluethundr' to mod_auth Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching CMD command 'USER bluethundr' to mod_auth Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching POST_CMD command 'USER bluethundr' to mod_delay Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching LOG_CMD command 'USER bluethundr' to mod_log Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_tls Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_core Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_core Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_vroot Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): mod_vroot/0.8.5: vroot registered Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_delay Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_auth Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching CMD command 'PASS (hidden)' to mod_auth Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): retrieved UID 1001 for user 'bluethundr' Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): retrieved group IDs: 1002, 500 Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): retrieved group name: bluethundr Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): ROOT PRIVS at mod_auth_pam.c:312 Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): RELINQUISH PRIVS at mod_auth_pam.c:482 Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): USER bluethundr (Login failed): Incorrect password. Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching POST_CMD_ERR command 'PASS (hidden)' to mod_vroot Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): mod_vroot/0.8.5: vroot unregistered Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching POST_CMD_ERR command 'PASS (hidden)' to mod_delay Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_log Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_auth Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'SYST' to mod_tls Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'SYST' to mod_core Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'SYST' to mod_core Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching CMD command 'SYST' to mod_core Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching LOG_CMD command 'SYST' to mod_log [/code]
I was able to generate some additional debugging information. not sure how much this helps, but here ya go..
[code] - using TCP receive buffer size of 87380 bytes - using TCP send buffer size of 16384 bytes - testing Unix domain socket using S_ISFIFO - testing Unix domain socket using S_ISSOCK - using S_ISSOCK macro for Unix domain socket detection - mod_tls/2.4.2: using OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 - retrieved UID 99 for user 'nobody' - retrieved GID 99 for group 'nobody' - using TCP receive buffer size of 87380 bytes - using TCP send buffer size of 16384 bytes - testing Unix domain socket using S_ISFIFO - testing Unix domain socket using S_ISSOCK - using S_ISSOCK macro for Unix domain socket detection - mod_tls/2.4.2: using OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 - retrieved UID 99 for user 'nobody' - retrieved GID 99 for group 'nobody' - <IfDefine>: skipping 'TLS' section at line 178 - <IfDefine>: skipping 'DYNAMIC_BAN_LISTS' section at line 195 - <IfDefine>: skipping 'ANONYMOUS_FTP' section at line 228 - UseReverseDNS off, returning IP address instead of DNS name 192.168.1.29 - 192.168.1.29 - Config for ProFTPD server: 192.168.1.29 - ServerIdent 192.168.1.29 - DefaultServer 192.168.1.29 - VRootEngine 192.168.1.29 - DefaultRoot 192.168.1.29 - VRootAlias 192.168.1.29 - AuthPAMConfig 192.168.1.29 - AuthOrder 192.168.1.29 - UserID 192.168.1.29 - UserName 192.168.1.29 - GroupID 192.168.1.29 - GroupName 192.168.1.29 - UseSendfile 192.168.1.29 - DebugLevel 192.168.1.29 - ExtendedLog 192.168.1.29 - Limit 192.168.1.29 - AllowAll 192.168.1.29 - Umask 192.168.1.29 - AllowOverwrite 192.168.1.29 - ROOT PRIVS at mod_delay.c:354 192.168.1.29 - RELINQUISH PRIVS at mod_delay.c:359 192.168.1.29 - ROOT PRIVS at mod_ctrls.c:1139 192.168.1.29 - RELINQUISH PRIVS at mod_ctrls.c:1141 192.168.1.29 - mod_lang/0.9: binding to text domain 'proftpd' using locale path '/usr/share/locale' 192.168.1.29 - mod_lang/0.9: using locale files in '/usr/share/locale' 192.168.1.29 - mod_lang/0.9: added the following supported languages: zh_CN, bg_BG, ja_JP, en_US, ru_RU, zh_TW, ko_KR, fr_FR, it_IT 192.168.1.29 - retrieved group ID: 99 192.168.1.29 - setting group ID: 99 192.168.1.29 - SETUP PRIVS at main.c:3131 192.168.1.29 - ROOT PRIVS at main.c:2153 192.168.1.29 - RELINQUISH PRIVS at main.c:2160 192.168.1.29 - ROOT PRIVS at main.c:2488 192.168.1.29 - deleting existing scoreboard '/var/run/proftpd/proftpd.scoreboard' I was hoping someone out there might be able to recognize what the problem may be and have some suggestions that might help resolve the issue.[/code]
thanks in advance!!
tim
I am trying to setup very simple authentication for proftpd under centos 5.6. But for some reason it isn't working and I was hoping to get some advice into how to resolve the issue.
<snip>
What about SELinux? Is it enabled? If so, are there any messages in /var/log/audit/audit.log
What do you see in /var/log/secure?
Can this user log in through ssh/any other service?
Barry