Maybe someone can throw in their two cents on this:
I installed vsftpd on my Ubuntu 10.04 server, and I set
local_enable=YES
write_enable=YES
When I FTP to the server, I get prompted for a username and password, but it seems to just reject it and ask for username/password again. What else do I need to do? I just want one account to be able to FTP upload files to this server.
Kevin
By default it's probably set to anonymous logins only.
John
On Tue, Mar 22, 2011 at 12:27 PM, Kevin McGregor kevin.a.mcgregor@gmail.com wrote:
> Maybe someone can throw in their two cents on this:
> I installed vsftpd on my Ubuntu 10.04 server, and I set
> local_enable=YES
> write_enable=YES
> When I FTP to the server, I get prompted for a username and password, but it seems to just reject it and ask for username/password again. What else do I need to do? I just want one account to be able to FTP upload files to this server.
> Kevin
Roundtable mailing list Roundtable@muug.mb.ca http://www.muug.mb.ca/mailman/listinfo/roundtable
I know, I changed that.
On Tue, Mar 22, 2011 at 12:42 PM, John Lange john@johnlange.ca wrote:
> By default it's probably set to anonymous logins only.
> John
> -- John Lange www.johnlange.ca
I should mention that the vsftp log file shows things like
Tue Mar 22 12:32:32 2011 [pid 2] CONNECT: Client "192.168.99.86"
Tue Mar 22 12:32:41 2011 [pid 1] [zaphod] FAIL LOGIN: Client "192.168.99.86"
So the connection is clearly being made, but I don't know what the authentication is doing. In /etc/pam.d/vsftp is
# Standard behaviour for ftpd(8).
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.
# Standard pam includes
@include common-account
@include common-session
@include common-auth
auth required pam_shells.so
On Tue, Mar 22, 2011 at 12:27 PM, Kevin McGregor <kevin.a.mcgregor@gmail.com> wrote:
> Maybe someone can throw in their two cents on this:
> I installed vsftpd on my Ubuntu 10.04 server, and I set
> local_enable=YES
> write_enable=YES
> When I FTP to the server, I get prompted for a username and password, but it seems to just reject it and ask for username/password again. What else do I need to do? I just want one account to be able to FTP upload files to this server.
> Kevin
On 2011-03-22 Kevin McGregor wrote:
> Maybe someone can throw in their two cents on this:
> I installed vsftpd on my Ubuntu 10.04 server, and I set
> local_enable=YES
> write_enable=YES
> When I FTP to the server, I get prompted for a username and password, but it seems to just reject it and ask for username/password again. What else do I need to do? I just want one account to be able to FTP upload files to this server.
Ah, you're assuming it's easy. Vsftp config is for sure not that!
Here's my config:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=0002
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
idle_session_timeout=3600
nopriv_user=ftp
ascii_upload_enable=YES
ascii_download_enable=YES
ftpd_banner=This is a private system. Unauthorized use is strictly prohibited. Violators will prosecuted.
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
listen=YES
tcp_wrappers=YES
chroot_local_user=YES
anon_max_rate=50000
local_max_rate=100000
anon_umask=0007
file_open_mode=0666
user_config_dir=/etc/vsftpd/userconfs
Then make a /etc/vsftpd/user_list and populate it with allowed user ids for login. One per line. Mine only has 2 entries (the more locked down the better).
Then make files, one per user allowed, the filename the same as the username in /etc/vsftpd/userconfs/. I have 1 line in each:
local_root=/var/ftp/pub
Or wherever you want them to be able to access.
I already had put in
local_enable=YES
write_enable=YES
Then on a whim I took out
auth required pam_shells.so
from /etc/vsftpd.conf, and then it started working. I guess it didn't like that /bin/bash was set as my shell in /etc/passwd and also in /etc/shells. Or something.
On Tue, Mar 22, 2011 at 12:43 PM, Trevor Cordes trevor@tecnopolis.ca wrote:
> Ah, you're assuming it's easy. Vsftp config is for sure not that!
> Here's my config:
> anonymous_enable=NO
> local_enable=YES
> write_enable=YES
> local_umask=0002
> dirmessage_enable=YES
> xferlog_enable=YES
> connect_from_port_20=YES
> xferlog_file=/var/log/vsftpd.log
> xferlog_std_format=YES
> idle_session_timeout=3600
> nopriv_user=ftp
> ascii_upload_enable=YES
> ascii_download_enable=YES
> ftpd_banner=This is a private system. Unauthorized use is strictly prohibited. Violators will prosecuted.
> pam_service_name=vsftpd
> userlist_enable=YES
> userlist_deny=NO
> userlist_file=/etc/vsftpd/user_list
> listen=YES
> tcp_wrappers=YES
> chroot_local_user=YES
> anon_max_rate=50000
> local_max_rate=100000
> anon_umask=0007
> file_open_mode=0666
> user_config_dir=/etc/vsftpd/userconfs
> Then make a /etc/vsftpd/user_list and populate it with allowed user ids for login. One per line. Mine only has 2 entries (the more locked down the better).
> Then make files, one per user allowed, the filename the same as the username in /etc/vsftpd/userconfs/. I have 1 line in each:
> local_root=/var/ftp/pub
> Or wherever you want them to be able to access.
From shells(5)
NAME
       shells - pathnames of valid login shells
DESCRIPTION
       /etc/shells is a text file which contains the full pathnames of valid login shells. This file is consulted by chsh(1) and available to be queried by other programs.
       Be aware that there are programs which consult this file to find out if a user is a normal user. E.g.: ftp daemons traditionally disallow access to users with shells not included in this file.
On Tue, Mar 22, 2011 at 1:14 PM, Kevin McGregor kevin.a.mcgregor@gmail.com wrote:
> I already had put in
> local_enable=YES
> write_enable=YES
> Then on a whim I took out
> auth required pam_shells.so
> from /etc/vsftpd.conf, and then it started working. I guess it didn't like that /bin/bash was set as my shell in /etc/passwd and also in /etc/shells. Or something.
Yeah, something sounds out of whack here. pam_shells should work correctly when your login shell IS in /etc/shells, and fail when it's not. Is there something in /etc/shells that's throwing it off, like a funny character or something? Is /etc/shells world-readable? (It is on my RHEL 5.5 clone (SL 5.5).) Maybe try putting the pam_shells.so line right after the pam_listfile.so line, as RHEL does, before the includes.
BTW, you did mean /etc/pam.d/vsftpd, not /etc/vsftpd.conf, where you removed the pam_shells.so line, right?
On 22/03/2011 1:16 PM, Sean Walberg wrote:
> From shells(5)
> NAME
>        shells - pathnames of valid login shells
> DESCRIPTION
>        /etc/shells is a text file which contains the full pathnames of valid login shells. This file is consulted by chsh(1) and available to be queried by other programs.
>        Be aware that there are programs which consult this file to find out if a user is a normal user. E.g.: ftp daemons traditionally disallow access to users with shells not included in this file.
Oops, yes, /etc/pam.d/vsftpd.
On Tue, Mar 22, 2011 at 1:55 PM, Gilles Detillieux <grdetil@scrc.umanitoba.ca> wrote:
> Yeah, something sounds out of whack here. pam_shells should work correctly when your login shell IS in /etc/shells, and fail when it's not. Is there something in /etc/shells that's throwing it off, like a funny character or something? Is /etc/shells world-readable? (It is on my RHEL 5.5 clone (SL 5.5).) Maybe try putting the pam_shells.so line right after the pam_listfile.so line, as RHEL does, before the includes.
> BTW, you did mean /etc/pam.d/vsftpd, not /etc/vsftpd.conf, where you removed the pam_shells.so line, right?
> --
> Gilles R. Detillieux              E-mail: grdetil@scrc.umanitoba.ca
> Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/
> Dept. Physiology, U. of Manitoba  Winnipeg, MB  R3E 0J9  (Canada)
Also check your userlist_* options in vsftpd.conf. If userlist_enable is YES, then make sure the login name you're using isn't in the user_list file (or is if userlist_deny=NO). You may want to check the PAM configuration as well, as it can add another layer, and another allow/deny list as it does on RHEL systems.
You could also enable the dual_log_enable and syslog_enable options, as this may give you a bit more feedback in your logs to help get to the bottom of this.
If all else fails, install/enable sshd and switch from FTP to SFTP. ;-)
Gilles
On 22/03/2011 12:27 PM, Kevin McGregor wrote:
> Maybe someone can throw in their two cents on this:
> I installed vsftpd on my Ubuntu 10.04 server, and I set
> local_enable=YES
> write_enable=YES
> When I FTP to the server, I get prompted for a username and password, but it seems to just reject it and ask for username/password again. What else do I need to do? I just want one account to be able to FTP upload files to this server.
> Kevin
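
The checks discussed in this thread (the /etc/ftpusers deny list used by pam_listfile, the /etc/shells lookup done by pam_shells, and vsftpd's userlist_enable/userlist_deny options) can be run offline against copies of the files. This is an added example, not code from any of the posters or from vsftpd; the function names, the constructed sample files and the exact-line-match model of pam_shells are assumptions.

```shell
#!/bin/sh
# Added example: models three login gates discussed in this thread.
# All file paths are parameters, so copies of the real files can be checked.

# Gate 1: pam_listfile item=user sense=deny onerr=succeed.
ftpusers_gate() {  # usage: ftpusers_gate FILE USER
    if [ -r "$1" ] && grep -qxF -- "$2" "$1"; then
        echo "deny: $2 is listed in $1"
    else
        echo ok   # not listed, or file unreadable (onerr=succeed)
    fi
}

# Gate 2: pam_shells, modelled here (assumption) as an exact whole-line
# match of the user's passwd shell against the shells file.
shells_gate() {  # usage: shells_gate PASSWD_FILE SHELLS_FILE USER
    shell=$(awk -F: -v u="$3" '$1 == u { print $7; exit }' "$1")
    [ -n "$shell" ] || { echo "deny: no shell found for $3 in $1"; return; }
    [ -r "$2" ] || { echo "deny: cannot read $2"; return; }
    if grep -qxF -- "$shell" "$2"; then
        echo ok
    elif tr -d '\r' < "$2" | sed 's/[[:space:]]*$//' | grep -qxF -- "$shell"; then
        echo "deny: $shell matches only after stripping CR or trailing blanks in $2"
    else
        echo "deny: $shell is not listed in $2"
    fi
}

# Gate 3: vsftpd userlist_enable / userlist_deny.
userlist_gate() {  # usage: userlist_gate ENABLE DENY FILE USER
    [ "$1" = YES ] || { echo ok; return; }
    if grep -qxF -- "$4" "$3" 2>/dev/null; then listed=yes; else listed=no; fi
    case "$2:$listed" in
        YES:yes) echo "deny: $4 is in $3 and userlist_deny=YES" ;;
        NO:no)   echo "deny: $4 is not in $3 and userlist_deny=NO" ;;
        *)       echo ok ;;
    esac
}

# Constructed sample files (not the contents of the server in the thread).
demo() {
    d=$(mktemp -d) || return 1
    printf 'zaphod:x:1000:1000::/home/zaphod:/bin/bash\n' > "$d/passwd"
    printf '/bin/sh\n/bin/bash \n' > "$d/shells"   # trailing blank after bash
    printf 'root\n' > "$d/ftpusers"
    printf 'zaphod\n' > "$d/user_list"
    echo "ftpusers: $(ftpusers_gate "$d/ftpusers" zaphod)"
    echo "shells:   $(shells_gate "$d/passwd" "$d/shells" zaphod)"
    echo "userlist: $(userlist_gate YES NO "$d/user_list" zaphod)"
    rm -rf "$d"
}
demo
```

Each function prints `ok` or a `deny:` reason, so the first gate that does not print `ok` is the place to look.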
Thanks for the suggestion, Gilles. Alas, getting Security at the City to allow SSH out is like pulling teeth from a very hungry crocodile -- I'd like to avoid both. I'd totally prefer SSH, but it's not an option.
On Tue, Mar 22, 2011 at 12:51 PM, Gilles Detillieux <grdetil@scrc.umanitoba.ca> wrote:
> Also check your userlist_* options in vsftpd.conf. If userlist_enable is YES, then make sure the login name you're using isn't in the user_list file (or is if userlist_deny=NO). You may want to check the PAM configuration as well, as it can add another layer, and another allow/deny list as it does on RHEL systems.
> You could also enable the dual_log_enable and syslog_enable options, as this may give you a bit more feedback in your logs to help get to the bottom of this.
> If all else fails, install/enable sshd and switch from FTP to SFTP. ;-)
> Gilles
Hmm. So Security would prefer the use of protocols that send passwords as plain text, rather than encrypted??? Would these crocodiles happen to live next door to a zeeba?
On 22/03/2011 1:17 PM, Kevin McGregor wrote:
> Thanks for the suggestion, Gilles. Alas, getting Security at the City to allow SSH out is like pulling teeth from a very hungry crocodile -- I'd like to avoid both. I'd totally prefer SSH, but it's not an option.
SSH also allows tunnels to be created both ways over the same channel. And since it's encrypted, nobody would know that's going on. That scares me a lot more than usernames and passwords being exposed. That can be mitigated by protecting the payload. Or maybe the two parties have a VPN. Or maybe the value of the information is inconsequential.
I don't know what went into their decision and what security concerns they have, but I wouldn't immediately discount their security team based on that decision alone. As Bruce Schneier said, "If you think encryption will solve your problem, you don't understand your problem and you don't understand encryption."
Sean
On Tue, Mar 22, 2011 at 1:44 PM, Gilles Detillieux <grdetil@scrc.umanitoba.ca> wrote:
> Hmm. So Security would prefer the use of protocols that send passwords as plain text, rather than encrypted??? Would these crocodiles happen to live next door to a zeeba?