Hello list!!
I am trying to set up very simple authentication for ProFTPD under CentOS 5.6.
But for some reason it isn't working, and I was hoping to get some advice
on how to resolve the issue.
Machine info:
[code]
[root@VIRTCENT07:~] #cat /etc/redhat-release
CentOS release 5.6 (Final)
[root@VIRTCENT07:~] #uname -a
Linux VIRTCENT07 2.6.18-238.el5xen #1 SMP Thu Jan 13 17:49:40 EST 2011 i686 i686 i386 GNU/Linux
[/code]
Proftpd version
[code]
ProFTPD Version 1.3.3e
[/code]
When I try to log in to FTP, authentication fails even though the password is typed
correctly:
[code]
[root@VIRTCENT07:~] #/usr/bin/ftp localhost
Connected to localhost (127.0.0.1).
220 FTP Server ready.
Name (localhost:root): bluethundr
331 Password required for bluethundr
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
[/code]
I've enabled the ExtendedLog option in the config, and this is what I saw as
a result:
[code]
127.0.0.1 UNKNOWN nobody [12/Aug/2011:11:45:00 -0400] "USER bluethundr" 331 -
127.0.0.1 UNKNOWN nobody [12/Aug/2011:11:45:04 -0400] "PASS (hidden)" 530 -
127.0.0.1 UNKNOWN nobody [12/Aug/2011:11:45:04 -0400] "SYST" 215 -
[/code]
The user account is stored in LDAP
[code]
[root@VIRTCENT07:~] #getent passwd | grep bluethundr
bluethundr:*:1001:1002:That Guy:/home/bluethundr:/bin/bash
[/code]
The ProFTPD process runs as the 'nobody' account:
[code]
User nobody
Group nobody
[/code]
Which is also stored in LDAP
[code]
[root@VIRTCENT07:~] #getent passwd | grep nobody
nobody:x:99:99:Nobody:/:/sbin/nologin
[/code]
The user that ProFTPD runs as is using a valid shell:
[code]
[root@VIRTCENT07:~] #cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh
[/code]
And this is what my entire ProFTPD config file looks like:
[code]
# This is the ProFTPD configuration file
#
# See: http://www.proftpd.org/docs/directives/linked/by-name.html
# Server Config - config used for anything outside a <VirtualHost> or <Global> context
# See: http://www.proftpd.org/docs/howto/Vhost.html
ServerName "ProFTPD server"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
DefaultServer on
# Cause every FTP user except adm to be chrooted into their home directory
# Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to
# work at session-end time (http://bugzilla.redhat.com/477120)
VRootEngine on
DefaultRoot ~ !adm
VRootAlias etc/security/pam_env.conf /etc/security/pam_env.conf
# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
PersistentPasswd off
# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS off
# Set the user and group that the server runs as
User nobody
Group nobody
# To prevent DoS attacks, set the maximum number of child processes
# to 20. If you need to allow more than 20 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20
# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile off
# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
# Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details
#
# General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
# LoadModule mod_sql.c
#
# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables
# (contrib/mod_sql_passwd.html)
# LoadModule mod_sql_passwd.c
#
# Mysql support (requires proftpd-mysql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
# LoadModule mod_sql_mysql.c
#
# Postgresql support (requires proftpd-postgresql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
# LoadModule mod_sql_postgres.c
#
# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
# LoadModule mod_quotatab.c
#
# File-specific "driver" for storing quota table information in files
# (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
# LoadModule mod_quotatab_file.c
#
# SQL database "driver" for storing quota table information in SQL tables
# (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
# LoadModule mod_quotatab_sql.c
#
# LDAP support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html)
# LoadModule mod_ldap.c
#
# LDAP quota support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html)
# LoadModule mod_quotatab_ldap.c
#
# Support for authenticating users using the RADIUS protocol
# (http://www.proftpd.org/docs/contrib/mod_radius.html)
# LoadModule mod_radius.c
#
# Retrieve quota limit table information from a RADIUS server
# (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html)
# LoadModule mod_quotatab_radius.c
#
# Administrative control actions for the ftpdctl program
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
# LoadModule mod_ctrls_admin.c
#
# Execute external programs or scripts at various points in the process
# of handling FTP commands
# (http://www.castaglia.org/proftpd/modules/mod_exec.html)
# LoadModule mod_exec.c
#
# Support for POSIX ACLs
# (http://www.proftpd.org/docs/modules/mod_facl.html)
# LoadModule mod_facl.c
#
# Support for using the GeoIP library to look up geographical information on
# the connecting client and using that to set access controls for the server
# (http://www.castaglia.org/proftpd/modules/mod_geoip.html)
# LoadModule mod_geoip.c
#
# Configure server availability based on system load
# (http://www.proftpd.org/docs/contrib/mod_load.html)
# LoadModule mod_load.c
#
# Limit downloads to a multiple of upload volume (see README.ratio)
# LoadModule mod_ratio.c
#
# Rewrite FTP commands sent by clients on-the-fly,
# using regular expression matching and substitution
# (http://www.proftpd.org/docs/contrib/mod_rewrite.html)
# LoadModule mod_rewrite.c
#
# Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over
# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html)
# LoadModule mod_sftp.c
#
# Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for
# mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html)
# LoadModule mod_sftp_pam.c
#
# Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user
# and host based authentication
# (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html)
# LoadModule mod_sftp_sql.c
#
# Provide data transfer rate "shaping" across the entire server
# (http://www.castaglia.org/proftpd/modules/mod_shaper.html)
# LoadModule mod_shaper.c
#
# Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK,
# and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html)
# LoadModule mod_site_misc.c
#
# Provide an external SSL session cache using shared memory
# (contrib/mod_tls_shmcache.html)
# LoadModule mod_tls_shmcache.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap.html)
# LoadModule mod_wrap.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, as well as SQL-based access rules, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap2.html)
# LoadModule mod_wrap2.c
#
# Support module for mod_wrap2 that handles access rules stored in specially
# formatted files on disk
# (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html)
# LoadModule mod_wrap2_file.c
#
# Support module for mod_wrap2 that handles access rules stored in SQL
# database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html)
# LoadModule mod_wrap2_sql.c
#
# Provide a flexible way of specifying that certain configuration directives
# only apply to certain sessions, based on credentials such as connection
# class, user, or group membership
# (http://www.proftpd.org/docs/contrib/mod_ifsession.html)
# LoadModule mod_ifsession.c
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
<IfDefine TLS>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
TLSSessionCache shm:/file=/var/run/proftpd/sesscache
</IfModule>
</IfDefine>
# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfDefine DYNAMIC_BAN_LISTS>
LoadModule mod_ban.c
BanEngine on
BanLog /var/log/proftpd/ban.log
BanTable /var/run/proftpd/ban.tab
# If the same client reaches the MaxLoginAttempts limit 2 times
# within 10 minutes, automatically add a ban for that client that
# will expire after one hour.
BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
# Allow the FTP admin to manually add/remove bans
BanControlsACLs all allow user ftpadm
</IfDefine>
# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable
Umask 022
# Allow users to overwrite files and change permissions
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
</Global>
# A basic anonymous configuration, with an upload directory
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
<IfDefine ANONYMOUS_FTP>
<Anonymous ~ftp>
User ftp
Group ftp
AccessGrantMsg "Anonymous login ok, restrictions apply."
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 10 "Sorry, max %m users -- try again later"
# Put the user into /pub right after login
#DefaultChdir /pub
# We want 'welcome.msg' displayed at login, '.message' displayed in
# each newly chdired directory and tell users to read README* files.
DisplayLogin /welcome.msg
DisplayChdir .message
DisplayReadme README*
# Cosmetic option to make all files appear to be owned by user "ftp"
DirFakeUser on ftp
DirFakeGroup on ftp
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE SITE_CHMOD>
DenyAll
</Limit>
# An upload directory that allows storing files but not retrieving
# or creating directories.
<Directory uploads/*>
AllowOverwrite no
<Limit READ>
DenyAll
</Limit>
<Limit STOR>
AllowAll
</Limit>
</Directory>
# Don't write anonymous accesses to the system wtmp file (good idea!)
WtmpLog off
# Logging for the anonymous transfers
ExtendedLog /var/log/proftpd/access.log WRITE,READ default
ExtendedLog /var/log/proftpd/auth.log AUTH auth
</Anonymous>
</IfDefine>
[/code]
I have also tried raising the debug level to 10
[code]
DebugLevel 10
SystemLog /var/log/proftpd/proftpd.log
[/code]
And this was the info I saw in the log file:
[code]
Aug 12 15:13:48 VIRTCENT07 proftpd[9959] 192.168.1.29: ProFTPD 1.3.3e (maint) (built Thu Apr 7 2011 14:41:56 UTC) standalone mode STARTUP
Aug 12 15:13:53 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): AuthOrder in effect, resetting auth module order
Aug 12 15:13:53 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): connected - local : 127.0.0.1:21
Aug 12 15:13:53 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): connected - remote : 127.0.0.1:40875
Aug 12 15:13:53 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): FTP session opened.
Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'USER bluethundr' to mod_tls
Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'USER bluethundr' to mod_core
Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'USER bluethundr' to mod_core
Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'USER bluethundr' to mod_delay
Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'USER bluethundr' to mod_auth
Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching CMD command 'USER bluethundr' to mod_auth
Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching POST_CMD command 'USER bluethundr' to mod_delay
Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching LOG_CMD command 'USER bluethundr' to mod_log
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_tls
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_core
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_core
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_vroot
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): mod_vroot/0.8.5: vroot registered
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_delay
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_auth
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching CMD command 'PASS (hidden)' to mod_auth
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): retrieved UID 1001 for user 'bluethundr'
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): retrieved group IDs: 1002, 500
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): retrieved group name: bluethundr
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): ROOT PRIVS at mod_auth_pam.c:312
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): RELINQUISH PRIVS at mod_auth_pam.c:482
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): USER bluethundr (Login failed): Incorrect password.
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching POST_CMD_ERR command 'PASS (hidden)' to mod_vroot
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): mod_vroot/0.8.5: vroot unregistered
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching POST_CMD_ERR command 'PASS (hidden)' to mod_delay
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_log
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_auth
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'SYST' to mod_tls
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'SYST' to mod_core
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'SYST' to mod_core
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching CMD command 'SYST' to mod_core
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching LOG_CMD command 'SYST' to mod_log
[/code]
I was able to generate some additional debugging information. Not sure how much
this helps, but here ya go.
[code]
- using TCP receive buffer size of 87380 bytes
- using TCP send buffer size of 16384 bytes
- testing Unix domain socket using S_ISFIFO
- testing Unix domain socket using S_ISSOCK
- using S_ISSOCK macro for Unix domain socket detection
- mod_tls/2.4.2: using OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
- retrieved UID 99 for user 'nobody'
- retrieved GID 99 for group 'nobody'
- using TCP receive buffer size of 87380 bytes
- using TCP send buffer size of 16384 bytes
- testing Unix domain socket using S_ISFIFO
- testing Unix domain socket using S_ISSOCK
- using S_ISSOCK macro for Unix domain socket detection
- mod_tls/2.4.2: using OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
- retrieved UID 99 for user 'nobody'
- retrieved GID 99 for group 'nobody'
- <IfDefine>: skipping 'TLS' section at line 178
- <IfDefine>: skipping 'DYNAMIC_BAN_LISTS' section at line 195
- <IfDefine>: skipping 'ANONYMOUS_FTP' section at line 228
- UseReverseDNS off, returning IP address instead of DNS name
192.168.1.29 -
192.168.1.29 - Config for ProFTPD server:
192.168.1.29 - ServerIdent
192.168.1.29 - DefaultServer
192.168.1.29 - VRootEngine
192.168.1.29 - DefaultRoot
192.168.1.29 - VRootAlias
192.168.1.29 - AuthPAMConfig
192.168.1.29 - AuthOrder
192.168.1.29 - UserID
192.168.1.29 - UserName
192.168.1.29 - GroupID
192.168.1.29 - GroupName
192.168.1.29 - UseSendfile
192.168.1.29 - DebugLevel
192.168.1.29 - ExtendedLog
192.168.1.29 - Limit
192.168.1.29 - AllowAll
192.168.1.29 - Umask
192.168.1.29 - AllowOverwrite
192.168.1.29 - ROOT PRIVS at mod_delay.c:354
192.168.1.29 - RELINQUISH PRIVS at mod_delay.c:359
192.168.1.29 - ROOT PRIVS at mod_ctrls.c:1139
192.168.1.29 - RELINQUISH PRIVS at mod_ctrls.c:1141
192.168.1.29 - mod_lang/0.9: binding to text domain 'proftpd' using locale path '/usr/share/locale'
192.168.1.29 - mod_lang/0.9: using locale files in '/usr/share/locale'
192.168.1.29 - mod_lang/0.9: added the following supported languages: zh_CN, bg_BG, ja_JP, en_US, ru_RU, zh_TW, ko_KR, fr_FR, it_IT
192.168.1.29 - retrieved group ID: 99
192.168.1.29 - setting group ID: 99
192.168.1.29 - SETUP PRIVS at main.c:3131
192.168.1.29 - ROOT PRIVS at main.c:2153
192.168.1.29 - RELINQUISH PRIVS at main.c:2160
192.168.1.29 - ROOT PRIVS at main.c:2488
192.168.1.29 - deleting existing scoreboard '/var/run/proftpd/proftpd.scoreboard'
[/code]
I was hoping someone out there might be able to recognize what the problem may
be and have some suggestions that might help resolve the issue.
thanks in advance!!
tim
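Editor's note. A check a practitioner would run on a setup like the one posted above, added here as an example; it is neither the poster's code nor part of ProFTPD. The posted config says `AuthOrder mod_auth_pam.c* mod_auth_unix.c` and `AuthPAMConfig proftpd`, and `getent` shows the LDAP user with `*` in the password field, so a local password compare has nothing to work with and the login can only succeed through the PAM service named `proftpd`. The script below parses the AuthOrder line, classifies the password field the way a local lookup would see it, and walks one level of `auth include`/`substack` in a pam.d directory to see whether the stack reaches pam_ldap.so or pam_sss.so. The proftpd.conf fragment and every pam.d file it builds are constructed samples (the `proftpd` service file is written in the shape Red Hat ships, with pam_listfile and pam_shells ahead of system-auth, but it is not the poster's real file); the temporary directory is a placeholder for /etc.

```shell
#!/bin/sh
# Added example, not code from the original post or from the ProFTPD project.
# Checks the authentication chain a config with
#   AuthOrder mod_auth_pam.c* mod_auth_unix.c
#   AuthPAMConfig proftpd
# depends on when the user comes from a directory and getent shows "*" as the
# password field. All files created below are constructed samples.

# Print the module list of the (last) AuthOrder directive in a proftpd.conf.
proftpd_auth_order() {
    sed -n 's/^[[:space:]]*AuthOrder[[:space:]]\{1,\}//p' "$1" | tail -n 1
}

# Classify a passwd line's password field as a local password check sees it:
#   hash   -> a crypt hash is present in the passwd entry itself
#   shadow -> "x": the hash lives in the shadow map (needs root to read)
#   none   -> "*", "!" or empty: nothing to compare a password against
passwd_hash_kind() {
    case "$(printf '%s\n' "$1" | cut -d: -f2)" in
        x)        echo shadow ;;
        \*|!|"")  echo none ;;
        *)        echo hash ;;
    esac
}

# Return 0 if PAM service $2 under pam.d directory $1 can reach an LDAP/SSSD
# auth module, 1 if the stack is local-only, 2 if the service file is missing
# (PAM then fails outright). Follows one level of "auth include"/"substack".
pam_service_reaches_directory() {
    pamdir=$1 svc=$2
    f="$pamdir/$svc"
    [ -r "$f" ] || return 2
    ldap_auth='^[[:space:]]*auth[[:space:]].*pam_(ldap|sss)\.so'
    grep -Eq "$ldap_auth" "$f" && return 0
    for inc in $(sed -n \
        -e 's/^[[:space:]]*auth[[:space:]]\{1,\}include[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' \
        -e 's/^[[:space:]]*auth[[:space:]]\{1,\}substack[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$f"); do
        [ -r "$pamdir/$inc" ] && grep -Eq "$ldap_auth" "$pamdir/$inc" && return 0
    done
    return 1
}

# --- constructed sample data (placeholder for /etc) --------------------------
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/pam.d"
cat > "$SAMPLE/proftpd.conf" <<'EOF'
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
PersistentPasswd off
EOF
# Service file in the shape Red Hat ships: an /etc/ftpusers deny list and a
# shell check first, then everything delegated to system-auth. Any module here
# that fails returns the same PAM auth error, so a pam_listfile deny or a shell
# missing from /etc/shells can look just like a bad password at the FTP client.
cat > "$SAMPLE/pam.d/proftpd" <<'EOF'
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
EOF
# A system-auth that only knows local files: directory users can never pass.
cat > "$SAMPLE/pam.d/system-auth" <<'EOF'
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       required     pam_deny.so
EOF
# The same stack after LDAP has been enabled (authconfig --enableldapauth style).
cat > "$SAMPLE/pam.d/system-auth-ldap" <<'EOF'
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
EOF

echo "AuthOrder: $(proftpd_auth_order "$SAMPLE/proftpd.conf")"
echo "bluethundr passwd field: $(passwd_hash_kind 'bluethundr:*:1001:1002:That Guy:/home/bluethundr:/bin/bash')"
if pam_service_reaches_directory "$SAMPLE/pam.d" proftpd; then
    echo "PAM service proftpd can authenticate directory users"
else
    echo "PAM service proftpd never reaches pam_ldap/pam_sss: local-only stack"
fi
```

Run it as root against the real files by pointing the functions at /etc/proftpd.conf and /etc/pam.d; it only reads, so it is safe on a production box. The "none" result for the directory user is the reason the PAM branch matters: with `*` in the passwd field there is no hash for mod_auth_unix to compare, so if the `proftpd` service never reaches a directory-aware module the only possible outcome is the 530 seen in the post.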