ProFTPD authentication failure

I had a server on which proftpd stopped working, and another user has found a way to recreate the problem.

https://www.virtualmin.com/node/10231

Could we get some help? To look at my server you need to turn off vsftpd to turn on proftpd. I have set remote access on for support for a few days. Or you could try to recreate it as he has done, or ask him for access.
Thanks Don

Status: 
Active

Comments

ssh is blocked by the Linux firewall, you may need to add your IP to iptables for shell access..

Sure, I can login and take a look - my IP is 98.210.100.7.

What is your system's IP?

69.24.141.196 and I have opened your IP for ssh...

Thanks..
Don

Are you using LDAP to store users on this system?

I have seen issues in the past where ProFTPd doesn't want to authenticate using LDAP, but have been unable to resolve them .. it feels like some internal error in ProFTPd.

If vsftpd works for you, it is actually quite safe to use it ..

Sorry no... Not even 100% sure what LDAP is needed or used for ?

I did a yum uninstall and reinstall of proftpd before I had you to look and that did not fix it.. and PAM ..

Yes I know vsftpd well, I used it before I started using Virtualmin .. It is safe and that is not the issue...

One good thing, I don't feel as stupid now.. :-)
The other user has a way to recreate it, that may be a clue..

Thanks Don.. (you still have access if you want to look some more :-) ... Thanks AGAIN

Sorry, I was wrong about LDAP .. it isn't actually being used.

If you like, I can switch your system back to proftpd and take another look?

Please .. I assume you can /etc/init.d/vsftpd stop and restart if you don't get proftpd going.. Thanks Don

Ok, I re-enabled proftpd and was able to get authentication working by commenting out the following line in /etc/proftpd.conf

AuthOrder                      mod_auth_unix.c mod_auth_pam.c*

Let me know if it works OK for you ..

That Works for me..

I have no real idea why it was there, I assume it is some default.. [ so | or ] why it has changed from the default working, but it is back and that is what matters...

Thanks Don

Yeah, that's part of the default proftpd config .. oddly, it usually works fine.

Automatically closed -- issue fixed for 2 weeks with no activity.

Hi guys. I have this exact problem. I commented out the line:

AuthOrder mod_auth_pam.c* mod_auth_unix.c

But still no luck. My logs show 'no such user' and :

Deprecated pam_stack module called from service "proftpd"
Sep 21 13:28:33 onduline unix_chkpwd[12561]: password check failed for user (dianke)

Any ideas?

mikelawford - did you restart proftpd after making this change?

Yeah course I did!

No change at all....

Also, check that in proftpd.conf the AuthPAMConfig directive is set to a PAM service that has a file under /etc/pam.d .

Yip that seems to check out as well. /etc/proftpd.conf looks like:

# Use pam to authenticate (default) and be authoritative

AuthPAMConfig proftpd

AuthOrder mod_auth_pam.c* mod_auth_unix.c

There is a file called proftpd in /etc/pam.d/.

So what next?

What does the /etc/pam.d/proftpd file contain on your system?

It should have the same contents as other files under /etc/pam.d .. typically something like :

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

This is the file from the system referred to in the #8 post here... (After the fix..)

Yeah it looks OK as follows:

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

Can you see any errors? If not - can you also log into my server and check this please? How should I enable remote SSH for your IP?

OK I'm happy to do this but the instructions make no sense.

"On the System Information page, click on the optional Virtualmin packages link." My system info page has no links - except upgrade webmin (which doesn't work in any event). It just shows the webmin info and version number - 1.470.

There is also a ref to "Open the System Settings link on the left menu, and click on Support Login Privileges." There is a system settings tab but there is no support login within there?

What am I doing wrong?

Are you logged in as root? The system information page should have a line like :

Package updates There are 15 optional Virtualmin packages that you can install

Yip definitely logged in as root. When I click on the system information page (second option above logout on the LHS) it shows me the same details as when I login - i.e. all my system information (time, system uptime, memory, diskspace etc). The only functions are buttons to update the OS (really don't want to do that) and upgrade webmin - which throws an error "Failed to upgrade from www.webmin.com : Missing Location header".

I even tried with yum (yum install wbm-virtualmin-support) and get an error saying "No package wbm-virtualmin-support available. Nothing to do"

So where to from here....

It sounds like you aren't actually using the Virtualmin theme, which is odd as the installer sets that up by default. Go to Webmin -> Change Language and Theme, and select the "Virtualmin Framed Theme", then click "Save".

Then log out and log in, and re-check the System Information page.

Ha - no change I'm afraid. The theme is set as default to Global theme (Blue Framed Theme). This is the correct one? I have a choice of old webmin, Caldera or MSC linux?

Next suggestion...

Tried that already - as per my above post in #23 "I even tried with yum (yum install wbm-virtualmin-support) and get an error saying "No package wbm-virtualmin-support available. Nothing to do"

Going to 'https://yourserver:10000/virtualmin-support/' just brings me to the standard login page?

So again - where to from here?

Thanks Jamie. You got mail...

Ok, I logged in, and found the following issues :

1) You weren't running the Virtualmin theme or the latest version of Webmin, so I upgraded them

2) The support module isn't available as this isn't a Virtualmin Pro install..

However, proftpd is still unable to accept logins .. because users can't access /home

Are you running SElinux there?

Thanks for having a look and running the upgrades. Would you recommend that next time we rather install just Virtualmin then? I thought that installing Webmin would be better as it includes Virtualmin?

Nope not running SElinux. It's just a basic CentOS install with Webmin on top of it - pretty straightforward.

So why would access to /home be blocked?

The best way to install Virtualmin is to run its install script, which brings in Webmin and a number of other dependencies. This is only really suited to a fresh system though.

Regarding selinux, you can check if it is enabled with the selinuxenabled command, as documented at http://linux.die.net/man/8/selinuxenabled

To turn it off, edit /etc/sysconfig/selinux and change the SELINUX= line to SELINUX=disabled, then reboot.

Can't seem to get the selinuxenabled command to work though - script keeps returning nothing and not a 1 or a 0 as it does.

But SELinux must be installed then as when I edit the file '/etc/sysconfig/selinux' I see the line :

SELINUX=enforcing

I can set this to disabled if you like but am not keen to do this long term - are there security risks? Are you saying that FTP will only work with SELinux disabled?

Feel free to test it if you wish.

Thanks, Mike

I'd recommend disabling selinux support, as it provides a level of security that most people really don't need. And it appears to be incompatible with proftpd, which I can't really do much about ..

Ok I have disabled it. Does that make any difference?

Thanks for your help thus far.

Nope - same thing. Logging into the IP with username 'diankeftp.dianke' and the listed password. Still bombs same as it did....

I will login again and take another look ..

Ok, it should be working now .. there were two issues :

1) /etc/pam.d/proftpd didn't match the rest of the system, so I copied /etc/pam.d/sshd

2) The user had a shell of /bin/false, but that wasn't in /etc/shells. This is now fixed.
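
The two faults fixed above (a PAM service file out of step with the rest of the system, and a user shell missing from /etc/shells) can be checked for directly. This is an added example, not code from the thread or from Virtualmin; the function names, the sample user ftpuser and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the two faults fixed in this thread.

# Print the PAM service named by an active AuthPAMConfig line in proftpd.conf.
pam_service() {   # conf_file
    awk 'tolower($1) == "authpamconfig" { svc = $2 } END { print svc }' "$1"
}

# Succeed if the user's shell (passwd field 7) is listed in the shells file;
# pam_shells.so fails the auth stack when it is not.
shell_allowed() {   # user passwd_file shells_file
    sh=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$2")
    [ -n "$sh" ] && grep -qxF -- "$sh" "$3"
}

# Succeed if a non-comment line of the PAM file calls the deprecated pam_stack.so.
uses_pam_stack() {   # pam_file
    awk '!/^[ \t]*#/ && /pam_stack\.so/ { hit = 1 } END { exit !hit }' "$1"
}

# Print one finding per line; return non-zero if anything was found.
diagnose() {   # user conf_file pam_dir passwd_file shells_file
    svc=$(pam_service "$2"); rc=0
    if [ -z "$svc" ]; then
        echo "AuthPAMConfig is not set in $2"; rc=1
    elif [ ! -f "$3/$svc" ]; then
        echo "PAM service file $3/$svc is missing"; rc=1
    elif uses_pam_stack "$3/$svc"; then
        echo "$3/$svc calls deprecated pam_stack.so"; rc=1
    fi
    shell_allowed "$1" "$4" "$5" || { echo "shell of $1 is not listed in $5"; rc=1; }
    return $rc
}

# Constructed sample files reproducing the broken state described in the thread.
make_sample() {   # dir
    mkdir -p "$1/pam.d"
    printf '%s\n' '# Use pam to authenticate' 'AuthPAMConfig proftpd' > "$1/proftpd.conf"
    printf '%s\n' '#%PAM-1.0' 'auth required pam_stack.so service=system-auth' \
        'auth required pam_shells.so' > "$1/pam.d/proftpd"
    printf '%s\n' 'ftpuser:x:500:500::/home/ftpuser:/bin/false' > "$1/passwd"
    printf '%s\n' '/bin/sh' '/bin/bash' > "$1/shells"
}

d=$(mktemp -d) && make_sample "$d"
diagnose ftpuser "$d/proftpd.conf" "$d/pam.d" "$d/passwd" "$d/shells" || true
```

On a live system the same call would be `diagnose USER /etc/proftpd.conf /etc/pam.d /etc/passwd /etc/shells`, run as a user who can read those files.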

Awesome thanks - confirmed it's fine again now. Can I set SELinux back to on?

Give it a try .. I'm not sure if it will break ProFTPd though, as it seemed to cause problems before.

Hi,

Tested all the fixes in the thread. None works.

Except install vsftpd, stop proftpd, edit the vsftpd config file (disable anonymous login and set firewall ports for passive mode), add firewall rules for passive mode and start vsftpd. And now, ftp login works with a user login set with Virtualmin.

Regards, Raphaël Pautasso

There seems to be some proftpd bug that prevents it from working with ldap properly. Oddly, vsftpd works fine..