Okay, seriously, ftp login does NOT work!

9 posts / 0 new
Last post
#1 Thu, 12/08/2005 - 04:37
HarryZink

Okay, seriously, ftp login does NOT work!

When trying sftp, I get 'write error'.

Any other ftp variant fails.

How can I login? (Yes, all of these users have ftp access on)

Harry

Thu, 12/08/2005 - 16:31
Joe
Joe's picture

Hey Harry,

Couple of things to check:

ProFTPd is not started by default in the current installer (d'oh! I'm fixing that right now), so make sure it is running:

/etc/init.d/proftpd start

Or use the Webmin Bootup and Shutdown module to fire up the service now and make sure it is configured to start on boot.

The other thing that can cause trouble is the firewall on the server. Passive connections require more than just port 20/21. They also need one or more high ports (ports 1024:65535), and will appear to connect but then fail with possibly senseless errors if those ports are blocked.

Once it is running on my test systems and the firewall is out of the way, I'm able to use standard FTP and SFTP to connect. SFTP is a bit confusing in its own right because there are two types of "SFTP" which are mutually exclusive. One is FTP over SSH2 which doesn't use the FTP protocol or server at all, while the other is an actual FTP protocol which negotiates a TLS connection. The popular UNIX ftp client calls the former (FTP over SSH) sftp, and the latter (TLS negotiated FTP) ftps. An added bonus that some clients support is called fish (by lftp, anyway) and it is an ftp-style interface to a standard ssh connection. Confused yet? The relevant standards have agreed on ftps as the name of the TLS-encrypted FTP protocol, but many FTP clients still incorrectly call this sftp.

ftps (TLS negotiated FTP, which many clients call SFTP) is not working in the stock Virtualmin installation, but it looks like we just need to change the configuration file to make it work. Unfortunately, it requires a TLS cert and key file, and we'd like to share the cert/key with Apache, Webmin, Usermin, Dovecot...which is actually a problem that needs to be solved in a general way within the GUI and the installer. Fedora has a nice /etc/pki directory for keys and certs, which is really a great idea, but we have to be generic across all of the other systems which don't have this central location. Life is hard. ;-)

Also worth noting, one customer had some configuration problems, I think due to a pre-existing ProFTPd package installed from another source but it might also have come about from a cPanel migration (it's hard to tell what's going on as there were so many weird issues on the system in question), which didn't have PAM setup correctly. It would always fail to login, because ProFTPd was trying to configure with a non-existent file. This showed up very clearly in the /var/log/messages, though, so checking there is a good start.

Also be sure /bin/false is in your /etc/shells file. This should be added during installation, but if something went wrong during installation and it wasn't caught by the error detection stuff (still broken in places, but getting better) you might have a mostly working system, but missing this one vital component for FTP to work.

--

Check out the forum guidelines!

Fri, 12/30/2005 - 00:23
AdamHolt

Heres the message I get on suse 10.0

"Executing /etc/init.d/proftpd restart ..

/etc/init.d/proftpd: line 19: /etc/rc.d/init.d/functions: No such file or directory"

What do I have to do to fix it, because when I try to ftp to one of my servers setup with a user to ftp in with, I get as far as

"connecting to mydomain.com
COnnected with mydomain.com waiting for welcome message
disconnected from server
unable to connect!"

Fri, 12/30/2005 - 00:58
HarryZink

The solution to MY problem has a solution, however it may be a quick hack (but hey, it restores FTP functionality, so that works for me)

On Fedora 4 and CentOS you have to create the file /etc/pam.d/ftp with the following contents in it:

-----------snip------------------
#%PAM-1.0
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
-----------snip------------------

(clearly, do not copy the ---snip--- part)

If you have an /etc/pam.d/ftp file, comment out the present content, or delete it, and replace it with the above.

Restart proftpd (/etc/rc.d/init.d/proftpd restart), and you're good to go.

Harry

Thu, 01/19/2006 - 23:17 (Reply to #4)
HarryZink

This no longer works since the last round of updates.

Fri, 12/30/2005 - 12:07
ChrisBlackwell

haven't read thru your post properly harold so u might have covered this, but when i had ftp login issues its because the user has no shell, check the users shell in the Users and Groups module. Should be /bin/false for ftp users

Fri, 12/30/2005 - 13:19
KevinRauth

Harald,

I run SuSE 10.0 and had the same problem with the failure noted. I fixed this by changing the /etc/pam.d/ftp file as follows:
____________________________________________________________
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
#auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_unix.so nullok

# If this is enabled, anonymous logins will fail because the 'ftp' user does
# not have a "valid" shell, as listed in /etc/shells.
#
# If you enable this, it is recommended that you do *not* give the 'ftp'
# user a real shell. Instead, give the 'ftp' user /bin/false for a shell and
# add /bin/false to /etc/shells.
#auth required /lib/security/pam_shells.so

#account required /lib/security/pam_pwdb.so
#session required /lib/security/pam_pwdb.so

account required /lib/security/pam_unix.so
session required /lib/security/pam_unix.so

____________________________________________________________

See bug # 189 for more information.

Fri, 01/20/2006 - 16:36
Joe
Joe's picture

Hi Harald,

I've rolled out a proftpd package update for CentOS/RHEL on x86_64 that fixes this issue for that architecture. I don't think this is an issue on i386 versions, but I could be wrong about 3.x (I've tested 4.x and confirmed it working). I'm firing up my CentOS 3.6 on i386 now to see if the problem exists there.

--

Check out the forum guidelines!

Fri, 12/08/2006 - 21:20
DonAnthony

Can anyone tell me how to configure CuteFTP V6 to login via "SFTP"?

For example my domain (not the real name),
mysubdomain.mainhost.com

has to be accessed by going to site (not the real name),
admin.mainhost.com

then I enter my userID & PW, at this point I get to the admin panel where I control my account.

Anyone get CuteFTP working on this?

Topic locked