vsftpd configuration issues


Gabriel Paré-Olivier

Nov 5, 2013, 3:26:35 PM
to al...@googlegroups.com
Hello everyone,

I'm trying to set up an ftp and I have some small problems with the advanced options. I've been searching for a solution for several hours, and I try to understand how everything is working. Maybe I'm doing something wrong. Here is what I've done so far (which is from this discussion):

- Disable ftp from inetd: Services->Network->inetd Configure-> Uncheck ftp Enable, Submit, or use the cmd 'rcinetd disable ftp'
- You then have to make /etc/init.d/S63vsftpd executable in order to execute on boot (use 'rcvsftpd enable')
- Edit /etc/vsftpd.conf (see below)
- Save settings so changes will persist after reboot (or use 'loadsave_settings -sf')
- Start standalone: 'rcvsftpd start'

For the vsftpd.conf, I started with the file prepared by Alt-F using SSL login and I've added a few things at the end, just to see if it's working:

syslog_enable=yes
connect_from_port_20=yes

dirmessage_enable=yes
ls_recurse_enable=yes
write_enable=yes

local_enable=yes
#allow_writeable_chroot=no
secure_chroot_dir=/var/run/vsftpd
nopriv_user=ftp

pasv_min_port=30000
pasv_max_port=30100

ssl_tlsv1=yes
ssl_sslv2=no
ssl_sslv3=no
rsa_cert_file=/etc/ssl/certs/vsftpd.pem

no_anon_password=yes
allow_anon_ssl=yes
anon_mkdir_write_enable=yes
anon_other_write_enable=yes
anon_umask=0
anon_root=/mnt/md0/Public
#chroot_local_user=no
#allow_writeable_chroot=no
anonymous_enable=no
anon_upload_enable=no
ssl_enable=yes
force_local_logins_ssl=yes
force_local_data_ssl=yes
userlist_enable=yes

# new stuff
listen=yes
background=yes
allow_writeable_chroot=yes
chroot_local_user=yes
local_root=/mnt/md0/Users

As you can see, I'm just trying to lock the local user in the Users folder. When I try this, the listen and background commands are working, but not the chroot part. Hence, when I log in, I can go everywhere in the system folders. I've also tried other functions such as ftpd_banner and logging options without success (not displayed in this configuration file). Maybe my client is simply not displaying the banner, so I'm just trying to make the chroot thing work so I can go on with user-specific parameters and so on.

Thank you,
Gab
P.S. Alt-F is a very nice work, I appreciate it a lot !

João Cardoso

Nov 6, 2013, 10:16:49 AM
to al...@googlegroups.com
I can't reproduce your report.

As you, I used the webUI to set up ftp, checking "restrict folders" and "Writable folders", then edited /etc/vsftpd.conf adding just
listen=yes
background=yes

No other changes, namely not using local_root:

listen=yes
background=yes

syslog_enable=yes
connect_from_port_20=yes

dirmessage_enable=yes
ls_recurse_enable=yes
write_enable=yes

local_enable=yes
secure_chroot_dir=/var/run/vsftpd
nopriv_user=ftp

pasv_min_port=30000
pasv_max_port=30100

ssl_tlsv1=yes
ssl_sslv2=no
ssl_sslv3=no
rsa_cert_file=/etc/ssl/certs/vsftpd.pem

no_anon_password=yes
allow_anon_ssl=yes
anon_mkdir_write_enable=yes
anon_other_write_enable=yes
anon_umask=0
anon_root=/mnt/sda3/Public
chroot_local_user=yes
allow_writeable_chroot=yes
anonymous_enable=yes
anon_upload_enable=yes
ssl_enable=yes
force_local_logins_ssl=no
force_local_data_ssl=no
userlist_enable=no


I then performed the rc stuff, and:

> ftp dns-325
Connected to dns-325.homenet.
220 (vsFTPd 3.0.2)
Name (dns-325:jcard): 
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||30028|).
150 Here comes the directory listing.
-rw-rw-rw-    1 1000     100           610 Oct 28 14:16 Backup-rsync-ssh.txt
226 Directory send OK.
ftp> pwd
257 "/"
ftp> cd /mnt/md1/RW
550 Failed to change directory.
ftp> pwd
257 "/"
ftp> cd ..
250 Directory successfully changed.
ftp> pwd
257 "/"
ftp> ls
229 Entering Extended Passive Mode (|||30007|).
150 Here comes the directory listing.
-rw-rw-rw-    1 1000     100           610 Oct 28 14:16 Backup-rsync-ssh.txt
226 Directory send OK.
ftp> bye
221 Goodbye.

So, jailing is working fine for me (also for anonymous).

Bela Bodo

Nov 6, 2013, 7:13:45 PM
to al...@googlegroups.com
Hello everybody,

On Tuesday, November 5, 2013 8:26:35 PM UTC, Gabriel Paré-Olivier wrote:
> ssl_enable=yes
> force_local_logins_ssl=yes
> force_local_data_ssl=yes
> userlist_enable=yes
>
> # new stuff
> listen=yes
> background=yes
> allow_writeable_chroot=yes
> chroot_local_user=yes
> local_root=/mnt/md0/Users

I also faced this situation (FileZilla with sFTP). After several
hours of browsing it seems to be a bug (I expect so). I have found pages
with special script, but to test them is beyond my linux knowledge.

> I've also tried other functions such as ftpd_banner and logging
> options without success (not displayed in this configuration file).
I have found it works sometimes. Once when I logged in, and later when I
came back to my home directory through the given (.message file
included) directory. Later I got fed up...

Bela

João Cardoso

Nov 6, 2013, 8:52:53 PM
to al...@googlegroups.com


On Thursday, November 7, 2013 12:13:45 AM UTC, nosmoking wrote:
> Hello everybody,
>
> On Tuesday, November 5, 2013 8:26:35 PM UTC, Gabriel Paré-Olivier wrote:
> > ssl_enable=yes
> > force_local_logins_ssl=yes
> > force_local_data_ssl=yes
> > userlist_enable=yes
> >
> > # new stuff
> > listen=yes
> > background=yes
> > allow_writeable_chroot=yes
> > chroot_local_user=yes
> > local_root=/mnt/md0/Users
>
> I also faced this situation (FileZilla with sFTP).

sftp has nothing to do with vsftpd. sftp uses ssh, and the vsftpd configuration file is ignored. This has already been discussed under another topic.

vsftpd only manages plain ftp and ftps connections.

If you want to see what protocol your client is using, you can do a 'ps' or 'top' on the box with an active connection; if you see that the 'sftp-server' process is serving the connection, then sftp is being used.

When a client uses sftp, an ssh connection is made to dropbear (the sshd server in Alt-F), dropbear notices that it is an sftp connection and launches sftp-server (an openssh component) to handle the connection.

Yes, I know, it's confusing, but it is not Alt-F's fault or design.

> After several
> hours of browsing it seems to be a bug (I expect so). I have found pages
> with special script, but to test them is beyond my linux knowledge.
>
> > I've also tried other functions such as ftpd_banner and logging
> > options without success (not displayed in this configuration file).
> I have found it works sometimes. Once when I logged in, and later when I
> came back to my home directory through the given (.message file
> included) directory. Later I got fed up...

As sftp-server does not even know what vsftpd.conf is, it is ignored. sftp is not ftp.

> Bela

Gabriel Paré-Olivier

Nov 7, 2013, 1:49:04 AM
to al...@googlegroups.com
Thank you everyone for your fast and complete answers. I clearly had to understand that ftp and sftp were two completely different things.

Ok, now the problem I have, and I'm sure someone had it before, is that I get this message:

500 OOPS: vsftpd: refusing to run with writable root inside chroot()

I've searched a lot about this problem, but without any success. I'm using the exact same configuration file as the one proposed by João Cardoso. It is not even asking for the user and password. As soon as I try to connect, I get the error.

Any hint, someone?

Thank you again,
Gabriel

Bela Bodo

Nov 7, 2013, 8:35:40 AM
to al...@googlegroups.com
Hi Joao,

> sftp has nothing to do with vsftpd. sftp uses ssh, and the vsftpd configuration file is ignored. This has already been discussed under another topic.
>
> vsftpd only manages plain ftp and ftps connections.
>
> If you want to see what protocol your client is using, you can do a 'ps' or 'top' on the box with an active connection; if you see that the 'sftp-server' process is serving the connection, then sftp is being used.
>
> When a client uses sftp, an ssh connection is made to dropbear (the sshd server in Alt-F), dropbear notices that it is an sftp connection and launches sftp-server (an openssh component) to handle the connection.

I was continuously checking processes, and I was very surprised when an ssh login launched sftp. Thanks to your e-mail, it is now clear.

> Yes, I know, it's confusing, but it is not Alt-F's fault or design.
Exactly, it is confusing.

> ...but it is not Alt-F's fault or design
Maybe my letter was misleading, sorry about it! I have never thought Alt-F is faulty or badly designed!

> As sftp-server does not even know what vsftpd.conf is, it is ignored. sftp is not ftp.
Clear!

Bela


João Cardoso

Nov 7, 2013, 9:20:22 AM
to al...@googlegroups.com


On Thursday, November 7, 2013 1:35:40 PM UTC, nosmoking wrote:
> Hi Joao,
>
> > sftp has nothing to do with vsftpd. sftp uses ssh, and the vsftpd configuration file is ignored. This has already been discussed under another topic.
> >
> > vsftpd only manages plain ftp and ftps connections.
> >
> > If you want to see what protocol your client is using, you can do a 'ps' or 'top' on the box with an active connection; if you see that the 'sftp-server' process is serving the connection, then sftp is being used.
> >
> > When a client uses sftp, an ssh connection is made to dropbear (the sshd server in Alt-F), dropbear notices that it is an sftp connection and launches sftp-server (an openssh component) to handle the connection.
>
> I was continuously checking processes, and I was very surprised when an ssh login launched sftp. Thanks to your e-mail, it is now clear.
>
> > Yes, I know, it's confusing, but it is not Alt-F's fault or design.
> Exactly, it is confusing.

And to further complicate things, ftps, which is handled by vsftpd, can be either "implicit" or "explicit", depending on how (which port) the initial connection is made.
For RC4, inetd also handles implicit ftps, by having
ftps    stream  tcp     nowait  root    /usr/sbin/vsftpd        vsftpd -oimplicit_ssl=yes
in /etc/inetd.conf

This means that inetd is also listening on port 990:
# grep ftps /etc/services
ftps    990/tcp         # ftp protocol, control, over TLS/SSL
ftps    990/udp         # ftp protocol, control, over TLS/SSL

The advantage of ftps over sftp is that it can encrypt only the password, passing the data un-encrypted, being thus much faster than sftp.
Don't ask me which MS-win clients support ftps.

Regarding the vsftpd package:

Bela Bodo

Nov 7, 2013, 10:13:23 AM
to al...@googlegroups.com
2013.11.07. 15:20, João Cardoso wrote:
> And to further complicate things, ftps, which is handled by vsftpd, can be either "implicit" or "explicit", depending on how (which port) the initial connection is made.
> For RC4, inetd also handles implicit ftps, by having
> ftps    stream  tcp     nowait  root    /usr/sbin/vsftpd        vsftpd -oimplicit_ssl=yes
> in /etc/inetd.conf
>
> This means that inetd is also listening on port 990:
> # grep ftps /etc/services
> ftps    990/tcp         # ftp protocol, control, over TLS/SSL
> ftps    990/udp         # ftp protocol, control, over TLS/SSL
>
> The advantage of ftps over sftp is that it can encrypt only the password, passing the data un-encrypted, being thus much faster than sftp.
It would be nice! I am going to use my server seldom, however speed and security are important to me.

> Don't ask me which MS-win clients support ftps.
I use Windows and Mac as well, and FileZilla is really a good choice for both platforms.
Many thanks!

Bela


Gabriel Paré-Olivier

Nov 8, 2013, 10:48:18 AM
to al...@googlegroups.com
I solved my problem with the 500 OOPS: vsftpd: refusing to run with writable root inside chroot() error. Even with allow_writeable_chroot=yes and chroot_local_user=no, you have to remove the write permissions of the secure_chroot_dir.

Confusing, a little. Maybe obvious for everyone.

Thanks again,
Gab
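The two permission rules this thread converged on, as an added shell check that is not from the thread or from the Alt-F/vsftpd projects; it assumes the vsftpd behaviour the posts describe and approximates "writable by the login user" from the directory's mode bits rather than by running as that user:

```shell
#!/bin/sh
# Added example, not from the thread or the Alt-F/vsftpd projects. Predicts
# "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" by
# the rules the thread arrived at: the login user's chroot root (local_root,
# else the home dir) may be writable only with allow_writeable_chroot=yes,
# while secure_chroot_dir must never be writable. Writability is read from
# the mode bits (owner/world write), assuming the login user owns its root.
# Print the last value of key $2 in the vsftpd.conf $1 (comments ignored).
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Succeed when directory $1 has the owner or world write bit set.
dir_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$(echo "$mode" | cut -c3)" = "w" ] || [ "$(echo "$mode" | cut -c9)" = "w" ]
}

# Verdict for the login user's chroot root $2 under config $1:
# "no-chroot", "ok" or "writable-root".
vsftpd_chroot_check() {
    [ "$(vsftpd_get "$1" chroot_local_user)" = "yes" ] || { echo no-chroot; return 0; }
    if dir_writable "$2" && [ "$(vsftpd_get "$1" allow_writeable_chroot)" != "yes" ]; then
        echo writable-root
    else
        echo ok
    fi
}
# Verdict for secure_chroot_dir $1: "ok" or "writable-root" (no override).
vsftpd_secure_dir_check() {
    if dir_writable "$1"; then echo writable-root; else echo ok; fi
}

# Constructed demo: a minimal config in a temp dir plus two test directories.
vsftpd_demo() {
    tmp=$(mktemp -d)
    printf 'local_enable=yes\nchroot_local_user=yes\n' >"$tmp/vsftpd.conf"
    mkdir "$tmp/users" "$tmp/secure"
    chmod 755 "$tmp/users" "$tmp/secure"
    a=$(vsftpd_chroot_check "$tmp/vsftpd.conf" "$tmp/users")   # writable-root
    echo allow_writeable_chroot=yes >>"$tmp/vsftpd.conf"
    b=$(vsftpd_chroot_check "$tmp/vsftpd.conf" "$tmp/users")   # ok
    c=$(vsftpd_secure_dir_check "$tmp/secure")                  # writable-root
    chmod 555 "$tmp/secure"
    d=$(vsftpd_secure_dir_check "$tmp/secure")                  # ok
    rm -rf "$tmp"
    echo "$a $b $c $d"
}
vsftpd_demo
```

On a real box, point vsftpd_chroot_check at the directory named by local_root (or the user's home) and vsftpd_secure_dir_check at secure_chroot_dir from /etc/vsftpd.conf.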
