[ale] ftps with vsftpd pam openldap: one server fine, other not so fine

Brian W. Neu ale at advancedopen.com
Thu Feb 18 11:00:43 EST 2010


So my client has server2 at their office behind a firewall, with vsftpd
configured for ftps (ftpes).  It works great to the openldap backend
through pam.

The remote server, server3, runs Shorewall and has a fully working slave
openldap, and can authenticate through pam when disconnected from
server2 (openvpn).  FileZilla throws this error when connecting to server3:

22:27:23    Status:    Connection established, waiting for welcome
message...
22:27:23    Response:    220 (vsFTPd 2.2.2)
22:27:23    Command:    AUTH TLS
22:27:23    Response:    234 Proceed with negotiation.
22:27:23    Status:    Initializing TLS...
22:27:23    Status:    Verifying certificate...
22:27:23    Command:    USER user1
22:27:23    Status:    TLS/SSL connection established.
22:27:23    Response:    331 Please specify the password.
22:27:23    Command:    PASS *********
22:27:23    Trace:    CTlsSocket::OnRead()
22:27:23    Trace:    CTlsSocket::Failure(-8, 10053)
22:27:23    Error:    GnuTLS error -8: A record packet with illegal
version was received.
22:27:23    Error:    Could not connect to server

NOTE:  SFTP (ssh ftp) works on server3

I don't think GnuTLS is actually the problem, but here are the versions:
FileZilla client = GnuTLS 2.8.3.
server3 = gnutls-2.8.5-1    (fedora 12)
server2 = gnutls-2.6.6-1    (fedora 11)

It might be a PAM issue since Fedora 12 moved to PAM 1.1 and the same
config file doesn't work.
server3 /etc/pam.d/vsftpd
auth       sufficient   pam_ldap.so
auth       required     pam_unix.so
account    sufficient   pam_ldap.so
account    required     pam_unix.so
password   sufficient   pam_ldap.so
password   required     pam_unix.so

server2 /etc/pam.d/vsftpd
#%PAM-1.0
auth        sufficient    pam_ldap.so
auth        required      pam_unix2.so
account     sufficient    pam_ldap.so
account     required      pam_unix2.so
password    sufficient    pam_ldap.so
password    required      pam_unix2.so


The only logging on the server that seems significant is from syslog
(time not sync'd).  This seems to be an IPV6 thing though, and I can't
figure out why it pops up twice with every ftps login:
Feb 17 22:27:32 server3 kernel: lo: Disabled Privacy Extensions
Feb 17 22:27:32 server3 kernel: lo: Disabled Privacy Extensions

Shorewall is installed on server3 and logging all packet DROPs.  But the
above localhost message is the only output.


This is the server3 vsftpd log:
02:11:02    Trace:    CControlSocket::DoClose(64)
02:11:02    Trace:    CControlSocket::DoClose(64)
02:11:02    Status:    Connecting to 69.61.74.98:21...
02:11:02    Status:    Connection established, waiting for welcome
message...
02:11:03    Trace:    CFtpControlSocket::OnReceive()
02:11:03    Response:    220 (vsFTPd 2.2.2)
02:11:03    Trace:    CFtpControlSocket::SendNextCommand()
02:11:03    Command:    AUTH TLS
02:11:03    Trace:    CFtpControlSocket::OnReceive()
02:11:03    Response:    234 Proceed with negotiation.
02:11:03    Status:    Initializing TLS...
02:11:03    Trace:    CTlsSocket::Handshake()
02:11:03    Trace:    CTlsSocket::ContinueHandshake()
02:11:03    Trace:    CTlsSocket::OnSend()
02:11:03    Trace:    CTlsSocket::OnRead()
02:11:03    Trace:    CTlsSocket::ContinueHandshake()
02:11:03    Trace:    CTlsSocket::OnRead()
02:11:03    Trace:    CTlsSocket::ContinueHandshake()
02:11:03    Trace:    CTlsSocket::OnRead()
02:11:03    Trace:    CTlsSocket::ContinueHandshake()
02:11:03    Trace:    Handshake successful
02:11:03    Trace:    Cipher: 3DES-CBC, MAC: SHA1
02:11:03    Status:    Verifying certificate...
02:11:03    Trace:    CFtpControlSocket::SendNextCommand()
02:11:03    Command:    USER user1
02:11:03    Status:    TLS/SSL connection established.
02:11:03    Trace:    CTlsSocket::OnRead()
02:11:03    Trace:    CFtpControlSocket::OnReceive()
02:11:03    Response:    331 Please specify the password.
02:11:03    Trace:    CFtpControlSocket::SendNextCommand()
02:11:03    Command:    PASS *********
02:11:03    Trace:    CTlsSocket::OnRead()
02:11:03    Trace:    CTlsSocket::Failure(-8, 10053)
02:11:03    Error:    GnuTLS error -8: A record packet with illegal
version was received.
02:11:03    Trace:    CRealControlSocket::OnClose(10053)
02:11:03    Trace:    CControlSocket::DoClose(64)
02:11:03    Trace:    CFtpControlSocket::ResetOperation(66)
02:11:03    Trace:    CControlSocket::ResetOperation(66)
02:11:03    Error:    Could not connect to server
02:11:03    Trace:    CFileZillaEnginePrivate::ResetOperation(66)



Any ideas?

Thanks!
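
As an added example (not part of the original post, and not FileZilla's or vsftpd's own code): a small Python script that parses a FileZilla-style client trace and reports at which FTP step the GnuTLS failure occurred. The point it makes about the trace above is that "Handshake successful" and the cipher line appear before USER and PASS, so the TLS session was already up and the failure happened while the client was reading the server's reply to PASS, which is the moment vsftpd hands the credentials to PAM. The two sample traces and the address 192.0.2.10 are constructed for the example; the function and field names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# Constructed sample traces. Their shape follows the FileZilla log quoted
# in the post; the host address and the second trace are made up.
SAMPLE_FAIL_AFTER_PASS = """\
02:11:02    Status:    Connecting to 192.0.2.10:21...
02:11:03    Response:    220 (vsFTPd 2.2.2)
02:11:03    Command:    AUTH TLS
02:11:03    Response:    234 Proceed with negotiation.
02:11:03    Status:    Initializing TLS...
02:11:03    Trace:    Handshake successful
02:11:03    Trace:    Cipher: 3DES-CBC, MAC: SHA1
02:11:03    Command:    USER user1
02:11:03    Status:    TLS/SSL connection established.
02:11:03    Response:    331 Please specify the password.
02:11:03    Command:    PASS *********
02:11:03    Trace:    CTlsSocket::Failure(-8, 10053)
02:11:03    Error:    GnuTLS error -8: A record packet with illegal version was received.
02:11:03    Error:    Could not connect to server
"""

# A constructed counter-example: the same error, but before any handshake.
SAMPLE_FAIL_IN_HANDSHAKE = """\
02:11:02    Status:    Connecting to 192.0.2.10:21...
02:11:03    Response:    220 (vsFTPd 2.2.2)
02:11:03    Command:    AUTH TLS
02:11:03    Response:    234 Proceed with negotiation.
02:11:03    Status:    Initializing TLS...
02:11:03    Trace:    CTlsSocket::Failure(-8, 10053)
02:11:03    Error:    GnuTLS error -8: A record packet with illegal version was received.
02:11:03    Error:    Could not connect to server
"""

# time, kind (Status/Response/Command/Trace/Error), free text
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\w+):\s+(.*)$")


@dataclass
class Diagnosis:
    handshake_ok: bool = False
    cipher: Optional[str] = None
    last_command: Optional[str] = None   # FTP verb only; arguments are dropped
    last_response: Optional[str] = None
    failure: Optional[str] = None
    phase: str = "no failure recorded"


def parse_lines(log: str) -> Iterator[Tuple[str, str]]:
    """Yield (kind, text) for each well-formed trace line; skip wrapped or odd lines."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group(2), m.group(3)


def classify(d: Diagnosis) -> str:
    """Name the step at which the control connection broke."""
    if not d.handshake_ok:
        return "TLS handshake"            # AUTH TLS accepted, but no session came up
    if d.last_command == "USER":
        return "after USER"               # session up, broke while waiting for 331
    if d.last_command == "PASS":
        return "after PASS"               # session up, broke while waiting for the login reply
    return "control channel (pre-login)"


def diagnose(log: str) -> Diagnosis:
    """Walk the trace once and record state up to the first Error line."""
    d = Diagnosis()
    for kind, text in parse_lines(log):
        if kind == "Trace" and text == "Handshake successful":
            d.handshake_ok = True
        elif kind == "Trace" and text.startswith("Cipher:"):
            d.cipher = text
        elif kind == "Command":
            d.last_command = text.split()[0]
        elif kind == "Response":
            d.last_response = text
        elif kind == "Error" and d.failure is None:
            d.failure = text
            d.phase = classify(d)
    return d


def where_to_look(d: Diagnosis) -> str:
    """Translate the phase into the first place a defender should check."""
    if d.phase == "TLS handshake":
        return "TLS negotiation itself (certificate, ssl_* settings, client/server TLS versions)"
    if d.phase in ("after USER", "after PASS"):
        return "the server side after TLS was up: vsftpd log and the PAM stack for vsftpd"
    return "the plain control channel before login"


if __name__ == "__main__":
    for name, log in (("after-PASS", SAMPLE_FAIL_AFTER_PASS),
                      ("in-handshake", SAMPLE_FAIL_IN_HANDSHAKE)):
        d = diagnose(log)
        print(f"{name}: phase={d.phase!r}, cipher={d.cipher!r}, look at {where_to_look(d)}")
```

Run it directly to see both classifications; feed a real FileZilla trace to `diagnose()` to classify a trace from your own session.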

