[ale] ftps with vsftpd pam openldap: one server fine, other not so fine

Brian W. Neu ale at advancedopen.com
Fri Feb 19 14:34:26 EST 2010


I always hate finding some post about my same problem, but then not
finding the resolution.

This was a PAM issue.  Here's the /etc/pam.d/vsftpd that works (albeit
probably unclean) in Fedora 12/PAM 1.1:

session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so   item=user sense=deny \
                                          file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       sufficient   pam_ldap.so
auth       required     pam_unix.so
auth       required     pam_shells.so
account    sufficient   pam_ldap.so
account    required     pam_unix.so
password   sufficient   pam_ldap.so
password   required     pam_unix.so
session    include      system-auth
session    optional     pam_console.so



On 2/18/2010 11:00 AM, Brian W. Neu wrote:
> So my client has server2 at their office behind a firewall, with vsftpd
> configured for ftps (ftpes).  It works great to the openldap backend
> through pam.
>
> The remote server, server3, runs Shorewall and has a fully working slave
> openldap, and can authenticate through pam when disconnected from
> server2 (openvpn).  FileZilla throws this error when connecting to server3:
>
> 22:27:23    Status:    Connection established, waiting for welcome
> message...
> 22:27:23    Response:    220 (vsFTPd 2.2.2)
> 22:27:23    Command:    AUTH TLS
> 22:27:23    Response:    234 Proceed with negotiation.
> 22:27:23    Status:    Initializing TLS...
> 22:27:23    Status:    Verifying certificate...
> 22:27:23    Command:    USER user1
> 22:27:23    Status:    TLS/SSL connection established.
> 22:27:23    Response:    331 Please specify the password.
> 22:27:23    Command:    PASS *********
> 22:27:23    Trace:    CTlsSocket::OnRead()
> 22:27:23    Trace:    CTlsSocket::Failure(-8, 10053)
> 22:27:23    Error:    GnuTLS error -8: A record packet with illegal
> version was received.
> 22:27:23    Error:    Could not connect to server
>
> NOTE:  SFTP (ssh ftp) works on server3
>
> I don't think GnuTLS is actually the problem, but here are the versions
> FileZilla client = GnuTLS 2.8.3.
> server3 = gnutls-2.8.5-1    (fedora 12)
> server2 = gnutls-2.6.6-1    (fedora 11)
>
> It might be a PAM issue since fedora 12 moved to PAM 1.1 and the same
> config file doesn't work.
> server3 /etc/pam.d/vsftpd
> auth       sufficient   pam_ldap.so
> auth       required     pam_unix.so
> account    sufficient   pam_ldap.so
> account    required     pam_unix.so
> password   sufficient   pam_ldap.so
> password   required     pam_unix.so
>
> server2 /etc/pam.d/vsftpd
> #%PAM-1.0
> auth        sufficient    pam_ldap.so
> auth        required      pam_unix2.so
> account     sufficient    pam_ldap.so
> account     required      pam_unix2.so
> password    sufficient    pam_ldap.so
> password    required      pam_unix2.so
>
>
> The only logging on the server that seems significant is from syslog
> (time not sync'd).  This seems to be an IPV6 thing though, and I can't
> figure out why it pops up twice with every ftps login:
> Feb 17 22:27:32 server3 kernel: lo: Disabled Privacy Extensions
> Feb 17 22:27:32 server3 kernel: lo: Disabled Privacy Extensions
>
> Shorewall is installed on server3 and logging all packet DROPs.  But the
> above localhost message is the only output.
>
>
> This is the server3 vsftpd log:
> 02:11:02    Trace:    CControlSocket::DoClose(64)
> 02:11:02    Trace:    CControlSocket::DoClose(64)
> 02:11:02    Status:    Connecting to 69.61.74.98:21...
> 02:11:02    Status:    Connection established, waiting for welcome
> message...
> 02:11:03    Trace:    CFtpControlSocket::OnReceive()
> 02:11:03    Response:    220 (vsFTPd 2.2.2)
> 02:11:03    Trace:    CFtpControlSocket::SendNextCommand()
> 02:11:03    Command:    AUTH TLS
> 02:11:03    Trace:    CFtpControlSocket::OnReceive()
> 02:11:03    Response:    234 Proceed with negotiation.
> 02:11:03    Status:    Initializing TLS...
> 02:11:03    Trace:    CTlsSocket::Handshake()
> 02:11:03    Trace:    CTlsSocket::ContinueHandshake()
> 02:11:03    Trace:    CTlsSocket::OnSend()
> 02:11:03    Trace:    CTlsSocket::OnRead()
> 02:11:03    Trace:    CTlsSocket::ContinueHandshake()
> 02:11:03    Trace:    CTlsSocket::OnRead()
> 02:11:03    Trace:    CTlsSocket::ContinueHandshake()
> 02:11:03    Trace:    CTlsSocket::OnRead()
> 02:11:03    Trace:    CTlsSocket::ContinueHandshake()
> 02:11:03    Trace:    Handshake successful
> 02:11:03    Trace:    Cipher: 3DES-CBC, MAC: SHA1
> 02:11:03    Status:    Verifying certificate...
> 02:11:03    Trace:    CFtpControlSocket::SendNextCommand()
> 02:11:03    Command:    USER user1
> 02:11:03    Status:    TLS/SSL connection established.
> 02:11:03    Trace:    CTlsSocket::OnRead()
> 02:11:03    Trace:    CFtpControlSocket::OnReceive()
> 02:11:03    Response:    331 Please specify the password.
> 02:11:03    Trace:    CFtpControlSocket::SendNextCommand()
> 02:11:03    Command:    PASS *********
> 02:11:03    Trace:    CTlsSocket::OnRead()
> 02:11:03    Trace:    CTlsSocket::Failure(-8, 10053)
> 02:11:03    Error:    GnuTLS error -8: A record packet with illegal
> version was received.
> 02:11:03    Trace:    CRealControlSocket::OnClose(10053)
> 02:11:03    Trace:    CControlSocket::DoClose(64)
> 02:11:03    Trace:    CFtpControlSocket::ResetOperation(66)
> 02:11:03    Trace:    CControlSocket::ResetOperation(66)
> 02:11:03    Error:    Could not connect to server
> 02:11:03    Trace:    CFileZillaEnginePrivate::ResetOperation(66)
>
>
>
> Any ideas?
>
> Thanks!
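As an added check, not part of the original post: a small linter for pam.d stacks that parses the file format (comments, backslash line continuations, bracketed controls) and runs over the two stacks quoted in this thread, embedded below as constructed sample input. It flags a management group that is absent from the service file (Linux-PAM then consults /etc/pam.d/other for that group, which Fedora ships as pam_deny.so), a module listed twice in one group (pam_shells.so in the working file), and a pam_listfile deny list using onerr=succeed, which is skipped rather than enforced when the list file cannot be read. The function names parse_pam and lint are my own.

```python
"""Lint /etc/pam.d/<service> stacks (added example, not from the thread)."""
import re

# Sample input constructed from the two stacks quoted in the thread.
SERVER3_BROKEN = """\
auth       sufficient   pam_ldap.so
auth       required     pam_unix.so
account    sufficient   pam_ldap.so
account    required     pam_unix.so
password   sufficient   pam_ldap.so
password   required     pam_unix.so
"""

FEDORA12_WORKING = """\
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny \\
                        file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       sufficient   pam_ldap.so
auth       required     pam_unix.so
auth       required     pam_shells.so
account    sufficient   pam_ldap.so
account    required     pam_unix.so
password   sufficient   pam_ldap.so
password   required     pam_unix.so
session    include      system-auth
session    optional     pam_console.so
"""

GROUPS = ("auth", "account", "password", "session")
# group, control (plain word or [bracketed ...]), module, remaining args
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Parse pam.d-style text into (group, control, module, args) tuples.

    Joins backslash-continued lines, drops comments and blank lines and
    keeps bracketed controls such as [success=1 default=ignore] intact.
    """
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed PAM line: {raw!r}")
        group, control, module, args = m.groups()
        # A leading '-' marks a module whose absence is tolerated silently.
        entries.append((group.lstrip("-").lower(), control, module, args.split()))
    return entries


def lint(text):
    """Return a list of (severity, message) findings for one PAM stack."""
    entries = parse_pam(text)
    findings = []
    for group in GROUPS:
        ents = [e for e in entries if e[0] == group]
        if not ents:
            # Linux-PAM falls back to /etc/pam.d/other for a group the
            # service file lacks; Fedora ships 'other' as pam_deny.so.
            findings.append(("error", f"no '{group}' entries: falls back to /etc/pam.d/other"))
            continue
        seen = set()
        for _, control, module, args in ents:
            if module in seen and control != "include":
                findings.append(("warn", f"'{group}' lists {module} more than once"))
            seen.add(module)
            if module == "pam_listfile.so" and "sense=deny" in args and "onerr=succeed" in args:
                target = next((a[5:] for a in args if a.startswith("file=")), "?")
                findings.append(("warn", f"'{group}' deny list {target} is skipped "
                                         "if unreadable (onerr=succeed)"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("server3 (failing)", SERVER3_BROKEN),
                      ("Fedora 12 (working)", FEDORA12_WORKING)):
        print(f"== {name}")
        for sev, msg in lint(cfg) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Run it as-is to see the report for both stacks, or pass the contents of a real /etc/pam.d/vsftpd to lint(); the onerr finding is informational (it is the Fedora default for vsftpd) but worth knowing when the deny list lives on a filesystem that might be unmounted or unreadable.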

