Debian11/pureftp 530 Login authentication failed

Bonjour, sur une Debian 11 avec pure-ftp toute fraiche impossible de loguer un utilisateur avec filezila.

pure-ftpd.conf:

# grep -E -v '^(#|;|$|[ ]*#)' /etc/pure-ftpd/pure-ftpd.conf 
ChrootEveryone               yes
BrokenClientsCompatibility   no
MaxClientsNumber             50
Daemonize                    yes
MaxClientsPerIP              8
VerboseLog                   yes
DisplayDotFiles              yes
AnonymousOnly                no
NoAnonymous                  no
SyslogFacility               ftp
DontResolve                  yes
MaxIdleTime                  15
LimitRecursion               10000 8
AnonymousCanCreateDirs       no
MaxLoad                      4
AntiWarez                    yes
Umask                        133:022
MinUID                       100
AllowUserFXP                 no
AllowAnonymousFXP            no
ProhibitDotFilesWrite        no
ProhibitDotFilesRead         no
AutoRename                   no
AnonymousCantUpload          no
MaxDiskUsage                   99
CustomerProof                yes

logs filezila:

Status :	Connexion à ser.ver.i.p:21...
Status :	Connexion établie, attente du message d'accueil...
Réponse :	220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Réponse :	220-You are user number 1 of 50 allowed.
Réponse :	220-Local time is now 10:40. Server port: 21.
Réponse :	220-This is a private system - No anonymous login
Réponse :	220 You will be disconnected after 15 minutes of inactivity.
Commande :	AUTH TLS
Réponse :	234 AUTH TLS OK.
Status :	Initialisation de TLS...
Status :	Vérification du certificat...
Status :	Connexion TLS établie.
Commande :	USER myuser
Réponse :	331 User myuser OK. Password required
Commande :	PASS ********
Réponse :	530 Login authentication failed
Erreur :	Erreur critique : Impossible d'établir une connexion au serveur

J’ai parcouru tous les forums sur le sujet sans succès. Merci pour votre support

Bonjour,
Comment sont définis les paramètres d’authentification (PAM, base pureftpd-db etc???) ?
Comment sont dé"finis les droits utilisateurs?
ceci est un site fedora mais c’est applicable pour les paramètres je pense: PureFTPD : Installation et configuration — Wiki Fedora-Fr

Voici le fichier de config complet:

$ cat /etc/pure-ftpd/pure-ftpd.conf

############################################################
#                                                          #
#             Configuration file for pure-ftpd             #
#                                                          #
############################################################

# If you want to run Pure-FTPd with this configuration
# instead of command-line options, please run the
# following command :
#
# ${exec_prefix}/sbin/sbin/pure-ftpd /etc/pure-ftpd/pure-ftpd.conf
#
# Online documentation:
# https://www.pureftpd.org/project/pure-ftpd/doc


# Restrict users to their home directory

ChrootEveryone               yes



# If the previous option is set to "no", members of the following group
# won't be restricted. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.

# TrustedGID                   100



# Turn on compatibility hacks for broken clients

BrokenClientsCompatibility   no



# Maximum number of simultaneous users

MaxClientsNumber             50



# Run as a background process

Daemonize                    yes



# Maximum number of simultaneous clients with the same IP address

MaxClientsPerIP              8



# If you want to log all client commands, set this to "yes".
# This directive can be specified twice to also log server responses.

VerboseLog                   yes



# List dot-files even when the client doesn't send "-a".

DisplayDotFiles              yes



# Disallow authenticated users - Act only as a public FTP server.

AnonymousOnly                no



# Disallow anonymous connections. Only accept authenticated users.

NoAnonymous                  no



# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp". "none" disables logging.

SyslogFacility               ftp



# Display fortune cookies

# FortunesFile                 /usr/share/fortune/zippy



# Don't resolve host names in log files. Recommended unless you trust
# reverse host names, and don't care about DNS resolution being possibly slow.

DontResolve                  yes



# Maximum idle time in minutes (default = 15 minutes)

MaxIdleTime                  15



# LDAP configuration file (see README.LDAP)

# LDAPConfigFile               /etc/pureftpd-ldap.conf



# MySQL configuration file (see README.MySQL)

# MySQLConfigFile              /etc/pureftpd-mysql.conf


# PostgreSQL configuration file (see README.PGSQL)

# PGSQLConfigFile              /etc/pureftpd-pgsql.conf


# PureDB user database (see README.Virtual-Users)

# PureDB                       /etc/pureftpd.pdb


# Path to pure-authd socket (see README.Authentication-Modules)

# ExtAuth                      /var/run/ftpd.sock



# If you want to enable PAM authentication, uncomment the following line

# PAMAuthentication            yes



# If you want simple Unix (/etc/passwd) authentication, uncomment this

# UnixAuthentication           yes



# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used specified once, but can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be used first. If the SQL authentication fails because the
# user wasn't found, a new attempt will be done using system authentication.
# If the SQL authentication fails because the password didn't match, the
# authentication chain stops here. Authentication methods are chained in
# the order they are given.



# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth.

LimitRecursion               10000 8



# Are anonymous users allowed to create new directories?

AnonymousCanCreateDirs       no



# If the system load is greater than the given value, anonymous users
# aren't allowed to download.

MaxLoad                      4



# Port range for passive connections - keep it as broad as possible.

#PassivePortRange             30000 50000



# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.

# ForcePassiveIP               192.168.0.1
# ForcePassiveIP                35.180.58.190



# Upload/download ratio for anonymous users.

# AnonymousRatio               1 10



# Upload/download ratio for all users.
# This directive supersedes the previous one.

# UserRatio                    1 10



# Disallow downloads of files owned by the "ftp" system user;
# files that were uploaded but not validated by a local admin.

AntiWarez                    yes



# IP address/port to listen to (default=all IP addresses, port 21).

# Bind                         127.0.0.1,21



# Maximum bandwidth for anonymous users in KB/s

# AnonymousBandwidth           8



# Maximum bandwidth for *all* users (including anonymous) in KB/s
# Use AnonymousBandwidth *or* UserBandwidth, not both.

# UserBandwidth                8



# File creation mask. <umask for files>:<umask for dirs> .
# 177:077 if you feel paranoid.

Umask                        133:022



# Minimum UID for an authenticated user to log in.
# For example, a value of 100 prevents all users whose user id is below
# 100 from logging in. If you want "root" to be able to log in, use 0.

MinUID                       100



# Allow FXP transfers for authenticated users.

AllowUserFXP                 no



# Allow anonymous FXP for anonymous and non-anonymous users.

AllowAnonymousFXP            no



# Users can't delete/write files starting with a dot ('.')
# even if they own them. But if TrustedGID is enabled, that group
# will exceptionally have access to dot-files.

ProhibitDotFilesWrite        no



# Prohibit *reading* of files starting with a dot (.history, .ssh...)

ProhibitDotFilesRead         no



# Don't overwrite files. When a file whose name already exist is uploaded,
# it gets automatically renamed to file.1, file.2, file.3, ...

AutoRename                   no



# Prevent anonymous users from uploading new files (no = upload is allowed)

AnonymousCantUpload          no



# Only connections to this specific IP address are allowed to be
# non-anonymous. You can use this directive to open several public IPs for
# anonymous FTP, and keep a private firewalled IP for remote administration.
# You can also only allow a non-routable local IP (such as 10.x.x.x) for
# authenticated users, and run a public anon-only FTP server on another IP.

# TrustedIP                    10.1.1.1



# To add the PID to log entries, uncomment the following line.

# LogPID                       yes



# Create an additional log file with transfers logged in a Apache-like format :
# fw.c9x.org - jedi [13/Apr/2017:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
# This log file can then be processed by common HTTP traffic analyzers.

# AltLog                       clf:/var/log/pureftpd.log



# Create an additional log file with transfers logged in a format optimized
# for statistic reports.

# AltLog                       stats:/var/log/pureftpd.log



# Create an additional log file with transfers logged in the standard W3C
# format (compatible with many HTTP log analyzers)

# AltLog                       w3c:/var/log/pureftpd.log



# Disallow the CHMOD command. Users cannot change perms of their own files.

# NoChmod                      yes



# Allow users to resume/upload files, but *NOT* to delete them.

# KeepAllFiles                 yes



# Automatically create home directories if they are missing

# CreateHomeDir                yes



# Enable virtual quotas. The first value is the max number of files.
# The second value is the maximum size, in megabytes.
# So 1000:10 limits every user to 1000 files and 10 MB.

# Quota                        1000:10



# If your pure-ftpd has been compiled with standalone support, you can change
# the location of the pid file. The default is /var/run/pure-ftpd.pid

# PIDFile                      /var/run/pure-ftpd.pid



# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.
# Don't enable this option if you don't actually use pure-uploadscript.

# CallUploadScript             yes



# This option is useful on servers where anonymous upload is
# allowed. When the partition is more that percententage full,
# new uploads are disallowed.

MaxDiskUsage                   99



# Set to 'yes' to prevent users from renaming files.

# NoRename                     yes



# Be 'customer proof': forbids common customer mistakes such as
# 'chmod 0 public_html', that are valid, but can cause customers to
# unintentionally shoot themselves in the foot.

CustomerProof                yes



# Per-user concurrency limits. Will only work if the FTP server has
# been compiled with --with-peruserlimits.
# Format is: <max sessions per user>:<max anonymous sessions>
# For example, 3:20 means that an authenticated user can have up to 3 active
# sessions, and that up to 20 anonymous sessions are allowed.

# PerUserLimits                3:20



# When a file is uploaded and there was already a previous version of the file
# with the same name, the old file will neither get removed nor truncated.
# The file will be stored under a temporary name and once the upload is
# complete, it will be atomically renamed. For example, when a large PHP
# script is being uploaded, the web server will keep serving the old version and
# later switch to the new one as soon as the full file will have been
# transferred. This option is incompatible with virtual quotas.

# NoTruncate                   yes



# This option accepts three values:
# 0: disable SSL/TLS encryption layer (default).
# 1: accept both cleartext and encrypted sessions.
# 2: refuse connections that don't use the TLS security mechanism,
#    including anonymous sessions.
# Do _not_ uncomment this blindly. Double check that:
# 1) The server has been compiled with TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

# TLS                          1


# Cipher suite for TLS sessions.
# The default suite is secure and setting this property is usually
# only required to *lower* the security to cope with legacy clients.
# Prefix with -C: in order to require valid client certificates.
# If -C: is used, make sure that clients' public keys are present on
# the server.

# TLSCipherSuite               HIGH



# Certificate file, for TLS
# The certificate itself and the keys can be bundled into the same
# file or split into two files.
# CertFile is for a cert+key bundle, CertFileAndKey for separate files.
# Use only one of these.

# CertFile                     /etc/ssl/private/pure-ftpd.pem
# CertFileAndKey               "/etc/pure-ftpd.pem" "/etc/pure-ftpd.key"



# Unix socket of the external certificate handler, for TLS

# ExtCert                      /var/run/ftpd-certs.sock


# Listen only to IPv4 addresses in standalone mode (ie. disable IPv6)
# By default, both IPv4 and IPv6 are enabled.

# IPV4Only                     yes



# Listen only to IPv6 addresses in standalone mode (i.e. disable IPv4)
# By default, both IPv4 and IPv6 are enabled.

# IPV6Only                     yes

Quels droits utilisateurs ?

Avec quel user t’identifies-tu ? un user du système ? alors peut-être activer :

# If you want simple Unix (/etc/passwd) authentication, uncomment this

# UnixAuthentication           yes

Non j’utilise un utilisateur virtuel créé par

useradd -g ftpgroup -d /dev/null -s /usr/sbin/nologin utilisateur

J’ai essayé Pam et Unix Authentication yes

Question :
J’ai # TLS 1, option par défaut qui devrait accepter les connexions plaintext mais quand je me connecte en FTP simple j’obtiens:
« 21-Sorry, cleartext sessions and weak ciphers are not accepted on this server. »
Y-t-il un autre paramètre à définir pour ouvrir les conexions non sécurisées plaintext ?

Contexte ok.

Mais aucune méthode d’authentification n’est spécifié dans ce fichier de configuration revois ton installation, tu as manqué des étapes si tu as suivi un tutoriel

Bien entendu ainsi qu’un login automatique sans mots de passe et une grosse flèche PAR ICI.

1 J'aime

Je m’aperçois qu’il y a 2 méthodes de conf possible: le fichier /etc/pure-ftpd/pure-ftpd.conf et le dossier /etc/pure-ftpd/conf

Comment savoir lequel est utilisé ?

Que je mette TLS (est ce ce que vous appelez méthode d’authentification ?) à 1 par l’une ou l’autre méthode, le serveur me revoie toujours
« 421-Sorry, cleartext sessions and weak ciphers are not accepted on this server »
quand j’essaie de connecter en clair.

Regarde ton unit systemd, elle appel le binaire avec le fichier de conf pris en compte.

Es-tu sûr de modifier le bon fichier de configuration du coup :innocent:

Non ça c’est le fait d’encrypter la transmission avec justement un cypher définie quelque part (ou par défaut si pas défini) qui ne doit pas être suffisamment fort.

J’avais regardé la chose que voici sans pouvoir décrypter:

$ cat /etc/init.d/pure-ftpd
#! /bin/sh
### BEGIN INIT INFO
# Provides:          pure-ftpd
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Should-Start:      slapd mysql postgresql-8.3 postgresql-8.4
# Should-Stop:       slapd mysql postgresql-8.3 postgresql-8.4
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
#
# pure-ftpd     starts and stops the pure-ftpd ftp daemon
#
# Copyright 2002-2011 by Stefan Hornburg (Racke) <racke@linuxia.de>

PATH=/sbin:/bin:/usr/sbin:/usr/bin
NAME=pure-ftpd
DESC="ftp server"
: ${SSDAEMONLOGOPTS:="--quiet"}
UPLOADDAEMON=/usr/sbin/pure-uploadscript
UDNAME=pure-uploadscript
UDDESC="ftp upload handler"
WRAPPER=/usr/sbin/pure-ftpd-wrapper

# load LSB init-functions to get status_of_proc helper
. /lib/lsb/init-functions

PIDFILE=/var/run/pure-ftpd/pure-ftpd.pid

# try to figure with suffix this script is called,
# $0 might be a symlink pointing to this script
if [ -h $0 ]; then
        ME=`/bin/readlink $0`
else 
        ME=$0
fi

SUFFIX=`basename $ME | sed -ne 's/^pure-ftpd-\(.*\)/\1/p'`
if [ "$SUFFIX" ] ; then
        DAEMON=/usr/sbin/pure-ftpd-$SUFFIX
else
        DAEMON=/usr/sbin/pure-ftpd
fi

export STANDALONE_OR_INETD=inetd
export VIRTUALCHROOT=
test -r /etc/default/pure-ftpd-common && . /etc/default/pure-ftpd-common

if [ "$VIRTUALCHROOT" = "true" ]; then
        if [ "$SUFFIX" ]; then
                SUFFIX="$SUFFIX-virtualchroot"
        else
                SUFFIX="virtualchroot"
        fi
fi

test -x $DAEMON || exit 0
test -x $WRAPPER || exit 0

set -e

if [ ! -e `dirname $PIDFILE` ];then
       mkdir `dirname $PIDFILE`
fi

start_uploadscript() {
        if [ "$UPLOADSCRIPT" -a "$STANDALONE_OR_INETD" != inetd ] && \
                egrep -i '^[    ]*(yes|1|on)[   ]*' /etc/pure-ftpd/conf/CallUploadScript > /dev/null 2>&1
        then
                UOPTS=""
                test "$UPLOADUID" && UOPTS="$UOPTS -u $UPLOADUID"
                test "$UPLOADGID" && UOPTS="$UOPTS -g $UPLOADGID"
                echo -n "$1 $UDDESC: "
                start-stop-daemon --start $SSDAEMONLOGOPTS --oknodo \
                        --exec $UPLOADDAEMON -- -r "$UPLOADSCRIPT" -B $UOPTS
                echo "$UDNAME."

        fi
}

case "$1" in
  start)
        test "$STANDALONE_OR_INETD" = standalone || exit 0
        echo -n "Starting $DESC: "
        start-stop-daemon --start $SSDAEMONLOGOPTS --pidfile "$PIDFILE" \
                --exec $WRAPPER -- $SUFFIX
        start_uploadscript Starting
        ;;
  stop)
        echo -n "Stopping $DESC: "
        start-stop-daemon --stop $SSDAEMONLOGOPTS --oknodo \
                --pidfile "$PIDFILE"
        start-stop-daemon --stop $SSDAEMONLOGOPTS --oknodo --exec $UPLOADDAEMON
        echo "$NAME."
        ;;
  restart|force-reload)
        test "$STANDALONE_OR_INETD" = standalone || exit 0
        echo -n "Restarting $DESC: "
        start-stop-daemon --stop $SSDAEMONLOGOPTS --oknodo \
                --pidfile "$PIDFILE"
        start-stop-daemon --stop $SSDAEMONLOGOPTS --oknodo --exec $UPLOADDAEMON
        sleep 1
        start-stop-daemon --start $SSDAEMONLOGOPTS --pidfile "$PIDFILE" \
                --exec $WRAPPER -- $SUFFIX
        start_uploadscript Restarting
        ;;
  status)
        status_of_proc -p /var/run/pure-ftpd/pure-ftpd.pid $DAEMON $NAME && exit 0 || exit $?
        ;;
  *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|restart|force-reload|status}" >&2
        exit 1
        ;;
esac

exit 0

Un moyen simple de décrypter quel conf est utilisée ?

C’est un script d’init pas une unité systemd, j’en conclue que tu n’utilise pas systemd pour gérer ton ftp, je pense passer mon tour car ça deviens nébuleux de suivre ce qu’il a été fait et comment normalement cela devrais fonctionner.

$ systemctl cat pure-ftpd
# /run/systemd/generator.late/pure-ftpd.service
# Automatically generated by systemd-sysv-generator

[Unit]
Documentation=man:systemd-sysv-generator(8)
SourcePath=/etc/init.d/pure-ftpd
Before=multi-user.target
Before=multi-user.target
Before=multi-user.target
Before=graphical.target
After=remote-fs.target
After=slapd.service
After=mysql.service
After=postgresql-8.3.service
After=postgresql-8.4.service

[Service]
Type=forking
Restart=no
TimeoutSec=5min
IgnoreSIGPIPE=no
KillMode=process
GuessMainPID=no
RemainAfterExit=yes
SuccessExitStatus=5 6
ExecStart=/etc/init.d/pure-ftpd start
ExecStop=/etc/init.d/pure-ftpd stop

Je vois toujours pas quelle conf est utilisée.
Ca a été installé d’après Debian 11 Bullseye : Pure-FTPd : Install : Server World

Bonjour,

Ce n’est pas un utilisateur virtuel mais un utilisateur standard memebre du groupe ftpgroup, qui ne peut pas se connecter (/usr/sbin/nologin) et qui n’as pas de dossier personnel (/dev/null).
Cela devrait donc fonctionner avec Unix Authentication yes (valeur par défaut) et le mot de passe créé avec la commande passwd utilisateur.

Au passage le dossier personnel de cet utilisateur devrait être son dossier ftp (/srv/ftp/utilisateur par exemple) pour être en cohérence avec : ChrootEveryone yes

D’après la doc officielle de pure-ftpd les utilisateurs virtuels sont créés par la commande spécifique pure-pw

J’ai refait l’install selon PureFTPd : serveur FTP / Wiki / Debian-facile et ça marche maintenant.
Merci à tous pour votre aide.