Vsftpd, I'm almost there :D

Hello ladies and gentlemen,

Once again I'm stuck on my journey.

I'm trying, as best I can, to set up a VSFTPd server secured with an SSL connection.

So far so good, except that now, if my users try to log in to said server with an FTP client such as FileZilla, they get the following message:

Erreur :	GnuTLS error -8: A record packet with illegal version was received.
Erreur :	Impossible d'établir une connexion au serveur

So I go and take a look at the server to check the logs, and there I have the following issue:

In vsftpd.log, my user is indeed authenticated:

Wed Jun  1 09:11:33 2011 [pid 2] CONNECT: Client "XX.XXX.XXX.XXX"
Wed Jun  1 09:11:33 2011 [pid 2] FTP response: Client "XX.XXX.XXX.XXX", "220 Welcome to FTP service."
Wed Jun  1 09:11:33 2011 [pid 2] FTP command: Client "XX.XXX.XXX.XXX", "AUTH TLS"
Wed Jun  1 09:11:33 2011 [pid 2] FTP response: Client "XX.XXX.XXX.XXX", "234 Proceed with negotiation."
Wed Jun  1 09:11:33 2011 [pid 2] FTP command: Client "XX.XXX.XXX.XXX", "USER testusr"
Wed Jun  1 09:11:33 2011 [pid 2] [testusr] FTP response: Client "XX.XXX.XXX.XXX", "331 Please specify the password."
Wed Jun  1 09:11:33 2011 [pid 2] [testusr] FTP command: Client "XX.XXX.XXX.XXX", "PASS <password>"
Wed Jun  1 09:11:33 2011 [pid 1] [testusr] OK LOGIN: Client "XX.XXX.XXX.XXX"

EVEN under PAM everything is fine:

Jun  1 11:00:34 PRDFTP01 vsftpd: pam_unix(vsftpd:account): could not identify user (from getpwnam(testusr))
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - option verbose is set to "1"
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - option user is set to "vsftpdauth"
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - option passwd is set to "secret"
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - option host is set to "127.0.0.1"
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - option db is set to "vsftpd"
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - option table is set to "users"
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - option usercolumn is set to "login"
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - option passwdcolumn is set to "password"
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - option crypt is set to "4"
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - option where is set to "users.active=1"
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - option sqllog is set to "yes"
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - option logtable is set to "log"
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - option logmsgcolumn is set to "message"
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - option logusercolumn is set to "login"
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - option logpidcolumn is set to "pid"
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - option loghostcolumn is set to "host"
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - option logtimecolumn is set to "time"
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_mysql_close_db() called.
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_sm_acct_mgmt() called.
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_mysql_open_db() called.
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_mysql_open_db() returning 0.
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_mysql_query_user_stat() called.
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_mysql_format_string() called
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_mysql_quick_escape() called.
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - SELECT 0, password FROM users WHERE login = 'testusr' AND (users.active=1)
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_mysql_query_user_stat() returning 0.
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_mysql_sql_log() called.
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_mysql_format_string() called
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_mysql_quick_escape() called.
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_mysql_quick_escape() called.
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_mysql_quick_escape() called.
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - INSERT INTO log (message, login, host, pid, time) VALUES ('QUERYING SUCCESS', 'testusr', 'XX.XXX.XX.XXX', '1', NOW())
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_mysql_sql_log() returning 0.
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_sm_acct_mgmt() returning 0.
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_mysql_release_ctx() called.
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_mysql_destroy_ctx() called.
Jun  1 11:00:34 PRDFTP01 vsftpd: pam_mysql - pam_mysql_close_db() called.

yet, as far as I can tell, everything is fine on the PAM side; here is the PAM config file for VSFTPd:

auth sufficient pam_unix.so
account sufficient pam_unix.so

auth required /lib64/security/pam_mysql.so verbose=0 user=vsftpdauth passwd=secret host=127.0.0.1 db=vsftpd table=users usercolumn=login passwdcolumn=password crypt=4 where=users.active=1 sqllog=yes logtable=log logmsgcolumn=message logusercolumn=login logpidcolumn=pid loghostcolumn=host logtimecolumn=time

account required /lib64/security/pam_mysql.so verbose=0 user=vsftpdauth passwd=secret host=127.0.0.1 db=vsftpd table=users usercolumn=login passwdcolumn=password crypt=4 where=users.active=1 sqllog=yes logtable=log logmsgcolumn=message logusercolumn=login logpidcolumn=pid loghostcolumn=host logtimecolumn=time

To complete the picture a bit, here is my vsftpd.conf:

# Listen any IPV4 Requests.
listen=YES
listen_port=21

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO

# Uncomment this to allow local users to log in.
local_enable=YES

# Default User Folder.
user_sub_token=$USER
local_root=/srv/services/ftp-data/users_home/$USER

# Uncomment this to enable any form of FTP write command.
write_enable=NO

# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022

# Virtual Users activation:
guest_enable=YES
guest_username=vsftpd
#userlist_enable=YES

# Virtual Users Configuration File:
user_config_dir=/srv/services/ftp-data/users_config/user_configs

# Virtual Users List:
#userlist_file=/srv/services/ftp-data/users_config/user_list

# Virtual Users Allowed/Denied:
#userlist_deny=YES

# Virtual Users Local Rights:
virtual_use_local_privs=YES

# Maximum data transfer rate permitted:
local_max_rate=20480

# Maximum clients at a time:
max_clients=20

# Maximum clients from the same IP:
max_per_ip=2

# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES

# If enabled, vsftpd will display directory listings with the time
# in  your  local  time  zone.  The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES

# Activate logging of uploads/downloads.
xferlog_enable=YES

# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES

# Log all FTP commands and responses (protocol-level logging).
log_ftp_protocol=YES

# You may change the default value for timing out an idle session.
idle_session_timeout=120

# You may change the default value for timing out a data connection.
data_connection_timeout=120

# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=vsftpd

# You may fully customise the login banner string:
ftpd_banner=Welcome to FTP service.

# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails

# You may restrict local users to their home directories.  See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES

# Debian customization
#
# Some of vsftpd's settings don't fit the Debian filesystem layout by
# default.  These settings are more Debian-friendly.
#
# This option should be the name of a directory which is empty.  Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty

# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd

# SSL Options Configuration:
ssl_enable=YES
#allow_anon_ssl=NO
#force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES

# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/srv/services/ftp-data/private_config/certificat.pem
rsa_private_key_file=/srv/services/ftp-data/private_config/privatekey.pem

Note that the user's folder has indeed been created by me in /srv/services/ftp-data/users_home/$USERNAME

My vsftpd user is a system user with no password, no home and no login permission;
it belongs to the system group named vsftpd.

All folders under /srv/services/ftp-data are chowned with: chown -R root:root, with permissions in mode 755.

In short, I'm confused, as they say, and if anyone can help me solve this issue, I'm all ears.

If it helps, I'm on DEBIAN SQUEEZE 6.0.0 / MYSQL 5.1 / VSFTPd 2.3.2-3

Well, I'll answer myself:

The problem is really dumb: if you create a vsftpd user as a system user but without a home directory, things won't work properly, because the vsftpd user is the user that the vsftpd service is based on.

So, no home directory, no login, since vsftpd can't jail the virtual user.

There you go.

Really dumb problem, but the FTP client's response isn't exactly logical.
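As an added example (not code from the original post), here is a small POSIX shell checker for the three things this thread turns on: that the guest_username account actually has an existing home directory (the root cause found above), that local_root with user_sub_token expands to a per-user directory that exists, and that the SSL block does not leave ssl_sslv2/ssl_sslv3 enabled as the posted vsftpd.conf does. It works offline: the vsftpd.conf and passwd-format file it reads are constructed in a temporary directory, and the virtual user name testusr is taken from the logs above. Nothing here touches a live system.

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity checks for a
# vsftpd virtual-user setup like the one above. All inputs are constructed.

# Print the value of key $2 from vsftpd.conf-style file $1 (first match only).
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# The thread's root cause: guest_username must be a real account whose home
# directory exists, because vsftpd chroots the virtual user into it.
# $1 = passwd-format file, $2 = guest user name. Returns 0 when ok.
check_guest_home() {
    home=$(awk -F: -v u="$2" '$1 == u { print $6; exit }' "$1")
    if [ -z "$home" ]; then
        echo "FAIL: guest user '$2' not found in $1"; return 1
    elif [ ! -d "$home" ]; then
        echo "FAIL: guest user '$2' has home '$home' but it does not exist"; return 1
    fi
    echo "ok: guest user '$2' home '$home' exists"; return 0
}

# Expand local_root for virtual user $2 the way vsftpd substitutes
# user_sub_token, then check that the per-user directory exists. $1 = conf.
check_virtual_root() {
    token=$(vsftpd_get "$1" user_sub_token)
    root=$(vsftpd_get "$1" local_root)
    case "$root" in
        *"$token"*) root="${root%%"$token"*}$2${root#*"$token"}" ;;
    esac
    if [ ! -d "$root" ]; then
        echo "FAIL: local_root for '$2' resolves to '$root', which is missing"; return 1
    fi
    echo "ok: local_root for '$2' is '$root'"; return 0
}

# Returns 0 only if the config does not enable SSLv2 or SSLv3. $1 = conf.
check_ssl_versions() {
    rc=0
    for k in ssl_sslv2 ssl_sslv3; do
        if [ "$(vsftpd_get "$1" "$k")" = "YES" ]; then
            echo "FAIL: weak setting $k=YES (set it to NO, keep ssl_tlsv1=YES)"; rc=1
        fi
    done
    return $rc
}

# Runs all three checks against conf $1; returns the number of failures.
run_all() {
    fails=0
    check_guest_home "$DEMO/passwd" "$(vsftpd_get "$1" guest_username)" || fails=$((fails+1))
    check_virtual_root "$1" testusr || fails=$((fails+1))
    check_ssl_versions "$1" || fails=$((fails+1))
    return $fails
}

# --- constructed sample data ------------------------------------------------
DEMO=$(mktemp -d)
# passwd-style entry for a system account whose home was never created,
# like the poster's 'vsftpd' user (constructed).
printf 'vsftpd:x:999:999::%s/home/vsftpd:/usr/sbin/nologin\n' "$DEMO" > "$DEMO/passwd"

# Minimal vsftpd.conf mirroring the relevant lines of the post (constructed).
cat > "$DEMO/vsftpd.conf" <<EOF
guest_enable=YES
guest_username=vsftpd
user_sub_token=\$USER
local_root=$DEMO/users_home/\$USER
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
EOF

# Hardened variant: same config with SSLv2/SSLv3 turned off (constructed).
sed 's/^\(ssl_sslv[23]\)=YES/\1=NO/' "$DEMO/vsftpd.conf" > "$DEMO/vsftpd-hardened.conf"

echo "== as posted: no guest home, no user dir, SSLv2/3 on =="
run_all "$DEMO/vsftpd.conf" || true
mkdir -p "$DEMO/home/vsftpd" "$DEMO/users_home/testusr"
echo "== after creating the directories, hardened config =="
run_all "$DEMO/vsftpd-hardened.conf" || true
```

On a real host you would point check_guest_home at /etc/passwd (or the output of getent passwd) and the other two at /etc/vsftpd.conf; the first run above reproduces the poster's situation and fails all three checks, the second passes once the guest home and the per-user directory exist and only TLS is allowed.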