My vsftpd server won't let users with accounts connect. This used to work, and the only thing I can think of after checking the docs is that PAM got upgraded. Here is my info:
4 |
|
5 |
baby pam.d # emerge --info |
6 |
Portage 2.1.3.16 (hardened/x86/2.6, gcc-4.1.1, glibc-2.6.1-r0, |
7 |
2.6.19-hardened-r6 i686) |
8 |
================================================================= |
9 |
System uname: 2.6.19-hardened-r6 i686 AMD Duron(tm) Processor |
10 |
Timestamp of tree: Sun, 04 Nov 2007 12:00:01 +0000 |
11 |
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) |
12 |
[disabled] |
13 |
app-shells/bash: 3.2_p17 |
14 |
dev-java/java-config: 1.3.7, 2.1.2-r1 |
15 |
dev-lang/python: 2.4.4-r6 |
16 |
dev-python/pycrypto: 2.0.1-r6 |
17 |
sys-apps/baselayout: 1.12.9-r2 |
18 |
sys-apps/sandbox: 1.2.18.1-r2 |
19 |
sys-devel/autoconf: 2.13, 2.61-r1 |
20 |
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, |
21 |
1.10 |
22 |
sys-devel/binutils: 2.18-r1 |
23 |
sys-devel/gcc-config: 1.3.16 |
24 |
sys-devel/libtool: 1.5.24 |
25 |
virtual/os-headers: 2.6.22-r2 |
26 |
ACCEPT_KEYWORDS="x86" |
27 |
CBUILD="i686-pc-linux-gnu" |
28 |
CFLAGS="-O2 -march=i686 -pipe" |
29 |
CHOST="i686-pc-linux-gnu" |
30 |
CONFIG_PROTECT="/etc /var/bind" |
31 |
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d" |
32 |
CXXFLAGS="-O2 -march=i686 -pipe" |
33 |
DISTDIR="/usr/portage/distfiles" |
34 |
FEATURES="distlocks metadata-transfer sandbox sfperms strict |
35 |
unmerge-orphans userfetch" |
36 |
GENTOO_MIRRORS="http://distfiles.gentoo.org |
37 |
http://distro.ibiblio.org/pub/linux/distributions/gentoo" |
38 |
LINGUAS="en fr es" |
39 |
MAKEOPTS="-j9" |
40 |
PKGDIR="/usr/portage-packages/baby" |
41 |
PORTAGE_RSYNC_EXTRA_OPTS="--human-readable" |
42 |
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times |
43 |
--compress --force --whole-file --delete --delete-after --stats |
44 |
--timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages |
45 |
--filter=H_**/files/digest-*" |
46 |
PORTAGE_TMPDIR="/var/tmp" |
47 |
PORTDIR="/usr/portage" |
48 |
PORTDIR_OVERLAY="/usr/local/portage /usr/local/portage/bscharpf" |
49 |
SYNC="rsync://rsync.gentoo.org/gentoo-portage" |
50 |
USE="apache2 apm bash-completion berkdb bind-mysql cli cracklib crypt |
51 |
cups dhcp doc encode examples exim foomaticdb fortran gdbm geoip gif gpm |
52 |
gstreamer hal hardened imap imlib innodb ithreads java jpeg kerberos |
53 |
libclamav libg++ libwww midi mikmod mmx mode-owner mpm-leader mysql |
54 |
ncurses nls nptl nptlonly oav offensive pam pcre perl perlsuid pic png |
55 |
ppds python readline ruby samba search session slp spell ssl syslog tcpd |
56 |
tetex threads truetype unicode urandom usb virus-scan x86 xml xorg |
57 |
zaptel zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x |
58 |
ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 |
59 |
hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx |
60 |
via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare |
61 |
dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter |
62 |
mulaw multi null plug rate route share shm softvol" ELIBC="glibc" |
63 |
INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz |
64 |
cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en fr |
65 |
es" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev |
66 |
glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon |
67 |
rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident |
68 |
tseng v4l vesa vga via vmware voodoo" |
69 |
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, |
70 |
LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS |
71 |
|
72 |
|
73 |
baby pam.d # emerge -pv vsftpd |
74 |
|
75 |
These are the packages that would be merged, in order: |
76 |
|
77 |
Calculating dependencies... done! |
78 |
[ebuild R ] net-ftp/vsftpd-2.0.5-r3 USE="pam ssl tcpd -caps |
79 |
-logrotate (-selinux) -xinetd" 0 kB |
80 |
|
81 |
Total: 1 package (1 reinstall), Size of downloads: 0 kB |
82 |
|
83 |
|
84 |
baby pam.d # cat /etc/vsftpd/vsftpd.conf |
85 |
#
# Example vsftpd config file
#
# See man 5 vsftpd.conf for more information.
#
# $Header: /var/cvsroot/gentoo-x86/net-ftp/vsftpd/files/vsftpd.conf,v 1.3 2004/07/18 03:56:09 dragonheart Exp $

# Allow anonymous FTP?
# NOTE(review): anonymous logins are enabled alongside local accounts. If only
# account holders are meant to connect, anonymous_enable=NO reduces what the
# server exposes.
anonymous_enable=YES

# Uncomment this to allow local users to log in.
# NOTE(review): no ssl_enable line appears in this file, and vsftpd leaves SSL
# off unless it is set. Local account passwords would then cross the network in
# cleartext, even though the package is built with USE="ssl".
local_enable=YES

# Uncomment this to enable any form of FTP write command.
# NOTE(review): this is the global write switch. Anonymous uploads and mkdir
# stay off only because anon_upload_enable and anon_mkdir_write_enable are
# commented out below.
write_enable=YES

# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022

# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES

# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES

# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES

# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES

# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever

# Activate logging of uploads/downloads.
xferlog_enable=YES

# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES

# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd/vsftpd.log

# You may change the default value for timing out an idle session.
# NOTE(review): the value is in seconds. 12000 s is about 3.3 hours against a
# vsftpd default of 300, so idle sessions can hold server processes open for a
# long time.
idle_session_timeout=12000

# You may change the default value for timing out a data connection.
# NOTE(review): in seconds as well. 24000 s is about 6.7 hours against a
# default of 300, so a stalled transfer is kept open that long.
data_connection_timeout=24000

# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
# NOTE(review): "nobody" is usually shared with other services, so it is not the
# unique, isolated user the comment above asks for. A dedicated account fits
# better.
nopriv_user=nobody

# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES

# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES

# You may fully customise the login banner string:
ftpd_banner=Welcome to baby.espersunited.com FTP service.

# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/vsftpd.banned_emails

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# NOTE(review): chroot_local_user is not set in this file (vsftpd default NO)
# and the list is commented out, so local users are not confined to their home
# directories. They can browse whatever file permissions allow.
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/vsftpd.chroot_list

# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES

# NOTE(review): pasv_promiscuous=YES switches off the check that a PASV data
# connection comes from the same IP address as the control connection. The
# vsftpd man page says to enable it only if you know what you are doing (secure
# tunnelling or FXP). Leave it at the default NO unless one of those applies.
pasv_promiscuous=YES
# Run vsftpd as a standalone daemon that listens itself, rather than from an
# inetd.
listen=YES
212 |
|
213 |
|
214 |
baby pam.d # cat ftp |
215 |
# Provided by ftpbase (dont remove this line!)
# Standard pam.d file for ftp service packages.
#
# NOTE(review): as pasted, the $Header line below has no leading '#'. This is
# probably mail wrapping of "# $Header: ..."; confirm against the real file,
# because PAM would not read an uncommented $Header line as a valid rule.
$Header: /var/cvsroot/gentoo-x86/net-ftp/ftpbase/files/ftp-pamd-include,v 1.1 2005/06/28 14:52:26 uberlord Exp $

# Deny any user named in /etc/ftpusers.
# NOTE(review): the rule is shown split over two lines, most likely by mail
# wrapping. In the real file a PAM rule must sit on one line unless the line
# ends with a backslash.
# NOTE(review): onerr=succeed makes pam_listfile return success when the file
# cannot be opened or read, so the deny list fails open. onerr=fail is the
# fail-closed choice.
auth required pam_listfile.so item=user sense=deny
file=/etc/ftpusers onerr=succeed
# The password check itself comes from the system-auth stack, which is not
# shown here.
auth include system-auth

# If this is enabled, anonymous logins will fail because the 'ftp' user does
# not have a "valid" shell, as listed in /etc/shells.
#
# If you enable this, it is recommended that you do *not* give the 'ftp'
# user a real shell. Instead, give the 'ftp' user /bin/false for a shell and
# add /bin/false to /etc/shells.
# auth required pam_shells.so

# Account and session handling are delegated to the system-auth stack too.
account include system-auth

session include system-auth
237 |
|
238 |
|
239 |
Is all this correct? Is there something I'm missing? Please help! |
240 |
|
241 |
|
242 |
|