ProFTPD authentication failure

#1 Tue, 06/23/2009 - 09:27
mikelawford

Hi there.

I am running webmin 1.470 and virtualmin Version 3.67. I recently realised that I had not configured my proftpd - and as this would not install via webmin I finally followed one of your forums and installed proftpd version 1.30.

This then allowed me full access to proftpd config via webmin and allowed me to telnet to port 21. As well as this a netstat -tanpu told me that port was open and listening. All good so far.

I then entered virtualmin and clicked on one of the virtual sites, and then added a new FTP user. But when I tried to login with the username I keep getting prompted for a password. I had created the user with a password and so I entered this - but no matter what un/pw variations I try I keep getting blocked via my FTP client:

STATUS:> [2009/06/23 04:21:31 PM] Socket connected. Waiting for welcome message...
[2009/06/23 04:21:32 PM] 220 FTP Server ready.
STATUS:> [2009/06/23 04:21:32 PM] Connected. Authenticating...
COMMAND:> [2009/06/23 04:21:32 PM] USER diankeftp.dianke
[2009/06/23 04:21:32 PM] 331 Password required for diankeftp.dianke.
COMMAND:> [2009/06/23 04:21:32 PM] PASS *****
[2009/06/23 04:21:35 PM] 530 Login incorrect.
ERROR:> [2009/06/23 04:21:35 PM] Not logged in.
STATUS:> [2009/06/23 04:21:36 PM] Connection closed.

Looking in /var/log/messages I see:

FTP session opened. PAM(diankeftp.dianke): Authentication failure.

Why is this not authenticating the pw - is there perhaps a path wrong in the config that I have missed (where do virtual hosts add FTP users and pw's)??

Any and all help is much appreciated!

Thu, 06/25/2009 - 09:32
andreychek

The FTP usernames and passwords are kept with the rest of the system users (in /etc/passwd and shadow by default).

It looks like it doesn't think the username or password is right -- you can verify those by going into Edit Mail and FTP Users, and click the username in question.

I'd verify that the username is spelled correctly in there, and you can also verify the password on that screen.

-Eric

Thu, 06/25/2009 - 09:44
mikelawford

Hi Eric - thanks for the reply.

Unfortunately that's not the solution - I have double and triple checked username and password combos by doing exactly what you suggest - it just won't authenticate!

I had a look in the /etc/passwd file and I can see the user as well - the line looks like:

diankeftp.dianke:x:508:509:root:/home/dianke/public_html:/bin/false.

So still no luck??

Thanks, Mike

Thu, 06/25/2009 - 09:58
andreychek

Does /var/log/secure (or /var/log/auth.log) show any further info?

Is it just this user having trouble -- are other users able to log in via FTP?

-Eric

Thu, 06/25/2009 - 18:35
Joe

I've occasionally seen third party ProFTPd packages with broken PAM configuration (or other issues). Where did you get your new ProFTPd version from? Our ProFTPd packages are known to work...many others are known to not work.

--

Check out the forum guidelines!

Fri, 06/26/2009 - 05:18
mikelawford

Thanks again for the comments!

Eric : It's all users that I create, it's a problem with the full proftpd module....

I checked the /var/log/secure and see:

Jun 23 15:31:17 onduline proftpd: Deprecated pam_stack module called from service "proftpd"
Jun 23 15:31:17 onduline unix_chkpwd[27305]: password check failed for user (diankeftp.dianke)

This may be because as Joe says it is an incorrect version. The rpm I think I downloaded from a link in these forums - the rpm name is proftpd-1.3.0a-3.el4.i386.rpm. I have CentOS - can you provide a working FTP rpm that I can try? Also please let me know how I uninstall the non working rpm from webmin and re-install the new one.

Thanks!

Fri, 06/26/2009 - 08:03
andreychek

Howdy,

Well, ProFTP is normally installed along with the rest of Virtualmin if you use the install.sh script.

If you hadn't installed with the install.sh script, you can retrieve ProFTP from the Virtualmin software repository here:

http://software.virtualmin.com/gpl/centos/

Fri, 06/26/2009 - 08:11
mikelawford

Well somehow with us it wasn't or perhaps we made an error..

In any event how do I uninstall the incorrect proftpd version or do I not need to uninstall the old version?

I am using CentOS 5.2 so will be using proftpd-1.3.0a-3.el4.i386.rpm - which is exactly what I installed the first time????

Fri, 06/26/2009 - 10:41 (Reply to #8)
Joe

> I am using CentOS 5.2 so will be using proftpd-1.3.0a-3.el4.i386.rpm - which is exactly what I installed the first time????

You have a third party repository configured that we have no control over. Maybe it works, maybe it doesn't. We don't know, and we can't do anything about it, even if it is broken. ;-)

Edit: Oops. Actually, that is our package. Sorry. It should work. ;-)

2nd Edit for clarity: We usually build our packages with a "vm" in the version string, but in the case of straight rebuilds from EPEL we use the normal version string, so I'll know (and others can know) that it's a straight rebuild of the EPEL package with no changes.

Fri, 06/26/2009 - 08:55
andreychek

Yeah, if you used the install.sh, and didn't get ProFTP, something went awry along the way :-)

Hmm, I'm inclined to think at that point that reinstalling ProFTP won't help -- but if you just want to verify you have that straight, you could try:

rpm -Uvh --replacepkgs proftpd-1.3.0a-3.el4.i386.rpm

Mon, 06/29/2009 - 06:49
mikelawford

Hi - thanks for the feedback.

Just to be sure I reinstalled the correct version to check if that was where the error crept in:

rpm -Uvh --replacepkgs proftpd-1.3.0a-3.el4.i386.rpm
warning: proftpd-1.3.0a-3.el4.i386.rpm: Header V3 DSA signature: NOKEY, key ID a0bdbcf9
Preparing... ########################################### [100%]
1:proftpd ########################################### [100%]

When I tried again I get the same error. Looking at logs I see:

Deprecated pam_stack module called from service "proftpd"

USER diankeftp.dianke (Login failed): Incorrect password.

I even tried changing the password - it's not that.

So what now? I need a working FTP client but cannot reinstall the whole server - I will be here forever reconfiguring...

???

Mon, 06/29/2009 - 16:18 (Reply to #11)
andreychek

What do you get when you type these two commands:

  1. grep -i pam /etc/proftpd

  2. cat /etc/pam.d/proftpd

Tue, 06/30/2009 - 04:40 (Reply to #12)
mikelawford

Here you go:

grep -i pam /etc/proftpd
grep: /etc/proftpd: No such file or directory

cat /etc/pam.d/proftpd
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

Tue, 07/07/2009 - 04:51 (Reply to #13)
mikelawford

Hi guys - I posted my output - does this shed any light on this as I need to find a resolution one way or another?

Sun, 08/16/2009 - 21:06
DonPeek

I did a yum reinstall proftpd and watched it get it from the VM server.. and a pam reinstall

Still the same issue.. I am running Centos 5.3 ...

Don Peek

Mon, 08/17/2009 - 08:23
mikelawford

Nope - this was never resolved. If you find out how please do let me know. I keep hitting blanks!

Mon, 08/17/2009 - 09:23
sfbob

I have had similar problems on several machines. I believe (meaning I have not verified) it is related to some perl updates. Here's what I did and roughly where it happened:

  1. Build CentOS 5.2 box
  2. yum -y update yum (to get fastest mirror)
  3. yum -y update (brings machine to CentOS 5.3)
  4. wget virtualmin GPL install.sh
  5. run install.sh
  6. run virtualmin updates, brings webmin to 1.480 and virtualmin to 3.72
  7. create bogus domain (to catch invalid http requests, separate topic)
  8. create real domain

At this time I have a working box and proftpd works fine.

Then I wanted to install TWiki and updated perl. I believe something in this list caused proftpd to break.

  1. webmin > system > software packages > install gcc
  2. in shell perl -MCPAN -e script, answer geographic prompts and exit
  3. webmin > others > perl modules >> suggested modules
    4 modules not installed, install one at a time, I think order is 4 3 1 2, Authen::PAM gave me a lot of trouble with prerequisites, got past that
    Note: updating along the way did result in a mix of perl CPAN updates and yum updates, observed by some to be a bad mix
  4. installed application package (TWiki) that required perl
  5. identified and installed additional perl modules required by the package
  6. started working with the package and otherwise left the update process
  7. went to ftp something to the site and got access denied
  8. checked logs and found authorization message referred to above

Since I'm not a heavy ftp user, this could wait. But I've broken 3 machines this way.
Patient: It hurts when I do this
Doctor: Well, don't do that

Repositories for both yum and perl / CPAN are only what is installed by default, nothing special added.

If I get time, I will try to recreate and identify at what step in the process the proftpd breaks.

Fri, 12/25/2009 - 13:50 (Reply to #17)
sfbob

Other than normal module updates as recommended by the System Information screen, I have not done any research or worked on this.

FTP is now working. Answers to questions like Who? What? When? Where? Why? and How? are not available at this time.

Tue, 08/18/2009 - 08:44
mikelawford

OK so we think it's because of Perl updates. Either way it doesn't work anymore.... Can anyone provide a solution?

Tue, 08/18/2009 - 10:25
DonPeek

I have 2 systems, each with hundreds and hundreds of sites. The systems are as close to mirrors as I can keep.. For issues like this..

I did a compare from system to system and could not find an answer after hours..

So now I have one system running vsftpd when I gave up on proftpd and the other still running proftpd...

So -- I got a temp fix... Give up and wait

Don

Don Peek

Wed, 08/19/2009 - 07:40
mikelawford

Ok so should I install vsftpd? Is there a quick way (like via webmin or yum) to do so?

Wed, 08/19/2009 - 09:56
DonPeek

If you must... Yum can install vsftpd but it is not shown in the virtualmin status and is not controlled by the control panel.. But I have 536 websites on that server and I HAD to have a running FTP and as I could not find the problem, you do what you have to do... It was not that hard to config, the hardest part was coming up with a users like for the chroot. If you need help with that contact me off the list ...

I am still waiting.. and will check if all the updates.. One it may just start working.. You never know..

Don Peek Admin@coastlandtech.com

Don Peek

Mon, 08/24/2009 - 05:34
mikelawford

Well I have to have a working FTP program?!

Are there any alternative FTP programs that do work with Virtualmin's interface that I could easily install?

Mon, 08/24/2009 - 07:53
DonPeek

At times I do... I can not say it is a virtualmin problem.. A new fresh install of everything on a new server would work I am sure. Until someone of my 500 sites must have install something like your TWiki and broke it.. My other one is working.. STILL

I had no clue what broke it and to work on it I have to stop my running FTP program to mess with it.

I hope now you have a way it can be recreated someone may find a way to get it fixed.

Thanks Don

Don Peek

Mon, 08/24/2009 - 08:31
mikelawford

Ok so until someone finds a fix for this there is no way that I can run FTP from within virtualmin? I have to install something via yum like vsftpd......?

Mon, 08/24/2009 - 08:48
DonPeek

I just did http://www.virtualmin.com/node/11187 and who knows if you do also, we could get something looked at this...

Now, looking at it I may have done it wrong, I did a bug report, maybe you should do it as a support request. But the one other time I had an issue they helped a lot..

Don

Don Peek

Tue, 08/25/2009 - 15:19
DonPeek

These guys are good. !! .

You can check out what they did for me and see if that helps you.. http://www.virtualmin.com/node/11187

Thanks Don

Don Peek

Mon, 09/21/2009 - 06:59
mikelawford

OK I tried commenting out that line and restarting the proftpd service. Still no luck. As per my reply:

I commented out the line:

AuthOrder mod_auth_pam.c* mod_auth_unix.c

But still no luck. My logs show 'no such user' and :

Deprecated pam_stack module called from service "proftpd"
Sep 21 13:28:33 onduline unix_chkpwd[12561]: password check failed for user (dianke)

Any ideas?

Mon, 09/21/2009 - 10:30
DonPeek

Have you tried to change the order of that line.. make unix one first ??
Don

Don Peek

Wed, 09/23/2009 - 07:00
mikelawford

Well we are commenting out the line, Don. So it doesn't even get read....

Wed, 09/23/2009 - 14:28
DonPeek

I assumed you would uncomment it to try that.. I may try uncommenting the line and testing them one at a time.. I would believe that would both be some default or the line would not be used or needed to change something.. Swap order try one and then the other..

We are still assuming that some perl program has changed one of the modules that deals with PAM so getting proftp to use one that had not been changed is what seems like we are doing.. Still guessing.. that is..

Then when all else fails install vsftp and put in a help ticket..
Don ..

Don Peek

Fri, 09/25/2009 - 09:13
mikelawford

Thanks for your suggestions, Don. But that still doesn't solve anything....

I still see:

[root@onduline pam.d]# cat /etc/pam.d/proftpd
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth

And when I check /var/log/secure I still get incorrect password. Just can't get this to work.

Next suggestion??

Tue, 11/17/2009 - 19:05
jimmymarbles

I had the same problem and I finally figured it out.

In Webmin, go to Users and Groups

Click the newly created user

Change their shell from /bin/false to /bin/sh.

Cheers!

Tue, 11/17/2009 - 22:29
DonPeek

I will not use /bin/sh. I have hundreds of users and I don't trust anyone with sh... but me from my IP..

but .... /sbin/nologin is what is in my /etc/passwd and some /dev/null

And it seems like the setting in the "Custom Shell" has something to do with it.. I'm not sure where you set the default so you don't need to do it all the time.. Don.

Don Peek
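
The PAM file posted earlier in this thread contains `auth required pam_shells.so`, and pam_shells only accepts accounts whose login shell is listed in /etc/shells, which fits the /bin/false versus /sbin/nologin behaviour described in the two posts above. The following is an added example, not code from any poster or from Virtualmin: a Python check over constructed copies of those files, where the /etc/shells contents and the second passwd entry are assumptions.

```python
import re

# Constructed inputs modelled on the files quoted in this thread.
PAM_PROFTPD = """\
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
"""
PASSWD = """\
diankeftp.dianke:x:508:509:root:/home/dianke/public_html:/bin/false
dianke:x:507:509::/home/dianke:/bin/bash
"""  # second entry is an assumed, constructed account
ETC_SHELLS = "/bin/sh\n/bin/bash\n/sbin/nologin\n"  # assumed contents

# type, control (simple word or [bracketed]), module, optional args
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return (type, control, module, args) tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            rules.append(m.groups())
    return rules


def audit(pam_text, passwd_text, shells_text):
    """List (kind, detail) findings for a PAM service file and passwd data."""
    rules = parse_pam(pam_text)
    # pam_stack.so is what the logs in this thread report as deprecated.
    findings = [("deprecated-module", f"{t} {m}")
                for t, _, m, _ in rules if m.endswith("pam_stack.so")]
    enforced = any(t == "auth" and c in ("required", "requisite")
                   and m.endswith("pam_shells.so") for t, c, m, _ in rules)
    valid = {s.strip() for s in shells_text.splitlines()
             if s.strip() and not s.lstrip().startswith("#")}
    for entry in passwd_text.splitlines() if enforced else []:
        parts = entry.strip().split(":")
        if len(parts) != 7 or not parts[6]:
            continue  # malformed line or empty shell field: not assessed
        if parts[6] not in valid:
            findings.append(("shell-not-in-etc-shells", f"{parts[0]} {parts[6]}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(PAM_PROFTPD, PASSWD, ETC_SHELLS):
        print(f"{kind}: {detail}")
```

To run it against a live host, pass the contents of /etc/pam.d/proftpd, /etc/passwd and /etc/shells to `audit`. ProFTPD's own `RequireValidShell` directive applies the same /etc/shells test independently of PAM.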

Fri, 12/25/2009 - 13:52
MarkThomas

I, too, have had difficulties with ProFTPD and CentOS. Some time ago, I ran into this article on setting CentOS up with a different Virtual Server manager. Notice the part about ProFTPD. It appears from the article that CentOS has no ProFTPD package of its own.

(Link: http://www.howtoforge.org/perfect-server-centos-5.3-i386-ispconfig-2-p6)

I've tried configuring multiple servers as shown in the article. ProFTPD works when I make things myself as shown. It seems that when I yum update, though, things go nutty on me. Right now, I have the same problems on a fresh install of Virtualmin that the rest of you have. I'm using CentOS 5.4. Right now, I'm tempted to try removing the current version of ProFTPD and then build one ... to see if that works.

- Mark

Fri, 12/25/2009 - 20:14 (Reply to #35)
MarkThomas

It may be the way I'm doing it. But I'm getting a bit fed up with CentOS. Time for a breather.

Sat, 12/26/2009 - 04:15
ronald

centos has vsftp not proftp. There is nothing wrong with centos.
normally centos and proftp work fine together after using the install.sh on a minimal OS installation.

Following the ispconfig tutorial may not be your best option as it is a different panel.

Sat, 12/26/2009 - 08:55
MarkThomas

I've been using install.sh since Fedora Core 6.

Sat, 12/26/2009 - 08:56
MarkThomas

If I cannot make it work, I will look at any resource I can find.

Wed, 07/14/2010 - 12:58
edwinzhang

I met the same problem before.

The reason is simple: SELinux

SELinux is preventing the ftp daemon from reading users home directories (/home)

The fix is simple:

login as root, then

setsebool -P ftp_home_dir 1

Thu, 02/10/2011 - 01:30
chasedoggy

K - I tried everything I could read about this and finally found a solution. So, I hope this works for all of you who are having the same issue.

I added the following line to the /etc/proftpd.conf file:

<Limit EPSV PASV>
DenyAll
</Limit>

I'm using CentOS 5.5 Virtualmin... 3.83.gpl GPL Webmin: 1.530 ProFTPd version 1.32

It was found in the following article:

http://ubuntuforums.org/showthread.php?s=ddb0180d796638d614729e93bedde0c1&t=220071&page=2

Thank you Ryan... you were a big help.

Thu, 02/10/2011 - 12:23
helpmin

please see my answer to your duplicate posting at http://www.virtualmin.com/node/11212#comment-76284

Sat, 04/28/2012 - 04:09
Anturaju93

This happened to me now when I updated proftpd to a new version from RPMFORGE. Now I can't login to ftp anymore. How can I remove the new version and install the old one back?

Sat, 04/28/2012 - 11:24
Anturaju93

To fix it I did yum downgrade proftpd then I replaced /etc/proftpd.conf with proftpd.conf.rpmnew
