Bug 191147

Summary: after FC4 upgrade to FC5 vsftpd does not handle login properly.
Product: [Fedora] Fedora Reporter: Karlis Kisis <spam>
Component: vsftpdAssignee: Radek Vokál <rvokal>
Status: CLOSED RAWHIDE QA Contact: Mike McLean <mikem>
Severity: medium Docs Contact:
Priority: medium    
Version: 5Keywords: FutureFeature
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 2.0.5-1 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-07-12 13:37:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Karlis Kisis 2006-05-09 08:12:44 UTC
Description of problem:

I was using vsftpd on Fedora Core 4 (vsftpd-2.0.3-1.i386.rpm) and I configured
it with no anonymous access, however, Internet Explorer gave a login prompt
whenever I opened ftp://myserver in the browser and that was convenient way for
my users to enter username and password. So the result was: no anonymous access,
but IE prompted for username and password. When I upgraded to Fedore Core 5
(vsftpd-2.0.4-1.2.i386.rpm) this feature/tweak does not work anymore and I don't
get login prompt.

Fedora Core 4 vs Fedora Core 5. On FC4 all works fine.. when IE connects as
anonymous and is denied, a login prompt for username and password pops up. On
any FC5 it does not. I'm lost. maybe because pam.d config has changed a bit?

Here is my vsftpd config identical on all machines:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
(the rest is default)

Pam config on FC4:
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=allow
file=/etc/vsftpd/ftpusers onerr=fail
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

Pam config on FC5:
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=allow
file=/etc/vsftpd/ftpusers onerr=fail
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so

Best regards,
Piccolo 


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Radek Vokál 2006-05-09 08:19:45 UTC
Is SELinux turned on? If so, you have to allow anonymous connections. 

Comment 2 Karlis Kisis 2006-05-09 08:25:31 UTC
SELinux is disabled. Anonymous works if enabled in vsftpd.conf but thats not the
issue. The issue is that browsers after receiving denial for anonymous login do
not prompt for username and password as before. 

Comment 3 Radek Vokál 2006-05-11 08:43:04 UTC
Aha, my first answer was too quick, sorry for that. The change you mention
happened with vsftpd 2.0.4 (see the very first line in ChangeLog). I don't know
the exact background of this change, you might want to ask upstream maintainer,
but I personally like this solution. It respects the way command line ftp client
is working, eg. it the old version, you've never seen the result why anonymous
login was rejected. Now the correct error message 530 defined by FTP protocol is
shown up. There might be a solution for this, new configuration option. I'll
store this bug as enhacement and look at it later on... 

Comment 4 Radek Vokál 2006-07-12 13:37:06 UTC
Can you please retest this bug against vsftpd-2.0.5. According to 2.0.5
Changelog it should be fixed now (
ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.5/Changelog )