Bug 922298
| Summary: | Logged-in user can't work with FTPS protocol |
|---|---|
| Product: | [Fedora] Fedora |
| Component: | vsftpd |
| Version: | 18 |
| Status: | CLOSED NOTABUG |
| Severity: | unspecified |
| Priority: | unspecified |
| Reporter: | Matthew Saltzman <mjs> |
| Assignee: | Jiri Skala <jskala> |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| CC: | aglotov, jskala, jsynacek, nagy.martin |
| Flags: | jskala: needinfo? |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Doc Type: | Bug Fix |
| Last Closed: | 2013-04-27 08:10:21 UTC |
| Type: | Bug |

Description
Matthew Saltzman
2013-03-16 04:13:52 UTC
Anonymous user can ls just fine.

Hi,
this works for me, I'm not able to reproduce it. Please, could you provide me the following logs?

A. output of
   $ lftp -d -u mjs jeeves

B. if there is no clear root cause from the previous output, then please CHANGE the password of the user mjs temporarily and then do the following steps:
   1. # ps -FC vsftpd ; get the pid of the process that has PPID=1
   2. # strace -f -o <logname> -p <vsftpd_pid>
   3. $ lftp -u mjs jeeves, ----> ls, stop and quit
   4. stop strace and send me the log file

Finally you can restore the original password. It will be contained in the log file, so this is the reason for the temporary change.

Thanks, Jiri

Created attachment 718095
Normal ftp from client side (lftp)

Created attachment 718096
Secure ftp from the client side (lftp)

Created attachment 718097
Normal ftp from server side (strace)

Created attachment 718099
Secure ftp from the server side (strace)

Attached logs from both sides (different sessions on the client side and the server side, but the same actions in all four cases)--passwords and some filenames edited out. The secure session on the client side fails to connect for the listing exchange with a socket error. It uses a data port in quite a different range from the normal session. That was the only difference on the client side. Wasn't sure what to look for on the server side.

Hi,
it works for me when the packet filtering is switched off or correctly configured. So I suppose your troubles are caused by packet filtering. You can verify it by switching off packet filtering. Then you should extend your configuration the following way:

/etc/vsftpd/vsftpd.conf:
pasv_min_port=40000
pasv_max_port=40100

/etc/sysconfig/iptables (of course if you use the INPUT chain directly, or adjust):
-A INPUT -p tcp -m state --state NEW --dport 40000:40100 -j ACCEPT

service vsftpd restart
service iptables restart

The example is for RHEL-6. So you will replace 'service ...' by 'systemctl ...', and packet filtering depends on usage of iptables/firewalld.

Let me know if it works when packet filtering is switched off.

Best regards
Jiri

Yes, that works. It would be nice if this were documented someplace where it would be encountered when setting up vsftpd. One question: why does it work without the firewall setting for anonymous users? That is one reason I didn't think to suspect the firewall. Thanks.

> It would be nice if this were documented someplace where it would be encountered when setting up vsftpd.

There is a little remark (I agree a bit unclear) in the vsftpd.conf man page:

pasv_max_port
    The maximum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.

as well as here:
https://docs.fedoraproject.org/en-US/Fedora/16/html/System_Administrators_Guide/s2-ftp-vsftpd-conf.html

You are right, this should be improved.

> why does it work without the firewall setting for anonymous users?

Anonymous doesn't work either when the packet filtering isn't set correctly. I guess it works for you because your anonymous connection doesn't use ssl. Try using lftp with the following settings:

set ftp:ssl-allow-anonymous yes
set ftp:ssl-protect-data yes

Closing this bug.
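
A consistency check for the fix given in this thread, as an added example that is not part of the bug report or of vsftpd: it reads a vsftpd.conf and an iptables rules file and lists the passive ports the firewall would still block. The function names and both sample inputs are constructed, and only plain `--dport` ACCEPT rules in one chain are recognised (no multiport, source matches or custom chains).

```python
# Constructed sample inputs mirroring the settings quoted in the thread.
SAMPLE_VSFTPD_CONF = "ssl_enable=YES\npasv_min_port=40000\npasv_max_port=40100\n"
SAMPLE_IPTABLES = """\
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 40000:40100 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def pasv_range(conf_text):
    """Return (min, max) passive ports from vsftpd.conf text, or None if unset."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    lo, hi = int(opts.get("pasv_min_port", 0)), int(opts.get("pasv_max_port", 0))
    # 0 means "any port" to vsftpd, so there is no fixed range to open.
    return (lo, hi) if 0 < lo <= hi else None

def accepted_tcp_ranges(rules_text, chain="INPUT"):
    """List (lo, hi) of TCP --dport ACCEPT rules that are reachable in the chain."""
    ranges = []
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:3] == ["-A", chain, "-j"] and tok[3:4] in (["REJECT"], ["DROP"]):
            break  # unconditional reject/drop: rules appended after it never match
        if tok[:2] != ["-A", chain] or tok[-2:] != ["-j", "ACCEPT"]:
            continue
        if "-p" not in tok or "--dport" not in tok or tok[tok.index("-p") + 1] != "tcp":
            continue
        lo, _, hi = tok[tok.index("--dport") + 1].partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def uncovered_ports(conf_text, rules_text):
    """Return passive ports no ACCEPT rule covers; None if no range is configured."""
    rng = pasv_range(conf_text)
    if rng is None:
        return None
    ranges = accepted_tcp_ranges(rules_text)
    return [p for p in range(rng[0], rng[1] + 1)
            if not any(lo <= p <= hi for lo, hi in ranges)]

if __name__ == "__main__":
    print("passive range:", pasv_range(SAMPLE_VSFTPD_CONF))
    print("blocked passive ports:", uncovered_ports(SAMPLE_VSFTPD_CONF, SAMPLE_IPTABLES))
```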