vsftpd any password work for local users
5,162
My vsftpd works correctly and doesn't allow any random password to be used. Here is the output of my configuration files.
# cat /etc/vsftpd.conf | grep -ve "^#.*"
listen=YES
anonymous_enable=NO
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
local_enable=YES
# cat /etc/pam.d/vsftpd | grep -ve "^#.*"
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
@include common-account
@include common-session
@include common-auth
auth required pam_shells.so
Hopefully that helps.
Related videos on Youtube
Comments
-
Matthieu almost 2 years
My setup of vsftpd allows for local users to login using their usual passwords and another set of users to login through a passwd file.
The problem I have now is that when using a local user's login, then any password is being accepted and can let the user login (the logins using the passwd file are ok).
Here is the vsftpd.conf:
$ cat /etc/vsftpd.conf | grep -v ^# listen=YES anonymous_enable=NO local_enable=YES write_enable=YES local_umask=066 anon_umask=066 dirmessage_enable=YES xferlog_enable=YES connect_from_port_20=YES chroot_local_user=YES chmod_enable=YES chroot_list_enable=YES secure_chroot_dir=/var/run/vsftpd pam_service_name=vsftpd rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key virtual_use_local_privs=YES user_sub_token=$USER local_root=/home/ftp/$USER guest_enable=YES guest_username=ftp
And the /etc/pam.d/vsftpd file:
$ cat vsftpd | grep -v ^# auth sufficient /lib/security/pam_pwdfile.so pwdfile /home/ftp/passwd auth required pam_shells.so account required pam_permit.so
Not sure if there is any other relevant file I should post (?)
-
Matthieu over 11 yearsDo you need to have all the users listed in /etc/ftpusers? or if the user already has a Unix account on that machine it is able to use it to login?
-
HelpyHelperton over 11 yearsThe file /etc/ftpusers is an exclusion list. You want to keep users out of there if they need to login. I use my regular account credentials to login via ftp, just as I would locally on the machine.
-
Matthieu over 11 yearsSo I found the right solution, that I need to replace pam_shells.so with pam_unix.so... from what I can find, pam_shells only check that the account exists, it does not really match the password (?)
-
HelpyHelperton over 11 yearsI believe that is the purpose of the @include files (/etc/pam.d/common-*)
-
Matthieu over 11 yearsI'll try that...