[K12OSN] Help, please: can't get VSFTP to work

Petre Scheie petre at maltzen.net
Tue Mar 21 22:06:04 UTC 2006


Ah, the old 'I want to use the same tool I've always used' customer.  This teacher's 
website is not on a publicly exposed box, right?  That is, this is just for internal 
use, right?  Otherwise, tell him it's like buying a sports car with the windows 
permanently rolled down, and parking it in a bad neighborhood: it's just asking to be 
compromised.

With that said--I've been in similar situations--is xinetd installed?  If you run 
'chkconfig --list xinetd' what do you get?  If nothing, try running 'rpm -qa |grep 
xinetd'; if that comes up empty, then xinetd isn't installed.  Then use yum to install 
it.  If it IS installed, try running 'service xinetd status' to see if it's running or 
not; run 'service xinetd start' if it isn't.  Once that's running, look in 
/etc/xinetd.d/ for a config file for vsftpd.  If there is a file there for it, look 
inside the file; most files placed in /etc/xinetd.d/ have a 'Disable = yes' setting by 
default, that you need to change to 'Disable = no', and then restart/reload xinetd.  HTH.

Petre

john wrote:
> Hi Petre,
> 
> I agree with you on all counts. Sadly, this box has to allow a teacher
> access via ftp because the teacher wants to manage his website via an
> OS9.x ver. of Pagemill which doesn't support sftp.
> 
> John
> 
> On 3/21/06, Petre Scheie <petre at maltzen.net> wrote:
>> Not to change the subject, but rather than fooling around with an FTP daemon, use ssh
>> instead.  It includes the sftp daemon, and if you can ssh into the box, sftp should work
>> with no further configuration.  On the client side, assuming people are coming from
>> Windows, have them use WinSCP or FileZilla (although FileZilla has a bug that prevents
>> the DOS-to-Unix conversion of ASCII mode from working).  Plain FTP passes IDs and PWs in
>> clear text which is frowned upon for security reasons.
>>
>> Petre
>>
>> john wrote:
>>> Hi all,
>>>
>>> I haven't been able to get vsftp to run under FC4 and I was wondering
>>> if anyone had any clues for me or had had similar issues.
>>>
>>> I am trying to get it to run under xinet.d so that I can use
>>> tcpwrappers in order that VSFTP honor my hosts.allow hosts.deny files.
>>> The default rpm package for FC4 uses pam for authentication and I
>>> haven't made any alterations to /etc/pam/vsftpd.
>>>
>>> I assume that support for tcp_wrappers was built into the rpm package
>>> but I don't know how to check this, the binary has been stripped of
>>> comments.
>>>
>>> I don't have any way to start and stop xinetd as a service since it's
>>> not linked from /etc/init.d/  can anyone set me straight here?
>>>
>>> When I do /etc/init.d/vsftpd start I get a message saying ok
>>> then when I do /etc/init.d/vsftpd status I get:
>>>
>>> /etc/init.d/vsftpd status
>>> vsftpd dead but subsys locked
>>>
>>> Your help is greatly appreciated.
>>>
>>>
>>>
>>>
>>>
>>> --------
>>>
>>>
>>> Here's my /etc/xinetd.d/vsftpd file
>>>
>>> default: on
>>> # description: The vsftpd FTP server serves FTP connections. It uses \
>>> # normal, unencrypted usernames and passwords for authentication.
>>> service ftp
>>> {
>>> disable = no
>>> socket_type = stream
>>> wait = no
>>> user = root
>>> server = /usr/sbin/vsftpd
>>> nice = 10
>>> }
>>>
>>> and here's my vsftpd.conf file
>>>
>>>
>>> # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
>>> anonymous_enable=NO
>>> #
>>> # Uncomment this to allow local users to log in.
>>> local_enable=YES
>>> #
>>> # Uncomment this to enable any form of FTP write command.
>>> write_enable=YES
>>> #
>>> # Default umask for local users is 077. You may wish to change this to 022,
>>> # if your users expect that (022 is used by most other ftpd's)
>>> local_umask=022
>>> #
>>> # Uncomment this to allow the anonymous FTP user to upload files. This only
>>> # has an effect if the above global write enable is activated. Also, you will
>>> # obviously need to create a directory writable by the FTP user.
>>> #anon_upload_enable=YES
>>> #
>>> # Uncomment this if you want the anonymous FTP user to be able to create
>>> # new directories.
>>> #anon_mkdir_write_enable=YES
>>> #
>>> # Activate directory messages - messages given to remote users when they
>>> # go into a certain directory.
>>> dirmessage_enable=YES
>>> #
>>> # Activate logging of uploads/downloads.
>>> xferlog_enable=YES
>>> #
>>> # Make sure PORT transfer connections originate from port 20 (ftp-data).
>>> connect_from_port_20=YES
>>> #
>>> # If you want, you can arrange for uploaded anonymous files to be owned by
>>> # a different user. Note! Using "root" for uploaded files is not
>>> # recommended!
>>> #chown_uploads=YES
>>> #chown_username=whoever
>>> #
>>> # You may override where the log file goes if you like. The default is shown
>>> # below.
>>> #xferlog_file=/var/log/vsftpd.log
>>> #
>>> # If you want, you can have your log file in standard ftpd xferlog format
>>> xferlog_std_format=YES
>>> #
>>> # You may change the default value for timing out an idle session.
>>> #idle_session_timeout=600
>>> #
>>> # You may change the default value for timing out a data connection.
>>> #data_connection_timeout=120
>>> #
>>> # It is recommended that you define on your system a unique user which the
>>> # ftp server can use as a totally isolated and unprivileged user.
>>> #nopriv_user=ftpsecure
>>> #
>>> # Enable this and the server will recognise asynchronous ABOR requests. Not
>>> # recommended for security (the code is non-trivial). Not enabling it,
>>> # however, may confuse older FTP clients.
>>> #async_abor_enable=YES
>>> #
>>> # By default the server will pretend to allow ASCII mode but in fact ignore
>>> # the request. Turn on the below options to have the server actually do ASCII
>>> # mangling on files when in ASCII mode.
>>> # Beware that turning on ascii_download_enable enables malicious remote parties
>>> # to consume your I/O resources, by issuing the command "SIZE /big/file" in
>>> # ASCII mode.
>>> # These ASCII options are split into upload and download because you may wish
>>> # to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
>>> # without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
>>> # on the client anyway..
>>> #ascii_upload_enable=YES
>>> #ascii_download_enable=YES
>>> #
>>> # You may fully customise the login banner string:
>>> ftpd_banner=Welcome to VISD FTP service.
>>> #
>>> # You may specify a file of disallowed anonymous e-mail addresses. Apparently
>>> # useful for combatting certain DoS attacks.
>>> #deny_email_enable=YES
>>> # (default follows)
>>> #banned_email_file=/etc/vsftpd/banned_emails
>>> #
>>> # You may specify an explicit list of local users to chroot() to their home
>>> # directory. If chroot_local_user is YES, then this list becomes a list of
>>> # users to NOT chroot().
>>> #chroot_list_enable=YES
>>> # (default follows)
>>> #chroot_list_file=/etc/vsftpd/chroot_list
>>> #
>>> # You may activate the "-R" option to the builtin ls. This is disabled by
>>> # default to avoid remote users being able to cause excessive I/O on large
>>> # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
>>> # the presence of the "-R" option, so there is a strong case for enabling it.
>>> #ls_recurse_enable=YES
>>>
>>> pam_service_name=vsftpd
>>> userlist_enable=YES
>>> #enable for standalone mode
>>> #listen=YES
>>> tcp_wrappers=YES
>>>
>>>
>>> Here's my /etc/pam.d/vsftpd file
>>>
>>> [root@localhost ~]# cat /etc/pam.d/vsftpd
>>> #%PAM-1.0
>>> auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
>>> auth       required     pam_stack.so service=system-auth
>>> auth       required     pam_shells.so
>>> account    required     pam_stack.so service=system-auth
>>> session    required     pam_stack.so service=system-auth
>>>
>>> _______________________________________________
>>> K12OSN mailing list
>>> K12OSN at redhat.com
>>> https://www.redhat.com/mailman/listinfo/k12osn
>>> For more info see <http://www.k12os.org>
>>>

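The checks discussed in this thread (xinetd `disable` setting, standalone `listen`, `tcp_wrappers`, anonymous login, libwrap linkage), collected into one shell script as an added example; it is not part of the original messages or of any vsftpd or xinetd tooling. The function names and the sample files are constructed for illustration, the `listen` check assumes a vsftpd of this era where standalone mode is off unless set, and the libwrap check assumes the library is dynamically linked.

```shell
# Value of an attribute inside an xinetd service block (e.g. "disable").
xinetd_attr() {   # $1=file  $2=attribute
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Value of an uncommented key=value option in vsftpd.conf (last one wins).
vsftpd_opt() {    # $1=file  $2=option
    sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1
}

# True if the binary is dynamically linked against libwrap (tcp_wrappers).
linked_with_libwrap() { ldd "$1" 2>/dev/null | grep -q libwrap; }

# Print one line per problem; the return status is the number of findings.
check_vsftpd_xinetd() {   # $1=xinetd service file  $2=vsftpd.conf
    n=0
    [ "$(xinetd_attr "$1" disable)" = "no" ] ||
        { echo "xinetd: service not enabled (disable is not 'no')"; n=$((n+1)); }
    [ "$(vsftpd_opt "$2" listen)" != "YES" ] ||
        { echo "vsftpd: listen=YES is standalone mode, not usable under xinetd"; n=$((n+1)); }
    [ "$(vsftpd_opt "$2" tcp_wrappers)" = "YES" ] ||
        { echo "vsftpd: tcp_wrappers not YES, hosts.allow/hosts.deny are ignored"; n=$((n+1)); }
    [ "$(vsftpd_opt "$2" anonymous_enable)" = "NO" ] ||
        { echo "vsftpd: anonymous login not disabled (allowed when unset)"; n=$((n+1)); }
    return "$n"
}

# Constructed sample input (not the poster's files): a service file left at
# 'disable = yes' and a vsftpd.conf still configured for standalone mode.
d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
cat > "$d/xinetd-vsftpd" <<'EOF'
service ftp
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
}
EOF
cat > "$d/vsftpd.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
listen=YES
#tcp_wrappers=YES
EOF
check_vsftpd_xinetd "$d/xinetd-vsftpd" "$d/vsftpd.conf" || echo "findings: $?"
if linked_with_libwrap /usr/sbin/vsftpd; then echo "vsftpd links libwrap"; fi
```

On a real host, pass `/etc/xinetd.d/vsftpd` and the installed `vsftpd.conf` to `check_vsftpd_xinetd` instead of the sample files.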


