Does vsftpd support user subcommand?

Red Hat
#1 bestard (Registered User), 2 Weeks Ago
Does vsftpd support user subcommand?

I'm wondering if vsftpd supports the user subcommand.
I found I can't switch user after ftp login.
Maybe someone can give me a definite answer.

I always got the message as below,

Quote:
mastest.user1{~ }% ftp mastest
Connected to mastest (172.26.80.149).
220 (vsFTPd 2.2.2)
Name (mastest:user1): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> user user2
530 Can't change to another user.
Login failed.
I enabled log_ftp_protocol=YES and checked the vsftpd.log,
it didn't help much actually. The log file only showed the following message.

Quote:
Thu Aug 31 12:10:03 2017 [pid 12581] FTP response: Client "172.26.80.149", "220 (vsFTPd 2.2.2)"
Thu Aug 31 12:10:05 2017 [pid 12581] FTP command: Client "172.26.80.149", "USER user1"
Thu Aug 31 12:10:05 2017 [pid 12581] [user1] FTP response: Client "172.26.80.149", "331 Please specify the password."
Thu Aug 31 12:10:07 2017 [pid 12581] [user1] FTP command: Client "172.26.80.149", "PASS <password>"
Thu Aug 31 12:10:07 2017 [pid 12580] [user1] OK LOGIN: Client "172.26.80.149"
Thu Aug 31 12:10:07 2017 [pid 12582] [user1] FTP response: Client "172.26.80.149", "230 Login successful."
Thu Aug 31 12:10:07 2017 [pid 12582] [user1] FTP command: Client "172.26.80.149", "SYST"
Thu Aug 31 12:10:07 2017 [pid 12582] [user1] FTP response: Client "172.26.80.149", "215 UNIX Type: L8"
Thu Aug 31 12:10:16 2017 [pid 12582] [user1] FTP command: Client "172.26.80.149", "USER user2"
Thu Aug 31 12:10:16 2017 [pid 12582] [user1] FTP response: Client "172.26.80.149", "530 Can't change to another user."
I didn't change many default settings in vsftpd.conf; however, it may be worth taking a look.


Code:
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=NO
ascii_upload_enable=YES
ascii_download_enable=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
use_localtime=YES
log_ftp_protocol=YES

What can I do to switch users after ftp login using vsftpd?
I hope someone can give me suggestions. Thanks.
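As an added example (not from the thread or from vsftpd itself): a small Python parser for the log format produced by log_ftp_protocol=YES, as quoted above, that flags USER commands sent by a client after it has already completed a login, which is exactly the condition behind the "530 Can't change to another user." response. The sample log lines are constructed in that format; the field names and the (client, user) session key are choices made here, not anything vsftpd defines.

```python
import re
# Shape of one line vsftpd writes with log_ftp_protocol=YES, as quoted in
# the thread. The "[user]" tag only appears once the client has sent USER.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]+)\] )?(?P<kind>FTP command|FTP response|OK LOGIN): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<payload>.*)")?$'
)

# Constructed sample in that format: one session that tries USER after
# login (the thread's case) and one that logs in normally.
SAMPLE_LOG = """\
Thu Aug 31 12:10:05 2017 [pid 12581] FTP command: Client "172.26.80.149", "USER user1"
Thu Aug 31 12:10:07 2017 [pid 12581] [user1] FTP command: Client "172.26.80.149", "PASS <password>"
Thu Aug 31 12:10:07 2017 [pid 12580] [user1] OK LOGIN: Client "172.26.80.149"
Thu Aug 31 12:10:16 2017 [pid 12582] [user1] FTP command: Client "172.26.80.149", "USER user2"
Thu Aug 31 12:10:16 2017 [pid 12582] [user1] FTP response: Client "172.26.80.149", "530 Can't change to another user."
Thu Aug 31 12:11:02 2017 [pid 12590] FTP command: Client "10.0.0.7", "USER user3"
Thu Aug 31 12:11:04 2017 [pid 12589] [user3] OK LOGIN: Client "10.0.0.7"
"""

def parse_line(line):
    """Return the fields of one protocol-log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def find_user_switch_attempts(log_text):
    """Return (USER-after-login attempts, count of "530 Can't change" responses).

    vsftpd forks per connection, so the pid changes between the command and
    the OK LOGIN line; sessions are therefore keyed on (client, user tag).
    """
    logged_in = set()  # (client, user) pairs that have seen OK LOGIN
    attempts, rejected = [], 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["user"] is None:
            continue  # unparseable, or the client has not sent USER yet
        key = (rec["client"], rec["user"])
        payload = rec["payload"] or ""
        if rec["kind"] == "OK LOGIN":
            logged_in.add(key)
        elif rec["kind"] == "FTP command" and payload.startswith("USER "):
            requested = payload.split(None, 1)[1]
            if key in logged_in and requested != rec["user"]:
                attempts.append({"ts": rec["ts"], "client": rec["client"],
                                 "logged_in_as": rec["user"], "requested": requested})
        elif rec["kind"] == "FTP response" and payload.startswith("530 Can't change"):
            rejected += 1
    return attempts, rejected
```

Feeding a real vsftpd.log into find_user_switch_attempts gives a quick count of how often clients try to re-issue USER after login, which helps tell a misconfigured script like the one in this thread from something worth investigating.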
#2 jim mcnamara (Forum Staff), 2 Weeks Ago
pam_service_name is what you need to check - PAM is a (usually) optional authorization control mechanism. And it clearly supports user change and is blocked as a possible security issue.

You did not specify your OS, but RH used to have /etc/pam.d/vsftpd that you can modify. I do not know if that is still correct or not - probably not. Just be sure to keep a backup.

#3 bestard (Registered User), 2 Weeks Ago
Quote: Originally Posted by jim mcnamara
pam_service_name is what you need to check - PAM is a (usually) optional authorization control mechanism. And it clearly supports user change and is blocked as a possible security issue.

You did not specify your OS, but RH used to have /etc/pam.d/vsftpd that you can modify. I do not know if that is still correct or not - probably not. Just be sure to keep a backup.
Thank you for the response.
I've tried vsftpd on both RHEL 6.5 and RHEL 5.7; both had the same issue. I did check pam_service_name, but I had no clue how to fine-tune it. Would you please give me some suggestions?

I forgot to mention the vsftpd versions:
vsftpd-2.0.5-21.el5 for RHEL 5
vsftpd-2.2.2-11.el6_4.1.x86_64 for RHEL 6


Code:
[root@mastest pam.d]# more /etc/pam.d/vsftpd
--
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

[root@mastest pam.d]# more /etc/vsftpd/ftpusers 
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody

#4 Corona688 (Forum Staff), 2 Weeks Ago
Do not mess with PAM unless you are in easy driving distance of the system, have a rescue CD and the technical know-how to fix it by hand. Even then, give it a couple of second thoughts. The risks of altering PAM are very high. You can easily render your system unbootable, un-login-able, or open security holes you could only discover by accident (or intentional intrusion).

Why do you need to change users after an FTP login? Why not login as the user you wanted to login as in the first place?

Why do you need to use FTP at all?

Explain your problem in more detail and we can probably find better solutions.
#5 bestard (Registered User), 2 Weeks Ago
Quote: Originally Posted by Corona688
Do not mess with PAM unless you are in easy driving distance of the system, have a rescue CD and the technical know-how to fix it by hand. Even then, give it a couple of second thoughts. The risks of altering PAM are very high. You can easily render your system unbootable, un-login-able, or open security holes you could only discover by accident (or intentional intrusion).

Why do you need to change users after an FTP login? Why not login as the user you wanted to login as in the first place?

Why do you need to use FTP at all?

Explain your problem in more detail and we can probably find better solutions.
Thank you for the reminder.
I don't have any intention to alter or replace PAM, actually.
I'm just wondering whether any variables can be added or adjusted in the vsftpd PAM file to solve the USER command issue. Altering the PAM file is not necessary for me.
If there are other ways to solve the issue, that would be fine.

We have some in-house utilities that work across different domains.
Those utilities are served to users.
A user can run programs and upload data to a partially public account.

The program generates an ftp script that includes changing the user's account
to the public account "design" and then runs the script to upload data.
The program designer uses .netrc to avoid inputting passwords.
It's a little bit complicated to explain the designer's needs in detail.
I got a part of the designer's code, as below:


Code:
# upload database to the "design" account
# the "design" account is a public account with 755 permission.
# make sure .netrc has an entry for "design" so ftp auto-logs in as that user
if(!(-e $HOME/.netrc)) then
        echo machine host login design password password >> $HOME/.netrc
        chmod 600 $HOME/.netrc
else if("`grep design $HOME/.netrc`" == "") then
        echo machine host login design password password >> $HOME/.netrc
endif

# write a small sh script (cts.ftp) that feeds an ftp session from a here-document
echo ftp host \> ftp.log \<\<\! > cts.ftp
echo user design password >> cts.ftp
echo mkdir $argv[1] >> cts.ftp
echo cd $argv[1] >> cts.ftp
echo bi >> cts.ftp
echo put ${cid}_cts.zip >> cts.ftp
echo bye >> cts.ftp
echo \! >> cts.ftp

# run the generated script, then remove it
chmod 700 cts.ftp
cts.ftp
rm -f cts.ftp

I know it's an outdated coding style, since using .netrc is risky and unsafe. There is some historical background behind it.
Let's just focus on solving the issue.

Any suggestion would be appreciated. Thanks.

#6 bestard (Registered User), 1 Week Ago
Nobody's here?

Well, I found my workaround. The "ftp" command has the "-n" argument to suppress using .netrc for auto-login.
That allows us to connect with ftp first and then decide the login ID.
We can capitalize on this to solve our issue.

I don't know if there is a better solution.
So, I may keep this post open for a while.
#7 Corona688 (Forum Staff), 1 Week Ago
That looks to me like a far better solution than playing with your PAM settings. There's just too much security risk in letting users play games with their logins after login.