Problem mit FTP Usern

[Prespawn]

Hi,
ich habe auf meinem Rootserver proFTPd installiert doch habe ein Problem mit den FTP-Benutzern...

Betriebssystem: Debian 3.1 sarge

proFTPd.conf:

Code:

#
# /etc/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#

ServerName "Debian"
ServerType standalone
DeferWelcome off

DefaultRoot ~

MultilineRFC2228 on
DefaultServer on
ShowSymlinks on

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

DisplayLogin                    welcome.msg
DisplayFirstChdir               .message
ListOptions                "-l"

DenyFilter \*.*/

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
PersistentPasswd on

# Uncomment this if you would use TLS module:
#TLSEngine on

# Uncomment this if you would use quota module:
#Quotas on

# Uncomment this if you would use ratio module:
#Ratios on

# Port 21 is the standard FTP port.
Port 21

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022  022
# Normally, we want files to be overwriteable.
AllowOverwrite on

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
#DelayEngine off

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
#   User ftp
#   Group nogroup
#   # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias anonymous ftp
#   # Cosmetic changes, all files belongs to ftp user
#   DirFakeUser on ftp
#   DirFakeGroup on ftp
#
#   RequireValidShell off
#
#   # Limit the maximum number of anonymous logins
#   MaxClients 10
#
#   # We want 'welcome.msg' displayed at login, and '.message' displayed
#   # in each newly chdired directory.
#   DisplayLogin welcome.msg
#   DisplayFirstChdir .message
#
#   # Limit WRITE everywhere in the anonymous chroot
#   <Directory *>
#     <Limit WRITE>
#       DenyAll
#     </Limit>
#   </Directory>
#
#   # Uncomment this if you're brave.
#   # <Directory incoming>
#   #   # Umask 022 is a good standard umask to prevent new files and dirs
#   #   # (second parm) from being group and world writable.
#   #   Umask 022  022
#   #            <Limit READ WRITE>
#   #            DenyAll
#   #            </Limit>
#   #            <Limit STOR>
#   #            AllowAll
#   #            </Limit>
#   # </Directory>
#
# </Anonymous>

Nun zu meinem Problem...

Wenn ich einen user erstelle und ihm Zugriff auf "/bin/false" gebe, dann kann er sich nicht per FTP einloggen sondern bekommt "530 Login incorrect."! Wenn ich ihm aber Zugriff auf "/bin/bash" gebe, kann er sich mühelos einloggen! Kann mir einer bei dem Problem behilflich sein?

Greetz,
Prespawn

[VolGas]

Hi,

die Lösung ist ganz einfach: "RequireValidShell off"
in die proftpd.conf, den ProFTPD neu starten - fertig!

mfg.
  VolGas

[Prespawn]

Hi,
hab es gerade ausprobiert und den Zugriff auf "/bin/false" gegeben.... kommt aber immernoch "530 Login incorrect."

PS: Ich betone, dass die Userdaten richtig geschrieben sind!!

Greetz,
Prespawn

[VolGas]

-gelöscht-

[Prespawn]

#
# /etc/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#

ServerName         "Debian"
ServerType         standalone
DeferWelcome         off

DefaultRoot ~
RequireValidShell off

MultilineRFC2228      on
DefaultServer         on
ShowSymlinks         on

TimeoutNoTransfer      600
TimeoutStalled         600
TimeoutIdle         1200

DisplayLogin                    welcome.msg
DisplayFirstChdir               .message
ListOptions                   "-l"

DenyFilter         \*.*/

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
PersistentPasswd      on

# Uncomment this if you would use TLS module:
#TLSEngine          on

# Uncomment this if you would use quota module:
#Quotas            on

# Uncomment this if you would use ratio module:
#Ratios            on

# Port 21 is the standard FTP port.
Port            21

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances         30

# Set the user and group that the server normally runs at.
User            nobody
Group            nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask            022  022
# Normally, we want files to be overwriteable.
AllowOverwrite         on

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
#DelayEngine          off

[VolGas]

Das ist merkwürdig.
Ich weiß nicht, ob es funktionieren wird, aber versuche es doch einmal:

• deaktiviere "PersistentPasswd on"
• re-aktiviere "DelayEngine off"

Desweiteren könntest Du noch "IdentLookups off" und "UseReverseDNS off"
Deiner proftpd.conf hinzufügen. Nicht vergessen den Server neu zu starten.

Wenn das nicht funktionieren sollte, dann starte im Debugmodus,
versuche Dich einzuloggen und poste hier den Debug-Output davon.

mfg.
  VolGas

[Prespawn]

Hi,
hat nicht funktioniert... hier ist die ausgabe vom Debugmodus:

Code:

R21816:~# proftpd -d 9
 - mod_tls/2.0.7: using OpenSSL 0.9.7e 25 Oct 2004
 - parsing '/etc/proftpd.conf' configuration
 - FS: using system open()
 - FS: using system read()
 - dispatching directive 'ServerName' to module mod_core
 - dispatching directive 'ServerType' to module mod_core
 - dispatching directive 'DeferWelcome' to module mod_core
 - dispatching directive 'DefaultRoot' to module mod_auth
 - dispatching directive 'RequireValidShell' to module mod_auth
 - dispatching directive 'MultilineRFC2228' to module mod_core
 - dispatching directive 'DefaultServer' to module mod_core
 - dispatching directive 'ShowSymlinks' to module mod_ls
 - dispatching directive 'TimeoutNoTransfer' to module mod_xfer
 - dispatching directive 'TimeoutStalled' to module mod_xfer
 - dispatching directive 'TimeoutIdle' to module mod_core
 - dispatching directive 'IdentLookups' to module mod_core
 - dispatching directive 'UseReverseDNS' to module mod_core
 - dispatching directive 'DisplayLogin' to module mod_core
 - dispatching directive 'DisplayFirstChdir' to module mod_core
 - dispatching directive 'ListOptions' to module mod_ls
 - dispatching directive 'DenyFilter' to module mod_core
 - Compiling deny regex '\*.*/'.
 - Allocated deny regex at location 0x8118c88.
 - dispatching directive 'PersistentPasswd' to module mod_auth_unix
 - dispatching directive 'TLSEngine' to module mod_tls
 - dispatching directive 'Port' to module mod_core
 - FS: using system read()
 - dispatching directive 'MaxInstances' to module mod_core
 - dispatching directive 'User' to module mod_core
 - dispatching auth request "getpwnam" to module mod_radius
 - dispatching auth request "getpwnam" to module mod_auth_file
 - dispatching auth request "getpwnam" to module mod_auth_unix
 - dispatching directive 'Group' to module mod_core
 - dispatching auth request "getgrnam" to module mod_radius
 - dispatching auth request "getgrnam" to module mod_auth_file
 - dispatching auth request "getgrnam" to module mod_auth_unix
 - dispatching directive 'Umask' to module mod_core
 - dispatching directive 'AllowOverwrite' to module mod_xfer
 - dispatching directive 'DelayEngine' to module mod_delay
 - FS: using system read()
 - FS: using system close()
R21816 -
R21816 - Config for Debian:
R21816 - DeferWelcome
R21816 - DefaultRoot
R21816 - RequireValidShell
R21816 - DefaultServer
R21816 - ShowSymlinks
R21816 - TimeoutNoTransfer
R21816 - TimeoutStalled
R21816 - TimeoutIdle
R21816 - IdentLookups
R21816 - DisplayLogin
R21816 - DisplayFirstChdir
R21816 - ListOptions
R21816 - DenyFilter
R21816 - TLSEngine
R21816 - UserID
R21816 - UserName
R21816 - GroupID
R21816 - GroupName
R21816 - Umask
R21816 - DirUmask
R21816 - AllowOverwrite
R21816 - DelayEngine
R21816 - Bind
R21816 - ROOT PRIVS at ../../../modules/mod_delay.c:295
R21816 - FS: using system open()
R21816 - RELINQUISH PRIVS at ../../../modules/mod_delay.c:297
R21816 - FS: using system fstat()
R21816 - FS: using system close()
R21816 - dispatching auth request "getgroups" to module mod_radius
R21816 - dispatching auth request "getgroups" to module mod_auth_file
R21816 - dispatching auth request "getgroups" to module mod_auth_unix
R21816 - SETUP PRIVS at ../../../src/main.c:2736
R21816 - ROOT PRIVS at ../../../src/main.c:1970
R21816 - RELINQUISH PRIVS at ../../../src/main.c:1977
R21816:~#

[VolGas]

Das ist nicht das, was ich haben wollte - damit kann ich nichts anfangen.
Den ganzen Output brauche ich nicht, nur den des Login-Versuchs -
und den kann ich hier nicht sehen.

Was Du noch in Deine proftpd.conf reinschreiben könntest: "AuthOrder mod_auth_unix.c"

Starte den vollen Debug-Modus mit "proftpd -n -d9", verwerfe die Ausgabe
bis dahin, versuche Dich per FTP einzuloggen und was dann im Debug-Modus
ausgegeben wurde, bitte hier posten.

mfg.
  VolGas

[Prespawn]

Hi,
also entweder bin ich blöd, oder da stimmt was nich... hab den debug mit deinem befehl gestartet und dann versucht mich einzuloggen... natürlich ging des nicht... jedoch kam da nix mit dem debug, sondern der hat mit die log ausgegeben und mich dann wieder in ne neue kommandozeile gesetzt... habe dann nochmal deinen befehl ausgeführt, doch es kam genau dasselbe wie vorher...

greetz
Prespawn