VSFTPD no password

Posted on 2006-04-28
Last Modified: 2011-09-20
Hi

How do you make VSFTPD accept a blank password? I have a user "Free" with no password assigned, but I can't log in with this user because there is no password...
Question by:Shaohs
20 Comments
 

Expert Comment

by:wnross
ID: 16562296
Anonymous logins require no password, so you could use that.  If you are simply trying to copy files
without entering a password (for scripting or automation purposes), use scp and authorized keys.

Cheers,
-Bill

Expert Comment

by:wnross
ID: 16562303
PS: Name the "Anonymous" user "Free"

Author Comment

by:Shaohs
ID: 16562799
But I don't want anonymous access. If I turn it on, all browsers just log in with anonymous. When a user logs in they must be prompted for a user and pass... except user "free"

Expert Comment

by:wnross
ID: 16564936
Ok, well nothing in a standard vsftpd setup precludes what you want, are you sure that "free" has a blank password?

Check /etc/shadow
free:*:12934::::::  <-- account no-password
free:!!:12934::::::  <-- account locked
free::12934::::::  <-- account blank password

The default for an account created with no password is for it to be locked.

Cheers,
-Bill

Author Comment

by:Shaohs
ID: 16567531
free::13264:::::: is what was in my /etc/shadow

Well, let's drop the "free" user, if it's not possible.

Can I make VSFTPD prompt for user/pass even if anonymous access is enabled? It seems that if I enable it, Internet Explorer chooses anonymous access by default without prompting for anything. Anonymous should only be a login without password.

Expert Comment

by:wnross
ID: 16569362
It does work, but you will still be prompted for a password

---------------------- BEGIN SESSION --------------------
[root@streams1 root]# useradd free
[root@streams1 root]# passwd -u free
Unlocking password for user free.
passwd: Unsafe operation (use -f to force).
[root@streams1 root]# passwd -u -f free
Unlocking password for user free.
passwd: Success.
[root@streams1 root]# ftp localhost
Connected to localhost.localdomain.
220 Welcome to FTFConnect FTP service.
530 Please login with USER and PASS.
Name: free
331 Please specify the password.
Password:                                                   <-- I just hit ENTER here
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
------------------------ END SESSION --------------------
And yes, you can have anonymous access AND user access, just enable anonymous and try it out.

Cheers,
-Bill

Author Comment

by:Shaohs
ID: 16571306
Hmmm ... didn't seem to work. I'm running Debian Sarge 3.1.

----------
mailgate:~# userdel free
mailgate:~# useradd free
mailgate:~# passwd -u free
Password changed.
mailgate:~# passwd -u -f free
passwd: invalid option -- f
usage: passwd [-f|-s] [name]
       passwd [-x max] [-n min] [-w warn] [-i inact] name
       passwd {-l|-u|-d|-S|-e} name
mailgate:~# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.3)
Name (localhost:root): free
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.
----------

Seems it can't unlock the password...

Expert Comment

by:wnross
ID: 16573637
Can you log in as a regular user? And do you have the files /etc/vsftpd.ftpusers or /etc/vsftpd.user_list?
These are access control lists; their presence affects who can log in.

Check vsftpd.conf for userlist_deny=YES, it's the default.
If userlist_deny=no, then only people in /etc/vsftpd.user_list are allowed to log in.
Also check
local_enable=yes

Cheers,
-Bill

Author Comment

by:Shaohs
ID: 16575141
there is no /etc/vsftpd.user_list or /etc/vsftpd.ftpusers
userlist_deny=no is not present, so default setting is active
local_enable=yes is present

I have no problem logging in as other users. Ordinary users with passwords log right in, but user "free" with no password cannot...

Expert Comment

by:wnross
ID: 16575336
Hmmm... let's check to see if everything actually works:

1) Try to ssh in with account "free"
2) Use ftp from a windows box or a machine with a different OS from your current one

- the version of the FTP client you are using could be interfering with normal operations

Sorry if you tried this already. Oh, I'm really curious about the ssh results
(Try to just login at the desktop as well)

Cheers,
-Bill

Author Comment

by:Shaohs
ID: 16578764
Ssh didn't work either.

I tried connecting to the FTP via Internet Explorer, but it didn't work either with "free".

Expert Comment

by:wnross
ID: 16579209
> Ssh didn't work either.

Aha!  There is something in your OS which may be blocking

Check your PAM setup. Here's mine; yours may differ, but note that in the sections
auth and password I have the token "nullok"

This token allows the use of an account when its "official" password is blank

/etc/pam.d/system-auth
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so


Don't copy and paste this: use it as a reference

Cheers,
-Bill

Author Comment

by:Shaohs
ID: 16583181
I don't have a /etc/pam.d/system-auth but I have:
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/pam.d/vsftpd

I'll post the files

/etc/pam.d/common-account -----------------------------
account required        pam_unix.so

/etc/pam.d/common-auth -----------------------------
auth    required        pam_unix.so nullok_secure

/etc/pam.d/common-password --------------------------
password   required   pam_unix.so nullok obscure min=4 max=8 md5

/etc/pam.d/common-session ---------------------------
session required        pam_unix.so

/etc/pam.d/vsftpd -------------------------------
auth    required        pam_listfile.so item=user sense=deny file=/etc/ftpusers$

@include common-account
@include common-session

@include common-auth
auth    required        pam_shells.so

-------------
Where do I put the nullok line?

Expert Comment

by:wnross
ID: 16589422
Change
/etc/pam.d/common-auth -----------------------------
auth    required        pam_unix.so nullok_secure

to
/etc/pam.d/common-auth -----------------------------
auth    required        pam_unix.so nullok

That should just about do it.

Test with ssh again, then if that works, go up to ftp.

Finally usermod -s /sbin/nologin free
to disable shell access for free (but still allow ftp)

Author Comment

by:Shaohs
ID: 16593296
After these changes I can't log in with SSH as "free" anymore.

When I connect to the FTP server and type "free" as user, it asks for a password where I just press Enter.
Then I get this:

500 OOPS: priv_sock_get_result
Login failed.
421 Service not available, remote server has closed connection

Expert Comment

by:wnross
ID: 16601945
> After these changes I can't log in with SSH as "free" anymore.
Unless I misunderstood, you never could log in as "free"

Do a
usermod -s /bin/bash free

Author Comment

by:Shaohs
ID: 16602821
I did the 'usermod -s /bin/bash free' command and was able to log in again. I tried rebooting the machine, just for the fun :-)

But the FTP server gives the same error:

shaoh@shaoh:~$ ftp xxx.xxx.xxx.xx2 xxxx1
Connected to xxx.xxx.xxx.xx2.
220 (vsFTPd 2.0.3)
Name (xxx.xxx.xxx.xx2:shaoh): free
331 Please specify the password.
Password:                                  <--- just pressed Enter here
500 OOPS: priv_sock_get_result
Login failed.
421 Service not available, remote server has closed connection
ftp>

If I log in with SFTP to the SSH port with 'free', it logs me right in, without even asking for a password.

Accepted Solution

by:
wnross earned 2000 total points
ID: 16602878
Ok, so we've got working accounts, let's go over pam and vsftpd

In vsftpd double check for
/etc/vsftpd/vsftpd.conf
-------------------------------
pam_service_name=vsftpd


In PAM make the following change
/etc/pam.d/vsftpd
-------------------------------
# auth    required        pam_listfile.so item=user sense=deny file=/etc/ftpusers$
auth    required        pam_listfile.so item=user sense=deny file=/etc/ftpusers$ onerr=succeed
@include common-account
@include common-session
@include common-auth
auth    required        pam_shells.so

Hang in there, we've almost got it
Cheers,
-Bill
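
An audit for the two conditions this thread combines, as an added example that is not part of the thread: it classifies the /etc/shadow password field (empty, locked, or set) and follows the @include lines of a PAM service file to find which nullok variant its pam_unix auth line carries, then lists the accounts that service would admit with an empty password. It relies on Debian's nullok_secure accepting an empty password only from a tty listed in /etc/securetty; the function names and sample files are constructed for illustration.

```shell
# Added example, not from the thread. All sample files are constructed.
# account_state SHADOW USER -> blank | locked | set
account_state() {
    awk -F: -v u="$2" '$1 == u {
        if ($2 == "") print "blank"            # empty field: no password required
        else if ($2 ~ /^[!*]/) print "locked"  # not a valid hash: no password login
        else print "set" }' "$1"
}

# pam_lines DIR SERVICE [DEPTH]: print the service file with @include expanded
pam_lines() {
    [ "${3:-0}" -lt 8 ] || return 0            # stop runaway include loops
    while read -r kw rest || [ -n "$kw" ]; do
        case $kw in
            ''|'#'*) ;;
            @include) pam_lines "$1" "$rest" $(( ${3:-0} + 1 )) ;;
            *) printf '%s %s\n' "$kw" "$rest" ;;
        esac
    done < "$1/$2"
}

# nullok_mode DIR SERVICE -> nullok | nullok_secure | none (first pam_unix auth line)
nullok_mode() {
    pam_lines "$1" "$2" | awk '
        $1 == "auth" && /pam_unix\.so/ && !seen {
            seen = 1; mode = "none"
            for (i = 3; i <= NF; i++) if ($i ~ /^nullok(_secure)?$/) mode = $i
        }
        END { print (seen ? mode : "none") }'
}

# blank_logins DIR SERVICE SHADOW: users admitted with an empty password
# (nullok_secure is not counted: it also needs a tty listed in /etc/securetty)
blank_logins() {
    [ "$(nullok_mode "$1" "$2")" = nullok ] || return 0
    awk -F: '$2 == "" { print $1 }' "$3"
}

# make_sample DIR AUTH_OPTION: write constructed shadow and PAM files into DIR
make_sample() {
    mkdir -p "$1/pam.d"
    printf '%s\n' 'free::13264::::::' 'bob:!!:12934::::::' \
        'alice:$1$constructed$hash:12934::::::' > "$1/shadow"
    printf 'auth required pam_unix.so %s\n' "$2" > "$1/pam.d/common-auth"
    printf '%s\n' '@include common-auth' 'auth required pam_shells.so' > "$1/pam.d/vsftpd"
}

d=$(mktemp -d) && make_sample "$d" nullok
echo "vsftpd accepts an empty password for: $(blank_logins "$d/pam.d" vsftpd "$d/shadow")"
rm -rf "$d"
```

On a real host, point the functions at /etc/pam.d and /etc/shadow (as root) and run nullok_mode for every service that includes common-auth, since the option in that file applies to all of them, not only vsftpd.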

Author Comment

by:Shaohs
ID: 16608073
Weee!! It's working!

Thank you for your help, and patience... :-)


Expert Comment

by:wnross
ID: 16608095
No problem, thanks for the points
-Bill