Shaohs
asked on
VSFTPD no password
Hi
How do you make VSFTPD accept a blank password? I have a user "Free" with no password assigned, but I can't log in with this user because there is no password...
PS: Name the "Anonymous" user "Free"
ASKER
But I don't want anonymous access. If I turn it on, all browsers just log in with anonymous. When a user logs in they must be prompted for a user and pass... except user "free"
Ok, well nothing in a standard vsftpd setup precludes what you want, are you sure that "free" has a blank password?
Check /etc/shadow
free:*:12934:::::: <-- account no-password
free:!!:12934:::::: <-- account locked
free::12934:::::: <-- account blank password
The default for an account created with no password is for it to be locked.
Cheers,
-Bill
ASKER
free::13264:::::: is what was in my /etc/shadow
Well, let's drop the "free" user, if it's not possible.
Can I make VSFTPD prompt for user/pass even if anonymous access is enabled? It seems if I enable it, Internet Explorer chooses anonymous access by default without prompting for anything. Anonymous should only be a login without password.
It does work, but you will still be prompted for a password
---------------------- BEGIN SESSION --------------------
[root@streams1 root]# useradd free
[root@streams1 root]# passwd -u free
Unlocking password for user free.
passwd: Unsafe operation (use -f to force).
[root@streams1 root]# passwd -u -f free
Unlocking password for user free.
passwd: Success.
[root@streams1 root]# ftp localhost
Connected to localhost.localdomain.
220 Welcome to FTFConnect FTP service.
530 Please login with USER and PASS.
Name: free
331 Please specify the password.
Password: <-- I just hit ENTER here
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
------------------------ END SESSION --------------------
And yes, you can have anonymous access AND user access, just enable anonymous and try it out.
Cheers,
-Bill
ASKER
Hmmm ... didn't seem to work. I'm running Debian Sarge 3.1.
----------
mailgate:~# userdel free
mailgate:~# useradd free
mailgate:~# passwd -u free
Password changed.
mailgate:~# passwd -u -f free
passwd: invalid option -- f
usage: passwd [-f|-s] [name]
passwd [-x max] [-n min] [-w warn] [-i inact] name
passwd {-l|-u|-d|-S|-e} name
mailgate:~# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.3)
Name (localhost:root): free
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.
----------
Seems it can't unlock the password...
Can you log in as a regular user? And do you have the files /etc/vsftpd.ftpusers or /etc/vsftpd.user_list?
These are access control lists; their presence affects who can log in.
Check vsftpd.conf for userlist_deny=YES, it's the default.
If userlist_deny=no, then only people in /etc/vsftpd.user_list are allowed to log in.
Also check
local_enable=yes
Cheers,
-Bill
ASKER
There is no /etc/vsftpd.user_list or /etc/vsftpd.ftpusers.
userlist_deny=no is not present, so the default setting is active.
local_enable=yes is present.
I have no problem logging in as other users. Ordinary users with passwords log right in, but user "free" with no password cannot...
Hmmm...let's check to see if everything actually works,
1) Try to ssh in with account "free"
2) Use ftp from a windows box or a machine with a different OS from your current one
- the version of the FTP client you are using could be interfering with normal operations
Sorry if you tried this already. Oh, I'm really curious about the ssh results
(Try to just login at the desktop as well)
Cheers,
-Bill
ASKER
Ssh didn't work either.
I tried connecting to the FTP via Internet Explorer, but it didn't work either with "free".
> Ssh didn't work either.
Aha! There is something in your OS which may be blocking
Check your PAM setup. Here's mine; yours may differ, but note that in the sections
auth and password I have the token "nullok"
This token allows the use of an account when its "official" password is blank
/etc/pam.d/system-auth
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
Don't copy and paste this: use it as a reference
Cheers,
-Bill
ASKER
I don't have a /etc/pam.d/system-auth but I have:
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/pam.d/vsftpd
I'll post the files
/etc/pam.d/common-account -----------------------------
account required pam_unix.so
/etc/pam.d/common-auth -----------------------------
auth required pam_unix.so nullok_secure
/etc/pam.d/common-password -----------------------------
password required pam_unix.so nullok obscure min=4 max=8 md5
/etc/pam.d/common-session -----------------------------
session required pam_unix.so
/etc/pam.d/vsftpd -----------------------------
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers$
@include common-account
@include common-session
@include common-auth
auth required pam_shells.so
-------------
Where do I put the nullok line?
Change
/etc/pam.d/common-auth -----------------------------
auth required pam_unix.so nullok_secure
to
/etc/pam.d/common-auth -----------------------------
auth required pam_unix.so nullok
That should just about do it.
Test with ssh again, then if that works, go up to ftp.
Finally usermod -s /sbin/nologin free
to disable shell access for free (but still allow ftp)
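An audit sketch for the two checks discussed in this thread, the /etc/shadow password field and the pam_unix null-password option that vsftpd reaches through its @include lines. It is an added example, not posted by any participant; SHADOW and PAM_FILES are sample data constructed from the lines quoted above, and the function names are hypothetical.

```python
# Added example. SHADOW and PAM_FILES are constructed from lines posted in the thread.
SHADOW = """free::13264::::::
daemon:*:12934::::::
bob:!!:12934::::::
"""
PAM_FILES = {  # the pam_listfile line is left out because its path is truncated on the page
    "vsftpd": "@include common-account\n@include common-session\n"
              "@include common-auth\nauth required pam_shells.so\n",
    "common-account": "account required pam_unix.so\n",
    "common-session": "session required pam_unix.so\n",
    "common-auth": "auth required pam_unix.so nullok_secure\n",
}

def shadow_state(line):
    """Classify the password field of one /etc/shadow line."""
    name, pw = line.split(":")[:2]
    state = ("blank" if pw == "" else "locked" if pw.startswith("!")
             else "no-password" if pw.startswith("*") else "hashed")
    return name, state

def auth_lines(service, files, seen=None):
    """Yield tokenised auth lines for a service, following @include."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return
    seen.add(service)
    for raw in files[service].splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts[:1] == ["@include"] and len(parts) > 1:
            yield from auth_lines(parts[1], files, seen)
        elif parts and parts[0].lstrip("-") == "auth":
            yield parts

def null_policy(service, files):
    """Return the empty-password option on the first pam_unix auth line."""
    for parts in auth_lines(service, files):
        for i, tok in enumerate(parts):
            if tok.endswith("pam_unix.so"):
                return next((o for o in ("nullok", "nullok_secure") if o in parts[i + 1:]), "deny")
    return "unknown"

def audit(shadow_text, service, files):
    """Report blank-password accounts and whether network logins accept them."""
    policy = null_policy(service, files)
    states = [shadow_state(l) for l in shadow_text.splitlines() if ":" in l]
    blank = [name for name, state in states if state == "blank"]
    # Debian's nullok_secure accepts empty passwords only on ttys in /etc/securetty.
    return {"policy": policy, "blank": blank,
            "network_login": blank if policy == "nullok" else []}
```

Running audit(SHADOW, "vsftpd", PAM_FILES) on a copy of the real files shows which accounts have an empty password field and whether the service's PAM stack would accept them over the network.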
ASKER
After these changes I can't log in with SSH as "free" anymore.
When I connect to the FTP server and type "free" as user, it asks for a password where I just press Enter.
Then I get this
500 OOPS: priv_sock_get_result
Login failed.
421 Service not available, remote server has closed connection
> After these changes I can't log in with SSH as "free" anymore.
Unless I misunderstood, you never could log in as "free"
Do a
usermod -s /bin/bash free
ASKER
I did the 'usermod -s /bin/bash free' command and was able to log in again. I tried rebooting the machine, just for the fun :-)
But the ftp server says the same error:
shaoh@shaoh:~$ ftp xxx.xxx.xxx.xx2 xxxx1
Connected to xxx.xxx.xxx.xx2.
220 (vsFTPd 2.0.3)
Name (xxx.xxx.xxx.xx2:shaoh): free
331 Please specify the password.
Password: <--- just pressed Enter here
500 OOPS: priv_sock_get_result
Login failed.
421 Service not available, remote server has closed connection
ftp>
If I log in with SFTP to the SSH port with 'free', it logs me right in, without even asking for a password.
ASKER
Weee!! it's working!
Thank you for your help, and patience... :-)
No problem, thanks for the points
-Bill
without entering a password (for scripting or automation purposes), use scp and authorized keys.
Cheers,
-Bill