JPERKS1985
asked on
PureFTPD - 530 Login authentication failed
Im getting,
331 User testaccount OK. Password required
PASS xxxx
530 Login authentication failed
Disconnecting from site 127.0.0.1
I'm sure the password is correct and the directory exists. what could be the problem?
331 User testaccount OK. Password required
PASS xxxx
530 Login authentication failed
Disconnecting from site 127.0.0.1
I'm sure the password is correct and the directory exists. what could be the problem?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Hi JPERKS1985,
Your Pure-FTPd may not be configured to use PureDB as the authentication method. Here is something I found from a thread where people were having the exact problem you are having.
# sudo -s
# apt-get install pure-ftpd pureadmin
Create the user and group accounts:
# groupadd ftpgroup
# useradd -g ftpgroup -d /dev/null -s /etc ftpuser
# pure-pw useradd NAME -u ftpuser -d /DIRECTORY
Type in the password when prompted for the new user twice.
NAME and DIRECTORY can be whatever you want them to be.
Create the database and make sure that the pure-ftpd configuration strictly uses the pdb file for managing accounts:
# pure-pw mkdb
# ln -s /etc/pure-ftpd/conf/PureDB
# gedit /etc/pure-ftpd/conf/PAMAut
Change yes into no
Make sure that a backup file (.PAMAuthentication~) isn't created because it will create a conflict when trying to restart service. Using PAM can allow public access to administrative accounts using pure-ftpd, that's why I disable it within pure-ftpd. I prefer it off so I can strictly use virtual accounts maintained within the pdb file.
Finally it's time to enable the pdb file and yes you do have to stop the server in order to avoid errors stating that the port is already in use.
# /etc/init.d/pure-ftpd stop
# /usr/sbin/pure-ftpd -j -lpuredb:/etc/pure-ftpd/pu
# /etc/init.d/pure-ftpd start
http://ubuntuforums.org/archive/index.php/t-9936.html
Cheers,
Brian
Your Pure-FTPd may not be configured to use PureDB as the authentication method. Here is something I found from a thread where people were having the exact problem you are having.
# sudo -s
# apt-get install pure-ftpd pureadmin
Create the user and group accounts:
# groupadd ftpgroup
# useradd -g ftpgroup -d /dev/null -s /etc ftpuser
# pure-pw useradd NAME -u ftpuser -d /DIRECTORY
Type in the password when prompted for the new user twice.
NAME and DIRECTORY can be whatever you want them to be.
Create the database and make sure that the pure-ftpd configuration strictly uses the pdb file for managing accounts:
# pure-pw mkdb
# ln -s /etc/pure-ftpd/conf/PureDB
# gedit /etc/pure-ftpd/conf/PAMAut
Change yes into no
Make sure that a backup file (.PAMAuthentication~) isn't created because it will create a conflict when trying to restart service. Using PAM can allow public access to administrative accounts using pure-ftpd, that's why I disable it within pure-ftpd. I prefer it off so I can strictly use virtual accounts maintained within the pdb file.
Finally it's time to enable the pdb file and yes you do have to stop the server in order to avoid errors stating that the port is already in use.
# /etc/init.d/pure-ftpd stop
# /usr/sbin/pure-ftpd -j -lpuredb:/etc/pure-ftpd/pu
# /etc/init.d/pure-ftpd start
Cheers,
Brian
Have you checked /var/log/messages and/or /var/log/secure for possible errors? If PureFTPd is rejecting the user, it should be logging an error with a reason.
For security reasons, an FTP daemon will not (should not) reject any username. It should treat an invalid user the same as a valid user with a bad password. So just because it says "User testaccount OK", doesn't mean it's actually accepting the user; it may have already decided the user is NOT allowed, and is prompting for password anyways.
The reason for this is so that a remote attacker cannot determine which accounts are valid, and which aren't, thereby focusing their efforts on valid accounts. By treating valid and invalid accounts equally, an attacker can proceed to waste their time trying passwords for an invalid account.
My guess is that either the user is not recognized, or an attribute of the user is being rejected (e.g. assigned shell is not recognized as being valid). E.g. it could be PureFTPd is configured to only allow anonymous FTP logins, or is configured to use an internal database rather than /etc/passwd, etc.
For security reasons, an FTP daemon will not (should not) reject any username. It should treat an invalid user the same as a valid user with a bad password. So just because it says "User testaccount OK", doesn't mean it's actually accepting the user; it may have already decided the user is NOT allowed, and is prompting for password anyways.
The reason for this is so that a remote attacker cannot determine which accounts are valid, and which aren't, thereby focusing their efforts on valid accounts. By treating valid and invalid accounts equally, an attacker can proceed to waste their time trying passwords for an invalid account.
My guess is that either the user is not recognized, or an attribute of the user is being rejected (e.g. assigned shell is not recognized as being valid). E.g. it could be PureFTPd is configured to only allow anonymous FTP logins, or is configured to use an internal database rather than /etc/passwd, etc.
ASKER