Solved

Pure-FTPd authentication fail

Posted on 2012-04-04
Last Modified: 2012-04-06
Hi expertos,

I have Ubuntu 10.4LTS server running for more than 1 year without problems.

On this server I have Pure-FTP-MySQL installed (pure-ftpd-common pure-ftpd-mysql) with explicit TLS and self-signed certificate. Works perfectly!
Starting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -A -p 10900:11999 -E -Y 2 -D -8 UTF-8 -u 1000 -O clf:/var/log/pure-ftpd/transfer.log -H -b -B

Now, since a few days ago, none of the users can log in:
Status:	Resolving address of ftp.myserver.net
Status:	Connecting to 10.10.10.133:21...
Status:	Connection established, waiting for welcome message...
Response:	220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response:	220-You are user number 1 of 50 allowed.
Response:	220-Local time is now 19:46. Server port: 21.
Response:	220-This is a private system - No anonymous login
Response:	220-IPv6 connections are also welcome on this server.
Response:	220 You will be disconnected after 15 minutes of inactivity.
Command:	AUTH TLS
Response:	234 AUTH TLS OK.
Status:	Initializing TLS...
Status:	Verifying certificate...
Command:	USER test
Status:	TLS/SSL connection established.
Response:	331 User test OK. Password required
Command:	PASS ******
Response:	530 Login authentication failed
Error:	Critical error
Error:	Could not connect to server

I haven't changed anything!
All that has been happening in the neighborhood was a test of a new firewall, which I removed after testing and put the old firewall back. All old settings preserved, actually nothing was changed.

I tried:
- removed pure-ftpd-mysql and pure-ftpd-common (preserved settings), and installed back, but NO AVAIL
- removed SSL cert and created new one, but NO AVAIL
- changed /etc/pure-ftpd/conf/TLS from 2 to 1 to allow also non-TLS connections...but still NO AVAIL (same error as above)
- bypassed firewall and tested from local LAN IP, with or without TLS, but NO AVAIL

Always the same message in  /var/log/messages :
Apr  4 19:41:42 ftp pure-ftpd: (?@10.10.10.125) [INFO] New connection from 10.10.10.125
Apr  4 19:41:42 ftp pure-ftpd: (?@10.10.10.125) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES128-SHA, 128 secret bits cipher
Apr  4 19:41:44 ftp pure-ftpd: (?@10.10.10.125) [INFO] PAM_RHOST enabled. Getting the peer address
Apr  4 19:41:50 ftp pure-ftpd: (?@10.10.10.125) [WARNING] Authentication failed for user [test]
Apr  4 19:41:50 ftp pure-ftpd: (?@10.10.10.125) [INFO] Logout.

I do not understand.
This is not a self-breaking Windows OS, but a stable Linux box.
Ideas welcome.
Question by:Andrej Pirman
7 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 37812175
Well to me it looks like the password for the user-id test has been changed.

Response:      331 User test OK. Password required
Command:      PASS ******
Response:      530 Login authentication failed
0
 
LVL 18

Author Comment

by:Andrej Pirman
ID: 37816494
Hmmm... I've tested with ALL existing and previously working users (20 of them) and nobody can connect.
So I created a new user, test...with fresh settings, fresh password...but still no go.
Nothing else in logs.

Any other idea?
Maybe some more in-depth logging?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 37816979
Could an IP address have changed?  Based on the message:

   PAM_RHOST enabled. Getting the peer address

Pure-FTPd is trying to get the client IP address to validate it against something.  If the IP address that it sees from the client changed, then it could be failing the connection because of that.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 37817288
You may also want to enable debug logging on the Pure-FTPd server to see if that shows any more information.

You can follow these instructions (although it says Debian, it works for Ubuntu also).

http://www.faqforge.com/linux/controlpanels/ispconfig3/how-to-enable-debugging-in-pure-ftpd-on-debian-linux/
0
 
LVL 18

Author Comment

by:Andrej Pirman
ID: 37817605
Oh...bad pingo... :)
PROBLEM SOLVED

First, thanks giltjr for pointing me to VerboseLog. Immediately I found this:
 postfix/proxymap[9609]: warning: connect to mysql server 127.0.0.1: Access denied for user ...

Oops...it must be mysql buggy...let's see.
I found out that pure-ftpd-mysql is using the "ispconfig" user to connect to the database (OK, it's my CP), and when I looked up the privileges table in mysql, I found the "ispconfig" user allowed connections only from "localhost". Which is mostly OK, but some apps use 127.0.0.1 instead of localhost.
So I altered the privileges of the "ispconfig" user to allow connections from ANY host.

Removed VerboseLog, restarted pure-ftpd, restarted mysql...and we're back in business!
0
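
Added example, not part of the original thread: a narrower form of the change described in the comment above, adding a MySQL host entry for 127.0.0.1 only instead of for any host. The database name, password and privilege list are placeholders; take the real values from the existing 'localhost' entry.

```sql
-- Added example. <ispconfig_database> and <password> are placeholders,
-- and the privilege list in step 4 is an assumption: copy the real one
-- from the output of step 2.

-- 1. List the host entries that exist for the account pure-ftpd-mysql uses.
--    A row with host = '%' means the account is accepted from any address.
SELECT user, host FROM mysql.user WHERE user = 'ispconfig';

-- 2. Record what the working 'localhost' entry may do, so the new entry
--    gets the same privileges and nothing more.
SHOW GRANTS FOR 'ispconfig'@'localhost';

-- 3. Broad form ("ANY host"), shown commented out for comparison:
--    the '%' wildcard accepts the account from every address that can
--    reach the MySQL port, not just from the server itself.
-- CREATE USER 'ispconfig'@'%' IDENTIFIED BY '<password>';

-- 4. Narrow form: add only the loopback address seen in the
--    "connect to mysql server 127.0.0.1: Access denied" warning.
CREATE USER 'ispconfig'@'127.0.0.1' IDENTIFIED BY '<password>';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON `<ispconfig_database>`.*
    TO 'ispconfig'@'127.0.0.1';

-- 5. Verify from a TCP session opened as that account
--    (mysql -h 127.0.0.1 -u ispconfig -p): CURRENT_USER() reports the
--    account entry that matched, which should be ispconfig@127.0.0.1.
SELECT USER(), CURRENT_USER();

-- 6. If a wildcard entry was created earlier and FTP logins still work
--    with the 127.0.0.1 entry in place, remove the wildcard entry.
-- DROP USER 'ispconfig'@'%';
```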
 
LVL 18

Author Closing Comment

by:Andrej Pirman
ID: 37817612
I decided to give you all the points, since you pushed me in the right way.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 37818032
Glad I could get you down the path to the solution.
0
