
Comments for vsftpd

17 Nov 2009 20:55 cevans

@markhobley: The issue described is not a "security flaw", despite various misinformation on the internet about the issue.
The whole point of the feature is to kick out the FTP client _before_ it sends a password. This idea goes way, way back and was typically used to list accounts such as "root" where you didn't want a plain text password for that account to ever go over the wire!
If you don't like the feature, don't use it. If you want to deny a given user always, after the password check, use a PAM module.

15 Nov 2009 19:56 markhobley

Re: vsftpd contains a security flaw, which causes the system to skip asking for a password if the username is invalid, when the system is configured to use an explicit userlist.

A user has suggested that vsftpd-not-whitelisted users never get passed to PAM, so all the PAM configuration in the world won't do anything until you disable the vsftpd userlist.

I would rather not disable the username whitelisting to work around this.

Does anyone know how to fix this so that we could incorporate a configuration option as to whether or not to abort after the username is entered, or to reverse the polarity of the userlist_deny switch in this context, so that userlist_deny=NO asks for a password, but userlist_deny=YES aborts without a password?

I would be happy to make this change on a local fork (but I need some guidance on this) if the fix will not get implemented upstream. I am interested in hearing from anyone who knows their way around this code sufficiently to make the fix.

22 Jul 2009 09:23 igardais

IPv6 passive issue?
Hi,
I have an issue when a client, connected through IPv6, requests a PASV session.
vsftpd replies with:
227 Entering Passive Mode (0,0,0,0,xx,yy)
and consequent connections fail because of the 0,0,0,0 IP.
Is it possible to add a 'pasv_address6' just like for IPv4?
Ionel

21 Jul 2009 20:20 markhobley

By default, vsftpd contains a security flaw, which causes the system to skip asking for a password if the username is invalid, when the system is configured to use an explicit userlist.

http://securitytracker.com/id?1008628

Apparently a workaround for this is to configure PAM to prompt for a password, even though the username is invalid. I am interested in hearing from anyone who knows how to reconfigure PAM to cause the system to prompt for a password, without disabling the facility to use an explicit userlist, or from anyone that can send me a patched fork of this package with the vulnerability fixed.

markhobley at yahoo dot co dot uk

18 Jul 2009 15:27 markhobley

I am looking to configure PAM to work around the username mining vulnerability when vsftpd is used with an explicit userlist (i.e. userlist_enable=YES and userlist_deny=NO).

http://securitytracker.com/id?1008628

Apparently the vulnerability can also be addressed by making a change to the PAM configuration, so that the system asks for both a username and password before failing with an invalid login, rather than immediately failing on an invalid username. Unfortunately, to date, I have not found anyone that knows how to make such a change. I am interested in hearing from anyone who knows how to fix this: markhobley at yahoo dot co dot uk.
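The behaviour argued over in the posts above (cevans' explanation and markhobley's reports) is easy to audit on your own server without touching PAM. The following is an added example, not vsftpd's own code: it reads a vsftpd.conf and a userlist file and reports, per username, whether vsftpd will refuse the USER command before a password is ever requested. It assumes the documented "option=value" config form; the sample config and usernames are constructed.

```python
# Added example, not vsftpd's own code: models the decision vsftpd makes on
# the USER command when userlist_enable is on, so an admin can see which
# usernames a server will refuse before ever asking for a password.
# Assumes vsftpd.conf in "option=value" form and a userlist file with one
# username per line; the sample inputs at the bottom are constructed.
from typing import Dict, Iterable, Set

# Relevant defaults, as documented in the vsftpd.conf man page.
DEFAULTS = {"userlist_enable": "NO", "userlist_deny": "YES",
            "userlist_file": "/etc/vsftpd.user_list"}

def is_on(value: str) -> bool:
    """vsftpd accepts YES/TRUE/1 (any case) as a boolean 'on'."""
    return value.strip().upper() in ("YES", "TRUE", "1")

def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """One 'option=value' per line; '#' lines are comments; blanks ignored."""
    opts = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed vsftpd.conf line: {raw!r}")
        opts[key.strip()] = value.strip()
    return opts

def parse_userlist(text: str) -> Set[str]:
    """Usernames in userlist_file, skipping blanks and '#' comment lines."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def rejected_before_password(opts: Dict[str, str], listed: Set[str],
                             username: str) -> bool:
    """True if vsftpd answers USER with 530 without asking for PASS.
    userlist_deny=YES: listed names are refused; =NO: only listed names proceed."""
    if not is_on(opts["userlist_enable"]):
        return False
    in_list = username in listed
    return in_list if is_on(opts["userlist_deny"]) else not in_list

def audit(opts: Dict[str, str], listed: Set[str],
          names: Iterable[str]) -> Dict[str, bool]:
    """Map each name to whether it is refused pre-password. If the values
    differ, list membership is visible to a client before any password is sent."""
    return {n: rejected_before_password(opts, listed, n) for n in names}

# Constructed sample matching the setup discussed above (userlist_deny=NO).
SAMPLE_CONF = "# constructed sample\nuserlist_enable=YES\nuserlist_deny=NO\n"
SAMPLE_LIST = "alice\nbob\n"

if __name__ == "__main__":
    opts, listed = parse_vsftpd_conf(SAMPLE_CONF), parse_userlist(SAMPLE_LIST)
    print(audit(opts, listed, ["alice", "mallory"]))  # {'alice': False, 'mallory': True}
```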

29 May 2009 22:12 cevans

@seronseron: fixed in v2.1.2, which I'm just telling Freshmeat about. Sorry about that.

04 May 2009 10:48 seronseron

"421 Data timeout. Reconnect. Sorry." when clients download large files that reach the data_connection_timeout limit, (i.e. no transfer stalling). This is with version 2.1.0 and Cyberduck 3.2 client using SSL connection in PASV mode. I've set require_ssl_reuse=NO because Cyberduck 3.2 doesn't know how to reuse sessions. How can this be fixed?

06 Jan 2009 21:08 kdapaah

Re: Enabling SSL breaks chroot_local_user Jail... vsftpd-2.0.4
I don't think this is an issue with WinSCP. I'm having the same problem using sftp from a MacBook; unless the sftp client actually uses SSH. Is this the case?

Does anyone have this working? vsftpd+ssl+chroot

> Found the problem... was using the wrong client!
> I was using WinSCP - which was talking to SSH and not vsftpd!! (i.e. could still connect when vsftpd was not running).
>
> My last post was unfair on vsftpd. Please disregard.
> Belated post to help others who've fallen into the same trap (I found lots of posts on the net - but no solutions. PEBKAC! Problem exists between keyboard and chair).
>
> Apologies - Colin

17 Jul 2007 09:47 zoonalex

Enable virtual and local users on a PAM file
I just want to know if it's possible to enable virtual and local users on a PAM file.

My vsftpd.conf:

-----------------------------------------------------------
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_list_enable=NO
chroot_list_file=/etc/vsftpd.chroot_list
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist_file
guest_enable=YES
guest_username=virtual
pam_service_name=ftp
use_localtime=YES
user_config_dir=/etc/vsftpd_user_conf
-----------------------------------------------------------

I know there are different PAM files for virtual users and local users. I tried to merge these files without success. But when I tried this new PAM file I was able to log in with local and virtual users.

-----------------------------------------------------------
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth sufficient /lib/security/pam_userdb.so db=/etc/vsftpd_login
auth required /lib/security/pam_unix.so shadow nullok
auth required /lib/security/pam_shells.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_userdb.so db=/etc/vsftpd_login
session required /lib/security/pam_unix.so
-----------------------------------------------------------

The drawback was that local users were logged in as virtual users and not into their home directories.

Is there a way to correct this drawback?

Sorry for my English.

05 Jul 2007 18:27 kvnsg

Re: Help: 425 Failed to establish connection.
Hi, all!

I was using FreeBSD v6.1 and 2 days ago I installed vsftpd v2.0.4.

I was running in stand-alone mode, and here is my configuration file:

listen=YES
max_per_ip=4
max_clients=200
connect_from_port_20=YES
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=70000
write_enable=YES
download_enable=YES
one_process_model=YES
hide_ids=YES

ascii_upload_enable=YES
ascii_download_enable=YES
async_abor_enable=YES
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60

ls_recurse_enable=NO
dirmessage_enable=YES

anonymous_enable=YES
no_anon_password=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_world_readable_only=YES
#anon_max_rate=50000
anon_umask=022

When I tried to connect from my computer, it worked and I could access my FTP. But when I used another computer on my LAN, I got these messages:

Name (xxx.xxx.xxx.xxx:SG): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (xxx,xxx,xxx,xxx,159,41)
ftp: connect: Connection timed out

And when I use Mozilla Firefox to open my FTP, I get an error message: 425 FAILED TO ESTABLISH CONNECTION.

I'm really confused about it... Sometimes after rebooting my FTP server I can access it from the other computer, but sometimes I can't...

Thanks for the help...
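Both this post and Ionel's IPv6 report earlier in the thread come down to what the server advertises in its "227 Entering Passive Mode" reply. The following is an added example, not vsftpd's own code: it decodes the 227 reply (host from the first four fields, port from p1*256+p2) and checks it against the pasv_min_port/pasv_max_port settings, so a bad advertised address or an invalid port range can be told apart from a firewall between client and server. The 10.0.0.5 address and the config text are constructed samples.

```python
# Added example, not vsftpd's own code: parses the "227 Entering Passive Mode"
# reply quoted in the posts above and checks it against the pasv_* settings,
# to separate a bad advertised address or port range from a plain firewall
# problem. The 10.0.0.5 address and the config text are constructed samples.
import re
from typing import Dict, List, Tuple

# RFC 959 form: 227 ... (h1,h2,h3,h4,p1,p2); port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Return (host, port) advertised by a 227 reply."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {line!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of byte range in {line!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """One 'option=value' per line; '#' lines are comments."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts

def diagnose(reply: str, opts: Dict[str, str]) -> List[str]:
    """Reasons a client's data connection to this reply would fail. An empty
    list means the reply itself is sane, leaving a firewall/NAT between client
    and server blocking the passive port range as the remaining suspect."""
    problems: List[str] = []
    host, port = parse_pasv_reply(reply)
    if host == "0.0.0.0":
        problems.append("advertised address 0.0.0.0 is unusable by the client "
                        "(the symptom reported for IPv6 control connections)")
    lo = int(opts.get("pasv_min_port", "0"))   # vsftpd default 0 = any port
    hi = int(opts.get("pasv_max_port", "0"))
    if hi > 65535:
        problems.append(f"pasv_max_port={hi} exceeds the maximum TCP port 65535")
    if lo and hi and not lo <= port <= hi:
        problems.append(f"advertised port {port} is outside pasv range {lo}-{hi}")
    return problems

# Constructed sample: the pasv settings from the post above, port pair 159,41.
SAMPLE_CONF = "pasv_enable=YES\npasv_min_port=30000\npasv_max_port=70000\n"
SAMPLE_REPLY = "227 Entering Passive Mode (10,0,0,5,159,41)"

if __name__ == "__main__":
    print(parse_pasv_reply(SAMPLE_REPLY))  # ('10.0.0.5', 40745)
    print(diagnose(SAMPLE_REPLY, parse_vsftpd_conf(SAMPLE_CONF)))
```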
