emerge -u world broke VSFTPd (Urgent!)

zeroclip
n00b
Posts: 38
Joined: Fri Apr 02, 2004 10:01 pm

emerge -u world broke VSFTPd (Urgent!)

Post by zeroclip » Wed Mar 02, 2005 9:53 pm

Hi.

I did an emerge sync && emerge -u world today, and vsftpd stopped working. When I do a connect to the site I get this:
---> FEAT
<--- 211-Features:
<--- AUTH SSL
<--- AUTH TLS
<--- EPRT
<--- EPSV
<--- MDTM
<--- PASV
<--- PBSZ
<--- PROT
<--- REST STREAM
<--- SIZE
<--- TVFS
<--- 211 End
---> AUTH TLS
<--- 234 Proceed with negotiation.
---> USER ggnet
Certificate depth: 0; subject: /C=NO/ST=Some-State/O=Internet Widgits Pty Ltd; issuer: /C=NO/ST=Some-State/O=Internet Widgits Pty Ltd
WARNING: Certificate verification: self signed certificate
<--- 331 Please specify the password.
---> PASS *****
**** SSL read: wrong version number
---- Closing control socket
ls: Fatal error: SSL read: wrong version number
Wait! There is more! Without SSL I get this:
---> FEAT
<--- 211-Features:
<--- AUTH SSL
<--- AUTH TLS
<--- EPRT
<--- EPSV
<--- MDTM
<--- PASV
<--- PBSZ
<--- PROT
<--- REST STREAM
<--- SIZE
<--- TVFS
<--- 211 End
---> USER ggnet
<--- 331 Please specify the password.
---> PASS *****
<--- 500 OOPS: priv_sock_get_result
---> PWD
**** Peer closed connection
---- Closing control socket
ls: Login failed: 500 OOPS: priv_sock_get_result
Please tell me what I did! I've never seen the second error before. The first one is only a minor problem as most of my users do not use SSL.

Thanks!
Top
zeroclip
n00b
Posts: 38
Joined: Fri Apr 02, 2004 10:01 pm

Re: emerge -u world broke VSFTPd (Urgent!)

Post by zeroclip » Thu Mar 03, 2005 1:58 am

Hi again.

The problem is somehow related to pam and pam_userdb.so. If I use system-auth instead of userdb it works fine. But I don't want all those virtual users in my local passwd. Please advise.
Top
Jylppy
n00b
Posts: 17
Joined: Mon May 10, 2004 7:04 pm
Location: Finland

Same problem here

Post by Jylppy » Sun Mar 06, 2005 9:19 pm

Hello, I have the same problem. pam-0.78 update broke vsftpd virtual users' login. No solution found yet.

-J
Top
Norick
n00b
Posts: 31
Joined: Fri Sep 12, 2003 2:08 pm
Location: Prague

Post by Norick » Tue May 17, 2005 9:18 pm

I have the same problem... Has anybody found a solution yet?

Thanks
Top
bratwurst
n00b
Posts: 6
Joined: Tue May 24, 2005 10:58 pm
Location: Sweden

Same here....

Post by bratwurst » Tue May 24, 2005 11:54 pm

Tried to

Code: Select all

emerge unmerge db
emerge pam   # (installed db 4.2)
emerge db

Problem remains....
It's hard to debug, too, since the logs don't really help

Tried to google...not much help

Anyone ???
Top
Jazz
Guru
Posts: 543
Joined: Sun Nov 16, 2003 10:50 pm
Location: Melbourne, Australia

Post by Jazz » Sun Jun 05, 2005 6:37 pm

ok same problem here.. any ideas ?
thanx
In 2010, M$ Windows will be a quantum processing emulation layer for a 128-bit mod of a 64-bit hack of a 32-bit patch to a 16-bit GUI for an 8-bit operating system written for a 4-bit processor from a 2-bit company that can't stand 1 bit of competition.
Top
fdamstra
n00b
Posts: 39
Joined: Wed Feb 11, 2004 1:44 pm
Location: Grand Rapids, MI

Post by fdamstra » Tue Jul 19, 2005 4:01 pm

Jazz wrote:ok same problem here.. any ideas ?
thanx
This hasn't been resolved? Eek... Ran into this problem today. All my virtual users are broken.

Does anybody know the cause?

Update:
I found this bug, and apparently people have been running into this for quite some time, though I'm still not sure what causes it. I followed the "solution" in comment 16, then unmerged db, and reemerged the specific versions of db and pam that the author had, and it is working again.

However, I'm not very happy running an outdated version of PAM. Does anybody have a fix for the newer versions?
Top
svf
n00b
Posts: 50
Joined: Tue Feb 01, 2005 12:22 am

Post by svf » Wed Jul 20, 2005 6:18 pm

heya...

I'm using the /etc/pam.d/vsftpd from the vsftpd-2.0.2 package and it works

I don't use virtual users.. but actually ran into the same ssl prob

Code: Select all

cat /etc/pam.d/vsftpd
#%PAM-1.0
# $Header: /var/cvsroot/gentoo-x86/net-ftp/vsftpd/files/vsftpd.pam,v 1.5 2005/06/07 23:04:57 uberlord Exp $
auth     required   pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth     required   pam_stack.so service=system-auth
auth     required   pam_shells.so
account  required   pam_stack.so service=system-auth
session  required   pam_stack.so service=system-auth
hth
uchafu!
Top
bdismay
n00b
Posts: 1
Joined: Wed Jul 20, 2005 10:38 pm
Location: USA

Post by bdismay » Wed Jul 20, 2005 10:46 pm

Not sure if this will help anyone, but I had troubles connecting to vsftpd after upgrading baselayout this morning. I do not use virtual users, but had set up system accounts for each user. Each user account had been specified the shell /bin/false. After upgrading baselayout the /etc/shells file was overwritten with a new one that did not have /bin/false as a valid shell. Adding /bin/false to /etc/shells fixed my problems.
Top
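An added example, not part of bdismay's post: the PAM file svf posted contains `auth required pam_shells.so`, which only lets a user authenticate if the account's login shell is listed in /etc/shells. The function below lists the accounts that check would reject; the function names and the constructed sample files are assumptions for illustration.

```shell
#!/bin/sh
# List accounts whose login shell (passwd field 7) is missing from the
# shells file, i.e. the accounts pam_shells.so would turn away.
# Usage: shells_rejected PASSWD_FILE SHELLS_FILE
shells_rejected() {
    awk -F: '
        FILENAME == ARGV[1] {            # first file: the shells list
            sub(/#.*/, "")               # drop comments
            gsub(/[ \t]/, "")            # drop stray whitespace
            if ($0 != "") ok[$0] = 1
            next
        }
        # Accounts with an empty shell field are skipped, not judged here.
        NF >= 7 && $7 != "" && !($7 in ok) { print $1 ": " $7 }
    ' "$2" "$1"
}

# Constructed sample: an /etc/shells replaced by an upgrade (no /bin/false)
# and two FTP-only system accounts that use /bin/false as their shell.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# /etc/shells' '/bin/sh' '/bin/bash' > "$dir/shells"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'ftpjohn:x:1001:1001::/home/ftp/john:/bin/false' \
        'ftpmary:x:1002:1002::/home/ftp/mary:/bin/false' > "$dir/passwd"
    shells_rejected "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}
demo
```

On a live system the call is `shells_rejected /etc/passwd /etc/shells`, run after any update that replaces /etc/shells.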
Raffi
l33t
Posts: 731
Joined: Mon Mar 17, 2003 1:32 am
Location: Moscow, Id.

Post by Raffi » Fri Aug 05, 2005 4:47 pm

I've tried various things to fix this problem, but I can't seem to get virtual users working again.

Has anyone gotten virtual users working with vsftpd-2.0.3-r1 and pam-0.78-r2?
Top
UberLord
Retired Dev
Posts: 6838
Joined: Thu Sep 18, 2003 10:26 am
Location: Blighty

Post by UberLord » Fri Aug 05, 2005 11:21 pm

Raffi wrote:Has anyone gotten virtual users working with vsftpd-2.0.3-r1 and pam-0.78-r2?
I'm the new maintainer for vsftpd and I opened the original bug. It's not a vsftpd problem, but a pam problem.
I do use virtual users, but they are LDAP and not db. Basically, any virtual that is not pam_userdb based works :)
Top
Raffi
l33t
Posts: 731
Joined: Mon Mar 17, 2003 1:32 am
Location: Moscow, Id.

Post by Raffi » Fri Aug 05, 2005 11:36 pm

Good to know. So any chance the userdb stuff will get fixed soon? Barring that, any chance there is a howto for other types of virtual users?

Thanks.
Top
UberLord
Retired Dev
Posts: 6838
Joined: Thu Sep 18, 2003 10:26 am
Location: Blighty

Post by UberLord » Sat Aug 06, 2005 12:03 am

Raffi wrote: Good to know. So any chance the userdb stuff will get fixed soon?
Soon? Probably not.
If you're using nptl, disabling it may help.
Raffi wrote: Barring that, any chance there is a howto for other types of virtual users?
What kind of backend do you want?
LDAP? Postgres? MySQL? Something else?

Basically, take your pick. Most daemons - including vsftpd - have PAM support - and PAM works with LDAP, Postgres, etc etc - just not userdb files. Heh
Top
Raffi
l33t
Posts: 731
Joined: Mon Mar 17, 2003 1:32 am
Location: Moscow, Id.

Post by Raffi » Sat Aug 06, 2005 12:31 am

The ftp server has mysql in use and has postgres available. Either of those would work for me.
Top
traal
n00b
Posts: 3
Joined: Sun Aug 14, 2005 5:32 am
Location: Göteborg, Sweden

sys-auth/pam_pwdfile to the rescue

Post by traal » Sun Aug 14, 2005 6:28 am

Hi,

I had the exact same problem, with vsftpd complaining about "priv_sock_get_result" due to the PAM problem. After googling for a bit, and reading the PAM documentation, I figured out how the pam_pwdfile.so module can also be used for virtual users. It uses a file in the same format as Apache's .htpasswd files, with lines of "username:password_crypt", so it's very simple to maintain, compared to cumbersome Berkeley DB files. :)

Right now, pam_pwdfile is masked, so:

Code: Select all

echo sys-auth/pam_pwdfile >> /etc/portage/package.keywords
emerge -tva pam_pwdfile
Previously, vsftpd used the file /etc/pam.d/vsftpd, but that changed, so nowadays it uses /etc/pam.d/ftp by default. If you want the old behaviour (I did!), you need to update your vsftpd.conf:

Code: Select all

echo pam_service_name=vsftpd >> /etc/vsftpd/vsftpd.conf
Next, you need to change your /etc/pam.d/vsftpd file. Notice that the "account" facility is not available from pam_pwdfile.so, so just use the regular pam_permit.so to let any account in, provided that they know their password. (The account facility is intended for temporarily disabling accounts, among other things.) Change your /etc/pam.d/vsftpd to look like this:

Code: Select all

auth    required pam_pwdfile.so pwdfile /etc/vsftpd/passwd_ftp
account required pam_permit.so
Now, all you need to do is simply to put lines of the form "username:password_crypt" into the /etc/vsftpd/passwd_ftp file!

I came up with a short Perl script to create md5 password hashes. Put this into /etc/vsftpd/filter.pl:

Code: Select all

#! /usr/bin/perl -w
use strict;

# filter "user:cleartext" lines into "user:md5_crypted"
# probably requires glibc

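while (<>) {
    chomp;
    (my $user, my $pass) = split /:/, $_, 2;
    # skip blank or malformed lines so they never become empty-password entries
    next unless defined $pass && length $user && length $pass;
    my $crypt = crypt $pass, '$1$' . gensalt(8);
    print "$user:$crypt\n";
}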

sub gensalt {
    my $count = shift;
    my @salt = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');
    my $s;
    $s .= $salt[rand @salt] for (1 .. $count);
    return $s;
}
Remember to:

Code: Select all

chmod +x /etc/vsftpd/filter.pl
Now, try something like:

Code: Select all

cd /etc/vsftpd
touch cleartext
chmod go= cleartext
echo john:secret >> cleartext
./filter.pl cleartext > passwd_ftp
...And that's it! Suddenly john can log in with the password "secret". If you want to simplify this even further, create a Makefile. Remember that the indented lines in a Makefile must be tab characters, not eight spaces!

Code: Select all

# /etc/vsftpd/Makefile
passwd_ftp: cleartext
        touch $@
        chmod 600 $@
        ./filter.pl $< >$@
This way, if you want to update your virtual users, simply:

Code: Select all

cd /etc/vsftpd
vi cleartext
make
Hope this was helpful. :)
Top
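An added example, not part of traal's post: a check of the file that pam_pwdfile reads, flagging a mode that lets group or others in and any line that is not `username:password_crypt` with an MD5-crypt (`$1$`) hash as filter.pl produces. The function names and the sample file (with made-up hash strings) are assumptions; the mode check relies on GNU `stat -c`.

```shell
#!/bin/sh
# Audit a pam_pwdfile-style file ("username:password_crypt" per line).
# Prints one finding per line; prints nothing when the file looks sane.
audit_pwdfile() {
    f=$1
    mode=$(stat -c %a "$f") || return 2           # octal mode, e.g. 600
    case $mode in
        *00|0) ;;                                 # owner-only access
        *) echo "mode $mode: readable or writable beyond the owner" ;;
    esac
    awk -F: '
        $0 == ""           { next }
        NF < 2 || $1 == "" { print "line " NR ": malformed entry"; next }
        seen[$1]++         { print "line " NR ": duplicate user " $1 }
        $2 == ""           { print "line " NR ": empty password field for " $1; next }
        $2 !~ "^\\$1\\$[./0-9A-Za-z]+\\$[./0-9A-Za-z]+$" {
            print "line " NR ": " $1 ": not an MD5-crypt hash"
        }
    ' "$f"
}

# Constructed sample: one good entry, one empty password, one cleartext
# password left in the hashed file, and one duplicated user name.
demo_audit() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        'john:$1$Ab3dEf9h$Qw1eRt2yUi3oPa4sDf5gH.' \
        'mary:' \
        'paul:secret' \
        'john:$1$zZ9yX8wV$Lk1jHg2fDs3aPo4iUy5tR/' > "$f"
    chmod 644 "$f"
    audit_pwdfile "$f"
    rm -f "$f"
}
demo_audit
```

On a live system the call is `audit_pwdfile /etc/vsftpd/passwd_ftp`; the same mode concern applies to the `cleartext` file, which holds the passwords unhashed.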
Raffi
l33t
Posts: 731
Joined: Mon Mar 17, 2003 1:32 am
Location: Moscow, Id.

Post by Raffi » Sun Aug 14, 2005 2:33 pm

Very helpful, thanks. I will give it a try as soon as I get back from vacation.
Top
codine
n00b
Posts: 3
Joined: Fri Jan 30, 2004 6:46 pm

Post by codine » Wed Aug 31, 2005 1:30 pm

Worked for me thank you much!
Top
b.walla
n00b
Posts: 1
Joined: Fri Sep 09, 2005 5:30 pm

Post by b.walla » Fri Sep 09, 2005 5:32 pm

Thanks traal, you rock hard.
Top
stevodestructo
n00b
Posts: 8
Joined: Tue Mar 15, 2005 10:56 pm
Location: the armpit of California

Re: sys-auth/pam_pwdfile to the rescue

Post by stevodestructo » Fri Sep 30, 2005 7:59 pm

traal wrote:Hi,
Hope this was helpful. :)
Thanks bunches man... this did the trick :-)
"It is as hard to see oneself as to look backwards without turning around"
~ Henry David Thoreau
Top
Jylppy
n00b
Posts: 17
Joined: Mon May 10, 2004 7:04 pm
Location: Finland

Works fine! Thanks man!!

Post by Jylppy » Fri Jan 13, 2006 11:52 pm

:D
Top
poco
n00b
Posts: 11
Joined: Thu Jan 06, 2005 1:39 pm
Location: Nice, France

Post by poco » Mon Feb 06, 2006 9:22 am

Thanks :)
Top
fdamstra
n00b
Posts: 39
Joined: Wed Feb 11, 2004 1:44 pm
Location: Grand Rapids, MI

Solved!

Post by fdamstra » Fri Feb 17, 2006 2:47 pm

Well, this pam_userdb problem has been troubling me for months and months. Converting to a different auth mechanism wasn't (isn't) a very good option for me as there's a management system built around the current system.

Anyhow, the solution is actually easy. In your /etc/pam.d/vsftpd or /etc/pam.d/ftp (whichever you use), add "crypt=hash" to the end of the auth and account lines. For instance, mine looks like this:

Code: Select all

auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd.passwd crypt=hash
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd.passwd crypt=hash
Hope that helps somebody out.
Top
Saibei
n00b
Posts: 12
Joined: Mon Oct 11, 2004 4:31 pm
Location: Texas

Post by Saibei » Mon Mar 27, 2006 4:44 am

This looks to be exactly what I wish to do!

However, I can't for the life of me get it to work... can someone post an example vsftpd.conf?
www.liquidninjas.com
Top