On 20.09.2016 at 22:11, Marc Chamberlin wrote:
On 9/20/2016 11:51 AM, Admin Beckspaced wrote:
On 20.09.2016 at 20:17, Marc Chamberlin wrote:
On 9/20/2016 9:40 AM, Admin Beckspaced wrote:
On 20.09.2016 at 01:48, Marc Chamberlin wrote:
Hello - I am trying to configure the vsftpd server to use SSL on an openSuSE 42.1 (Leap) and running into trouble. I have the basic server running just fine, no firewall issues or anything like that. But when I configure vsftpd to enable SSL I get the following cryptic error messages -
bigbang: rcvsftpd restart
bigbang: rcvsftpd status
vsftpd.service - Vsftpd ftp daemon
   Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled)
   Active: failed (Result: exit-code) since Mon 2016-09-19 15:04:25 PDT; 5s ago
  Process: 27223 ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf (code=exited, status=2)
 Main PID: 27223 (code=exited, status=2)

Sep 19 15:04:24 bigbang systemd[1]: Starting Vsftpd ftp daemon...
Sep 19 15:04:24 bigbang systemd[1]: Started Vsftpd ftp daemon.
Sep 19 15:04:25 bigbang systemd[1]: vsftpd.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Sep 19 15:04:25 bigbang systemd[1]: Unit vsftpd.service entered failed state.
Who knows what the "INVALIDARGUMENT" is; my examination of log files reveals nothing, nor do Google searches. (I did find others having this problem as well, but no solutions.)
The part of the vsftpd.conf file that is relevant to the SSL configuration is:
ssl_enable=YES
debug_ssl=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
I am pretty sure I created the certificate and private key files correctly, following the instructions at:
https://www.unixmen.com/how-to-setup-ftp-server-on-opensuse-42-1/
The only possible hint I have found is in the FAQs for the vsftpd server which says -
Q) Does vsftpd support SSL / TLS based encryption?
A) Yes, as of v2.0.0, this is supported for the control and data connections (hurrah). You need a build of vsftpd with this support enabled, and then you need to activate the ssl_enable setting. NOTE there are security considerations with this support. Please make sure to read the ssl_enable section in the vsftpd.conf.5 man page thoroughly before using.
I don't know how to determine whether the version of vsftpd released with opensuse42.1 was built with support for SSL/TLS or not, I would assume so... but consider me asking? Was it? Does anyone know if the vsftpd server is seriously broken as far as using SSL/TLS? If so, any recommendation on using a different server?
Thanks in advance for any and all helpful replies... Marc...
hello marc,
to check if your vsftpd has SSL support built in you can run the following command:
ldd /usr/sbin/vsftpd | grep ssl
perhaps first check where your vsftpd is via
which vsftpd
perhaps this might help?
greetings becki
Thanks Becki for your response, this is what I got and it looks like vsftpd was built with support for SSL/TLS if I am reading this right.. So I am still in the dark as to why vsftpd is not working when I enable SSL for it...
bigbang:/etc # ldd /usr/sbin/vsftpd | grep ssl
        libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x00007fa5be3e0000)
bigbang:/etc # which vsftpd
/usr/sbin/vsftpd
Marc...
hello marc,
i think you said it works without SSL/TLS?
then there's something wrong with your SSL/TLS setup. i had a look at your tutorial -> https://www.unixmen.com/how-to-setup-ftp-server-on-opensuse-42-1/
perhaps there's an error in the tutorial as the cert & private key both point to the same file?
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
in my setups i used to have 2 different files, a private key and a certificate. your SSL/TLS setup points both at the same file?
sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
have a look in the other tutorial i used before ... http://www.thatsgeeky.com/2011/01/configuring-vsftpd-to-use-tls/
here the command creates 2 different files ... a private key and a certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/www.domain.com.key -out /etc/pki/tls/certs/www.domain.com.pem
i think that's your problem ...
follow the steps in the tutorial above and create new certificates and see what happens?
thanks & greetings becki
Thanks again Becki, I gave it a shot but still no joy! I followed the steps in the tutorial that you pointed me to for creating two separate files as best as I could. Didn't fully understand the part about chaining certificates but did manage to create the separate key and pem files. After re-configuring the vsftpd.conf file to use them, I still get the same error message about an invalidargument when I restart the vsftpd server. I am guessing that you and others are also running vsftpd under openSuSE 42.1 without problems? Got any more ideas?
Marc...
hello marc,

actually i used to run vsftpd on my opensuse box, but as i no longer have any clients using the FTP service i switched to WINSCP via SSH. this way i don't need to run an FTP server on my suse box ...

to further debug the issue ... i would comment out all SSL/TLS config settings and restart vsftpd, then enable each SSL/TLS config setting one by one to see which one throws the error?

also ... check the permissions on the cert & private key file. as far as i remember they need to be 400 / 600 so only root can read / write them ... on my suse 13.1 it's 0400

also ... did you set up a password on the cert / private key? normally you should not! as it would require vsftpd to enter the password, which it can't!

another thing that comes to mind ... check for typos in the config file? something little and stupid like a comma , could mess up your config file

i will copy my last working vsftpd config file below, which was running on an opensuse 13.1 without any problems.

also ... do you start vsftpd as standalone or via inetd?

best of luck & greetings becki

VSFTPD CONFIG

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# If you do not change anything here you will have a minimum setup for an
# anonymous FTP server.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
################
# General Settings
################
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftpsecure
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to FTP service.
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# If enabled, all user and group information in
# directory listings will be displayed as "ftp".
#hide_ids=YES
#
#######################
# Local FTP user Settings
#######################
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# Performs chroot with original (non-root) credentials. This is useful on nfs with squash_root,
# where root becomes nobody and would need -x access.
#allow_root_squashed_chroot=YES
#
# The maximum data transfer rate permitted, in bytes per second, for
# local authenticated users. The default is 0 (unlimited).
#local_max_rate=7200
#
##########################
# Anonymous FTP user Settings
##########################
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# The maximum data transfer rate permitted, in bytes per second, for anonymous
# authenticated users. The default is 0 (unlimited).
#anon_max_rate=7200
#
# Anonymous users will only be allowed to download files which are
# world readable.
anon_world_readable_only=YES
#
# Default umask for anonymous users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#anon_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Uncomment this to enable anonymous FTP users to perform other write operations
# like deletion and renaming.
#anon_other_write_enable=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
############
# Log Settings
############
#
# Log to the syslog daemon instead of using a logfile.
syslog_enable=NO
#
# Uncomment this to log all FTP requests and responses.
log_ftp_protocol=YES
#
# Activate logging of uploads/downloads.
#xferlog_enable=YES
xferlog_enable=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
# vsftpd_log_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
xferlog_std_format=NO
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# Enable this to have both logfiles: standard xferlog and vsftpd's own style log.
#dual_log_enable=YES
#
# Uncomment this to enable session status information in the system process listing.
#setproctitle_enable=YES
#
#################
# Transfer Settings
#################
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
#ascii_download_enable=YES
#
# Set to NO if you want to disallow the PASV method of obtaining a data
# connection.
#pasv_enable=NO
#
# PAM setting. Do NOT change this unless you know what you do!
pam_service_name=vsftpd
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure that one of the listen options is commented !!
listen_ipv6=NO
#
# Set to ssl_enable=YES if you want to enable SSL
ssl_enable=YES
#
# Limit passive ports to this range to assist firewalling
pasv_min_port=30000
pasv_max_port=30100
### security features that are incompatible with some other settings. ###
# isolate_network ensures the vsftpd subprocess is started in its own network
# namespace (see CLONE_NEWNET in clone(2)). It however disables the
# authentication methods that need network access (LDAP, NIS, ...).
#isolate_network=NO
# seccomp_sandbox adds an additional security layer limiting the syscalls
# that can be performed via vsftpd. However it might happen that the
# whitelist doesn't allow a legitimate call (usually indirectly triggered by a
# third-party library like pam, or openssl) and the process is killed by the kernel.
#
# Therefore if your server dies in common situations (file download, upload),
# uncomment the following line and don't forget to open a bug at
# https://bugzilla.novell.com
seccomp_sandbox=NO
#choose what you like, if you accept anon-connections
# you may want to enable this
#allow_anon_ssl=NO
#choose what you like,
# it's a matter of performance i guess
force_local_data_ssl=YES
#choose what you like
force_local_logins_ssl=YES
#you should at least enable this if you enable ssl...
#TLSv1
ssl_tlsv1=YES
#choose what you like
#SSLv2
ssl_sslv2=NO
#choose what you like
#SSLv3
ssl_sslv3=NO
#give the correct path to your currently generated *.pem file
rsa_cert_file=/etc/ssl/certs/vsftpd-mycert.pem
#the *.key file holds the private key (kept separate from the cert here)
rsa_private_key_file=/etc/ssl/certs/vsftpd-mykey.key
#If activated, files and directories starting with . will be shown in directory listings even if the "a" flag was not used by the client.
#This override excludes the "." and ".." entries.
force_dot_files=YES
#The number of seconds to pause prior to reporting a failed login.
delay_failed_login=30
#After this many login failures, the session is killed.
max_login_fails=3
#If set to yes, all SSL data connections are required to exhibit SSL session reuse (which proves that they know the same master secret as the control channel).
#Although this is a secure default, it may break many FTP clients, so you may want to disable it.
require_ssl_reuse=YES
#debug_ssl=YES
ssl_ciphers=HIGH
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
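The checks becki asks for across the two replies above (does the cert/key path layout make sense, are the files readable with the right permissions, is the key passphrase-free, is there a stray character in the config) can be done before restarting the service. Exit status 2 is what vsftpd uses for any fatal start-up error, and the reason ("500 OOPS: bad bool value in config file", "unrecognised variable", or an OpenSSL load failure for the certificate or key) is easy to lose under systemd, so a static pre-flight pass is worth having. The script below is an added example written for this page, not code from the thread, from vsftpd or from openSUSE. It uses only the Python standard library, inspects the PEM files as text rather than parsing them, and runs against a constructed config and placeholder key/cert bodies in a temporary directory; the paths and the PEM contents in demo() are made up. It deliberately does not flag rsa_cert_file and rsa_private_key_file pointing at the same file as an error: vsftpd.conf(5) documents that the key may live in the certificate file, so the check verifies that the file actually contains both blocks instead.

```python
"""Pre-flight checks for the SSL/TLS block of a vsftpd.conf.

Example code added by this page's editor, not from the thread or from vsftpd.
Standard library only; PEM files are inspected as text, so no OpenSSL is
needed, and the key/cert bodies written by demo() are constructed placeholders.
"""
import os
import re
import stat
import tempfile

TRUE_VALUES, FALSE_VALUES = {"yes", "true", "1"}, {"no", "false", "0"}
# Boolean settings used in the thread; vsftpd accepts YES/NO, TRUE/FALSE, 1/0.
BOOL_SETTINGS = {"ssl_enable", "debug_ssl", "allow_anon_ssl", "force_local_data_ssl",
                 "force_local_logins_ssl", "ssl_tlsv1", "ssl_sslv2", "ssl_sslv3",
                 "require_ssl_reuse"}
DEFAULT_CERT = "/usr/share/ssl/certs/vsftpd.pem"   # vsftpd.conf(5) default
KEY_HEADER = re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")


def parse_vsftpd_conf(text):
    """Parse key=value lines into (settings, problems).

    vsftpd compares values literally: 'ssl_enable=YES ' (trailing blank) is a
    bad bool value and ' ssl_enable=YES' an unrecognised variable; either makes
    the daemon exit with status 2 at start-up. Report, do not silently repair.
    """
    settings, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: not key=value: {line!r}")
            continue
        key, _, value = line.partition("=")
        if key != key.strip() or value != value.strip():
            problems.append(f"line {lineno}: whitespace around '=' in {line!r}")
        key, value = key.strip(), value.strip()
        if key in BOOL_SETTINGS and value.lower() not in TRUE_VALUES | FALSE_VALUES:
            problems.append(f"line {lineno}: bad bool value for {key}: {value!r}")
        settings[key] = value
    return settings, problems


def is_true(settings, key, default="NO"):
    return settings.get(key, default).lower() in TRUE_VALUES


def check_pem_file(path, want_key, want_cert):
    """What vsftpd needs when it loads the file: readable, the right PEM blocks,
    no passphrase on the key (a daemon cannot type one), key not group/world readable."""
    try:
        st = os.stat(path)
        with open(path, errors="replace") as fh:
            body = fh.read()
    except OSError as exc:
        return [f"{path}: cannot read ({exc.strerror})"]
    problems = []
    if want_cert and "-----BEGIN CERTIFICATE-----" not in body:
        problems.append(f"{path}: no CERTIFICATE block")
    if want_key:
        if not KEY_HEADER.search(body):
            problems.append(f"{path}: no PRIVATE KEY block")
        if "ENCRYPTED" in body:   # PKCS#8 'ENCRYPTED PRIVATE KEY' or legacy 'Proc-Type: 4,ENCRYPTED'
            problems.append(f"{path}: private key is passphrase-protected")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is group/world accessible; use 0600 or 0400")
    return problems


def check_ssl_config(text):
    """All findings for one vsftpd.conf body; an empty list means nothing obvious is wrong."""
    settings, problems = parse_vsftpd_conf(text)
    if not is_true(settings, "ssl_enable"):
        return problems                   # vsftpd ignores the rest when SSL is off
    for proto in ("ssl_sslv2", "ssl_sslv3"):
        if is_true(settings, proto):
            problems.append(f"{proto}=YES enables a broken protocol; set it to NO")
    cert = settings.get("rsa_cert_file", DEFAULT_CERT)
    key = settings.get("rsa_private_key_file")
    if key is None or key == cert:
        # vsftpd.conf(5): with rsa_private_key_file unset the key is expected inside
        # the cert file, so a shared path is fine as long as both blocks are present.
        problems += check_pem_file(cert, want_key=True, want_cert=True)
    else:
        problems += check_pem_file(cert, want_key=False, want_cert=True)
        problems += check_pem_file(key, want_key=True, want_cert=False)
    return problems


def demo():
    """Constructed setup with the mistakes discussed in the thread, then the fixed one.
    Returns (findings_before, findings_after)."""
    tmp = tempfile.mkdtemp()
    cert, key = os.path.join(tmp, "vsftpd.pem"), os.path.join(tmp, "vsftpd.key")
    with open(cert, "w") as fh:           # placeholder PEM: only the headers matter here
        fh.write("-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n")
    with open(key, "w") as fh:
        fh.write("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIBplaceholder\n-----END ENCRYPTED PRIVATE KEY-----\n")
    os.chmod(key, 0o644)
    broken = "\n".join(["ssl_enable=YES", "ssl_sslv2=NO", "ssl_sslv3=YES",
                        f"rsa_cert_file={cert}", f"rsa_private_key_file={key}",
                        "force_local_logins_ssl=YES "])   # note the trailing blank
    before = check_ssl_config(broken)
    with open(key, "w") as fh:            # passphrase-free key, owner-only permissions
        fh.write("-----BEGIN PRIVATE KEY-----\nMIIBplaceholder\n-----END PRIVATE KEY-----\n")
    os.chmod(key, 0o600)
    after = check_ssl_config(broken.replace("ssl_sslv3=YES", "ssl_sslv3=NO").rstrip())
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```

Point check_ssl_config() at the real file with open("/etc/vsftpd.conf").read() (as root, since the key file is not readable otherwise) and fix the findings before touching the service again; once the list is empty, the remaining failure modes are the ones only vsftpd itself reports, and becki's one-setting-at-a-time bisection is the way to find those.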