PDA

View Full Version : ftp password rejected


SirLancelot
21st April 2009, 12:25
I've installed ispconfig 3 as a Xen server through a hypervm ostemplate using debian lenny. Everything seens to function correctly (client creation, web site creation, webmail and stats) but when i create an ftp account the password gets rejected with error 530 when attempting to conect using FireFTP.
Ftp for the web site is enabled and Pureftpd is running as:-

netstat -ap | grep "*:ftp"

displays

tcp 0 0 *:ftp *:* LISTEN

There is nothing in the logs for Pureftp, and I have tried ftp in active and passive modes. Also I am using the correct login (client id + additional user name text) and I only used normal text characters for login and password.
Thanks for any help you can give with this.

till
21st April 2009, 20:31
Which Linuxdistribution?

SirLancelot
21st April 2009, 20:46
Sorry for not making it clear in my first post, hypervm with xen is installed on Centos 5 and the ispconfig domu is debian 5.

tebokkel
21st April 2009, 21:14
Can you login with FTP on localhost?

Paul

SirLancelot
21st April 2009, 22:14
Can you login with FTP on localhost?


Do I need to install an ftp client on the ispconfig server to do this?

tebokkel
21st April 2009, 22:21
Normally not, normally you have the command "ftp" readily available:

tebokkel@www1:~$ ftp localhost
Connected to localhost.
220 FTP Server ready.
Name (localhost:tebokkel): tebokkel
331 Password required for tebokkel.
Password:
230 User tebokkel logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Paul

SirLancelot
21st April 2009, 22:28
I've tried that and I am getting:-

-bash: ftp: command not found.

I started with a basic install of debian 5 as the ispconfig server, will it "hurt" the setup if I install a ftp client?

Thanks

tebokkel
21st April 2009, 22:54
No, it won't.

Just do:
apt-get install ftp

as root and you're done.

Paul

SirLancelot
21st April 2009, 23:23
OK I've installed ftp and this is what I get:-

test:~# ftp localhost
Connected to localhost.localdomain.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 22:16. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (localhost:root): steve-ftp
331 User steve-ftp OK. Password required
Password:
530 Login authentication failed
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

I've definitely got an issue somewhere

tebokkel
22nd April 2009, 00:18
Now your FTP-log should show something, doesn't it?
Or else in /var/log/messages or /var/log/security?

Paul

SirLancelot
22nd April 2009, 00:35
/var/log/messages contains:-

Apr 21 22:15:26 test pure-ftpd: (?@localhost.localdomain) [INFO] New connection from localhost.localdomain
Apr 21 22:16:19 test pure-ftpd: (?@localhost.localdomain) [INFO] PAM_RHOST enabled. Getting the peer address
Apr 21 22:16:21 test pure-ftpd: (?@localhost.localdomain) [WARNING] Authentication failed for user [steve-ftp]

there is no /var/log/security or /var/log/pure-ftpd
I don't seem to have any ftp logs at all.

falko
22nd April 2009, 15:30
Did you try both active and passive transfers in your FTP client?

SirLancelot
22nd April 2009, 20:41
Did you try both active and passive transfers in your FTP client?

Yes, as mentioned in the first post.

Also I have tried passive from localhost with "-p" switch. I am not to familiar with command line ftp, so I am guessing that:-

"ftp localhost" will connect active

and

"ftp -p localhost" will connect passive

But which ever one I try still rejects the password.

till
23rd April 2009, 11:49
Please enaböe logging for mysql in the my.cnf file and then check which mysql queries get executed on ftp login and try these queries in phpmyadmin to see if they work.

SirLancelot
23rd April 2009, 20:48
This is what is contained in mysql.log:-

090423 19:35:40 72 Connect ispconfig@localhost on dbispconfig
72 Query set autocommit=0
72 Query SELECT password FROM ftp_user WHERE active = 'y' AND server_id = '1' AND username="steve-ftp"
72 Query SELECT uid FROM ftp_user WHERE active = 'y' AND server_id = '1' AND username="steve-ftp"
72 Query SELECT gid FROM ftp_user WHERE active = 'y' AND server_id = '1' AND username="steve-ftp"
72 Query SELECT dir FROM ftp_user WHERE active = 'y' AND server_id = '1' AND username="steve-ftp"
72 Query COMMIT
72 Quit
090423 19:36:01 73 Connect ispconfig@localhost on
73 Init DB dbispconfig
73 Query SELECT updated, config FROM server WHERE server_id = 1
73 Init DB dbispconfig
73 Query SELECT count(server_id) as number from sys_datalog WHERE datalog_id > 48 AND (server_id = 1 OR server_id = 0)
73 Quit
090423 19:36:09 74 Connect ispconfig@localhost on dbispconfig
74 Query set autocommit=0
74 Query SELECT password FROM ftp_user WHERE active = 'y' AND server_id = '1' AND username="steve-ftp"
74 Query SELECT uid FROM ftp_user WHERE active = 'y' AND server_id = '1' AND username="steve-ftp"
74 Query SELECT gid FROM ftp_user WHERE active = 'y' AND server_id = '1' AND username="steve-ftp"
74 Query SELECT dir FROM ftp_user WHERE active = 'y' AND server_id = '1' AND username="steve-ftp"
74 Query COMMIT


I think we are getting somewhere as when I run the queries I am getting:-

Error

SQL query: Documentation

SELECT PASSWORD FROM ftp_user
WHERE active = 'y'
AND server_id = '1'
AND username = "steve-ftp"
LIMIT 0 , 30

MySQL said: Documentation
#1046 - No database selected

both attempts to connect were from the command line as localhost. the first attempt was in active mode and the second attempt was in passive mode. I'm not sure if I am reading it corretly but does it look by the log that both attempts apear to be in active mode? Also no database selected error?
I'm begining to wonder if there is an issue with running xen through hypervm for ISPconfig 3 as this is the 5'th ispconfig sever that I have built and the FTP issue is always the same.
Many thanks for any assitance with this as it has got me confused.

falko
24th April 2009, 16:37
I think we are getting somewhere as when I run the queries I am getting:-

Error

SQL query: Documentation

SELECT PASSWORD FROM ftp_user
WHERE active = 'y'
AND server_id = '1'
AND username = "steve-ftp"
LIMIT 0 , 30

MySQL said: Documentation
#1046 - No database selected

When you run the queries manually, you must first select the right database:
USE database; (replace database with the database name).

SirLancelot
24th April 2009, 18:12
When you run the queries manually, you must first select the right database:
USE database; (replace database with the database name).

Oops! My apologies.

OK I ran:-

USE dbispconfig; set autocommit=0; SELECT password FROM ftp_user WHERE active = 'y' AND server_id = '1' AND username="steve-ftp"; SELECT uid FROM ftp_user WHERE active = 'y' AND server_id = '1' AND username="steve-ftp"; SELECT gid FROM ftp_user WHERE active = 'y' AND server_id = '1' AND username="steve-ftp"; SELECT dir FROM ftp_user WHERE active = 'y' AND server_id = '1' AND username="steve-ftp"; COMMIT

This is the result:-

USE dbispconfig;# MySQL returned an empty result set (i.e. zero rows).
SET AUTOCOMMIT =0;# MySQL returned an empty result set (i.e. zero rows).
SELECT PASSWORD FROM ftp_user
WHERE active = 'y'
AND server_id = '1'
AND username = "steve-ftp";# Rows: 1
SELECT uid
FROM ftp_user
WHERE active = 'y'
AND server_id = '1'
AND username = "steve-ftp";# Rows: 1
SELECT gid
FROM ftp_user
WHERE active = 'y'
AND server_id = '1'
AND username = "steve-ftp";# Rows: 1
SELECT dir
FROM ftp_user
WHERE active = 'y'
AND server_id = '1'
AND username = "steve-ftp";# Rows: 1
COMMIT # MySQL returned an empty result set (i.e. zero rows).

Mysql seems to think the database is empty?
But the user and password are there in the table ftp_user.

till
24th April 2009, 19:41
And you are really sure that the username is "steve-ftp" and not something like "defaultsteve-ftp" or so? There is a user prefix prepended by default, please check the ftp username that is displayed in the ftp user list in ispconfig. Also make sure that the ftp user is active.

SirLancelot
24th April 2009, 20:07
Yes the user steve-ftp is correct.

After installing ISPConfig 3 I logged in as admin and created a client "steve".
I then logged in as steve and created a web site for steve. Then created an ftp account for this website selecting client "steve" plus my user defined text "-ftp" so creating "steve-ftp"

Is this the correct way to do it?
Thanks

I think I should add that in order to use debian 5 I upgraded the basic Hypervm ostemplate provided by hypevm from deb 4 to deb 5. If you have looked back through this thread you will notice that this template was missing the ftp client that I believe comes with a basic install of Debian. (I had to apt-get install ftp). I am now wondering if there are any other packages that are required that the hypervm ostemplate is missing.

till
24th April 2009, 21:09
Is this the correct way to do it?

Yes, this is fine.

may you plese execute the following sql command and post the output:

select * from ftp_user where username like "%steve%";

SirLancelot
24th April 2009, 21:38
Now I think we are getting somwhere.
mysql will not let me log in:-

test:~# mysql

produces:-

ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

I've also tried:-

mysql -u root
mysql -u admin
mysql -u steve

mysql -u root -p mypassword
mysql -u admin -p mypassword
mysql -u steve -p mypassword

they all produce:-

ERROR 1045 (28000): Access denied for user

though i can log in with phpmyadmin and if I select table "ftp_user" steve_ftp is there.
It is strange that I am unable to connect from the command line as this is the 5'th time that I have built an ISPConfig 3 server and the problem is always the same.

till
24th April 2009, 21:47
Please note the difference, you said that steve_ftp is there but you tried to login with steve-ftp with the FTP client (underscore not -). Please try to login with steve_ftp with your ftp client now.

SirLancelot
24th April 2009, 21:53
Sorry that was a typo the user that is in the table "ftp_user" is steve-ftp.

And I am able to log into mysql from the command line with:-

mysql -u root -p

I wasnt thinking earlier.

The output of:-

select * from ftp_user where username like "%steve%";

does confirm the ftp user is correct:-

+-------------+------------+-------------+---------------+----------------+----------------+-----------+------------------+-----------+------------------------------------+------------+--------+------+---------+-------------------------------+-------------+----------+----------+--------------+--------------+
| ftp_user_id | sys_userid | sys_groupid | sys_perm_user | sys_perm_group | sys_perm_other | server_id | parent_domain_id | username | password | quota_size | active | uid | gid | dir | quota_files | ul_ratio | dl_ratio | ul_bandwidth | dl_bandwidth |
+-------------+------------+-------------+---------------+----------------+----------------+-----------+------------------+-----------+------------------------------------+------------+--------+------+---------+-------------------------------+-------------+----------+----------+--------------+--------------+
| 2 | 2 | 2 | riud | riud | | 1 | 1 | steve-ftp | $1$]x[ZlDk{$iqfI7NbkFBsUBhnrPcDLr1 | -1 | y | web1 | client1 | /var/www/clients/client1/web1 | -1 | -1 | -1 | -1 | -1 |
+-------------+------------+-------------+---------------+----------------+----------------+-----------+------------------+-----------+------------------------------------+------------+--------+------+---------+-------------------------------+-------------+----------+----------+--------------+--------------+
1 row in set (1.02 sec)

SirLancelot
25th April 2009, 12:44
I am now thinking that there is something strange with how the password is saved, because if I change the password for "steve-ftp" in ISPConfig to something like "123456" then issue:-

select * from ftp_user where username like "%steve%";

the follwing is displayed:-

+-------------+------------+-------------+---------------+----------------+----------------+-----------+------------------+-----------+------------------------------------+------------+--------+------+---------+-------------------------------+-------------+----------+----------+--------------+--------------+
| ftp_user_id | sys_userid | sys_groupid | sys_perm_user | sys_perm_group | sys_perm_other | server_id | parent_domain_id | username | password | quota_size | active | uid | gid | dir | quota_files | ul_ratio | dl_ratio | ul_bandwidth | dl_bandwidth |
+-------------+------------+-------------+---------------+----------------+----------------+-----------+------------------+-----------+------------------------------------+------------+--------+------+---------+-------------------------------+-------------+----------+----------+--------------+--------------+
| 2 | 2 | 2 | riud | riud | | 1 | 1 | steve-ftp | $1$iA@S_fYP$oFSVwi/B1PMg1hfUxJs4G0 | -1 | y | web1 | client1 | /var/www/clients/client1/web1 | -1 | -1 | -1 | -1 | -1 |
+-------------+------------+-------------+---------------+----------------+----------------+-----------+------------------+-----------+------------------------------------+------------+--------+------+---------+-------------------------------+-------------+----------+----------+--------------+--------------+
1 row in set (0.00 sec)

now if I again change the password in ISPConfig to something else, then change it back to "123456" and again issue at the command prompt:-

select * from ftp_user where username like "%steve%";

The following is generated:-

+-------------+------------+-------------+---------------+----------------+----------------+-----------+------------------+-----------+------------------------------------+------------+--------+------+---------+-------------------------------+-------------+----------+----------+--------------+--------------+
| ftp_user_id | sys_userid | sys_groupid | sys_perm_user | sys_perm_group | sys_perm_other | server_id | parent_domain_id | username | password | quota_size | active | uid | gid | dir | quota_files | ul_ratio | dl_ratio | ul_bandwidth | dl_bandwidth |
+-------------+------------+-------------+---------------+----------------+----------------+-----------+------------------+-----------+------------------------------------+------------+--------+------+---------+-------------------------------+-------------+----------+----------+--------------+--------------+
| 2 | 2 | 2 | riud | riud | | 1 | 1 | steve-ftp | $1$LJ{jwQ]L$qR3hTenZw0ueRN7MDhjkO0 | -1 | y | web1 | client1 | /var/www/clients/client1/web1 | -1 | -1 | -1 | -1 | -1 |
+-------------+------------+-------------+---------------+----------------+----------------+-----------+------------------+-----------+------------------------------------+------------+--------+------+---------+-------------------------------+-------------+----------+----------+--------------+--------------+
1 row in set (0.00 sec)

As can be seen the encrypted password is now different even though I set it to "123456" in both cases.

till
25th April 2009, 12:47
Thats all fine. This is named a salted password, it is always different so it can not be attacked with wordbook attacks. Al Linux passwords are saved as salted passwords for this reason.

SirLancelot
25th April 2009, 12:51
Thats all fine. This is named a salted password, it is always different so it can not be attacked with wordbook attacks. Al Linux passwords are saved as salted passwords for this reason.

OK thanks, at least I know the ftp account and password are being stored correctly. I just cannot seem to get to the bottom of the login problem.

SirLancelot
28th April 2009, 19:10
I'm pretty convinced that this is an issue with the original debian template that I am using, as it does not seem to matter how many times I try to rebuild my ISPConfig 3 server the error with ftp password rejected is always the same.
I believe that Hypervm uses a jailtime xen domu image to build xen domu servers. I had a look at the image details listed at:-

http://jailtime.org/download:debian:v4.0?s=debian+4

and it states that:-

tls has been disabled (/lib/tls –> /lib/tls.disabled)

Is it possible that this could cause a problem?
I may be just grasping at straws here.

SirLancelot
6th May 2009, 14:11
SOLVED

Though I used the brute force method.
If you use HyperVM to administrate your Xen domu's there is an issue with the osteplate (at least for Debian) this also goes for the Debian image from jailtime.org. (though I am not sure about other distros), that prevents ftp from working when ISPConfig 3 is installed.
In order to get ISPConfig 3 working as a domu using HyperVM I had to install a xen dom0 on an old server, then create a basic debian domu with ssh installed. Then convert the domu image to a formate that HyperVM uses (debian-5.0-i386-minimal.tar.gz) then move this to the xen ostemplates of the HyperVM server. I was then able to use this template for building the ISPConfig 3 server, and all worked perfectly.

Many thanks to all involved while trying to fix this.

TomasZu
15th May 2013, 15:46
EDIT: noobish me, slipped under username prefix...

till
15th May 2013, 16:13
If you use ubuntu 12.04 LTS then its very unlikely thats its the same problem as the problem is about a issue in a debian image from jailtime.org and not a ispconfig specific problem.

The most likely reason for rejected passwords is that you tried to use a wrong ftp username, e.g. using it without prefix. Take a look at the ftp user list in ispconfig, you have to use the full ftp username incl. prefix as it is displayed there.

TomasZu
15th May 2013, 16:17
yes, you are 100% right.

Is there any magic to get rid of prefix for ftp users ?

till
15th May 2013, 16:31
See: System > Interface > Main config

TomasZu
15th May 2013, 16:46
thank you twice till. I'll check it later.