Re: some ftpd problems

[Rick Stevens <rstevens vitalstream com>]

Mitchell Marks wrote:
> First, I apologize if redhat-install-list is supposed to be just about 
> installation questions.  From the description, I took it to be open for 
> all sorts of issues, for those new to Red Hat or with new RH installations.

So far, it seems to be something of a free-for-all! ;-)

> RH is 7.2
> ftpd is  wu-2.6.1-18, as shipped
>
>
> The FTP is working generally but giving me a few problems.
>
> 1.  When contacted via commandline from another Unix host, ftp-ing in as 
> real user, when I do an "ls" it does return a listing but then hangs.  
> (I've turned on verbose command logging, and) the log shows a "LIST" 
> command, but nothing about trouble after that.

Have you noticed any slow login stuff (e.g. getting a "connected to"
message, then a delay before the login prompt)?

> 2.  It does not seem to allow passive connections, i.e. PASV, from GUI 
> programs where this is a checkbox option.  I'm going to have some users 
> from behind firewalls who will need to use this.  I've tried various 
> things with "pasv-allow" in /etc/ftpaccess, but they don't seem relevant.

You could have a problem with your firewall settings.  If you're running
ipchains or iptables, try disabling those and seeing if the PASV works
then.  If so, we've found it and we'll need to see your settings.  If
not, hmmmm.  Try doing a tcpdump on the server while a PASV is attempted
and see what's going on at that point.

> P.S. 
> Here is the /etc/xinetd.d/wu-ftpd:
>
>
> # default: on
> # description: The wu-ftpd FTP server serves FTP connections. It uses \
> #       normal, unencrypted usernames and passwords for authentication.
> service ftp
> {
>         disable = no
>         socket_type             = stream
>         wait                    = no
>         user                    = root
>         server                  = /usr/sbin/in.ftpd
>         server_args             = -l -a
>         log_on_success          += DURATION USERID
>         log_on_failure          += USERID
>         nice                    = 10
> }

Nothing weird in there

> And here is /etc/ftpaccess:
>
>
> # This file controls the behavior of the wu-ftpd
> # ftp server.
> #
> # If you're looking for a graphical frontend to
> # editing it, try kwuftpd from the kdeadmin
> # package.
>
> # Don't allow system accounts to log in over ftp
> deny-uid %-99 %65534-
> deny-gid %-99 %65534-
> # allow-uid ftp
> # allow-gid ftp
> guestserver

Ah, no anonymous FTP, eh  Good!

> # The ftpchroot group doesn't exist by default, this
> # entry is just supplied as an example.
> # To chroot a user, modify the line below or create
> # the ftpchroot group and add the user to it.
> #
> # You will need to setup the required applications
> # and libraries in the root directory (set using
> # guest-root).
> #
> # Look at the anonftp package for the files you'll need.
> guestgroup ftpchroot
>
> # User classes...
> class   all   real,guest,anonymous  *
> #class   all   real  *
>
> pasv-allow real *

That should be legit.

> # Set this to your email address
> email root localhost
>
> # Allow 5 mistyped passwords
> loginfails 5
>
> # Notify the users of README files at login and when
> # changing to a different directory
> readme  README*    login
> readme  README*    cwd=*
>
> # Messages displayed to the user
> message /welcome.msg            login
> message .message                cwd=*
>
> # Allow on-the-fly compression and tarring
> compress        yes             all
> tar             yes             all
>
> # Prevent anonymous users (and partially guest users)
> # from executing dangerous commands
> chmod           no              guest,anonymous
> delete          no              anonymous
> overwrite       no              anonymous
> rename          no              anonymous
>
> # Turn on logging to /var/log/xferlog
> log transfers anonymous,guest,real inbound,outbound
> log commands
>
> # If /etc/shutmsg exists, don't allow logins
> # see ftpshut man page
> shutdown /etc/shutmsg
>
> # Ask users to use their email address as anonymous
> # password
> passwd-check rfc822 warn
>
>
> # Allow keepalive
> keepalive yes
>
> # Timeout listing

I don't see anything weird there.  Keep in mind the default PASV
timeout is 120 seconds, so if your users don't try to download
within 2 minutes of logging in, they won't be able to.
----------------------------------------------------------------------
- Rick Stevens, SSE, VitalStream, Inc.      rstevens vitalstream com -
- 949-743-2010 (Voice)                    http://www.vitalstream.com -
-                                                                    -
-   Which is worse: ignorance or apathy?  I don't know.  Who cares?  -
----------------------------------------------------------------------