Pure-ftpd FTP server 530 Login authentication failed in ubuntu

After pure-ftpd is configured in ubuntu, an error occurs during logon.

-> % Ftp ssi@xxxx.xx
Connected to xxxx. xx.
220 ---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now. Server port: 21.
220-This is a private system-No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
331 User ssi OK. Password required
Password:
530 Login authentication failed
Ftp: Login failed

The following is a solution.

1. Prerequisites

On ubuntu, you can directly use apt-get to install the latest version of pure-ftpd. However, its configuration is somewhat odd.

The configuration file of pure-ftpd is in/etc/pure-ftpd/conf by default. Each file is the name of a command line parameter, and the content of the file is the value of this parameter.

Pure-ftpd uses the pure-ftpd-wrapper command to convert these configuration files into command line parameters and use them to start the service.

For example, if you want to disable chroot, add a/etc/pure-ftpd/conf/ChrootEveryone file, and write the value yes.

All command line parameters of pure-ftpd correspond to one short parameter and one long parameter. You can view all supported parameters through man pure-ftpd.

These parameters are all in lowercase. To view their standard format, use man pure-ftpd-wrapper.

Now, this is the topic. To clearly describe the configuration process, I will repeat it.

2. Create a system user

Create an ftp account and an ftp user group. Set its shell to prohibit logon. Note: the home value is the access address of the Anonymous account.

Useradd-M-U-s/usr/sbin/nologin-d/var/ftp

For shell settings that prohibit logon, we usually use/usr/sbin/nologn and/bin/false. Here we can learn about their differences. For more details, see man false and man nologin (you can also see man true by the way ).

3. Create a virtual user

The following command creates a user named ssi and writes its information to/etc/pure-ftpd/pureftpd. passwd.

This ssi user is a virtual user. This user does not have to exist in the system. This user has the same permissions as the system account we specified through the-u and-g parameters.

During this period, pure-pw will ask you to enter the ftp password of this user.

Pure-pw useradd ssi-u ftp-g ftp-d/var/ftp/ssi

Ftp serves www most of the time. Sometimes, for convenience (not necessarily safe), you can even directly bind a virtual user to a www-data user.

Update user information to the/etc/pure-ftpd/pureftpd. pdb file:

Pure-pw mkdb

4. Set the mask

Write the required file and directory mask to the Umask configuration file, separated by spaces:

Echo '003 002 '>/etc/pure-ftpd/conf/Umask

Note that although the pure-ftp man page says this:

-U umask files: umask dirs
Change the mask for creation of new files and directories. The default are 133 (files
Are readable-but not writable-by other users) and 022 (same thing for directory,
With the execute bit on). If new files shoshould only be readable by the user, use
177: 077. If you want uploaded files to be executable, use 022:022 (files will be read?
Able by other people) or 077: 077 (files will only be readable by their owner ).

However, if you set it to, pure-ftpd will report an error upon restart:

Restarting ftp server:/usr/sbin/pure-ftpd-wrapper: Invalid configuration file/etc/pure-ftpd/conf/Umask: "00:002" not two octal numbers

Therefore, set the delimiter to a space. This may also be a feature of ubuntu. ;)

5. Fixed logon errors

The question is finally coming.

According to google's information, first specify PureDB in auth.

Ln-s/etc/pure-ftpd/conf/PureDB/etc/pure-ftpd/auth/50 pure

After processing, the problem persists.

Then find this passage in README of pure-ftpd:

? With-pam: use pluggable authentification modules. Don't use this option
If your login/passwd pairs are always refused (but the real fix wocould be
Fix your PAM configuration). You need to create a/etc/pam. d/pure-ftpd file
To properly use the PAM authentication. The 'PAM 'directory contains
Example of such a file.

At the same time, locate here and confirm that the PAM verification is canceled, and the logon is successful.

Echo no>/etc/pure-ftpd/conf/PAMAuthentication

However, it is unreasonable to cancel PAM, which may make the system insecure. Check that the configuration of/etc/pam. d/pure-ftpd is correct, which indicates that this is not a problem with PAM.

The PAM configuration file contains the words pam_shells.so. Then, the ghost glances at/etc/shells and finds that it does not contain/usr/sbin/nologin.

Add it:

Echo '/usr/sbin/nologin'>/etc/shells

Then, restore the PAMAuthentication settings and restart the service:

Service pure-ftpd restart

6. Analysis

Man pam_shells can see the following information:

NAME
Pam_shells-PAM module to check for valid login shell

SYNOPSIS
Pam_shells.so

DESCRIPTION
Pam_shells is a PAM module that only allows access to the system if the users shell is listed
In/etc/shells.

It also checks if/etc/shells is a plain file and not world writable.

The following content is configured in/etc/pam. d/pure-ftpd:

Auth required pam_shells.so

Because the ftp user's shell is/usr/sbin/nologin, this shell must exist in/etc/shells to pass through the PAM module.

7. Other problems

On CentOS, I compile and install pure-ftpd. Here are some precautions.
7.1 script used to start the service

The source code does not provide the startup script. I will upload an available script to gist, download it, modify the path, and copy it to/etc/init. d.

Remember to add the -- with-ftpwho option during compilation. In this way, when using the above script to implement service pureftpd status, you can see the information of the client currently being connected.
7.2 421 error occurred when restarting the service

It is because the -- with-puredb option is not added during compilation. Need to be re-compiled.

421 Unknown authentication method: puredb:/opt/pureftpd/etc/pureftpd. pdb

7.3 530 Sorry, but I can't trust you

The same is the 530 logon error. The prompt is as follows:

530 Sorry, but I can't trust you
Ftp: Login failed.

This is because the ftp account of the system is a system account, and the-r parameter may be added when an ftp account is created. Check the ftp account id:

Id ftp
Uid = 14 (ftp) gid = 50 (ftp) groups = 50 (ftp)

There is an option in the pure-ftp.conf configuration file to set the minimum account UID, and if it is smaller than this UID, the above 530 error will occur. This value is 100 by default.

# Minimum UID for an authenticated user to log in.
Min UID 100

There are two solutions:

Modify the MinUID value so that it is smaller than the ftp account value (my value is 14, so change it to 13 or smaller ),
Modify the UID of the ftp account.

Here I select the latter:

Usermod-u 600 ftp
Groupmod-g 600 ftp

You must update the virtual account to make it take effect:

Pure-pw usermod ssi-u ftp-g ftp-m