DSM-G600, DNS-3xx and NSA-220 Hack Forum

Unfortunately no one can be told what fun_plug is - you have to see it for yourself.

You are not logged in.

#1 2009-07-16 22:24:20

johnx
New member
Registered: 2009-07-16
Posts: 1

Can't log into pure-ftpd

I picked up a 343 a few weeks ago and after much trial and error I've finally gotten it to do most of what I want it to do.  The last thing I need to get working is Passive FTP.

I found ShadowAndy's script (http://www.shadowandy.net/2008/10/setti … e-ftpd.htm) to start the FTP server from fun_plug and set that up.  But now when I try to login to the server i get a message telling me that my user is ok, but the password is not.  To make sure I went in to the GUI and reset the password for that particular user and tried again.  Same message.  I've tried from an external IP and a local machine behind the firewall.

I'm running the latest beta firmware (because 1.02 causes all sorts of issues with fun_plug), 1.03b70.

Anyone else get the passive FTP working on the 343 with the new firmware?

Thanks,

j.

Ftp log:

Status:    Connection established, waiting for welcome message...
Response:    220---------- Welcome to Pure-FTPd [TLS] ----------
Response:    220-You are user number 2 of 4 allowed.
Response:    220-Local time is now 10:13. Server port: 20021.
Response:    220-This is a private system - No anonymous login
Response:    220 You will be disconnected after 2 minutes of inactivity.
Command:    USER XXXXXX
Response:    331 User XXXXXX OK. Password required
Command:    PASS *******
Response:    530 Login authentication failed

Last edited by johnx (2009-07-18 17:16:13)

Offline

 

#2 2010-07-29 08:40:22

c22
New member
Registered: 2010-07-29
Posts: 2

Re: Can't log into pure-ftpd

My DNS-343 runs firmware 1.03, latest as of July 25, 2010, running the pure-ftpd that 343 1.03
firmware came with. Note the 1.03 on DNS-343 corresponds to something like 1.05 or 1.07
in DNS-323 land, I think. Mine gives a password error unless in the DNS-343 in
WebGUI, Advanced, Users the password set is short. My 12 char password always failed at
FTP login, my 8 char password always worked. The WebGUI shows only 9 dots represending characters
on password. Maybe the limit is 8 or 9 characters.

I am still trying to get PASV to work to allow remote access. I can't use Active(PORT) because
the client-side's NAT-firewall won't forward, and I have no control of it. I can only control my
DD-WRT router on the DNS-343 side. Pure-ftpd gives RANDOM ports all over for PASV.  I've seen 1605 up
through 45000. DMZ is too insecure. When I changed my port forwarding rule from a 10 port range,
to 1000 to 65000, then PASV from outside works fine. But too unsecure, and interferes with
other home PCs and their services. I seek a way to constrain pure-ftpd to a 10 port range for
pasv, that survives power cycles, and reboots. I have fun-plug up, SSH, but lack knowledge.

Pure-ftpd gives pasv replies like:
227 Entering Passive Mode (192,168,1,20,110,246)

That's always an illegal local IP 192.168.1.20 (DNS-343 on LAN), and port is calculated
110 * 256 + 246 here, 28406 tcp. For me, I can tolerate the 192,168,1,20 because I have
dynamic IP, dyndns.org, and am using Filezilla Client, open source. Filezilla Client
sees the 192,168,1,20 and says "unroutable address, using server address instead"
which sounds very helpful. It means it will use the server IP it connected
with for the command channel, nice. Of course I always timeout waiting for the first
directory. Now if I can make find a way to constrain pure-ftpd to a 10 port pasv range
for pasv, that survives power cycles, and reboots, I am happy.

Last edited by c22 (2010-07-29 08:54:02)

Offline

 

#3 2011-06-23 05:37:55

philipjfry
New member
Registered: 2011-06-23
Posts: 1

Re: Can't log into pure-ftpd

After spending several days getting reacquainted with my old friend linux I've both experienced this issue and seen many others on the web have the same message as johnx
The fix is to take shadowandy's script on his site (or your own pure-ftpd script) and add the -l unix (that's lower case L) to the pure-ftpd command you are executing
"correct" version of shadowandy's command:
pure-ftpd -P ${ip_add} -p ${pureftp_passive} -S ,${pureftp_ftpport} -A -B -C 10 -I 2 -E -l unix -T ${pureftp_bandwidth}

the reason is whoever compiled pure-ftpd on dns-343 (i don't know about 323 or any other DNS or DNS-like server) included PAM support. After a cursory glance and maybe noobish assumption, it seems that PAM shared objects were statically linked to some original creator's home directory.

After enabling syslogd (thank you so much for including this in fun_plug!!) showed that a user logged in and suddenly there were several lines of PAM objects and directories not being found.

Jun 22 20:49:03 Fileserver ftp.info pure-ftpd: (?@192.168.1.106) [INFO] New connection from 192.168.1.106
Jun 22 20:49:03 Fileserver authpriv.err pure-ftpd: PAM unable to dlopen(/home/jerry/gmail343_321/linuxpam/lib/security/pam_listfile.so)
Jun 22 20:49:03 Fileserver authpriv.err pure-ftpd: PAM [error: /home/jerry/gmail343_321/linuxpam/lib/security/pam_listfile.so: cannot open shared object file: No such file or directory]
Jun 22 20:49:03 Fileserver authpriv.err pure-ftpd: PAM adding faulty module: /home/jerry/gmail343_321/linuxpam/lib/security/pam_listfile.so
Jun 22 20:49:03 Fileserver authpriv.err pure-ftpd: PAM unable to dlopen(/home/jerry/gmail343_321/linuxpam/lib/security/pam_unix.so)
Jun 22 20:49:03 Fileserver authpriv.err pure-ftpd: PAM [error: /home/jerry/gmail343_321/linuxpam/lib/security/pam_unix.so: cannot open shared object file: No such file or directory]
Jun 22 20:49:03 Fileserver authpriv.err pure-ftpd: PAM adding faulty module: /home/jerry/gmail343_321/linuxpam/lib/security/pam_unix.so
Jun 22 20:49:03 Fileserver authpriv.err pure-ftpd: PAM unable to dlopen(/home/jerry/gmail343_321/linuxpam/lib/security/pam_shells.so)
Jun 22 20:49:03 Fileserver authpriv.err pure-ftpd: PAM [error: /home/jerry/gmail343_321/linuxpam/lib/security/pam_shells.so: cannot open shared object file: No such file or directory]
Jun 22 20:49:03 Fileserver authpriv.err pure-ftpd: PAM adding faulty module: /home/jerry/gmail343_321/linuxpam/lib/security/pam_shells.so
Jun 22 20:49:03 Fileserver authpriv.err pure-ftpd: PAM unable to dlopen(/home/jerry/gmail343_321/linuxpam/lib/security/pam_nologin.so)
Jun 22 20:49:03 Fileserver authpriv.err pure-ftpd: PAM [error: /home/jerry/gmail343_321/linuxpam/lib/security/pam_nologin.so: cannot open shared object file: No such file or directory]
Jun 22 20:49:03 Fileserver authpriv.err pure-ftpd: PAM adding faulty module: /home/jerry/gmail343_321/linuxpam/lib/security/pam_nologin.so
Jun 22 20:49:03 Fileserver authpriv.err pure-ftpd: PAM _pam_init_handlers: no default config /etc/pam.d/other
Jun 22 20:49:03 Fileserver authpriv.debug pure-ftpd: pam_winbind(pure-ftpd:auth): getting password (0x00000000)
Jun 22 20:49:03 Fileserver authpriv.err pure-ftpd: pam_winbind(pure-ftpd:auth): pam_winbind_request: write to socket failed!
Jun 22 20:49:03 Fileserver authpriv.err pure-ftpd: pam_winbind(pure-ftpd:auth): internal module error (retval = 3, user = 'ftpuser')
Jun 22 20:49:03 Fileserver ftp.warn pure-ftpd: (?@192.168.1.106) [WARNING] Authentication failed for user [ftpuser]
Jun 22 20:49:08 Fileserver ftp.info pure-ftpd: (?@192.168.1.106) [INFO] Logout.

Pure-ftpd's page indicated that if PAM support was enabled, this form of authentication would be tried FIRST. The site's FAQ page was misleading to me when it stated "every method is tried in order" but it was referring to chaining together methods of authentication. The butter zone was struck when I read the next section

If you don't specify any -l option, PAM is assumed by default if the server
is compiled with PAM support and Unix is assumed by default otherwise.

Thus if you receive the following error

Status:    Connection established, waiting for welcome message...
Response:    220---------- Welcome to Pure-FTPd [TLS] ----------
Response:    220-You are user number 2 of 4 allowed.
Response:    220-Local time is now 10:13. Server port: 20021.
Response:    220-This is a private system - No anonymous login
Response:    220 You will be disconnected after 2 minutes of inactivity.
Command:    USER XXXXXX
Response:    331 User XXXXXX OK. Password required
Command:    PASS *******
Response:    530 Login authentication failed

you MUST specify -l unix to use your /etc/passwd instead of the unavailable PAM modules

sorry for the lengthy post but i wanted to make very sure that no one else runs into this issue again

P.S. to Jerry, from the logs, I want my five days back I spent researching this tongue

DNS-343

Offline

 

Board footer

Powered by PunBB
© Copyright 2002–2010 PunBB