VSFTPD - Cannot make a successful connection with SSL enabled!

Issues related to applications and software problems
dass
Posts: 4
Joined: 2012/03/25 00:27:42

VSFTPD - Cannot make a successful connection with SSL enabled!

Post by dass » 2012/03/25 00:44:58

Centos 6.2 / x86_64 / no firewall / not using inetd/xinetd

I have been all over the internet. So many people complaining about the same thing - but so few signs of hope.

Normal FTP works easy. But, with SSL enabled... I never get a successful connection. My client (tried with sftp and FileZilla) just hangs and the connection times out. I don't even get a chance to enter credentials.

If I let the client time out (it takes a few minutes) I get this:

[code]ssh_exchange_identification: Connection closed by remote host
Couldn't read packet: Connection reset by peer[/code]

All I see in /var/log/vsftpd.log is:

[code]Sat Mar 24 20:58:45 2012 [pid 2] CONNECT: Client "x.x.x.x"[/code]

I have tried building (2.3.5) with and without PAM. I have tried installing with yum (2.2.2). I have tried crossing my fingers and praying to many of my favourite Star Wars characters. I have even tried configuring VSFTPD ;)

Okay. Here is my /etc/vsftpd.conf - showing the absolute minimal settings required just to show some sign of VSFTPD responding:

[code]listen=YES
listen_address=x.x.x.x
listen_port=22
local_enable=YES
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/xxx.pem[/code]

I have tried setting all sorts of other options, but without any different results. I've even tried turning on debug_ssl, but no helpful information shows up in the logs.

It's been 2 days. Can somebody please help?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: VSFTPD - Cannot make a successful connection with SSL enabled!

Post by TrevorH » 2012/03/25 02:22:48

The mention of ssh in the error message doesn't tell you that it isn't using vsftpd? :-) I think you'll find that sftp is handled by the openssh daemon and not by vsftpd at all.

dass
Posts: 4
Joined: 2012/03/25 00:27:42

Re: VSFTPD - Cannot make a successful connection with SSL enabled!

Post by dass » 2012/03/25 02:39:35

VSFTPD is listening on x.x.x.82, while SSHD is listening on x.x.x.83. When I use sftp (part of the ssh package) that's when I get the "ssh..." error. If I use FileZilla I get "Error: Connection timed out / Could not connect to server".

Plus, I'm certain that it's VSFTPD that's listening, since if I shut it down and try to connect, the connection is instantly refused.

I'm really hoping somebody points out something really obvious - only so I can get this thing working.

I would use the sftpd that comes with ssh, but the chroot feature doesn't appear to actually work (it just starts the user off in the home directory without stopping them from performing cd /), and I really need that extra security.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: VSFTPD - Cannot make a successful connection with SSL enabled!

Post by pschaff » 2012/03/25 13:26:24

I'm not sure exactly where the problem is, other than potential confusion between sftp (which despite the name uses the SSH protocol and not FTP) and ftp, but having vsftpd listen on port 22 (the SSH port) is likely to cause problems, and may confuse clients and servers that expect port 22 to be used for SSH.

Perhaps the Wiki [url=http://wiki.centos.org/?action=fullsearch&context=180&value=vsftpd&titlesearch=Titles]vsftpd articles[/url] will be helpful.

What exactly is the issue with ssh chroot? I can't find any bugs referencing a problem with it failing to confine users to the chroot for CentOS-6. There is a forum thread about CentOS-5 issues [url=https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=35293&forum=41]here[/url].

dass
Posts: 4
Joined: 2012/03/25 00:27:42

Re: VSFTPD - Cannot make a successful connection with SSL enabled!

Post by dass » 2012/03/27 04:36:52

[quote]I'm not sure exactly where the problem is, other than potential confusion between sftp (which despite the name uses the SSH protocol and not FTP) and ftp, but having vsftpd listen on port 22 (the SSH port) is likely to cause problems, and may confuse clients and servers that expect port 22 to be used for SSH.[/quote]

Port 22 is standard to SFTP. I don't really have a reason to use a different port - unless I need SSH on the same IP address. Also, if I don't explicitly tell VSFTPD to listen on port 22, I can't connect to it. My assumption is that even though SSL is enabled, VSFTPD is bound to port 21 (based on what I am experiencing). Is this wrong?

[quote]What exactly is the issue with ssh chroot? I can't find any bugs referencing a problem with it failing to confine users to the chroot for CentOS-6.[/quote]

Unless something is just not configured properly (I am using Match criteria in sshd_config)... Logging in doesn't seem to properly chroot. A user logs in... starts in the home directory... but still has the ability to browse the entire file system ("cd /" doesn't lead to user's home directory - it leads to the root of the whole file system).

dass
Posts: 4
Joined: 2012/03/25 00:27:42

Re: VSFTPD - Cannot make a successful connection with SSL enabled!

Post by dass » 2012/03/27 04:43:56

Also, the chroot issues are with SSH, not VSFTP

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: VSFTPD - Cannot make a successful connection with SSL enabled!

Post by pschaff » 2012/03/27 11:43:23

[quote]
dass wrote:
...
Port 22 is standard to SFTP. I don't really have a reason to use a different port - unless I need SSH on the same IP address. Also, if I don't explicitly tell VSFTPD to listen on port 22, I can't connect to it. My assumption is that even though SSL is enabled, VSFTPD is bound to port 21 (based on what I am experiencing). Is this wrong?[/quote]
You are wrong in assuming that ssh-based [b]sftp[/b] can work with the [b]vsftpd[/b] FTP server, no matter what port is used. You [b][i]can[/i][/b] connect to [b]vsftpd[/b] on standard ports if you use an FTP client, which [b]sftp[/b] is not.
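As an added diagnostic (not part of the thread), the quickest way to settle which daemon actually answers on a port is to read its greeting: an SSH server opens with an "SSH-" identification string, while vsftpd, even with ssl_enable=YES (explicit FTPS, where TLS is negotiated later with AUTH TLS), greets in cleartext with a "220" reply; a server that stays silent is waiting for the client to speak first, as an implicit-TLS listener would. The host and port in the usage block are placeholders.

```python
import socket

def classify_banner(banner: bytes) -> str:
    """Classify a server's opening greeting as ssh, ftp, silent or unknown.

    Only the first line is inspected; FTP multi-line greetings use "220-".
    """
    line = banner.split(b"\n", 1)[0].strip()
    if not line:
        # Nothing sent in the clear: the server expects the client to start,
        # e.g. an implicit-TLS listener waiting for a ClientHello.
        return "silent"
    if line.startswith(b"SSH-"):
        # e.g. b"SSH-2.0-OpenSSH_5.3": this port speaks SSH, so sftp/scp apply.
        return "ssh"
    if line[:3].isdigit() and line[3:4] in (b" ", b"-"):
        # RFC 959 reply: three-digit code followed by space or dash.
        code = int(line[:3])
        if code == 220:
            # Service ready: plain FTP, or explicit FTPS (AUTH TLS comes next).
            return "ftp"
        return f"ftp-{code}"
    return "unknown"

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, read whatever the server volunteers, and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except socket.timeout:
            data = b""
    return classify_banner(data)

if __name__ == "__main__":
    # Placeholder target; replace with the server under investigation.
    print(probe("ftp.example.invalid", 21))
```

A result of "ssh" on the port an FTP client is pointed at, or "ftp" on the port an sftp client is pointed at, is the mismatch this thread describes.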
