VSFTPD - Cannot make a successful connection with SSL enabled!

Postby dass » 2012/03/25 00:44:58

Centos 6.2 / x86_64 / no firewall / not using inetd/xinetd

I have been all over the internet. So many people complaining about the same thing - but so few signs of hope.

Normal FTP works easy. But, with SSL enabled... I never get a successful connection. My client (tried with sftp and FileZilla) just hangs and the connection times out. I don't even get a chance to enter credentials.

If I let the client time out (it takes a few minutes) I get this:

Code:
ssh_exchange_identification: Connection closed by remote host
Couldn't read packet: Connection reset by peer


All I see in /var/log/vsftpd.log is:

Code:
Sat Mar 24 20:58:45 2012 [pid 2] CONNECT: Client "x.x.x.x"


I have tried building (2.3.5) with and without PAM. I have tried installing with yum (2.2.2). I have tried crossing my fingers and praying to many of my favourite Star Wars characters. I have even tried configuring VSFTPD ;)

Okay. Here is my /etc/vsftpd.conf - showing the absolute minimal settings required just to show some sign of VSFTPD responding:

Code:
listen=YES
listen_address=x.x.x.x
listen_port=22
local_enable=YES
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/xxx.pem


I have tried setting all sorts of other options, but without any different results. I've even tried turning on debug_ssl, but no helpful information shows up in the logs.

It's been 2 days. Can somebody please help?
dass
 
Posts: 4
Joined: 2012/03/25 00:27:42

Re: VSFTPD - Cannot make a successful connection with SSL enabled!

Postby TrevorH » 2012/03/25 02:22:48

The mention of ssh in the error message doesn't tell you that it isn't using vsftpd? :-) I think you'll find that sftp is handled by the openssh daemon and not by vsftpd at all.
TrevorH
Forum Moderator
 
Posts: 9075
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: VSFTPD - Cannot make a successful connection with SSL enabled!

Postby dass » 2012/03/25 02:39:35

VSFTPD is listening to x.x.x.82, while SSHD is listening to x.x.x.83. When I use sftp (part of the ssh package) that's when I get the "ssh..." error. If I use FileZilla I get "Error: Connection timed out / Could not connect to server".

Plus, I'm certain that it's VSFTPD that's listening since if I shut it down and try to connect the connection is instantly refused.

I'm really hoping somebody points out something really obvious - only so I can get this thing working.

I would use the sftpd that comes with ssh, but the chroot feature doesn't appear to actually work (it just starts the user off in the home directory without stopping them from performing cd /), and I really need that extra security.
dass
 
Posts: 4
Joined: 2012/03/25 00:27:42

VSFTPD - Cannot make a successful connection with SSL enable

Postby pschaff » 2012/03/25 13:26:24

I'm not sure exactly where the problem is, other than potential confusion between sftp (which despite the name uses the SSH protocol and not FTP) and ftp, but having vsftpd listen on port 22 (the SSH port) is likely to cause problems, and may confuse clients and servers that expect port 22 to be used for SSH.

Perhaps the Wiki vsftpd articles will be helpful.

What exactly is the issue with ssh chroot? I can't find any bugs referencing a problem with it failing to confine users to the chroot for CentOS-6. There is a forum thread about CentOS-5 issues here.
pschaff
Retired Moderator
 
Posts: 18277
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: VSFTPD - Cannot make a successful connection with SSL enabled!

Postby dass » 2012/03/27 04:36:52

pschaff wrote:
I'm not sure exactly where the problem is, other than potential confusion between sftp (which despite the name uses the SSH protocol and not FTP) and ftp, but having vsftpd listen on port 22 (the SSH port) is likely to cause problems, and may confuse clients and servers that expect port 22 to be used for SSH.

Port 22 is standard to SFTP. I don't really have a reason to use a different port - unless I need SSH on the same IP address. Also, if I don't explicitly tell VSFTPD to listen on port 22, I can't connect to it. My assumption is that even though SSL is enabled, VSFTPD is bound to port 21 (based on what I am experiencing). Is this wrong?

pschaff wrote:
What exactly is the issue with ssh chroot? I can't find any bugs referencing a problem with it failing to confine users to the chroot for CentOS-6.

Unless something is just not configured properly (I am using Match criteria in sshd_config)... Logging in doesn't seem to properly chroot. A user logs in... starts in the home directory... but still has the ability to browse the entire file system ("cd /" doesn't lead to user's home directory - it leads to the root of the whole file system).
dass
 
Posts: 4
Joined: 2012/03/25 00:27:42

Re: VSFTPD - Cannot make a successful connection with SSL enabled!

Postby dass » 2012/03/27 04:43:56

Also, the chroot issues are with SSH, not VSFTP
dass
 
Posts: 4
Joined: 2012/03/25 00:27:42

Re: VSFTPD - Cannot make a successful connection with SSL enabled!

Postby pschaff » 2012/03/27 11:43:23

dass wrote:
...
Port 22 is standard to SFTP. I don't really have a reason to use a different port - unless I need SSH on the same IP address. Also, if I don't explicitly tell VSFTPD to listen on port 22, I can't connect to it. My assumption is that even though SSL is enabled, VSFTPD is bound to port 21 (based on what I am experiencing). Is this wrong?

You are wrong in assuming that ssh-based sftp can work with the vsftpd FTP server, no matter what port is used. You can connect to vsftpd on standard ports if you use an FTP client, which sftp is not.
pschaff
Retired Moderator
 
Posts: 18277
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
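
Added example, not part of the thread: a small Python check for the sftp-versus-FTP distinction made above, classifying a listener by the first bytes it sends (an SSH identification string versus an FTP reply code) and checking an FTP FEAT reply for AUTH TLS. The banners and FEAT reply are constructed samples, and the function names are hypothetical; `probe()` only reads the greeting from a host you administer.

```python
import re
import socket

SSH_ID = re.compile(rb"^SSH-\d+\.\d+-\S+")   # RFC 4253 identification string
FTP_REPLY = re.compile(rb"^[1-5]\d\d[ -]")    # RFC 959 three-digit reply code

# Constructed samples (not captured from the poster's server).
SAMPLE_SSH = b"SSH-2.0-OpenSSH_5.3\r\n"
SAMPLE_FTP = b"220 (vsFTPd 2.2.2)\r\n"
SAMPLE_FEAT = b"211-Features:\r\n AUTH SSL\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n211 End\r\n"


def classify_greeting(data: bytes) -> str:
    """Name the protocol a listener speaks from the first bytes it sends."""
    if not data:
        return "silent"      # server waits for the client to speak first
    if SSH_ID.match(data):
        return "ssh"         # sftp and scp clients talk to this
    if FTP_REPLY.match(data):
        return "ftp"         # FTP clients talk to this, whatever the port
    return "unknown"


def offers_auth_tls(feat_reply: bytes) -> bool:
    """True if an FTP FEAT reply (RFC 2389) lists AUTH TLS (RFC 4217)."""
    features = {line.strip().upper()
                for line in feat_reply.split(b"\r\n") if line.startswith(b" ")}
    return b"AUTH TLS" in features


def suggest_client(kind: str) -> str:
    """Map the detected protocol to the client family that can use it."""
    return {
        "ssh": "sftp/scp (SSH file transfer)",
        "ftp": "FTP client; use explicit FTP over TLS if FEAT lists AUTH TLS",
    }.get(kind, "no match; check the port, a firewall, or implicit TLS")


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, read the unprompted greeting, and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            first = sock.recv(256)
        except socket.timeout:
            first = b""
    return classify_greeting(first)


if __name__ == "__main__":
    for name, banner in (("ssh sample", SAMPLE_SSH), ("ftp sample", SAMPLE_FTP)):
        kind = classify_greeting(banner)
        print(f"{name}: {kind} -> {suggest_client(kind)}")
    print("FEAT lists AUTH TLS:", offers_auth_tls(SAMPLE_FEAT))
```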

