PureFTPd every auth fails on new DA server

WholesaleDialup

WholesaleDialup

Verified User
Joined
Sep 25, 2004
Messages
179
Location
San Antonio, TX
I have had several DA servers over the years and I just setup two new DA server running CentOS 6.4 I think after a yum update it's now 6.5.

Of the two new servers I setup one allows PureFTPD logins and the other denies everything saying it's a bad password, it's NOT..

I have changed the password on an account for example, selected to also change the main FTP account and DA account, then logged into DA successfully with the new password. I then try to login using FileZilla FTP client and I constantly get:

Command: PASS *******
Response: 530 Login authentication failed
Error: Critical error
Error: Could not connect to server


In the message log on the server I get:
Jan 11 03:43:31 myhost pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [myuid]
Jan 11 03:43:31 myhost pure-ftpd: ([email protected]) [INFO] Logout.

I have changed the hostname, IP and username to protect the innocent :)

Nothing else in the log file (messages or proftpd.log).

Kind of confused as to why one server setup the same way with PureFTP as the default works and the second does not, setup the same way within a few days of each other.

Any ideas on what I can try to "Gently" fix this as I already have some important stuff hosted on this server?

I hadn't tried FTP for my own use because I use SFTP exclusively for my own connections, FTP is for my customers. I tested today after moving a customer domain over just to find out it's hosed. I need to get it back up before my customer tries to login via FTP and finds out it's broke :-( Yeah, I know.. I should have tested FTP before moving the domain over.. ***Moves to the front of the line for his Dunce Hat***

Thanks in advance for any help on this one.
 
Hello,

A few things to try:
1) Test locally to see if that works:
Code: 
curl ftp://1.2.3.4:21/.shadow -u 'username:password' -O
where you'd repalce 1.2.3.4 with your server IP... .shadow with a filename (if you want to test with something else), and username:password accordingly.

2) Check /etc/proftpd.passwd for that account.
- ensure the home path set there exists
- ensure the path is chowned to the user
- the uid/gid values on that line should be that of the user.
- test the password crypt to ensure it's correct: http://help.directadmin.com/item.php?id=288

3) Try rebuilding the pure-ftpd database:
Code: 
/usr/bin/pure-pw mkdb /etc/pureftpd.pdb -f /etc/proftpd.passwd
4) One confusion is that pure-ftpd has a 95% full disk limit..meaning if you disk is full, or getting full, it won't let you do anything.
Check your disk:
Code: 
df -h
5) Beyond that, check /var/log/messages and /var/log/pureftpd.log

John
 
curl ftp://1.2.3.4:21/.shadow -u 'username:password' -O
Click to expand...

Using my servers external IP and 127.0.0.1 both result in:
curl: (67) Access denied: 530

2) Check /etc/proftpd.passwd for that account.
Click to expand...

It's there.

- ensure the home path set there exists
Click to expand...

Yes it does

- ensure the path is chowned to the user
Click to expand...

It is

- the uid/gid values on that line should be that of the user.
Click to expand...

The user is set to the correct user for that account but the group is set to "access" but this is the same on both the new working DA system and the one that doesn't. All accounts have a group of "access" set for their home dir. Is this not correct?

- test the password crypt to ensure it's correct: http://help.directadmin.com/item.php?id=288
Click to expand...

Tested and it's correct.

3) Try rebuilding the pure-ftpd database:
Click to expand...

This fixed my issue and I appreciate your help. I am curious though, why this happened in the first place. I didn't mess with the FTP configs in any way shape or form.. I just ran the DA installer :) Same on other machine and no problems. Wondering what happened on this system that caused the problem.

I only added like 3 accounts to this server.

Was even stranger is that the /etc/proftpd.passwd didn't look much different to me, before or after the rebuild but I couldn't be 100% certain.

Even the crypt for the account I was testing with appeared to be the same.

Thanks again and I will sleep better if I know how or why this happen but I will live if not. Thanks again.
 
@John

I just encountered the same issue with PureFTPD on a fresh installation. Rebuilding the database worked, but there definitely appears to be a bug of some kind here.
The task queue is processed normally.
 
A bit of an old thread, but what login didn't work.. was it a system account or something else?
Note the admin account doesn't have an ftp account unless you create a domain at the User Level.

John
 
DirectAdmin Support said:
A bit of an old thread, but what login didn't work.. was it a system account or something else?
Note the admin account doesn't have an ftp account unless you create a domain at the User Level.

John
Click to expand...

Thanks for the quick reply. Indeed it's admin I'm having issues with, and there is no domain currently associated with it.
The strange thing is that, some connection attempts do actually succeed, but at other times fail. I can't really explain this.
In addition, the database really was corrupt initially as this issue was also present for a user specific account.
 
For a couple of days now I've been trying to fix a similar issue. I did notice that after changing a user's password (not a virtual user in this case) there's no update to the /etc/pureftpd.pdb file (which I didn't expect anyway, because it's an actual user, not a virtual one). But no matter what I do, I keep getting

Code: 
Jul 11 08:21:56 apache pure-ftpd: (?@some ip address) [WARNING] Authentication failed for user [username]

I've added a virtual ftp for this specific user, but the error stays the same. The virtual user is indeed added to /etc/pureftpd.pdb though, but still, no login.

I've tried rebuilding pure-ftpd, I've tried all the fixes in the threads I could find (even the one from 2008), all to no avail. I even added '/bin/false' to /etc/shells (was surprised to not see it in there though).
 
Last edited:
Pure-ftpd *only* uses the /etc/pureftpd.pdb file.
It's built based on the /etc/proftpd.passwd after any change, so:
1) Ensure your User and password are setup in /etc/proftpd.passwd
2) You can manually rebuild the pureftpd.pdb with the command
Code: 
/usr/bin/pure-pw mkdb /etc/pureftpd.pdb -f /etc/proftpd.passwd
John
 
John,

The user is added to /etc/proftpd.passwd and I've ran the rebuild command more times then I can count. Still error 530.
 
If you're stilling getting
Code: 
[WARNING] Authentication failed for user [username]
in the logs, then it's either a wrong password, or a permission issue with the uid.

I'd recommend manually checking the crypt:
https://help.directadmin.com/item.php?id=288

You could just add "--verboselog" to the startup options.
Related guide, but use "--verboselog" instead of "--bind 21".
Then check the /var/log/messages log again to see if it shows anything else.

Last step is to run it in full debug mode in the foreground console, which would give the exact message.

John
 
I tried everything and it didn't work. Out of desperation I decided to do a "passwd username". That helped. :/
 
Ok, I'm then not convinced this is a DA ftp daemon.. or at least not the DA configs.

If you have:
/etc/pure-ftpd.conf

ensure you see:
PureDB /etc/pureftpd.pdb

and we want to see:
# PAMAuthentication yes

where the # character means it's commented out/disabled.

Else, the boot options are in:
/etc/init.d/pure-ftpd

eg:
Code: 
LOG=/var/log/pureftpd.log
DB=/etc/pureftpd.pdb
OPTIONS="-B -A -C 4 -E -H -k 95 -L 10000:8 -O stats:${LOG} -l puredb:${DB} -p 35000:35999 -u 100 -U 133:022 -w -Z"
OPTIONS="${OPTIONS} -Y 1 -J -S:HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3"
OPTIONS="${OPTIONS} -S 21"

John
 
You must log in or register to reply here.
Back
Top