[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Watch out! vsftpd anonymous access always enabled!

On Sun, Sep 21, 2003 at 10:40:40PM +0400, tokza wrote:
> 
> > > I was working on a newly-installed machine for a customer who requires an
> > > ftp server. After installing vsftpd (which i *had* good experience with),
> > > I noticed that the 'anonymous_enable' switch in /etc/vsftpd.conf, when
> > > set to 'NO' *does* allow anonymous access.
> > > Logging in using the 'anonymous' user does not work, logging in using the
> > > 'ftp' user *does* work.
> > > The 'ftp' user is listed in /etc/passwd and /etc/shadow, and has a
> > > disabled password on all machines where I tried this and saw it working.
> > > I was only able to test this with 1.2.0-2 .
> 
> 
> What are you talking about?
> This is my box running fbsd 4-stable, vsftpd-1.2.0, anonymous access disabled:
> (take no look at the banner string, this is just kidding :)
> 
> 22:36:32:toxa $ ftp toxa.lan
> Trying 192.168.2.1...
> Connected to toxa.lan.
> 220  toxadomain Microsoft FTP Service (Version 5.0) 
> Name (toxa.lan:toxa): ftp
> 530 Permission denied.
> ftp: Login failed.
> ftp> quit
> 221 Goodbye.
> 22:36:39:toxa $
> 
> I use vsftpd.user_list with users allowed to acces to my box, ofcourse there's 
> no 'ftp' user in it.

If that's built for FreeBSD then it probably doesn't use PAM.  This is
a bug in the Debian PAM configuration.

-- 
Daniel Jacobowitz
MontaVista Software                         Debian GNU/Linux Developer
Reply to: