
Re: Watch out! vsftpd anonymous access always enabled!



Greetings!

On Sat, 20 Sep 2003 12:47:21 +0200 Robert van der Meulen
<rvdm@debian.org> wrote:

> I was working on a newly-installed machine for a customer who requires
> an ftp server. After installing vsftpd (which I *had* good experience
> with), I noticed that the 'anonymous_enable' switch in
> /etc/vsftpd.conf, when set to 'NO' *does* allow anonymous access.
> Logging in using the 'anonymous' user does not work, logging in using
> the 'ftp' user *does* work.
> The 'ftp' user is listed in /etc/passwd and /etc/shadow, and has a
> disabled password on all machines where I tried this and saw it
> working. I was only able to test this with 1.2.0-2.
> 
> If anyone here is running vsftpd on a non-anonymous box, I'd make sure
> to check this too. In the case of this customer (who has pretty
> sensitive data on his box), this could have been quite a disaster. 

On Woody/stable I have version 1.0.0-2 and everything is fine here:


Sep 22 10:03:24 login vsftpd: PAM-listfile: Refused user anonymous for service ftp
Sep 22 10:03:24 login PAM_unix[30725]: auth could not identify password for [ftp]
Sep 22 10:03:43 login vsftpd: PAM-listfile: Refused user ftp for service ftp
Sep 22 10:03:43 login PAM_unix[30875]: auth could not identify password for [ftp]

--------------------------- /etc/vsftpd.conf - excerpt ---------------------------
# Allow anonymous FTP?
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES



Bye

Volker Tanger
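
Added example, not part of the message above and not vsftpd project code: a small Python check that reads a vsftpd.conf and a syslog excerpt and reports whether anonymous access is switched off and whether both login names tried in this thread ('anonymous' and 'ftp') show a pam_listfile refusal. The function names are hypothetical; the first sample is copied from the message, the second log is constructed to mirror the case where only 'anonymous' was refused.

```python
import re

# The two login names tried in the thread above.
ANON_ALIASES = ("anonymous", "ftp")
# Shape of the pam_listfile refusal lines quoted in the message above.
REFUSED = re.compile(r"vsftpd: PAM-listfile: Refused user (\S+) for service ftp")

def anonymous_enabled(conf_text):
    """Effective anonymous_enable value for the given vsftpd.conf text."""
    value = "YES"  # vsftpd's documented default when the option is absent
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue  # commented-out settings do not count
        key, _, val = line.partition("=")
        if key == "anonymous_enable":
            value = val.strip().upper()  # a later line overrides an earlier one
    return value in ("YES", "TRUE", "1")

def unrefused_aliases(log_text):
    """Anonymous aliases with no pam_listfile refusal recorded in the log."""
    refused = set(REFUSED.findall(log_text))
    return [name for name in ANON_ALIASES if name not in refused]

def audit(conf_text, log_text):
    """Combine both checks; an empty 'not_refused' list is the good case."""
    return {"anonymous_enabled": anonymous_enabled(conf_text),
            "not_refused": unrefused_aliases(log_text)}

# Copied from the message above.
SAMPLE_CONF = """# Allow anonymous FTP?
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
"""
SAMPLE_LOG = """\
Sep 22 10:03:24 login vsftpd: PAM-listfile: Refused user anonymous for service ftp
Sep 22 10:03:24 login PAM_unix[30725]: auth could not identify password for [ftp]
Sep 22 10:03:43 login vsftpd: PAM-listfile: Refused user ftp for service ftp
Sep 22 10:03:43 login PAM_unix[30875]: auth could not identify password for [ftp]
"""
# Constructed: only the 'anonymous' attempt shows a refusal.
PARTIAL_LOG = SAMPLE_LOG.splitlines()[0] + "\n"

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_LOG))
    print(audit(SAMPLE_CONF, PARTIAL_LOG))
```

A missing refusal line only means the log holds no evidence for that name, so both names have to be tried against the server before the log is checked.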


