Topic: Additional PassivePorts in /etc/proftpd.conf

[Pepino]

Hi

I have already set i my Koozali SME Server 10.1:

Code: [Select]

db configuration setprop ftp TCPPorts 44900:44950
Checked here:

Code: [Select]

config show ftp
ftp=service
    LoginAccess=public
    TCPPort=21
    TCPPorts=44900:44950
    TLSEnable=on
    TLSRequired=on
    TLSVerifyClient=off
    access=public
    status=enabled
but

Code: [Select]

signal-event remoteaccess-updateregenerate only firewall config (i check by iptables -nvL)

I had to add manually in /etc/proftpd.conf:

Code: [Select]

PassivePorts 44900 44950and after

Code: [Select]

systemctl restart ftp.serviceit's works, but as we all know it will be overwritten at the next configuration (re)generation.
How to add it permanently and according to the rules?

By the way, it's strange that there is nothing about it in the koozali documentation about that passive connections with tls from the ftp client (which has a private address) to the sme server (which is available on a public address), requires additional ports for the data transfer.
Without them, the client will establish a connection, it will authorized but it will not download or send anything or even display a list of remote files/directories.

I immediately ask how can I add in proftpd.conf

Code: [Select]

AuthPam off?

[Jean-Philippe Pialasse]

open a bug for each
- missing PassivePorts fragment
- missing PassivePorts documentation and tls explicit/implicit method and active vs passive mode

This is a complexe situation and there is not a one size fit all because it depends on if sme server is server-gateway or not and if directly connected to internet or also behind another level of NAT and it also depends on where the client is. 
The passive/ active mode has always been an issue to handle to have it working depending on the  network architecture, but tls adds the explicit vs implicit method. 



regarding authpam.  I am not sure why you would like to disable this.

[Pepino]

regarding authpam.  I am not sure why you would like to disable th

Because in the /var/log/proftpd/proftpd.log I see all the time:

Code: [Select]

Jan 23 10:35:25 cube proftpd: pam_env(ftp:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directoryalthough he exists and has the right permissions:

Code: [Select]

ls -al /etc/security/pam_env.conf
-rw-r--r--. 1 root root 2972 Apr  1  2020 /etc/security/pam_env.confAnother thing is that all his lines are commented out:

Code: [Select]

grep -v '#' -c /etc/security/pam_env.conf
0
As for PassivePort of course I will open a bug ticket.
I know that there are different scenarios, only the most popular one is that the server has a public ip address. The client may have it, but does not have to.
The exceptions are rather situations when:
a) the server is behind nat - then it will be even worse
b) the server is on the same network as the client eg in a small office (then ssl/tls is less critical).

P.S. explicit/implicit mode - these can be set on the client's side. The current default configuration of the sme server doesn't support unencrypted connections and there is no variable/definition of another listening port anywhere.

[Jean-Philippe Pialasse]

regarding authpam, this is just log noise and you need this to allow to auth your users. If you search this message on the internet you will see few trial to avoid this message but you will also loose the logout message in log.

[Pepino]

regarding authpam, this is just log noise and you need this to allow to auth your users. If you search this message on the internet you will see few trial to avoid this message but you will also loose the logout message in log.

It's not a noise, it's just a bug for over 10 years (since SME8).
https://bugs.koozali.org/show_bug.cgi?id=7129

[Jean-Philippe Pialasse]

what is the bug preventing you to do?

if nothing is not working as expected, then this is log noise not a bug.

and removing authentication availability to remove the log noise will create a bug. 

[Pepino]

Could you please explain me the content of /etc/e-smith/templates-custom/etc/proftpd.conf/05portPassive?

Code: [Select]

{
my $PassivePorts=$ftp{TcpPorts}||"49200:49999";
$PassivePorts=~ s/:/ /;
$PassivePorts="49200:49999" if (index(',', $PassivePorts) != -1);
$OUT= "PassivePorts             $PassivePorts\n";
}
1) we init a variable PassivePorts with value from config ftp TcpPorts. If value not exist we use a string "49200:49999"
2) it looks like a regular expression that replaces : with space. (sed-like syntax)
3) We redeclare PassivePorts if? ...and I don't understand here.
4) We Send to output line with "PassivePorts[tab][tab]49200 49999 [new line]";

Sorry to write about it here, but I guess it's better than cluttering up  the bug tracker.

[ReetP]

1) we init a variable PassivePorts with value from config ftp TcpPorts.

3) We redeclare PassivePorts if? ...and I don't understand here.

For 1, yes that's one way of retrieving db values. Have a good read on the wiki for more info (or PM me for a rocket account and talk to us directly)

2 I think yes.

Not sure about 4 but for 3 perl only needs you to declare once with 'my'.

After that you can modify as required without using 'my'.

JP will fill you in.

[Jean-Philippe Pialasse]

made a typo trying to prevent one
here is an alternative.  one could have also inverted lines 2 and 3

Code: [Select]

{
my $PassivePorts=$ftp{TcpPorts}||"49200:49999";
$PassivePorts=~ s/:/ /;
$PassivePorts="49200 49999" if (index(',', $PassivePorts) != -1);
$OUT= "PassivePorts             $PassivePorts\n";
}

1/ declare variable initializing it if empty
2/ replace : by space to make it compatible with the proftpd syntax
3/ if we have a coma in the string then we can not trust the content, and force the default. 


FYI TCPPorts could looks like
345:350,23,67,456:458,8900

[Jean-Philippe Pialasse]

for reference, the related bug with suggested bug/ workaround

https://bugs.koozali.org/show_bug.cgi?id=12454

[Pepino]

Thanks for explanation
In your last comment (nr 10) on bugtracker you lost ; (semicolon) at the end of the third line.
Without it there will be a syntax error.