Topic: Additional PassivePorts in /etc/proftpd.conf

[Pepino]

Hi

I have already set i my Koozali SME Server 10.1:

Code: [Select]

db configuration setprop ftp TCPPorts 44900:44950
Checked here:

Code: [Select]

config show ftp
ftp=service
    LoginAccess=public
    TCPPort=21
    TCPPorts=44900:44950
    TLSEnable=on
    TLSRequired=on
    TLSVerifyClient=off
    access=public
    status=enabled
but

Code: [Select]

signal-event remoteaccess-updateregenerate only firewall config (i check by iptables -nvL)

I had to add manually in /etc/proftpd.conf:

Code: [Select]

PassivePorts 44900 44950and after

Code: [Select]

systemctl restart ftp.serviceit's works, but as we all know it will be overwritten at the next configuration (re)generation.
How to add it permanently and according to the rules?

By the way, it's strange that there is nothing about it in the koozali documentation about that passive connections with tls from the ftp client (which has a private address) to the sme server (which is available on a public address), requires additional ports for the data transfer.
Without them, the client will establish a connection, it will authorized but it will not download or send anything or even display a list of remote files/directories.

I immediately ask how can I add in proftpd.conf

Code: [Select]

AuthPam off?

[Jean-Philippe Pialasse]

open a bug for each
- missing PassivePorts fragment
- missing PassivePorts documentation and tls explicit/implicit method and active vs passive mode

This is a complexe situation and there is not a one size fit all because it depends on if sme server is server-gateway or not and if directly connected to internet or also behind another level of NAT and it also depends on where the client is. 
The passive/ active mode has always been an issue to handle to have it working depending on the  network architecture, but tls adds the explicit vs implicit method. 



regarding authpam.  I am not sure why you would like to disable this.

[Pepino]

regarding authpam.  I am not sure why you would like to disable th

Because in the /var/log/proftpd/proftpd.log I see all the time:

Code: [Select]

Jan 23 10:35:25 cube proftpd: pam_env(ftp:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directoryalthough he exists and has the right permissions:

Code: [Select]

ls -al /etc/security/pam_env.conf
-rw-r--r--. 1 root root 2972 Apr  1  2020 /etc/security/pam_env.confAnother thing is that all his lines are commented out:

Code: [Select]

grep -v '#' -c /etc/security/pam_env.conf
0
As for PassivePort of course I will open a bug ticket.
I know that there are different scenarios, only the most popular one is that the server has a public ip address. The client may have it, but does not have to.
The exceptions are rather situations when:
a) the server is behind nat - then it will be even worse
b) the server is on the same network as the client eg in a small office (then ssl/tls is less critical).

P.S. explicit/implicit mode - these can be set on the client's side. The current default configuration of the sme server doesn't support unencrypted connections and there is no variable/definition of another listening port anywhere.

[Jean-Philippe Pialasse]

regarding authpam, this is just log noise and you need this to allow to auth your users. If you search this message on the internet you will see few trial to avoid this message but you will also loose the logout message in log.

[Pepino]

regarding authpam, this is just log noise and you need this to allow to auth your users. If you search this message on the internet you will see few trial to avoid this message but you will also loose the logout message in log.

It's not a noise, it's just a bug for over 10 years (since SME8).
https://bugs.koozali.org/show_bug.cgi?id=7129

[Jean-Philippe Pialasse]

what is the bug preventing you to do?

if nothing is not working as expected, then this is log noise not a bug.

and removing authentication availability to remove the log noise will create a bug.