proftp-user — User support list for ProFTPD

Re: [Proftpd-user] Proftpd AuthGroupFile

[Steven D. <Ste...@in...>]

Hello TJ,

Many thanks for your quick and sound reply !

If I read it correctly, the only option that I have is to recompile the current version.

The only (official) available version for RHEL 8.10 (via EPEL) is version 1.3.6e-7, in which I don't think the issue that I described is fixed...
https://pkgs.org/download/proftpd
https://www.rpmfind.net/linux/rpm2html/search.php?query=proftpd&submit=Search+...&system=&arch=

Luckily we have a test system where I could perform the recompilation, before bringing it into production.

Thanks again for pointing me in the right direction !

Best regards,
Steven Driesmans


Sensitivity: Company
-----Original Message-----
From: TJ Saunders <tj...@ca...>
Sent: Saturday, September 7, 2024 5:32 PM
To: ProFTPD Users <pro...@li...>; pro...@pr...
Cc: Steven Driesmans <Steven.Driesmans@inetum-realdolmen.world>
Subject: Re: [Proftpd-user] Proftpd AuthGroupFile

== EXTERNAL MAIL == This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.


> A virtual groups file (AuthGroupFile definition inside the proftpd
> config file underneath /etc/proftpd/conf.d) has one group that
> contains
> 64 or more virtual users.
>
> Some time ago, adding a new virtual user to that specific group lead
> to the following error message inside the sftp logfile:
>
> Jul 10 12:54:28 <hostname> proftpd[1176232]: session[1176232]
> <IP-address> (<IP-address>[<IP-address>]): Malformed entry in
> AuthGroupFile file (line 85) Jul 10 12:54:28 <hostname>
> proftpd[1176232]: session[1176232] <hostname>
> (<IP-address>[<IP-address>]): Malformed entry in AuthGroupFile file
> (line 170) Jul 10 12:54:28 <hostname> proftpd[1176232]: realloc():
> invalid next size

The handling of these AuthUserFile, AuthGroupFiles has changed over time.  In particular, ProFTPD _might_ use some functions in the C library for reading these files -- depending on the platform; otherwise, it would use its own internal functions.  Either way, there is a fixed buffer that is used for reading a single line of text; it is possible that your current AuthGroupFile has a line of text that is longer than that fixed buffer size.  If the line of text is longer than the buffer, then ProFTPD will not read the entire line; it will be truncated.  Which, in turn, can lead to "malformed syntax" sorts of parse errors.

In the cases where ProFTPD uses its own internal functions for handling these auth files, that fixed buffer size is 1024 characters:

  https://github.com/proftpd/proftpd/blob/master/include/options.h#L84

That buffer size can be changed, but only at compile-time, using the --enable-tunable-buffer-size configure option.

I should also point out that the use of C library functions, vs internal functions, did change in ProFTPD versions newer than yours; see:

  https://github.com/proftpd/proftpd/issues/1134

> Jul 10 12:54:28 <hostname> proftpd[1176232]: realloc(): invalid next
> size

This particular log message looks like a related, but slightly different issue:

  https://github.com/proftpd/proftpd/issues/1321

Hope this helps,
TJ

Re: [Proftpd-user] Proftpd AuthGroupFile

[TJ S. <tj...@ca...>]

> A virtual groups file (AuthGroupFile definition inside the proftpd 
> config file underneath /etc/proftpd/conf.d) has one group that contains 
> 64 or more virtual users.
> 
> Some time ago, adding a new virtual user to that specific group lead to 
> the following error message inside the sftp logfile:
> 
> Jul 10 12:54:28 <hostname> proftpd[1176232]: session[1176232] 
> <IP-address> (<IP-address>[<IP-address>]): Malformed entry in 
> AuthGroupFile file (line 85)
> Jul 10 12:54:28 <hostname> proftpd[1176232]: session[1176232] 
> <hostname> (<IP-address>[<IP-address>]): Malformed entry in 
> AuthGroupFile file (line 170)
> Jul 10 12:54:28 <hostname> proftpd[1176232]: realloc(): invalid next 
> size

The handling of these AuthUserFile, AuthGroupFiles has changed over time.  In particular, ProFTPD _might_ use some functions in the C library for reading these files -- depending on the platform; otherwise, it would use its own internal functions.  Either way, there is a fixed buffer that is used for reading a single line of text; it is possible that your current AuthGroupFile has a line of text that is longer than that fixed buffer size.  If the line of text is longer than the buffer, then ProFTPD will not read the entire line; it will be truncated.  Which, in turn, can lead to "malformed syntax" sorts of parse errors.

In the cases where ProFTPD uses its own internal functions for handling these auth files, that fixed buffer size is 1024 characters:

  https://github.com/proftpd/proftpd/blob/master/include/options.h#L84

That buffer size can be changed, but only at compile-time, using the --enable-tunable-buffer-size configure option.

I should also point out that the use of C library functions, vs internal functions, did change in ProFTPD versions newer than yours; see:

  https://github.com/proftpd/proftpd/issues/1134

> Jul 10 12:54:28 <hostname> proftpd[1176232]: realloc(): invalid next 
> size

This particular log message looks like a related, but slightly different issue:

  https://github.com/proftpd/proftpd/issues/1321

Hope this helps,
TJ

[Proftpd-user] Proftpd AuthGroupFile

[Steven D. <Ste...@in...>]

Dear all,

A virtual groups file (AuthGroupFile definition inside the proftpd config file underneath /etc/proftpd/conf.d) has one group that contains 64 or more virtual users.

Some time ago, adding a new virtual user to that specific group lead to the following error message inside the sftp logfile:

Jul 10 12:54:28 <hostname> proftpd[1176232]: session[1176232] <IP-address> (<IP-address>[<IP-address>]): Malformed entry in AuthGroupFile file (line 85)
Jul 10 12:54:28 <hostname> proftpd[1176232]: session[1176232] <hostname> (<IP-address>[<IP-address>]): Malformed entry in AuthGroupFile file (line 170)
Jul 10 12:54:28 <hostname> proftpd[1176232]: realloc(): invalid next size


  *   I scrambled the original hostname and IP-addresses from the logs
  *   There are only 84 lines in the AuthGroupFile !
[root@<hostname> conf.d]#

wc -l <sftp-fqdn>.groups

84 sftp.dewatergroep.be.groups
[root@<hostname> conf.d]#

Info on link https://fossies.org/linux/proftpd/doc/howto/LogMessages.html talks about the most common cause for this :

"Malformed entry in AuthUserFile/AuthGroupFile"
The configured AuthUserFile/AuthGroupFile<https://fossies.org/linux/proftpd/doc/howto/AuthFiles.html> has a line which is not in the necessary format. The most common cause for this is when one of the file fields is missing, or if there an extra colon (':') character in a field (e.g. in the name field).

I already looked inside the AuthUsersFile to check if the specific user(s) have a malformed entry, which is not the case.
Also nothing special or abnormal to be seen or found in the AuthGroupFile.
Moving the specific virtual user more to the beginning of the specific virtual group does work, so some sort of limitation must be in place somewhere...

Current version of OS : RHEL 8.10
Current version of proftpd : 1.3.6e

It looks like there's a limit of maximum characters or users for one virtual group, but I cannot find any info about this...

[root@<hostname> conf.d]# grep -v ^# <sftp-fqdn>.groups | grep svc | awk -F":" '{print $4}' | wc -c
1067
[root@<hostname> conf.d]#
[root@<hostname> conf.d]# grep -v ^# <sftp-fqdn>.groups | grep svc | awk -F":" '{print $4}' | tr -s "," " " |wc -w
64
[root@<hostname> conf.d]#

Anybody that can help me out or point me in the right direction ?

Best regards,
Steven Driesmans


Sensitivity: Company

[Proftpd-user] Proftpd AuthGroupFile

[Steven D. <Ste...@in...>]

Dear all,

A virtual groups file (AuthGroupFile definition inside the proftpd config file underneath /etc/proftpd/conf.d) has one group that contains 64 or more virtual users.

Some time ago, adding a new virtual user to that specific group lead to the following error message inside the sftp logfile:

Jul 10 12:54:28 <hostname> proftpd[1176232]: session[1176232] <IP-address> (<IP-address>[<IP-address>]): Malformed entry in AuthGroupFile file (line 85)
Jul 10 12:54:28 <hostname> proftpd[1176232]: session[1176232] <hostname> (<IP-address>[<IP-address>]): Malformed entry in AuthGroupFile file (line 170)
Jul 10 12:54:28 <hostname> proftpd[1176232]: realloc(): invalid next size


  *   I scrambled the original hostname and IP-addresses from the logs
  *   There are only 84 lines in the AuthGroupFile !
[root@<hostname> conf.d]#

wc -l <sftp-fqdn>.groups

84 sftp.dewatergroep.be.groups
[root@<hostname> conf.d]#

Info on link https://fossies.org/linux/proftpd/doc/howto/LogMessages.html talks about the most common cause for this :

"Malformed entry in AuthUserFile/AuthGroupFile"
The configured AuthUserFile/AuthGroupFile<https://fossies.org/linux/proftpd/doc/howto/AuthFiles.html> has a line which is not in the necessary format. The most common cause for this is when one of the file fields is missing, or if there an extra colon (':') character in a field (e.g. in the name field).

I already looked inside the AuthUsersFile to check if the specific user(s) have a malformed entry, which is not the case.
Also nothing special or abnormal to be seen or found in the AuthGroupFile.
Moving the specific virtual user more to the beginning of the specific virtual group does work, so some sort of limitation must be in place somewhere...

Current version of OS : RHEL 8.10
Current version of proftpd : 1.3.6e

It looks like there's a limit of maximum characters or users for one virtual group, but I cannot find any info about this...

[root@<hostname> conf.d]# grep -v ^# <sftp-fqdn>.groups | grep svc | awk -F":" '{print $4}' | wc -c
1067
[root@<hostname> conf.d]#
[root@<hostname> conf.d]# grep -v ^# <sftp-fqdn>.groups | grep svc | awk -F":" '{print $4}' | tr -s "," " " |wc -w
64
[root@<hostname> conf.d]#

Anybody that can help me out or point me in the right direction ?

Best regards,
Steven Driesmans




Sensitivity: Company

Re: [Proftpd-user] Mac algorithm for sftp

[TJ S. <tj...@ca...>]

> How do I configure MAC algorithm for sftp?

The SFTPDigests configuration directive can be used for this; see:

  http://www.proftpd.org/docs/contrib/mod_sftp.html#SFTPDigests

Cheers,
TJ

[Proftpd-user] Mac algorithm for sftp

[Lists <li...@se...>]

Please excuse my ignorance, getting deep into this configuration.

How do I configure MAC algorithm for sftp?

Geoffrey Myers

Re: [Proftpd-user] Sftpcipher directive

[Chris Y. <mr...@gm...>]

I don't use root when I run nmap
nmap -Pn --script ssh2-enum-algos -p 22 my.sftp.server

Root is only necessary if you're doing silly things with raw sockets.
Checking an sftp server for supported algos is basic tcp stuff.
No root required.

On Mon, Aug 12, 2024 at 12:28 PM Geoffrey Myers <li...@se...>
wrote:

> thanks Chris,
>
> If I recall correctly, map requires root access?  I don’t have root
> access.  Is there any way to determine the altos/ciphers supported by
> proftpd that does not require root access?
>
>
> On Aug 2, 2024, at 10:38 PM, Chris Young <mr...@gm...> wrote:
>
> to "visualize" the enabled ciphers for your server, install nmap, and from
> a command line, you can run
>
> ## check for ssh/sftp algos
> nmap -Pn --script ssh2-enum-algos -p 22 SFTP.HOST.WHATEVER
>
> ## check for ssl/tls ciphers
> nmap --script ssl-enum-ciphers -p 443 WWW.HOST.WHATEVER
>
> if your machine is running openssl v3+, you'll get an accurate map of the
> enable key exchange and encryption algorithms.
>
> .. pretty sure ssh will show accurate, even for openssl v1, but modern tls
> ciphers will only show if you have openssl v3+
>
>
> On Fri, Aug 2, 2024 at 1:36 PM TJ Saunders <tj...@ca...> wrote:
>
>> > TJ, thanks.  Quick question.  I’m a bit confused.  As I referenced ssh
>> > you mentioned  openssl. Does ssh use OpenSSL? I would expect openssh.
>>
>> The mod_sftp module for ProFTPD implements the SSH and SFTP protocols
>> using the OpenSSL library for the necessary cryptographic support.  It does
>> not use the OpenSSH implementations in any way.  In fact, mod_sftp
>> implements some parts of the SFTP protocol that OpenSSH does not implement.
>>
>> Cheers,
>> TJ
>>
>>
>> _______________________________________________
>> ProFTPD Users List   <pro...@pr...>
>> Unsubscribe problems?
>> http://www.proftpd.org/list-unsub.html
>
> _______________________________________________
> ProFTPD Users List   <pro...@pr...>
> Unsubscribe problems?
> http://www.proftpd.org/list-unsub.html
>
>
> --
> Until later, Geof
>
>
>
> _______________________________________________
> ProFTPD Users List   <pro...@pr...>
> Unsubscribe problems?
> http://www.proftpd.org/list-unsub.html

Re: [Proftpd-user] excluding certain sftpkeyexchanges

[TJ S. <tj...@ca...>]

> *In general, there is no need to use this directive unless only one 
> specific key exchange algorithm must be used.*
>
> If I want to exclude a particular algo, is the only solution to specify 
> only the algos you want?

Yes, if you want to omit/exclude a particular key exchange algorithm, you have to explicitly list all the other algorithms that you want to enable.

> Is there an option to do something like:
>
> STPKeyExchanges ! algoNotWanted

Not currently, no.

Cheers,
TJ

[Proftpd-user] excluding certain sftpkeyexchanges

[Geoffrey M. <li...@se...>]

In the docs for sftpkeyexchanges it states:

In general, there is no need to use this directive unless only one specific key exchange algorithm must be used.

If I want to exclude a particular algo, is the only solution to specify only the algos you want?  Is there an option to do something like:

STPKeyExchanges ! algoNotWanted

Thanks

--
Until later, Geof

Re: [Proftpd-user] Sftpcipher directive

[Geoffrey M. <li...@se...>]

thanks Chris,

If I recall correctly, map requires root access?  I don’t have root access.  Is there any way to determine the altos/ciphers supported by proftpd that does not require root access?


> On Aug 2, 2024, at 10:38 PM, Chris Young <mr...@gm...> wrote:
> 
> to "visualize" the enabled ciphers for your server, install nmap, and from a command line, you can run
> 
> ## check for ssh/sftp algos
> nmap -Pn --script ssh2-enum-algos -p 22 SFTP.HOST.WHATEVER
> 
> ## check for ssl/tls ciphers
> nmap --script ssl-enum-ciphers -p 443 WWW.HOST.WHATEVER
> 
> if your machine is running openssl v3+, you'll get an accurate map of the enable key exchange and encryption algorithms.
> 
> .. pretty sure ssh will show accurate, even for openssl v1, but modern tls ciphers will only show if you have openssl v3+
> 
> 
> On Fri, Aug 2, 2024 at 1:36 PM TJ Saunders <tj...@ca... <mailto:tj...@ca...>> wrote:
> > TJ, thanks.  Quick question.  I’m a bit confused.  As I referenced ssh 
> > you mentioned  openssl. Does ssh use OpenSSL? I would expect openssh. 
> 
> The mod_sftp module for ProFTPD implements the SSH and SFTP protocols using the OpenSSL library for the necessary cryptographic support.  It does not use the OpenSSH implementations in any way.  In fact, mod_sftp implements some parts of the SFTP protocol that OpenSSH does not implement.
> 
> Cheers,
> TJ
> 
> 
> _______________________________________________
> ProFTPD Users List   <pro...@pr... <mailto:pro...@pr...>>
> Unsubscribe problems?
> http://www.proftpd.org/list-unsub.html <http://www.proftpd.org/list-unsub.html>_______________________________________________
> ProFTPD Users List   <pro...@pr...>
> Unsubscribe problems?
> http://www.proftpd.org/list-unsub.html

--
Until later, Geof

Re: [Proftpd-user] Sftpcipher directive

[Chris Y. <mr...@gm...>]

to "visualize" the enabled ciphers for your server, install nmap, and from
a command line, you can run

## check for ssh/sftp algos
nmap -Pn --script ssh2-enum-algos -p 22 SFTP.HOST.WHATEVER

## check for ssl/tls ciphers
nmap --script ssl-enum-ciphers -p 443 WWW.HOST.WHATEVER

if your machine is running openssl v3+, you'll get an accurate map of the
enable key exchange and encryption algorithms.

.. pretty sure ssh will show accurate, even for openssl v1, but modern tls
ciphers will only show if you have openssl v3+


On Fri, Aug 2, 2024 at 1:36 PM TJ Saunders <tj...@ca...> wrote:

> > TJ, thanks.  Quick question.  I’m a bit confused.  As I referenced ssh
> > you mentioned  openssl. Does ssh use OpenSSL? I would expect openssh.
>
> The mod_sftp module for ProFTPD implements the SSH and SFTP protocols
> using the OpenSSL library for the necessary cryptographic support.  It does
> not use the OpenSSH implementations in any way.  In fact, mod_sftp
> implements some parts of the SFTP protocol that OpenSSH does not implement.
>
> Cheers,
> TJ
>
>
> _______________________________________________
> ProFTPD Users List   <pro...@pr...>
> Unsubscribe problems?
> http://www.proftpd.org/list-unsub.html

Re: [Proftpd-user] Sftpcipher directive

[TJ S. <tj...@ca...>]

> TJ, thanks.  Quick question.  I’m a bit confused.  As I referenced ssh 
> you mentioned  openssl. Does ssh use OpenSSL? I would expect openssh. 

The mod_sftp module for ProFTPD implements the SSH and SFTP protocols using the OpenSSL library for the necessary cryptographic support.  It does not use the OpenSSH implementations in any way.  In fact, mod_sftp implements some parts of the SFTP protocol that OpenSSH does not implement.

Cheers,
TJ

Re: [Proftpd-user] Sftpcipher directive

[Lists <li...@se...>]

TJ, thanks.  Quick question.  I’m a bit confused.  As I referenced ssh you mentioned  openssl. Does ssh use OpenSSL? I would expect openssh. 

Geoffrey Myers

> On Aug 2, 2024, at 1:34 PM, Matus UHLAR - fantomas <uh...@fa...> wrote:
> 
> On 02.08.24 11:53, Geoffrey Myers wrote:
>> If I don’t use the SFTPCipher directive what cipher will it use? I see in the docs: In general, there is no need to use this directive unless only one specific cipher must be used.
> 
> http://www.proftpd.org/docs/contrib/mod_sftp.html#SFTPCiphers
> 
> By default, all of the above cipher algorithms are presented to the client, in the above order, during the key exchange.
> 
> --
> Matus UHLAR - fantomas, uh...@fa... ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> If Barbie is so popular, why do you have to buy her friends?
> 
> 
> _______________________________________________
> ProFTPD Users List   <pro...@pr...>
> Unsubscribe problems?
> http://www.proftpd.org/list-unsub.html

Re: [Proftpd-user] Sftpcipher directive

[Matus U. - f. <uh...@fa...>]

On 02.08.24 11:53, Geoffrey Myers wrote:
>If I don’t use the SFTPCipher directive what cipher will it use? I see in the docs: In general, there is no need to use this directive unless only one specific cipher must be used.

http://www.proftpd.org/docs/contrib/mod_sftp.html#SFTPCiphers

  By default, all of the above cipher algorithms are presented to the client, in the above order, during the key exchange. 


-- 
Matus UHLAR - fantomas, uh...@fa... ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends?

Re: [Proftpd-user] Sftpcipher directive

[TJ S. <tj...@ca...>]

> If I don’t use the SFTPCipher directive what cipher will it use? I see 
> in the docs: In general, there is no need to use this directive unless 
> only one specific cipher must be used. 

The actual cipher algorithm used for a given SFTP session is negotiated by the client and server; each side presents its preferred list of algorithms (such as the list configured by the SFTPCiphers directive) to the other, and they use the same rules to find a matching algorithm in both lists.

If the SFTPCiphers directive is not used, then the list of cipher algorithms presented by mod_sftp is as documented:

  http://www.proftpd.org/docs/contrib/mod_sftp.html#SFTPCiphers

Note that the presence of some algorithms, in that list, depend on the version of OpenSSL being used, and the presence/absence of particular algorithms in that build of OpenSSL.

Hope this helps!
TJ

[Proftpd-user] Sftpcipher directive

[Geoffrey M. <li...@se...>]

If I don’t use the SFTPCipher directive what cipher will it use? I see in the docs: In general, there is no need to use this directive unless only one specific cipher must be used. 

--
Until later, Geof

[Proftpd-user] Sftpcipher directive

[Geoffrey M. <geo...@gm...>]

If I don’t use the SFTPCipher directive what cipher will it use? I see in the docs: In general, there is no need to use this directive unless only one specific cipher must be used. 

Thanks,

Geoffrey Myers

Re: [Proftpd-user] mod_delay

[Preuße, H. <hi...@we...>]

On 20.07.2024 03:07, Mark Grimes wrote:

Hi,

> I don't have any other modules that I can think of.  I'll contact you if 
> our requirements change.
> Including mod_delay would be very much appreciated.
> 

hille@rasppi2:~/devel/proftp/aaa_git $ dpkg-deb -c 
proftpd-core_1.3.8.b+dfsg-3_arm64.deb|grep mod_del
-rw-r--r-- root/root     68360 2024-05-22 09:12 
./usr/lib/proftpd/mod_delay.so

I'll release it with rev. -3.

Hilmar

Re: [Proftpd-user] Ubuntu 24.04 mod_tls.o seg fault?

[Roberto B. <rob...@pr...>]

uhm ... I have recompiled the package with the patch pointed to by TJ: the
situation is unchanged :/


Il giorno mer 22 mag 2024 alle ore 04:14 Brad Knorr <br...@kn...>
ha scritto:

> I have no idea if this means anything, but I was trying to use 24.04 and
> containerd/runc and app armour has broken this application. Just thought I
> would throw this out there. Sorry if I am way off base.
>
> Brad
>
> -----Original Message-----
> From: TJ Saunders <tj...@ca...>
> Sent: Tuesday, May 21, 2024 5:08 PM
> To: ProFTPD Users <pro...@li...>
> Subject: Re: [Proftpd-user] Ubuntu 24.04 mod_tls.o seg fault?
>
>
> > I am trying to configure proftpd for using ftps under Ubuntu 24.04
> > running in a virtual machine (VirtualBox, in a NAT Network).
>
> Can you provide the output from `proftpd -V`?  In particular, I'm
> wondering if you are running into this issue:
>
>   https://github.com/proftpd/proftpd/issues/1770
>
> Cheers,
> TJ
>
>
> _______________________________________________
> ProFTPD Users List   <pro...@pr...>
> Unsubscribe problems?
> http://www.proftpd.org/list-unsub.html
>
>
> _______________________________________________
> ProFTPD Users List   <pro...@pr...>
> Unsubscribe problems?
> http://www.proftpd.org/list-unsub.html
>


-- 

Roberto Brunelli

PROVINCIA AUTONOMA DI TRENTO

Agenzia provinciale per le risorse idriche e l'energia APRIE - PAT



IT - Piazza Fiera - 38122 Trento

T.  +39 0461 497358
¯¯¯¯

-- 

Re: [Proftpd-user] Ubuntu 24.04 mod_tls.o seg fault?

[Roberto B. <rob...@pr...>]

Here it comes ...

Thx,

Roberto

Il giorno mer 22 mag 2024 alle ore 01:24 TJ Saunders <tj...@ca...> ha
scritto:

>
> > I am trying to configure proftpd for using ftps under Ubuntu 24.04
> > running in a virtual machine (VirtualBox, in a NAT Network).
>
> Can you provide the output from `proftpd -V`?  In particular, I'm
> wondering if you are running into this issue:
>
>   https://github.com/proftpd/proftpd/issues/1770
>
> Cheers,
> TJ
>
>
> _______________________________________________
> ProFTPD Users List   <pro...@pr...>
> Unsubscribe problems?
> http://www.proftpd.org/list-unsub.html
>


-- 

Roberto Brunelli

PROVINCIA AUTONOMA DI TRENTO

Agenzia provinciale per le risorse idriche e l'energia APRIE - PAT



IT - Piazza Fiera - 38122 Trento

T.  +39 0461 497358
¯¯¯¯

-- 

Re: [Proftpd-user] Ubuntu 24.04 mod_tls.o seg fault?

[Brad K. <br...@kn...>]

I have no idea if this means anything, but I was trying to use 24.04 and
containerd/runc and app armour has broken this application. Just thought I
would throw this out there. Sorry if I am way off base.

Brad

-----Original Message-----
From: TJ Saunders <tj...@ca...>
Sent: Tuesday, May 21, 2024 5:08 PM
To: ProFTPD Users <pro...@li...>
Subject: Re: [Proftpd-user] Ubuntu 24.04 mod_tls.o seg fault?


> I am trying to configure proftpd for using ftps under Ubuntu 24.04
> running in a virtual machine (VirtualBox, in a NAT Network).

Can you provide the output from `proftpd -V`?  In particular, I'm
wondering if you are running into this issue:

  https://github.com/proftpd/proftpd/issues/1770

Cheers,
TJ


_______________________________________________
ProFTPD Users List   <pro...@pr...>
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html

Re: [Proftpd-user] Ubuntu 24.04 mod_tls.o seg fault?

[TJ S. <tj...@ca...>]

> I am trying to configure proftpd for using ftps under Ubuntu 24.04 
> running in a virtual machine (VirtualBox, in a NAT Network). 

Can you provide the output from `proftpd -V`?  In particular, I'm wondering if you are running into this issue:

  https://github.com/proftpd/proftpd/issues/1770

Cheers,
TJ

[Proftpd-user] Ubuntu 24.04 mod_tls.o seg fault?

[Roberto B. <rob...@pr...>]

I am trying to configure proftpd for using ftps under Ubuntu 24.04 running
in a virtual machine (VirtualBox, in a NAT Network).

   1. I have generated the certificates with certbot and successfully used
   them to provide https with apache
   2. I have installed proftpd and it works in the standard ftp mode.
   3. I have then modified the standard proftpd.conf file by
uncommenting Include
   /etc/proftpd/tls.conf
   4. I have modified modules.conf uncommenting LoadModule mod_tls.c
   5. I have the following tls.conf file:

<IfModule mod_tls.c>
>
  TLSEngine                  on

  TLSLog                     /var/log/proftpd/tls.log

  TLSProtocol                SSLv23

  TLSOptions                 NoCertRequest

  TLSRSACertificateFile      /etc/letsencrypt/live/
> osservatorio.energia.provincia.tn.it/fullchain.pem

  TLSRSACertificateKeyFile   /etc/letsencrypt/live/
> osservatorio.energia.provincia.tn.it/privkey.pem

  TLSVerifyClient            off

  #TLSRequired                on

</IfModule>

and when I use lftp to connect with the following options:

oetools@oeweb:/etc/proftpd$ lftp
> lftp :~> open --user xxxx --port 21 ftps://
> osservatorio.energia.provincia.tn.it
> Password:
> lftp ap...@os...:~> ls
> ls: Fatal error: gnutls_handshake: The TLS connection was non-properly
> terminated.
>
and I get the following output in proftpd.log (tls.log remains empty):

2024-05-21 16:38:57,806 oeweb proftpd[13837]
> osservatorio.energia.provincia.tn.it (osservatorio.energia.provincia.tn.it[...]):
> -----BEGIN STACK TRACE-----

2024-05-21 16:38:57,806 oeweb proftpd[13837]
> osservatorio.energia.provincia.tn.it (osservatorio.energia.provincia.tn.it
> [ ...  ]): [0] /usr/lib/proftpd/mod_tls.so(+0x26962) [0x7fb5037e6962]

2024-05-21 16:38:57,806 oeweb proftpd[13837]
> osservatorio.energia.provincia.tn.it (osservatorio.energia.provincia.tn.it
> [ ...  ]): [1] /usr/lib/proftpd/mod_tls.so(+0x26962) [0x7fb5037e6962]

2024-05-21 16:38:57,806 oeweb proftpd[13837]
> osservatorio.energia.provincia.tn.it (osservatorio.energia.provincia.tn.it
> [ ...  ]): [2] /usr/lib/proftpd/mod_tls.so(+0x29fae) [0x7fb5037e9fae]

2024-05-21 16:38:57,806 oeweb proftpd[13837]
> osservatorio.energia.provincia.tn.it (osservatorio.energia.provincia.tn.it
> [ ...  ]): [3] proftpd: (accepting
> connections)(modules_session_init+0x64) [0x5ed9abc83244]

2024-05-21 16:38:57,806 oeweb proftpd[13837]
> osservatorio.energia.provincia.tn.it (osservatorio.energia.provincia.tn.it
> [ ...  ]): [4] proftpd: (accepting connections)(+0x2981e) [0x5ed9abc5d81e]

2024-05-21 16:38:57,806 oeweb proftpd[13837]
> osservatorio.energia.provincia.tn.it (osservatorio.energia.provincia.tn.it
> [ ...  ]): [5] proftpd: (accepting connections)(+0x2a239) [0x5ed9abc5e239]

2024-05-21 16:38:57,806 oeweb proftpd[13837]
> osservatorio.energia.provincia.tn.it (osservatorio.energia.provincia.tn.it
> [ ...  ]): [6] proftpd: (accepting connections)(main+0x648)
> [0x5ed9abc54098]

2024-05-21 16:38:57,806 oeweb proftpd[13837]
> osservatorio.energia.provincia.tn.it (osservatorio.energia.provincia.tn.it
> [ ...  ]): [7] /lib/x86_64-linux-gnu/libc.so.6(+0x2a1ca) [0x7fb50382a1ca]

2024-05-21 16:38:57,806 oeweb proftpd[13837]
> osservatorio.energia.provincia.tn.it (osservatorio.energia.provincia.tn.it
> [ ...  ]): [8] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x8b)
> [0x7fb50382a28b]

2024-05-21 16:38:57,806 oeweb proftpd[13837]
> osservatorio.energia.provincia.tn.it (osservatorio.energia.provincia.tn.it
> [ ...  ]): [9] proftpd: (accepting connections)(_start+0x25)
> [0x5ed9abc546b5]

2024-05-21 16:38:57,806 oeweb proftpd[13837]
> osservatorio.energia.provincia.tn.it (osservatorio.energia.provincia.tn.it
> [ ...  ]): -----END STACK TRACE-----

2024-05-21 16:38:57,806 oeweb proftpd[13837]
> osservatorio.energia.provincia.tn.it (osservatorio.energia.provincia.tn.it
> [ ...  ]): ProFTPD terminating (signal 11)


Any help is greatly appreciated!

Roberto

-- 

Re: [Proftpd-user] Init script for RHEL8

[Lists <li...@se...>]

It’s my understanding init script is required for clustered rh8

Geoffrey Myers

> On Jan 26, 2024, at 7:25 PM, Robillard, Bob <bro...@ic...> wrote:
> 
> 
>> 
>> I'm wondering, why you want to work with init scripts on Redhat8 instead of doing a proper systemd integration
> 
> As an aside, that's how we did it...there's a  proftpd.service file in the "contrib" source tree to start from:
> 
> 
> [Unit]
> Description = ProFTPD FTP Server
> Wants=network-online.target
> After=network-online.target nss-lookup.target local-fs.target remote-fs.target
> 
> [Service]
> Type = simple
> Environment = PROFTPD_OPTIONS=
> EnvironmentFile = -/etc/sysconfig/proftpd
> ExecStartPre = /usr/sbin/proftpd --configtest
> ExecStart = /usr/sbin/proftpd --nodaemon $PROFTPD_OPTIONS
> ExecReload = /bin/kill -HUP $MAINPID
> PIDFile = /run/proftpd/proftpd.pid
> 
> [Install]
> WantedBy = multi-user.target
> 
> 
> 
> -----Original Message-----
> From: Preuße, Hilmar via Proftp-user <pro...@li...>
> Sent: Thursday, January 25, 2024 5:07 PM
> To: pro...@li...
> Cc: Preuße, Hilmar <hi...@we...>
> Subject: Re: [Proftpd-user] Init script for RHEL8
> 
> This message has originated from an External Source. Please use proper judgment and caution when opening attachments, clicking links, or responding to this email.
> 
> On 22.01.2024 20:36, Lists wrote:
> 
> Hi,
> 
>> We are migrating our proftpd from RHEL7 to RHEL8.  We copied our
>> /etc/init.d script but it does not work.  Curious if someone has
>> conquered this issue. Proftpd does start when calling
>> /usr/sbin/proftpd directly.
>> 
> I'm wondering, why you want to work with init scripts on Redhat8 instead of doing a proper systemd integration. IIRC there are some templates in the proftp source package, which you can use. Further I'd expect that proftp is packaged for Redhat, but I did not check.
> 
> Hilmar
> 
> _______________________________________________
> ProFTPD Users List   <pro...@pr...>
> Unsubscribe problems?
> http://www.proftpd.org/list-unsub.html

Re: [Proftpd-user] Init script for RHEL8

[Robillard, B. <bro...@ic...>]

> I'm wondering, why you want to work with init scripts on Redhat8 instead of doing a proper systemd integration

As an aside, that's how we did it...there's a  proftpd.service file in the "contrib" source tree to start from:


[Unit]
Description = ProFTPD FTP Server
Wants=network-online.target
After=network-online.target nss-lookup.target local-fs.target remote-fs.target

[Service]
Type = simple
Environment = PROFTPD_OPTIONS=
EnvironmentFile = -/etc/sysconfig/proftpd
ExecStartPre = /usr/sbin/proftpd --configtest
ExecStart = /usr/sbin/proftpd --nodaemon $PROFTPD_OPTIONS
ExecReload = /bin/kill -HUP $MAINPID
PIDFile = /run/proftpd/proftpd.pid

[Install]
WantedBy = multi-user.target



-----Original Message-----
From: Preuße, Hilmar via Proftp-user <pro...@li...> 
Sent: Thursday, January 25, 2024 5:07 PM
To: pro...@li...
Cc: Preuße, Hilmar <hi...@we...>
Subject: Re: [Proftpd-user] Init script for RHEL8

This message has originated from an External Source. Please use proper judgment and caution when opening attachments, clicking links, or responding to this email.

On 22.01.2024 20:36, Lists wrote:

Hi,

> We are migrating our proftpd from RHEL7 to RHEL8.  We copied our 
> /etc/init.d script but it does not work.  Curious if someone has 
> conquered this issue. Proftpd does start when calling 
> /usr/sbin/proftpd directly.
>
I'm wondering, why you want to work with init scripts on Redhat8 instead of doing a proper systemd integration. IIRC there are some templates in the proftp source package, which you can use. Further I'd expect that proftp is packaged for Redhat, but I did not check.

Hilmar