12-13-2012, 06:55 AM
rchalwin
Junior Member
 
Join Date: Apr 2007
Posts: 6

Thanks for helping out.

My NAS (Thecus N4800) runs a Pure-FTPd daemon. Sorry, but I can't find the associated .conf file anywhere on the system.

I can confirm that FTPS with explicit TLSv1 works on my LAN:

Code:
[R] Connecting to Local Home SFTP -> IP=192.168.xxx.xxx PORT=21
[R] Connected to Local Home SFTP
[R] 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
[R] 220-You are user number 1 of 300 allowed.
[R] 220-Local time is now 22:09. Server port: 21.
[R] 220-This is a private system - No anonymous login
[R] 220-IPv6 connections are also welcome on this server.
[R] 220 You will be disconnected after 15 minutes of inactivity.
[R] AUTH TLS
[R] 234 AUTH TLS OK.
[R] Connected. Negotiating SSL/TLS session
[R] TLSv1 negotiation successful...
[R] TLSv1 encrypted session using cipher DHE-RSA-AES256-SHA (256 bits)
[R] PBSZ 0
[R] 200 PBSZ=0
[R] USER xxxx
[R] 331 User xxxx OK. Password required
[R] PASS (hidden)
[R] 230-This server supports FXP transfers
[R] 230 OK. Current restricted directory is /
[R] SYST
[R] 215 UNIX Type: L8
[R] FEAT
[R] 211-Extensions supported:
[R]  EPRT
[R]  IDLE
[R]  MDTM
[R]  SIZE
[R]  MFMT
[R]  REST STREAM
[R]  MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
[R]  MLSD
[R]  AUTH TLS
[R]  PBSZ
[R]  PROT
[R]  UTF8
[R]  ESTA
[R]  PASV
[R]  EPSV
[R]  SPSV
[R]  ESTP
[R] 211 End.
[R] OPTS UTF8 ON
[R] 200 OK, UTF-8 enabled
[R] PWD
[R] 257 "/" is your current location
[R] TYPE A
[R] 200 TYPE is now ASCII
[R] PROT P
[R] 200 Data protection level set to "private"
[R] Listening on PORT: 49527, Waiting for connection.
[R] PORT 192,168,0,197,193,119
[R] 200 PORT command successful
[R] LIST -al
[R] Connected. Negotiating SSL/TLS session
[R] TLSv1 negotiation successful...
[R] TLSv1 encrypted session using cipher DHE-RSA-AES256-SHA (256 bits)
[R] 150 Connecting to port 49527
[R] 226-Options: -a -l 
[R] 226 16 matches total
[R] List Complete: 1 KB in 0.04 second (1.1 KB/s)
Trying the exact same settings across WAN dumped the following error into syslog:

Code:
N4800 pure-ftpd: PAM _pam_init_handlers: no default config /etc/pam.d/other
N4800 pure-ftpd: pam_winbind(pure-ftpd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'xxxx')
It seems pure-ftpd is using PAM for authentication:

Code:
#! /bin/sh
# pure-authd external authentication handler: pure-ftpd hands the credentials
# over in AUTHD_ACCOUNT / AUTHD_PASSWORD and reads "key:value" lines back,
# terminated by "end". auth.sh is the NAS's own credential checker.
/app/bin/auth.sh "${AUTHD_ACCOUNT}" "${AUTHD_PASSWORD}"
check=$?
echo "${check}"   # debug output only; not part of the auth_ok/uid/gid/dir/end reply
if [ "$check" -ne 0 ]; then
	echo 'auth_ok:0'
else
	echo 'auth_ok:1'
	# split on ':' with -F: so fields 3 and 4 really are uid and gid
	# (setting FS inside the action only takes effect on the *next* record,
	# so the original pipeline selected the wrong fields)
	echo 'uid:'`/opt/bin/getent passwd | /bin/grep "^$AUTHD_ACCOUNT:" | /usr/bin/awk -F: '{print $3}'`
	echo 'gid:'`/opt/bin/getent passwd | /bin/grep "^$AUTHD_ACCOUNT:" | /usr/bin/awk -F: '{print $4}'`
	echo 'dir:/raid/ftproot/'
fi
echo 'end'
And the pam.d conf shows:

Code:
auth       sufficient   pam_ldap.so
auth       sufficient   pam_winbind.so
auth       required     pam_unix.so use_first_pass
account    sufficient   pam_ldap.so
account    sufficient   pam_winbind.so
account    required     pam_unix.so
session    sufficient   pam_ldap.so
session    sufficient   pam_winbind.so
session    required     pam_unix.so
I don't understand any of this, especially why the authentication should go through perfectly across LAN yet fails on WAN with exactly the same login details.

Perhaps there is some problem with my ISP passing encrypted packets inbound, especially since my NAS sits in the DMZ?
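The pam.d stack quoted in the post is what decides the login once pure-ftpd's auth handler hands the credentials to PAM, and the syslog line says pam_winbind returned PAM_AUTHINFO_UNAVAIL(9). As an added example (not Thecus or Pure-FTPd code), here is a small Python model of Linux-PAM's control-flag rules run over that exact three-line auth stack; the return codes are the real Linux-PAM constants, while the per-module outcomes fed into it are constructed scenarios, one of them mirroring the winbind error from the log.

```python
# Added example (not Thecus or Pure-FTPd code): a model of how Linux-PAM walks
# the 'auth' stack quoted in the post. Return codes are the real Linux-PAM
# constants; the per-module outcomes in the scenarios are constructed.

# Linux-PAM return codes (values as in <security/_pam_types.h>)
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_AUTHINFO_UNAVAIL = 9   # the code in the syslog line: pam_winbind retval = 9
PAM_USER_UNKNOWN = 10
PAM_IGNORE = 25

# The three 'auth' lines from the pam.d fragment, in stack order.
AUTH_STACK = [
    ("sufficient", "pam_ldap.so"),
    ("sufficient", "pam_winbind.so"),
    ("required", "pam_unix.so"),  # use_first_pass: reuses the password already collected
]


def evaluate_auth_stack(stack, outcomes):
    """Walk `stack` with simplified Linux-PAM control-flag rules.

    `outcomes` maps module name -> the PAM code that module returns this time.
    Returns (final_code, modules_called).
      required   : a failure is recorded (first one wins) and the walk goes on
      requisite  : a failure ends the walk immediately
      sufficient : a success ends the walk (a recorded required failure still
                   wins); a failure is simply ignored
      optional   : only counts if nothing else has decided
    """
    recorded_failure = None   # first failure from a required/requisite module
    positive = False          # some required/optional module succeeded
    called = []
    for control, module in stack:
        rc = outcomes[module]
        called.append(module)
        if rc == PAM_IGNORE:
            continue
        ok = rc == PAM_SUCCESS
        if control in ("required", "requisite"):
            if ok:
                positive = True
            elif recorded_failure is None:
                recorded_failure = rc
            if not ok and control == "requisite":
                return recorded_failure, called
        elif control == "sufficient":
            if ok:
                return (PAM_SUCCESS if recorded_failure is None else recorded_failure), called
            # failure of a sufficient module: ignored, keep walking
        elif control == "optional":
            if ok:
                positive = True
        else:
            raise ValueError("unknown control flag: %r" % control)
    if recorded_failure is not None:
        return recorded_failure, called
    if positive:
        return PAM_SUCCESS, called
    # Nothing decided (e.g. only sufficient modules and all of them failed):
    # Linux-PAM treats an undecided stack as denied.
    return PAM_PERM_DENIED, called


def winbind_ok_scenario():
    """Constructed: pam_winbind validates the user, so the walk stops there and
    pam_unix is never consulted."""
    return evaluate_auth_stack(AUTH_STACK, {
        "pam_ldap.so": PAM_USER_UNKNOWN,   # no LDAP account for this user
        "pam_winbind.so": PAM_SUCCESS,
        "pam_unix.so": PAM_SUCCESS,        # never reached
    })


def winbind_unavailable_scenario(local_account_ok):
    """Constructed: pam_winbind returns PAM_AUTHINFO_UNAVAIL as in the syslog
    line. Being 'sufficient', that error is ignored and pam_unix decides, so
    the result hinges on whether a local account with that password exists."""
    return evaluate_auth_stack(AUTH_STACK, {
        "pam_ldap.so": PAM_USER_UNKNOWN,
        "pam_winbind.so": PAM_AUTHINFO_UNAVAIL,
        "pam_unix.so": PAM_SUCCESS if local_account_ok else PAM_USER_UNKNOWN,
    })


if __name__ == "__main__":
    print("winbind ok                         :", winbind_ok_scenario())
    print("winbind unavailable, local account :", winbind_unavailable_scenario(True))
    print("winbind unavailable, no local user :", winbind_unavailable_scenario(False))
```

What the model makes visible: a failure from a `sufficient` module never rejects a login on its own, so the pam_winbind error in the log is not the denial itself; it only means the decision falls through to `pam_unix` (with `use_first_pass`, so it reuses the password the earlier modules collected), and that outcome depends on whether the NAS has a matching local account. PAM_AUTHINFO_UNAVAIL is also a different failure from a wrong password: it means the module could not obtain its authentication information at all, which is the thing to chase rather than the credentials.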