
Centmin Mod pure-ftpd 530 Login Authentication Failed on 131.00stable & 140.00beta01

Discussion in 'Centmin Mod News' started by eva2000, Jul 7, 2024.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod 131.00stable and 140.00beta01 were released on July 1, 2024 and both are based off of 130.00beta01 development code. Near the end of 130.00beta01 development, I changed the Nginx install routine to set a defined nginx linux user (uid) and group id (gid) to be under <1000 as 956. The below issue only applies to new Centmin Mod 131.00stable or 140.00beta01 installs. Existing Centmin Mod users who installed prior using 124.00stable/130.00beta01 or older do not have an issue.

    Centmin Mod LEMP stack is developed for my usage and my paid clients' usage, and 2 of the use cases are if they have paid commercial software which licenses per user fees for uid>1000 regular linux users, and if setting up distributed filesystem/clusters for multiple servers, where you'd ideally want the same uniform uid/gid for the same user across all servers. Most of my clients and I do not use the created pure-ftpd virtual FTP user for login but use SFTP, so I didn't catch this issue.

    Pure-FTPd Issue



    However, this change to the default nginx uid/gid had unintended consequences for the Centmin Mod Nginx vhost creation routine via centmin.sh menu option 2 or nv command line, in that the pure-ftpd server is configured by default to only allow regular linux users with a minimum UID of 1000 and over to log in. So setting the default nginx uid/gid to 956 now meant pure-ftpd virtual FTP users couldn't log into their accounts and got error messages like: Login failed: 530 Login authentication failed.

    Example where I install lftp FTP client via YUM and try to log into Centmin Mod created pure-ftpd virtual ftp user = ftp123 using password = Io\"kMGPQr9(S.QV81Hg@& to IP address = 192.168.122.60 using explicit FTP over TLS and FTP passive mode which requires connecting to port 21 first
    Code (Text):
    lftp -e "set ftp:passive-mode yes; set ftp:ssl-allow yes; set ftp:ssl-force yes; set ssl:verify-certificate no; open -u ftp123,'Io\"kMGPQr9(S.QV81Hg@&' -p 21 ftp://192.168.122.60"
    lftp ftp123@192.168.122.60:~> ls
    ls: Login failed: 530 Login authentication failed
    

    Or the pure-ftpd logs via the journalctl command give Can't login as [ftp123]: account disabled (uid < 1000)
    Code (Text):
    journalctl -u pure-ftpd --no-pager
    
    Jul 06 15:11:42 almalinux9dev1 pure-ftpd[518898]: (?@192.168.122.60) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
    Jul 06 15:11:42 almalinux9dev1 pure-ftpd[518898]: (?@192.168.122.60) [DEBUG] Command [opts] [UTF8 ON]
    Jul 06 15:11:42 almalinux9dev1 pure-ftpd[518898]: (?@192.168.122.60) [DEBUG] Command [user] [ftp123]
    Jul 06 15:11:42 almalinux9dev1 pure-ftpd[518898]: (?@192.168.122.60) [DEBUG] Command [pass] [<*>]
    Jul 06 15:11:42 almalinux9dev1 pure-ftpd[518898]: (?@192.168.122.60) [WARNING] Can't login as [ftp123]: account disabled (uid < 1000)
    Jul 06 15:11:44 almalinux9dev1 pure-ftpd[518898]: (?@192.168.122.60) [INFO] Logout.
    


    Pure-FTPd Fixes



    To fix this issue I've updated Centmin Mod 131.00stable and 140.00beta01 to now default to creating the nginx linux user with uid/gid = 1068, high up enough to not conflict with other linux users created after Centmin Mod's initial install. For example, some users might create sudo linux users before Centmin Mod initial install as well.

    The updated nginx install routine is also smart enough to detect if 1068 uid/gid is already in use and increment to the next value i.e. 1069.


    So fresh Centmin Mod 131.00stable and 140.00beta01 installs should be fine from July 7, 2024 AEST onwards. For existing Centmin Mod 131.00stable and 140.00beta01 installs, you can update your local Centmin Mod code via cmupdate, and run and exit centmin.sh menu once.
    Code (Text):
    cmupdate
    centmin
    

    Then enter option 24 to exit centmin.sh menu.

    Then verify nginx uid/gid is 1068 via the id nginx command. The automated solution is also smart enough to increment the desired uid/gid if it has already been used. So if 1068 has already been used, it will increment and use 1069 and so on.
    Code (Text):
    id nginx
    uid=1068(nginx) gid=1068(nginx) groups=1068(nginx)
    

    Verify your pure-ftpd virtual FTP user's reported UID/GID is 1068 as well, i.e. for pure-ftpd virtual FTP user ftp123 via the pure-pw show command
    Code (Text):
    pure-pw show ftp123
    
    Login              : ftp123
    Password           : $2a$10$0.cZEtKeiurOrPrcvO5Ltu4AkiytgFMh6WfBDAA7eeHRKC.KgTRFO
    UID                : 1068 (-)
    GID                : 1068 (-)
    Directory          : /home/nginx/domains/domain.com/./
    Full name          :
    Download bandwidth : 0 Kb (unlimited)
    Upload   bandwidth : 0 Kb (unlimited)
    Max files          : 0 (unlimited)
    Max size           : 0 Mb (unlimited)
    Ratio              : 0:0 (unlimited:unlimited)
    Allowed local  IPs :
    Denied  local  IPs :
    Allowed client IPs :
    Denied  client IPs :
    Time restrictions  : 0000-0000 (unlimited)
    Max sim sessions   : 0 (unlimited)

    If your id nginx returns 1068 but the pure-pw show username command shows the UID/GID is still not 1068, you can change pure-ftpd virtual FTP users via a new script, passing the desired uid and gid values on the command line as
    Code (Text):
    /usr/local/src/centminmod/tools/switch_pureftpd_uid.sh -u 1068 -g 1068
    

    Then re-verify via pure-pw show command
    Code (Text):
    pure-pw show ftp123
    


    Now try logging into your pure-ftpd virtual FTP user account again, i.e. using lftp, and once logged in, run the ls command to list the current directory's contents
    Code (Text):
    lftp -e "set ftp:passive-mode yes; set ftp:ssl-allow yes; set ftp:ssl-force yes; set ssl:verify-certificate no; open -u ftp123,'Io\"kMGPQr9(S.QV81Hg@&' -p 21 ftp://192.168.122.60"
    lftp ftp123@192.168.122.60:~> ls
    drwxr-s---    6 1068       nginx              60 Jul  6 12:46 .
    drwxr-s---    6 1068       nginx              60 Jul  6 12:46 ..
    drwxr-s---    2 1068       nginx               6 Jul  6 12:46 backup
    drwxr-s---    2 1068       nginx              41 Jul  6 12:47 log
    drwxr-s---    2 1068       nginx               6 Jul  6 12:46 private
    drwxr-s---    2 1068       nginx             191 Jul  6 12:46 public
    

    and list contents of public web root
    Code (Text):
    lftp ftp123@192.168.122.60:/> ls public
    drwxr-s---    2 1068       nginx             191 Jul  6 12:46 .
    drwxr-s---    6 1068       nginx              60 Jul  6 12:46 ..
    -rw-r-----    1 1068       nginx            1991 Jul  6 12:46 401.html
    -rw-r-----    1 1068       nginx            1973 Jul  6 12:46 403.html
    -rw-r-----    1 1068       nginx            1965 Jul  6 12:46 404.html
    -rw-r-----    1 1068       nginx            1997 Jul  6 12:46 500.html
    -rw-r-----    1 1068       nginx            1977 Jul  6 12:46 502.html
    -rw-r-----    1 1068       nginx            2017 Jul  6 12:46 503.html
    -rw-r-----    1 1068       nginx            7687 Jul  6 12:46 503.jpg
    -rw-r-----    1 1068       nginx            1987 Jul  6 12:46 504.html
    -rw-r-----    1 1068       nginx            2038 Jul  6 12:46 50x.html
    -rw-r-----    1 1068       nginx            6356 Jul  6 12:46 index.html
    -rw-r-----    1 1068       nginx            3376 Jul  6 12:46 maintenance.html
    

    Test transfer file /home/filename.txt to Centmin Mod nginx vhost's pure-ftpd virtual FTP user ftp123's web root directory /public
    Code (Text):
    lftp -e "set ftp:passive-mode yes; set ftp:ssl-allow yes; set ftp:ssl-force yes; set ssl:verify-certificate no; open -u ftp123,'Io\"kMGPQr9(S.QV81Hg@&' -p 21 ftp://192.168.122.60; put /home/filename.txt -o public/filename.txt; quit"
    

    Login and verify filename.txt was transferred
    Code (Text):
    lftp -e "set ftp:passive-mode yes; set ftp:ssl-allow yes; set ftp:ssl-force yes; set ssl:verify-certificate no; open -u ftp123,'Io\"kMGPQr9(S.QV81Hg@&' -p 21 ftp://192.168.122.60"
    lftp ftp123@192.168.122.60:~> ls public
    drwxr-s---    2 1068       nginx             211 Jul  6 16:46 .
    drwxr-s---    6 1068       nginx              60 Jul  6 12:46 ..
    -rw-r-----    1 1068       nginx            1991 Jul  6 12:46 401.html
    -rw-r-----    1 1068       nginx            1973 Jul  6 12:46 403.html
    -rw-r-----    1 1068       nginx            1965 Jul  6 12:46 404.html
    -rw-r-----    1 1068       nginx            1997 Jul  6 12:46 500.html
    -rw-r-----    1 1068       nginx            1977 Jul  6 12:46 502.html
    -rw-r-----    1 1068       nginx            2017 Jul  6 12:46 503.html
    -rw-r-----    1 1068       nginx            7687 Jul  6 12:46 503.jpg
    -rw-r-----    1 1068       nginx            1987 Jul  6 12:46 504.html
    -rw-r-----    1 1068       nginx            2038 Jul  6 12:46 50x.html
    -rw-r-----    1 1068       nginx               0 Jul  6 16:45 filename.txt
    -rw-r-----    1 1068       nginx            6356 Jul  6 12:46 index.html
    -rw-r-----    1 1068       nginx            3376 Jul  6 12:46 maintenance.html
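
The check described in the post above, as an added example that is not part of the original post or Centmin Mod's code: it pulls the accounts pure-ftpd rejected with `account disabled (uid < N)` out of the log and compares the UID reported by `pure-pw show` against that minimum. The function names and the sample log and `pure-pw` text are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not Centmin Mod code. The sample data is constructed in the
# log and `pure-pw show` formats quoted in the post; 956 is the old nginx uid.
SAMPLE_LOG="Jul 06 15:11:42 host pure-ftpd[1]: (?@192.0.2.10) [DEBUG] Command [user] [ftp123]
Jul 06 15:11:42 host pure-ftpd[1]: (?@192.0.2.10) [WARNING] Can't login as [ftp123]: account disabled (uid < 1000)
Jul 06 15:11:44 host pure-ftpd[1]: (?@192.0.2.10) [INFO] Logout."
SAMPLE_PW="
Login              : ftp123
UID                : 956 (nginx)
GID                : 956 (nginx)"

# stdin: pure-ftpd log lines. stdout: "user min_uid" per rejected account.
rejected_logins() {
  sed -nE "s/.*Can't login as \[([^]]+)\]: account disabled \(uid < ([0-9]+)\).*/\1 \2/p" | sort -u
}

# stdin: `pure-pw show <user>` output. stdout: the numeric UID field.
pw_uid() {
  awk -F': *' '/^[ \t]*UID[ \t]*:/ { split($2, f, " "); print f[1]; exit }'
}

# Exit 0 if pure-ftpd would accept this uid, 1 if it is below the minimum.
uid_allowed() {  # usage: uid_allowed <uid> [min_uid]
  [ "$1" -ge "${2:-1000}" ]
}

# One status line per rejected account: is its mapped uid still too low?
# The demo passes one `pure-pw show` text; on a server, look it up per user.
audit() {  # usage: audit <log_text> <pure-pw show text>
  printf '%s\n' "$1" | rejected_logins | while read -r user min; do
    uid=$(printf '%s\n' "$2" | pw_uid)
    if uid_allowed "$uid" "$min"; then
      echo "$user uid=$uid ok"
    else
      echo "$user uid=$uid blocked(min=$min)"
    fi
  done
}

audit "$SAMPLE_LOG" "$SAMPLE_PW"
```

On a server, pipe `journalctl -u pure-ftpd --no-pager` into `rejected_logins` and `pure-pw show <user>` into `pw_uid` instead of the sample variables.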
    
     
  2. eva2000


    Changing Nginx UID/GID As Desired



    Some folks may not like the new defaults of nginx user's UID/GID = 1068 and have their own configurations in mind. As such I updated the recently created /usr/local/src/centminmod/tools/switch_nginx_uid.sh script to support changing linux nginx uid/gid + changing all pure-ftpd virtual FTP users' assigned nginx uid/gid values in one step.

    The script takes 4 arguments
    Code (Text):
    /usr/local/src/centminmod/tools/switch_nginx_uid.sh
    Error: All arguments must be provided.
    Usage: /usr/local/src/centminmod/tools/switch_nginx_uid.sh --current-uid <uid> --current-gid <gid> --desired-uid <uid> --desired-gid <gid>
       or: /usr/local/src/centminmod/tools/switch_nginx_uid.sh -uf <uid> -gf <gid> -ut <uid> -gt <gid>
    

    So -uf and -gf are uid/gid from and -ut and -gt are uid/gid to. So changing from uid/gid = 1068 to uid/gid = 958 would be:
    Code (Text):
    /usr/local/src/centminmod/tools/switch_nginx_uid.sh -uf 1068 -gf 1068 -ut 958 -gt 958
    

    gives output
    Code (Text):
    /usr/local/src/centminmod/tools/switch_nginx_uid.sh -uf 1068 -gf 1068 -ut 958 -gt 958
    Using UID/GID: 958
    Stopping nginx service...
    Changing UID and GID of nginx user from 1068:1068 to 958:958...
    Updating ownership of files for nginx user...
    
    Updating from UID=1068 GID=1068 to UID=958 GID=958 for ftp123...
    Updating from UID=1068 GID=1068 to UID=958 GID=958 for ftp234...
    All pure-ftpd virtual FTP users have been processed.
    Restarting nginx service...
    Verifying ownership of critical directories...
    Ownership of /home/nginx is correct: UID=958, GID=958
    
    id nginx
    uid=958(nginx) gid=958(nginx) groups=958(nginx)

    Now nginx uid/gid is 958
    Code (Text):
    id nginx
    uid=958(nginx) gid=958(nginx) groups=958(nginx)
    

    and pure-ftpd virtual FTP user is as well
    Code (Text):
    pure-pw show ftp123
    
    Login              : ftp123
    Password           : $2a$10$0.cZEtKeiurOrPrcvO5Ltu4AkiytgFMh6WfBDAA7eeHRKC.KgTRFO
    UID                : 958 (nginx)
    GID                : 958 (nginx)
    Directory          : /home/nginx/domains/domain.com/./
    Full name          :
    Download bandwidth : 0 Kb (unlimited)
    Upload   bandwidth : 0 Kb (unlimited)
    Max files          : 0 (unlimited)
    Max size           : 0 Mb (unlimited)
    Ratio              : 0:0 (unlimited:unlimited)
    Allowed local  IPs :
    Denied  local  IPs :
    Allowed client IPs :
    Denied  client IPs :
    Time restrictions  : 0000-0000 (unlimited)
    Max sim sessions   : 0 (unlimited)

    The /usr/local/src/centminmod/tools/switch_nginx_uid.sh script allows me to now cater to my clients and own usage requirements, but still cater to existing Centmin Mod users and their pure-ftpd virtual FTP user login needs :)
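
A pre-flight check for the values passed to `-ut`/`-gt`, as an added example that is not the original post's or Centmin Mod's code: it finds the first id at or above a starting value that is unused as both a UID and a GID (the increment-if-taken behaviour described in the first post) and flags a free id that falls below the 1000 minimum from the pure-ftpd log message. Function names and the passwd/group contents are constructed; on a server pass `/etc/passwd` and `/etc/group`.

```bash
#!/usr/bin/env bash
# Added example, not Centmin Mod code. Constructed passwd/group data:
# 1068 and 1069 are taken as UIDs, 1068 and 1070 as GIDs.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nginx:x:1068:1068::/home/nginx:/sbin/nologin
deploy:x:1069:1070::/home/deploy:/bin/bash
EOF
cat > "$DEMO_DIR/group" <<'EOF'
root:x:0:
nginx:x:1068:
deploy:x:1070:
EOF

# Print the first id >= start that no passwd entry uses as a UID and no
# group entry uses as a GID (field 3 in both files).
next_free_id() {  # usage: next_free_id <start> <passwd_file> <group_file>
  local id=$1
  while awk -F: -v id="$id" '$3 == id { hit = 1 } END { exit !hit }' "$2" "$3"; do
    id=$((id + 1))
  done
  echo "$id"
}

# Return 0 = usable, 1 = id already taken, 2 = free but below pure-ftpd's minimum.
preflight() {  # usage: preflight <desired_id> <min_uid> <passwd_file> <group_file>
  local want=$1 min=$2 free
  free=$(next_free_id "$want" "$3" "$4")
  if [ "$free" -ne "$want" ]; then
    echo "taken: next free id is $free"; return 1
  fi
  if [ "$want" -lt "$min" ]; then
    echo "free, but below minimum uid $min: pure-ftpd refuses virtual users mapped to it"; return 2
  fi
  echo "ok"
}

for id in 1068 958 1071; do
  printf '%s -> %s\n' "$id" "$(preflight "$id" 1000 "$DEMO_DIR/passwd" "$DEMO_DIR/group")"
done
```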
     