vsftpd error 530 "Login incorrect" with valid credentials

Although there are many similar existing questions/answers that reference vsftpd and error code 530, in this case they do not seem to help:
- vsftpd login error: 530
- VSFTPD 530 Login Error
- vsftp login error 530 Login incorrect
- 530 Login incorrect - vsftpd w/SSL (not using PAM?)
- VSFTPD error 530 on a fresh install
The situation is that a working vsftpd-2.2.2-24.el6.x86_64 instance on RHEL 6 (CentOS 6) is being migrated to a RHEL 7 (CentOS 7) server.

Of the vsftpd configuration files, only these were modified: /etc/vsftpd.chroot_list, to add the local user name, and /etc/vsftpd/vsftpd.conf, configured as follows, where (*) marks a change or addition relative to the distribution default:
```ini
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ftpd_banner=Hello.
listen=YES (*)
listen_ipv6=NO (*)
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
dual_log_enable=YES
use_localtime=YES (*)
rsa_cert_file=/etc/httpd/conf/ssl/vsftpd.crt (*)
rsa_private_key_file=/etc/httpd/conf/ssl/vsftpd.key (*)
ssl_enable=YES (*)
allow_anon_ssl=NO (*)
force_local_data_ssl=NO (*)
force_local_logins_ssl=NO (*)
ssl_tlsv1=YES (*)
ssl_sslv2=NO (*)
ssl_sslv3=NO (*)
require_ssl_reuse=NO (*)
ssl_ciphers=HIGH (*)
ssl_tlsv1_1=YES (*)
ssl_tlsv1_2=YES (*)
allow_writeable_chroot=YES (*)
```
It should be emphasized that the configuration was ported from a working vsftpd instance. After enabling and (re)starting the service, with no problems reported:

```shell
$ sudo systemctl status vsftpd
$ sudo systemctl enable vsftpd
$ sudo systemctl start vsftpd
$ sudo systemctl -l status vsftpd
```
Attempting to test the server:
```shell
$ cd ~ ; \
  TEST="${HOME}/tmp/vsftpd_tst.`date +%Y%m%d%H%M`"; \
  date >${TEST} ; \
  curl -v -k -u ${USER} -ftp-ssl -T ${TEST} ftp://host.domain.tld/
Enter host password for user 'xxxx':
* STATE: INIT => CONNECT handle 0x600069c60; line 1418 (connection #-5000)
* Added connection 0. The cache now contains 1 members
*   Trying host.domain.tld ...
* TCP_NODELAY set
* STATE: CONNECT => WAITCONNECT handle 0x600069c60; line 1470 (connection #0)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connected to host.domain.tld (x.x.x.x) port 21 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x600069c60; line 1587 (connection #0)
* Marked for [keep alive]: FTP default
* FTP 0x60006fe40 (line 3113) state change from STOP to WAIT220
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x600069c60; line 1601 (connection #0)
< 220 Hello.
> USER xxxx
* FTP 0x60006fe40 (line 801) state change from WAIT220 to USER
< 331 Please specify the password.
> PASS xxxxxxxxxxxx
* FTP 0x60006fe40 (line 2541) state change from USER to PASS
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0
< 530 Login incorrect.
* Access denied: 530
* multi_done
* Marked for [closure]: FTP ended with bad error code
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0
* Closing connection 0
* The cache now contains 0 members
curl: (67) Access denied: 530
```
The credentials are known and correct.

With SELinux enabled on the server, SELinux becomes a suspect. In this case both the old and the new server had SELinux installed, but on the old server it was not enforcing.
In this case, as shown below, locating the .crt and .key files within the httpd configuration space appears to cause a problem:

```shell
$ sudo audit2allow -w -a
...
type=AVC msg=audit(1532728647.463:74431): avc:  denied  { getattr } for  pid=48253 comm="vsftpd" path="/etc/httpd/conf/ssl/vsftpd.crt" dev="dm-2" ino=6687286 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file
        Was caused by:
        The boolean ftpd_full_access was set incorrectly.
        Description:
        Allow ftpd to full access

        Allow access by executing:
        # setsebool -P ftpd_full_access 1
...
```
Unfortunately, in this case the suggestion, while useful, was not sufficient.

```shell
$ sudo setsebool -P ftpd_full_access 1
```

The failures continued, and audit2allow still showed the problem, but without a suggestion for a specific command to run:

```shell
$ sudo audit2allow -w -a
...
type=AVC msg=audit(1532728647.463:74431): avc:  denied  { getattr } for  pid=48253 comm="vsftpd" path="/etc/httpd/conf/ssl/com_vsftpd.crt" dev="dm-2" ino=6687286 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file
        Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.

        Possible mismatch between current in-memory boolean settings vs. permanent ones.
```
This was resolved by:

```shell
$ sudo semodule -R
```
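The AVC line in the question already names everything needed for a narrower fix than `ftpd_full_access`: the source domain (`ftpd_t`), the target label (`httpd_config_t`, because the files live under /etc/httpd/conf) and the path. `ftpd_full_access` grants the FTP daemon read/write on every file the DAC permissions allow, which is far more than "let vsftpd read its own certificate". The script below is an added example, not code from the question or from vsftpd: it parses AVC denials of the shape shown above and prints a relabel plan that moves the certificate and key to directories the policy already lets `ftpd_t` read. It assumes the stock RHEL 7 targeted policy, in which /etc/pki/tls/certs and /etc/pki/tls/private are labeled `cert_t` and `ftpd_t` is permitted to read `cert_t`, and that vsftpd.conf is at /etc/vsftpd/vsftpd.conf. The sample AVC line is constructed, modelled on the one in the question.

```shell
#!/bin/sh
# Added example: parse SELinux AVC denials (as printed by audit2allow -w -a or
# ausearch -m AVC -c vsftpd) and derive a label-based fix for ftpd_t reading
# TLS material instead of enabling ftpd_full_access.

# Constructed sample line, modelled on the denial in the question (not a real capture).
SAMPLE_AVC='type=AVC msg=audit(1532728647.463:74431): avc:  denied  { getattr } for  pid=48253 comm="vsftpd" path="/etc/httpd/conf/ssl/vsftpd.crt" dev="dm-2" ino=6687286 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=... with surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"*\([^\" ]*\)\"*.*/\1/p"
}

# se_type CONTEXT -> the type field of user:role:type[:range]
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE -> the denied permission(s) listed inside { }
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

# avc_summary LINE -> "SRC_TYPE PERM TCLASS TGT_TYPE PATH" on one line
avc_summary() {
    printf '%s %s %s %s %s\n' \
        "$(se_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(se_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" path)"
}

# cert_home FILE -> directory the stock RHEL 7 policy labels cert_t
# (assumption: /etc/pki/tls/certs and /etc/pki/tls/private carry cert_t)
cert_home() {
    case $1 in
        *.key) echo /etc/pki/tls/private ;;
        *)     echo /etc/pki/tls/certs ;;
    esac
}

# ftpd_cert_fix LINE -> prints the relabel recipe when ftpd_t was denied access
# to a .crt/.pem/.key file that is not already cert_t; returns 1 otherwise
ftpd_cert_fix() {
    _src=$(se_type "$(avc_field "$1" scontext)")
    _tgt=$(se_type "$(avc_field "$1" tcontext)")
    _path=$(avc_field "$1" path)
    [ "$_src" = ftpd_t ] || return 1
    case $_path in *.crt|*.pem|*.key) ;; *) return 1 ;; esac
    [ "$_tgt" != cert_t ] || return 1          # nothing to relabel
    _dest=$(cert_home "$_path")
    _name=$(basename "$_path")
    printf 'mv %s %s/\n' "$_path" "$_dest"
    printf 'restorecon -v %s/%s\n' "$_dest" "$_name"   # picks up cert_t from the fcontext rules
    case $_path in *.key) printf 'chmod 600 %s/%s\n' "$_dest" "$_name" ;; esac
    # assumption: vsftpd.conf lives at the RHEL default path
    printf "sed -i 's|%s|%s/%s|' /etc/vsftpd/vsftpd.conf\\n" "$_path" "$_dest" "$_name"
}

# Stand-alone run: summarise the sample denial and print the plan for it
avc_summary "$SAMPLE_AVC"
ftpd_cert_fix "$SAMPLE_AVC"
```

Run it with `sh` (it is POSIX sh, no bashisms). Before applying the printed plan on a real host, confirm the premise it rests on: `sesearch -A -s ftpd_t -t cert_t -c file -p read` (from setools) shows whether the loaded policy actually grants the read, and `matchpathcon /etc/pki/tls/certs/vsftpd.crt` shows the label `restorecon` will apply. If the files must stay under /etc/httpd/conf/ssl, `semanage fcontext -a -t cert_t '/etc/httpd/conf/ssl(/.*)?'` followed by `restorecon -Rv /etc/httpd/conf/ssl` relabels them in place. Whichever route is taken, re-check with `ls -Z` and `ausearch -m AVC -c vsftpd -ts recent`; the second audit2allow output in the question ("would be allowed by active policy ... mismatch between current in-memory boolean settings vs. permanent ones") is the situation that `semodule -R` resolved by reloading the policy. One caveat on the test command itself: `-ftp-ssl` with a single dash is not curl's `--ftp-ssl` (now `--ssl`); curl reads it as the short options `-f` and `-t p-ssl`, and the trace shows USER sent with no AUTH TLS, so the 530 was observed on a plaintext login.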