Ssl-Certificate

vsftpd 錯誤 530 使用有效憑據發生登錄不正確錯誤

  • August 1, 2018

儘管有許多類似的現有問題/答案引用vsftpd和錯誤程式碼530,但在這種情況下它們似乎沒有幫助:

情況是 RHEL 6 (CentOS 6) 上的工作 vsftpd-2.2.2-24.el6.x86_64 實例正在遷移到 RHEL 7 (CentOS 7) 伺服器。

vsftpd配置文件中,只有這些被修改:

  • /etc/vsftpd.chroot_list添加本地使用者名。
  • /etc/vsftpd/vsftpd.conf

配置如下,(*) 表示對分發預設值的更改或添加:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ftpd_banner=Hello.
listen=YES (*)
listen_ipv6=NO (*)
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
dual_log_enable=YES
use_localtime=YES (*)
rsa_cert_file=/etc/httpd/conf/ssl/vsftpd.crt (*)
rsa_private_key_file=/etc/httpd/conf/ssl/vsftpd.key (*)
ssl_enable=YES (*)
allow_anon_ssl=NO (*)
force_local_data_ssl=NO (*)
force_local_logins_ssl=NO (*)
ssl_tlsv1=YES (*)
ssl_sslv2=NO (*)
ssl_sslv3=NO (*)
require_ssl_reuse=NO (*)
ssl_ciphers=HIGH (*)
ssl_tlsv1_1=YES (*)
ssl_tlsv1_2=YES (*)
allow_writeable_chroot=YES (*)

需要強調的是,配置是從工作vsftpd實例移植的。

在沒有報告問題的情況下啟用和(重新)啟動服務後:

$ sudo systemctl status vsftpd
$ sudo systemctl enable vsftpd
$ sudo systemctl start vsftpd
$ sudo systemctl -l status vsftpd

嘗試測試伺服器:

$ cd ~ ; \
 TEST="${HOME}/tmp/vsftpd_tst.`date +%Y%m%d%H%M`"; \
 date >${TEST} ; \
 curl -v -k -u ${USER} -ftp-ssl -T ${TEST} ftp://host.domain.tld/

Enter host password for user 'xxxx':
* STATE: INIT => CONNECT handle 0x600069c60; line 1418 (connection #-5000)
* Added connection 0. The cache now contains 1 members
*   Trying host.domain.tld ...
* TCP_NODELAY set
* STATE: CONNECT => WAITCONNECT handle 0x600069c60; line 1470 (connection #0)
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    Left  Speed
 0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connected to host.domain.tld (x.x.x.x) port 21 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x600069c60; line 158 7 (connection #0)
* Marked for [keep alive]: FTP default
* FTP 0x60006fe40 (line 3113) state change from STOP to WAIT220
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x600069c60; line 16 01 (connection #0)
< 220 Hello.
> USER xxxx
* FTP 0x60006fe40 (line 801) state change from WAIT220 to USER
< 331 Please specify the password.
> PASS xxxxxxxxxxxx
* FTP 0x60006fe40 (line 2541) state change from USER to PASS
 0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0
< 530 Login incorrect.
* Access denied: 530
* multi_done
* Marked for [closure]: FTP ended with bad error code
 0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0
* Closing connection 0
* The cache now contains 0 members
curl: (67) Access denied: 530

憑據是已知且正確的。

在伺服器啟用 SELinux 的情況下,SELinux 可能會成為懷疑對象。在這種情況下,舊伺服器和新伺服器都安裝了 SELinux,但舊伺服器沒有強制執行。

在這種情況下,如下圖所示,在配置空間中定位 .crt 和 .key 文件似乎httpd導致了一個問題:

$ sudo audit2allow -w -a
...
type=AVC msg=audit(1532728647.463:74431): avc:  denied  { getattr } for pid=48253 comm="vsftpd" path="/etc/httpd/conf/ssl/vsftpd.crt" dev="dm-2" ino=6687286 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file

       Was caused by:
       The boolean ftpd_full_access was set incorrectly.
       Description:
       Allow ftpd to full access

       Allow access by executing:
       # setsebool -P ftpd_full_access 1
...

不幸的是,在這種情況下,雖然建議很有用,但還不夠。

$ sudo setsebool -P ftpd_full_access 1

失敗繼續,並audit2allow顯示問題,但沒有關於執行特定命令的建議。

$ sudo audit2allow -w -a
...
type=AVC msg=audit(1532728647.463:74431): avc:  denied  { getattr } for pid=48253 comm="vsftpd" path="/etc/httpd/conf/ssl/com_vsftpd.crt" dev="dm-2" no=6687286 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file

         Was caused by:
         Unknown - would be allowed by active policy
         Possible mismatch between this policy and the one under which
           the audit message was generated.

         Possible mismatch between current in-memory boolean settings
           vs. permanent ones.

這是通過以下方式解決的:

$ sudo semodule -R

引用自:https://serverfault.com/questions/924478