linux
Sevastoporn, 2020-07-13 12:26:51

Why is vsftpd configured as FTPS not listing directories?

There is a vsftpd server with access via a certificate.
The connection to the server succeeds, but an error occurs when retrieving the directory listing.
Here is the actual config:

vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
syslog_enable=YES
xferlog_std_format=YES
vsftpd_log_file=/var/log/vsftpd.log
log_ftp_protocol=YES
chroot_local_user=YES
allow_writeable_chroot=YES
listen=YES
pam_service_name=vsftpd
tcp_wrappers=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=41000
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/cert/cert.pem
rsa_private_key_file=/etc/vsftpd/cert/privkey.pem


The connection to the server goes well, but the client does not receive a directory listing and disconnects.
How it looks in FileZilla:
FileZilla Log
Status: Connecting to 192.168.1.20:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (10,77,59,21,118,52).
Command: LIST
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing


How it looks in journalctl -xe:
journalctl -xe
CONNECT: Client "192.168.1.24"
FTP response: Client "192.168.1.24", "220 (vsFTPd 3.0.2)"
FTP command: Client "192.168.1.24", "AUTH TLS"
FTP response: Client "192.168.1.24", "234 Proceed with negotiation."
FTP command: Client "192.168.1.24", "USER ftpuser"
[ftpuser] FTP response: Client "192.168.1.24", "331 Please specify the password."
[ftpuser] FTP command: Client "192.168.1.24", "PASS "
[ftpuser] OK LOGIN: Client "192.168.1.24"
[ftpuser] FTP response: Client "192.168.1.24", "230 Login successful."
[ftpuser] FTP command: Client "192.168.1.24", "OPTS UTF8 ON"
[ftpuser] FTP response: Client "192.168.1.24", "200 Always in UTF8 mode."
[ftpuser] FTP command: Client "192.168.1.24", "PBSZ 0"
[ftpuser] FTP response: Client "192.168.1.24", "200 PBSZ set to 0."
[ftpuser] FTP command: Client "192.168.1.24", "PROT P"
[ftpuser] FTP response: Client "192.168.1.24", "200 PROT now Private."
[ftpuser] FTP command: Client "192.168.1.24", "PWD"
[ftpuser] FTP response: Client "192.168.1.24", "257 "/""
[ftpuser] FTP command: Client "192.168.1.24", "TYPE I"
[ftpuser] FTP response: Client "192.168.1.24", "200 Switching to Binary mode."
[ftpuser] FTP command: Client "192.168.1.24", "PASV"
[ftpuser] FTP response: Client "192.168.1.24", "227 Entering Passive Mode (10,77,59,21,119,159)."
[ftpuser] FTP command: Client "192.168.1.24", "LIST"
CONNECT: Client "192.168.1.24"
FTP response: Client "192.168.1.24", "220 (vsFTPd 3.0.2)"
FTP command: Client "192.168.1.24", "AUTH TLS"
FTP response: Client "192.168.1.24", "234 Proceed with negotiation."
FTP command: Client "192.168.1.24", "USER ftpuser"
[ftpuser] FTP response: Client "192.168.1.24", "331 Please specify the password."
[ftpuser] FTP command: Client "192.168.1.24", "PASS "
[ftpuser] OK LOGIN: Client "192.168.1.24"


If SSL is disabled, the client connects and gets the directory listing without any problem.
Ports 20-21 and 40000-41000 are open.

vsftpd 3.0.2
CentOS 7

There is one more little clue.
There is a line in the output showing that the client lands right in the root of the server:
FileZilla: Response: 257 "/"
Although the user's home directory is /data/ftp
passwd: ftpuser:x:1000:1000::/data/ftp:/sbin/nologin
/sbin/nologin is present in /etc/shells

But if the chroot_local_user and allow_writeable_chroot parameters are changed to NO, then it lands in the correct directory:
FileZilla: Response: 257 "/data/ftp"
But the main error does not go away.
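Added example, not part of the question and not vsftpd's own code: a small Python script that decodes the 227 PASV replies quoted in the logs above and checks them against the passive-mode settings from the posted vsftpd.conf. The point it demonstrates: in FTPS the 227 reply travels inside the TLS control channel, so neither a NAT router's FTP ALG nor the kernel's nf_conntrack_ftp helper can read or rewrite it, which is the usual reason a setup like this works with ssl_enable=NO and breaks with ssl_enable=YES. The address and port the server advertises must therefore be reachable by the client exactly as sent. The log lines and config fragment are constructed copies of what the question shows; the control-connection address 192.168.1.20 is the one FileZilla dialled.

```python
import re

# Constructed inputs for this example: the passive-mode lines from the posted
# vsftpd.conf, and the two 227 replies quoted in the FileZilla and journalctl logs.
VSFTPD_CONF = """\
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=41000
ssl_enable=YES
"""

LOG_LINES = [
    'Response: 227 Entering Passive Mode (10,77,59,21,118,52).',
    '[ftpuser] FTP response: Client "192.168.1.24", "227 Entering Passive Mode (10,77,59,21,119,159)."',
    '[ftpuser] FTP command: Client "192.168.1.24", "LIST"',  # no PASV reply, must be ignored
]

# Address the client actually connected to for the control channel (from the FileZilla log).
CONTROL_ADDR = "192.168.1.20"

# RFC 959 4.1.2: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; the data endpoint
# is h1.h2.h3.h4 and the port is p1*256 + p2.
PASV_RE = re.compile(r"227[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(line):
    """Return (ip, port) decoded from a 227 reply, or None if the line is not one."""
    m = PASV_RE.search(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # octets and port bytes are limited to 0..255
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_conf(text):
    """Minimal vsftpd.conf reader: key=value per line, '#' comments, no sections."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def check_pasv(line, control_addr, conf):
    """Check one 227 reply against what the client can actually reach.

    Returns (ip, port, problems); problems is empty when the endpoint looks usable.
    Returns None for lines that carry no PASV reply.
    """
    parsed = parse_pasv(line)
    if parsed is None:
        return None
    ip, port = parsed
    problems = []
    # vsftpd advertises the local address of the control socket unless pasv_address
    # is set. Behind NAT that is the private address, and with TLS no middlebox can
    # rewrite it on the way to the client.
    if ip != control_addr:
        problems.append(f"advertised {ip} but the client connected to {control_addr}")
    lo = int(conf.get("pasv_min_port", 0))
    hi = int(conf.get("pasv_max_port", 0))
    # vsftpd's default of 0/0 means "any free port", so only check a real range.
    if lo and hi and not (lo <= port <= hi):
        problems.append(f"port {port} is outside pasv_min_port..pasv_max_port {lo}-{hi}")
    return ip, port, problems


def audit(lines, control_addr, conf):
    """Run check_pasv over a log and keep only the replies that had problems."""
    findings = []
    for line in lines:
        result = check_pasv(line, control_addr, conf)
        if result is not None and result[2]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for ip, port, problems in audit(LOG_LINES, CONTROL_ADDR, parse_conf(VSFTPD_CONF)):
        print(f"PASV endpoint {ip}:{port}")
        for problem in problems:
            print("  -", problem)
```

Run with python3. On the quoted logs it reports that the server advertises 10.77.59.21 on port 30260 (and later 30623) while the client connected to 192.168.1.20 and the configured passive range is 40000-41000, so the data connection for LIST has nowhere reachable to go. The vsftpd knobs for this are pasv_address= (the address clients should connect back to) and pasv_min_port/pasv_max_port; with TLS the passive range also has to be opened explicitly in the firewall, since the conntrack helper can no longer open it per session. One separate caveat on the "/" clue: with chroot_local_user=YES the user's home directory becomes the root of the chroot, so PWD answering 257 "/" for a home of /data/ftp is the expected result, not a sign of landing in the real filesystem root.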
