- 01-31-2013 #11 Just Joined!
- Join Date
- Jan 2013
- Posts
- 61
Sorry, my eloquence sometimes fails.
I copied the contents of the vsftpd to the vsftpd-2 and did a rule-by-rule elimination attempt. In simple language, I did what you said you thought I did.
- 01-31-2013 #12 Linux Newbie
- Join Date
- Jun 2012
- Posts
- 100
Ok, time to dig deeper.
It seems the PAM file contains some include statements. Go to the other files and replace these include statements with the necessary sections (auth, password, session etc...), copied out of those files and into your vsftpd-2 file. If these sections contain new include statements, then repeat until all of them are gone. You might end up with a pretty big file but that's okay.
Then try doing the rule by rule thing again. It has to be PAM, since your connection hangs during authentication.
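The include expansion described in post #12, done mechanically. This is an added example, not code from the thread: `flatten` and `demo` are hypothetical names, the two sample files are constructed, and the script only reads files and returns the expanded rule lines.

```python
import os
import tempfile

def flatten(service, pam_dir="/etc/pam.d", only_type=None, _seen=()):
    """Return the rules of `service` with include/substack lines expanded.

    only_type keeps one management group (auth, account, password, session),
    which is how "auth include password-auth" pulls in only the auth rules.
    """
    if service in _seen:                       # a file that includes itself
        raise ValueError(f"include loop through {service}")
    rules = []
    with open(os.path.join(pam_dir, service)) as fh:
        for raw in fh:
            fields = raw.split()
            if len(fields) < 2 or fields[0].startswith("#"):
                continue
            if fields[0] == "@include":        # Debian form, pulls in all types
                rules += flatten(fields[1], pam_dir, only_type, _seen + (service,))
                continue
            ptype = fields[0].lstrip("-")      # "-" only silences missing-module logs
            if only_type and ptype != only_type:
                continue
            if fields[1] in ("include", "substack"):
                # Note: inlining a substack loses its scoping of done/die.
                rules += flatten(fields[2], pam_dir, ptype, _seen + (service,))
            else:
                rules.append(" ".join(fields))
    return rules

def demo():
    """Flatten a constructed two-file pam.d directory (sample data, not the poster's)."""
    files = {
        "vsftpd": "#%PAM-1.0\nauth required pam_shells.so\n"
                  "auth include password-auth\naccount include password-auth\n",
        "password-auth": "auth required pam_env.so\n"
                         "auth sufficient pam_unix.so nullok try_first_pass\n"
                         "auth required pam_deny.so\naccount required pam_unix.so\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        return flatten("vsftpd", d)

if __name__ == "__main__":
    print("\n".join(demo()))
```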
- 01-31-2013 #13 Just Joined!
- Join Date
- Jan 2013
- Posts
- 61
From what I can see, it is only the 1 file of password-auth. Am I looking at it correctly? The other files such as pam...., are not existent. Could that be the problem? Well, I did try bringing over the password-auth info and it changed nothing.
- 01-31-2013 #14 Linux Newbie
- Join Date
- Jun 2012
- Posts
- 100
Yes, it's only password-auth. I noticed just now since you mentioned it.
Bringing it over will not change PAM's behaviour at all. Could you post the password-auth file?
- 01-31-2013 #15 Just Joined!
- Join Date
- Jan 2013
- Posts
- 61
Sure, not a problem... here it is:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
- 01-31-2013 #16 Linux Newbie
- Join Date
- Jun 2012
- Posts
- 100
Wait, before we continue.
In post nr 9 you mentioned:
"ok, i attempted your suggestion and it did not work."
Does that mean that the authentication failed or that the FTP session keeps hanging again?
Are you sure you restarted the vsftpd service and made it point to vsftpd-2? If that is the case, then there is actually no point in going (much) further down this path. However (as a somewhat last resort), you might want to try the below vsftpd-2 to rule out pam_unix.so from doing icky things (NOTE: this will set your ftp server WIDE OPEN!):
Originally Posted by /etc/pam.d/vsftpd-2
- 01-31-2013 #17 Just Joined!
- Join Date
- Jan 2013
- Posts
- 61
I meant "it did not work" as in the step through of turning on and off, it failed authentication. Once it was back to the original way, it was back to the hanging.
I tried removing everything from the vsftpd-2 file and only put that auth command. I then restarted vsftp and I got a critical error of could not connect to the server. I then copied over the vsftpd file 1 command at a time and saved and restarted the vsftpd until it started working again. I then started the statement juggling and ended up with the same thing of that auth requisite pam_permit.so being commented out. I did do a little better organization this time when I brought over the commands.
- 02-01-2013 #18 Linux Newbie
- Join Date
- Jun 2012
- Posts
- 100
That's unexpected. One more shot:
Originally Posted by /etc/pam.d/vsftpd-2
Code:
su -c 'chown 0:0 /etc/pam.d/vsftpd-2'
su -c 'chmod 644 /etc/pam.d/vsftpd-2'
And then edit vsftpd.conf to contain 'pam_service_name=vsftpd-2' and finally restart vsftpd.
You should just automatically log in if you enter a valid user account. Any password should be accepted. Don't know what happens if you insert a nonexistent user account. Finally, disable anonymous logon if you don't need it.
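Why the permit-only debug stack from posts #16 and #18 accepts any password while password-auth does not, as an added example that is not part of the thread. It models only the four keyword controls, the per-module outcomes in `WRONG_PASSWORD` are assumptions, and `PERMIT_ONLY` is a constructed stand-in because the posted vsftpd-2 content is not on this page.

```python
import os

# auth section of password-auth as posted in post #15
PASSWORD_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
"""
# Constructed permit-only stack (the thread's own vsftpd-2 is not on this page)
PERMIT_ONLY = "auth required pam_permit.so\naccount required pam_permit.so\n"

# Assumed module results when the client sends a wrong password; modules
# not listed are assumed to pass, the cautious choice for a bypass check.
WRONG_PASSWORD = {"pam_unix.so": False, "pam_deny.so": False, "pam_permit.so": True}

def auth_rules(text):
    """Yield (control, module) for every auth rule in a flattened PAM file."""
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) >= 3 and fields[0].lstrip("-") == "auth":
            yield fields[1], os.path.basename(fields[2])

def auth_succeeds(text, results=WRONG_PASSWORD):
    """Walk the auth stack; True means PAM would report success to vsftpd."""
    failed = succeeded = False
    for control, module in auth_rules(text):
        ok = results.get(module, True)
        if control == "sufficient":
            if ok and not failed:
                return True               # stops here, later rules never run
        elif control == "requisite":
            if not ok:
                return False              # fails immediately
            succeeded = True
        elif control == "required":
            succeeded, failed = succeeded or ok, failed or not ok
        elif control == "optional":
            succeeded = succeeded or ok
        else:                             # [value=action] controls not modelled
            raise ValueError(f"unsupported control {control!r}")
    return succeeded and not failed
```

Running `auth_succeeds` over the flattened file a service actually uses shows whether a debug stack was left in place after troubleshooting.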
- 02-01-2013 #19 Just Joined!
- Join Date
- Jan 2013
- Posts
- 61
Well, I have completed the additions and it still hangs at the same place. Yes, I started the vsftpd service. There must be something with a time-out feature somewhere that needs to be met before the logon can continue. Is there anywhere that has such a time-out? I have no clue about the way PAM works.
Below is the result of the authconfig test; maybe this will shed some light.
[root@webforms administrator]# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is disabled
LDAP+TLS is disabled
LDAP server = ""
LDAP base DN = ""
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = ""
SMB servers = ""
SMB security = "user"
SMB realm = ""
Winbind template shell = "/bin/false"
SMB idmap uid = "16777216-33554431"
SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
nss_mdns4_minimal is enabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is sha512
pam_krb5 is disabled
krb5 realm = "#"
krb5 realm via dns is disabled
krb5 kdc = ""
krb5 kdc via dns is disabled
krb5 admin server = ""
pam_ldap is disabled
LDAP+TLS is disabled
LDAP server = ""
LDAP base DN = ""
LDAP schema = "rfc2307"
pam_pkcs11 is disabled
use only smartcard for login is disabled
smartcard module = "coolkey"
smartcard removal action = "Ignore"
pam_fprintd is enabled
pam_ecryptfs is disabled
pam_winbind is disabled
SMB workgroup = ""
SMB servers = ""
SMB security = "user"
SMB realm = ""
pam_sss is disabled by default
credential caching in SSSD is enabled
SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
IPAv2 domain was not joined
IPAv2 server = ""
IPAv2 realm = ""
IPAv2 domain = ""
pam_pwquality is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
[root@webforms administrator]#
Last edited by Herculeon; 02-01-2013 at 12:01 PM.
- 02-01-2013 #20 Linux Newbie
- Join Date
- Jun 2012
- Posts
- 100
To confirm: You did this with the 'new' and latest (4 line) vsftpd-2 file I provided? So, login works now but is still slow, right?


