# Please help! VsFTPd with browsers works with user@ but...

## hunterhunter

I set up an ftp server using vsftpd. Everything's working fine except for one minor detail.

In my browsers, I type:

ftp://user@ftp.whatever.com

ftp://user@ip_address

They work, and I'm prompted for a password. Then I'm in.

but

When I try just this in the browser... "ftp.whatever.com" then it should prompt me for a user name and password, but it doesn't. It just says anonymous logins are not allowed. You do not have permission to access this directory.

What can I add, or remove from the vsftpd.conf file to resolve this issue??

Because users just want to type ftp.whatever.com and be prompted. It just confuses them when they have to put ftp://user@ftp.whatever.com... or even the ip address.

Please help!

Thanks!

----------

## sschlueter

This is not an issue with vsftpd. It's just the way some browsers work.

----------

## hunterhunter

We used to use proftpd and it would prompt for a user name and password with browsers. Even though anonymous logins were disabled the daemon at least sent back a login prompt.

You guys sure that I'm not missing anything??

I appreciate the help.

Many thanks.

----------

## sschlueter

I have just run a small test scenario:

Linux vsftpd 2.0, no anonymous logins allowed.

Windows Firefox 1.5 dns+ip: password prompt

Windows Internet Explorer 6 dns+ip: password prompt

Windows Opera 8.5 dns+ip: password prompt

Linux Konqueror 3.4 dns+ip: password prompt

----------

## hunterhunter

Did you type.

user@dns + ip

or just dns? I.E. "ftp.whatever.com"?

If you type only ftp.whatever.com in the address bar then you should get an error stating that anonymous logins are not allowed.

Try only the dns, no user names.

----------

## sschlueter

Ah, sorry for the confusion.

I have entered ftp://hostname.intern and ftp://192.168.1.1 into the browser's address bars. As I already said, all browsers showed a password prompt.

I have now run another test scenario, this time simply entering ftp.hostname.intern. (I had to add an entry to my local dns server, so that clients can resolve this name.)

Windows Firefox 1.5: password prompt

Windows Internet Explorer 6: password prompt

Windows Opera 8.5: password prompt

Linux Konqueror 3.4: password prompt

Again, all browsers show a password prompt.

Here is my vsftpd config file:

```
background=YES
listen=YES
tcp_wrappers=YES
max_clients=10
max_per_ip=10
write_enable=YES
anonymous_enable=NO
anon_mkdir_write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_umask=022
local_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
connect_from_port_20=YES
xferlog_enable=YES
text_userdb_names=YES
```

Normally, this server is used to allow both anonymous and non-anonymous logins. So I changed the line anonymous_enable=YES to anonymous_enable=NO during the test.

----------

## truc

He'd like his users to be "user prompted" rather than password prompted, not only password, if I understood him right. I'd like to know too, how this can be achieved!

----------

## sschlueter

Sorry for the confusion (part 2)

Of course it's a user and password prompt.

----------

## sschlueter

I think I have figured this out.

If the FTP server does not allow anonymous logins, there are two different ways it can treat clients that try to login as user anonymous:

Either

```
220 (vsFTPd 2.0.3)
USER anonymous
331 Please specify the password.
PASS mozilla@example.com
530 Login incorrect.
```

or

```
220 xxxx FTP server ready.
USER anonymous
530 Guest login not allowed on this machine.
```

All browsers that I have tested show a user+password prompt in the first case. Only Opera and Konqueror show a user+password prompt in the second case. Firefox and Internet Explorer just show an error message.

@hunterhunter Which version of vsftpd are you using?
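The two exchanges above differ only in where the 530 arrives. The following is an added example, not part of the original post: it classifies a recorded control-channel transcript by that point of refusal. The function names and result labels are made up for illustration, and `probe()` (which needs network access) records the same exchange from a server you administer.

```python
import ftplib
import re

FINAL_REPLY = re.compile(r"^(\d{3}) ")  # "220-..." continuation lines do not match

def classify_anonymous_probe(lines):
    """Classify a control-channel transcript (commands and replies, in order)."""
    last_cmd = None
    for line in (l.strip() for l in lines):
        m = FINAL_REPLY.match(line)
        if not m:
            verb = line.split(" ", 1)[0].upper()
            if verb in ("USER", "PASS"):
                last_cmd = verb
            continue
        code = m.group(1)
        if code == "230" and last_cmd:
            return "anonymous-allowed"
        if code == "530" and last_cmd == "USER":
            return "denied-at-user"         # thread: Firefox and IE show only an error
        if code == "530" and last_cmd == "PASS":
            return "denied-after-password"  # thread: every tested browser prompts
    return "inconclusive"

def probe(host, port=21, timeout=5.0):
    """Record the same exchange from a server you administer (needs network)."""
    ftp, lines = ftplib.FTP(), []
    try:
        lines += ftp.connect(host, port, timeout).splitlines()
        for cmd in ("USER anonymous", "PASS probe@example.invalid"):
            lines.append(cmd)
            try:
                reply = ftp.sendcmd(cmd)
            except ftplib.Error as exc:     # 4xx/5xx replies are raised by ftplib
                reply = str(exc)
            lines += reply.splitlines()
            if not reply.startswith("3"):
                break
    finally:
        ftp.close()
    return lines

# Both transcripts are the ones quoted in the post above.
PROMPT_THEN_DENY = ["220 (vsFTPd 2.0.3)", "USER anonymous",
                    "331 Please specify the password.",
                    "PASS mozilla@example.com", "530 Login incorrect."]
DENY_AT_USER = ["220 xxxx FTP server ready.", "USER anonymous",
                "530 Guest login not allowed on this machine."]
```
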

----------

## hunterhunter

The newest version.

2.0.4

Thanks for the help by the way!

----------

## hunterhunter

You see what I mean now? I need I.E. and Firefox to be sent the uid/password box  :Sad: 

I also emailed the author of vsftpd. I'm probably not going to get a response though.

Thanks again for trying.

----------

## truc

 *hunterhunter wrote:*   

> You see what I mean now? I need I.E. and Firefox to be sent the uid/password box 
> 
> I also emailed the author of vsftpd. I'm probably not going to get a response though.
> 
> Thanks again for trying.

 

Tell us if there is anything new! :Smile: 

----------

## sschlueter

Well, this should be fairly simple now.

Make sure the file /etc/vsftpd/vsftpd.conf contains the following three lines:

```
anonymous_enable=NO
userlist_enable=YES
userlist_deny=NO
```

And make sure the file /etc/vsftpd/user_list contains the following two lines:

```
ftp
anonymous
```

These names must not be listed in the file /etc/vsftpd/ftpusers.

After restarting vsftpd you should get a login+password prompt just like I do.

And in order to make the non-anonymous logins work, their login names must be added to user_list as well.

This way your clients will get a password prompt when they try to login anonymously because the users ftp and anonymous are listed in user_list. They are still being denied because anonymous logins are disabled in vsftpd.conf.

----------

## hunterhunter

Didn't work.

I've tried these things in all sorts of combinations.

Nothing...

In your reply you also specified two user files. I only have one user file.

Thanks

----------

## hunterhunter

Here's my config. I changed everything back after what you told me didn't work.

I don't know what else to do???

```
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=077
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
#chown_uploads=YES
#chown_username=whoever
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
idle_session_timeout=120
data_connection_timeout=180
nopriv_user=nobody
async_abor_enable=YES
#ascii_upload_enable=YES
ascii_download_enable=NO
ftpd_banner=Welcome to Our FTP service!
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
ls_recurse_enable=NO
chroot_local_user=YES
check_shell=NO
#rsa_cert_file=/usr/local/etc/vsftpd.pem
#force_local_logins_ssl=YES
#force_local_data_ssl=YES
pasv_enable=YES
pasv_min_port=65000
pasv_max_port=65025
#SSL Section
#ssl_enable=YES
#ssl_sslv2=YES
#ssl_sslv3=YES
#ssl_tlsv1=YES
listen_address=64.*.*.* <- removed this for obvious reasons... (pretend there's an ip here)
listen_port=21
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/userlist_secure
listen=NO
```

I tried changing anonymous_enable to YES, then added the user anonymous in the /etc/userlist_secure file.

Nothing... perhaps it's one of my configuration options that's affecting it somehow...

Thanks again!

----------

## sschlueter

I've noticed that you have set listen=NO in your vsftpd.conf

Can you paste the output of 

```
# netstat -tlpn | grep :21
```

?

----------

## hunterhunter

```
tcp        0      0 64.*.*.*:21              0.0.0.0:*                   LISTEN      5694/xinetd
```

Obviously I had to edit the IP  :Smile: 

It's running with xinetd so I had to turn listen to NO

Thanks.

----------

## sschlueter

Can you paste the output of 

```
# cat /etc/xinetd.d/vsftpd
```

?

----------

## hunterhunter

```
# vsftpd is the secure FTP server.
service ftp
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/local/sbin/vsftpd
        server_args     = /etc/vsftpd_secure.conf
        per_source      = 5
        instances       = 200
        no_access       = 192.168.1.100
        banner_fail     = /etc/vsftpd.busy_banner
        log_on_success  += PID HOST DURATION
        log_on_failure  += HOST
        bind            = 64.*.*.* <-- again, edited for obvious reasons
}
```

BTW, I really appreciate your help.

Thanks again.

----------

## sschlueter

So I guess you have manually compiled and installed vsftpd and not used the ebuild?

And the config file that you have posted is the content of /etc/vsftpd_secure.conf ?

Can you paste the output of 

```
# cat /etc/userlist_secure | egrep 'anonymous|ftp'
```

And can you log the traffic between vsftpd and your ftp client and paste it here? You can use ethereal for that.

Can you paste the output of 

```
# tail /var/log/vsftpd.log 
```

?

----------

## hunterhunter

Yes

&

Yes

```
cat /etc/userlist_secure | egrep 'anonymous|ftp'
```

No output.

```
[root@host etc]# tail /var/log/vsftpd.log
Mon Apr 10 11:57:46 2006 [pid 5564] CONNECT: Client "192.168.1.149"
Mon Apr 10 11:58:38 2006 [pid 5584] CONNECT: Client "192.168.1.149"
Mon Apr 10 11:58:38 2006 [pid 5586] CONNECT: Client "192.168.1.149"
Mon Apr 10 11:59:20 2006 [pid 5605] CONNECT: Client "192.168.1.149"
Mon Apr 10 11:59:20 2006 [pid 5604] [ftp] OK LOGIN: Client "192.168.1.149", anon password "IEUser@"
Mon Apr 10 12:00:20 2006 [pid 5629] CONNECT: Client "192.168.1.149"
Mon Apr 10 12:00:20 2006 [pid 5631] CONNECT: Client "192.168.1.149"
Mon Apr 10 12:01:26 2006 [pid 5678] CONNECT: Client "192.168.1.149"
Mon Apr 10 12:01:26 2006 [pid 5680] CONNECT: Client "192.168.1.149"
Mon Apr 10 12:01:52 2006 [pid 5697] CONNECT: Client "192.168.1.149"
```

As for using Ethereal. I'd have to read about it. I have never used it.

Thanks again.

Also, how do you guys use that "code" area. I tried <code> </code>...

Thanks

----------

## sschlueter

 *hunterhunter wrote:*   

> 
> 
> cat /etc/userlist_secure | egrep 'anonymous|ftp'
> 
> No output.
> ...

 

This file should contain the lines

```
anonymous
ftp
```

 *hunterhunter wrote:*   

> 
> 
> As for using Ethereal. I'd have to read about it. I have never used it.
> 
> 

 

You can run the command

```
tethereal -p -i eth0 -n port 21
```

as root. Please paste the output of an anonymous session started by a browser.

 *hunterhunter wrote:*   

> 
> 
> Also, how do you guys use that "code" area. I tried <code> </code>...
> 
> Thanks

 

You have to use square brackets.

----------

## hunterhunter

I put anonymous and ftp in that file when I tested it. Once I found out that it wasn't working I promptly removed them so that I wouldn't forget.

They were in there though.

ethereal isn't installed and I doubt my boss wants me to install it...

Are you certain that you didn't do something special to get this working on your box??

When I add the user anonymous then the daemon still returns "anonymous not allowed".

When I turn anonymous on and add the user anonymous to the config file then it comes back with "permission denied" because the user anonymous isn't a user on the system. I added anonymous as a user and it just automatically logged me into anonymous' directory, because that's what the browser wanted.

GRRR!!

Thanks for all the help. I really appreciate it.

```

Testing 12 12.

```

----------

## sschlueter

 *hunterhunter wrote:*   

> 
> 
> When I add the user anonymous then the daemon still returns "anonymous not allowed".
> 
> When I turn anonymous on and add the user anonymous to the config file then it comes back with "permission denied" because the user anonymous isn't a user on the system. I added anonymous as a user and it just automatically logged me into anonymous' directory, because that's what the browser wanted.
> ...

 

Can you paste the output of 

```
# cat /etc/passwd | egrep 'anonymous|ftp'
```

 

A user 'anonymous' should not exist. (I have no idea what happens when a user 'anonymous' exists, but let's say such a user should not exist.) But there must be a user 'ftp'. The user should have an existing home directory and an invalid shell like /bin/false. There should exist a group ftp as well. When I run the command above I get:

```
ftp:x:21:21::/home/ftp:/bin/false
```

So, make sure you have a user 'ftp' and a corresponding group and no user 'anonymous'.

Now run the following tests:

test 1

------

anonymous_enable=YES

userlist_enable=NO

==> anonymous logins work

(The content of the userlist file is not important, so anonymous logins work because they are globally enabled.)

test 2

------

anonymous_enable=YES

userlist_enable=YES

userlist_deny=NO

users ftp and anonymous not in userlist_file

==> "Permission denied"

(The content of the userlist file is important, and the FTP server does not even prompt for a password when the given username is not in the userlist file. It doesn't matter if anonymous logins are enabled globally or not. So test 3 is just the same.)

test 3

------

anonymous_enable=NO

userlist_enable=YES

userlist_deny=NO

users ftp and anonymous not in userlist_file

==> "Permission denied"

(See above.)

test 4

------

anonymous_enable=YES

userlist_enable=YES

userlist_deny=NO

users ftp and anonymous are in userlist_file

==> anonymous logins work

(The server issues a password prompt since the given user is in the userlist file. Anonymous logins work because they are globally enabled.)

test 5

------

anonymous_enable=NO

userlist_enable=YES

userlist_deny=NO

users ftp and anonymous are in userlist_file

==> "Login incorrect".

(The server issues a password prompt since the given user is in the userlist file. Anonymous logins still don't work because they are globally disabled.)

Tataaaa. Browsers show a user and password prompt in this case.   :Smile: 
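The five tests above reduce to a small decision procedure over `anonymous_enable`, `userlist_enable`, `userlist_deny` and the userlist contents. The following is an added example, not code from the post or from vsftpd: it models only the vsftpd 2.0.3 outcomes reported in those tests and also lists `anon_*` write options left at YES while anonymous logins are off, as in the config posted earlier in the thread. All function names and the userlist contents are assumptions.

```python
ANON_NAMES = {"ftp", "anonymous"}
ANON_WRITE_KEYS = ("anon_mkdir_write_enable", "anon_other_write_enable",
                   "anon_upload_enable")
UNTESTED = "not covered by the thread's tests"

def parse_conf(text):
    """Parse vsftpd.conf text: key=value lines, '#' comment lines skipped."""
    conf = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def flag(conf, key, default):
    return conf.get(key, default).upper() == "YES"

def anonymous_outcome(conf, userlist):
    """Result of an anonymous login as reported for tests 1-5 (vsftpd 2.0.3)."""
    anon = flag(conf, "anonymous_enable", "YES")      # vsftpd default: YES
    if not flag(conf, "userlist_enable", "NO"):       # vsftpd default: NO
        return "anonymous logins work" if anon else UNTESTED
    listed = ANON_NAMES & set(userlist)
    if flag(conf, "userlist_deny", "YES") or 0 < len(listed) < len(ANON_NAMES):
        return UNTESTED
    if not listed:
        return "Permission denied"     # refused before any password prompt
    return "anonymous logins work" if anon else "Login incorrect"

def dormant_anon_writes(conf):
    """anon_* write options left at YES while anonymous_enable=NO."""
    if flag(conf, "anonymous_enable", "YES"):
        return []
    return [k for k in ANON_WRITE_KEYS if flag(conf, k, "NO")]

# Excerpt of the vsftpd.conf sschlueter posted earlier in the thread.
POSTED_CONF = parse_conf("""
write_enable=YES
anonymous_enable=NO
anon_mkdir_write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
userlist_enable=YES
userlist_deny=NO
""")
# Assumed userlist contents (the two names the workaround adds).
WORKAROUND_USERLIST = ["ftp", "anonymous"]
```

With `ftp` and `anonymous` in the userlist, `anonymous_enable=NO` is the only setting between an anonymous client and whatever `dormant_anon_writes` returns.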

----------

## hunterhunter

No matter what I do I get either 530 permission denied, or anonymous logins are not allowed.

It never prompts me with a password, let alone a uid box.

If I enable anonymous, and put anonymous in the user list then it lets me right in.

I do have a user ftp, with /sbin/nologin as shell; /var/ftp is the home.

When I do that test #5 it says anonymous logins are not allowed on this server. I click Ok. Then it just sits there.

I can select file>login as

Then user anonymous and the password.

This, however, is manually accomplished and I'm not prompted.

I guess we're back at square 1.

Thanks for all your effort though. I appreciate it a lot.

----------

## sschlueter

I have just upgraded vsftpd from 2.0.3 to 2.0.4 and this anonymous-logins-not-allowed-but-still-password-prompt thingy doesn't work anymore   :Exclamation: 

Stay tuned, I'll try to figure out another solution   :Wink: 

----------

## sschlueter

It seems to me that it really doesn't work anymore.

The Changelog also indicates that the author has changed the behaviour of vsftpd in this respect from version 2.0.3 to 2.0.4. See ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.4/Changelog

 *Quote:*   

> Add explicit "This FTP server does not allow anonymous logins" message.

 

As far as I can see, you have three options:

1. Use vsftpd 2.0.3

2. Use a different ftpd.

3. Tell your users they should bookmark the service as ftp://user@...

----------

## diilbert

I know someone having this problem (the one listed in your first post). And upgrading to 2.0.3 does not fix it. What setting do you need to set to avoid this issue?

Thanks,

diilbert

----------

