Author Topic: Do not understand how the directive AllowEmptyPasswords works

Offline Jocko

  • Regular User
  • Alternative firmware for Lacie NWSP, ISP and Philips SPD8020
Hi

I think I have an unexpected behaviour with the directive AllowEmptyPasswords.

Currently we use
Code:
root@Acrab:/ # proftpd -v
ProFTPD Version 1.3.6
At global level we added these directives
Code:
#password settings
AllowEmptyPasswords off
MaxPasswordSize 64
as we do not allow user accounts without a password.

With the FTP protocol there is no issue and the login is successful.

But with the SFTP protocol we can never log in:
Code:
2017-07-10 18:51:50,687 mod_sftp/1.0.0[18415]: sent server version 'SSH-2.0-FTP Server ready'
2017-07-10 18:51:50,693 mod_sftp/1.0.0[18415]: received client version 'SSH-2.0-PuTTY_Local:_Jun__2_2017_19:08:37'
2017-07-10 18:51:50,693 mod_sftp/1.0.0[18415]: handling connection from SSH2 client 'PuTTY_Local:_Jun__2_2017_19:08:37'
2017-07-10 18:51:50,728 mod_sftp/1.0.0[18415]:  + Session key exchange: ecdh-sha2-nistp256
2017-07-10 18:51:50,728 mod_sftp/1.0.0[18415]:  + Session server hostkey: ssh-rsa
2017-07-10 18:51:50,728 mod_sftp/1.0.0[18415]:  + Session client-to-server encryption: aes256-ctr
2017-07-10 18:51:50,728 mod_sftp/1.0.0[18415]:  + Session server-to-client encryption: aes256-ctr
2017-07-10 18:51:50,729 mod_sftp/1.0.0[18415]:  + Session client-to-server MAC: hmac-sha2-256
2017-07-10 18:51:50,729 mod_sftp/1.0.0[18415]:  + Session server-to-client MAC: hmac-sha2-256
2017-07-10 18:51:50,729 mod_sftp/1.0.0[18415]:  + Session client-to-server compression: none
2017-07-10 18:51:50,730 mod_sftp/1.0.0[18415]:  + Session server-to-client compression: none
2017-07-10 18:51:50,848 mod_sftp/1.0.0[18415]: sending acceptable userauth methods: password
2017-07-10 18:51:50,856 Acrab.local proftpd[18415] 192.168.1.99 (192.168.1.13[192.168.1.13]): Refusing empty password from user 'Jocko'
2017-07-10 18:51:50,880 mod_sftp/1.0.0[18415]: authentication request for user 'Jocko' blocked by 'PASS' handler
2017-07-10 18:51:50,880 Acrab.local proftpd[18415] 192.168.1.99 (192.168.1.13[192.168.1.13]): USER Jocko (Login failed): blocked by 'PASS' handler
2017-07-10 18:51:50,881 mod_sftp/1.0.0[18415]: no more auth methods available, disconnecting
2017-07-10 18:51:50,881 mod_sftp/1.0.0[18415]: disconnecting 192.168.1.13 (No other authentication mechanisms available)
Same behaviour with the FileZilla or WinSCP clients.

But if we restore the default value
Code:
AllowEmptyPasswords on
we can log in:
Code:
2017-07-10 18:45:15,703 mod_sftp/1.0.0[18239]: sent server version 'SSH-2.0-FTP Server ready'
2017-07-10 18:45:15,706 mod_sftp/1.0.0[18239]: received client version 'SSH-2.0-WinSCP_release_5.10'
2017-07-10 18:45:15,707 mod_sftp/1.0.0[18239]: handling connection from SSH2 client 'WinSCP_release_5.10'
2017-07-10 18:45:15,728 mod_sftp/1.0.0[18239]:  + Session key exchange: ecdh-sha2-nistp256
2017-07-10 18:45:15,728 mod_sftp/1.0.0[18239]:  + Session server hostkey: ssh-rsa
2017-07-10 18:45:15,729 mod_sftp/1.0.0[18239]:  + Session client-to-server encryption: aes256-ctr
2017-07-10 18:45:15,729 mod_sftp/1.0.0[18239]:  + Session server-to-client encryption: aes256-ctr
2017-07-10 18:45:15,729 mod_sftp/1.0.0[18239]:  + Session client-to-server MAC: hmac-sha2-256
2017-07-10 18:45:15,730 mod_sftp/1.0.0[18239]:  + Session server-to-client MAC: hmac-sha2-256
2017-07-10 18:45:15,730 mod_sftp/1.0.0[18239]:  + Session client-to-server compression: none
2017-07-10 18:45:15,730 mod_sftp/1.0.0[18239]:  + Session server-to-client compression: none
2017-07-10 18:45:15,897 mod_sftp/1.0.0[18239]: sending acceptable userauth methods: password
2017-07-10 18:45:17,348 mod_sftp/1.0.0[18239]: sending userauth success
The basic config on the SFTP server is
Code:
# enabling mod_sftp
<IfModule mod_sftp.c>
  <VirtualHost 192.168.1.99>
    SFTPEngine on
    SFTPLog /tmp/var/log/proftpd/proftpd.log

    # Configure the server to listen on the normal SSH2 port,
    Port 8022

    # Configure both the RSA and DSA host keys, using the same host key
    # files that dropbear uses.
    SFTPHostKey /rw_fs/etc/dropbear/dropbear_rsa_host_key_openssh
    #SFTPHostKey /etc/ssh_host_dsa_key

    # use UTF8 for all SFTP protocol versions and all clients.
    SFTPClientMatch .* sftpUTF8ProtocolVersion 3

    SFTPClientMatch ".*WS_FTP.*" channelWindowSize 1GB
    SFTPClientMatch ".*ClientSftp" sftpUTF8ProtocolVersion 3
    SFTPClientMatch CoreFTP channelWindowSize 1GB
    SFTPClientMatch ".*SecureBlackbox.*" sftpUTF8ProtocolVersion 3
    SFTPClientMatch "1.0" sftpUTF8ProtocolVersion 3 channelWindowSize 1GB
    SFTPClientMatch ".*J2SSH_Maverick.*" channelWindowSize 1GB
    SFTPClientMatch ".*WeOnlyDo.*" sftpUTF8ProtocolVersion 3 channelWindowSize 1GB
    SFTPClientMatch ".*EldoS.SSHBlackbox.3.*" sftpUTF8ProtocolVersion 3 channelWindowSize 1GB
    SFTPClientMatch ".*IP.Works.*" channelWindowSize 1GB
    SFTPClientMatch "SecureFX.*" sftpUTF8ProtocolVersion 3
    SFTPClientMatch ".*Sun_SSH.*" channelWindowSize 1GB
    SFTPClientMatch ".*XFB.Gateway Unix.*" channelWindowSize 1GB
    SFTPClientMatch ".*SharpSSH.*" channelWindowSize 256MB
    SFTPClientMatch "1.30" channelWindowSize 256MB channelPacketSize 16KB

    # Fix channel size for Axway SFTP clients, which cannot support the normal 4GB channel
    SFTPClientMatch .*Axway channelWindowSize 1GB

    # JSch - Java Secure Channel (SSH-2.0-JSCH-0.1.39)
    SFTPClientMatch "JSCH.*" channelWindowSize 1GB

    # Fix for FireFTP SFTP clients
    SFTPOptions PessimisticKexinit IgnoreSCPUploadPerms IgnoreSCPUploadTimes IgnoreFIFOs

    # Allow the same number of authentication attempts as Dropbear.
    MaxLoginAttempts 5

    # Path of a file which will be sent to the client prior to authentication
    SFTPDisplayBanner /etc/sftp_msg

    # Allow site commands on sftp server
    <Limit SITE_CHMOD SITE_CHGRP SYMLINK>
      AllowAll
    </Limit>

    SFTPExtensions +checkFile +copyFile +fsync +versionSelect +posixRename +spaceAvailable +statvfs

    RootRevoke off

  </VirtualHost>
</IfModule>
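As an added example (not the poster's or the ProFTPD project's code): a small audit script that parses a ProFTPD-style configuration with the nesting used in the post above and reports the effective AllowEmptyPasswords value per server, so a hardened "off" can be verified rather than assumed. It takes the default as "on" (the value the thread restores) and assumes a <Global> setting applies to every server unless the server sets its own; the sample configuration is constructed.

```python
import re
# Constructed sample in the shape of the thread's config (not the poster's full file).
SAMPLE_CONF = """\
<Global>
  AllowEmptyPasswords off
</Global>
<IfModule mod_sftp.c>
  <VirtualHost 192.168.1.99>
    SFTPEngine on
    <Limit SITE_CHMOD SITE_CHGRP SYMLINK>
      AllowAll
    </Limit>
  </VirtualHost>
</IfModule>
"""

OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE_RE = re.compile(r"^</\w+>$")

def parse_contexts(conf):
    """Map 'server config' / 'Global' / 'VirtualHost <addr>' -> {directive: value}.
    <IfModule> and <Limit> are transparent: their contents stay in the enclosing context."""
    contexts = {"server config": {}}
    stack = ["server config"]
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if CLOSE_RE.match(line):
            stack.pop()
            continue
        m = OPEN_RE.match(line)
        if m:
            name, arg = m.group(1).lower(), m.group(2).strip()
            ctx = {"global": "Global", "virtualhost": f"VirtualHost {arg}"}.get(name, stack[-1])
            contexts.setdefault(ctx, {})
            stack.append(ctx)
            continue
        key, _, value = line.partition(" ")
        contexts[stack[-1]][key.lower()] = value.strip()
    return contexts

def effective_empty_passwords(conf):
    """Effective AllowEmptyPasswords per server: default 'on'; a <Global> value is
    assumed to apply to every server unless that server sets its own value."""
    ctxs = parse_contexts(conf)
    glob = ctxs.get("Global", {}).get("allowemptypasswords")
    return {name: d.get("allowemptypasswords", glob or "on")
            for name, d in ctxs.items() if name != "Global"}

if __name__ == "__main__":
    for server, value in effective_empty_passwords(SAMPLE_CONF).items():
        flag = "OK" if value == "off" else "WEAK (empty passwords accepted)"
        print(f"{server}: AllowEmptyPasswords {value} -> {flag}")
```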

Offline Jocko

  • Regular User
  • Alternative firmware for Lacie NWSP, ISP and Philips SPD8020
Re: Do not understand how the directive AllowEmptyPasswords works
« Reply #1 on: July 12, 2017, 07:31:59 am »
Please, can someone confirm to me that this is not the expected behaviour of the AllowEmptyPasswords directive in the sftp module?

Thanks in advance

Offline castaglia

  • Administrator
  • Support Hero
  • http://www.castaglia.org/
Re: Do not understand how the directive AllowEmptyPasswords works
« Reply #2 on: July 12, 2017, 02:56:55 pm »
I've seen this post, but haven't had time yet to reproduce the issue locally...

Offline Jocko

  • Regular User
  • Alternative firmware for Lacie NWSP, ISP and Philips SPD8020
Re: Do not understand how the directive AllowEmptyPasswords works
« Reply #3 on: July 12, 2017, 05:09:04 pm »
Sorry for my last post; I was not sure if my post had been noticed.

In addition, the trace log on an authentication failure:
Code:
2017-07-10 19:12:19,985 [19134] <ssh2:10>: 'ssh-userauth' service requested
2017-07-10 19:12:19,986 [19134] <ssh2:19>: waiting for max of 600 secs while polling socket 1 for writing using select(2)
2017-07-10 19:12:19,987 [19134] <ssh2:3>: sent SSH_MSG_SERVICE_ACCEPT (6) packet (64 bytes)
2017-07-10 19:12:19,987 [19134] <ssh2:19>: waiting for max of 600 secs while polling socket 0 for reading using select(2)
2017-07-10 19:12:19,992 [19134] <ssh2:20>: SSH2 packet len = 44 bytes
2017-07-10 19:12:19,993 [19134] <ssh2:20>: SSH2 packet padding len = 7 bytes
2017-07-10 19:12:19,994 [19134] <ssh2:20>: SSH2 packet payload len = 36 bytes
2017-07-10 19:12:19,995 [19134] <ssh2:19>: waiting for max of 600 secs while polling socket 0 for reading using select(2)
2017-07-10 19:12:20,002 [19134] <ssh2:20>: SSH2 packet MAC len = 32 bytes
2017-07-10 19:12:20,002 [19134] <ssh2:19>: waiting for max of 600 secs while polling socket 0 for reading using select(2)
2017-07-10 19:12:20,002 [19134] <ssh2:3>: received SSH_MSG_USER_AUTH_REQUEST (50) packet
2017-07-10 19:12:20,003 [19134] <ssh2:3>: sending userauth banner from SFTPDisplayBanner file '/etc/sftp_msg'
2017-07-10 19:12:20,004 [19134] <ssh2:19>: waiting for max of 600 secs while polling socket 1 for writing using select(2)
2017-07-10 19:12:20,004 [19134] <ssh2:3>: sent SSH_MSG_USER_AUTH_BANNER (53) packet (112 bytes)
2017-07-10 19:12:20,005 [19134] <ssh2:10>: auth requested for user 'Jocko', service 'ssh-connection', using method 'none'
2017-07-10 19:12:20,005 [19134] <ssh2:9>: no SFTPAuthorizedUserKeys configured, not offering 'publickey' authentication
2017-07-10 19:12:20,005 [19134] <ssh2:9>: no SFTPAuthorizedHostKeys configured, not offering 'hostbased' authentication
2017-07-10 19:12:20,005 [19134] <ssh2:9>: no kbdint drivers present, not offering 'keyboard-interactive' authentication
2017-07-10 19:12:20,005 [19134] <ssh2:9>: offering authentication methods: password
2017-07-10 19:12:20,006 [19134] <ssh2:19>: waiting for max of 600 secs while polling socket 1 for writing using select(2)
2017-07-10 19:12:20,006 [19134] <ssh2:3>: sent SSH_MSG_USER_AUTH_FAILURE (51) packet (64 bytes)
2017-07-10 19:12:20,007 [19134] <ssh2:19>: waiting for max of 600 secs while polling socket 0 for reading using select(2)
2017-07-10 19:12:20,007 [19134] <ssh2:20>: SSH2 packet len = 76 bytes
2017-07-10 19:12:20,008 [19134] <ssh2:20>: SSH2 packet padding len = 17 bytes
2017-07-10 19:12:20,008 [19134] <ssh2:20>: SSH2 packet payload len = 58 bytes
2017-07-10 19:12:20,008 [19134] <ssh2:19>: waiting for max of 600 secs while polling socket 0 for reading using select(2)
2017-07-10 19:12:20,008 [19134] <ssh2:20>: SSH2 packet MAC len = 32 bytes
2017-07-10 19:12:20,008 [19134] <ssh2:19>: waiting for max of 600 secs while polling socket 0 for reading using select(2)
2017-07-10 19:12:20,008 [19134] <ssh2:3>: received SSH_MSG_USER_AUTH_REQUEST (50) packet
2017-07-10 19:12:20,009 [19134] <ssh2:10>: auth requested for user 'Jocko', service 'ssh-connection', using method 'password'
2017-07-10 19:12:20,033 [19134] <ssh2:9>: disconnecting (No other authentication mechanisms available) [at auth.c:840]
2017-07-10 19:12:20,033 [19134] <ssh2:19>: waiting for max of 5 secs while polling socket 1 for writing using select(2)
2017-07-10 19:12:20,034 [19134] <ssh2:3>: sent SSH_MSG_DISCONNECT (1) packet (112 bytes)

Offline castaglia

  • Administrator
  • Support Hero
  • http://www.castaglia.org/
Re: Do not understand how the directive AllowEmptyPasswords works
« Reply #4 on: July 13, 2017, 06:13:25 am »
I've reproduced this behavior locally, and confirmed that it is a bug, for which I've filed this ticket:

  http://bugs.proftpd.org/show_bug.cgi?id=4309

I will have a patch (via GitHub pull request) shortly, which I'll mention in the above Bugzilla ticket.

Offline Jocko

  • Regular User
  • Alternative firmware for Lacie NWSP, ISP and Philips SPD8020
Re: Do not understand how the directive AllowEmptyPasswords works
« Reply #5 on: July 13, 2017, 09:30:24 am »
Thank you Castaglia.

So I will wait for the patch  :)

Offline castaglia

  • Administrator
  • Support Hero
  • http://www.castaglia.org/
Re: Do not understand how the directive AllowEmptyPasswords works
« Reply #6 on: July 13, 2017, 02:59:59 pm »
That ticket has been fixed; I merged the fix (link in the Bugzilla ticket) to the master branch on GitHub last night.

Offline Jocko

  • Regular User
  • Alternative firmware for Lacie NWSP, ISP and Philips SPD8020
Re: Do not understand how the directive AllowEmptyPasswords works
« Reply #7 on: July 15, 2017, 10:19:02 pm »
Ok,

I tested the version available on the master branch (1.3.7rc1) and the issue is fixed.

But with this version I had an issue with the directive "IdentLookUps":
Code:
2017-07-15 23:48:57,745 Acrab.local proftpd[1724]: fatal: unknown configuration directive 'IdentLookUps' on line 68 of '/etc/proftpd.conf'
It seems this directive is no longer available in version 1.3.7, which is confirmed by https://github.com/proftpd/proftpd/blob/4df05cd7de1c16731347c52f120daf07a81bc715/doc/modules/mod_core.html where the directive is not listed.

Offline castaglia

  • Administrator
  • Support Hero
  • http://www.castaglia.org/

Offline Jocko

  • Regular User
  • Alternative firmware for Lacie NWSP, ISP and Philips SPD8020
Re: Do not understand how the directive AllowEmptyPasswords works
« Reply #9 on: July 16, 2017, 08:53:08 am »
Thank you for this information.

So the IdentLookUps directive has been removed and replaced by a compile option.

Anyhow, we used this option only for very small platforms and it is not important that this configuration can no longer be managed on the user side.