Fixed: Upgrade to 12.5.x - FTP Login error 530

[Elompenta]

After Upgrading to Plesk 12.5.x some FTP Accounts doesnt work anymore

Nov  4 23:01:07 marge proftpd: pam_listfile(proftpd:auth): Couldn't open /etc/ftpusers
Nov  4 23:01:07 marge proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd6280 ruser=username rhost=1.2.3.4 user=username

The file /etc/ftpusers doesnt exist?
Is this a problem?

FileZilla Connect

Status:    Auflösen der IP-Adresse für xyz.de
Status:    Verbinde mit 1.2.3.4:21...
Status:    Initialisiere TLS...
Status:    Überprüfe Zertifikat...
Status:    TLS-Verbindung hergestellt.
Befehl:    USER username
Antwort:    331 Password required for username
Befehl:    PASS *******************
Antwort:    530 Login incorrect.
Fehler:    Kritischer Fehler: Herstellen der Verbindung zum Server fehlgeschlagen

- Create new FTP User in affected vhost diesnt help
- Reset Password doesnt help
- Check known KB entry doesnt help (http://kb.odin.com/4647)
- Service restart doesnt help

Do you have any idea?

 

[Bitpalast]

Have you verified that your domain resolves to the IP address of the server? Maybe you are trying to connect to a different server, especially as a subdomain is involved?

Else all possible failure reasons are given in kb.odin.com/4647 . It must either be a wrong user name, wrong password or wrong file/directory permissions (or owner). If other accounts on the same machine can be accessed, it is impossible that when working through the 4647 notes it won't work for your account.

 

[Elompenta]

Maybe you are trying to connect to a different server

No - I've attached a logfile from the login

kb.odin.com/4647

Already checked - this is not the Problem

It must either be a wrong user name, wrong password or wrong file/directory permissions (or owner)

I dont think so, reset user or pass - or create a new User doesnt help
-> Login via SSH Key - not pasword - works fine.
-> No Password logins are possible on the affected vhosts.

 

[Bitpalast]

You must be overlooking something, as it is technically impossible that ProFTPd connects to one user but not another when your user and file permissions are correct. It's actually very simple, so you may want to go through the KB article once again. I don't think this is a complicated issue. It will rather be something like pasting an additional space to the password or user name box in your FTP software or one tiny missing file permission on the user directory. ProFTPd serves everything equally, using the same authentication mechanisms on your host. if one account works, all the others will also work (unless permissions or user settings are wrong on the system).

Can you post or pm-send
a) the exact, original line from /etc/passwd where the user is defined that you are trying to login with
b) the result of
# mysql -uadmin -p`cat /etc/psa/.psa.shadow ` psa -e 'select home from sys_users where login="username"'
(with username replaced by your "real" username you are trying to login with)
c) the result of
ls -lad /var/www/vhosts/domain.com
with "domain.com" replaced by the domain you are trying to login to?
d) the IP address your connect is resolving to OR the original log excerpt from your FileZilla log

 

[Elompenta]

Sorry! i missed one information.
The affected vhost are chrotted-environments

I hope this helps - i will test your steps

 

[Elompenta]

a) the exact, original line from /etc/passwd where the user is defined that you are trying to login with

root@hostname ~ # cat /etc/passwd | grep username
username:x:10009:1003::/var/www/vhosts/customer-domain:/opt/psa/bin/chrootsh

b) the result of
# mysql -uadmin -p`cat /etc/psa/.psa.shadow ` psa -e 'select home from sys_users where login="username"'
(with username replaced by your "real" username you are trying to login with)

root@hostname ~ # mysql -uadmin -p`cat /etc/psa/.psa.shadow ` psa -e 'select home from sys_users where login="username"'
+---------------------------------+
| home                            |
+---------------------------------+
| /var/www/vhosts/customer-domain |
+---------------------------------+

The result ist the exact folder like the /etc/passwd output

c) the result of
ls -lad /var/www/vhosts/domain.com
with "domain.com" replaced by the domain you are trying to login to?

root@hostname ~ # ls -lad /var/www/vhosts/customer-domain
drwxr-x--- 17 username psaserv 4.0K Nov  4 22:54 /var/www/vhosts/customer-domain

d) the IP address your connect is resolving to OR the original log excerpt from your FileZilla log

The IP Address is correct - Login with key instead of password works well done.
If you need the ip, i can write a PM

Thanks for your help!

 

[Bitpalast]

If all these are set correctly and you are sure that you *really* use the the correct password (e.g. no extra spaces in that), the issue must be caused by something completely different.

The only factor I cannot fully oversee is the chrooted shell and the way you are using SSH key login. Do things work when you remove the chrooted shell?

Are you using Keychain SSH Key Manager? That may prevent SFTP connections for users defined there (see http://unix.stackexchange.com/quest...ssh-key-manager-prevents-sftp-login-on-centos). Have you applied any custom changes to /etc/proftpd.conf that may ban certain users from login?

 

[Elompenta]

> Do things work when you remove the chrooted shell?
i dont will do that with live vhosts

For keybased login i use the deafult .ssh/authorized_host file in the vhost chrotted environment
The keychain binary is not installed on this machine

> /etc/proftpd.conf
The only changes are passive ports and my SSL certificate

 

[Bitpalast]

I do not have any additional suggestions on this at the moment.

 

[Elompenta]

I have found the issue, the Update to Plesk 12.5.x has deactivated some hosting without a website (only FTP stotages)

After activating this customers, FTP Login works finde