Topic review

martin

Re: WinSCP connects via SFTP without user certificate

Please attach a full log file both from WinSCP and FireFTP, without the certificate.
MrBrik

WinSCP connects via SFTP without user certificate

Hello.
Server: CentOS 7 with VSFTPD, with the following config:

local_enable=YES
anonymous_enable=NO
write_enable=NO
local_umask=022
anon_upload_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
log_ftp_protocol=YES
debug_ssl=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=YES
tcp_wrappers=YES

#SSL conf BEGIN
ssl_enable=YES
validate_cert=YES
require_ssl_reuse=NO
require_cert=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
#SSL conf END

force_local_data_ssl=YES
force_local_logins_ssl=YES

#SSL certificates
rsa_cert_file=/etc/ssl/ftp2.cer
rsa_private_key_file=/etc/ssl/ftp.key
ca_certs_file=/etc/ssl/ca.cer

pasv_enable=YES
pasv_address=192.168.200.1 #(ip is not real)
pasv_min_port=34000
pasv_max_port=35000
listen_port=21

hide_ids=YES

I used to connect to it via FireFTP (Firefox plugin) and it works as expected (using SFTP, port 22):
1. I can connect only if I provide a client key signed by this server's CA (it's a PKCS12 file).
2. My user is chrooted and I can't modify or add files in the directory, only download/read (files and folders belong to 'root' and I'm connecting as "someftpuser").
3. I'm kicked out without a client key.

I've made some modifications to sshd_config to make the "unprivileged sftp users" thing work (using this article).

The thing is, when I connect to my server using WinSCP (SFTP, port 22) it never requires a client certificate. I checked it on several machines.
How does FireFTP act in the case I don't provide a client certificate? It throws the error "530 Non-anonymous sessions must use encryption."

So, why does WinSCP act like a cool hacker, or what am I doing wrong?
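An added example (not code from the thread or from WinSCP/vsftpd) that audits a vsftpd config like the one posted above and reports what its TLS directives actually enforce. It assumes a constructed sample config modelled on the post; the key caveat it encodes is that vsftpd only serves FTP/FTPS on listen_port, while SFTP on port 22 is a subsystem of sshd and is never seen by vsftpd, so require_cert cannot apply to an SFTP session. It also flags the trailing "#(ip is not real)" note, because vsftpd treats only lines that begin with # as comments.

```python
"""Audit vsftpd TLS/client-certificate settings (added example, not from the thread)."""

from typing import Dict, List

# Constructed sample modelled on the posted config (not a real host).
SAMPLE_CONF = """
listen=YES
listen_port=21
ssl_enable=YES
validate_cert=YES
require_cert=YES
ca_certs_file=/etc/ssl/ca.cer
force_local_logins_ssl=YES
force_local_data_ssl=YES
pasv_address=192.168.200.1 #(ip is not real)
"""


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Mirror vsftpd's parsing: only lines starting with '#' are comments,
    so a trailing '#...' after '=' stays inside the value."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_tls_client_cert(conf: Dict[str, str]) -> Dict[str, object]:
    """Report what the TLS directives enforce, and where they do not apply."""
    def on(key: str) -> bool:
        return conf.get(key, "NO").upper() == "YES"

    suspect: List[str] = [k for k, v in conf.items() if "#" in v]
    return {
        # A client certificate is demanded only with TLS on and require_cert=YES;
        # validate_cert additionally checks it against ca_certs_file.
        "ftps_client_cert_required": on("ssl_enable") and on("require_cert"),
        "ftps_client_cert_validated": on("ssl_enable") and on("validate_cert")
                                      and bool(conf.get("ca_certs_file")),
        # Plain-FTP logins are refused with "530 Non-anonymous sessions must use encryption."
        "plaintext_login_rejected": on("force_local_logins_ssl"),
        # Every directive above applies only to the port vsftpd listens on.
        "ftps_port": int(conf.get("listen_port", "21")),
        # SFTP (port 22) is handled by sshd, so vsftpd's require_cert never applies to it.
        "sftp_covered_by_vsftpd": False,
        # Values carrying an inline '#' were probably meant as comments.
        "suspect_values": suspect,
    }
```

Run `audit_tls_client_cert(parse_vsftpd_conf(SAMPLE_CONF))` to see that the posted settings do enforce client certificates for FTPS on port 21 while leaving an SFTP session on port 22 entirely to sshd_config.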