WinSCP connects via SFTP without user certificate

MrBrik
Guest

Hello.
Server: CentOS 7 with vsftpd, with the following config:

local_enable=YES
anonymous_enable=NO
write_enable=NO
local_umask=022
anon_upload_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
log_ftp_protocol=YES
debug_ssl=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=YES
tcp_wrappers=YES

#SSL conf BEGIN
ssl_enable=YES
validate_cert=YES
require_ssl_reuse=NO
require_cert=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
#SSL conf END

force_local_data_ssl=YES
force_local_logins_ssl=YES

#SSL certificates
rsa_cert_file=/etc/ssl/ftp2.cer
rsa_private_key_file=/etc/ssl/ftp.key
ca_certs_file=/etc/ssl/ca.cer

pasv_enable=YES
# (IP is not real)
pasv_address=192.168.200.1
pasv_min_port=34000
pasv_max_port=35000
listen_port=21

hide_ids=YES

I used to connect to it via FireFTP (Firefox plugin) and it works as expected (using SFTP, port 22):
1. I can connect only if I give a client key signed by this server's CA (it's a PKCS12 file).
2. My user is chrooted and I can't modify or add files in the directory, only download/read (files and folders belong to 'root' and I'm connecting as "someftpuser").
3. I'm kicked out without a client key.

I've made some modifications to sshd_config to make the "unprivileged sftp users" thing work (using this article).

The thing is, when I connect to my server using WinSCP (SFTP, port 22), it never requires a client certificate. I checked it on several machines.
How does FireFTP act when I don't provide a client certificate? It throws the error "530 Non-anonymous sessions must use encryption."

So, why does WinSCP act like a cool hacker, or what am I doing wrong?

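An added example, not part of the original post and not vsftpd's own code: a small audit of the client-certificate directives in the config quoted above. SAMPLE_CONF is constructed from the posted settings and the function names are hypothetical; the directives checked are vsftpd's and govern only its own listener on listen_port.

```python
# Added example (not from the original post). SAMPLE_CONF is constructed from
# the TLS-related directives quoted in the post.
SAMPLE_CONF = """\
listen_port=21
ssl_enable=YES
validate_cert=YES
require_cert=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ca_certs_file=/etc/ssl/ca.cer
pasv_address=192.168.200.1 #(ip is not real)
"""

# vsftpd defaults (per vsftpd.conf(5)) for the directives audited below.
DEFAULTS = {"ssl_enable": "NO", "require_cert": "NO", "validate_cert": "NO",
            "force_local_logins_ssl": "YES", "ca_certs_file": ""}


def parse_conf(text):
    """Parse option=value lines; '#' starts a comment only at line start."""
    settings, warnings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key != key.strip() or value != value.lstrip():
            warnings.append(f"line {n}: not in option=value form (no spaces around '=')")
            continue
        if "#" in value:
            warnings.append(f"line {n}: '#' in value of {key} is read as part of the value, not a comment")
        settings[key] = value.rstrip()  # trailing blanks dropped for comparison
    return settings, warnings


def client_cert_gaps(settings):
    """List reasons a client could log in without a CA-validated certificate."""
    s = {**DEFAULTS, **settings}
    on = lambda v: v.upper() in ("YES", "TRUE", "1")
    gaps = []
    for key, why in (("ssl_enable", "TLS is off"),
                     ("force_local_logins_ssl", "logins may skip TLS entirely"),
                     ("require_cert", "clients need not present a certificate"),
                     ("validate_cert", "presented certificates are not verified")):
        if not on(s[key]):
            gaps.append(f"{key} is not enabled: {why}")
    if not s["ca_certs_file"]:
        gaps.append("ca_certs_file is unset: no CA to validate client certificates against")
    return gaps
```
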

martin
Site Admin

Re: WinSCP connects via SFTP without user certificate

Please attach a full log file both from WinSCP and FireFTP, without the certificate.
