Castaglia / proftpd-mod_sftp_ldap

ProFTPD module which retrieves SSH user/host keys from LDAP

symbol lookup error: /usr/libexec/proftpd/mod_sftp_ldap.so: undefined symbol: sftp_ldap_keys_parse_rfc4716 #11

Open olistubbs opened 1 year ago

olistubbs commented 1 year ago

Hi there,

I've built a proftpd RPM (working in itself) with mod_sftp_ldap support (and mod_proxy_protocol, though not loaded in this instance), but when I try to auth with a user that has the ldapPublicKey objectClass set and the sshPublicKey in multiline RFC 4716 format, I get the error in the title.

ldap entry

```
dn: cn=${USER},dc=example,dc=com
accountId: ${USER}
uid: ${USER}
cn: ${USER}
sn: ${USER}
objectClass: posixAccount
objectClass: ldapPublicKey
userPassword:: ...
sshPublicKey:: LS0tLSBCRUdJTiBTU0gyIFBVQkxJQyBLRVkgLS0tLQpBQUFBQjNOemFDMXljMkV ...... VBXZ2Jla0ZocXZoenc9PQotLS0tIEVORCBTU0gyIFBVQkxJQyBLRVkgLS0tLQ==
```

Full log entry

```
2023-05-24 15:51:27,705 233b53bbde79 proftpd[238] 0.0.0.0 (${SERVER}[${IP}]): mod_ldap/2.9.5: LDAPGroups not configured, skipping LDAP-based group memberships
2023-05-24 15:51:27,715 233b53bbde79 proftpd[238] 0.0.0.0 (${SERVER}[${IP}]): mod_delay/0.7: no DelayOnEvent rules configured with "DelayTable none" in effect, disabling module
2023-05-24 15:51:27,716 233b53bbde79 proftpd[238] 0.0.0.0 (${SERVER}[${IP}]): SSH2 session opened.
proftpd: (authenticating) - (connecting): IDLE: symbol lookup error: /usr/libexec/proftpd/mod_sftp_ldap.so: undefined symbol: sftp_ldap_keys_parse_rfc4716
```
Full proftpd.conf (sanitised)

```
#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
#

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 off
# If set on you can experience a longer connection delay in many cases.
<IfModule mod_ident.c>
  IdentLookups off
</IfModule>

ServerName "FTP Server"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"

DenyFilter \*.*/

# Use this to jail all users in their homes
DefaultRoot ~

LoadModule mod_sftp.c
LoadModule mod_sftp_ldap.c

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
RequireValidShell off

# Port 21 is the standard FTP port.
Port 21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
PassivePorts 50000 50050

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
MasqueradeAddress 1.2.3.4

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
  DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User nobody
Group nobody

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
#Umask 022 022

# Normally, we want files to be overwriteable.
AllowOverwrite on
AllowOverwrite yes
AllowAll
DenyAll

# Default to show dot files in directory listings
ListOptions "-al"
Umask 002

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd off

# This is required to use both PAM-based authentication and local passwords
LoadModule mod_ldap.c
AuthOrder mod_ldap.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off

LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat logproc "%{%a %b %d %H:%M:%S %Y %z}t %T %a %b %f %m %u %s %{protocol}"
ExtendedLog /var/log/extended_xfer.log READ,WRITE logproc
TransferLog /var/log/xferlog
SystemLog /var/log/proftpd.log

# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on

# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime. If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime

#CreateHome on 550 dirmode 771 skel /etc/proftpd/skel/sftp

<IfModule mod_quotatab.c>
  QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
  Ratios off
</IfModule>

# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default.
<IfModule mod_delay.c>
  DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
  ControlsEngine off
  ControlsMaxClients 2
  ControlsLog /var/log/proftpd/controls.log
  ControlsInterval 5
  ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
  AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
Include /etc/proftpd/ldap.conf

#
# This is used for FTPS connections
#
Include /etc/proftpd/tls.conf

<IfModule mod_sftp.c>
  <IfModule mod_lang.c>
    UseEncoding on
  </IfModule>

  SFTPEngine on
  #SFTPPAMEngine off
  SFTPDisplayBanner /etc/ftpissue
  CreateHome on 550 dirmode 771 skel /etc/proftpd/skel/sftp
  RequireValidShell off
  SFTPOptions IgnoreSFTPSetPerms IgnoreSFTPSetTimes IgnoreSFTPUploadPerms IgnoreSCPUploadPerms

  # Configure the server to listen on the normal SSH2 port, port 22
  Port 30022

  # Configure both the RSA and DSA host keys, using the same host key
  # files that OpenSSH uses.
  SFTPHostKey /etc/ssh/ssh_host_dsa_key
  SFTPHostKey /etc/ssh/ssh_host_rsa_key

  # Configure the file used for comparing authorized public keys of users.
  SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys ldap:

  # Enable compression
  SFTPCompression delayed

  # Allow the same number of authentication attempts as OpenSSH.
  #
  # It is recommended that you explicitly configure MaxLoginAttempts
  # for your SSH2/SFTP instance to be higher than the normal
  # MaxLoginAttempts value for FTP, as there are more ways to authenticate
  # using SSH2.
  MaxLoginAttempts 6

  DefaultRoot ~
  AuthOrder mod_ldap.c
  LDAPQueryTimeout 30
  LDAPAuthBinds on
  LDAPServer ${SERVER}
  LDAPAuthBinds on
  LDAPBindDN ${BINDUSER} ${BINDPASS}
  LDAPUsers ${SEARCHBASE} ${FILTER}
  LDAPSearchScope subtree
  ExtendedLog /var/log/extended_xfer.log READ,WRITE logproc
</IfModule>
```
Output of `proftpd -nd10`

```
2023-05-24 16:26:03,942 233b53bbde79 proftpd[280]: using TCP receive buffer size of 87380 bytes
2023-05-24 16:26:03,942 233b53bbde79 proftpd[280]: using TCP send buffer size of 16384 bytes
2023-05-24 16:26:03,943 233b53bbde79 proftpd[280]: testing Unix domain socket using S_ISFIFO
2023-05-24 16:26:03,943 233b53bbde79 proftpd[280]: testing Unix domain socket using S_ISSOCK
2023-05-24 16:26:03,943 233b53bbde79 proftpd[280]: using S_ISSOCK macro for Unix domain socket detection
2023-05-24 16:26:03,944 233b53bbde79 proftpd[280]: using 'ANSI_X3.4-1968' as local charset for UTF-8 conversion
2023-05-24 16:26:03,944 233b53bbde79 proftpd[280]: disabling runtime support for IPv6 connections
2023-05-24 16:26:03,944 233b53bbde79 proftpd[280]: : skipping 'mod_ident.c' section at line 11
2023-05-24 16:26:03,944 233b53bbde79 proftpd[280]: DenyFilter: compiling regex '\*.*/'
2023-05-24 16:26:03,944 233b53bbde79 proftpd[280]: mod_dso/0.5: loading 'mod_sftp.c'
2023-05-24 16:26:03,945 233b53bbde79 proftpd[280]: mod_dso/0.5: loaded module 'mod_sftp' (from '/usr/libexec/proftpd/mod_sftp.so', last modified on Tue Apr 25 11:03:10 2023)
2023-05-24 16:26:03,945 233b53bbde79 proftpd[280]: mod_sftp/1.0.1: using OpenSSL 1.0.2k-fips 26 Jan 2017
2023-05-24 16:26:03,945 233b53bbde79 proftpd[280]: mod_dso/0.5: loading 'mod_sftp_ldap.c'
2023-05-24 16:26:03,945 233b53bbde79 proftpd[280]: mod_dso/0.5: loaded module 'mod_sftp_ldap' (from '/usr/libexec/proftpd/mod_sftp_ldap.so', last modified on Tue Apr 25 11:03:10 2023)
2023-05-24 16:26:03,945 233b53bbde79 proftpd[280]: : skipping 'mod_dynmasq.c' section at line 58
2023-05-24 16:26:03,945 233b53bbde79 proftpd[280]: retrieved UID 99 for user 'nobody'
2023-05-24 16:26:03,945 233b53bbde79 proftpd[280]: retrieved GID 99 for group 'nobody'
2023-05-24 16:26:03,945 233b53bbde79 proftpd[280]: mod_dso/0.5: loading 'mod_ldap.c'
2023-05-24 16:26:03,947 233b53bbde79 proftpd[280]: mod_dso/0.5: loaded module 'mod_ldap' (from '/usr/libexec/proftpd/mod_ldap.so', last modified on Tue Apr 25 11:03:10 2023)
2023-05-24 16:26:03,947 233b53bbde79 proftpd[280]: mod_ldap/2.9.5: compiled using LDAP vendor 'OpenLDAP', LDAP API version 3001
2023-05-24 16:26:03,948 233b53bbde79 proftpd[280]: mod_ldap/2.9.5 linked with LDAP vendor 'OpenLDAP' (LDAP API version 3001, vendor version 20444), features: X_OPENLDAP
2023-05-24 16:26:03,948 233b53bbde79 proftpd[280]: mod_ldap/2.9.5: LDAP TLS package = OpenSSL
2023-05-24 16:26:03,948 233b53bbde79 proftpd[280]: : skipping 'mod_quotatab.c' section at line 125
2023-05-24 16:26:03,948 233b53bbde79 proftpd[280]: : skipping 'mod_ratio.c' section at line 129
2023-05-24 16:26:03,948 233b53bbde79 proftpd[280]: : using 'mod_delay.c' section at line 137
2023-05-24 16:26:03,948 233b53bbde79 proftpd[280]: : using 'mod_ctrls.c' section at line 141
2023-05-24 16:26:03,948 233b53bbde79 proftpd[280]: ROOT PRIVS at mod_ctrls.c:111
2023-05-24 16:26:03,948 233b53bbde79 proftpd[280]: RELINQUISH PRIVS at mod_ctrls.c:114
2023-05-24 16:26:03,948 233b53bbde79 proftpd[280]: : skipping 'mod_ctrls_admin.c' section at line 149
2023-05-24 16:26:03,948 233b53bbde79 proftpd[280]: ROOT PRIVS at mod_core.c:377
2023-05-24 16:26:03,948 233b53bbde79 proftpd[280]: RELINQUISH PRIVS at mod_core.c:379
2023-05-24 16:26:03,948 233b53bbde79 proftpd[280]: ROOT PRIVS at mod_core.c:386
2023-05-24 16:26:03,948 233b53bbde79 proftpd[280]: ROOT PRIVS at parser.c:1186
2023-05-24 16:26:03,948 233b53bbde79 proftpd[280]: : using 'mod_ldap.c' section at line 7
2023-05-24 16:26:03,949 233b53bbde79 proftpd[280]: RELINQUISH PRIVS at parser.c:1189
2023-05-24 16:26:03,949 233b53bbde79 proftpd[280]: RELINQUISH PRIVS at mod_core.c:389
2023-05-24 16:26:03,949 233b53bbde79 proftpd[280]: ROOT PRIVS at mod_core.c:377
2023-05-24 16:26:03,949 233b53bbde79 proftpd[280]: RELINQUISH PRIVS at mod_core.c:379
2023-05-24 16:26:03,949 233b53bbde79 proftpd[280]: ROOT PRIVS at mod_core.c:386
2023-05-24 16:26:03,949 233b53bbde79 proftpd[280]: ROOT PRIVS at parser.c:1186
2023-05-24 16:26:03,949 233b53bbde79 proftpd[280]: : skipping 'mod_tls.c' section at line 9
2023-05-24 16:26:03,949 233b53bbde79 proftpd[280]: RELINQUISH PRIVS at parser.c:1189
2023-05-24 16:26:03,949 233b53bbde79 proftpd[280]: RELINQUISH PRIVS at mod_core.c:389
2023-05-24 16:26:03,949 233b53bbde79 proftpd[280]: : using 'mod_sftp.c' section at line 164
2023-05-24 16:26:03,949 233b53bbde79 proftpd[280]: : using 'mod_lang.c' section at line 167
2023-05-24 16:26:03,949 233b53bbde79 proftpd[280]: ROOT PRIVS at mod_sftp.c:1201
2023-05-24 16:26:03,949 233b53bbde79 proftpd[280]: RELINQUISH PRIVS at mod_sftp.c:1204
2023-05-24 16:26:03,949 233b53bbde79 proftpd[280]: ROOT PRIVS at mod_sftp.c:1201
2023-05-24 16:26:03,949 233b53bbde79 proftpd[280]: RELINQUISH PRIVS at mod_sftp.c:1204
2023-05-24 16:26:03,950 233b53bbde79 proftpd[280]: ROOT PRIVS at mod_core.c:377
2023-05-24 16:26:03,950 233b53bbde79 proftpd[280]: RELINQUISH PRIVS at mod_core.c:379
2023-05-24 16:26:03,950 233b53bbde79 proftpd[280]: ROOT PRIVS at mod_core.c:386
2023-05-24 16:26:03,950 233b53bbde79 proftpd[280]: ROOT PRIVS at parser.c:1327
2023-05-24 16:26:03,950 233b53bbde79 proftpd[280]: RELINQUISH PRIVS at parser.c:1330
2023-05-24 16:26:03,950 233b53bbde79 proftpd[280]: RELINQUISH PRIVS at mod_core.c:389
2023-05-24 16:26:03,950 233b53bbde79 proftpd[280] 233b53bbde79: 172.17.0.8:21 masquerading as 1.2.3.4
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79:
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: Config for FTP Server:
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: DeferWelcome
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: MultilineRFC2228
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: DefaultServer
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: ShowSymlinks
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: TimeoutNoTransfer
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: TimeoutStalled
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: TimeoutIdle
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: DisplayLogin
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: DisplayChdir
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: ListOptions
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: DenyFilter
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: DefaultRoot
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: RequireValidShell
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: PassivePorts
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: MasqueradeAddress
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: UserID
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: UserName
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: GroupID
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: GroupName
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: AllowOverwrite
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: AuthOrder
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: LogFormat
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: LogFormat
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: LogFormat
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: ExtendedLog
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: TransferLog
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: SystemLog
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: DelayEngine
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: LDAPServer
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: LDAPAuthBinds
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: LDAPBindDN
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: LDAPUsers
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: LDAPSearchScope
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: LDAPGenerateHomedir
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: Limit
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: DenyAll
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: Limit
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: AllowAll
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: AllowOverwrite
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: ListOptions
2023-05-24 16:26:03,951 233b53bbde79 proftpd[280] 233b53bbde79: Umask
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79:
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: Config for FTP Server:
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: UseEncoding
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: SFTPEngine
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: SFTPDisplayBanner
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: SFTPClientMatch
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: CreateHome
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: RequireValidShell
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: SFTPOptions
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: SFTPHostKey
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: SFTPHostKey
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: SFTPAuthorizedUserKeys
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: SFTPCompression
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: MaxLoginAttempts
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: DefaultRoot
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: AuthOrder
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: LDAPUsers
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: LDAPQueryTimeout
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: LDAPAuthBinds
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: LDAPServer
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: LDAPAuthBinds
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: LDAPBindDN
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: LDAPUsers
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: LDAPSearchScope
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: ExtendedLog
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: Limit
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: DenyAll
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: Limit
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: AllowAll
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: AllowOverwrite
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: ListOptions
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: Umask
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: LDAPServer: parsed URL 'ldap://${SERVER}/??sub' as 'ldap://${SERVER}:389/??sub'
2023-05-24 16:26:03,955 233b53bbde79 proftpd[280] 233b53bbde79: LDAPServer: parsed URL 'ldap://${SERVER}/??sub' as 'ldap://${SERVER}:389/??sub'
2023-05-24 16:26:03,959 233b53bbde79 proftpd[280] 233b53bbde79: ROOT PRIVS at keys.c:799
2023-05-24 16:26:03,959 233b53bbde79 proftpd[280] 233b53bbde79: RELINQUISH PRIVS at keys.c:802
2023-05-24 16:26:03,961 233b53bbde79 proftpd[280] 233b53bbde79: ROOT PRIVS at keys.c:799
2023-05-24 16:26:03,961 233b53bbde79 proftpd[280] 233b53bbde79: RELINQUISH PRIVS at keys.c:802
2023-05-24 16:26:03,963 233b53bbde79 proftpd[280] 233b53bbde79: mod_sftp/1.0.1: Server 'FTP Server': ListOptions directive is not supported by mod_sftp, and will be ignored
2023-05-24 16:26:03,963 233b53bbde79 proftpd[280] 233b53bbde79: mod_lang/1.1: binding to text domain 'proftpd' using locale path '/usr/share/locale'
2023-05-24 16:26:03,963 233b53bbde79 proftpd[280] 233b53bbde79: mod_lang/1.1: using locale files in '/usr/share/locale'
2023-05-24 16:26:03,963 233b53bbde79 proftpd[280] 233b53bbde79: mod_lang/1.1: added the following supported languages: en_US
2023-05-24 16:26:03,963 233b53bbde79 proftpd[280] 233b53bbde79: ROOT PRIVS at mod_log.c:864
2023-05-24 16:26:03,963 233b53bbde79 proftpd[280] 233b53bbde79: RELINQUISH PRIVS at mod_log.c:867
2023-05-24 16:26:03,963 233b53bbde79 proftpd[280] 233b53bbde79: ROOT PRIVS at mod_rlimit.c:555
2023-05-24 16:26:03,963 233b53bbde79 proftpd[280] 233b53bbde79: RELINQUISH PRIVS at mod_rlimit.c:558
2023-05-24 16:26:03,963 233b53bbde79 proftpd[280] 233b53bbde79: set core resource limits for daemon
2023-05-24 16:26:03,963 233b53bbde79 proftpd[280] 233b53bbde79: ignoring supplemental groups for non-root UID 99
2023-05-24 16:26:03,963 233b53bbde79 proftpd[280] 233b53bbde79: SETUP PRIVS at main.c:2619
2023-05-24 16:26:03,963 233b53bbde79 proftpd[280] 233b53bbde79: ROOT PRIVS at main.c:1897
2023-05-24 16:26:03,963 233b53bbde79 proftpd[280] 233b53bbde79: deleting existing scoreboard '/run/proftpd/proftpd.scoreboard'
2023-05-24 16:26:03,964 233b53bbde79 proftpd[280] 233b53bbde79: opening scoreboard '/run/proftpd/proftpd.scoreboard'
2023-05-24 16:26:03,964 233b53bbde79 proftpd[280] 233b53bbde79: RELINQUISH PRIVS at main.c:1924
2023-05-24 16:26:03,964 233b53bbde79 proftpd[280] 233b53bbde79: ROOT PRIVS at inet.c:432
2023-05-24 16:26:03,964 233b53bbde79 proftpd[280] 233b53bbde79: RELINQUISH PRIVS at inet.c:491
2023-05-24 16:26:03,964 233b53bbde79 proftpd[280] 233b53bbde79: Failed binding to 0.0.0.0, port 21: Address already in use
2023-05-24 16:26:03,965 233b53bbde79 proftpd[280] 233b53bbde79: Check the ServerType directive to ensure you are configured correctly
2023-05-24 16:26:03,965 233b53bbde79 proftpd[280] 233b53bbde79: Check to see if inetd/xinetd, or another proftpd instance, is already using 0.0.0.0, port 21
2023-05-24 16:26:03,965 233b53bbde79 proftpd[280] 233b53bbde79: Unable to start proftpd; check logs for more details
```

The proftpd.conf is fairly generic, apart from the <IfModule mod_sftp.c> section, which works when using just passwords; after adding ldap: to SFTPAuthorizedUserKeys it no longer works. The mod_sftp section is currently in use on an older version of proftpd elsewhere in our estate along with mod_sftp_ldap; however, that was loaded after proftpd installation using pcre, so we know the config is sound.

(Apologies if anything is formatted incorrectly or I've missed any information, just let me know and I'll adjust or provide - cheers!)

Any ideas?

Cheers, Oliver

Castaglia commented 1 year ago

Could you provide the output from proftpd -V? Also, which distro (and version) are you using? I'd like to see if I can reproduce this behavior locally.

olistubbs commented 1 year ago

Certainly,

It's running in a CentOS 7 Docker container, running on OEL 7. The RPM was also built on an OEL 7 box.

proftpd -V

```
# proftpd -V
Compile-time Settings:
  Version: 1.3.7f (maint)
  Platform: LINUX [Linux 4.1.12-124.15.1.el7uek.x86_64 x86_64]
  Built: Tue Apr 25 2023 11:01:44 UTC
  Built With:
    configure '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--libexecdir=/usr/libexec/proftpd' '--localstatedir=/run/proftpd' '--disable-strip' '--enable-ctrls' '--enable-dso' '--enable-facl' '--enable-ipv6' '--enable-nls' '--enable-openssl' '--enable-shadow' '--with-lastlog' '--with-libraries=/usr/lib64/mysql' '--with-includes=/usr/include/mysql' '--with-pkgconfig=lib64/pkgconfig' '--with-shared=mod_auth_pam:mod_ban:mod_copy:mod_ctrls_admin:mod_deflate:mod_dnsbl:mod_dynmasq:mod_exec:mod_facl:mod_load:mod_quotatab:mod_quotatab_file:mod_quotatab_radius:mod_quotatab_sql:mod_radius:mod_ratio:mod_readme:mod_rewrite:mod_shaper:mod_site_misc:mod_snmp:mod_sql:mod_wrap2:mod_wrap2_file:mod_wrap2_redis:mod_wrap2_sql:mod_unique_id:mod_auth_otp:mod_digest:mod_ldap:mod_quotatab_ldap:mod_sftp:mod_sftp_pam:mod_sftp_sql:mod_sftp_ldap:mod_sql_passwd:mod_tls:mod_tls_fscache:mod_tls_shmcache:mod_proxy_protocol:mod_ifsession' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'

  CFLAGS: -g2 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wall -fno-omit-frame-pointer -fno-strict-aliasing -Werror=implicit-function-declaration
  LDFLAGS: -L$(top_srcdir)/lib -L$(top_builddir)/lib -Wl,-z,relro -rdynamic -L/usr/lib64/mysql
  LIBS: -lacl -lssl -lcrypto -lcap -lsupp -lattr -lnsl -lresolv -lresolv -lcrypt -ldl

  Files:
    Configuration File:
      /etc/proftpd.conf
    Pid File:
      /run/proftpd/proftpd.pid
    Scoreboard File:
      /run/proftpd/proftpd.scoreboard
    Header Directory:
      /usr/include/proftpd
    Shared Module Directory:
      /usr/libexec/proftpd
```
olistubbs commented 1 year ago

Sorry, full proftpd -V output below

proftpd -V

```
# proftpd -V
Compile-time Settings:
  Version: 1.3.7f (maint)
  Platform: LINUX [Linux 4.1.12-124.15.1.el7uek.x86_64 x86_64]
  Built: Tue Apr 25 2023 11:01:44 UTC
  Built With:
    configure '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--libexecdir=/usr/libexec/proftpd' '--localstatedir=/run/proftpd' '--disable-strip' '--enable-ctrls' '--enable-dso' '--enable-facl' '--enable-ipv6' '--enable-nls' '--enable-openssl' '--enable-shadow' '--with-lastlog' '--with-libraries=/usr/lib64/mysql' '--with-includes=/usr/include/mysql' '--with-pkgconfig=lib64/pkgconfig' '--with-shared=mod_auth_pam:mod_ban:mod_copy:mod_ctrls_admin:mod_deflate:mod_dnsbl:mod_dynmasq:mod_exec:mod_facl:mod_load:mod_quotatab:mod_quotatab_file:mod_quotatab_radius:mod_quotatab_sql:mod_radius:mod_ratio:mod_readme:mod_rewrite:mod_shaper:mod_site_misc:mod_snmp:mod_sql:mod_wrap2:mod_wrap2_file:mod_wrap2_redis:mod_wrap2_sql:mod_unique_id:mod_auth_otp:mod_digest:mod_ldap:mod_quotatab_ldap:mod_sftp:mod_sftp_pam:mod_sftp_sql:mod_sftp_ldap:mod_sql_passwd:mod_tls:mod_tls_fscache:mod_tls_shmcache:mod_proxy_protocol:mod_ifsession' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'

  CFLAGS: -g2 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wall -fno-omit-frame-pointer -fno-strict-aliasing -Werror=implicit-function-declaration
  LDFLAGS: -L$(top_srcdir)/lib -L$(top_builddir)/lib -Wl,-z,relro -rdynamic -L/usr/lib64/mysql
  LIBS: -lacl -lssl -lcrypto -lcap -lsupp -lattr -lnsl -lresolv -lresolv -lcrypt -ldl

  Files:
    Configuration File:
      /etc/proftpd.conf
    Pid File:
      /run/proftpd/proftpd.pid
    Scoreboard File:
      /run/proftpd/proftpd.scoreboard
    Header Directory:
      /usr/include/proftpd
    Shared Module Directory:
      /usr/libexec/proftpd

  Info:
    + Max supported UID: 4294967295
    + Max supported GID: 4294967295

  Features:
    - Autoshadow support
    + Controls support
    + curses support
    - Developer support
    + DSO support
    + IPv6 support
    + Largefile support
    + Lastlog support
    - Memcache support
    + ncursesw support
    + NLS support
    + OpenSSL support (OpenSSL 1.0.2k 26 Jan 2017, FIPS enabled)
    - PCRE support
    + POSIX ACL support
    - Redis support
    + Sendfile support
    + Shadow file support
    - Sodium support
    + Trace support
    + xattr support

  Tunable Options:
    PR_TUNABLE_BUFFER_SIZE = 1024
    PR_TUNABLE_DEFAULT_RCVBUFSZ = 8192
    PR_TUNABLE_DEFAULT_SNDBUFSZ = 8192
    PR_TUNABLE_ENV_MAX = 2048
    PR_TUNABLE_GLOBBING_MAX_MATCHES = 100000
    PR_TUNABLE_GLOBBING_MAX_RECURSION = 8
    PR_TUNABLE_HASH_TABLE_SIZE = 40
    PR_TUNABLE_LOGIN_MAX = 256
    PR_TUNABLE_NEW_POOL_SIZE = 512
    PR_TUNABLE_PATH_MAX = 4096
    PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
    PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
    PR_TUNABLE_SELECT_TIMEOUT = 30
    PR_TUNABLE_TIMEOUTIDENT = 10
    PR_TUNABLE_TIMEOUTIDLE = 600
    PR_TUNABLE_TIMEOUTLINGER = 10
    PR_TUNABLE_TIMEOUTLOGIN = 300
    PR_TUNABLE_TIMEOUTNOXFER = 300
    PR_TUNABLE_TIMEOUTSTALLED = 3600
    PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10
```
Castaglia commented 1 year ago

While I work on reproducing this locally, a workaround might be to build mod_sftp_ldap as a static module, rather than as a shared module, to avoid the dynamic loader symbol resolution error.
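A check worth running before the first SFTP login, as an added example (this is not ProFTPD's or mod_sftp_ldap's own code): the loader's `symbol lookup error` means the module was mapped but a reference in it has no definition anywhere in the process image, i.e. not in the proftpd binary (whose symbols are exported because it is linked with `-rdynamic`, as the LDFLAGS in the `-V` output show), not in a module loaded before it, and not in a shared library. `nm -D` prints exactly those tables, so the unresolved set can be computed from the files on disk. The `nm -D` text embedded below is constructed; only `sftp_ldap_keys_parse_rfc4716` is taken from the error above, and the other symbol names and the paths in `check_module` are placeholders following this thread's layout.

```python
"""Find symbols a ProFTPD DSO references that nothing in the process defines.

Added example; not code from ProFTPD or mod_sftp_ldap. parse_nm_dynamic()
reads `nm -D` output, missing_symbols() subtracts every provider's
definitions from the module's undefined references, and check_module()
does the same against real files via binutils.
"""
import subprocess

# nm symbol-type letters that denote a definition in the dynamic table
# (text, weak, data, BSS, read-only, absolute, unique, GNU ifunc).
DEFINED_TYPES = {"T", "W", "D", "B", "R", "V", "A", "u", "i", "I"}


def parse_nm_dynamic(nm_output):
    """Split `nm -D` text into (defined, undefined) sets of bare symbol names.

    Defined lines look like '0000000000021000 T sftp_keys_parse_rfc4716';
    undefined ones like '                 U pr_log_debug'. Weak undefined
    references ('w') may legitimately stay unresolved and are not counted.
    Version suffixes such as 'strlen@@GLIBC_2.2.5' are stripped.
    """
    defined, undefined = set(), set()
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        sym_type, name = parts[-2], parts[-1].split("@")[0]
        if sym_type == "U":
            undefined.add(name)
        elif sym_type in DEFINED_TYPES:
            defined.add(name)
    return defined, undefined


def missing_symbols(module_nm, provider_nms):
    """Names the module needs that none of the providers define, sorted."""
    _, needed = parse_nm_dynamic(module_nm)
    provided = set()
    for text in provider_nms:
        provided |= parse_nm_dynamic(text)[0]
    return sorted(needed - provided)


def nm_dynamic(path):
    """Run binutils `nm -D` on a real file (nm is assumed to be on PATH)."""
    return subprocess.run(["nm", "-D", path], check=True,
                          capture_output=True, text=True).stdout


def check_module(module_path, provider_paths):
    """Real-file wrapper. Paths are placeholders following this thread, e.g.
    check_module('/usr/libexec/proftpd/mod_sftp_ldap.so',
                 ['/usr/sbin/proftpd', '/usr/libexec/proftpd/mod_sftp.so',
                  '/usr/libexec/proftpd/mod_ldap.so', '/lib64/libc.so.6'])
    Every library the module links against must be listed, or its symbols
    will be reported as missing too."""
    return missing_symbols(nm_dynamic(module_path),
                           [nm_dynamic(p) for p in provider_paths])


# Constructed `nm -D` samples in binutils' layout. Only
# sftp_ldap_keys_parse_rfc4716 comes from the error in this thread; the
# other names stand in for the core, mod_sftp and libc exports a real
# build would show.
SAMPLE_MODULE_NM = """\
                 U pr_log_debug
                 U sftp_keys_parse_rfc4716
                 U sftp_ldap_keys_parse_rfc4716
                 U strlen
                 w __gmon_start__
0000000000004a20 D sftp_ldap_module
"""
SAMPLE_PROFTPD_NM = """\
00000000000a1230 T pr_log_debug
00000000000b4560 T pr_module_load
"""
SAMPLE_MOD_SFTP_NM = """\
0000000000021000 T sftp_keys_parse_rfc4716
0000000000022000 T sftp_keys_get_hostkey
"""
SAMPLE_LIBC_NM = """\
0000000000091f30 T strlen@@GLIBC_2.2.5
"""

if __name__ == "__main__":
    print(missing_symbols(SAMPLE_MODULE_NM,
                          [SAMPLE_PROFTPD_NM, SAMPLE_MOD_SFTP_NM, SAMPLE_LIBC_NM]))
```

With the sample data the only leftover is `sftp_ldap_keys_parse_rfc4716`; on a real box, running `check_module` with the installed binary, the other loaded modules and the libraries from `ldd mod_sftp_ldap.so` shows whether the name is exported by anything at all, which is the question the static-build workaround sidesteps.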

Castaglia commented 1 year ago

Hmm. I'm not able to reproduce this behavior locally yet.

In looking at what might be different between my local setup, and yours, I noticed your LDIF uses:

sshPublicKey:: LS0tLSBCRUdJTiBTU0gyIFBVQkxJQyBLRVkgLS0tLQpBQUFBQjNOemFDMXljMkV
...... 
VBXZ2Jla0ZocXZoenc9PQotLS0tIEVORCBTU0gyIFBVQkxJQyBLRVkgLS0tLQ==

whereas mine uses:

sshPublicKey: ---- BEGIN SSH2 PUBLIC KEY ----
 Comment: "2048-bit RSA, converted by root@01beb187f976 from OpenSSH"
 ...
 IO+z5VnBDG5lMOix0iksf/
 ---- END SSH2 PUBLIC KEY ----

It looks like your LDIF SSH public key is base64-encoded. If you're using the RFC 4716 format, it already is base64-encoded, and doesn't need any additional encoding. Also, I can't quite tell if your LDIF has the single space before each of your base64 lines, to indicate a multiline LDIF attribute. (And is your sshPublicKey:: provided, using that double-colon ::, a typo? My LDIF only uses single colons between key/value pairs.)
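The two LDIF shapes compared in the comment above, worked through in code as an added example (this is not mod_sftp's or mod_sftp_ldap's parser): an RFC 2849 attribute reader that handles continuation lines and the `attr::` base64 form, an RFC 4716 block parser, and an unpacker for the `ssh-rsa` wire format, so that both storage forms can be shown to yield the same key. It goes slightly beyond the thread by also accepting the single-line OpenSSH `ssh-rsa AAAA...` form that the ldapPublicKey schema is often populated with. The sample entry, DN and the deliberately tiny RSA modulus are constructed for the example and are not a usable key.

```python
"""Decode sshPublicKey values from LDIF and parse the SSH key they carry.

Added example; not code from ProFTPD or mod_sftp_ldap. Both LDIF storage
forms seen in this thread are handled:
  - 'sshPublicKey:: <base64>'  LDIF-layer base64 (RFC 2849) of a value that
                               contains newlines, e.g. an RFC 4716 block
  - 'sshPublicKey: <literal>'  a single-line value, e.g. 'ssh-rsa AAAA... c'
After LDIF decoding, an RFC 4716 body and an OpenSSH line carry the same
base64 of the same SSH wire-format blob, which is unpacked and checked.
"""
import base64
import struct
import textwrap

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def ldif_attributes(ldif_text):
    """Parse one LDIF entry into {attribute: [values]}.

    RFC 2849 rules applied here: a line starting with a single space continues
    the previous line (the space is dropped), and 'attr:: value' means the
    value is base64-encoded at the LDIF layer and is decoded before use.
    """
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    attrs = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                        # attr:: base64
            value = base64.b64decode(value[1:].strip()).decode()
        else:                                            # attr: literal
            value = value.strip()
        attrs.setdefault(name, []).append(value)
    return attrs


def parse_rfc4716(text):
    """Return (headers, key_blob) from an RFC 4716 public key block.

    Header lines ('Tag: value', continued by a trailing backslash) follow the
    BEGIN marker; base64 body lines never contain ':', so the first line
    without a colon starts the body.
    """
    lines = [l.rstrip("\r") for l in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 BEGIN/END markers")
    headers, i = {}, 1
    while i < len(lines) - 1 and ":" in lines[i]:
        tag, _, value = lines[i].partition(":")
        value = value.strip()
        while value.endswith("\\") and i + 2 < len(lines):   # continued header
            i += 1
            value = value[:-1] + lines[i]
        headers[tag.strip()] = value
        i += 1
    return headers, base64.b64decode("".join(lines[i:-1]), validate=True)


def parse_openssh(line):
    """Return (key_type, key_blob, comment) from 'ssh-rsa AAAA... comment'."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    comment = parts[2] if len(parts) == 3 else ""
    return parts[0], base64.b64decode(parts[1], validate=True), comment


def ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n):
    """RFC 4251 'mpint' for a positive integer: minimal big-endian bytes,
    with one leading zero byte when the top bit is set."""
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def read_string(blob, offset):
    """Read one RFC 4251 string; return (bytes, offset after it)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated SSH string")
    return blob[start:start + length], start + length


def decode_rsa_blob(blob):
    """Unpack 'string "ssh-rsa", mpint e, mpint n' (RFC 4253) into (e, n)."""
    key_type, off = read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("unsupported key type %r" % key_type)
    e_bytes, off = read_string(blob, off)
    n_bytes, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after RSA key")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def keys_from_ldif(ldif_text):
    """Return [(e, n)] for every sshPublicKey value in the entry, whichever
    LDIF form and key format each value uses."""
    keys = []
    for value in ldif_attributes(ldif_text).get("sshPublicKey", []):
        if value.startswith(BEGIN):
            _, blob = parse_rfc4716(value)
        else:
            _, blob, _ = parse_openssh(value)
        keys.append(decode_rsa_blob(blob))
    return keys


# Constructed sample: a deliberately tiny RSA modulus so the example is
# self-contained; it is not a usable key. Real keys are 2048 bits or more.
SAMPLE_E = 65537
SAMPLE_N = 0xC0FFEE1234567890ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(SAMPLE_E) + ssh_mpint(SAMPLE_N)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()

# The same key in RFC 4716 form: markers, a header, body wrapped at 70 columns.
SAMPLE_RFC4716 = "\n".join([BEGIN, 'Comment: "constructed test key"']
                           + textwrap.wrap(SAMPLE_B64, 70) + [END]) + "\n"

# The entry as ldapsearch prints it: the multi-line RFC 4716 value comes out
# as 'sshPublicKey::' (LDIF base64, folded onto continuation lines), while a
# single-line OpenSSH value can be stored with a single colon.
_ldif_b64 = base64.b64encode(SAMPLE_RFC4716.encode()).decode()
SAMPLE_LDIF = "\n".join(
    ["dn: cn=alice,dc=example,dc=com",
     "objectClass: posixAccount",
     "objectClass: ldapPublicKey",
     "uid: alice",
     "sshPublicKey:: " + _ldif_b64[:60]]
    + [" " + chunk for chunk in textwrap.wrap(_ldif_b64[60:], 76)]
    + ["sshPublicKey: ssh-rsa " + SAMPLE_B64 + " alice@example.com"]) + "\n"

if __name__ == "__main__":
    for e, n in keys_from_ldif(SAMPLE_LDIF):
        print("ssh-rsa key: e=%d, n is %d bits" % (e, n.bit_length()))
```

The point the decoding makes concrete: the `::` is LDIF's own transport encoding of a value that contains newlines and is removed by the LDIF reader, so what mod_sftp_ldap receives from the directory is the RFC 4716 text, not a second layer of base64; the base64 inside the BEGIN/END markers is the only encoding of the key itself.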

Castaglia commented 1 year ago

Could I also trouble you for the output of proftpd -vv? In particular, this should list the versions of the modules being used. I'm wondering if it's possible that the mod_sftp_ldap version being used isn't what I'm using locally.

olistubbs commented 1 year ago

Hi, sorry for the delay.

proftpd -vv

```
[root@233b53bbde79 /]# proftpd -vv
2023-06-14 12:31:00,008 233b53bbde79 proftpd[43] 233b53bbde79: 172.17.0.4:21 masquerading as 1.2.3.4
2023-06-14 12:31:00,020 233b53bbde79 proftpd[43] 233b53bbde79: LDAPServer: parsed URL 'ldap://${ldapServer}/??sub' as 'ldap://${ldapServer}:389/??sub'
2023-06-14 12:31:00,020 233b53bbde79 proftpd[43] 233b53bbde79: LDAPServer: parsed URL 'ldap://${ldapServer}/??sub' as 'ldap://${ldapServer}:389/??sub'
2023-06-14 12:31:00,027 233b53bbde79 proftpd[43] 233b53bbde79: mod_sftp/1.0.1: Server 'FTP Server': ListOptions directive is not supported by mod_sftp, and will be ignored
ProFTPD Version: 1.3.7f (maint)
  Scoreboard Version: 01040003
  Built: Tue Apr 25 2023 11:01:44 UTC

Loaded modules:
  mod_ldap/2.9.5
  mod_sftp_ldap/0.2
  mod_sftp/1.0.1
  mod_lang/1.1
  mod_ctrls/0.9.5
  mod_cap/1.1
  mod_dso/0.5
  mod_facts/0.6
  mod_delay/0.7
  mod_site.c
  mod_log/1.0
  mod_ls.c
  mod_auth.c
  mod_auth_file/1.0
  mod_auth_unix.c
  mod_rlimit/1.0
  mod_xfer.c
  mod_core.c
```

As for the double colon, AFAIK in LDAP that denotes a base64-encoded entry.

We have proftpd working with SSH keys on another system; however, mod_sftp_ldap was patched in after install using pcre, and this was built in as an RPM. And the keys are base64-encoded on the working version.

I will however see if I can change the ldap schema on the dev server to not automatically encode those entries.

Cheers!