where does pure-ftpd store files when anonymous logs in?
Even its man page is missing in Debian.
On Wed, Jul 09, 2025 at 23:08:05 +0200, hw wrote:
where does pure-ftpd store files when anonymous logs in?
Even its man page is missing in Debian.
According to packages.debian.org, the package "pure-ftpd" depends on
the package "pure-ftpd-common", and the latter has all the man pages:
<https://packages.debian.org/bookworm/all/pure-ftpd-common/filelist> /etc/ftpallow
/etc/logrotate.d/pure-ftpd-common
/etc/pam.d/pure-ftpd
/etc/pure-ftpd/auth/65unix
/etc/pure-ftpd/auth/70pam
/etc/pure-ftpd/conf/AltLog
/etc/pure-ftpd/conf/FSCharset
/etc/pure-ftpd/conf/MinUID
/etc/pure-ftpd/conf/NoAnonymous
/etc/pure-ftpd/conf/PAMAuthentication
/etc/pure-ftpd/conf/PureDB
/etc/pure-ftpd/conf/TLSCipherSuite
/etc/pure-ftpd/conf/UnixAuthentication
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pureftpd-dir-aliases
/usr/sbin/pure-ftpd-control
/usr/sbin/pure-ftpd-wrapper
/usr/share/doc/pure-ftpd-common/AUTHORS.gz /usr/share/doc/pure-ftpd-common/HISTORY /usr/share/doc/pure-ftpd-common/NEWS.Debian.gz /usr/share/doc/pure-ftpd-common/README.Authentication-Modules.gz /usr/share/doc/pure-ftpd-common/README.Configuration-File /usr/share/doc/pure-ftpd-common/README.Debian /usr/share/doc/pure-ftpd-common/README.Donations.gz /usr/share/doc/pure-ftpd-common/README.LDAP.gz /usr/share/doc/pure-ftpd-common/README.MySQL.gz /usr/share/doc/pure-ftpd-common/README.PGSQL.gz /usr/share/doc/pure-ftpd-common/README.TLS.gz /usr/share/doc/pure-ftpd-common/README.Virtual-Users.gz /usr/share/doc/pure-ftpd-common/README.gz /usr/share/doc/pure-ftpd-common/THANKS.gz /usr/share/doc/pure-ftpd-common/changelog.Debian.gz /usr/share/doc/pure-ftpd-common/changelog.gz /usr/share/doc/pure-ftpd-common/copyright /usr/share/doc/pure-ftpd-common/pureftpd.schema /usr/share/doc/pure-ftpd/FAQ.gz /usr/share/doc/pure-ftpd/README.Authentication-Modules.gz /usr/share/doc/pure-ftpd/README.Configuration-File /usr/share/doc/pure-ftpd/README.LDAP.gz /usr/share/doc/pure-ftpd/README.MacOS-X /usr/share/doc/pure-ftpd/README.MySQL.gz /usr/share/doc/pure-ftpd/README.PGSQL.gz /usr/share/doc/pure-ftpd/README.TLS.gz /usr/share/doc/pure-ftpd/README.Virtual-Users.gz /usr/share/doc/pure-ftpd/pure-ftpd.conf.gz /usr/share/doc/pure-ftpd/pureftpd-ldap.conf /usr/share/doc/pure-ftpd/pureftpd-mysql.conf /usr/share/doc/pure-ftpd/pureftpd-pgsql.conf /usr/share/doc/pure-ftpd/pureftpd.schema
/usr/share/man/man8/pure-authd.8.gz
/usr/share/man/man8/pure-certd.8.gz /usr/share/man/man8/pure-ftpd-control.8.gz /usr/share/man/man8/pure-ftpd-wrapper.8.gz
/usr/share/man/man8/pure-ftpd.8.gz
/usr/share/man/man8/pure-ftpwho.8.gz
/usr/share/man/man8/pure-mrtginfo.8.gz
/usr/share/man/man8/pure-pw.8.gz
/usr/share/man/man8/pure-pwconvert.8.gz /usr/share/man/man8/pure-quotacheck.8.gz /usr/share/man/man8/pure-statsdecode.8.gz /usr/share/man/man8/pure-uploadscript.8.gz
On Wed, 2025-07-09 at 20:19 -0400, Greg Wooledge wrote:
On Wed, Jul 09, 2025 at 23:08:05 +0200, hw wrote:
where does pure-ftpd store files when anonymous logs in?
Even its man page is missing in Debian.
According to packages.debian.org, the package "pure-ftpd" depends on
the package "pure-ftpd-common", and the latter has all the man pages:
# apt-get install pure-ftpd-common
[...]
pure-ftpd-common is already the newest version (1.0.50-2.1).
Oh, I should have tried 'man pure-ftpd' instead of 'man pure-ftp', I
guess.
According to the man page, it would use the home directory of the user
'ftp'. But that user doesn't exist. A long time ago, Debian had a
policy that packages must work out of the box, so why wasn't the user created? Has this policy been deprecated, or am I missing something?
<https://packages.debian.org/bookworm/all/pure-ftpd-common/filelist> /etc/ftpallow
/etc/logrotate.d/pure-ftpd-common
/etc/pam.d/pure-ftpd
/etc/pure-ftpd/auth/65unix
/etc/pure-ftpd/auth/70pam
/etc/pure-ftpd/conf/AltLog
/etc/pure-ftpd/conf/FSCharset
/etc/pure-ftpd/conf/MinUID
/etc/pure-ftpd/conf/NoAnonymous
/etc/pure-ftpd/conf/PAMAuthentication
/etc/pure-ftpd/conf/PureDB
/etc/pure-ftpd/conf/TLSCipherSuite
/etc/pure-ftpd/conf/UnixAuthentication
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pureftpd-dir-aliases
/usr/sbin/pure-ftpd-control
/usr/sbin/pure-ftpd-wrapper
/usr/share/doc/pure-ftpd-common/AUTHORS.gz /usr/share/doc/pure-ftpd-common/HISTORY /usr/share/doc/pure-ftpd-common/NEWS.Debian.gz /usr/share/doc/pure-ftpd-common/README.Authentication-Modules.gz /usr/share/doc/pure-ftpd-common/README.Configuration-File /usr/share/doc/pure-ftpd-common/README.Debian /usr/share/doc/pure-ftpd-common/README.Donations.gz /usr/share/doc/pure-ftpd-common/README.LDAP.gz /usr/share/doc/pure-ftpd-common/README.MySQL.gz /usr/share/doc/pure-ftpd-common/README.PGSQL.gz /usr/share/doc/pure-ftpd-common/README.TLS.gz /usr/share/doc/pure-ftpd-common/README.Virtual-Users.gz /usr/share/doc/pure-ftpd-common/README.gz /usr/share/doc/pure-ftpd-common/THANKS.gz /usr/share/doc/pure-ftpd-common/changelog.Debian.gz /usr/share/doc/pure-ftpd-common/changelog.gz /usr/share/doc/pure-ftpd-common/copyright /usr/share/doc/pure-ftpd-common/pureftpd.schema /usr/share/doc/pure-ftpd/FAQ.gz /usr/share/doc/pure-ftpd/README.Authentication-Modules.gz /usr/share/doc/pure-ftpd/README.Configuration-File /usr/share/doc/pure-ftpd/README.LDAP.gz /usr/share/doc/pure-ftpd/README.MacOS-X /usr/share/doc/pure-ftpd/README.MySQL.gz /usr/share/doc/pure-ftpd/README.PGSQL.gz /usr/share/doc/pure-ftpd/README.TLS.gz /usr/share/doc/pure-ftpd/README.Virtual-Users.gz /usr/share/doc/pure-ftpd/pure-ftpd.conf.gz /usr/share/doc/pure-ftpd/pureftpd-ldap.conf /usr/share/doc/pure-ftpd/pureftpd-mysql.conf /usr/share/doc/pure-ftpd/pureftpd-pgsql.conf /usr/share/doc/pure-ftpd/pureftpd.schema /usr/share/man/man8/pure-authd.8.gz
/usr/share/man/man8/pure-certd.8.gz /usr/share/man/man8/pure-ftpd-control.8.gz /usr/share/man/man8/pure-ftpd-wrapper.8.gz /usr/share/man/man8/pure-ftpd.8.gz
/usr/share/man/man8/pure-ftpwho.8.gz
/usr/share/man/man8/pure-mrtginfo.8.gz
/usr/share/man/man8/pure-pw.8.gz
/usr/share/man/man8/pure-pwconvert.8.gz /usr/share/man/man8/pure-quotacheck.8.gz /usr/share/man/man8/pure-statsdecode.8.gz /usr/share/man/man8/pure-uploadscript.8.gz
And why is is so difficult and troublesome on Debian?
It wasn't an issue at all on Fedora.
On Thu, Jul 10, 2025 at 4:49β―AM hw <hw@adminart.net> wrote:
On Wed, 2025-07-09 at 20:19 -0400, Greg Wooledge wrote:
On Wed, Jul 09, 2025 at 23:08:05 +0200, hw wrote:
where does pure-ftpd store files when anonymous logs in?
Even its man page is missing in Debian.
According to packages.debian.org, the package "pure-ftpd" depends on
the package "pure-ftpd-common", and the latter has all the man pages:
# apt-get install pure-ftpd-common
[...]
pure-ftpd-common is already the newest version (1.0.50-2.1).
Oh, I should have tried 'man pure-ftpd' instead of 'man pure-ftp', I
guess.
According to the man page, it would use the home directory of the user 'ftp'. But that user doesn't exist. A long time ago, Debian had a
policy that packages must work out of the box, so why wasn't the user created? Has this policy been deprecated, or am I missing something?
Anonymous logins are not enabled by default (if I recall correctly).
See the PureFTP FAQ at </usr/share/doc/pure-ftpd/FAQ.gz>. From the
FAQ:
<SNIP>
* Anonymous FTP with virtual users.
I successfully created a virtual user called 'ftp' or 'anonymous', butanonymous FTP doesn't work.
Pure-FTPd never fetch any info from the virtual users backends (puredb, MySQL, LDAP, etc) for anonymous sessions. There are three reasons not to do so: - Speed: do we need to query a database just to get the anonymous
user's home directory? We don't need to retrieve any password for anonymous sessions.
- Consistency: with the virtual hosting mechanism.
To run an anonymous FTP server you must have a *system* account called
'ftp'. Don't give it any valid shell, just a home directory. That home directory is the anonymous area.
</SNIP>
Right. Anonymous logins are allowed and I have created a system account 'ftp', and it still doesn't work. It keeps asking for a password when
trying to log in as 'anonymous' or 'ftp'.
I have the same on Fedora, and there it does not ask for a password when trying to log in as 'anonymous', and it just works fine.
This must be some kind of weird Debian issue. Why does it keep asking
for a password?
On Thu, 2025-07-10 at 12:55 +0200, tomas@tuxteam.de wrote:
I'd have a look at /var/log/auth.log, or however this is spelt in systemd-ese these days.
The log says nothing new:
[...] pure-ftpd: pam_unix(pure-ftpd:auth): authentication failure;
logname= uid=0 euid=0 tty=pure-ftpd ruser=anonymous rhost=[...]
[...] pure-ftpd: pam_unix(pure-ftpd:auth): authentication failure;
logname= uid=0 euid=0 tty=pure-ftpd ruser=ftp rhost=[...] user=ftp
On Thu, Jul 10, 2025 at 12:45:22PM +0200, hw wrote:
Right. Anonymous logins are allowed and I have created a system account 'ftp', and it still doesn't work. It keeps asking for a password when trying to log in as 'anonymous' or 'ftp'.
I have the same on Fedora, and there it does not ask for a password when trying to log in as 'anonymous', and it just works fine.
This must be some kind of weird Debian issue. Why does it keep asking
for a password?
I'd have a look at /var/log/auth.log, or however this is spelt in
systemd-ese these days.
On Thu, Jul 10, 2025 at 01:41:51PM +0200, hw wrote:
On Thu, 2025-07-10 at 12:55 +0200, tomas@tuxteam.de wrote:
[...]
I'd have a look at /var/log/auth.log, or however this is spelt in systemd-ese these days.
The log says nothing new:
[...] pure-ftpd: pam_unix(pure-ftpd:auth): authentication failure;
logname= uid=0 euid=0 tty=pure-ftpd ruser=anonymous rhost=[...]
[...] pure-ftpd: pam_unix(pure-ftpd:auth): authentication failure;
logname= uid=0 euid=0 tty=pure-ftpd ruser=ftp rhost=[...] user=ftp
Still interesting that it asks PAM...
Right. Anonymous logins are allowed and I have created a system account 'ftp', and it still doesn't work. It keeps asking for a password when
trying to log in as 'anonymous' or 'ftp'.
So am I to assume that it's broken on Debian
On Thu Jul 10, 2025 at 3:25 PM BST, hw wrote:
So am I to assume that it's broken on Debian
The problem could be the presence of /etc/pure-ftpd/conf/NoAnonymous,
which causes the start-up wrapper to pass -E (= --noanonymous) to the daemon. Try removing that file and restarting the daemon.
I would consider the contradiction between
/etc/pure-ftpd/conf/NoAnonymous and /etc/pure-ftpd/pure-ftpd.conf to be
a package bug at the very least.
On Thu Jul 10, 2025 at 11:45 AM BST, hw wrote:
Right. Anonymous logins are allowed and I have created a system account 'ftp', and it still doesn't work. It keeps asking for a password when trying to log in as 'anonymous' or 'ftp'.
Conventionally, when logging into an anonymous ftp server, as a user, at least in my experience, you would provide your email address as the
password. Try that? (Or a fake email?)
When running it on Debian, filezilla shows a password request for
anonymous logins, and the login fails. This is not what the man page
says. The ftp user doesn't have a password anyway. Apparently,
Debians pure-ftpd version doesn't understand that it must not ask for
a password for anonymous logins for unknown reasons.
On 7/10/25 18:58, hw wrote:
On Thu, 2025-07-10 at 16:28 +0100, Jonathan Dowland wrote:
On Thu Jul 10, 2025 at 11:45 AM BST, hw wrote:
Right. Anonymous logins are allowed and I have created a system account
'ftp', and it still doesn't work. It keeps asking for a password when trying to log in as 'anonymous' or 'ftp'.
Conventionally, when logging into an anonymous ftp server, as a user, at least in my experience, you would provide your email address as the password. Try that? (Or a fake email?)
Right again. Yet when you use filezilla with pure-ftpd running on
Fedora, you can see that there is no password request showing up in the logging output in filezilla for anonymous logins. It's as the man page says.
When running it on Debian, filezilla shows a password request for
anonymous logins, and the login fails. This is not what the man page
says. The ftp user doesn't have a password anyway. Apparently, Debians
Look at the config on both distros and see what's different.
On Thu, 2025-07-10 at 13:55 -0400, Jeffrey Walton wrote:
[...]
Nowadays it seems like scp and sftp are the norm, not ftp.
(S)FTP is still in use like for cameras, scanners (printers) and phones.
For local usages I don't want to do all the hassle the certificates
bring about unless it particularly makes sense to use encryption.
(S)FTP is still in use like for cameras, scanners (printers) and phones.
On Thu, Jul 10, 2025 at 1:39β―PM Charles Curley <charlescurley@charlescurley.com> wrote:
On Thu, 10 Jul 2025 18:58:03 +0200
hw <hw@adminart.net> wrote:
When running it on Debian, filezilla shows a password request for anonymous logins, and the login fails. This is not what the man page says. The ftp user doesn't have a password anyway. Apparently,
Debians pure-ftpd version doesn't understand that it must not ask for
a password for anonymous logins for unknown reasons.
I seem to recall that the anonymous was exactly that, anonymous. I.e.
the server would let anyone log in. But that didn't mean no login,
like a web page. It meant you logged in with the user name "anonymous"
and any password you liked.
Since the Internet was much smaller, more friendly, and more courteous,
FTP site operators liked to know who there users were. So it became the custom to use your email address as your password, thus identifying yourself to your kindly hosts.
Yeah, that's what I remember, too. Back when FTP was used.
Nowadays it seems like scp and sftp are the norm, not ftp.
The Debian package doesn't seem to be managed well. It even still
uses an init.d script instead of a service file.
Debian keeps letting me down now every time. It's scary to see that
it has gone that bad. I was hoping to put it on some servers, but I
might have to go with Fedora instead.
| Sysop: | Keyop |
|---|---|
| Location: | Huddersfield, West Yorkshire, UK |
| Users: | 546 |
| Nodes: | 16 (2 / 14) |
| Uptime: | 153:23:08 |
| Calls: | 10,383 |
| Files: | 14,054 |
| Messages: | 6,417,839 |