Re: FTP/SSL fails at server (550 Views)
Occasional Contributor
ranger57
Posts: 5
Registered: ‎08-30-2011
Message 1 of 6 (609 Views)

FTP/SSL fails at server

Hello.

We have been having problems establishing an FTP session over SSL from our OpenVMS client to a Linux server.

We are running v8.3-1h1 of VMS, TCPIP services v5.7 ECO 3 and SSL v1.4.

The Linux ftp server is in our DMZ and not behind a firewall.

These are the errors we see from the Linux server:


PINACO>ftp/ssl sftp.xxxxxx.org
220-Welcome to Pure-FTPd.
220-You are user number 1 of 15 allowed.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Connected to crpvlx2sftp1.xxxxxxx.org.
234 AUTH TLS OK.
200 PBSZ=0
200 Data protection level set to "private"
Name (crpvlx2sftp1.xxxxxx.org:sysjames): smithj
331 User smithj OK. Password required
Password:
230-User smithj has group access to: sftp-lum-g
230-OK. Current restricted directory is /
230-8888 88 88 88 8888888888
230-88888 88 888 888 8888 8888
230-88 888 88 888 888 888
230-88 888 88 888888 88
230-88 888 88 8888 88
230-88 888 88 88 888
230-88 88888 88 888 8888
230-88 8888 88 88888888
230-
230-
230-88 88 88 88 8888888888
230-88 88 88 88 8888 8888
230-88 88 88 88 888
230-88888888 88888888 88
230-88888888 88888888 88
230-88 88 88 88 888
230-88 88 88 88 888 8888
230-88 88 88 88 88888888
230
FTP>
FTP> debug
Debugging on (debug=1).
FTP>
FTP>
FTP> pwd
---> PWD
257 "/" is your current location
FTP>
FTP> cd officemax
---> CWD officemax
250 OK. Current directory is /OfficeMax
FTP>
FTP> pwd
---> PWD
257 "/OfficeMax" is your current location
FTP>
FTP> ls -l
---> PORT 172,23,160,23,193,65
200 PORT command successful
---> NLST -l
425 Could not open data connection to port 49473: Connection timed out
%TCPIP-E-FTP_NOSUCHFILE, no such file -l
FTP>
FTP> dir
---> PORT 172,23,160,23,193,66
200 PORT command successful
---> LIST
425 Could not open data connection to port 49474: Connection timed out
%TCPIP-E-FTP_NOSUCHFILE, no such file (* or directory)
FTP>
FTP> pwd
---> PWD
257 "/OfficeMax" is your current location
FTP>
FTP> get testfile.txt
---> PORT 172,23,160,23,193,67
200 PORT command successful
---> RETR testfile.txt
425 Could not open data connection to port 49475: Connection timed out
FTP>
FTP>
FTP> ls -a testfile.txt
---> PORT 172,23,160,23,193,68
200 PORT command successful
---> NLST -a
425 Could not open data connection to port 49476: Connection timed out
%TCPIP-E-FTP_NOSUCHFILE, no such file -a
FTP>
FTP>
FTP> ls - a
---> PORT 172,23,160,23,193,69
200 PORT command successful
---> NLST -
425 Could not open data connection to port 49477: Connection timed out
%TCPIP-E-FTP_NOSUCHFILE, no such file -
FTP>

So, as you can see, we can log in to the Linux server successfully and can also do commands like pwd.  Any other command, however, fails.  Any ideas?

Thanks in advance.

Honored Contributor
Richard Brodie_1
Posts: 582
Registered: ‎10-09-2003
Message 2 of 6 (601 Views)

Re: FTP/SSL fails at server

It appears to be a problem with the data channel somewhere, which often is a firewall problem.

How about trying "passive" after you log on?

Occasional Contributor
ranger57
Posts: 5
Registered: ‎08-30-2011
Message 3 of 6 (595 Views)

Re: FTP/SSL fails at server

By "passive" I'll assume you mean 'pasv'?  I'll try that, thank you.

Honored Contributor
Steven Schweda
Posts: 9,084
Registered: ‎02-23-2005
Message 4 of 6 (586 Views)

Re: FTP/SSL fails at server

Honored Contributor
The Brit
Posts: 1,291
Registered: ‎06-18-2007
Message 5 of 6 (558 Views)

Re: FTP/SSL fails at server

I don't know the answer to your problem; however, I have seen something similar when I was trying to set up IP clustering (TCPIP V5.7, ECO 3, with OpenVMS 8.4, SSL 1.4). I found that I could log in via FTP (without "/SSL") to the other cluster node; however, I couldn't see any files, and I got the same error indicating a problem establishing the "data" channel. This issue was never resolved. I assumed it was something to do with my choice of clustering IPs.

At that point it went onto the back burner, for later resolution. (Other issues to deal with.)

Don't know if this is of any use to you, but I would be interested in any resolution you find.

Dave.

Honored Contributor
Hoff
Posts: 4,931
Registered: ‎01-29-2006
Message 6 of 6 (550 Views)

Re: FTP/SSL fails at server

Before being allowed to use FTP (and enforced by a typical modern network design), consider that the network administrator must be able to provide answers to the following questions.

1: Is it permissible to post the server login credentials for all to access?

2: Do you need user accountability?

3: Does the client or does the server originate the data channel connection when in passive mode?

4: Which IP port(s) are used by FTP on your client, and on your server?

 

If you can answer all of these correctly, then you have a start at understanding why ftp is a problem here.

 

sftp is vastly easier to deal with in modern networks, assuming a version that doesn't have those sequential-file corruption bugs is available to you.

 

Answer Key:

1: FTP transmits login user and password in cleartext. Tools are widely available to monitor for these credentials.

2: If you do, you'll want to use sftp, as access to ftp credentials is insecure.

3: From server to client, meaning any managed switches and any firewalls between the server and the client must expect an incoming ftp connection. (Active-mode transfers require a second connection from client to server, which means the server firewall needs a range of ports open, or the device needs to understand the ftp protocol and automatically open the appropriate port.)

4: "The ephemeral port range": AIX and HP-UX use 32768 through 65535, OpenVMS and OS X and OS X Server use 49152 to 65535, and other implementations may vary. You'll need to keep this port range accessible on managed switches and firewalls on whichever end receives the (active or passive) data connection.
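The failing session in the first message and the port-range discussion in this post are two views of the same mechanism: in a PORT (active) transfer the client listens on an ephemeral port and the server must connect back to it, while in a PASV (passive) transfer the server listens and the client connects. The script below is an added example, not code from the thread or from TCPIP Services; it decodes the six-number PORT/227 argument per RFC 959, walks a client debug transcript, and reports which side must accept the inbound data connection and whether the port lies in that side's ephemeral range as quoted above. The first five transcript lines are the real PORT/425 exchange from message 1; the passive exchange (the PASV command, the 227 reply with address 203.0.113.10, and the 150/226 replies) is constructed for illustration, and the OS-to-range table contains only the values stated in this post.

```python
import re

# Ephemeral port ranges exactly as quoted in this post (assumption: nothing
# beyond these; other TCP/IP implementations vary).
EPHEMERAL_RANGES = {
    "openvms": (49152, 65535),
    "os x": (49152, 65535),
    "aix": (32768, 65535),
    "hp-ux": (32768, 65535),
}

# Client-sent PORT (active), server 227 reply (passive), 425 failure, 125/150 opened.
PORT_RE = re.compile(r"^---> PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
FAIL_RE = re.compile(r"^425 .*?port (\d+)")
OPEN_RE = re.compile(r"^(125|150) ")


def decode_hostport(h1, h2, h3, h4, p1, p2):
    """Decode the RFC 959 host/port argument: four address octets, then
    port = p1 * 256 + p2.  Used by both the PORT command and the 227 reply."""
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


def analyse_session(lines, client_os="openvms", server_os="openvms"):
    """Walk a client-side debug transcript and record each data-channel
    attempt: mode, which side listens, address/port, whether that port is in
    the listener's ephemeral range, and whether the channel opened or failed."""
    attempts, current = [], None
    for raw in lines:
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:  # active: client announces the port it is listening on
            ip, port = decode_hostport(*m.groups())
            lo, hi = EPHEMERAL_RANGES[client_os]
            current = {"mode": "active", "listener": "client", "ip": ip,
                       "port": port, "in_ephemeral": lo <= port <= hi,
                       "status": "pending"}
            attempts.append(current)
            continue
        m = PASV_RE.match(line)
        if m:  # passive: server announces the port the client must connect to
            ip, port = decode_hostport(*m.groups())
            lo, hi = EPHEMERAL_RANGES[server_os]
            current = {"mode": "passive", "listener": "server", "ip": ip,
                       "port": port, "in_ephemeral": lo <= port <= hi,
                       "status": "pending"}
            attempts.append(current)
            continue
        if current is None:
            continue
        m = FAIL_RE.match(line)
        if m:  # 425: the connecting side could not reach the listener
            current["status"] = "failed"
            current["reported_port"] = int(m.group(1))
            current = None
        elif OPEN_RE.match(line):  # 125/150: data connection established
            current["status"] = "opened"
            current = None
    return attempts


def firewall_requirement(attempt):
    """State what the network between client and server must permit."""
    origin = "server" if attempt["listener"] == "client" else "client"
    return (f"{attempt['mode']}: {origin} must be able to open a TCP connection "
            f"to {attempt['listener']} at {attempt['ip']}:{attempt['port']} "
            f"(in listener's ephemeral range: {attempt['in_ephemeral']}); "
            f"result: {attempt['status']}")


# Constructed transcript: active lines copied from message 1, passive lines invented.
SAMPLE_TRANSCRIPT = """\
FTP> ls -l
---> PORT 172,23,160,23,193,65
200 PORT command successful
---> NLST -l
425 Could not open data connection to port 49473: Connection timed out
FTP> pasv
---> PASV
227 Entering Passive Mode (203,0,113,10,200,10)
---> LIST
150 Accepted data connection
226 Transfer complete
""".splitlines()

if __name__ == "__main__":
    for attempt in analyse_session(SAMPLE_TRANSCRIPT):
        print(firewall_requirement(attempt))
```

Run against the sample, the first attempt decodes to 172.23.160.23:49473, matching the port named in the 425 reply and sitting inside the OpenVMS 49152–65535 range, which is why the server-to-client return connection is what the DMZ-side network would have to permit; the passive attempt instead requires only a client-to-server connection on the port the server announced.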
