fix(ftp): agent self-heals vsftpd config + /etc/shells (fixes 530 login) #24
Merged
…lly works
FTP set the system user's password correctly, but login was refused with "530
Login incorrect" because vsftpd wasn't actually CONFIGURED for local-user FTP on
the node — the config only ever came from the one-time install script. A node
installed before that block existed, or where vsftpd was auto-installed later by
ensure_vsftpd_running, has:
- Debian's stock /etc/vsftpd.conf (local_enable commented → NO), and/or
- an /etc/shells without /usr/sbin/nologin, so the vsftpd PAM's pam_shells
rejects every hosting user (they have a nologin shell).
ensure_vsftpd_running only STARTED vsftpd (its doc claimed it wrote "our local
config block" — it never did). Add ensure_vsftpd_configured(), called on every
FTP-enable, which idempotently installs the Hyperion vsftpd.conf (backing up the
original) + adds /usr/sbin/nologin,/bin/false to /etc/shells + restarts vsftpd
only when the config was wrong.
clippy -D warnings clean; config-directive sanity test + adapters suite green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The bug
FTP set the system user's password fine, but login was refused (530 Login incorrect) because vsftpd was never actually configured for local-user FTP on the node — that setup only lived in the one-time install script. A node installed before that block existed (or where vsftpd got auto-installed later by the agent) ends up with:
- /etc/vsftpd.conf (local_enable commented → NO) → local users can't log in; and/or
- /etc/shells without /usr/sbin/nologin → the vsftpd PAM's pam_shells rejects every hosting user (they have a nologin shell).
ensure_vsftpd_running only started the service — its doc even claimed it wrote "our local config block", but it never did.
Fix
New ensure_vsftpd_configured(), called on every FTP-enable, idempotently:
- vsftpd.conf (local_enable/chroot/pam_service_name/…), backing up the original as *.hyperion-orig (mirrors the installer);
- /usr/sbin/nologin + /bin/false to /etc/shells;
So FTP works regardless of when/how the node was set up.
On s4 after deploy
Update, then re-hit Set FTP password on the hosting — that runs the self-heal (writes config + /etc/shells + restarts vsftpd) and the login will work.
Test
clippy -D warnings clean; config-directive sanity test + adapters suite green.
🤖 Generated with Claude Code
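The two preconditions described above (an effective local_enable in vsftpd.conf, and the hosting users' nologin shells listed in /etc/shells) can be checked and repaired idempotently. The Rust below is an added example, not code from this pull request; the function names and the sample file contents are constructed for illustration.

```rust
// Added example; function names are hypothetical, not the Hyperion agent's own.

/// Shells the PR adds so pam_shells accepts hosting users.
const REQUIRED_SHELLS: [&str; 2] = ["/usr/sbin/nologin", "/bin/false"];

/// Effective local_enable: off by default, and a "#local_enable=YES" line is
/// a comment that does not count.
/// Assumptions: a later setting overrides an earlier one, and only YES
/// (any case) is treated as enabled here.
fn local_enable_is_on(conf: &str) -> bool {
    let mut on = false;
    for line in conf.lines() {
        if let Some(value) = line.strip_prefix("local_enable=") {
            on = value.trim().eq_ignore_ascii_case("YES");
        }
    }
    on
}

/// Returns the new /etc/shells text and whether anything had to be appended.
/// Running it on its own output changes nothing (idempotent).
fn ensure_shells(shells: &str) -> (String, bool) {
    let mut out = shells.to_string();
    let mut changed = false;
    for want in REQUIRED_SHELLS {
        if shells.lines().any(|l| l.trim() == want) {
            continue; // already listed, uncommented
        }
        if !out.is_empty() && !out.ends_with('\n') {
            out.push('\n'); // file lacked a trailing newline
        }
        out.push_str(want);
        out.push('\n');
        changed = true;
    }
    (out, changed)
}

fn main() {
    // Constructed samples: a stock-style config and a shells file without nologin.
    let conf = "listen=NO\nanonymous_enable=NO\n#local_enable=YES\n";
    let shells = "/bin/sh\n/bin/bash";
    println!("local_enable effective: {}", local_enable_is_on(conf));
    let (fixed, changed) = ensure_shells(shells);
    println!("shells changed: {}\n{}", changed, fixed);
    println!("second pass changes: {}", ensure_shells(&fixed).1);
}
```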