How do I get lftp to use SSL/TLS security mechanis

2020-07-09 02:54发布

站内问答 / 前沿技术
1046 7 4

I'm trying to log into an ftps site. I've tried giving the login creds at the command line (and putting set parameters in ~/.lftprc, then opening an lftp session and typing those parameters with lftp job control statements. Regardless, I keep hitting the same roadblock:

 421 Sorry, cleartext sessions are not accepted on this server.
 Please reconnect using SSL/TLS security mechanisms.

I got furthest with the following parameters, but keep getting the error above.

How do I get lftp to use SSL/TLS security mechanism from the command line?

The objective is to script the access to this ftps site using bash (programming without using expect).

 lftp
 lftp :~> set ssl-allow false
 lftp :~> set passive-mode yes
 lftp :~> open ftp.abc.com
 lftp ftp.abc.com:~> login theuser
 Password:
 lftp theuser@ftp.abc.com:~> cd
  `cd' at 0 [Delaying before reconnect: 26]
 CTRL-C
 lftp theuser@ftp.abc.com:~> debug
 lftp theuser@ftp.abc.com:~> cd
 ---- Connecting to ftp.abc.com (XX.XXX.XX.XX) port 21
 <--- 220-Welcome to the Yahoo! Web Hosting FTP server
 <--- 220-Need help? Get all details at:
 <--- 220-http://help.yahoo.com/help/us/webhosting/gftp/
 <--- 220-
 <--- 220-No anonymous logins accepted.
 <--- 220-Yahoo!
 <--- 220-Local time is now 15:30. Server port: 21.
 <--- 220-This is a private system - No anonymous login
 <--- 220 You will be disconnected after 5 minutes of inactivity.
 ---> FEAT
 <--- 211-Extensions supported:
 <---  EPRT
 <---  IDLE
 <---  MDTM
 <---  SIZE
 <---  MFMT
 <---  REST STREAM
 <---  MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
 <---  MLSD
 <---  XDBG
 <---  AUTH TLS
 <---  PBSZ
 <---  PROT
 <---  TVFS
 <---  ESTA
 <---  PASV
 <---  EPSV
 <---  SPSV
 <---  ESTP
 <--- 211 End.
 ---> OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
 <--- 200  MLST OPTS type;size;sizd;modify;UNIX.mode;UNIX.uid;UNIX.gid;unique;
 ---> USER theuser
 <--- 421 Sorry, cleartext sessions are not accepted on this server.
 Please reconnect using SSL/TLS security mechanisms.

7条回答
2楼-- · 2020-07-09 02:55

lftp :~> set ssl-allow false

You've explicitly set ssl-allow to false. But this must be true if lftp should attempt to use SSL.

查看更多
0人赞 添加讨论(0) 举报
疯言疯语
3楼-- · 2020-07-09 03:01

You might also need to 

set ssl:verify-certificate no
查看更多
0人赞 添加讨论(0) 举报
我欲成王,谁敢阻挡
4楼-- · 2020-07-09 03:02

This worked for me for a FTPS server connection (with port 990, but not necessary to specify) using lftp

code: lftp ftps://USER:PASSWORD@server.com -c "set ssl:verify-certificate false;"

then: do stuff

more info at: how-to-avoid-lftp-certificate-verification-error

查看更多
0人赞 添加讨论(0) 举报
萌系小妹纸
5楼-- · 2020-07-09 03:11

It seems like lftp is not configured correctly on many systems, which makes it unable to verify server certificates (producing Fatal error: Certificate verification: Not trusted).

The web (and answers in this post) is full of suggestions to fix this by disabling certificate verification or encryption altogether. This is unsecure as it allows man-in-the-middle attacks to pass unnoticed.

The better solution is to configure certificate verification correctly, which is easy, fortunately. To do so, add the following line to /etc/lftp.conf (or alternatively ~/.lftp/rc, or ~/.config/lftp/rc):

set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"

ca-certificates.crt is a file that contains all CA certificates of the system. The location used above is the one from Ubuntu and may vary on different systems. To generate or update the file, run update-ca-certificates:

sudo update-ca-certificates

If your system does not have this command, you can create one manually like this:

cat /etc/ssl/certs/*.pem | sudo tee /etc/ssl/certs/ca-certificates.crt > /dev/null
查看更多
0人赞 添加讨论(0) 举报
Summer. ? 凉城
6楼-- · 2020-07-09 03:14

What worked for me step by step with lftp:

  1. get certificate of host with openssl s_client -connect <ftp_hostname>:21 -starttls ftp, at the begining of result I got something like -----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE-----
  2. copy that -----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE----- into /etc/ssl/certs/ca-certificates.crt
  3. Into lftp configuration reference this certificate file adding to /etc/lftp.conf for systemwide set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
  4. and then do your sync or whatever with lftp, on my case it is lftp -u "${FTP_USER},${FTP_PWD}" ${FTP_HOST} -e "set net:timeout 10;mirror ${EXCLUDES} -R ${LOCAL_SOURCE_PATH} ${REMOTE_DEST_PATH} ; quit"
查看更多
0人赞 添加讨论(0) 举报
爱情/是我丢掉的垃圾
7楼-- · 2020-07-09 03:19

Setting ftp:ssl-allow true didn't work for me.

By typing set:

lftp :~> set

I noticed this:

set ftp:ssl-allow true
set ftp:ssl-allow/XXX.XXX.XXX.XXX no

with XXX.XXX.XXX.XXX being the server, I was logging into.

So the final set of commands I needed was:

lftp :~> set ftp:ssl-allow true
lftp :~> set ftp:ssl-allow/XXX.XXX.XXX.XXX true
lftp :~> set ssl:verify-certificate no
查看更多
0人赞 添加讨论(0) 举报
1 2 下一页
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)