NAS 542 - only root can login through sftp

I have set up my NAS 542 as a ftp server and port forwarded through my router.  When I use Filezilla to login using SFTP to the ftp server from a remote location it works.  When I try and login as any other user it rejects my password with "Authentication failed". 

I need to set up client sftp logins so that they can download and upload from the dedicated share folder I've set up.
I had no problem setting this up on my two Zyxel 325v2 NAS systems.  It was also very straightforward on my Synology NAS.  I can't figure out what the problem is on the NAS 542.

I also tried logging in through SSH and again the root account can log in but no-one else.  This may be unrelated I guess.

Any help gratefully appreciated.

All Replies

  • Mijzelf
    Mijzelf Posts: 1,977  Guru Member
    I have set up my NAS 542 as a ftp server and port forwarded through my router.  When I use Filezilla to login using SFTP to the ftp server from a remote location it works.

    SFTP has nothing to do with FTP. For FTP you forward port 21, and a bunch of data ports, for SFTP you forward port 22.

    SFTP is not officially supported, but because it's built into SSH, it does work. As SSH uses Linux shell login, which is only possible for root and admin, other users can't use it. The FTP login uses a PAM plugin which uses SAMBA login, which is available for all users.

    Maybe you can temporarily grant access for other users by executing 'passwd <user>' as root in an SSH shell, and setting a password. This won't survive a reboot.

  • JPDoc
    JPDoc Posts: 8
    Thanks for taking the time to answer - I should have been clearer.  I tried both FTP and SFTP with the ports set correctly and neither works for any user but root.  Yet FTP works on both my zyxel 325 units (but not SFTP, not surprisingly).  And both FTP and SFTP work fine on my Synology, so I guess they officially support both.

    I do understand that FTP is different from SFTP but given that most ftp clients (Filezilla, for example) have SFTP as an option these days - in fact most of them default to SFTP for security reasons - I'm surprised that Zyxel haven't officially supported it yet.  I'll try the PAM shell command but I really need to find an answer as at the moment the only one who can use my ftp server is me, not my clients.  I could use FTP (as opposed to SFTP) if I had to (and could get it to work!) but it's certainly not ideal. 

  • Mijzelf
    Mijzelf Posts: 1,977  Guru Member
    I tried both FTP and SFTP with the ports set correctly and neither works for any user but root.

    Are you sure about FTP? Didn't you forget to give the user FTP access, in the users/share menu?

    (but not SFTP, not surprisingly)
    Have you installed the ssh server package? If yes, and SFTP doesn't work, SCP should.

    You can try FTPES, which is supported, and what basically is FTP over SSL. The FTP server on the 542 (and also on the 325 AFAIK) accepts an FTPES login on port 21. If you install the Tweaks package, you can force FTPES.
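
Added example, not part of the posts above and not Zyxel or Tweaks code: a Python check of whether an FTP server on port 21 only offers FTPES or actually forces it, which is the difference the reply above draws. The sample replies are constructed (not captured from a NAS 542), and treating any refusal of a cleartext `USER` as "forced" is an assumption of this sketch.

```python
import ftplib
import sys

# Constructed sample replies, used for offline checks of the classifier.
SAMPLE_FEAT_TLS = "211-Features:\n AUTH TLS\n PBSZ\n PROT\n UTF8\n211 End"
SAMPLE_FEAT_PLAIN = "211-Features:\n UTF8\n SIZE\n211 End"


def parse_feat(reply):
    """Feature names from a multi-line FEAT reply (feature lines start with a space)."""
    return {ln.strip().upper() for ln in reply.splitlines() if ln.startswith(" ")}


def tls_posture(feat_reply, plain_user_reply):
    """Classify a server from its FEAT reply and its reply to a cleartext USER."""
    feats = parse_feat(feat_reply)
    if not any(f.startswith("AUTH") and "TLS" in f for f in feats):
        return "no-tls"          # passwords can only travel in cleartext
    # 331 (password required) or 230 (logged in) before AUTH TLS means the
    # server is still willing to run the login without encryption.
    if plain_user_reply[:3] in ("331", "230"):
        return "tls-optional"
    return "tls-forced"          # assumption: any refusal means TLS is required


def probe(host, port=21, timeout=10):
    """Live check: send FEAT, then USER without TLS. No password is ever sent."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        try:
            feat = ftp.sendcmd("FEAT")
        except (ftplib.error_perm, ftplib.error_temp) as exc:
            feat = str(exc)      # server does not implement FEAT
        try:
            user = ftp.sendcmd("USER posture-check")  # hypothetical account name
        except (ftplib.error_perm, ftplib.error_temp) as exc:
            user = str(exc)
        return tls_posture(feat, user)
    finally:
        ftp.close()              # drop the connection without logging in


if __name__ == "__main__" and len(sys.argv) > 1:
    print(probe(sys.argv[1]))
```

A result of `tls-optional` means a client left on plain FTP will still log in and send its password unencrypted, so the forwarded port is only protected when the result is `tls-forced`.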
  • JPDoc
    JPDoc Posts: 8
    Thanks again Mijzelf.  I had set the share access correctly but it got me thinking.  I tried accessing the share with FTP over the local network and it worked, so I tracked the issue down to a port forwarding conflict in the fritzbox router that was left over from the previous FTP setup using the 325v2.  When I cleared that up plain ftp started working for non root users.

    I'd still like to get something more secure working, though.  When you say "have you installed the SSH server package" - I enabled ssh in the 542 interface, is that what you mean?  Under "apps" there isn't a SSH package that I can see.  I can SSH into the 542 as root but not as anyone else, which is I believe by design.

    I looked into FTPES and am very intrigued by your Tweaks package, and will investigate it when I can - looks like a terrific aid.  I'm still a bit mis that zyxel don't support SFTP, though - the likes of SCP and FTPS and FTPES are viable even to someone of my limited programming skills but I'm lucky if I can get my clients to deal with Filezilla and select the SFTP dropdown, never mind anything even slightly more involved!
  • Mijzelf
    Mijzelf Posts: 1,977  Guru Member
    When you say "have you installed the SSH server package" - I enabled ssh in the 542 interface, is that what you mean?
    I meant the ssh package for the 325, to enable SFTP on it.
    I can SSH into the 542 as root but not as anyone else, which is I believe by design.
    You should be able to login as admin. And yes, that is by design. The user access rights for shares are not designed to resist a user with shell access.