I've been reading this a lot, especially the part at the bottom where it
talks about virtual hosts and proftpd
http://www.castaglia.org/proftpd/doc/README.PAM.html
# This is the PAM configuration file that will be referenced when
# authenticating. It can be set globally and/or per VirtualHost.
# The default is 'ftp'.
AuthPAMConfig ftp
The default setting is 'ftp'. However, if you set AuthPAMConfig to be
'ftp.myhost', for example, ProFTPD will try to use the PAM
authentication settings for ftp.myhost, assuming you've set up your PAM
configuration file(s) properly. To use the above example with FreeBSD,
you would need to add lines such as the following:
ftp.myhost auth required pam_unix.so try_first_pass
ftp.myhost account required pam_unix.so try_first_pass
I'd have to see what your /etc/proftpd.conf says for your vhost users
but it seems something's not matching up with the pam service name.
--sean
Mike Garfias wrote:
>account sufficient pam_unix.so
>account sufficient pam_pgsql.so
>auth sufficient pam_unix.so nullok_secure
>auth sufficient pam_pgsql.so
>
>The pam_unix.so lines are there for testing. Once it works, they're coming
>out. Only virtual users will be connecting via FTP.
>
>However, I can put whatever I want in that file, and nothing changes, as
>proftpd NEVER makes a pam call.
>
>Here is output of proftpd starting up:
>
># strace proftpd -nd10 2>&1 | grep -i pam
>open("/lib/libpam.so.0", O_RDONLY) = 3
>write(2, " - dispatching directive \'AuthPA"..., 58 - dispatching directive
>'AuthPAM' to module mod_auth_pam
>write(2, " - dispatching directive \'AuthPA"..., 64 - dispatching directive
>'AuthPAMConfig' to module mod_auth_pam
>write(2, "localhost.localdomain - AuthPAM\n", 32localhost.localdomain -
>AuthPAM
>write(2, "localhost.localdomain - AuthPAMC"..., 38localhost.localdomain -
>AuthPAMConfig
>
>When I try to connect, I get no further output. If instead I grep for 'auth',
>I get lots of mod_sql and mod_auth_unix calls, but never a pam call.
>
>sean spoke forth with the blessed manuscript:
>
>>What does your /etc/pam.d/proftpd say?
>>
>>I'm attaching how mine condenses. Debian uses common-account, -auth,
>>and -session in separate files that are included.
>>
>>#%PAM-1.0
>>auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
>>#@include common-auth
>>#from common-auth
>>auth required pam_unix.so nullok_secure
>>
>># This is disabled because anonymous logins will fail otherwise,
>># unless you give the 'ftp' user a valid shell, or /bin/false and add
>># /bin/false to /etc/shells.
>>#auth required pam_shells.so
>>
>>#@include common-account
>>#from common-account
>>account required pam_unix.so
>>
>>#@include common-session
>>#from common-session
>>session required pam_unix.so
>>
>>--sean
>>
>>Mike Garfias wrote:
>>
>>>That's just it. There are no messages from it.
>>>
>>>It simply will NOT query pam.
>>>
>>>I have AuthPAM set to on, it loads up the mod_auth_pam module on startup.
>>>Hell, I've run stack traces on it, and there are no pam calls anywhere in
>>>the output.
>>>
>>>sean spoke forth with the blessed manuscript:
>>>
>>>>I hate responding to myself but it seems odd that you are having trouble
>>>>getting proftpd to work with pam ... there's a full readme on the
>>>>subject if you google proftpd pam. Are there any error messages you can
>>>>share?
>>>>
>>>>--sean
>>>>
>>>>sean wrote:
>>>>
>>>>>Proftpd does all this I think. I'm really super satisfied with our
>>>>>setup.
>>>>>
>>>>>--sean
>>>>>
>>>>>Mike Garfias wrote:
>>>>>
>>>>>>I'm in need of an ftpd that doesn't suck.
>>>>>>
>>>>>>Must haves: PAM support - it has to play nicely with pam_pgsql
>>>>>> Configurable (I want to chroot the ftpd to a specific dir)
>>>>>> must be able to turn anon OFF
>>>>>> must be able to restrict user logins to only a couple of sessions
>>>>>> must run from inetd (actually xinetd, but whatever)
>>>>>>
>>>>>>I've tried pure-ftpd, and it blew up saying it couldn't set capabilities.
>>>>>>Some kernel issue here, and I'm not going to rebuild a kernel on a
>>>>>>production system cuz the ftpd isn't happy.
>>>>>>
>>>>>>I've also tried proftpd - it absolutely refuses to try and auth against pam.
>>>>>>
>>>>>>Vsftp wasn't very granular, and had issues with pam and chroot() stuff
>>>>>>(it was TOO locked down).
>>>>>>
>>>>>>Anything else I can try?
>>>>>>---------------------------------------------------
>>>>>>PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>>>>>>To subscribe, unsubscribe, or to change you mail settings:
>>>>>>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
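
The service-name check discussed at the top of this message, as an added example that is not part of the original thread or of ProFTPD: it works out which PAM service name each server context in a proftpd.conf will ask for and reports the ones with no matching auth/account lines. The function names and sample input are constructed; it assumes a <Global> value applies to servers that set none themselves, and that pam.d file bodies are passed in as a dict keyed by file name.

```python
import re

DEFAULT_SERVICE = "ftp"       # README.PAM: AuthPAMConfig defaults to 'ftp'
NEEDED = {"auth", "account"}  # module types the README's example lines define

def effective_services(conf_text):
    """Return {context: PAM service name} for the main server and each vhost."""
    own, stack = {"server config": None}, ["server config"]
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        tag = re.match(r"<(/?)(VirtualHost|Global)\b([^>]*)>", line, re.I)
        name = re.match(r"AuthPAMConfig\s+(\S+)", line, re.I)
        if tag and tag.group(1):                 # closing tag
            stack = stack[:-1] if len(stack) > 1 else stack
        elif tag:                                # opening tag
            kind = "Global" if tag.group(2).lower() == "global" else "VirtualHost"
            stack.append((kind + " " + tag.group(3).strip()).strip())
            own.setdefault(stack[-1], None)
        elif name:
            own[stack[-1]] = name.group(1)
    # Assumption: a <Global> value applies to every server that sets none itself.
    fallback = own.pop("Global", None) or DEFAULT_SERVICE
    return {ctx: svc or fallback for ctx, svc in own.items()}

def defined_types(pam_d, pam_conf=""):
    """Return {service: module types} from pam.d file bodies and pam.conf text."""
    rows = [[svc] + ln.split("#", 1)[0].split()
            for svc, body in pam_d.items() for ln in body.splitlines()]
    rows += [ln.split("#", 1)[0].split() for ln in pam_conf.splitlines()]
    found = {}
    for row in rows:  # row = [service, type, control, module, ...]
        if len(row) >= 2 and not row[1].startswith("@"):  # @include is not followed
            found.setdefault(row[0], set()).add(row[1].lstrip("-"))
    return found

def audit(conf_text, pam_d, pam_conf=""):
    """List (context, service, missing types) where the PAM service is incomplete."""
    have = defined_types(pam_d, pam_conf)
    gaps = [(ctx, svc, sorted(NEEDED - have.get(svc, set())))
            for ctx, svc in effective_services(conf_text).items()]
    return [gap for gap in gaps if gap[2]]

# Constructed sample input, not taken from the thread.
SAMPLE_CONF = "AuthPAM on\n<VirtualHost 192.0.2.10>\n  AuthPAMConfig ftp.myhost\n</VirtualHost>\n"
SAMPLE_PAM_D = {"proftpd": "auth sufficient pam_unix.so\naccount sufficient pam_unix.so\n"}
SAMPLE_PAM_CONF = "ftp.myhost auth required pam_unix.so try_first_pass\n"

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_PAM_D, SAMPLE_PAM_CONF))
```

A service reported here with no definition is not necessarily rejected outright: Linux-PAM falls back to the `other` service when no file matches the requested name, so check what that file permits as well.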