ftp server recomendation?

sean sean at emvis.net
Thu Mar 2 20:47:53 MST 2006


I've been reading this a lot, especially the part at the bottom where it 
talks about virtual hosts and proftpd

http://www.castaglia.org/proftpd/doc/README.PAM.html

  # This is the PAM configuration file that will be referenced when
  # authenticating.  It can be set globally and/or per VirtualHost.
  # The default is 'ftp'.
  AuthPAMConfig                       ftp

The default setting is 'ftp'. However, if you set |AuthPAMConfig| to be 
'ftp.myhost', for example, ProFTPD will try to use the PAM 
authentication settings for ftp.myhost, assuming you've set up your PAM 
configuration file(s) properly. To use the above example with FreeBSD, 
you would need to add lines such as the following:

  ftp.myhost auth    required    pam_unix.so         try_first_pass
  ftp.myhost account required    pam_unix.so         try_first_pass


I'd have to see what you're /etc/proftpd.conf says for your vhost users 
but it seems something's not matching up with the pam service name.

--sean

Mike Garfias wrote:

>account sufficient      pam_unix.so
>account sufficient      pam_pgsql.so
>auth    sufficient      pam_unix.so nullok_secure 
>auth    sufficient      pam_pgsql.so         
>
>The pam_unix.so lines are there for a testing.  Once it works, they're coming
>out.  Only virtual users will be connecting via FTP.
>
>However, I can put whatever I want in that file, and nothing changes, as
>proftpd NEVER makes a pam call.
>
>Here is output of proftpd starting up:
>
># strace proftpd -nd10 2>&1 | grep -i pam
>open("/lib/libpam.so.0", O_RDONLY)      = 3
>write(2, " - dispatching directive \'AuthPA"..., 58 - dispatching directive
>'AuthPAM' to module mod_auth_pam
>write(2, " - dispatching directive \'AuthPA"..., 64 - dispatching directive
>'AuthPAMConfig' to module mod_auth_pam
>write(2, "localhost.localdomain - AuthPAM\n", 32localhost.localdomain -
>AuthPAM
>write(2, "localhost.localdomain - AuthPAMC"..., 38localhost.localdomain -
>AuthPAMConfig
>                       
>When I try to connect, I get no further output.  If instead I grep for 'auth',
>I get lots of mod_sql and mod_auth_unix calls, but never a pam call.
>
>
>sean spoke forth with the blessed manuscript:
>  
>
>>What does your /etc/pam.d/proftpd say?
>>
>>I'm attaching how mine condenses.   debian uses  common-account, -auth, 
>>and -session in seperate files that are included.
>>
>>#%PAM-1.0
>>auth       required     pam_listfile.so item=user sense=deny 
>>file=/etc/ftpusers onerr=succeed
>>#@include common-auth
>>#from common-auth
>>auth    required        pam_unix.so nullok_secure 
>>
>># This is disabled because anonymous logins will fail otherwise,
>># unless you give the 'ftp' user a valid shell, or /bin/false and add
>># /bin/false to /etc/shells.
>>#auth       required    pam_shells.so
>>
>>#@include common-account
>>#from common-account
>>account required        pam_unix.so 
>>
>>#@include common-session
>>#from common-session
>>session required        pam_unix.so  
>>
>>--sean
>>
>>Mike Garfias wrote:
>>
>>    
>>
>>>Thats just it.  There are no messages from it.
>>>
>>>It simply will NOT query pam.
>>>
>>>I have AuthPAM set to on, it loads up the mod_auth_pam module on startup.
>>>Hell, I've run stack traces on it, and there are no pam calls anywhere in 
>>>the output.
>>>
>>>
>>>sean spoke forth with the blessed manuscript:
>>>
>>>
>>>      
>>>
>>>>I hate responding to myself but it seems odd that you are having trouble 
>>>>getting proftpd to work with pam ... there's a full readme on the 
>>>>subject if you google proftpd pam.  Are there any error messages you can 
>>>>share?
>>>>
>>>>--sean
>>>>
>>>>sean wrote:
>>>>
>>>>  
>>>>
>>>>        
>>>>
>>>>>Proftpd does all this I think.  I'm really super satisfied with our 
>>>>>setup.
>>>>>
>>>>>--sean
>>>>>
>>>>>Mike Garfias wrote:
>>>>>
>>>>>    
>>>>>
>>>>>          
>>>>>
>>>>>>I'm in need of an ftpd that doesn't suck.
>>>>>>
>>>>>>Must haves:     PAM support - it has to play nicely with pam_pgsql
>>>>>> Configurable (I want to chroot the ftpd to a specific dir)
>>>>>> must be able to turn anon OFF
>>>>>> must be able restrict user logins to only a couple of sessions
>>>>>> must run from inetd (acutally xinetd, but whatever)
>>>>>>
>>>>>>I've tried pure-ftpd, and it blew up saying it couldn't set 
>>>>>>capabilities.
>>>>>>Some kernel issue here, and I'm not going to rebuild a kernel on a 
>>>>>>production
>>>>>>system cuz the ftpd isn't happy.
>>>>>>
>>>>>>I've also tried proftpd - it absolutely refuses to try and auth 
>>>>>>against pam.
>>>>>>
>>>>>>Vsftp wasn't very granular, and had issues with pam and chroot() 
>>>>>>stuff (it was
>>>>>>TOO locked down).
>>>>>>
>>>>>>Anything else I can try?
>>>>>>---------------------------------------------------
>>>>>>PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>>>>>To subscribe, unsubscribe, or to change  you mail settings:
>>>>>>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>>>>
>>>>>>
>>>>>>      
>>>>>>
>>>>>>            
>>>>>>
>>>>>---------------------------------------------------
>>>>>PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>>>>To subscribe, unsubscribe, or to change  you mail settings:
>>>>>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>>>    
>>>>>
>>>>>          
>>>>>
>>>>---------------------------------------------------
>>>>PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>>>To subscribe, unsubscribe, or to change  you mail settings:
>>>>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>>
>>>>
>>>>
>>>>
>>>>  
>>>>
>>>>        
>>>>
>>>---------------------------------------------------
>>>PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>>To subscribe, unsubscribe, or to change  you mail settings:
>>>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>
>>>
>>>      
>>>
>>---------------------------------------------------
>>PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>To subscribe, unsubscribe, or to change  you mail settings:
>>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
>>!DSPAM:11,4407acae179311932458107!
>>
>>
>>    
>>
>---------------------------------------------------
>PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>To subscribe, unsubscribe, or to change  you mail settings:
>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>  
>



More information about the PLUG-discuss mailing list