Viewing file:  mod_auth_pam.html (8.42 KB) -rw-r--r--
Select action/file-type:
 (+) | (+) |  (+) | Code (+) | Session (+) |  (+) | SDB (+) |  (+) |  (+) |  (+) |  (+) |  (+) |
ProFTPD module mod_auth_pam
ProFTPD module mod_auth_pam
PAM stands for Pluggable Authentication Modules,
and is used to configure ways for authenticating users. Now
"authenticating" a user usually means comparing a password they
give with some other information, and returning a "yes/no"-style
answer. PAM does not provide all of the other information for a user,
such as UID, GID, home, and shell. This means that mod_auth_pam
cannot be used, by itself, as an auth module for proftpd;
mod_auth_pam is used to supplement other auth modules by
providing access to PAM's additional authentication checks.
Installation instructions for mod_auth_pam can be found
here.
The most current version of mod_auth_pam is distributed in the
ProFTPD source distribution.
Directives
Syntax: AuthPAM on|off
Default: AuthPAM on
Context: server config, <VirtualHost>, <Global>
Module: mod_auth_pam
Compatibility: 1.2.8rc2 and later
The AuthPAM directive enables or disables the module's runtime
PAM check. If it is set to off this module does not consult PAM
when authenticating a user.
Syntax: AuthPAMConfig service
Default: AuthPAMConfig ftp
Context: server config, <VirtualHost>, <Global>
Module: mod_auth_pam
Compatibility: 1.2.8rc2 and later
The AuthPAMConfig directive is used to specify the name of
the service used when performing the PAM check; PAM configurations can
vary depending on the service. By default, the "ftp" service
is used. Note that on some platforms, e.g. FreeBSD, this may
need to be set to "ftpd", depending on the PAM configuration
involved.
Here's an example of changing the service used:
<IfModule mod_auth_pam.c>
AuthPAMConfig ftpd
</IfModule>
Syntax: AuthPAMOptions opt1 opt2 ... optN
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_auth_pam
Compatibility: 1.3.2rc1 and later
The AuthPAMOptions directive is used to configure various optional
behavior of mod_auth_pam.
Example:
<IfModule mod_auth_pam.c>
# Do not set the PAM_TTY token when authenticating via PAM
AuthPAMOptions NoTTY
</IfModule>
The currently implemented options are:
NoTTY
By default, mod_auth_pam will use the PAM_TTY
PAM API item, and will use a value of "/dev/ftpdPID". The item
can be used by PAM modules for filtering access, for example. This
"NoTTY" option tells mod_auth_pam to not set the
PAM_TTY item.
Note: On Solaris platforms, the use of this PAM_TTY
token is mandatory, and cannot be disabled. This is due to
Solaris Bug ID 4250887.
The mod_auth_pam module is automatically included when
proftpd is built on a system that supports PAM. To disable
this automatic inclusion, use the --disable-auth-pam configure
option.
The following are some example platform-specific PAM configurations.
FreeBSD
To use PAM with ProFTPD, you must edit /etc/pam.conf (or
/etc/pam.d/ftpd) and add the following lines, if they are not
already present:
ftpd auth required pam_unix.so try_first_pass
ftpd account required pam_unix.so try_first_pass
ftpd session required pam_permit.so
In your proftpd.conf, you will need to set
AuthPAMConfig to use the above service name, i.e. "ftpd":
<IfModule mod_auth_pam.c>
AuthPAMConfig ftpd
</IfModule>
PAM authentication should now work properly.
Linux
To use PAM with ProFTPD, you must edit /etc/pam.d/ftp and add the
following lines for RedHat installations:
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so
For SuSE:
#%PAM-1.0
auth required /lib/security/pam_unix.so shadow nullok
account required /lib/security/pam_unix.so
session required /lib/security/pam_unix.so
These settings are valid for RedHat and SuSE Linux systems. Other Linux
distributions may differ.
NOTE: If you are using a 64-bit system, you may need to change the above
paths from "/lib/security/..." to "/lib64/security/...". Without this
correction, on 64-bit systems, your ProFTPD logs may contain errors like:
PAM unable to dlopen(/lib/security/pam_pwdb.so)
PAM [dlerror: /lib/security/pam_pwdb.so: cannot open shared object file:
No such file or directory]
After updating the paths in your /etc/pam.d/ftp file, be sure to
restart ProFTPD, so that the new PAM configuration takes effect.
Mac OS X
To use PAM with ProFTPD, you must edit /etc/pam.d/ftp and add the
following lines:
auth required pam_unix.so try_first_pass
account required pam_unix.so try_first_pass
session required pam_permit.so
Or, if you are running Mac OSX 10.3 or later, you should have an
/etc/pam.d/ftpd file that contains the following:
auth sufficient pam_securityserver.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
Then, in your proftpd.conf, use:
<IfModule mod_auth_pam.c>
AuthPAMConfig ftpd
</IfModule>
Logging
The mod_auth_pam module supports trace logging, via the module-specific log channels:
Thus for trace logging, to aid in debugging, you would use the following in
your proftpd.conf:
TraceLog /path/to/ftpd/trace.log
Trace auth.pam:20
This trace logging can generate large files; it is intended for debugging use
only, and should be removed from any production configuration.
Frequently Asked Questions
Question: I need to use PAM for enforcing the
handling of aged/expired passwords on my Unix system. How do I make sure
that PAM does the right thing?
Answer: For this sort of requirement, you are
probably already using ProFTPD's default authentication modules, which include
mod_auth_unix and mod_auth_pam. But to make sure
that the PAM rules are enforced, you need to make mod_auth_pam
be "authoritative", i.e. have the final say on whether a given password
is acceptable. Use the AuthOrder directive to accomplish this,
using:
# It is important that mod_auth_pam appear before mod_auth_unix, and
# that the asterisk appear after the name, not before.
AuthOrder mod_auth_pam.c* mod_auth_unix.c
The asterisk ("*") after a module name in the AuthOrder directive
is what tells proftpd to treat that module's results as
authoritative.
© Copyright 2017 The ProFTPD Project
All Rights Reserved
|