
PAM and vsftpd on debian box problem - Linux Setup, Configuration & Administration


  1. #1

    PAM and vsftpd on debian box problem

    Hi. I have been trying to use PAM with vsftpd for nearly five hours
    without success. I have read man pages, the PAM documentation at
    kernel.org, a lot of posts, without success.

    I want to use virtual users to access my vsftpd server, but vsftpd
    is ignoring my PAM configuration: no logs, no errors, no warnings.
    With the example configuration of EXAMPLES/VIRTUAL_USERS, I cannot log
    in with users other than the Debian local users. I know that vsftpd is
    ignoring PAM because a pam.d/ftp file that denies access by default to
    all users has no effect (I have tried the same file in ssh and access
    was in fact forbidden). This pam.d file is this:

    cat /etc/pam.d/ftp
    auth required pam_listfile.so \
        onerr=fail item=user sense=allow \
        file=/usr/local/vsftpd/pam_listfile_cfg

    and file pam_listfile_cfg is empty.

    However, PAM is configured in vsftpd.conf. Does anybody know how to
    force vsftpd to use PAM authentication? Does anybody know a way to debug
    this (i.e. to produce some log about PAM use/errors)?

    I know that vsftpd has been built with PAM support:

    ldd /usr/local/vsftpd/vsftpd
    libpam.so.0 => /lib/libpam.so.0 (0x4001c000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x40024000)
    libdl.so.2 => /lib/libdl.so.2 (0x40051000)
    libnsl.so.1 => /lib/libnsl.so.1 (0x40054000)
    libresolv.so.2 => /lib/libresolv.so.2 (0x4006a000)
    libutil.so.1 => /lib/libutil.so.1 (0x4007c000)
    libcap.so.1 => /lib/libcap.so.1 (0x4007f000)
    libc.so.6 => /lib/libc.so.6 (0x40083000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

    and I have inspected all logs inside /var/log (vsftpd.log,
    auth.log, ...) with no PAM information.

    My vsftpd.conf file. Please note the PAM configuration line:

    cat /usr/local/vsftpd/vsftpd.conf
    # Standalone mode
    listen=YES
    max_clients=200
    max_per_ip=4

    # Access rights
    anonymous_enable=NO
    local_enable=YES
    write_enable=NO
    anon_upload_enable=NO
    anon_mkdir_write_enable=NO
    anon_other_write_enable=NO
    chroot_local_user=YES

    # Security
    anon_world_readable_only=YES
    connect_from_port_20=YES
    hide_ids=YES
    pasv_min_port=20000
    pasv_max_port=20100
    guest_enable=YES
    guest_username=nobody
    check_shell=NO
    pam_service_name=ftp
    # log_ftp_protocol=YES

    # Features
    xferlog_enable=YES
    ls_recurse_enable=NO
    ascii_download_enable=NO
    async_abor_enable=YES

    # Performance
    one_process_model=NO
    idle_session_timeout=120
    data_connection_timeout=300
    accept_timeout=60
    connect_timeout=60
    anon_max_rate=50000


    and the default pam.d/ftp I first used. Note the debug and dump
    arguments to force log entries (without success):

    cat /etc/pam.d/ftp
    auth required /lib/security/pam_userdb.so \
        db=/usr/local/vsftpd/vsftpd_login debug dump
    account required /lib/security/pam_userdb.so \
        db=/usr/local/vsftpd/vsftpd_login debug dump

    The password database has been created with db3_load -T -t hash -f
    file.txt vsftpd_login.db



    thank you in advance.
    Pj Guest

  2. #2

    Re: PAM and vsftpd on debian box problem

    Pj <com> wrote: 

    You want the PAM documentation at openldap.org. And you want to compile
    your ftp server with PAM support.
     

    What makes you think it is using pam, or that pam is using ldap?
     

    What makes you think it uses pam? Is it compiled against pam? Linked
    against pam? Does the strace show an attempt to use pam?
     

    What makes you think it uses that file?
     

    ssh does not use that file. You mean something else.
     

    Uh - you forgot to add pam_ldap.so, no? Anyway, convince me that that
    file is the one to use.
     

    Well, what pam file is it configured to use, and is it compiled to use
    pam in the first place?
     

    Sure - everyone.
     

    Aha!
     

    Yep - you have pam support. Now read the source and find out which pam
    file it uses. Or just strace the thing and find out.
     

    Then add it. Somehow! Surely these things go into auth.log, usually?
     
     

    Aha! That means it uses the ftp file. So check, using a strace.
     
     

    no ldap.
     

    Confirm what should happen is happening, using strace.

    Peter
    P.T. Guest

  3. #3

    Re: PAM and vsftpd on debian box problem

    Thanks for your help. First of all I want to emphasize some points
    that maybe were not clear enough in my first post:

    - I'm pretty sure that vsftpd is not using PAM, not even trying.
    - I'm pretty sure that vsftpd.conf is configured as the vsftpd
    manual indicates for PAM use.
    - I have configured PAM in two ways: db3 (pam_userdb) and a text
    file (pam_listfile), both without success.
    - I know that PAM is activated correctly on my system because
    changes in the /etc/pam.d/ssh file actually change the sshd
    login behaviour noticeably.
    - I don't know how to find out the origin of the problem or how to
    force vsftpd to use PAM.

    Ideas would be welcome.

    Breuer, thanks for your comments. I have new clues. I have used
    strace, but the results only confirm that vsftpd is not trying to
    access any PAM related file (see details below).
    I have used strace correctly, because strace on sshd shows
    successful access to several PAM files and libraries.

    Following your suggestion about reading the sources, I have
    found some interesting preprocessor comments in the vsftpd file
    sysdeputil.c.

    -- fragment of sysdeputil.c (not included in any ifdef|ifndef nest)--
    /* PAM support - we include our own dummy version if the system lacks
    this */
    #include <security/pam_appl.h>

    /* No PAM? Try getspnam() with a getpwnam() fallback */
    #ifndef VSF_SYSDEP_HAVE_PAM
    /* This may hit our own "dummy" include and undef
    VSF_SYSDEP_HAVE_SHADOW */
    #include <shadow.h>
    #include <pwd.h>
    #include <unistd.h>
    #include <crypt.h>
    #endif
    -- end of fragment --

    I don't know what this means; maybe its own PAM engine? However,
    VSF_SYSDEP_HAVE_PAM is defined at the beginning of the file and only
    undefined ifdef __AIX. I need more time to fool around with this (maybe
    in the next post ;) )


    BTW, I'm stuck again. Some more ideas?

    PS: I hadn't worked with strace before and I have had fun. Thanks
    Breuer. I include these stderr log fragments:

    -- fragment of strace -p (sshd pid) -f 2> file.txt --
    [pid 1297] stat64("/etc/pam.d", {st_mode=S_IFDIR|0755, st_size=4096,
    ....}) = 0
    [pid 1297] open("/etc/pam.d/ssh", O_RDONLY) = 3
    [pid 1297] fstat64(3, {st_mode=S_IFREG|0644, st_size=775, ...}) = 0
    [pid 1297] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE,
    MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40018000
    [pid 1297] read(3, "#%PAM-1.0\nauth required "..., 4096) =
    775
    -- end of fragment

    The PAM calls are clear in this case. However, there are no PAM
    calls in the vsftpd case, just /etc/passwd calls:

    -- fragments of strace -f ./vsftpd ./vsftpd.conf 2> file.txt --
    -- fragment 1 --
    open("/lib/libpam.so.0", O_RDONLY) = 3
    read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\1 0\25\0"...,
    512) = 512
    fstat64(3, {st_mode=S_IFREG|0644, st_size=28884, ...}) = 0
    old_mmap(NULL, 31944, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
    0x4001c000
    old_mmap(0x40023000, 4096, PROT_READ|PROT_WRITE,
    MAP_PRIVATE|MAP_FIXED, 3, 0x6000) = 0x40023000
    close(3)
    -- fragment 2 --
    [pid 1343] read(0, "USER jose\r\n", 11) = 11
    [pid 1343] write(0, "331 Please specify the password."..., 34) = 34
    [pid 1343] rt_sigaction(SIGALRM, {0x8053760, ~[], SA_RESTORER,
    0x400ac498}, NULL, 8) = 0
    [pid 1343] alarm(120) = 119
    [pid 1343] recv(0, "PASS uno\r\n", 4096, MSG_PEEK) = 10
    [pid 1343] read(0, "PASS uno\r\n", 10) = 10
    [pid 1343] write(5, "\1", 1) = 1
    [pid 1343] write(5, "jose\0", 5) = 5
    [pid 1343] write(5, "uno\0", 4) = 4
    [pid 1343] read(5, <unfinished ...>
    [pid 1342] <... read resumed> "\1", 1) = 1
    [pid 1342] rt_sigprocmask(SIG_BLOCK, [CHLD], NULL, 8) = 0
    [pid 1342] old_mmap(NULL, 12288, PROT_READ|PROT_WRITE,
    MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40018000
    [pid 1342] mprotect(0x4001a000, 4096, PROT_NONE) = 0
    [pid 1342] mprotect(0x40018000, 4096, PROT_NONE) = 0
    [pid 1342] recv(4, "jose\0", 1024, MSG_PEEK) = 5
    [pid 1342] read(4, "jose\0", 5) = 5
    [pid 1342] recv(4, "uno\0", 1024, MSG_PEEK) = 4
    [pid 1342] read(4, "uno\0", 4) = 4
    [pid 1342] open("/etc/passwd", O_RDONLY) = 6
    [pid 1342] fcntl64(6, F_GETFD) = 0
    [pid 1342] fcntl64(6, F_SETFD, FD_CLOEXEC) = 0
    [pid 1342] _llseek(6, 0, [0], SEEK_CUR) = 0
    [pid 1342] fstat64(6, {st_mode=S_IFREG|0644, st_size=1070, ...}) = 0
    [pid 1342] mmap2(NULL, 1070, PROT_READ, MAP_SHARED, 6, 0) =
    0x4001b000
    [pid 1342] _llseek(6, 1070, [1070], SEEK_SET) = 0
    [pid 1342] fstat64(6, {st_mode=S_IFREG|0644, st_size=1070, ...}) = 0
    [pid 1342] munmap(0x4001b000, 1070) = 0
    [pid 1342] close(6) = 0
    [pid 1342] gettimeofday({1074726281, 791557}, NULL) = 0
    [pid 1342] getpid() = 1342
    [pid 1342] fcntl64(3, F_SETLKW64, {type=F_WRLCK, whence=SEEK_SET,
    start=0, len=0}, 0xbffffae0) = 0
    [pid 1342] write(3, "Thu Jan 22 00:04:41 2004 [pid 13"..., 77) = 77
    [pid 1342] fcntl64(3, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET,
    start=0, len=0}, 0xbffffad0) = 0
    [pid 1342] write(4, "\2", 1) = 1
    [pid 1343] <... read resumed> "\2", 1) = 1
    [pid 1343] write(0, "530 Login incorrect.\r\n", 22) = 22
    -- end of fragments --

    So, from fragment 1, vsftpd successfully accesses /lib/libpam.so.0.
    However, as you can see from fragment 2, from the moment that
    vsftpd receives the login information until it sends a "530 Login
    incorrect", there is only one file call: to /etc/passwd. Therefore, it
    is confirmed: there is no PAM use.
    Pj Guest
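The check done by hand in the post above, isolating the syscalls between the PASS command and the FTP reply and looking for PAM activity in that window, as an added example (not code from the thread or from vsftpd). The sample strace lines are constructed after the posted fragment; the analysis ignores pids, since vsftpd reads PASS in one process and performs the lookup in another.

```python
"""Scan an `strace -f` capture of an FTP login for PAM activity."""
import re

# Constructed sample, modelled on the strace fragment posted above (not a real capture).
SAMPLE_NO_PAM = r"""
[pid 1343] read(0, "USER jose\r\n", 11) = 11
[pid 1343] write(0, "331 Please specify the password."..., 34) = 34
[pid 1343] recv(0, "PASS uno\r\n", 4096, MSG_PEEK) = 10
[pid 1343] read(0, "PASS uno\r\n", 10) = 10
[pid 1343] write(5, "jose\0", 5) = 5
[pid 1342] open("/etc/passwd", O_RDONLY) = 6
[pid 1342] close(6) = 0
[pid 1343] write(0, "530 Login incorrect.\r\n", 22) = 22
"""

# Constructed sample of what the same window looks like when PAM is consulted.
SAMPLE_PAM = r"""
[pid 2001] read(0, "PASS uno\r\n", 10) = 10
[pid 2000] open("/etc/pam.d/ftp", O_RDONLY) = 6
[pid 2000] open("/lib/security/pam_userdb.so", O_RDONLY) = 7
[pid 2000] open("/usr/local/vsftpd/vsftpd_login.db", O_RDONLY) = 8
[pid 2001] write(0, "230 Login successful.\r\n", 23) = 23
"""

OPEN_RE = re.compile(r'\bopen(?:at)?\((?:AT_FDCWD, )?"([^"]+)"')
PASS_RE = re.compile(r'\b(?:read|recv)\(\d+, "PASS ')
REPLY_RE = re.compile(r'\bwrite\(\d+, "(?:230|530) ')
# PAM service files and modules: /etc/pam.d/<service>, /etc/pam.conf, pam_*.so
PAM_PATH_RE = re.compile(r'/etc/pam\.d/|/etc/pam\.conf|/pam_[A-Za-z0-9_]+\.so')

def login_window(lines):
    """Lines from the first PASS command up to the 230/530 reply (any pid)."""
    start = next((i for i, l in enumerate(lines) if PASS_RE.search(l)), None)
    if start is None:
        return []
    for end in range(start, len(lines)):
        if REPLY_RE.search(lines[end]):
            return lines[start:end + 1]
    return lines[start:]          # reply never seen: report what we have

def analyse(log):
    """Files opened while the password was being checked, and whether any is PAM's."""
    window = login_window(log.splitlines())
    opened = [m.group(1) for l in window for m in [OPEN_RE.search(l)] if m]
    pam_files = [p for p in opened if PAM_PATH_RE.search(p)]
    return {"opened": opened, "pam_files": pam_files, "uses_pam": bool(pam_files)}

if __name__ == "__main__":
    for name, log in (("no PAM", SAMPLE_NO_PAM), ("PAM", SAMPLE_PAM)):
        r = analyse(log)
        print(f"{name}: opened {r['opened']} -> uses_pam={r['uses_pam']}")
```

Run it on a real capture with `analyse(open("file.txt").read())`; an empty `pam_files` list with `/etc/passwd` in `opened` is exactly the "no PAM use" situation described in the post.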

