mod_auth_file
This module is contained in the mod_auth_file.c
file for
ProFTPD 1.3.x, and is compiled by default.
<VirtualHost>
, <Global>
The AuthFileOptions
directive is used to configure various optional
behavior of mod_auth_file
.
Example:
AuthFileOptions InsecurePerms
The currently implemented options are:
InsecurePerms
When this option is used, mod_auth_file
will ignore insecure
permissions (i.e. group- or world-readable) on
AuthUserFile
and AuthGroupFile
files. Note
that this option must appear before any
AuthUserFile
and AuthGroupFile
directives in
order to function properly, for the option changes the behavior of the
mod_auth_file
module at parse time.
Note that this option first appeared in
proftpd-1.3.7rc1
.
<VirtualHost>
, <Global>
The AuthGroupFile
directive configures an alternate group file for
providing group membership information; the specified file must have the same
format as the system /etc/group
file, and if specified is used
during authentication and group lookups for directory/access control
operations. The path argument should be the full path to the specified
file. This directive can be configured on a per-server basis, so that virtual
FTP servers can each have their own authentication file, often in conjunction
with an AuthUserFile
.
Note that this file does not need to reside inside a
chroot()
ed directory structure for anonymous or
DefaultRoot
logins, as it is held open for the duration of a
session.
The optional parameters are used to set restrictions on the contents of
the specified file. The id restriction is used to specify a range
of GIDs that may appear in the file; when doing a lookup, if a group entry
has a GID that is less than the minimum or greater than the maximum is
encountered, that entry is ignored. The name restriction is used
to specify a regular expression that is applied to the name of a group
entry. If the group name does not match the regular expression, the group
entry is ignored. A leading !
in the regular expression can
be used to negate the given expression.
Example:
# This makes an AuthGroupFile that can only have GIDs 2000 to 4000, and # whose groups must start with 'cust' AuthGroupFile /etc/ftpd/group id 2000-4000 name ^cust
Note: In order to prevent other users from modifying the
AuthGroupFile
, the mod_auth_file
module
requires that the permissions on the file not be world-readable
or world-writable, and that the directory containing the
file not be world-writable. In addition, if the file is not a file
(e.g. the path points to a symlink, or a FIFO, etc), a warning
will be logged on server startup/restart.
<VirtualHost>
, <Global>
The AuthUserFile
directive configures an alternate passwd file for
providing user account information; the specified file must have the same
format as the system /etc/passwd
file, and if specified is used
during authentication and user lookups for directory/access control operations.
The path argument should be the full path to the specified file. This
directive can be configured on a per-server basis, so that virtual FTP servers
can each have their own authentication file, often in conjunction with an
AuthGroupFile
.
Note that this file does not need to reside inside a
chroot()
ed directory structure for anonymous or
DefaultRoot
logins, as it is held open for the duration of a
session.
The optional parameters are used to set restrictions on the contents of
the specified file. The id restriction is used to specify a range
of UIDs that may appear in the file; when doing a lookup, if a user entry
has a UID that is less than the minimum or greater than the maximum is
encountered, that entry is ignored. The home restriction is used
to specify a regular expression that is applied to the home directory of a user
entry. If the home does not match the regular expression, the user entry
is ignored. The name restriction is used to specify a regular
expression that is applied to the name of a user entry. If the user name does
not match the regular expression, the user entry is ignored. A leading
!
in these regular expressions can be used to negate the given
expression.
Example:
# This makes an AuthUserFile whose user names must start with 'ftp', and # whose homes cannot start with /home. AuthUserFile /etc/ftpd/passwd name ^ftp home !^/home
Note: In order to prevent other users from modifying the
AuthUserFile
, the mod_auth_file
module
requires that the permissions on the file not be world-readable
or world-writable, and that the directory containing the
file not be world-writable. In addition, if the file is not a file
(e.g. the path points to a symlink, or a FIFO, etc), a warning
will be logged on server startup/restart.
mod_auth_file
module is compiled by default.
Logging
The mod_auth_file
module supports trace logging, via the module-specific log channels:
proftpd.conf
:
TraceLog /path/to/ftpd/trace.log Trace auth.file:20This trace logging can generate large files; it is intended for debugging use only, and should be removed from any production configuration.
Frequently Asked Questions
Question: I found that only the first 8 characters of
passwords are used! This is a security bug!
The default Unix password hashing scheme uses the Data Encryption Standard (DES) algorithm.
As per the
Later, other
Answer: No, it is not.
crypt(3)
man page, only the first 8 characters
of the password are used. Thus this 8 character limitation comes from
the underlying system authentication, not from proftpd. The whole
purpose of the PAM system was to enable replacing the use of DES with other
authentication algorithms, which do not have this 8 character limitation.
crypt(3)
implementations were made which can also
support algorithms such as MD5, or Blowfish. Some platforms support these
enhanced versions of crypt(3)
, some do not. The
ftpasswd
script can generate
AuthUserFiles
which use the MD5 algorithm instead of DES.