mod_auth_pam

PAM stands for Pluggable Authentication Modules, and is used to configure
ways for authenticating users. Now "authenticating" a user usually means
comparing a password they give with some other information, and returning
a "yes/no"-style answer. PAM does not provide all of the other information
for a user, such as UID, GID, home, and shell. This means that mod_auth_pam
cannot be used, by itself, as an auth module for proftpd; mod_auth_pam is
used to supplement other auth modules by providing access to PAM's
additional authentication checks.

Installation instructions for mod_auth_pam can be found below. The most
current version of mod_auth_pam is distributed in the ProFTPD source
distribution.
AuthPAM
Context: <VirtualHost>, <Global>

The AuthPAM directive enables or disables the module's runtime PAM check.
If it is set to off, this module does not consult PAM when authenticating
a user.
AuthPAMConfig
Context: <VirtualHost>, <Global>

The AuthPAMConfig directive is used to specify the name of the service
used when performing the PAM check; PAM configurations can vary depending
on the service. By default, the "ftp" service is used. Note that on some
platforms, e.g. FreeBSD, this may need to be set to "ftpd", depending on
the PAM configuration involved.

Here's an example of changing the service used:

  <IfModule mod_auth_pam.c>
    AuthPAMConfig ftpd
  </IfModule>
AuthPAMOptions
Context: <VirtualHost>, <Global>

The AuthPAMOptions directive is used to configure various optional
behavior of mod_auth_pam.

Example:

  <IfModule mod_auth_pam.c>
    # Do not set the PAM_TTY token when authenticating via PAM
    AuthPAMOptions NoTTY
  </IfModule>

The currently implemented options are:

  NoTTY
    By default, mod_auth_pam will use the PAM_TTY PAM API item, and will
    use a value of "/dev/ftpdPID". The item can be used by PAM modules for
    filtering access, for example. This "NoTTY" option tells mod_auth_pam
    to not set the PAM_TTY item.

    Note: On Solaris platforms, the use of this PAM_TTY token is
    mandatory, and cannot be disabled. This is due to Solaris Bug ID
    4250887.
Installation

The mod_auth_pam module is automatically included when proftpd is built
on a system that supports PAM. To disable this automatic inclusion, use
the --disable-auth-pam configure option.
FreeBSD

To use PAM with ProFTPD, you must edit /etc/pam.conf (or /etc/pam.d/ftpd)
and add the following lines, if they are not already present:

  ftpd auth    required pam_unix.so try_first_pass
  ftpd account required pam_unix.so try_first_pass
  ftpd session required pam_permit.so

(In a per-service file such as /etc/pam.d/ftpd, the leading "ftpd"
service column is omitted; only /etc/pam.conf carries it.)

In your proftpd.conf, you will need to set AuthPAMConfig to use the above
service name, i.e. "ftpd":

  <IfModule mod_auth_pam.c>
    AuthPAMConfig ftpd
  </IfModule>

PAM authentication should now work properly.
Linux

To use PAM with ProFTPD, you must edit /etc/pam.d/ftp and add the
following lines. For RedHat installations:

  #%PAM-1.0
  auth     required /lib/security/pam_pwdb.so shadow nullok
  account  required /lib/security/pam_pwdb.so
  session  required /lib/security/pam_pwdb.so

For SuSE:

  #%PAM-1.0
  auth     required /lib/security/pam_unix.so shadow nullok
  account  required /lib/security/pam_unix.so
  session  required /lib/security/pam_unix.so

These settings are valid for RedHat and SuSE Linux systems. Other Linux
distributions may differ.

NOTE: If you are using a 64-bit system, you may need to change the above
paths from "/lib/security/..." to "/lib64/security/...". Without this
correction, on 64-bit systems, your ProFTPD logs may contain errors like:

  PAM unable to dlopen(/lib/security/pam_pwdb.so)
  PAM [dlerror: /lib/security/pam_pwdb.so: cannot open shared object file: No such file or directory]

After updating the paths in your /etc/pam.d/ftp file, be sure to restart
ProFTPD, so that the new PAM configuration takes effect.
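As an added check, not part of the ProFTPD documentation or the module's own code: a small Python script that reads the PAM stack named by AuthPAMConfig (from a pam.d directory or a pam.conf file) and reports the two misconfigurations described on this page, a service name with no PAM stack at all (the "ftp" vs "ftpd" mismatch) and module paths that PAM would fail to dlopen (the /lib vs /lib64 case). The demo() case is constructed for the example: it installs the RedHat stack above in a temporary directory and assumes a 64-bit host where only /lib64/security/pam_pwdb.so exists.

```python
import os
import tempfile

REQUIRED_TYPES = ("auth", "account")  # the checks mod_auth_pam performs


def _fields(path):
    """Yield the whitespace-split fields of each non-comment line in `path`."""
    with open(path) as fh:
        for line in fh:
            fields = line.split("#", 1)[0].split()  # also drops the "#%PAM-1.0" header
            if fields:
                yield fields


def parse_pam_service(service, pam_d_dir, pam_conf=None):
    """(type, control, module) entries: pam.d files omit the service column, pam.conf has it first."""
    per_service = os.path.join(pam_d_dir, service)
    if os.path.isfile(per_service):
        return [tuple(f[:3]) for f in _fields(per_service) if len(f) >= 3]
    if pam_conf and os.path.isfile(pam_conf):
        return [tuple(f[1:4]) for f in _fields(pam_conf) if len(f) >= 4 and f[0] == service]
    return []


def check_pam_service(service, pam_d_dir, pam_conf=None, exists=os.path.exists):
    """Return a list of findings; an empty list means the stack looks usable."""
    entries = parse_pam_service(service, pam_d_dir, pam_conf)
    if not entries:
        return ["no PAM stack for service '%s' (AuthPAMConfig: 'ftp' vs 'ftpd'?)" % service]
    present = {typ for typ, _, _ in entries}
    findings = ["service '%s' has no '%s' line" % (service, t) for t in REQUIRED_TYPES if t not in present]
    for _, _, module in entries:
        if module.startswith("/") and not exists(module):  # PAM would fail to dlopen it
            alt = module.replace("/lib/security/", "/lib64/security/", 1)
            hint = "; try %s" % alt if alt != module and exists(alt) else ""
            findings.append("module %s not found%s" % (module, hint))
    return findings


def demo():
    """Constructed case: the RedHat 'ftp' stack from this page in a temporary
    pam.d, on an assumed 64-bit host where only /lib64/security/ modules exist."""
    redhat_ftp = ("#%PAM-1.0\nauth    required /lib/security/pam_pwdb.so shadow nullok\n"
                  "account required /lib/security/pam_pwdb.so\n"
                  "session required /lib/security/pam_pwdb.so\n")
    fake_fs = {"/lib64/security/pam_pwdb.so"}.__contains__  # stands in for os.path.exists
    with tempfile.TemporaryDirectory() as pam_d:
        with open(os.path.join(pam_d, "ftp"), "w") as fh:
            fh.write(redhat_ftp)
        return (check_pam_service("ftp", pam_d, exists=fake_fs),
                check_pam_service("ftpd", pam_d, exists=fake_fs))
```

On a real host, call check_pam_service() with the AuthPAMConfig value and "/etc/pam.d" (plus "/etc/pam.conf" on FreeBSD) and leave the default exists argument in place.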
Mac OS X

To use PAM with ProFTPD, you must edit /etc/pam.d/ftp and add the
following lines:

  auth     required pam_unix.so try_first_pass
  account  required pam_unix.so try_first_pass
  session  required pam_permit.so

Or, if you are running Mac OS X 10.3 or later, you should have an
/etc/pam.d/ftpd file that contains the following:

  auth       sufficient pam_securityserver.so
  auth       required   pam_deny.so
  account    required   pam_permit.so
  password   required   pam_deny.so
  session    required   pam_permit.so

Then, in your proftpd.conf, use:

  <IfModule mod_auth_pam.c>
    AuthPAMConfig ftpd
  </IfModule>
Logging

The mod_auth_pam module supports trace logging, via the module-specific
log channels. In proftpd.conf:

  TraceLog /path/to/ftpd/trace.log
  Trace auth.pam:20

This trace logging can generate large files; it is intended for debugging
use only, and should be removed from any production configuration.