Chapter 7. User Authentication

1. Why is PAM the default authentication system?
2. Authentication methods supported
3. Problems with non-PAM authentication
4. AuthPAMAuthorative is an unknown directive!
5. Configuring PAM
6. Normal users can't login, only anon.
7. AuthPAMAuthoritative
8. LDAP
9. One time passwords
10. RADIUS
11. Anonymous password checking
12. Why do I see "PAM(name): Authentication failure", but I can login anyway?

This section is being re-written due to major structural changes to the SQL module prior to 1.2.0

1. Why is PAM the default authentication system?

Security, pure and simple. PAM is the most secure (or securable) of the available authentication systems. Many of the issues and configuration hints for PAM are contained in README.PAM which is bundled with the server source and in the various packaged builds. To use /etc/passwd manual compilation will be required with the configure script being run with the --without-pam flag. Unless the PAM subsystem is properly configured authentication will fail.

2. Authentication methods supported

  • PAM

  • Standard /etc/passwd lookups

  • NIS

  • Shadow passwords

  • Indvidual passwd/group files for each virtual

  • SQL databases

  • If these don't fit in with your system then writing a custom module or using such as the "ld.so.preload" approach to intercept getpwbynam() system calls works happily with ProFTPD.

    3. Problems with non-PAM authentication

    Generally these problems will be cured by either disabling PAM completely or by ensuring that these directives are set

    PersistentPasswd   off
    AuthPAMAuthoritative off
              

    4. AuthPAMAuthorative is an unknown directive!

    Check the spelling it should be AuthPAMAuthoritative not AuthPAMAuthorative or any other variation.

    5. Configuring PAM

    There is a README.Pam in the top directory of the ProFTPD install directory :

    Redhat Linux

    #%PAM-1.0
    auth       required     /lib/security/pam_listfile.so item=user
    sense=deny file=/etc/ftpusers onerr=succeed
    auth       required     /lib/security/pam_pwdb.so shadow nullok
    account    required     /lib/security/pam_pwdb.so
    session    required     /lib/security/pam_pwdb.so
              

    SuSE Linux

    SuSE appears to uses pam_unix rather than pam_pwdb which is the Redhat approach. All references to pam_pwdb should be replaced with "pam_unix" on SuSE systems.

    The following fragment is reported to work fine on SuSE 6.2

    /etc/pam.d/ftpd
    #%PAM-1.0
    
    # Uncomment this to achieve what used to be ftpd -A.
    # auth       required     /lib/security/pam_listfile.so item=user sense=allow file=/etc/ftpchroot onerr=fail
    
    auth     required       /lib/security/pam_listfile.so item=user
    sense=deny file=/etc/ftpusers onerr=succeed
    auth     sufficient     /lib/security/pam_ftp.so
    auth     required       /lib/security/pam_unix.so
    auth     required       /lib/security/pam_shells.so
    account  required       /lib/security/pam_unix.so
    password required       /lib/security/pam_unix.so
    session  required       /lib/security/pam_unix.so
              

    FreeBSD

    FreeBSD does not support PAM session directives. If you remove the following line from the FreeBSD section of README.PAM, PAM should work properly under recent versions of FreeBSD.

     ftp session required    pam_unix.so         try_first_pass
              

    6. Normal users can't login, only anon.

    Check that the /etc/pam.d/ftp file exists on the system and is configured as detailed in README.PAM

    7. AuthPAMAuthoritative

    Currently AuthPAMAuthoritative defaults on "ON" resulting in login failures if PAM cannot authenticate the user. This breaks the AuthUserFile directive as it never gets a chance to authenticate the user unless the AuthPAMAuthoritative directive is set to "OFF"

    The reasoning behind the current default is to ensure that the system is secure by default requiring that the admin explicitly and knowingly has to disable it. There are discussions underway which may result in the directive flipping to a default of "Off" if AuthUserFile is specified.

    Note: as of the current CVS and the forthcoming pre9 release the default has changed to "Off"

    8. LDAP

    mod_ldap is part of the core distribution.

    9. One time passwords

    This is possible using either PAM or the Opie modules. The module passes back a challenge which the user puts into a key generator along with their "pass phrase" and it gives them back 5 words which get sent as the password. As long as you do it correctly it will never repeat.

    It requires http://inner.net/opie/ to be installed on the server. There are key gen clients for win95/98, *nix, mac.

    ftp://ftp.urbanrage.com/pub/c/mod_opie.c

    10. RADIUS

    The new mod_radius module provides RADIUS authentication and accounting support to ProFTPD.

    11. Anonymous password checking

    Is it possible to check an offered email address in an anonymous login before allowing access. Simple answer, not a hope in hell, anonymous access is pretty much designed to be freely open without checks and restrictions other than those placed on upload/download from the site. The best that can be hoped for is decent logging and tracking of accesses, and the requesting IP.

    12. Why do I see "PAM(name): Authentication failure", but I can login anyway?

    If the operating system supports PAM (Pluggable Authentication Modules) proftpd will perform PAM authentication by default. However, this authentication is not "authoritative" by default, meaning that a PAM authentication failure will not necessary cause a login to fail. The use of PAM can be configured using the AuthPAM configuration directive; the "authoritativeness" of any PAM checks is controlled via the AuthPAMAuthoritative configuration directive.