63196 – proftpd and pam without pwdb

Bug 63196 - proftpd and pam without pwdb

Summary: proftpd and pam without pwdb

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All All

Importance:	High normal (vote)
Assignee:	Gustavo Felisberto (RETIRED)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2004-09-08 01:27 UTC by Andrei Ivanov
Modified:	2005-03-02 15:20 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrei Ivanov 2004-09-08 01:27:54 UTC

If pam is compiled without the pwdb flag, the pam module installed by proftpd won't work.

These settings taken from /etc/pam.d/ftp won't work:

auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_pwdb.so

Comment 1 Gustavo Felisberto (RETIRED) gentoo-dev

2004-09-09 14:32:57 UTC

I have:
#%PAM-1.0
auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_pwdb.so

and pam-0.77 with no pwdb flag.

Comment 2 Andrei Ivanov 2004-09-11 04:49:41 UTC

So? What's your point?

Comment 3 Gustavo Felisberto (RETIRED) gentoo-dev

2004-09-11 06:48:06 UTC

Sorry, my point is that for me with the same settings it works :)
So i cannot duplicate your problem.

Comment 4 Andrei Ivanov 2004-09-11 07:06:56 UTC

Hmm.. then it's strange that your pam_pwdb module was built even though you have -pwdb in the USE flags. Can you make sure that you don't have the flag set and maybe recompile pam and restart proftpd?

Comment 5 Gustavo Felisberto (RETIRED) gentoo-dev

2004-09-17 17:01:24 UTC

I have no pwdb pam module. But i have an extra line in /etc/pam.d/ftp can you add that and see if it works?

Comment 6 Andrei Ivanov 2004-09-17 23:41:10 UTC

I do have it, I've just pasted the lines which contain the pam_pwdb module.
Anyway, I really don't see how your proftpd server works without the module...
Do you have this in proftpd.conf, in the <Global> section?
  AuthPAM                 on
  AuthPAMAuthoritative    on

Comment 7 David Röhr 2004-11-11 14:40:38 UTC

My proftpd is compiled with +pam, but pam is installed with without pwdb.

Yet, the /etc/pam.d/ftp is

account    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_pwdb.so

Gives me some errors in my syslog, but auth works, since I don't use AuthPAM in my config.

Nov 11 23:29:27 [proftpd] PAM unable to dlopen(/lib/security/pam_pwdb.so)
Nov 11 23:29:27 [proftpd] PAM [dlerror: /lib/security/pam_pwdb.so: cannot open shared object file: No such file or directory]
Nov 11 23:29:27 [proftpd] PAM adding faulty module: /lib/security/pam_pwdb.so

Comment 8 Kevin Bryan 2005-02-16 21:46:44 UTC

I'd like to "me too" comment #7, and ask if there is a more appropriate PAM configuration that should be used if pwdb is not enabled.  I don't know really know much about how PAM configuration, but, for example, the imap file contains:

auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

Would this make sense for ftp as well?  Is there any reason that this configuation wouldn't always be desirable over the default ftp config?  (I.e., regardless of whether or not PAM was build with USE=pwdb .)

Comment 9 Gustavo Felisberto (RETIRED) gentoo-dev

2005-03-02 15:20:27 UTC

Fixed in 1.2.10-r3 if you do not want to upgrade please copy files/ftp.pamd to /etc/pam.d/ftp.