On Wed, 2008-03-12 at 15:44 +0900, Coe, Colin C. (Unix Engineer) wrote:
> In the end I just enabled authentication via LDAP for everything
Now you've done that, it should be simple to take your /etc/pam.d/vsftpd
and /etc/pam.d/system-auth files and merge them into one (replace the
references to "<service> include system-auth" in vsftpd with the
relevant "<service>" lines from system-auth, and save that file as vsftpd).
Then, turn off LDAP authentication (by commenting out the lines in
system-auth). You should end up with a system that uses LDAP for vsftpd
but not for anything else.
> but the
> bizarre thing is every time someone logs in successfully a message is
> logged in /var/log/secure
>
> Mar 12 15:41:06 server vsftpd: pam_unix(vsftpd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ftp ruser=user
> rhost=localhost.localdomain user=user
That says that the vsftpd user fails the pam_unix test in the PAM
configs. It's not surprising if they are only in LDAP and indeed I get
the same behaviour. I believe you can configure it to not print the
warnings, but I'm not sure exactly which PAM module option controls
this.
--
Sam
> When a wrong password is tried I get a pam_ldap invalid credentials
> message in /var/log/messages and the FTP session is not started.
>
> CC
>
> > -----Original Message-----
> > From: rhelv5-list-bounces@(protected)
> > [mailto:rhelv5-list-bounces@(protected),
> > Kevin [Beeline]
> > Sent: Wednesday, 12 March 2008 12:55 AM
> > To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
> > Subject: RE: [rhelv5-list] VSFTPd and LDAP
> >
> > I haven't followed this whole thread, but hopefully I can offer some
> > help. On my system, the unmodified /etc/pam.d/vsftpd looks like this:
> >
> > -------
> > #%PAM-1.0
> > session optional pam_keyinit.so force revoke
> > auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> > auth required pam_shells.so
> > auth include system-auth
> > account include system-auth
> > session include system-auth
> > session required pam_loginuid.so
> > -------
> >
> > I think you want it to look more like this:
> >
> > -------
> > #%PAM-1.0
> > session optional pam_keyinit.so force revoke
> > auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> > auth required pam_shells.so
> > auth sufficient pam_ldap.so try_first_pass
> > auth required pam_deny.so
> > account include system-auth
> > session include system-auth
> > session required pam_loginuid.so
> > -------
> >
> >
> > The key things being to use the "try_first_pass" (or no option) rather
> > than "use_first_pass" (see below from 'man pam_ldap' for the
> > distinction):
> >
> > use_first_pass
> > Specifies that pam_ldap should always use the first
> > password provided in the authentication stack.
> >
> > try_first_pass
> > Specifies that pam_ldap should first try the first
> > password provided in the authentication stack, and
> > then prompt the user for their LDAP password if
> > authentication fails.
> >
> > and also the inclusion of the "pam_deny" entry as the last in the auth
> > stack...
> >
> > Also, I assume your system is properly configured to talk to the LDAP
> > server?
> >
> > Kevin
> >
> > -----Original Message-----
> > From: rhelv5-list-bounces@(protected)
> > [mailto:rhelv5-list-bounces@(protected),
> > Colin C. (Unix
> > Engineer)
> > Sent: Monday, March 10, 2008 8:24 PM
> > To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
> > Subject: RE: [rhelv5-list] VSFTPd and LDAP
> >
> >
> > Hi Sam
> >
> > I've been working on this but have not made much progress.
> >
> > The following vsftpd PAM config lets me in, regardless of the password.
> > If I uncomment the 'auth include system-auth' line then no password will
> > let me in.
> >
> > I'm trying for something in the middle i.e. the correct password will
> > let me in :)
> >
> > #%PAM-1.0
> > session optional pam_keyinit.so force revoke
> > auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> > auth sufficient pam_ldap.so use_first_pass
> > auth required pam_shells.so
> > auth required pam_nologin.so
> > #auth include system-auth
> > account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_ldap.so
> > account include system-auth
> > password required pam_cracklib.so
> > password sufficient pam_ldap.so use_authtok
> > session include system-auth
> > session required pam_loginuid.so
> >
> > The following line gets logged in /var/log/secure:
> > Mar 11 12:15:29 server vsftpd: pam_unix(vsftpd:auth): authentication
> > failure; logname= uid=0 euid=0 tty=ftp ruser=user
> > rhost=localhost.localdomain user=user
> >
> > Any ideas?
> >
> > CC
> >
> > ________________________________
> >
> > From: rhelv5-list-bounces@(protected)
> > [mailto:rhelv5-list-bounces@(protected)
> > Sent: Thursday, 6 March 2008 8:49 AM
> > To: Red Hat Enterprise Linux 5 (Tikanga) discussion
> > mailing-list; Red Hat Enterprise Linux 5 (Tikanga) discussion
> > mailing-list
> > Subject: RE: [rhelv5-list] VSFTPd and LDAP
> >
> >
> >
> > > We've got a server running ProFTPd that uses an OpenLDAP server
> > > for authentication. I want to migrate this over to EL5 and VSFTPd.
> > > I've googled and found many references to getting VSFTPd to work
> > > with LDAP via PAM but the problem is that the system itself *must
> > > not* use LDAP for non-FTP logins.
> >
> > I don't see why this is a problem. If you modify /etc/pam.d/vsftpd
> > to allow LDAP logins, but don't touch system-auth, then your system
> > can be not using PAM, while vsftpd happily is.
> >
> > I do this for lots of services... (but not vsftpd)
> >
> > --
> > Sam
> >
> >
> > NOTICE: This email and any attachments are confidential.
> > They may contain legally privileged information or
> > copyright material. You must not read, copy, use or
> > disclose them without authorisation. If you are not an
> > intended recipient, please contact us at once by return
> > email and then delete both messages and all attachments.
> >
> >
> > _______________________________________________
> > rhelv5-list mailing list
> > rhelv5-list@(protected)
> > https://www.redhat.com/mailman/listinfo/rhelv5-list
> >
> >
>
>
>
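The thread turns on three points about the vsftpd PAM auth stack: why Colin's first config let anyone in regardless of password, why Kevin's version with pam_deny as the last auth line fixes that, and why Sam expects the "pam_unix(vsftpd:auth): authentication failure" line on every successful LDAP login (and how inlining system-auth into vsftpd keeps LDAP for FTP only). The script below is an added example, not code from the thread or from any of its participants. It is a toy evaluator of the Linux-PAM auth control flags (required, requisite, sufficient, include) run over the stacks quoted above; module behaviour is simulated against constructed in-memory data (the users, passwords, shells and LDAP entries are made up), and the system-auth stacks are an assumed authconfig-style shape rather than anything posted in the thread.

```python
"""Toy evaluator for the 'auth' phase of a Linux-PAM stack (added example).

Module behaviour is simulated against constructed in-memory data: the users,
passwords, shells and LDAP contents below are made up, and the system-auth
stacks are an assumed authconfig-style shape, not taken from the thread.
"""

# Constructed stand-ins for /etc/shadow, the LDAP directory, /etc/shells
# and /etc/vsftpd/ftpusers. 'ftpuser' exists only in LDAP.
LOCAL_USERS = {"root": "rootpw", "alice": "alicepw"}
LDAP_USERS = {"ftpuser": "ldappw", "alice": "alicepw"}
USER_SHELL = {"root": "/bin/bash", "alice": "/bin/bash", "ftpuser": "/bin/sh"}
VALID_SHELLS = {"/bin/bash", "/bin/sh"}
FTPUSERS_DENY = {"root"}

OK, FAIL = "success", "fail"

# Each simulated module returns (status, syslog-style message or None).
def pam_listfile(user, pw):  # item=user sense=deny file=/etc/vsftpd/ftpusers
    return (FAIL, f"Refused user {user} for service vsftpd") if user in FTPUSERS_DENY else (OK, None)

def pam_shells(user, pw):    # the user's shell must be listed in /etc/shells
    return (OK, None) if USER_SHELL.get(user) in VALID_SHELLS else (FAIL, None)

pam_nologin = lambda user, pw: (OK, None)   # /etc/nologin is absent in this simulation
pam_deny = lambda user, pw: (FAIL, None)

def pam_unix(user, pw):      # local password check; logs the line seen in the thread
    if LOCAL_USERS.get(user) == pw:
        return OK, None
    return FAIL, (f"pam_unix(vsftpd:auth): authentication failure; logname= uid=0 "
                  f"euid=0 tty=ftp ruser={user} rhost=localhost.localdomain user={user}")

def pam_ldap(user, pw):      # simulated LDAP bind as the user
    if LDAP_USERS.get(user) == pw:
        return OK, None
    return FAIL, f'pam_ldap: error trying to bind as user "{user}" (Invalid credentials)'

MODULES = {"pam_listfile.so": pam_listfile, "pam_shells.so": pam_shells,
           "pam_nologin.so": pam_nologin, "pam_deny.so": pam_deny,
           "pam_unix.so": pam_unix, "pam_ldap.so": pam_ldap}

def flatten(lines, includes):
    """Replace '<type> include <file>' with that file's lines of the same type
    (the merge Sam describes doing by hand)."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "include":
            out.extend(l for l in flatten(includes[parts[2]], includes)
                       if l.split()[:1] == [parts[0]])
        else:
            out.append(line)
    return out

def evaluate_auth(lines, includes, user, pw):
    """Run the auth stack with Linux-PAM control-flag semantics and return
    (granted, log_lines). Simplified: no [value=action] syntax, and a failing
    'optional' module is always ignored."""
    failed, logs = False, []
    for line in flatten(lines, includes):
        parts = line.split()
        if parts[:1] != ["auth"]:
            continue
        control, module = parts[1], parts[2]
        status, msg = MODULES[module](user, pw)
        if msg:
            logs.append(msg)
        if status == OK:
            if control == "sufficient" and not failed:
                return True, logs   # short-circuit: later modules never run
        elif control == "required":
            failed = True           # remembered, but the stack keeps running
        elif control == "requisite":
            return False, logs
        # a failing 'sufficient' or 'optional' module is skipped silently
    return not failed, logs

LISTFILE = "auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed"
# Colin's stack: once pam_ldap (sufficient) fails, only pam_shells and pam_nologin
# remain and neither checks a credential, so any password is accepted.
COLIN_VSFTPD = [LISTFILE, "auth sufficient pam_ldap.so use_first_pass",
                "auth required pam_shells.so", "auth required pam_nologin.so"]
# Kevin's stack: pam_deny closes the stack, so only pam_ldap can grant access.
KEVIN_VSFTPD = [LISTFILE, "auth required pam_shells.so",
                "auth sufficient pam_ldap.so try_first_pass", "auth required pam_deny.so"]
# Stock vsftpd auth lines, deferring to system-auth.
STOCK_VSFTPD = [LISTFILE, "auth required pam_shells.so", "auth include system-auth"]
# Assumed system-auth auth stacks, with and without the LDAP line.
SYSTEM_AUTH_LDAP = ["auth sufficient pam_unix.so nullok try_first_pass",
                    "auth sufficient pam_ldap.so use_first_pass", "auth required pam_deny.so"]
SYSTEM_AUTH_LOCAL = [l for l in SYSTEM_AUTH_LDAP if "pam_ldap" not in l]

def merged_vsftpd():
    """Sam's step: inline system-auth into vsftpd, so system-auth can then drop
    pam_ldap without changing what vsftpd does."""
    return flatten(STOCK_VSFTPD, {"system-auth": SYSTEM_AUTH_LDAP})

if __name__ == "__main__":
    for name, stack in ("colin", COLIN_VSFTPD), ("kevin", KEVIN_VSFTPD), ("merged", merged_vsftpd()):
        for pw in ("ldappw", "wrong"):
            granted, logs = evaluate_auth(stack, {}, "ftpuser", pw)
            print(f"{name:6} ftpuser/{pw:6} -> {'granted' if granted else 'denied'} {logs}")
```

Running it shows Colin's stack granting ftpuser with the wrong password, Kevin's stack denying it, and the merged stack admitting the LDAP-only user while still emitting the pam_unix failure line, because pam_unix runs (and fails) before pam_ldap gets its turn. Evaluating SYSTEM_AUTH_LOCAL for the same user denies the login, which is the "LDAP for vsftpd but not for anything else" outcome Sam describes.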