Ti_Uhl n00b
Joined: 28 Nov 2002 Posts: 6 Location: Belgium
Posted: Fri Dec 06, 2002 2:19 pm Post subject: Problem with proftpd and PAM |
Hello,
When I try to log in to my proftpd server it keeps saying login failed. I use PAM to log in and I know that the passwords and login names are correct...
Code: | #%PAM-1.0
auth required pam_pwdb.so nodelay shadow
account required pam_pwdb.so
password required pam_pwdb.so shadow nullok use_authtok
session required pam_pwdb.so
|
Thx anyway
474 l33t
Joined: 19 Apr 2002 Posts: 714
Posted: Sat Dec 07, 2002 8:54 pm Post subject: |
Have you checked any log files? Are your config files in /etc merged in and up-to-date? I just checked my proftpd.conf file and noticed that I had:
Code: |
AuthPAM off
AuthPAMConfig ftp
|
which works. I tried enabling AuthPAM, restarted ProFTPD and it still worked. I'm using pam-0.75-r10 and proftpd-1.2.7_rc3. Here's my /etc/pam.d/ftp file:
Code: |
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so
|
frogger n00b
Joined: 05 Dec 2002 Posts: 35
Posted: Sat Dec 07, 2002 9:26 pm Post subject: |
Although this doesn't answer your question... Do you REALLY need to be running ftp? The idea of sending passwords plain text just doesn't appeal to me.
Might I suggest using sftp instead (part of openssh)? Much better security.
474 l33t
Joined: 19 Apr 2002 Posts: 714
Posted: Sat Dec 07, 2002 9:52 pm Post subject: |
Quote: | Much better security. |
Yes. But maybe it's not needed. He didn't say he was running an FTP server exposed over the Internet! You never know, maybe he's just using it for convenient transfers between a Windows box and his Linux box over a crossover Ethernet cable, instead of getting into the SMB hoopla or fussing over installing a Windows scp capable client. Don't get me wrong, I totally agree - but plain text authentication security issues aren't always of a massive precedence - depending on the user's requirements and setup. Nevertheless, I resolutely accept that it's always worth reminding people of the dangers of FTP and that I hadn't done so here.
Personally, I'm only using ProFTPD to experiment with and so that I can add it to my repertoire of sysadmin skills. I, for one, use SSH almost exclusively!
SirronD Tux's lil' helper
Joined: 05 Jun 2002 Posts: 100 Location: Oakland, CA
Posted: Fri Dec 20, 2002 1:16 am Post subject: Had the same problem, here is how I fixed it |
I recently updated from my old gentoo to the 1.4_rc1 (plus emerge updates).
I got around today to emerging proftpd, and on first use I had the same problem as you. I was using the same proftpd.conf as my old setup, so I thought everything would work the same but it did not.
I was able to get it working with the following updates of configuration.
/etc/pam.d/ftp
Code: |
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_pwdb.so shadow nullok
# If this is enabled, anonymous logins will fail because the 'ftp' user does
# not have a "valid" shell, as listed in /etc/shells.
#
# If you enable this, it is recommended that you do *not* give the 'ftp'
# user a real shell. Instead, give the 'ftp' user /bin/false for a shell and
# add /bin/false to /etc/shells.
auth required /lib/security/pam_shells.so
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so
|
Note: "auth required /lib/security/pam_shells.so" was previously commented out. I made the line active (removed the "#")
/etc/shells
Code: |
# /etc/shells: valid login shells
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/shells,v 1.4 2002/11/18 19:39:22 azarah Exp $
/bin/sh
/bin/bash
/bin/tcsh
/bin/esh
/bin/ksh
/bin/zsh
/bin/sash
/bin/false
|
note: I added the line "/bin/false"
Then I restarted proftpd, and now it is working. Don't know why I needed to do this, as I did not have these configurations in my older gentoo system.
Hope this helps
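Added example, not part of any post in this thread: an offline model of the two non-password checks in the /etc/pam.d/ftp stack quoted above (pam_listfile and pam_shells), showing which module rejects a user before and after /bin/false is added to /etc/shells. The function names, the accounts and the file contents are constructed for illustration; the real modules are not called.

```python
# Added example: offline model of the pam_listfile and pam_shells checks in
# the /etc/pam.d/ftp stack quoted above. All sample data below is constructed.
PAM_FTP = """#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_shells.so
"""
PASSWD = """root:x:0:0:root:/root:/bin/bash
ftp:x:21:21:ftp:/home/ftp:/bin/false
alice:x:1000:100::/home/alice:/bin/bash
"""
SHELLS_OLD = "# /etc/shells: valid login shells\n/bin/sh\n/bin/bash\n"
SHELLS_NEW = SHELLS_OLD + "/bin/false\n"

def parse_auth_stack(pam_text):
    """Return [(module file name, {option: value})] for active auth lines."""
    stack = []
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            opts = dict(o.partition("=")[::2] for o in fields[3:])
            stack.append((fields[2].rsplit("/", 1)[-1], opts))
    return stack

def entries(text):
    """Non-blank, non-comment lines of an /etc/shells or /etc/ftpusers style file."""
    lines = (l.strip() for l in text.splitlines())
    return {l for l in lines if l and not l.startswith("#")}

def denials(user, pam_text, passwd_text, files):
    """Names of modelled auth modules that reject `user` (passwords not checked).
    `files` maps path -> content; an absent path models an unreadable file."""
    shell = None
    for row in passwd_text.splitlines():
        parts = row.split(":")
        if len(parts) == 7 and parts[0] == user:
            shell = parts[6]
    failed = []
    for module, opts in parse_auth_stack(pam_text):
        if module == "pam_listfile.so" and opts.get("item") == "user":
            content = files.get(opts.get("file"))
            if content is None:   # file error: onerr= decides the outcome
                ok = opts.get("onerr") == "succeed"
            else:
                hit = user in entries(content)
                ok = hit if opts.get("sense") == "allow" else not hit
            if not ok:
                failed.append(module)
        elif module == "pam_shells.so" and shell not in entries(files.get("/etc/shells", "")):
            failed.append(module)
    return failed
```

With onerr=succeed, a missing or unreadable /etc/ftpusers lets every user through the deny list, so that file's presence is worth checking alongside /etc/shells.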