Linux – Using PAM and vsftpd without root access

ftp, linux, pam, vsftpd

I'm trying to set up a few vsftpd instances on a machine that I have no root access to. The authentication should be done through PAM with pam_listfile, like this:

pam_listfile.so item=group sense=allow file=/path/filename onerr=fail

I can ask the administrator to set up a PAM service for me and include that line, but he is not willing to create 6 PAM services for my 6 vsftpd instances, and I really need a different /path/filename set for each vsftpd server.

Is there a way to solve this problem? Can I somehow not use an absolute path as the parameter?

(I know the correct solution would be to use one vsftpd instance and set up virtual users properly. However, unfortunately I have to work with what I have, and the users already exist in an Active Directory and are authenticated to the system using another PAM service.)

Best Answer

Your better answer may be to migrate away from vsftpd to proftpd, which can support the need for virtual users without PAM integration. In your /etc/proftpd.conf you'd include lines like:

AuthPAMAuthoritative            off
AuthPAM                         off
AuthUserFile                    /opt/etc/passwd.ftp
AuthGroupFile                   /opt/etc/group.ftp

The group.ftp file is just a standard group setup for 'ftp' and 'nobody', and your passwd file would assign the user:group the same for all entries. You'd just specify usernames, passwords and login directories (use /sbin/nologin for the shell). It takes all of 5 minutes to set up if your admin will get the groundwork in place for you, and allow you to own/edit the password file.
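
A lint pass for the AuthUserFile the answer describes, added here as an illustration and not part of the original answer or of ProFTPD: it checks passwd-format entries against the answer's layout (one shared uid:gid, a nologin shell) plus assumed hygiene rules (hashed password, absolute home directory, no uid/gid 0). The function name, the policy sets and the sample entries are assumptions constructed for this example.

```python
import re

# Assumed policy for the virtual-user file described above (not ProFTPD defaults):
# every entry shares one unprivileged uid:gid, has a hashed password,
# an absolute home directory and a non-login shell.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
HASH_RE = re.compile(r"^\$(1|2[aby]|5|6|y)\$.+")  # crypt(3) "$id$..." formats


def lint_auth_user_file(text):
    """Return (line_number, message) findings for passwd-format text."""
    findings, seen_names, ids = [], set(), set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines are skipped
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "expected 7 colon-separated fields"))
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        if name in seen_names:
            findings.append((lineno, f"duplicate user {name!r}"))
        seen_names.add(name)
        if not HASH_RE.match(pw):
            findings.append((lineno, "password is not a crypt(3) hash"))
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((lineno, "uid/gid must be numeric"))
        elif int(uid) == 0 or int(gid) == 0:
            findings.append((lineno, "uid/gid 0 must not be used for FTP users"))
        else:
            ids.add((uid, gid))
        if not home.startswith("/") or ".." in home.split("/"):
            findings.append((lineno, "home must be an absolute path without '..'"))
        if shell not in NOLOGIN_SHELLS:
            findings.append((lineno, f"shell {shell!r} is not a nologin shell"))
    if len(ids) > 1:  # line 0 marks a file-level finding
        findings.append((0, "entries do not all share one uid:gid"))
    return findings


# Constructed sample input; hashes are placeholders, not real credentials.
SAMPLE = """\
alice:$6$saltsalt$PLACEHOLDERHASH:14:50::/srv/ftp/site1:/sbin/nologin
bob:plaintext:14:50::/srv/ftp/site2:/sbin/nologin
carol:$6$saltsalt$PLACEHOLDERHASH:0:0::/srv/ftp/site3:/bin/bash
"""

if __name__ == "__main__":
    for lineno, msg in lint_auth_user_file(SAMPLE):
        print(f"line {lineno}: {msg}")
```

ProFTPD's RequireValidShell directive is on by default, so a shell such as /sbin/nologin must be listed in /etc/shells, or the directive set to off, for these logins to be accepted.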