ProFTPD module mod_auth_pam



PAM stands for Pluggable Authentication Modules, and is used to configure ways for authenticating users. Now "authenticating" a user usually means comparing a password they give with some other information, and returning a "yes/no"-style answer. PAM does not provide all of the other information for a user, such as UID, GID, home, and shell. This means that mod_auth_pam cannot be used, by itself, as an auth module for proftpd; mod_auth_pam is used to supplement other auth modules by providing access to PAM's additional authentication checks.

Installation instructions for mod_auth_pam can be found in the Installation section below.

The most current version of mod_auth_pam is distributed in the ProFTPD source distribution.

Directives


AuthPAM

Syntax: AuthPAM on|off
Default: AuthPAM on
Context: server config, <VirtualHost>, <Global>
Module: mod_auth_pam
Compatibility: 1.2.8rc2 and later

The AuthPAM directive enables or disables the module's runtime PAM check. If it is set to off this module does not consult PAM when authenticating a user.


AuthPAMConfig

Syntax: AuthPAMConfig service
Default: AuthPAMConfig ftp
Context: server config, <VirtualHost>, <Global>
Module: mod_auth_pam
Compatibility: 1.2.8rc2 and later

The AuthPAMConfig directive is used to specify the name of the service used when performing the PAM check; PAM configurations can vary depending on the service. By default, the "ftp" service is used. Note that on some platforms, e.g. FreeBSD, this may need to be set to "ftpd", depending on the PAM configuration involved.

Here's an example of changing the service used:

  <IfModule mod_auth_pam.c>
    AuthPAMConfig ftpd
  </IfModule>


AuthPAMOptions

Syntax: AuthPAMOptions opt1 opt2 ... optN
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_auth_pam
Compatibility: 1.3.2rc1 and later

The AuthPAMOptions directive is used to configure various optional behavior of mod_auth_pam.

Example:

  <IfModule mod_auth_pam.c>
    # Do not set the PAM_TTY token when authenticating via PAM
    AuthPAMOptions NoTTY
  </IfModule>

The currently implemented options are:

  NoTTY
    Do not set the PAM_TTY token when authenticating via PAM.


Installation

The mod_auth_pam module is automatically included when proftpd is built on a system that supports PAM. To disable this automatic inclusion, use the --disable-auth-pam configure option.

Logging
The mod_auth_pam module supports trace logging, via the module-specific log channel:

  auth.pam

Thus for trace logging, to aid in debugging, you would use the following in your proftpd.conf:

  TraceLog /path/to/ftpd/trace.log
  Trace auth.pam:20

This trace logging can generate large files; it is intended for debugging use only, and should be removed from any production configuration.

Frequently Asked Questions

Question: I need to use PAM for enforcing the handling of aged/expired passwords on my Unix system. How do I make sure that PAM does the right thing?
Answer: For this sort of requirement, you are probably already using ProFTPD's default authentication modules, which include mod_auth_unix and mod_auth_pam. But to make sure that the PAM rules are enforced, you need to make mod_auth_pam "authoritative", i.e. give it the final say on whether a given password is acceptable. Use the AuthOrder directive to accomplish this:

  # It is important that mod_auth_pam appear before mod_auth_unix, and
  # that the asterisk appear after the name, not before.
  AuthOrder mod_auth_pam.c* mod_auth_unix.c

The asterisk ("*") after a module name in the AuthOrder directive is what tells proftpd to treat that module's results as authoritative.
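The two settings that most often go wrong in practice are the ones discussed under AuthPAMConfig (the PAM service name must match a service file the platform actually has) and in the AuthOrder answer above (mod_auth_pam.c needs the trailing asterisk, and must come before mod_auth_unix.c). The following preflight script is an added example, not ProFTPD project code: it reads a proftpd.conf, reports which PAM service name mod_auth_pam will consult, checks that a service file of that name exists under a pam.d directory, and classifies the AuthOrder line. The file names, the pam.d directory argument and the sample configurations it builds with mktemp are constructed for the example; the function names are mine.

```shell
#!/bin/sh
# Added example, not ProFTPD project code: a preflight check for the
# AuthPAMConfig and AuthOrder settings discussed on this page. Paths and
# the sample configurations below are constructed for the example.

# Print the PAM service name: the last AuthPAMConfig value in the file,
# or the documented default "ftp" when the directive is absent.
pam_service_from_conf() {
    svc=$(sed -n 's/^[[:space:]]*AuthPAMConfig[[:space:]]\{1,\}\([^[:space:]#]\{1,\}\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${svc:-ftp}"
}

# Succeed when "<pam.d dir>/<service>" exists. Without it, PAM falls back
# to the "other" service, which on most systems denies everything, so a
# service name that does not match the platform (e.g. "ftpd" on FreeBSD)
# shows up as every login failing rather than as a configuration error.
pam_service_exists() {
    [ -f "$2/$1" ]
}

# Classify the AuthOrder directive:
#   ok                 mod_auth_pam.c* appears, and before mod_auth_unix.c
#   wrong-order        mod_auth_unix.c is listed before mod_auth_pam
#   not-authoritative  mod_auth_pam.c is listed without a trailing asterisk
#                      (or with the asterisk before the name)
#   missing            no AuthOrder directive, or it omits mod_auth_pam
auth_order_status() {
    line=$(sed -n 's/^[[:space:]]*AuthOrder[[:space:]]\{1,\}//p' "$1" | tail -n 1 | sed 's/#.*//')
    [ -n "$line" ] || { echo missing; return 0; }
    i=0; pam_pos=0; unix_pos=0; pam_auth=0
    set -f                       # the "*" in the directive must not glob-expand
    for w in $line; do
        i=$((i + 1))
        case "$w" in
            mod_auth_pam.c\*)  pam_pos=$i; pam_auth=1 ;;
            *mod_auth_pam.c*)  pam_pos=$i ;;
            *mod_auth_unix.c*) unix_pos=$i ;;
        esac
    done
    set +f
    if [ "$pam_pos" -eq 0 ]; then
        echo missing
    elif [ "$unix_pos" -ne 0 ] && [ "$unix_pos" -lt "$pam_pos" ]; then
        echo wrong-order
    elif [ "$pam_auth" -eq 0 ]; then
        echo not-authoritative
    else
        echo ok
    fi
}

# Build constructed sample files in a temporary directory and print its path:
# a pam.d/ftpd service file, a correct proftpd.conf, one whose AuthOrder has
# no asterisk, and one that lists mod_auth_unix.c first.
make_sample_configs() {
    dir=$(mktemp -d)
    mkdir -p "$dir/pam.d"
    cat > "$dir/pam.d/ftpd" <<'EOF'
auth     required   pam_unix.so
account  required   pam_unix.so
session  required   pam_unix.so
EOF
    cat > "$dir/good.conf" <<'EOF'
<IfModule mod_auth_pam.c>
  AuthPAMConfig ftpd
</IfModule>
AuthOrder mod_auth_pam.c* mod_auth_unix.c
EOF
    cat > "$dir/weak.conf" <<'EOF'
AuthOrder mod_auth_pam.c mod_auth_unix.c
EOF
    cat > "$dir/bad.conf" <<'EOF'
AuthOrder mod_auth_unix.c mod_auth_pam.c
EOF
    printf '%s\n' "$dir"
}

# Stand-alone demonstration over the constructed samples.
sample=$(make_sample_configs)
for conf in good weak bad; do
    svc=$(pam_service_from_conf "$sample/$conf.conf")
    if pam_service_exists "$svc" "$sample/pam.d"; then state=present; else state=MISSING; fi
    printf '%s.conf: PAM service "%s" (%s), AuthOrder %s\n' \
        "$conf" "$svc" "$state" "$(auth_order_status "$sample/$conf.conf")"
done
rm -rf "$sample"
```

Against a live system, run the checks with the real paths (for example `pam_service_exists "$(pam_service_from_conf /etc/proftpd.conf)" /etc/pam.d`) before restarting the daemon; the only part of the script tied to the example is the sample-file builder. The classifier treats only the exact token mod_auth_pam.c* as authoritative, which is the form the answer above requires.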


© Copyright 2017 The ProFTPD Project
All Rights Reserved