standard ftpd and PAM
Martin P. Hellwig
mhellwig at xs4all.nl
Fri Jan 21 05:34:43 PST 2005
Joerg Sonnenberger wrote:
On Thu, Jan 20, 2005 at 11:07:27PM +0100, Martin P. Hellwig wrote:
Martin P. Hellwig wrote:
Hello all,
I am lately fooling around with pam trying to understand it.
So my hypothesis was when I enable ftp via inetd.conf and comment out all
rules in /etc/pam.conf I should not be able to login.
By all I mean the ones regarding ftpd
I just wanted to ask that :) There's a fallback default called "other".
Joerg
I commented "other" too now, when I log in now (from my work) I get the
following in syslog:
Jan 21 12:26:05 xinagnet ftpd[15290]: connection from
213.126.48.224.ip.onderwijs.casematelecom.nl (213.126.48.224)
Jan 21 12:26:10 xinagnet ftpd[15290]: no modules loaded for `ftpd' service
Jan 21 12:26:10 xinagnet kernel: Jan 21 12:26:10 xinagnet ftpd[15290]:
no modules loaded for `ftpd' service
Jan 21 12:26:10 xinagnet ftpd[15290]: auth_pam: Permission denied
Jan 21 12:26:10 xinagnet kernel: Jan 21 12:26:10 xinagnet ftpd[15290]:
auth_pam: Permission denied
Jan 21 12:26:10 xinagnet ftpd[15290]: FTP LOGIN FROM
213.126.48.224.ip.onderwijs.casematelecom.nl as martin
when I don't comment out the "other" I get:
Jan 21 12:41:48 xinagnet ftpd[15345]: connection from
213.126.48.224.ip.onderwijs.casematelecom.nl (213.126.48.224)
Jan 21 12:41:52 xinagnet ftpd[15345]: FTP LOGIN FROM
213.126.48.224.ip.onderwijs.casematelecom.nl as martin
++++++++++
So from this behaviour I think I could conclude that:
- ftpd receives a logon request for a user
- pam gets an authentication request by ftpd
- pam looks up an entry for ftpd (can't find any) falls back to other
(can't find that either, I commented both out) and says "no modules
loaded for `ftpd' service"
- ftpd receives an "auth_pam: Permission denied" by PAM
- ftpd falls back to "internal" mechanism to resolve authentication.
Is the above a correct assumption?
Is there any way to make pam itself be more verbose?
Is there an application (provided the above was correct) that doesn't
use an internal fallback for authentication?
--
mph
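
An added example, not part of the original message: a Python check for the pattern in the first syslog excerpt above, where the same ftpd process logs a PAM failure and then an FTP LOGIN line. The sample log is constructed (placeholder host name and 192.0.2.x address), and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the same syslog shape as the excerpts above
# (host name, client name and 192.0.2.x address are placeholders).
SAMPLE = """\
Jan 21 12:26:05 host1 ftpd[15290]: connection from client.example (192.0.2.10)
Jan 21 12:26:10 host1 ftpd[15290]: no modules loaded for `ftpd' service
Jan 21 12:26:10 host1 kernel: Jan 21 12:26:10 host1 ftpd[15290]: no modules loaded for `ftpd' service
Jan 21 12:26:10 host1 ftpd[15290]: auth_pam: Permission denied
Jan 21 12:26:10 host1 ftpd[15290]: FTP LOGIN FROM client.example as martin
Jan 21 12:41:48 host1 ftpd[15345]: connection from client.example (192.0.2.10)
Jan 21 12:41:52 host1 ftpd[15345]: FTP LOGIN FROM client.example as martin
Jan 21 12:50:01 host1 ftpd[15400]: auth_pam: Permission denied
"""

# timestamp, host, ftpd[pid], message; kernel-echoed duplicates do not match.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ftpd\[(\d+)\]: (.*)$")
LOGIN = re.compile(r"^FTP LOGIN FROM (\S+) as (\S+)$")
PAM_FAIL = ("auth_pam: Permission denied", "no modules loaded for")


def logins_after_pam_failure(text):
    """Return (pid, user, source, pam_messages) for each ftpd process that
    logged a PAM failure and afterwards logged a successful login."""
    failures = defaultdict(list)  # pid -> PAM failure messages seen so far
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = m.group(3), m.group(4)
        if msg.startswith(PAM_FAIL):
            failures[pid].append(msg)
            continue
        login = LOGIN.match(msg)
        if login and failures[pid]:
            # pop() clears the state so a reused pid starts clean
            findings.append((pid, login.group(2), login.group(1), failures.pop(pid)))
    return findings


if __name__ == "__main__":
    for pid, user, source, msgs in logins_after_pam_failure(SAMPLE):
        print(f"ftpd[{pid}]: login as {user} from {source} after PAM failure: {msgs}")
```
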