standard ftpd and PAM

Martin P. Hellwig mhellwig at xs4all.nl
Fri Jan 21 05:34:43 PST 2005


Joerg Sonnenberger wrote:
> On Thu, Jan 20, 2005 at 11:07:27PM +0100, Martin P. Hellwig wrote:
>
>> Hello all,
>>
>> I am lately fooling around with pam trying to understand it.
>> So my hypothesis was when I enable ftp via inetd.conf and comment out all
>> rules in /etc/pam.conf I should not be able to login.
>> By all I mean the ones regarding ftpd.
>
> I just wanted to ask that :) There's a fallback default called "other".
>
> Joerg

I commented out "other" too now; when I log in now (from my work) I get the
following in syslog:

Jan 21 12:26:05 xinagnet ftpd[15290]: connection from 213.126.48.224.ip.onderwijs.casematelecom.nl (213.126.48.224)
Jan 21 12:26:10 xinagnet ftpd[15290]: no modules loaded for `ftpd' service
Jan 21 12:26:10 xinagnet kernel: Jan 21 12:26:10 xinagnet ftpd[15290]: no modules loaded for `ftpd' service
Jan 21 12:26:10 xinagnet ftpd[15290]: auth_pam: Permission denied
Jan 21 12:26:10 xinagnet kernel: Jan 21 12:26:10 xinagnet ftpd[15290]: auth_pam: Permission denied
Jan 21 12:26:10 xinagnet ftpd[15290]: FTP LOGIN FROM 213.126.48.224.ip.onderwijs.casematelecom.nl as martin

When I don't comment out the "other" I get:

Jan 21 12:41:48 xinagnet ftpd[15345]: connection from 213.126.48.224.ip.onderwijs.casematelecom.nl (213.126.48.224)
Jan 21 12:41:52 xinagnet ftpd[15345]: FTP LOGIN FROM 213.126.48.224.ip.onderwijs.casematelecom.nl as martin

++++++++++
So from this behaviour I think I could conclude that:
- ftpd receives a logon request for a user
- pam gets an authentication request from ftpd
- pam looks up an entry for ftpd (can't find any), falls back to other
(can't find that either, I commented both out) and says "no modules
loaded for `ftpd' service"
- ftpd receives an "auth_pam: Permission denied" from PAM
- ftpd falls back to an "internal" mechanism to resolve authentication.

Is the above a correct assumption?
Is there any way to make pam itself be more verbose?
Is there an application (provided the above was correct) that doesn't
use an internal fallback for authentication?

--
mph
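
Added example, not part of the original message: a small Python check for the sequence visible in the first syslog excerpt, where the same ftpd process logs a PAM failure and then an `FTP LOGIN`. The function name and the sample log (constructed, with documentation host names and addresses) are assumptions; the message formats are the ones quoted above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two syslog excerpts in the message above;
# host names and addresses are documentation placeholders.
SAMPLE_LOG = """\
Jan 21 12:26:05 host ftpd[15290]: connection from client.example.net (192.0.2.10)
Jan 21 12:26:10 host ftpd[15290]: no modules loaded for `ftpd' service
Jan 21 12:26:10 host kernel: Jan 21 12:26:10 host ftpd[15290]: no modules loaded for `ftpd' service
Jan 21 12:26:10 host ftpd[15290]: auth_pam: Permission denied
Jan 21 12:26:10 host ftpd[15290]: FTP LOGIN FROM client.example.net as martin
Jan 21 12:41:48 host ftpd[15345]: connection from client.example.net (192.0.2.10)
Jan 21 12:41:52 host ftpd[15345]: FTP LOGIN FROM client.example.net as martin
"""

# Only lines logged directly by ftpd match; kernel-relayed copies are skipped.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ ftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
LOGIN = re.compile(r"^FTP LOGIN FROM (?P<src>\S+) as (?P<user>\S+)$")
PAM_PROBLEMS = ("auth_pam: Permission denied", "no modules loaded for")

def find_logins_after_pam_denial(log_text):
    """Return one finding per ftpd login that follows a PAM failure in the same process."""
    problems = defaultdict(list)  # pid -> PAM failure messages seen in this session
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connection from"):
            problems.pop(pid, None)  # new session: PIDs can be reused
        elif msg.startswith(PAM_PROBLEMS):
            problems[pid].append(msg)
        else:
            login = LOGIN.match(msg)
            if login and problems.get(pid):
                findings.append({
                    "time": m["ts"], "pid": int(pid),
                    "user": login["user"], "source": login["src"],
                    "pam_messages": list(problems[pid]),
                })
    return findings

if __name__ == "__main__":
    for finding in find_logins_after_pam_denial(SAMPLE_LOG):
        print(finding)
```
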




