Re: PAM and FTP in Solaris 7

From: Crist J. Clark
Date: 09/19/02

Date: Thu, 19 Sep 2002 13:55:15 -0700
From: "Crist J. Clark" <>
To: Darren J Moffat <Darren.Moffat@Sun.COM>

On Thu, Sep 19, 2002 at 12:17:55PM -0700, Darren J Moffat wrote:
> On Mon, 16 Sep 2002, Crist J. Clark wrote:
> > I am having a bit of trouble trying to figure out what is going on
> > with PAM and in.ftpd in Solaris 7. I have "debug" on every line in the
> 1. What problem are you seeing ?

Despite the presence of "debug" in pam.conf, I'm not getting any
syslog debug output.

> 2. What end goal are you trying to achieve ?

Short term, getting the debug output. The real end goal was to see if
I could get in.ftpd to use a password for the ftp user rather than
accept anything. I wanted the chroot feature _and_ a password. (AFAIK,
there is no way to chroot arbitrary users with in.ftpd.) I thought that
since the documentation claimed in.ftpd uses PAM, there may be a way to
do this through PAM. I have since realized in.ftpd bypasses PAM
completely when "authenticating" the ftp user. I will need to go to
another FTP server.

> 3. Are you using only the pam_unix module shipped by Sun ?


> 4. Are you using a 3rd party module ?


> 5. Are you using the pam_krb5 module along with SEAM ftpd ?


> > pam.conf file, yet I don't get any syslog output when I make an ftp
> > login attempt. I am getting PAM debug output from other systems that
> > use PAM. What's going on?
> Did you update syslog.conf, create the file and pkill -HUP syslogd ?

Yes. I do get PAM debugging output from other utilities,

  Sep 16 17:28:21 crist-sparc login: rhosts authenticate: user = cclark, host = localhost
  Sep 16 17:28:21 crist-sparc login: pam_authenticate: error Authentication failed
  Sep 16 17:28:21 crist-sparc login: unix pam_sm_authenticate(rlogin cclark), flags = 0
  Sep 16 17:28:24 crist-sparc login: pam_authenticate: error Authentication failed

But nothing from in.ftpd.

> Do you want PAM module debug or PAM framework debug ?

Errr... Yes? I think I would have gotten what I needed from either,
i.e. I needed to know in.ftpd skips PAM completely for authenticating
the ftp user. Had it actually used PAM for this, knowing what goes on
inside the module would have been nice, but that's moot.

> Note that not all modules understand "debug" as a module argument, and
> you may not do the same thing with it.

Sun's pam_unix was the one being used.

> Framework debugging is undocumented and private. For Solaris 7 create
> /etc/pam_debug (using touch), update syslog.conf to log auth.debug
> somewhere.

Right, someone else pointed me to this. But now I know it is
intentionally undocumented.

But I still don't understand why I don't seem to get module debug
output from in.ftpd, but I do from some others. If I do,

  $ rlogin localhost

I see,

  Sep 19 13:46:10 crist-sparc login: unix pam_sm_authenticate(rlogin cclark), flags = 0
  Sep 19 13:46:13 crist-sparc login: pam_authenticate: error Authentication failed


  $ ftp localhost
  $ rsh localhost date

Don't return anything. Oh, and to eliminate issues where r{login,sh}
also get debug output from the pam_rhost_auth module, I reduced
pam.conf just to,

  other auth required /usr/lib/security/ debug
  other account required /usr/lib/security/ debug
  other session required /usr/lib/security/ debug
  other password required /usr/lib/security/ debug

(I realize this will break stuff, but it's just for testing the
debugging output.)

Oh, well. It's not critical... until next time I want to try something
interesting with PAM.

Crist J. Clark
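
Added example, not part of the original message and not Sun's code: a shell/awk helper that lists which pam.conf entries apply to a given service, per module type, and whether each carries the "debug" option. It assumes the standard pam.conf field order (service, module type, control flag, module path, options) and the rule that a service with no entry for a module type falls back to "other"; the function names, the sample file and the EXAMPLE_MODULE file name are constructed for illustration.

```shell
# Constructed sample input; EXAMPLE_MODULE is a placeholder, not a real module.
pam_sample() {
    cat <<'EOF'
# service  type     control   module_path                      options
rlogin     auth     required  /usr/lib/security/EXAMPLE_MODULE
other      auth     required  /usr/lib/security/EXAMPLE_MODULE debug
other      account  required  /usr/lib/security/EXAMPLE_MODULE debug
other      session  required  /usr/lib/security/EXAMPLE_MODULE debug
other      password required  /usr/lib/security/EXAMPLE_MODULE debug
EOF
}

# pam_effective FILE SERVICE
# Prints the entries PAM would consult for SERVICE, one per line, with
# "debug=yes" or "debug=no" appended. Service-specific entries for a module
# type replace the "other" entries for that type.
pam_effective() {
    awk -v svc="$2" '
        /^[ \t]*#/ { next }                 # comment line
        NF < 4     { next }                 # blank or incomplete entry
        $1 != svc && $1 != "other" { next } # entry for an unrelated service
        {
            dbg = "no"
            for (i = 5; i <= NF; i++) if ($i == "debug") dbg = "yes"
            line = $1 " " $2 " " $3 " " $4 " debug=" dbg "\n"
            if ($1 == svc) own[$2] = own[$2] line
            else           oth[$2] = oth[$2] line
        }
        END {
            n = split("auth account session password", types, " ")
            for (k = 1; k <= n; k++) {
                t = types[k]
                if (t in own)      printf "%s", own[t]
                else if (t in oth) printf "%s", oth[t]
                else               print "none " t " - - debug=no"
            }
        }
    ' "$1"
}
```

On the sample, `rlogin` shows `debug=no` for auth because its own entry overrides the "other" line, while `ftp` inherits all four "other" entries with `debug=yes`. A `debug=yes` entry only produces output if the daemon actually calls PAM on that login path.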