Re: PAM and FTP in Solaris 7
From: Crist J. Clark (crist.clark@attbi.com)
Date: 09/18/02
- Previous message: Charles Clancy: "Re: PAM and FTP in Solaris 7"
- In reply to: Charles Clancy: "Re: PAM and FTP in Solaris 7"
- Next in thread: Darren J Moffat: "Re: PAM and FTP in Solaris 7"
- Next in thread: Jan-Philip Velders: "Re: PAM and FTP in Solaris 7"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 18 Sep 2002 14:45:27 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Charles Clancy <security@xauth.net>
On Wed, Sep 18, 2002 at 04:04:09PM -0500, Charles Clancy wrote:
> On Wed, 18 Sep 2002, Crist J. Clark wrote:
> > On Wed, Sep 18, 2002 at 01:01:08PM -0500, Charles Clancy wrote:
> > > On Mon, 16 Sep 2002, Crist J. Clark wrote:
> > >
> > > > I am having a bit of trouble trying to figure out what is going on
> > > > with PAM and in.ftpd in Solaris 7. I have "debug" on every line in
> > > > the pam.conf file, yet I don't get any syslog output when I make an
> > > > ftp login attempt. I am getting PAM debug output from other systems
> > > > that use PAM. What's going on?
> > >
> > > I assume you're getting a login failure?
> >
> > No, that's not actually why I'm interested in PAM and ftpd at all. I was
> > actually trying to figure out how PAM does or doesn't interact with the
> > 'ftp' user. From what I've seen, it looks like in.ftpd skips the PAM
> > authentication step altogether for the ftp user. PAM is used for its
> > session and account management. PAM is used for authentication of other
> > users.
>
> If you play with truss some more, you'll see that in.ftpd only runs PAM
> session, and not PAM authenticate (or setcred).
For ftp, yes. For other users, it does call pam_authenticate(3).
> > If anyone cares, I was trying to see if I could kludge a way to get a
> > working password on the anonymous ftp account. I wanted a password
> > protected account that was also chrooted. Looks like in.ftpd isn't up
> > to it. I'll just find another ftp server. But I was still curious as
> > to why I couldn't get PAM debugging output.
>
> I don't recall pam_unix producing any debugging output during
> pam_open_session().
>
> If the PAM client in in.ftpd is well written, the session module could
> initiate a PAM conversation with the application and request an additional
> password (other than their email address). I know there are FTP sites
> (sunsolve.sun.com) that request additional passwords (via the ACCT
> command, which is used in addition to the USER and PASS commands), so it
> should be within the realm of possibilities for the FTP protocol.
I believe what you are thinking of is "stacking" modules within the
authentication step. You're not supposed to call pam_open_session(3)
until the user has been granted access.
> However, I somehow doubt that in.ftpd would create a 332 request for you,
> accept an ACCT command, and then send that data to the session module.
> You'd be better off hacking an open-source FTP daemon to do what you want
> with the first password.
Third party daemons have all the features I want already and much,
much, much, much, much more. The fact they have so much more was the
reason I was looking at in.ftpd first. ;)
-- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org
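Added example, not code from the thread, from libpam or from Solaris in.ftpd: a small Python simulator of Solaris-style pam.conf stacking that makes the two points above concrete. It walks a service's auth/account/session stacks with the documented required/requisite/sufficient/optional control flags, lets a stacked auth module open its own conversation for an extra password, and shows that a client which never calls pam_authenticate for a user (the in.ftpd behaviour truss showed for "ftp") never triggers that prompt no matter what pam.conf says. The pam.conf lines, the accounts and passwords, and the second module pam_second.so.1 are all constructed for illustration; pam_unix.so.1 is the real Solaris module name, but its behaviour here is simulated.

```python
from typing import Callable, Dict, List, Tuple

# Constructed pam.conf fragment in the Solaris 7 format:
#   service_name  module_type  control_flag  module_path  options
# pam_unix.so.1 is the real Solaris module; pam_second.so.1 is hypothetical.
PAM_CONF = """
ftp    auth     required   /usr/lib/security/pam_unix.so.1   debug
ftp    auth     required   /usr/lib/security/pam_second.so.1 debug
ftp    account  required   /usr/lib/security/pam_unix.so.1   debug
ftp    session  required   /usr/lib/security/pam_unix.so.1   debug
other  auth     required   /usr/lib/security/pam_unix.so.1
other  account  required   /usr/lib/security/pam_unix.so.1
other  session  required   /usr/lib/security/pam_unix.so.1
"""

# Constructed account data standing in for /etc/shadow (plaintext, demo only).
PASSWORDS = {"ftp": "", "alice": "s3cret"}
SECOND_PASSWORDS = {"alice": "extra"}            # hypothetical second password

Conv = Callable[[str], str]                       # prompt -> client's reply
Entry = Tuple[str, str, str, str, List[str]]      # service, type, flag, path, opts


class ScriptedClient:
    """Conversation function: answers prompts from a table and records them."""
    def __init__(self, replies: Dict[str, str]):
        self.replies, self.prompts = replies, []

    def __call__(self, prompt: str) -> str:
        self.prompts.append(prompt)
        return self.replies.get(prompt, "")


def pam_unix(mtype: str, user: str, conv: Conv, opts: List[str]) -> str:
    """Simulated pam_unix: auth prompts once; account/session always succeed."""
    if mtype != "auth":
        return "SUCCESS"
    if user not in PASSWORDS:
        return "USER_UNKNOWN"
    return "SUCCESS" if conv("Password: ") == PASSWORDS[user] else "AUTH_ERR"


def pam_second(mtype: str, user: str, conv: Conv, opts: List[str]) -> str:
    """Hypothetical stacked auth module that asks for one more password."""
    if mtype != "auth":
        return "SUCCESS"
    ok = conv("Second password: ") == SECOND_PASSWORDS.get(user)
    return "SUCCESS" if ok else "AUTH_ERR"


MODULES = {
    "/usr/lib/security/pam_unix.so.1": pam_unix,
    "/usr/lib/security/pam_second.so.1": pam_second,
}


def parse_conf(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            service, mtype, flag, path, *opts = line.split()
            entries.append((service, mtype, flag, path, opts))
    return entries


def stack_for(entries: List[Entry], service: str, mtype: str) -> List[Entry]:
    """Entries for the service; 'other' applies only when the service has none."""
    own = [e for e in entries if e[0] == service and e[1] == mtype]
    return own or [e for e in entries if e[0] == "other" and e[1] == mtype]


def run_stack(entries: List[Entry], service: str, mtype: str,
              user: str, conv: Conv) -> str:
    """Walk one module type's stack applying the pam.conf control flags."""
    stack = stack_for(entries, service, mtype)
    first_failure, rc = None, "SUCCESS"
    for _, _, flag, path, opts in stack:
        rc = MODULES[path](mtype, user, conv, opts)
        if "debug" in opts:                        # stands in for the syslog line
            print(f"pam_{mtype}({service}): {path} -> {rc}")
        if flag == "requisite" and rc != "SUCCESS":
            return rc                              # stop at once
        if flag == "required" and rc != "SUCCESS" and first_failure is None:
            first_failure = rc                     # remember, but keep walking
        if flag == "sufficient" and rc == "SUCCESS" and first_failure is None:
            return "SUCCESS"                       # short-circuit on success
    if first_failure:
        return first_failure
    return rc if len(stack) == 1 else "SUCCESS"    # a lone optional module decides


def ftpd_login(entries: List[Entry], user: str, conv: Conv,
               authenticate: bool = True) -> Tuple[str, List[str]]:
    """The call order a well-written PAM client follows. authenticate=False
    reproduces what the thread's truss showed for in.ftpd and the 'ftp' user."""
    calls: List[str] = []
    steps = ([("auth", "pam_authenticate")] if authenticate else []) + \
            [("account", "pam_acct_mgmt"), ("session", "pam_open_session")]
    for mtype, name in steps:
        calls.append(name)
        rc = run_stack(entries, "ftp", mtype, user, conv)
        if rc != "SUCCESS":
            return rc, calls                       # no session after a failure
    return "SUCCESS", calls


ENTRIES = parse_conf(PAM_CONF)

if __name__ == "__main__":
    c = ScriptedClient({"Password: ": "s3cret", "Second password: ": "extra"})
    print(ftpd_login(ENTRIES, "alice", c), c.prompts)
    c = ScriptedClient({})
    print(ftpd_login(ENTRIES, "ftp", c, authenticate=False), c.prompts)
```

Two things worth noticing when running it: with both auth entries marked required, a wrong first password still produces the second prompt (the stack is walked to the end so a failing module does not leak which step failed), and the anonymous path prompts for nothing at all, which is why putting a password on the ftp account via pam.conf cannot work against a client that only calls pam_acct_mgmt and pam_open_session for that user.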