I have an Ubuntu 14.04 server with vsftpd and pam_script installed using apt-get. I've configured vsftpd to use pam_script for virtual user authentication and my /etc/pam.d/vsftpd file looks like this:

    auth sufficient pam_script.so
    account required pam_permit.so
The pam_script_auth script is very simple:

    #!/bin/bash
    # Log every username that reaches the script
    echo "$PAM_USER" >> /home/me/pam_script.log
    # Allow only the user "asdf", whatever password was given
    if [ "$PAM_USER" == "asdf" ]; then
        exit 0
    fi
    # Everyone else is denied
    exit 1
I've confirmed that this script is used correctly (it logs the username each time I try logging in to vsftpd).
In theory this should allow access to the asdf user regardless of the password and disallow it to anyone else. But vsftpd freezes every time I try using a different username. I test it like this:
    $ ftp localhost
    Connected to ****
    220 (vsFTPd 3.0.2)
    Name (****:edziubudzik): [I type "asdf2"]
    331 Please specify the password.
    Password:
After providing the password nothing happens and vsftpd freezes; it doesn't accept any other connections until I restart it.
/var/log/vsftpd.log only registers a connection from an IP address (Tue Feb 17 15:50:01 2015 [pid 9517] CONNECT: Client "[my IP address]") and both /var/log/auth.log and /var/log/syslog don't change at all during this test.
However, if I change the first line in /etc/pam.d/vsftpd to auth required pam_deny.so, vsftpd correctly serves a 530 Authentication Failed error in response to any authentication attempt.
Does anyone have any idea what might be going on?
Edit: I've tested the same pam setup with both su and ssh (by replacing the original /etc/pam.d/su and /etc/pam.d/ssh with my /etc/pam.d/vsftpd) and they both worked correctly -- allowed the user asdf regardless of the password and disallowed any other user. None of those processes hung when my pam_script script exited with 1. I've also confirmed that they really used my script by logging the username and by checking if the original authentication methods (unix) ceased working (they did).

So it looks like it's vsftpd that's having problems with pam_script authentication failure. Still no idea for a fix or workaround though...
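The pam_script_auth in the question grants asdf access with any password, which is fine for reproducing the hang but not for a real virtual-user setup. The following is an added example, not part of the original post, of a pam_script_auth that checks the supplied password against a salted SHA-256 hash in a small user table and exits 1 for an unknown user (the asdf2 case above). It assumes pam_script is loaded with the expose=1 option so that the password is handed to the script in PAM_AUTHTOK (treat that as an assumption and confirm it against the pam_script man page on your system), that sha256sum is available, and that the table format, the sample users and the log path are constructed for this example only.

```shell
#!/bin/sh
# Added example pam_script_auth (not the original poster's script).
# Assumption: pam_script is configured with expose=1, so the password
# arrives in $PAM_AUTHTOK; $PAM_USER is set by pam_script as in the question.

# Hash used both when provisioning and when checking: sha256(salt || password).
hash_password() {
    salt=$1; password=$2
    printf '%s%s' "$salt" "$password" | sha256sum | cut -d' ' -f1
}

# Produce one table line "user:salt:hash". Run this offline when adding users
# and store the output in a root-owned, mode 0600 file.
make_entry() {
    printf '%s:%s:%s\n' "$1" "$2" "$(hash_password "$2" "$3")"
}

# Constructed sample table (users, salts and passwords invented for the example).
VIRTUAL_USERS=$(make_entry asdf 5f1c9a2b correct-horse; make_entry bob 9e0d44aa battery-staple)

# Return 0 only when the user exists and the password matches its stored hash;
# an unknown user returns 1 before any hashing is done.
check_virtual_user() {
    user=$1; password=$2
    entry=$(printf '%s\n' "$VIRTUAL_USERS" | awk -F: -v u="$user" '$1 == u { print; exit }')
    [ -n "$entry" ] || return 1
    salt=$(printf '%s' "$entry" | cut -d: -f2)
    stored=$(printf '%s' "$entry" | cut -d: -f3)
    [ "$(hash_password "$salt" "$password")" = "$stored" ]
}

# Entry point when pam_script invokes us: log the username (never the password)
# and report the decision through the exit status, exactly as the original
# script does (0 = authenticated, non-zero = denied).
if [ -n "${PAM_USER-}" ]; then
    LOG=${PAM_SCRIPT_LOG:-/var/log/pam_script_auth.log}   # hypothetical path
    printf '%s auth attempt for %s\n' "$(date '+%F %T')" "$PAM_USER" >> "$LOG"
    if check_virtual_user "$PAM_USER" "${PAM_AUTHTOK-}"; then
        exit 0
    else
        exit 1
    fi
fi
```

The exit-code contract is the same one the question relies on, so this script slots into the auth sufficient pam_script.so line unchanged; it does not, by itself, change how vsftpd reacts to a failing exit status, which is the hang the question is about. Keep the table out of the script (generate it with make_entry and read it from a file with restricted permissions), and never write PAM_AUTHTOK to the log.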