proftpd.auth

On Mon, Apr 03, 2000 at 06:51:49PM -0700, Irwan Hadi wrote:
> Is it possible to make proftpd use its own username + password and not use
> I don't want to use the system account because the more users in /etc/passwd
> (system account) the more the system can be compromised.

AuthUserFile
DefaultRoot

or

SQL/LDAP authentication
DefaultRoot

At 14:01 06/04/2000 +0100, hamster@vom.org.uk has written a message, and here is the reply:
>On Mon, Apr 03, 2000 at 06:51:49PM -0700, Irwan Hadi wrote:
>AuthUserFile
>DefaultRoot
>
>or
>
>SQL/LDAP authentication
>DefaultRoot

Thanks for your reply, but if there is already somebody here who has done something similar to what I'd like, I hope that you can give the steps to me, because I'm in a hurry to set up the ftp server as the deadline for it is next week.

In the basic /usr/local/etc/proftpd.conf you will need to add this line:

AuthUserFile <File path>

Where <File Path> is the pathname of the file to use instead of /etc/passwd.

Note: the auth file has to have the same format as /etc/passwd.

More info: http://www.proftpd.org/docs/configuration.html#AuthUserFile

You will probably also want to use:

AuthGroupFile <File Path>

Much the same; the format is the same as the /etc/group file.

More info: http://www.proftpd.org/docs/configuration.html#AuthGroupFile

In the basic configuration file, you may want to comment out the anonymous entry... That is the easiest way to do it...

You can also use LDAP or MySQL, but neither is for people in a rush. :-) Information on the alternatives can be found in: http://www.proftpd.org/docs/proftpdfaq-8.html

At 12:00 06/04/2000 -0400, Michael Grabenstein wrote:
> In the basic /usr/local/etc/proftpd.conf you will need to add
>this line:
>
>AuthUserFile <File path>
>
> Where <File Path> is the pathname of the file to use instead of
>/etc/passwd.
>
>Note: the auth file has to have the same format as /etc/passwd.
>
>More info:
>http://www.proftpd.org/docs/configuration.html#AuthUserFile

First of all I want to thank you for your reply, but my question is what is the meaning of "the same format"? So I make a list of

username:password::::/homedir/

How about the password? Can it be encrypted or not? If it *can* be encrypted, with which tool should I encrypt it then?

Irwan Hadi wrote:
> First of all I want to thank you for your reply, but my question is what is
> the meaning of "the same format ?"
> so I make a list of
> username:password::::/homedir/
> how about the password ? can it be encrypted or not ?
> if it *can* be encrypted, with which tool should I encrypt it then.

Yes, that would be the format... I use Perl to encrypt the password, or if you already have a /etc/passwd to start with, then just copy it...

An alternative easy way to do this is to encrypt a password and keep the encrypted version around. Like: change your password to 'ABC123', then as you create users in the alternate passwd file, paste the encrypted form of that password into the new logon entry. And instruct the new user to change their password as soon as they first FTP to the system, or change it for them via FTP and give them the new password. :-)

BTW: once you have the encrypted version of 'ABC123' feel free to change your password back. :-)

Attached is a simple Perl script that will encrypt a plain text password sent to it... Mark, please feel free to add this to the FAQ. TIA.

I don't believe proftpd has a way of using plain text passwords in the password file, but Mark can correct me if I am wrong. :-)

#--- Start Cut after this line
#!/usr/bin/perl
# Print the crypt(3) hash of a password, for pasting into an AuthUserFile entry.
use Getopt::Std;
use vars qw($opt_h $opt_p $opt_s);

# getopts(): -h takes no argument, -p and -s each take one.
getopts ("hp:s:");

my ($salt);

if ( (defined($opt_h)) || (! defined($opt_p)) ) {
    print "Usage: $0 -hps\n";
    print "\t-h -- This Usage message\n";
    print "\t-p <password> -- The password to encrypt\n";
    print "\t-s <salt> -- The salt to use, optional\n\n";
    exit (166);
}

if (defined($opt_s) && $opt_s =~ /(\w+)/) {
    $salt = $1;
} else {
    # No salt given: build a two-character salt from one random
    # upper-case and one random lower-case letter.
    my $chr = chr(int(rand(26)+65));
    $salt = $chr;
    $chr = chr(int(rand(26)+97));
    $salt .= $chr;
}

print crypt($opt_p, $salt) . "\n";
exit (0);
# -- Stop here. Don't get the signature at the bottom...


At 09:29 07/04/2000 -0400, Michael Grabenstein has written a message, and here is the reply:
>Irwan Hadi wrote:
> I use Perl to encrypt the password, or if you already have a /etc/passwd to
>start with, then just copy it...
> Attached is a simple Perl script that will encrypt a plain text password
>sent
>to it...

Umm, sorry to bother you again, but how about the shell of the users? Should it be set to /bin/bash or /bin/ftponly (which is another name of /bin/false)?

On Tue, Apr 04, 2000 at 04:15:34PM -0700, Irwan Hadi wrote:
> Umm, sorry to bother you again, but how about the shell of the users ?
> should it be set to /bin/bash or /bin/ftponly (which is another name of
> /bin/false) ?

The shell can be whatever you want, however it has to be in either /etc/shells or the RequireValidShell directive has to be set to "off".

On Tue, Apr 04, 2000 at 09:17:07AM -0700, Irwan Hadi wrote:
> username:password::::/homedir/
> how about the password ? can it be encrypted or not ?
> if it *can* be encrypted, with which tool should I encrypt it then.

It must be crypted; there is a script in the contrib directory (genuser.pl IIRC) to do this.

Hello.. Just to clarify something for me..... If I use MySQL (with MySQL users) as the authentication method for users of my proftpd server, then I will not need to add them as users in the system password file. I want all users to this server to have to login, but I'd prefer not to have to add them to the password file. Am I way off base on this? or??

Nope, sounds pretty correct. You do have to add a couple of things to the /etc/group and passwd file, but not all of the users.

In /etc/passwd, you need to add a user for the user that proftpd will run under (or use nobody...).

In /etc/group, you need to add a group for the user that will run proftpd (or use nobody, again...). Plus in /etc/group, you need the group you will be assigning to all the users on the system (or list of groups...).

Then in MySQL's user table you need to have an entry for the user you will be connecting with. The line in proftpd.conf:

MySQLInfo localhost hamster ABC123 proftpd

means you need a user in the user table of the mysql DB for user id 'hamster' with password 'ABC123'. Also from the line above the DB name is proftpd...

My users don't have upload, so everything looks good. This only gets sticky if you want your users to upload... When they upload, the files are assigned the user id number assigned in MySQL, but if that does not exist in /etc/passwd then 'ls' shows only the uid number. If you make the uid number the same as a user that exists in /etc/passwd, then it looks normal with the added benefit of that user owning the file. :-) You could have a "generic" user in /etc/passwd that can not log in and have all MySQL user ids assigned that uid. The home directory comes from MySQL, so they can all have different homes with no problems...

Greetings: I am trying to get 1.20pre10 running on Solaris 7, and, using the basic configuration file shipped, can only log in as anonymous (or ftp) but never an actual user of the system. I have a shadow file (o' course) and compiled with --enable-shadow and --enable-shadow-autodetect options.. the only changes to the basic config file were in using inetd and, well, allowoverwrite off. I have since added a preemptive, if unnecessary, <limit login> allowall </limit> and removed the anonymous block (now I have no ftp access, duh!). Any ideas about what I am missing?

I have several users on my Linux system. I am trying to allow them all to be able to have logins for FTP. For example, one customer can create the FTP account webmaster which logs into /home/customer1/public_html with the password poiuy, while another customer can create the FTP account webmaster which logs into /home/customer2/public_html with the password lkjhg. I looked through the configurations and AuthUserFile looked like the best way to do it. So I set up a test one. In the proftpd.conf vhost for game-guys.com, I set up AuthUserFile /home/game-guys/game-guys. In that game-guys, I would like to have several logins and passwords (encrypted of course) which can only login to game-guys.com on the server. My question is, what should go in /home/game-guys/game-guys, and how should I add users to it and set the password? All three commands, useradd, passwd and htpasswd, don't seem to want to work properly. Does anyone have any ideas? Thanks, help would be appreciated. :)

On Wed, Mar 22, 2000 at 09:35:15AM -0500, Alderman, Sean wrote:
> You might want to check the archives. I believe someone had built a perl
> script and posted it to the list to create encrypted username/password pairs
> for custom proftpd auth files.

genuser.pl in the contrib/ directory. Syntax is "htpasswd.pl userid password". Output is "userid:encryptedPassword". You might need to change the path to your perl.

#!/usr/bin/perl
# Usage: genuser.pl userid password
# Prints "userid:cryptedPassword", ready to paste into an AuthUserFile.
$user = $ARGV[0];
$pass1 = $ARGV[1];
my($salt)=seedchar().seedchar();
$pass = crypt($pass1, $salt);
print STDOUT "$user:$pass\n";

# One random character from the 64-character crypt(3) salt alphabet.
sub seedchar {
    ('a'..'z','A'..'Z','0'..'9','.','/')[rand(64)];
}

> Syntax is "htpasswd.pl userid password". Output is
> "userid:encryptedPassword". You might need to change the path to your perl.

Well, I tried using htpasswd, but that does not go to the same format as /etc/passwd. ProFTPD will only read the /etc/passwd format, correct?

I was wondering, what utility do you use to generate the encrypted shadow passwd?

Okay, I ran genuser with ftp1 as my username and lala as my password. It came up as this:

ftp1:9l/MJ4vLeAAlU

So everything after that colon can be put in the passwd file, and it will work? Thanks for all of your help!

On Thu, Mar 23, 2000 at 06:09:56PM -0500, Vincent Paglione wrote:
> ftp1:9l/MJ4vLeAAlU
>
> So everything after that colon can be put in the passwd file, and it will
> work? Thanks for all of your help!

What you need to do from this point is generate a /etc/passwd compatible file, i.e.

ftp1:9l/MJ4vLeAAlU:103:65534::/var/run/identd:/bin/false
ftp2:9l/MJ4vLeAAlU:103:65534::/var/run/identd:/bin/false
ftp3:9l/MJ4vLeAAlU:103:65534::/var/run/identd:/bin/false
ftp4:9l/MJ4vLeAAlU:103:65534::/var/run/identd:/bin/false

and save this as your $CONF/authpasswdfile and then reference it from the proftpd.conf

I've got my own homebrew system running on the core ftp vhost server which takes a condensed version of the proftpd.conf and builds it into the full configuration and generates the passwd/group files. I'll toss it up there if anyone is interested (but it's nasty evil perl with no documentation :)
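The file format the replies above describe (seven passwd(5) fields, the crypt() hash inline, the shell subject to RequireValidShell) is easy to get subtly wrong, and several later posts in this thread are exactly those mistakes: a plaintext password, an `x` left in the password field, htpasswd output with too few fields. What follows is an added example, not code from this thread or from the ProFTPD project: a small Python linter that checks an AuthUserFile before the server is pointed at it. The shell list, the sample lines and their uids and paths are constructed for the example; the one hash in the sample is the genuser.pl output for "lala" posted above. It also flags a uid used by more than one entry, since a later reply in this thread recommends a shared group plus umask over duplicate uids, and it reports a file that is group- or world-readable, because the hashes in it can be cracked offline.

```python
"""Lint a ProFTPD AuthUserFile (passwd(5) format) before using it.

Added example for this thread; not part of ProFTPD and not the genuser.pl
script posted above.  The SAMPLE below is constructed for illustration.
"""
import os
import re
import stat

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, all from this alphabet.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular-crypt output ($1$ md5crypt, $5$/$6$ sha-crypt, ...) also comes from crypt(3).
MCF_HASH = re.compile(r"^\$[0-9a-z]{1,4}\$[^:]+$")

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd_line(line):
    """Split one passwd(5) line into a dict of its seven fields."""
    fields = line.rstrip("\r\n").split(":")
    if len(fields) != len(FIELDS):
        raise ValueError("expected 7 colon-separated fields, got %d" % len(fields))
    return dict(zip(FIELDS, fields))


def password_field_problem(pw):
    """Describe what is wrong with a password field, or return None if it is fine."""
    if pw == "":
        return "empty password field: login with no password"
    if pw[0] in "*!":
        return None  # locked account, harmless
    if DES_HASH.match(pw) or MCF_HASH.match(pw):
        return None
    return "password field is not crypt(3) output (plaintext or an 'x' placeholder)"


def lint_authuserfile(text, valid_shells=("/bin/sh", "/bin/bash"),
                      require_valid_shell=True):
    """Return [(line_no, message), ...] for everything an admin should fix.

    valid_shells stands in for /etc/shells (assumed list for the example).
    """
    problems = []
    seen_names = {}
    seen_uids = {}
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        try:
            e = parse_passwd_line(raw)
        except ValueError as err:
            problems.append((n, str(err)))
            continue
        if e["name"] in seen_names:
            problems.append((n, "duplicate user name %r (first on line %d)"
                             % (e["name"], seen_names[e["name"]])))
        seen_names.setdefault(e["name"], n)
        msg = password_field_problem(e["passwd"])
        if msg:
            problems.append((n, msg))
        if not (e["uid"].isdigit() and e["gid"].isdigit()):
            problems.append((n, "uid and gid must be numeric"))
        else:
            uid = int(e["uid"])
            if uid == 0:
                problems.append((n, "uid 0: the FTP user would own files as root"))
            if uid in seen_uids:
                problems.append((n, "uid %d already used on line %d; share a group instead"
                                 % (uid, seen_uids[uid])))
            seen_uids.setdefault(uid, n)
        if not e["home"].startswith("/"):
            problems.append((n, "home directory must be an absolute path"))
        if require_valid_shell and e["shell"] not in valid_shells:
            problems.append((n, "shell %r not in /etc/shells; add it or set RequireValidShell off"
                             % e["shell"]))
    return problems


def mode_problems(mode):
    """Permission bits an AuthUserFile should not carry (hashes crack offline)."""
    found = []
    if mode & stat.S_IRGRP:
        found.append("group-readable")
    if mode & stat.S_IROTH:
        found.append("world-readable")
    return found


def check_file(path, **kw):
    """Lint a file on disk: its contents plus its permission bits."""
    with open(path) as fh:
        problems = lint_authuserfile(fh.read(), **kw)
    for p in mode_problems(os.stat(path).st_mode):
        problems.append((0, "file is %s" % p))
    return problems


# Constructed sample.  The hash on the ftp1 line is the genuser.pl output for
# "lala" quoted in this thread; the other lines reproduce mistakes the thread
# ran into: a plaintext password, the "x" shadow placeholder, an empty
# password field, a reused uid, and a line with too few fields.
SAMPLE = """\
ftp1:9l/MJ4vLeAAlU:1001:1001::/home/ftp1:/bin/false
ftp2:lala:1002:1001::/home/ftp2:/bin/false
ftp3:x:1003:1001::/home/ftp3:/bin/false
ftp4::1004:1001::/home/ftp4:/bin/false
ftp5:9l/MJ4vLeAAlU:1001:1001::/home/ftp5:/bin/bash
broken:9l/MJ4vLeAAlU::/home/broken
"""

if __name__ == "__main__":
    for line_no, msg in lint_authuserfile(SAMPLE):
        print("line %d: %s" % (line_no, msg))
```

Run with `RequireValidShell off` in mind by passing `require_valid_shell=False`; the `/bin/false` complaints disappear and the five real problems remain. `check_file()` is what to call on the actual file, since a mode of 0644 is the difference between a password file and a word list for a cracker.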

Okay, I have everything with my AuthUserFile setup. THANKS everyone who helped me. I just have one more request. In /etc/passwd, if I wanted to make additional FTP accounts for a user, I would make the UID the same as the original account so that the sub-ftp account could write/overwrite the data in the main account's directory, and once it was uploaded, the main account could write/overwrite it too. Do you know how I can accomplish this with multiple passwd's?

I was using Fetch 3.0.03 (MacOS) to transfer 10's of thousands of files (over 1GB total data) and about half way through I received: Mar 25 01:48:15 sneex proftpd[539]: Internal error: non-PASV mode, yet data connection already exists?!? Anyone seen this or have comments?

On Sat, 25 Mar 2000, Vincent Paglione wrote:
>Okay, I have everything with my AuthUserFile setup. THANKS everyone who
>helped me. I just have one more request.
>
>In /etc/passwd, if I wanted to make additional FTP accounts for a user, I
>would make the UID the same as the original account so that the sub-ftp
>account could write/overwrite the data in the main accounts directory, and
>once it was uploaded, the main account could write/overwrite it too.
>
>Do you know how I can accomplish this with multiple passwd's?

From the sound of things what you want to do is create a group, say fnord, and make all of the relevant users have fnord as their primary group, then play with umask to give everyone the requisite access. This is a far tidier solution than creating multiple accounts with the same UID, which while technically possible is messy. Have a play with groupadd(8), addgroup(8), and group(5) and see how you go.

> and save this as your $CONF/authpasswdfile and then reference it from
> the proftpd.conf

This is the only part I did not understand. I was hoping to save the passwd file somewhere like /etc/users/userpasswd. What is this $CONF/authpasswdfile?

I noticed that there may be a bug in using AuthUserFile. When you create a new passwd file on FreeBSD 3.4, it only reads the first 3 lines of the passwd file. Any user that is after the 3rd line is not read, and proftpd says that user is not found. Anybody have any idea.

if you don't want to have PAM-support, try to compile without PAM, otherwise compile with PAM. Configure looks like configure --with-modules=mod_pam if you want to have PAM-Support, or --without-modules=mod_pam (?) if you don't want to have support for PAM.

tstoev@compsci.lyon.edu on 09.02.2000 06:42:18
Please reply to: proftpd@proftpd.org @ Internet
To: proftpd@proftpd.org @ Internet
Cc:
Subject: [ProFTPD] AuthPAMAuthoritative

I have tried to use the AuthPAMAuthoritative directive and it does not seem to work, because it seems like PAM is always the authority. That is on FreeBSD 3.4 and RedHat 6.0. Does anybody have an idea?

I have a question. I am using a special AuthUserFile which I think is correctly created! (username:crypt(password,salt)) But when I try to login with a user given in this AuthUserFile, it doesn't work. I have already added the directive RequireValidShell off but it does not work. What can I do?? Is there a way to find the mistake??

I wish to only have FTP access to to "fake", non shell users, since my shell users login with ssh, and they cannot use the same username password pair in an unencrypted FTP session. The server running FTP only has a single IP and will only be listening in on PORT 21, so there won't be any virtual FTP hosts. ProFTPd is configured in as a standalone daemon, no inetd.

To that end, I have created an alternative passwd file, using the apache htpasswd command, and a group file. ProFTPd is configured to run as user nobody, and does a chroot for to the www root directory which it owns. Just for testing purposes, I have made these alternative passwd & group files, plus the directories they are in, readable by all user ids.

I have added the following directives to proftpd.conf:

AuthUserFile /opt/proftpd/etc/passwd
AuthGroupFile /opt/proftpd/etc/group
PersistentPasswd off

As mentioned, I only want proftpd to use /opt/proftpd/etc/passwd and *NOT* the server's /etc/passwd file. Unfortunately, when I use this configuration, no one can log in. Reading the FAQ, I try to add the directive:

AuthPAMAuthoritative off

Unfortunately when I do so, I get the following error when I start up ProFTPd:

- Fatal: unknown configuration directive 'AuthPAMAuthoritative'.

Running "proftpd -l" to get a list of modules reveals:

mod_core.c
mod_auth.c
mod_xfer.c
mod_site.c
mod_ls.c
mod_unixpw.c
mod_log.c

Unfortunately the AuthPAMAuthoritative directive is *ONLY* read by the "mod_pam" module, which is missing. So when I try to recompile ProFTPd, with the configure "--with-modules=mod_pam" option, I get the following compiler error when I run gmake: mod_pam.c:39: security/pam_appl.h: No such file or directory

No "pam_appl.h" file is included with ProFTPd, and it is not included in "/usr/include/security". (I am running NetBSD 1.4.1 on ix86 and sparc, neither of which have anything related to PAMs. No pam_appl.h, pam.conf, or pam_unix.so files. "apropos pam" finds nothing appropriate.)

What can I do? I simply want ProFTPd to use an alternative passwd and group file, just like my apache does. I have gone through all of the ProFTPd documentation, FAQ, and mailing list archive without any solution.

On Mon, Jan 31, 2000 at 07:29:13AM -0500, Alicia da Conceicao wrote:
> I wish to only have FTP access to to "fake", non shell users, since
> my shell users login with ssh, and they cannot use the same username
> password pair in an unencrypted FTP session. The server running FTP
[...]
> I have added the following directives to proftpd.conf:
>
> AuthUserFile /opt/proftpd/etc/passwd
> AuthGroupFile /opt/proftpd/etc/group
> PersistentPasswd off
[...]
> this configuration, no one can log in. Reading the FAQ, I try to
> add the directive:
>
> AuthPAMAuthoritative off
>
> Unfortunately when I do so, I get the following error when I start
> up ProFTPd:
>
> - Fatal: unknown configuration directive
> 'AuthPAMAuthoritative'.
[..]
> with the configure "--with-modules=mod_pam" option, I get the following
> compiler error when I run gmake:
>
> mod_pam.c:39: security/pam_appl.h: No such file or directory

Given that you don't appear to have PAM installed on your machine you don't need to concern yourself with the "AuthPAMAuthoritative" directive.

>> I have added the following directives to proftpd.conf:
>> AuthUserFile /opt/proftpd/etc/passwd
>> AuthGroupFile /opt/proftpd/etc/group
>> PersistentPasswd off
>> ...
>> mod_pam.c:39: security/pam_appl.h: No such file or directory
>
> Given that you don't appear to have PAM installed on your machine you
> don't need to concern yourself with the "AuthPAMAuthoritative"
> directive.

Dear Mark: If that is the case, then why doesn't the AuthUserFile work? No one can login using the alternative passwd and group files I created with apache htpasswd. I assumed that AuthPAMAuthoritative might be the cause of the problem, since the FAQ mentioned it.

My goal is to restrict FTP access to users who do not have entries in the server /etc/passwd file. All FTP users must be specified in /opt/proftpd/etc/passwd. For security reasons, users with shell access will *NOT* be allowed to use FTP (they can use ssh/scp instead). Am I doing anything wrong?

I have some problems with 'AuthUserFile' / 'AuthGroupFile'. I set them to an absolute path but I cannot login. I created my own passwd with the following line:

userxyz:x:501:101:Webadmin:/var/http/userxyz:/bin/bash

and my own group file:

wwwuser:x:101:

What about /etc/shadow? A test with an own passwd (with the crypted password in it) of

userxyz:fsdf76s23:501:101:Webadmin:/var/http/userxyz:/bin/bash

didn't work, too... I am using SuSE Linux 6.3 on x86.

On Fri, Jan 28, 2000 at 04:38:26PM +0100, Chris Loos wrote:
> Hi,
> I have some problems with 'AuthUserFile' / 'AuthGroupFile'.
> I set them to an absolute path but I cannot login.
> I created my own passwd with the following line:
> userxyz:x:501:101:Webadmin:/var/http/userxyz:/bin/bash
> and my own group file:
> wwwuser:x:101:
> What about /etc/shadow?
> A test with an own passwd (with the crypted password in it) of
> userxyz:fsdf76s23:501:101:Webadmin:/var/http/userxyz:/bin/bash
> didn't work, too...

Check the FAQ....

AuthPAMAuthoritive off (check the spelling of the directive)
PersistantPasswd off (IIRC)

Of course I checked the FAQs, but the only hint I found was these two comments you wrote. But after using "AuthPamAuthoritve off" and "PersistantPasswd off" inetd isn't able to start proftpd - seems that the ftpd crashed or stops itself immediately.

Weird, I'm using AuthUserFile extensively on one machine (virtualhosting and I want the user/password details to be unique to the virtual) with no problems. The only difference is I run in standalone, can you try that approach and see what happens? Can you run in debug mode? (ie proftpd -n -dx, where x = a number between 1 and 9)

Problem: Valid user accounts are not able to log in.
System: Sun SPARC, running Solaris 7. Hardware details available on request.
Symptoms: (From perl Net::FTP, Debug mode)...

Net::FTP: Net::FTP(2.53)
Net::FTP: Exporter
Net::FTP: Net::Cmd(2.16)
Net::FTP: IO::Socket::INET
Net::FTP: IO::Socket(1.1603)
Net::FTP: IO::Handle(1.1505)
Net::FTP=GLOB(0xc9268)<<< 220 members.friendfactory.com
Net::FTP=GLOB(0xc9268)>>> user whoami
Net::FTP=GLOB(0xc9268)<<< 331 Password required for whoami.
Net::FTP=GLOB(0xc9268)>>> PASS ....
Net::FTP=GLOB(0xc9268)<<< 230 User whoami logged in.
Net::FTP=GLOB(0xc9268)>>> QUIT
Net::FTP=GLOB(0xc9268)<<< 221 Goodbye.
Net::FTP=GLOB(0xc604c)<<< 220 members.friendfactory.com
Net::FTP=GLOB(0xc604c)>>> user whatsyrname
Net::FTP=GLOB(0xc604c)<<< 331 Password required for whatsyrname.
Net::FTP=GLOB(0xc604c)>>> PASS ....
Net::FTP=GLOB(0xc604c)<<< 530 Login incorrect.
Net::FTP=GLOB(0xc604c)>>> QUIT
Net::FTP=GLOB(0xc604c)<<< 421 Login Timeout (300 seconds): closing control connection.

From ftpdlog:

pluto.driftwood.com 207.229.89.167 nobody [23/Jan/2000:15:14:22 -0800] "USER whoami" 331 -
pluto.driftwood.com 207.229.89.167 whoami [23/Jan/2000:23:14:22 +0000] "PASS (hidden)" 230 -
pluto.driftwood.com 207.229.89.167 nobody [23/Jan/2000:15:14:23 -0800] "USER whatsyrname" 331 -
pluto.driftwood.com 207.229.89.167 nobody [23/Jan/2000:15:14:24 -0800] "PASS (hidden)" 530 -

Notes on above:

1) The output is from a perl script which goes cycling through random sets of known usernames and passwords in order to do performance testing on our new authentication server. The names of the users have been changed to protect the innocent.
2) Note that the timezone in the ftpdlog changes from -0800 to +0000 when there is a successful login. Note also that the username registers successfully.
3) This problem has repeated itself using Solaris /usr/bin/ftp, ncftp, and perl Net::FTP. As such, I don't think it's a client issue per se.
4) On Net::FTP (the only one which I have done extensive testing on) we have gotten about 80% reproducibility on a sample of 2000 attempted connections. The other 20% of the queries validate normally.
5) I originally thought that the problem may be related to a disparity with the time clocks between the client and server machines (a mystic longshot, given that RFC-959 doesn't exchange date/time stamps per se). An earlier test eradicated this problem by synchronizing the system clocks.

Any ideas on what the errors of my ways might be?

I am intending to use proftpd to set up an ftp server (and think it is a Good Thing). Configuration is a Linux box, RedHat 6.1 kernel 2.2.12-20. Intending to use simply /etc/passwd and shadow for authentication to begin with. Therefore I'm using PAM, and have configured /etc/init.d/ftp as per the README.PAM file. Problem is that at authentication time the PAM module is trying to make connections back to the calling machine on Port 113, which is the port for the auth protocol. Has anyone come across this one please, and how do we stop it doing this? It is not what we want the ftp server to do, and is making authentication take a long time. Sorry if this is a real simple RTFM.

John Hearns wrote:
>
> Problem is that at authentication time the
> PAM module is tryint to make connections back to the
> calling machine on Port 113, which is the
> port for the auth protocol.

I answer my own question by finding the IdentLookups directive. I hang my head in shame - I should have all my merit badges ceremonially stripped off and be drummed out of the sys admin brownies, to be banished to scratching a poor existence loading Windows printer drivers. Apologies for a wasted post to the list - I'm not a baby sys admin who's unwrapped his first box of Linux CDs (honest!). I only asked for help after watching loads of firewall log traces and a lot of head scratching.

One tip though - I finally got clued into my problem by finding documentation on the Apache IdentityCheck directive, which the IdentLookups directive is similar to.

I've been working with proftpd for a while and I still don't quite understand how authentication works. The object is to have users listed in /etc/passwd authenticated via system methods, which works, but I would like to have an additional password file used for guest users that are confined to their home dir. Can anyone suggest how to do this or point me to some documentation? I'm using the config file that gets installed when you run make install with 1.2.0pre8 with the addition of the two lines below.

AuthUserFile /usr/local/etc/test.pwd
AuthPAMAuthoritative off

Can someone explain these two directives please? What I would like to know is the following:

1. Must they exactly follow the format of /etc/passwd and /etc/group?
2. Which crypt must be used for the password - crypt or MD5?
3. Under which user will the VirtualHost execute?
4. How do they influence a chroot'd <VirtualHost>?
5. How is an <Anonymous> section inside a <VirtualHost> influenced?
6. If (1) is true, what is the significance of the UIDs and GIDs?

Note to Mark: Maybe we should clarify the documentation on the AuthUserFile directive?

> 2. Which crypt must be used for the password - crypt or MD5?

The password check is done via the crypt() call... so if your system happens to map that to an MD5 version of crypt(), then it's MD5. There's a script in the contrib directory called genuser.pl that will generate valid username:password crypt-ed pairs for you.

> 3. Under which user will the VirtualHost execute?

Pardon? Under whatever user you've specified via the User directive, of course.

> 4. How do they influence a chroot'd <VirtualHost>?

They don't really. Whatever you've listed as the home directories is used in determining a user-chroot jail as appropriate.

> 5. How is an <Anonymous> section inside a <VirtualHost> influenced?

Huh?

> 6. If (1) is true, what is the significance of the UIDs and GIDs?

UIDs and GIDs are your method to control access on the system. Presumably you have these allocated in some fashion. ProFTPD will honor whatever you specify.

Can somebody please tell me how to create the AuthUser file? I can't seem to find out how I should encode the passwords in that file.

I am building a ProFTP ratio server. I was able to get mod.ratio installed and working properly and I think I understand the rest of the configuration that I need to do. Except, I want a basic anonymous user, a user1/user1 (username/password) user with better access and ratio, and a user2/user2 with full access and no ratio. As I understand it my conf file would look something like this...

AuthUserFile /usr/ftp/etc/passwd

<Anonymous ~ftp>
  User ftp
  Group ftp
  UserAlias anonymous ftp
  MaxClients 10 "Sorry, the maximum number of allowed users are already connected (%m) "
  MaxClientsPerHost 1 "Sorry, you may not connect more than one time."
  RequireValidShell off
  DisplayLogin welcome.msg
  DisplayFirstChdir .message
  <Limit WRITE>
    AllowUser User1
    AllowUser User2
    DenyAll
  </Limit>
  <Limit STOR>
    AllowAll
  </Limit>
  Ratios on
  UserRatio * 0 0 1 0
  UserRatio user1 0 0 10 0
  UserRatio user2 0 0 0 0
</Anonymous>

How do I generate the AuthUserFile so that this will work?? Thanks in advance!

I'm using pre9, with an anon section like this:

<Anonymous /virtual/ftp>
  User virtual
  Group virtual
  UserAlias joe virtual
  AuthAliasOnly on
</Anonymous>

This works as expected -- I can't login anonymously with "virtual", but I can with "joe". When I do this:

<Anonymous /virtual/ftp>
  User virtual
  Group virtual
  UserAlias joe virtual
  AuthAliasOnly off
</Anonymous>

There is no change -- I still can't login anonymously with "virtual", but I should be able to. Now, if I do this:

<Anonymous /virtual/ftp>
  User virtual
  Group virtual
  UserAlias joe virtual
  # AuthAliasOnly off
</Anonymous>

...it _does_ allow me to login anonymously with "virtual". In other words, "AuthAliasOnly off" doesn't work. If I want the functionality that it provides, I have to comment it out or remove it completely.

Yes, you can. Go to httpd://www.proftpd.org and read the Documentation. Using an alternate password file is documented very well.

Tsanko Stoev
Lyon College

> Can I use a different password file (other than /etc/passwd) with in the
> same domain???

My mail server is down so i gotta use hotmail...ugh. Anyway... I fixed the anonymous login problem by adding a "RequireValidShell off" into proftpd.conf. Now my problem is that valid users of the machine cannot login into the proftpd service but can with ssh and telnet. Anyone know any reasons as to why that is happening? Thanks in advance! -Andrew

I tried that already but it still does not work.

>From: Matt Critcher <MCritch@lifeplususa.com>
>Reply-To: proftpd@proftpd.org
>To: "'proftpd@proftpd.org'" <proftpd@proftpd.org>
>Subject: RE: [ProFTPD] Login Problems
>Date: Wed, 15 Mar 2000 08:33:14 -0600
>
>You probably dont have an entry in /etc/pam.d/ for ftp
>
>you have to put a file there called ftp that contains something similar the
>following:
>
>#%PAM-1.0
>auth required pam_listfile.so item=user sense=deny
>file=/etc/ftpusers onerr=succeed
>auth sufficient pam_userdb.so icase db=/tmp/dbtest
>auth required pam_pwdb.so shadow nullok try_first_pass
>auth required pam_shells.so
>account required pam_pwdb.so
>session required pam_pwdb.so
>
>or something like this. its all i can remember without being on my machine
>(stuck to the hells of windows at work). in any case there is a file
>called
>README.PAM that comes with the src for proftpd that has the correct
>contents.

You probably don't have an entry in /etc/pam.d/ for ftp. You have to put a file there called ftp that contains something similar to the following:

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       sufficient   pam_userdb.so icase db=/tmp/dbtest
auth       required     pam_pwdb.so shadow nullok try_first_pass
auth       required     pam_shells.so
account    required     pam_pwdb.so
session    required     pam_pwdb.so

or something like this. It's all I can remember without being on my machine (stuck in the hells of windows at work). In any case there is a file called README.PAM that comes with the src for proftpd that has the correct contents.

I'm having the exact same problem. I have a binary and config file that allows logins on my 6.0 machines, but when I copy them to a 6.1 box, I cannot login as a normal user... I get this message (proftpd -n):

localhost (10.80.80.10[10.80.80.10]) - PAM(bobo): Authentication failure.
localhost (10.80.80.10[10.80.80.10]) - USER bobo (Login failed): Incorrect password.