VSFTPD – Troubleshooting PAM Authentication Failure

authenticationftppamSecurity

Moving a tried-and-true vsftpd configuration onto a new server with Fedora 16, I ran into a problem. All seems to go as it should, but user authentication fails. I cannot find any entry in any log that indicates what happened.

Here is the full config file:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
idle_session_timeout=0
data_connection_timeout=0
nopriv_user=ftpsecure
connect_from_port_20=YES
listen=YES
chroot_local_user=YES
chroot_list_enable=NO
ls_recurse_enable=YES
listen_ipv6=NO

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

FTP challenges me for a username and password, I provide them, Login Incorrect. I have verified, this user is able to login from ssh. Something is screwed up with pam_service.

Anonymous (if changed to allowed) seems to work well.

SELinux is disabled.

Ftpsecure appears to be configured fine… I am at a complete loss!

Here are the log files I examined with no success:

/var/log/messages
/var/log/xferlog      #empty
/var/log/vsftpd.log   #empty
/var/log/secure

Found something in /var/log/audit/audit.log:

type=USER_AUTH msg=audit(1335632253.332:18486): user pid=19528 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="kate" exe="/usr/sbin/vsftpd" hostname=ip68-5-219-23.oc.oc.cox.net addr=68.5.219.23 terminal=ftp res=failed'

Perhaps I should look at /var/log/wtf-is-wrong.help 🙂

Further info:

/etc/pam.d/vsftpd looks like this:

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

Best Answer

Whew. I solved the problem. It amounts to a config but within /etc/pam.d/vsftpd

Because ssh sessions succeeded while ftp sessions failed, I went to

/etc/pam.d/vsftpd, removed everything that was there and instead placed the contents of ./sshd to match the rules precisely. All worked!

By method of elimination, I found that the offending line was:

    auth       required     pam_shells.so

Removing it allows me to proceed.

Tuns out, "pam_shells is a PAM module that only allows access to the system if the users shell is listed in /etc/shells." I looked there and sure enough, no bash, no nothing. This is a bug in vsftpd configuration in my opinion as nowhere in the documentation does it have you editing /etc/shells. Thus default installation and instructions do not work as stated.

I'll go find where I can submit the bug now.

Related Solutions

Custom PAM modules and security considerations

When you call into Linux-PAM for some authentication procedure, there is always one and only one stack that is run.

The stack definition is looked up in these places; the first successful attempt determines which file is read:

the file in /etc/pam.d named after the application "service name" (e.g., sshd or gdm), or
the file /etc/pam.d/other if no service-specific file exists, or
the file /etc/pam.conf if directory /etc/pam.d does not exist.

See the documentation for function pam_start for details.

The common-* files are a convention followed by many Linux distributions but are not mandated by the PAM software itself. They are usually included by other PAM files by means of @include statements; for instance the /etc/pam.d/other file on Debian has the following content:

# We fall back to the system default in /etc/pam.d/common-*
@include common-auth
@include common-account
@include common-password
@include common-session

The same @include statements may be used by service-specific file as well, and -indeed- they are in the default configuration on Debian. Note that this is a matter of configuration: a sysadmin is free to change the file in /etc/pam.d not to include any common-* files at all!

Therefore: if your PAM module is specific to your application, create an application-specific service file and call the module from there. Do not automatically add a module to other services' PAM file nor to the fall-back others file, as this may break other applications installed on the system. Management of the PAM software stack is a task for the system administrator, not for the application developers.

Linux – How to control authentication attempts in PAM

There is a login counter module for PAM called pam_tally which can be used maintain a count of attempted login attempts, and block further attempts if a certain number of login attempts fail.

Example:

On Debian you could add the following lines to /etc/pam.d/common-auth to give users three login attempts before the account is locked:

auth required pam_tally.so onerr=fail deny=3 no_magic_root

The no_magic_root prevents the root user from being locked out.

As peterph pointed out, the unlock_time option can be used to specify a number of seconds after which a locked-out account will automatically be unlocked. By setting this option to 1, i.e. locking the account for one second, the login attempt can be aborted after a specified number of tries, while still allowing the user to retry (almost) immediately.

Adding the following line to /etc/pam.d/common-account will reset the login count on a successful login:

account required pam_tally.so reset no_magic_root

On Fedora, both lines can be added to /etc/pam.d/system-auth.

Access to a locked-out user account can be restored with the accompanying pam_tally utility as follows:

$ pam_tally --user user --reset=0

Best Answer

Related Solutions

Custom PAM modules and security considerations

Linux – How to control authentication attempts in PAM

Related Question