ProFTP login horror
Paul Howarth
paul at city-fan.org
Tue Feb 28 20:45:01 UTC 2006
On Tue, 2006-02-28 at 21:24 +0100, Marcel Janssen wrote:
> Hi Les,
> > I haven't used proftpd for a while. Does it have any security
> > options (like not running as root or living in a chroot jail)
> > that would keep it from reading your shadow password file?
>
> Yes, it doesn't run as root and can live in a chroot jail.
Here's what I use:
In proftpd.conf:
...
# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
# Do not perform ident lookups (hangs when the port is filtered)
IdentLookups off
# Turn off reverse DNS lookups
# Not having this option can cause problems for chrooted users e.g. anonymous
#UseReverseDNS off
# This sometimes helps too
PersistentPasswd off
...
And in /etc/pam.d/proftpd
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
Paul.
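
Added example (not part of Paul's message): a simplified Python model of the two gating modules in the PAM stack above, pam_listfile with sense=deny against /etc/ftpusers and pam_shells, listing which accounts get as far as the password check. The account data, file contents and function names are constructed for illustration; note that with onerr=succeed an unreadable /etc/ftpusers lets every user past the deny list.

```python
# Simplified model of pam_listfile (sense=deny) and pam_shells as used in
# /etc/pam.d/proftpd above. All data below is constructed for illustration.

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/sbin/nologin
carol:x:502:502::/home/carol:/bin/tcsh
"""
FTPUSERS = "root\nbin\ndaemon\n"              # constructed /etc/ftpusers
SHELLS = "/bin/sh\n/bin/bash\n/bin/tcsh\n"    # constructed /etc/shells


def _entries(text):
    """Non-empty, non-comment lines of a list file."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def listfile_ok(user, ftpusers_text, onerr="succeed"):
    """pam_listfile item=user sense=deny: fail if the user is listed.

    ftpusers_text=None models an unreadable /etc/ftpusers; the outcome
    is then decided by the onerr setting alone.
    """
    if ftpusers_text is None:
        return onerr == "succeed"
    return user not in _entries(ftpusers_text)


def shells_ok(shell, shells_text):
    """pam_shells: pass only if the login shell is listed in /etc/shells."""
    return shell in _entries(shells_text)


def ftp_candidates(passwd_text, ftpusers_text, shells_text, onerr="succeed"):
    """Accounts that pass both checks (the password check is not modelled)."""
    allowed = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed passwd lines
        user, shell = fields[0], fields[6]
        if listfile_ok(user, ftpusers_text, onerr) and shells_ok(shell, shells_text):
            allowed.append(user)
    return allowed
```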
More information about the fedora-list mailing list