
FTP system using PAM

I'm new to the list and PAM, so please bear with me. I've looked through some of the archives, but since there is no search function I gave up after browsing through several months archives and not finding what I was looking for.

Here's the short version of what I'm trying to do:
set up a secure (encrypted) FTP system that will allow clients to access their sites (some directory) but not allow any other system access.

Long version:
I think a system can be set up using OpenSSH, WU-FTPD and PAM. OpenSSH to accomplish FTP over SSH (tunneling; I'm already doing it now for regular FTP access); and using PAM (with the pam_pwdfile module) and WU-FTPD for authentication from a file other than /etc/passwd.

I've considered the obvious option of setting the 'untrusted' users' shells to /bin/false, but the user is still dangerously close (I think) to getting into the system. Using /bin/false, the user will still get the MOTD and mail info before being returned to a login prompt. To me, that seems further into the system than I would like to allow. I don't even want to have an entry in /etc/passwd for these accounts.

The system would probably function something like this:
1. User (trusted or untrusted) initiates FTP over SSH connection and sends username and password.
2. Since SSH is not doing any authenticating (it's just tunneled), WU-FTPD receives the username and password and checks them against the /etc/foopasswd password file. If they match, we chroot them to the directory of our choosing.
3. If not, we check /etc/passwd and give them normal FTP access if they match there.

Now, for the issues that I think may be a problem or I need help/ideas on how to implement them.

1. How do I set up the two-stage authentication in the /etc/pam.d/wu-ftpd file? It would have to be an either-or operation. Either they are in /etc/passwd or they are in /etc/ftppasswd (but not both), but only fail if they aren't in either.

2. Using pam_pwdfile, how do I create a file with the format username:enc_password? Every adduser utility I've found only puts the usernames/passwords in /etc/passwd.

3. What user would WU-FTPD run under? The directories I would be giving access to are owned by two regular system accounts (web, cgi). How would I manage the read/write permissions? WU-FTPD tries to run as the user logged in, but if the user is untrusted, they don't exist as a normal system user. Would it still run as that untrusted user and they would just have a lot of file permission problems? How would they read/write to the directories they need to without making them world read/write/execute?

This last one seems to be a big one.

I hope this has made sense!

If you've read this far, I appreciate your patience. If you have any comments or suggestions, I would appreciate it.



-- 
--------------------------------------------
Kelly Corbin
Systems Administrator
http://www.theiqgroup.com
The IQ Group, Inc.
6740 Antioch Suite 110
Merriam, KS 66204
(913)-722-6700
Fax (913)722-7264
--------------------------------------------
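An added example, not part of the original post or of any reply to it, covering questions 1 and 2 above: it shows a PAM stack for wu-ftpd that tries pam_pwdfile first and falls through to the system password database only on a miss (so a user in neither file fails), and it generates and checks the `user:enc_password` lines that no adduser utility will write for you. It assumes the pam_pwdfile build in use accepts MD5-crypt (`$1$salt$hash`) entries, and the file path `/etc/ftppasswd`, the module names in the stack and the sample users are illustrative; it does not address question 3 (the uid the chrooted session runs as), which this script cannot decide for you.

```python
"""Build and verify pam_pwdfile-style 'user:enc_password' entries and model
the either-or PAM stack (pam_pwdfile sufficient, pam_unix required).

Added example, not from the original post. Assumes pam_pwdfile accepts
MD5-crypt ('$1$salt$hash'); file path, module lines and users are made up.
"""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Assumed /etc/pam.d/wu-ftpd stack. 'sufficient' means a pam_pwdfile match
# ends the auth phase with success; a miss falls through to pam_unix, which is
# 'required', so a user in neither file fails. A user in both files is
# decided by pam_pwdfile first (the stack does not enforce "not both").
PAM_STACK = """\
auth    sufficient  pam_pwdfile.so  pwdfile=/etc/ftppasswd
auth    required    pam_unix.so
account required    pam_unix.so
"""


def _to64(value, count):
    """Encode 'count' base-64 digits of 'value' using crypt(3)'s alphabet."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt):
    """MD5-crypt as in FreeBSD/glibc crypt(3): returns '$1$salt$hash'."""
    pw = password.encode()
    salt = salt[:8].encode()          # crypt(3) uses at most 8 salt chars
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:              # mix in 'alt', one byte per pw byte
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                       # one byte per bit of len(pw)
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for r in range(1000):             # the 1000 stretching rounds
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(salt)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    enc = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    enc += _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + enc


def make_entry(user, password, salt=None):
    """One 'user:enc_password' line for the pwdfile, with a random salt."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return user + ":" + md5_crypt(password, salt)


def verify(password, enc):
    """Recompute with the salt embedded in 'enc' and compare in constant time."""
    magic, salt, _ = enc[1:].split("$", 2)   # enc is '$1$salt$hash'
    if magic != "1":
        return False
    return secrets.compare_digest(md5_crypt(password, salt), enc)


def parse_pwdfile(text):
    """Map user -> enc_password, ignoring blank and '#' lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, enc = line.partition(":")
            users[user] = enc
    return users


def authenticate(user, password, ftppasswd, passwd):
    """Model of the stack above: returns 'chroot' (matched the ftp file),
    'normal' (matched the system file) or None. The system file is modelled
    here with the same hash format; real pam_unix reads /etc/shadow."""
    if user in ftppasswd and verify(password, ftppasswd[user]):
        return "chroot"
    if user in passwd and verify(password, passwd[user]):
        return "normal"
    return None


# Constructed sample data, not real accounts.
FTPPASSWD = make_entry("clientA", "c0rrect horse", "saltsalt") + "\n# comment\n"
PASSWD_HASHES = {"kelly": md5_crypt("hunter2", "abcdefgh")}

if __name__ == "__main__":
    print(PAM_STACK)
    print(FTPPASSWD, end="")
    for u, p in (("clientA", "c0rrect horse"), ("kelly", "hunter2"), ("x", "y")):
        print(u, "->", authenticate(u, p, parse_pwdfile(FTPPASSWD), PASSWD_HASHES))
```

Run it once to print a line you can append to the ftp password file; the file should be owned by root and mode 0600, since anyone who can read it can crack the hashes offline.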
