PAM not playing nicely with vsftpd and pam_exec.so

Jason Gerfen jason.gerfen at utah.edu
Thu Dec 25 16:55:33 UTC 2014 

Strange. It seems like it is not using the /etc/pam.d/vsftpd file. Or it is exiting early due to the current stack; i.e. required, sufficient directives that may exist in the /etc/pam.d/common-session file.

That is why I suggested to place it in the common-session to trigger the pam_exec.so for all services. Perhaps place it higher in the stack vs. the end.

________________________________
From: pam-list-bounces at redhat.com [pam-list-bounces at redhat.com] on behalf of Chip [jeffschips at gmail.com]
Sent: Thursday, December 25, 2014 9:27 AM
To: Pluggable Authentication Modules
Subject: Re: PAM not playing nicely with vsftpd and pam_exec.so


On 12/25/2014 10:02 AM, Jason Gerfen wrote:
Correct. I have to apologize for my short and totally incoherent response. I received the question at near midnight and know better than to respond to a fairly technical question right before retiring for the evening.

My assumption is that your /etc/pam.d/vsftpd matches /etc/pam.d/sshd line for line except the line for session triggering the pam_exec.so module.

I originally thought of that idea but didn't invoke it out of fear that it could cause security issues since sshd is built for sshd and vsftpd is built for vsftpd -- and not being very well versed in pam didn't want to take any risks.  Are you sure it's a good idea to copy over the sshd to vsftpd?

Does the user you are testing with have a valid shell directive within the /etc/passwd file? I.E. /bin/bash, /bin/sh etc?
etc/passwd for the specified user contains:
specifieduser:x:1000:1000:specifieduser,,,:/home/specifieduser:/bin/bash


And if so, does pam_shells.so exist anywhere within the common includes for the /etc/pam.d/vsftpd file? I ask these questions due to this particular configuration http://unix.stackexchange.com/questions/37539/vsftpd-fails-pam-authentication.

only exists in chsh which I believe is not referenced in any of this work

Can you add a debug directive to the line; i.e. 'session optional pam_exec.so debug'? According to the documentation for pam_exec.so at http://linux.die.net/man/8/pam_exec you can also add a log directive and monitor that during your tests.

When I tail auth.log after inserting "session optional pam_exec.so" at the end of the sshd file (which properly triggers the executable) I see this:

Dec 25 11:16:06 specifieduser sshd[6699]: Accepted password for specifieduser from xx.xx.xx.xx port 50393 ssh2
Dec 25 11:16:06 specifieduser sshd[6699]: pam_unix(sshd:session): session opened for user specifieduser by (uid=0)
Dec 25 11:16:09 specifieduser sshd[6699]: pam_exec(sshd:session): No path given as argument
Dec 25 11:16:09 specifieduser sshd[6699]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
Dec 25 11:16:09 specifieduser sshd[6699]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory

However, inserting "session optional pam_exec.so" into the vsftpd file at the end, produces no output. . . is pam not seeing vsftpd or vica versa?


Those should help you further diagnose the actual problem when it works for the sshd service.
________________________________
From: pam-list-bounces at redhat.com<mailto:pam-list-bounces at redhat.com> [pam-list-bounces at redhat.com<mailto:pam-list-bounces at redhat.com>] on behalf of Jeffrey Starin [jeffschips at gmail.com<mailto:jeffschips at gmail.com>]
Sent: Thursday, December 25, 2014 12:48 AM
To: Pluggable Authentication Modules
Subject: Re: PAM not playing nicely with vsftpd and pam_exec.so


Okay. I need a bit more explanation. Glad to hear there might be hope but don't completely understand "always that directive to common session" .  I think you mean place the statement:

session    optional     pam_exec.so

Inside the common session file?

If so what is the theory behind why that could work -- trying to teach myself the reasons why that could be a solution.

Thank you.

On Dec 25, 2014 2:24 AM, "Jason Gerfen" <jason.gerfen at utah.edu<mailto:jason.gerfen at utah.edu>> wrote:
You could always that directive to common-session and try.


On Dec 24, 2014, at 11:01 PM, "Chip" <jeffschips at gmail.com<mailto:jeffschips at gmail.com>> wrote:


I've researched this feature extensively and need help. PAM is a difficult authentication program for me to thoroughly understand although I'm learning.

Running Debian Wheezy.

Have pam setup to trigger off an email when users login using sshd -- that works fine.  No problem using this command in the /etc/pam.d/sshd file:

session    optional     pam_exec.so /usr/local/bin/notify.sh

However, I need it to work with vsftpd and getting it to work with sshd was just a test.  However, I can't get it to work with vsftpd, the contents of /etc/pam.d/vsftpd are:

auth    required        pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
@include common-account
@include common-session
@include common-auth
session    optional     pam_exec.so /usr/local/bin/notify-login.sh

What am I missing here?  Is pam even designed to work with vsftpd?  Running the following command indicates it's hooked into vsftpd, but pam_exec.so doesn't seem to want to play nicely with vsftpd.

$ ldd /{,usr/}{bin,sbin}/* | grep -B 5 libpam | grep '^/'
/bin/login:
/bin/su:
/sbin/mkhomedir_helper:
/sbin/pam_tally2:
/usr/bin/chfn:
/usr/bin/chsh:
/usr/bin/c_rehash:
/usr/bin/crontab:
/usr/bin/passwd:
/usr/sbin/aspell-autobuildhash:
/usr/sbin/atd:
/usr/sbin/chpasswd:
/usr/sbin/cron:
/usr/sbin/newusers:
/usr/sbin/sshd:
/usr/sbin/vsftpd:


_______________________________________________
Pam-list mailing list
Pam-list at redhat.com<mailto:Pam-list at redhat.com>
https://www.redhat.com/mailman/listinfo/pam-list

_______________________________________________
Pam-list mailing list
Pam-list at redhat.com<mailto:Pam-list at redhat.com>
https://www.redhat.com/mailman/listinfo/pam-list



_______________________________________________
Pam-list mailing list
Pam-list at redhat.com<mailto:Pam-list at redhat.com>
https://www.redhat.com/mailman/listinfo/pam-list

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20141225/1c45005d/attachment.htm>

More information about the Pam-list mailing list