2

I am running the FTP daemon VSFTPD. I'd like to control FTP access by adding users to a group such that only members of the defined group can access the FTP services. I am thinking I can do this by modifying /etc/pam.d/vsftpd, but am not sure how to get started. Or is this only for virtual users in VSFTPD?

I am aware of user_list and this does not seem to support groups. This doesn't provide the function I am looking for which is described above. If I am mistaken though this would be great.

Aaron Copley
  • I found this user who was trying to do the same thing with PAM module pam_group.so but was unsuccessful. http://forums.freebsd.org/showthread.php?t=3010 – Aaron Copley Feb 23 '11 at 00:11

2 Answers

2

Figures. I got it sorted out after posting here. I was reading The Linux-PAM System Administrators' Guide and found pam_succeed_if. There's an example which illustrates emulating pam_wheel.

To emulate the behaviour of pam_wheel, except there is no fallback to group 0:

```
auth required pam_succeed_if.so quiet user ingroup wheel
```

I inserted this in /etc/pam.d/vsftpd under the last "auth required" line and tested it. Now you must be a user of the defined group to log in to FTP. I also am removing the quiet flag as I would like to see authentication failures / successes in the logs.

Aaron Copley
  • Your link is dead for me. I think this should work: http://www.linux-pam.org/Linux-PAM-html/sag-pam_succeed_if.html – donothingsuccessfully Jan 28 '22 at 11:27
  • That can happen after 11(!) years. :) I can update this since you've commented, but feel free to submit edits as you would a wiki. Unless there's a minimum reputation, you should see an [Edit](https://serverfault.com/posts/238943/edit) link above. – Aaron Copley Jan 28 '22 at 20:50
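Added example, not part of the answer above or of the Linux-PAM guide: a small audit script that reads a PAM service file, reports every `pam_succeed_if.so ... user ingroup` gate on the auth stack, and checks whether a given group is actually enforced (control `required` or `requisite`) and whether `quiet` is suppressing log entries. The function names, the groups `ftpaccess` and `staff`, and the sample file contents are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Audit a PAM service file for group gates of the form used in the answer:
#   auth <control> pam_succeed_if.so [quiet] user ingroup <group>
# Only the simple one-word control form is parsed (not "[success=1 ...]").

# Print "<group> <control> <logged|quiet>" for every matching auth line.
# Commented-out lines never match because their first field is not "auth".
pam_group_gates() {
    awk '
        $1 == "auth" && $3 ~ /pam_succeed_if\.so$/ {
            mode = "logged"; group = ""
            for (i = 4; i <= NF; i++) {
                if ($i == "quiet") mode = "quiet"
                if ($i == "user" && $(i + 1) == "ingroup") group = $(i + 2)
            }
            if (group != "") print group, $2, mode
        }
    ' "$1"
}

# Succeed only if GROUP is gated with a control that denies non-members.
# A "sufficient" or "optional" gate does not block users outside the group.
gate_enforced() {
    pam_group_gates "$1" | awk -v g="$2" '
        $1 == g && ($2 == "required" || $2 == "requisite") { ok = 1 }
        END { exit !ok }'
}

# Constructed sample service file (hypothetical contents, not a distro default).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
#%PAM-1.0
auth     required    pam_shells.so
# auth   required    pam_succeed_if.so user ingroup wheel
auth     required    pam_succeed_if.so user ingroup ftpaccess
auth     sufficient  pam_succeed_if.so quiet user ingroup staff
auth     include     password-auth
account  include     password-auth
EOF

pam_group_gates "$SAMPLE"
if gate_enforced "$SAMPLE" ftpaccess; then
    echo "ftpaccess: membership is enforced"
fi
```

To audit a live system, pass `/etc/pam.d/vsftpd` instead of the sample path.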
0

Aaron, if you mean controlling vsftpd in terms of start/stop, etc. you can easily create a group for it and assign the service to start within the group's privilege. But on the other hand if you need to control access to directories on the server by clients, it should be done in the conf. file.

Hosm
  • No, sorry, I meant authentication to the FTP service. Also, telling me it should be done in the configuration file isn't very helpful. I've spent the day going over the man page for vsftpd.conf and it provides no mechanism for access control at the group level. If I am mistaken please assist with specifics. – Aaron Copley Feb 23 '11 at 00:03
  • I got it now. You mean you wanna authenticate ftp users with pam backend. Please have a look at [link](http://www.linuxquestions.org/questions/linux-networking-3/vsftpd-pam-authentication-286864/) and [link](http://fixunix.com/debian/129361-pam-userdb-auth-issue-pam_userdb-cant-open-database-vsftpd-sarge.html) – Hosm Feb 23 '11 at 01:04
  • Sorry, neither of those links address the question. It's ok though, as I've already found and posted the solution. Thanks, anyway. – Aaron Copley Feb 23 '11 at 02:18