0

I'm trying to set up a few vsftpd instances on a machine that I have no root access to. The authentication should be done through PAM with pam_listfile, like this:

pam_listfile.so item=group sense=allow file=/path/filename onerr=fail

I can ask the administrator to set up a PAM service for me and include that line, but he is not willing to create 6 PAM services for my 6 vsftpd instances and I really need a different /path/filename set for each vsftpd server.

Is there a way to solve this problem? Can I somehow not use an absolute path as the parameter?

(I know the correct solution would be to use one vsftpd instance and set up virtual users properly. However, unfortunately, I have to work with what I have, and the users already exist in an Active Directory and are authenticated to the system using another PAM service.)

Castaglia
Zizzencs

3 Answers

1

Well, unfortunately the answer is that it can't be done with vsftpd.

Zizzencs
0

Rather than using a file, would it help at all to specify the group in the PAM file? In this way you may not need a number of flat files. (Depending on your intentions.)

How Can I Restrict FTP to a Particular Local Group?

Aaron Copley
0

Your better answer may be to migrate away from vsftpd to proftpd, which can support the need for virtual users without PAM integration. In your /etc/proftpd.conf you'd include lines like:

AuthPAMAuthoritative            off
AuthPAM                         off
AuthUserFile                    /opt/etc/passwd.ftp
AuthGroupFile                   /opt/etc/group.ftp

The group.ftp file is just a standard group setup for 'ftp' and 'nobody', and your passwd file would assign the user:group the same for all entries. You'd just specify usernames, passwords and login directories (use /sbin/nologin for the shell). It takes all of 5 minutes to set up if your admin will get the groundwork in place for you, and allow you to own/edit the password file.
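
An added example, not part of the original answer and not ProFTPD's own code: a small Python check for an AuthUserFile laid out as the answer above describes (passwd(5)-style lines, one shared uid:gid for every entry, /sbin/nologin as the shell). The policy constants, user names, ids, paths and password hashes are constructed for illustration.

```python
import re

# Assumed policy for this example (not taken from the original answer).
FIELDS = 7  # passwd(5) layout: name:hash:uid:gid:gecos:home:shell
REQUIRED_SHELL = "/sbin/nologin"
CRYPT_HASH = re.compile(r"^\$[0-9a-z]+\$.+")  # modular crypt format, e.g. $6$salt$digest

def lint_auth_user_file(text):
    """Return a list of (line_number, problem) for the body of an AuthUserFile."""
    problems, seen, ids = [], set(), set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != FIELDS:
            problems.append((n, f"expected {FIELDS} fields, got {len(parts)}"))
            continue
        name, pw, uid, gid, _gecos, home, shell = parts
        if name in seen:
            problems.append((n, f"duplicate user {name!r}"))
        seen.add(name)
        if not CRYPT_HASH.match(pw):
            problems.append((n, "password field is not a crypt hash"))
        if not (uid.isdigit() and gid.isdigit()):
            problems.append((n, "uid/gid must be numeric"))
        elif int(uid) == 0 or int(gid) == 0:
            problems.append((n, "entry maps to uid/gid 0"))
        else:
            ids.add((uid, gid))
        if not home.startswith("/"):
            problems.append((n, "login directory is not an absolute path"))
        if shell != REQUIRED_SHELL:
            problems.append((n, f"shell is {shell!r}, expected {REQUIRED_SHELL}"))
    if len(ids) > 1:  # the answer expects the same user:group on every entry
        problems.append((0, f"entries use different uid:gid pairs: {sorted(ids)}"))
    return problems

# Constructed sample; the hashes are placeholders, not real digests.
SAMPLE = """\
alice:$6$examplesalt$PLACEHOLDERDIGEST:14:50::/srv/ftp/site1/alice:/sbin/nologin
bob:secret:14:50::/srv/ftp/site1/bob:/bin/bash
carol:$6$examplesalt$PLACEHOLDERDIGEST:0:0::srv/ftp/carol:/sbin/nologin
alice:$6$examplesalt$PLACEHOLDERDIGEST:15:50::/srv/ftp/site1/alice2:/sbin/nologin
"""

if __name__ == "__main__":
    for lineno, msg in lint_auth_user_file(SAMPLE):
        print(f"line {lineno}: {msg}")
```

Line number 0 in the output marks a file-wide finding rather than a single entry.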