I am trying to set up an FTP server that authenticates against an LDAP server. This part is done and works. My server is VsFTPd on Ubuntu Server 11.04. But I have to create the home directories for my LDAP users. I am trying to use the pam_mkhomedir module, but it is not working: when I add its line to the /etc/pam.d/vsftpd file, my users can no longer log in to the FTP server. The problem is that I have very little information on what is wrong. VsFTPd just responds 530: login incorrect, and I could not find a way to get debug or error messages from pam_mkhomedir.

Here are my different configuration files. The /etc/pam.d/vsftpd file:

auth    required    pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

auth        required    pam_ldap.so
account     required    pam_ldap.so
password    required    pam_ldap.so
session     optional    pam_mkhomedir.so skel=/home/skel debug

The /etc/vsftpd.conf file:

listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
guest_enable=YES
session_support=YES
log_ftp_protocol=YES
tcp_wrappers=YES

Permissions on /home and /home/skel:

root@ftp:/home# ls -al
total 16
drwxrwxrwx  4 root     root     4096 2011-10-11 21:19 .
drwxr-xr-x 21 root     root     4096 2011-09-27 13:32 ..
drwxrwxrwx  2 root     root     4096 2011-10-11 19:34 skel
drwxrwxrwx  5 foo      foo      4096 2011-10-11 21:11 foo

root@ftp:/home# ls -al skel/
total 16
drwxrwxrwx 2 root root 4096 2011-10-11 19:34 .
drwxrwxrwx 4 root root 4096 2011-10-11 21:19 ..
-rwxrwxrwx 1 root root 3352 2011-10-11 19:34 .bashrc
-rwxrwxrwx 1 root root  675 2011-10-11 19:34 .profile

Yes, I know, permissions are not properly set, but security is not the issue here: I first need to get it to work.

So, to recapitulate: without pam_mkhomedir my LDAP users can log in, but they cannot do anything because they are in an empty chrooted jail. If I add pam_mkhomedir, they cannot log in anymore. If anyone has an idea why, or knows how to get more information from the logs, I would be very grateful. Thanks.


Solution 1:

Simple answer: it is necessary to enable session support in vsftpd.conf:

session_support=YES
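As an added example (mine, not part of the question or this answer), a POSIX shell check that ties the two pieces together: pam_mkhomedir belongs to the PAM session group, and vsftpd only runs that group (pam_open_session) when session_support=YES, so a session line in /etc/pam.d/vsftpd is dead configuration without it. The check also warns when pam_mkhomedir is the only session entry and is marked optional, because pam.conf(5) makes an optional module's result decisive when it is alone in its stack; a failing mkhomedir then fails the session, which vsftpd reports as a failed login. Both file paths are arguments so it can be run against copies; the sample files mentioned in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Checks that a vsftpd PAM stack
# and vsftpd.conf agree on session handling.
#
# pam_mkhomedir lives in the "session" management group, and vsftpd only runs
# the session group (pam_open_session) when session_support=YES, so without it
# the module is simply never invoked.

# pam_has_session_mkhomedir FILE -> 0 if an uncommented session line loads pam_mkhomedir.so
pam_has_session_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^#]*pam_mkhomedir\.so' "$1"
}

# pam_session_line_count FILE -> number of uncommented session lines
pam_session_line_count() {
    grep -Ec '^[[:space:]]*session[[:space:]]' "$1" || true
}

# vsftpd_session_support FILE -> 0 if session_support is enabled (vsftpd
# upper-cases boolean values and takes YES, TRUE or 1 as true; last setting wins)
vsftpd_session_support() {
    val=$(grep -E '^[[:space:]]*session_support[[:space:]]*=' "$1" | tail -n 1 \
          | cut -d= -f2 | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    case "$val" in
        YES|TRUE|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_mkhomedir_setup PAMFILE VSFTPDCONF -> prints findings, returns 0 when consistent
check_mkhomedir_setup() {
    pamfile=$1
    conf=$2
    rc=0
    if [ ! -r "$pamfile" ] || [ ! -r "$conf" ]; then
        echo "cannot read $pamfile or $conf"
        return 1
    fi
    if ! pam_has_session_mkhomedir "$pamfile"; then
        echo "problem: no session-group pam_mkhomedir.so line in $pamfile"
        return 1
    fi
    if vsftpd_session_support "$conf"; then
        echo "ok: pam_mkhomedir is in the session group and session_support is enabled in $conf"
    else
        echo "problem: $conf lacks session_support=YES, so vsftpd never calls pam_open_session and pam_mkhomedir never runs"
        rc=1
    fi
    # pam.conf(5): an optional module's result only matters when it is the only
    # module in its stack; then a failing mkhomedir fails the whole session, and
    # vsftpd reports that as a failed login.
    if grep -Eq '^[[:space:]]*session[[:space:]]+optional[[:space:]]+pam_mkhomedir\.so' "$pamfile" \
       && [ "$(pam_session_line_count "$pamfile")" -eq 1 ]; then
        echo "warning: pam_mkhomedir is the only session entry and is marked optional, so its own result decides the session stack"
    fi
    return $rc
}

# Usage: sh check-mkhomedir.sh /etc/pam.d/vsftpd /etc/vsftpd.conf
if [ $# -eq 2 ]; then
    check_mkhomedir_setup "$1" "$2"
fi
```

Run it against the live files, or against copies when experimenting: a "problem" line means mkhomedir cannot run at all, while the "warning" line points at the case where it runs, fails (wrong skel path, no permission to create under /home) and takes the login down with it; the `debug` option on the module line sends its reasons to syslog under the auth facility.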

Solution 2:

Perhaps not directly relevant to vsftpd, but something I ran across with SFTP is that pam_mkhomedir.so creates the home directory owned by user:group, naturally, even if the skel files are owned by root. But chroot with SFTP wants root:root to own the chroot home directory for security reasons (with permissions 755), even with the skel files owned by root.
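To turn this answer's point into something you can check, here is an added POSIX shell example (mine, not from the answer, from OpenSSH or from vsftpd). home_chroot_ok verifies that a directory has the ownership and mode a chroot root needs: owned by root (or a caller-supplied owner) and neither group- nor world-writable. OpenSSH's ChrootDirectory enforces exactly that on the directory and every path component above it, and vsftpd from 2.3.5 on likewise refuses a writable chroot root unless allow_writeable_chroot=YES, so the 0777 directories shown in the question would be rejected by either. harden_chroot_home applies the usual remedy once pam_mkhomedir has created a user-owned home: hand the top directory to root and give the user a writable subdirectory inside it. The `upload` name and its 0750 mode are assumptions, and that function needs root.

```shell
#!/bin/sh
# Added example, not from the original page. Ownership/mode checks for a
# directory that will become a user's chroot root.

# home_chroot_ok DIR [OWNER] -> 0 when DIR is owned by OWNER (default root)
# and is neither group- nor world-writable; prints what is wrong otherwise.
# Parses `ls -ld` so it works with both GNU and BSD userlands (paths containing
# whitespace are not handled).
home_chroot_ok() {
    dir=$1
    want_owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi
    set -- $(ls -ld "$dir")     # $1 = "drwxr-xr-x", $3 = owner
    perms=$1
    owner=$3
    rc=0
    if [ "$owner" != "$want_owner" ]; then
        echo "bad owner on $dir: $owner (want $want_owner)"
        rc=1
    fi
    # mode string layout: d rwx rwx rwx -> group write is char 6, other write is char 9
    case $perms in ?????w*)    echo "group-writable: $dir"; rc=1 ;; esac
    case $perms in ????????w*) echo "world-writable: $dir"; rc=1 ;; esac
    return $rc
}

# chroot_path_ok DIR [OWNER] -> 0 when DIR and every directory above it pass
# home_chroot_ok, which is what sshd's ChrootDirectory requires.
chroot_path_ok() {
    p=$1
    while [ -n "$p" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        home_chroot_ok "$p" "${2:-root}" || return 1
        p=$(dirname "$p")
    done
    return 0
}

# harden_chroot_home DIR USER [GROUP] (needs root): make DIR a root-owned 0755
# chroot root and give USER a writable subdirectory inside it. The "upload"
# name and 0750 mode are assumptions; adjust them to what clients expect.
harden_chroot_home() {
    dir=$1
    user=$2
    group=${3:-$2}
    chown root:root "$dir" && chmod 0755 "$dir" || return 1
    mkdir -p "$dir/upload" && chown "$user:$group" "$dir/upload" && chmod 0750 "$dir/upload"
}

# Usage: sh chroot-home-check.sh /home/foo [expected-owner]
if [ $# -ge 1 ]; then
    chroot_path_ok "$1" "${2:-root}"
fi
```

Run the check against the home directory pam_mkhomedir just created (it will report "bad owner" because the module hands the directory to the user), then harden it and re-run; a clean result from chroot_path_ok is the state sshd demands, and a clean home_chroot_ok on the top directory alone is what newer vsftpd insists on.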