VsFTPd - pam_mkhomedir

ftp vsftpd ldap home-directory pam

I am trying to set up a FTP server that authenticates against an LDAP server. This part is done and works. My server is VsFTPd on Ubuntu Server 11.04. But I have to create the home directories for my LDAP users. I am trying to user the pam_mkhomedir module but it is not working: when I add its line to the /etc/pam.d/vsftpd file, my users can not login anymore to the FTP server. The problem is that I have very few information on what is wrong. VsFTPd just responds 530: login incorrect and I could not find a way to get debug or error messages from pam_mkhomedir.

Here are my different configuration files. The /etc/pam.d/vsftpd file:

auth    required    pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

auth        required    pam_ldap.so
account     required    pam_ldap.so
password    required    pam_ldap.so
session     optional    pam_mkhomedir.so skel=/home/skel debug

The /etc/vsftpd.conf file:

listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
guest_enable=YES
session_support=YES
log_ftp_protocol=YES
tcp_wrappers=YES

Permissions on /home and /home/skel:

root@ftp:/home# ls -al
total 16
drwxrwxrwx  4 root     root     4096 2011-10-11 21:19 .
drwxr-xr-x 21 root     root     4096 2011-09-27 13:32 ..
drwxrwxrwx  2 root     root     4096 2011-10-11 19:34 skel
drwxrwxrwx  5 foo      foo      4096 2011-10-11 21:11 foo

root@ftp:/home# ls -al skel/
total 16
drwxrwxrwx 2 root root 4096 2011-10-11 19:34 .
drwxrwxrwx 4 root root 4096 2011-10-11 21:19 ..
-rwxrwxrwx 1 root root 3352 2011-10-11 19:34 .bashrc
-rwxrwxrwx 1 root root  675 2011-10-11 19:34 .profile

Yes, I know, permissions are not properly set but security is not the issue here: I first need to get it to work.

So, to recapitulate: without pam_mkhomedir my LDAP users can login, but they cannot do anything because they are in an empty chrooted jail. If I add pam_mkhomedir, they cannot login anymore. If anyone has an idea why, or know how to get more information from logs, I would be very grateful, thanks.


Solution 1:

Simple answer - it is necessary enable session support in vsftpd.conf:

session_support=YES

Solution 2:

Perhaps not directly relevant to vsftpd, but something I ran across with SFTP is that pam_mkhomedir.so creates the homedir owned by the user:group - naturally, even if the skel files are owned by root. But chroot with SFTP wants root:root to own the chroot homedir for security reasons (with permissions 755). Even with the skel files owned by root.

Related

Add a subdomain that is hosted elsewhere [closed]
Securing phpmyadmin: non-standard port + https
Is tcp_keepalive application dependant on Linux?
Monitoring "Request Wait Time" in PerfMon
How do I reinstall the Search/Indexing Feature on Server 2012 R2?
Postfix illegal address syntax
HW Raid controller error
Lots of unused memory on EL6 compared to EL5
Do wheel spikes actually accomplish anything?
Where is the golden horn?
Can Sith use lightsabers of any other colour than red or yellow?
How do I strategically use Promote?