VsFTPd - pam_mkhomedir
I am trying to set up an FTP server that authenticates against an LDAP server. This part is done and works. My server is VsFTPd on Ubuntu Server 11.04.
But I have to create the home directories for my LDAP users. I am trying to use the pam_mkhomedir module but it is not working: when I add its line to the /etc/pam.d/vsftpd file, my users cannot log in anymore to the FTP server.
The problem is that I have very little information on what is wrong. VsFTPd just responds 530: login incorrect and I could not find a way to get debug or error messages from pam_mkhomedir.
Here are my different configuration files.
The /etc/pam.d/vsftpd file:
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_ldap.so
account required pam_ldap.so
password required pam_ldap.so
session optional pam_mkhomedir.so skel=/home/skel debug
The /etc/vsftpd.conf file:
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
guest_enable=YES
session_support=YES
log_ftp_protocol=YES
tcp_wrappers=YES
Permissions on /home and /home/skel:
root@ftp:/home# ls -al
total 16
drwxrwxrwx 4 root root 4096 2011-10-11 21:19 .
drwxr-xr-x 21 root root 4096 2011-09-27 13:32 ..
drwxrwxrwx 2 root root 4096 2011-10-11 19:34 skel
drwxrwxrwx 5 foo foo 4096 2011-10-11 21:11 foo
root@ftp:/home# ls -al skel/
total 16
drwxrwxrwx 2 root root 4096 2011-10-11 19:34 .
drwxrwxrwx 4 root root 4096 2011-10-11 21:19 ..
-rwxrwxrwx 1 root root 3352 2011-10-11 19:34 .bashrc
-rwxrwxrwx 1 root root 675 2011-10-11 19:34 .profile
Yes, I know, permissions are not properly set but security is not the issue here: I first need to get it to work.
So, to recapitulate: without pam_mkhomedir my LDAP users can log in, but they cannot do anything because they are in an empty chrooted jail. If I add pam_mkhomedir, they cannot log in anymore. If anyone has an idea why, or knows how to get more information from logs, I would be very grateful, thanks.
Solution 1:
Simple answer - it is necessary to enable session support in vsftpd.conf:
session_support=YES
Solution 2:
Perhaps not directly relevant to vsftpd, but something I ran across with SFTP is that pam_mkhomedir.so creates the homedir owned by the user:group - naturally, even if the skel files are owned by root. But chroot with SFTP wants root:root to own the chroot homedir for security reasons (with permissions 755). Even with the skel files owned by root.
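A check for the ownership rule described in Solution 2, as an added example that is not part of the original answers: it flags a directory that is not owned by root or that is writable by group or others. Going beyond the answer, it applies the same test to every parent directory, which OpenSSH's ChrootDirectory also requires. The function names and the default /home target are assumptions.

```python
import os
import stat
import sys


def check_dir(path, owner_uid=0):
    """Return the problems that make `path` unsuitable as a chroot component."""
    st = os.lstat(path)  # lstat: a symlink is reported, not followed
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    problems = []
    if st.st_uid != owner_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"{path}: mode {mode:04o} is group/world-writable")
    return problems


def check_chroot_path(path, owner_uid=0):
    """Check `path` and every parent directory up to the filesystem root."""
    path = os.path.realpath(path)
    problems = []
    while True:
        problems.extend(check_dir(path, owner_uid))
        parent = os.path.dirname(path)
        if parent == path:  # reached "/"
            return problems
        path = parent


if __name__ == "__main__":
    # Assumed default target; pass the chroot directory as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/home"
    found = check_chroot_path(target)
    for line in found:
        print(line)
    sys.exit(1 if found else 0)
```

Run against the /home listing in the question (mode 777), it would report /home as group/world-writable.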