Question about PAM in FreeBSD 9.2+
Rainer Duffner
rainer at ultra-secure.de
Thu Aug 14 09:34:58 UTC 2014
Hi,
I've got a pure-ftpd configuration that uses PAM and the following
configuration file in /etc/pam.d/pure-ftpd:
auth sufficient /usr/local/lib/pam_ldap.so
auth required pam_nologin.so
auth required pam_unix.so nullok
account required pam_permit.so
session required pam_permit.so
This has worked since FreeBSD 6 (or 5) until FreeBSD 9.1.
However, after upgrading to FreeBSD 9.2 (and 9.3 and probably 10), it
does not work anymore.
Mapping UIDs/GIDs from LDAP still works, but logging in via FTP does not
work anymore.
I tried a slightly different pam.d configuration, after studying the
handbook:
auth sufficient /usr/local/lib/pam_ldap.so debug
auth required pam_nologin.so
auth required pam_unix.so try_first_pass
account required pam_permit.so
account required /usr/local/lib/pam_ldap.so debug ignore_authinfo_unavail ignore_unknown_user
session required pam_permit.so
but this does not work, either.
Aug 14 11:21:29 mysrv pure-ftpd: (?@127.0.0.1) [DEBUG] Command [user][myuser]
Aug 14 11:21:37 mysrv pure-ftpd: (?@127.0.0.1) [DEBUG] Command [pass] [<*>]
Aug 14 11:21:37 mysrv pure-ftpd: in openpam_dispatch(): calling pam_sm_authenticate() in /usr/local/lib/pam_ldap.so
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_user(): entering
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_item(): entering: PAM_USER
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_item(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_user(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_data(): entering: 'PADL-LDAP-SESSION-DATA'
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_data(): returning PAM_NO_MODULE_DATA
Aug 14 11:21:37 mysrv pure-ftpd: in pam_set_data(): entering: 'PADL-LDAP-SESSION-DATA'
Aug 14 11:21:37 mysrv pure-ftpd: in pam_set_data(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_item(): entering: PAM_AUTHTOK
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_item(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_item(): entering: PAM_CONV
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_item(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in pam_set_item(): entering: PAM_AUTHTOK
Aug 14 11:21:37 mysrv pure-ftpd: in pam_set_item(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_item(): entering: PAM_AUTHTOK
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_item(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in pam_set_data(): entering: 'PADL-LDAP-AUTH-DATA'
Aug 14 11:21:37 mysrv pure-ftpd: in pam_set_data(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in pam_set_item(): entering: PAM_USER
Aug 14 11:21:37 mysrv pure-ftpd: in pam_set_item(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in openpam_dispatch(): /usr/local/lib/pam_ldap.so: pam_sm_authenticate(): success
Aug 14 11:21:37 mysrv pure-ftpd: in openpam_dispatch(): calling pam_sm_setcred() in /usr/local/lib/pam_ldap.so
Aug 14 11:21:37 mysrv pure-ftpd: in openpam_dispatch(): /usr/local/lib/pam_ldap.so: pam_sm_setcred(): success
Aug 14 11:21:45 mysrv pure-ftpd: (?@127.0.0.1) [DEBUG] Command [quit] []
What changed between FreeBSD 9.1 and FreeBSD 9.2?
How can I fix this?
Best Regards,
Rainer
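
The following is an added example, not part of the original post or of any project's code: a simplified model of how the control flags in the auth stack above combine (required, requisite, sufficient, optional only), showing which modules are consulted once pam_ldap.so succeeds. The evaluate() helper and the per-module return values are assumptions constructed for illustration; no real PAM calls are made.

```python
# Added example: simplified model of PAM control-flag evaluation.
# Module results are constructed inputs, not real PAM calls.
SUCCESS, FAILURE = "PAM_SUCCESS", "PAM_AUTH_ERR"

# The auth stack from the first /etc/pam.d/pure-ftpd in the post.
AUTH_STACK = [
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_nologin.so"),
    ("required", "pam_unix.so"),
]


def evaluate(stack, results):
    """Return (verdict, modules_called) for one pass over a chain.

    stack   -- list of (control_flag, module) in configuration order
    results -- module name -> constructed return value (hypothetical input)
    """
    failed = False  # set once a required/requisite module has failed
    called = []
    for flag, module in stack:
        called.append(module)
        if results[module] == SUCCESS:
            # sufficient: success ends the chain at once, unless an
            # earlier required module has already failed.
            if flag == "sufficient" and not failed:
                break
            continue
        if flag in ("required", "requisite"):
            failed = True
        if flag == "requisite":
            break  # requisite: failure ends the chain immediately
        # failures of sufficient/optional modules are ignored
    return (FAILURE if failed else SUCCESS), called


if __name__ == "__main__":
    cases = {
        "LDAP accepts": {"pam_ldap.so": SUCCESS, "pam_nologin.so": FAILURE,
                         "pam_unix.so": FAILURE},
        "LDAP rejects, local ok": {"pam_ldap.so": FAILURE,
                                   "pam_nologin.so": SUCCESS,
                                   "pam_unix.so": SUCCESS},
        "LDAP rejects, nologin fails": {"pam_ldap.so": FAILURE,
                                        "pam_nologin.so": FAILURE,
                                        "pam_unix.so": SUCCESS},
    }
    for name, results in cases.items():
        verdict, called = evaluate(AUTH_STACK, results)
        print(f"{name}: {verdict}, consulted {called}")
```

In the first case the chain stops at pam_ldap.so, so the two required modules listed after it are never consulted for a user LDAP accepts.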