Fedora 9: Pure-ftpd authentication with pam ??

fedora fedora at ayni.com
Wed May 28 10:12:29 UTC 2008

Hi listers
you may tell me that this is ot for this list, but the pure-ftpd mailing 
list is as inactive as can be.

I installed Fedora 9 from the live-CD. then, using 
System/Administration/Add-Remove Software, I installed pure-ftpd.

Here, all authentication uses pam-ldap which works fine for login, ssh, ...

But with pure-ftpd it just does not work.

in ldap I created a user called taxi just to be flexible to change 

[taxi at vidigal ~]$ id taxi
uid=1084(taxi) gid=1000(webdesign) groups=1000(webdesign)
[taxi at vidigal ~]$

when i do an ssh logon to taxi:

[myuser at rosetta ~]$ ssh taxi at vidigal
taxi at vidigal.lan's password:
Last login: Wed May 28 13:02:29 2008
[taxi at vidigal ~]$

that is: pam-ldap for user taxi works fine. user taxi also has a valid 
home-directory on the ftp-server.

when, however, I do an ftp-login I get:

[myuser at rosetta ~]$ ftp vidigal.lan
Connected to vidigal.lan (
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 11:39. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (vidigal.lan:cellino): taxi
331 User taxi OK. Password required
530 Login authentication failed
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.

[taxi at vidigal ~]$ cat /etc/pam.d/pure-ftpd

# Sample PAM configuration file for Pure-FTPd.
# Install it in /etc/pam.d/pure-ftpd or add to /etc/pam.conf

auth       required     pam_listfile.so item=user sense=deny 
file=/etc/ftpusers onerr=succeed
auth       include      system-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so

account    include      system-auth

password   include      system-auth

session    include      system-auth

[taxi at vidigal ~]$

we do not use the /etc/ftpusers file sofar, the file does not exist. so 
the first step in the auth-sequence must succeed.

[taxi at vidigal ~]$ cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok 
try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in 
crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
[taxi at vidigal ~]$

I checked to see if the pure-ftpd does an ldap-request, when I try to 
ftp-login: yes he does and he gets a positive reply from the 
ldap-server, when doing the bind with the authentication parameters for 

the login failure then must be caused by additional pam.d/pure-ftpd 

so I checked to see, whether the shell of taxi (/bin/bash) is in 
/etc/shells. yes it is.
and there is no /etc/nologin file on the ftp-server.

has anyone got an idea, how I have to change the environment in order to 
make pure-ftpd accept pam authentication?

changing to another ftp-server is no option, because i need the 
virtual-ftp-accounts provided by pure-ftpd.

thanks for any information


More information about the users mailing list