Bug 159745 - vsftpd fails to reverse dns before passing rhost to pam
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: vsftpd
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Radek Vokal
Mike McLean
Reported: 2005-06-07 14:31 EDT by Dan Hollis
Modified: 2008-05-09 11:32 EDT (History)
Fixed In Version: 2.0.3-10
Doc Type: Bug Fix
Last Closed: 2005-09-09 06:18:55 EDT
Description Dan Hollis 2005-06-07 14:31:35 EDT
Description of problem:
vsftpd never does reverse dns before passing hosts to pam_access.so

Version-Release number of selected component (if applicable):
vsftpd 2.0.1-5

How reproducible:
always

Steps to Reproduce:
1. set up vsftpd with pam_access.so
2. try to make an access list using partial domain matching (e.g. .bla.com)
3. watch it fail
  
Actual results:
vsftpd only ever sends in numeric IPs as the rhost to pam_access.so

Expected results:
it should try to reverse dns and send in hostnames if it resolves.

Additional info:
Comment 1 Dan Hollis 2005-06-17 20:20:10 EDT
it is impossible to use vsftpd and pam_access for domain based ACLs until this
bug is fixed.
Comment 2 Radek Vokal 2005-08-31 08:59:14 EDT
Can I get some more accurate steps on how to reproduce this issue? I'm not sure how
to create such an ACL.
Comment 3 Dan Hollis 2005-09-01 15:55:32 EDT
this lets you set up the equivalent of user-specific hosts.allow / hosts.deny
ACLs. very useful. do something like:

/etc/pam.d/vsftpd:
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_access.so accessfile=/etc/security/access-ftp.conf
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

/etc/security/access-ftp.conf:
-:root:ALL EXCEPT LOCAL host1.bla.com .domain.com 192.168.1.2
-:user1:ALL EXCEPT LOCAL somehost.somwhere.com .someotherdomain.com
-:user2:ALL EXCEPT .bla.com

none of the name based entries will work because vsftpd does not do rdns before
calling pam. so you can only do ip based access lists.

i have reported this bug to the vsftpd development team but they have not responded.
Comment 4 Dan Hollis 2005-09-01 15:59:19 EDT
you can also do something like:

/etc/pam.d/vsftpd:
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth-ftp
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth-ftp
session    required     pam_stack.so service=system-auth-ftp

/etc/pam.d/system-auth-ftp:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_access.so accessfile=/etc/security/access-ftp.conf
account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

wu-ftpd works perfectly since it does rdns before calling pam. vsftpd fails
because it does not.
Comment 5 Radek Vokal 2005-09-09 06:18:55 EDT
Ok, thanks a lot for configuration files. The bug is fixed in vsftpd-2.0.3-10.
There's just one thing in the pam_access module that you have to note. If an IP
address is set in /etc/security/access-ftp.conf it has to have an additional dot
at the end. E.g. the correct line from your configuration file should look like

-:root:ALL EXCEPT LOCAL host1.bla.com .domain.com 192.168.1.2.

This is a pam_access feature and I'm going to open a feature request for removing
this spare dot for IP addresses.
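To make the failure in comment 3 and the trailing-dot note in comment 5 concrete, here is an added example (not vsftpd or Linux-PAM code) that models pam_access from-field matching on a small scale. The matching rules are an assumed simplification: a leading dot is a domain-suffix match on a resolved name, a trailing dot is a prefix match on a numeric address, LOCAL matches a name with no domain part, and everything else is an exact match. The access file is built from the entries quoted in comment 3; the client names and addresses are constructed.

```python
from ipaddress import ip_address

def is_numeric(rhost: str) -> bool:
    try:
        ip_address(rhost)
        return True
    except ValueError:
        return False

def token_matches(token: str, rhost: str) -> bool:
    """One from-field token against PAM_RHOST (assumed, simplified rules):
    ALL matches anything; LOCAL matches a name without a domain part; leading
    dot = domain suffix of a hostname; trailing dot = prefix of an address."""
    token, rhost = token.lower(), rhost.lower()
    if token == "all":
        return True
    if token == "local":
        return "." not in rhost
    if token.startswith("."):
        return not is_numeric(rhost) and rhost.endswith(token)
    if token.endswith("."):
        return is_numeric(rhost) and (rhost + ".").startswith(token)
    return rhost == token

def from_field_matches(field: str, rhost: str) -> bool:
    """'A B EXCEPT C D' matches when one of A, B matches and none of C, D does."""
    head, _, tail = field.partition(" EXCEPT ")
    hit = any(token_matches(t, rhost) for t in head.split())
    return hit and not any(token_matches(t, rhost) for t in tail.split())

def pam_access_decision(conf: str, user: str, rhost: str) -> bool:
    """First line whose user and from fields both match decides; default permit."""
    for line in conf.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        perm, users, froms = (s.strip() for s in line.split(":", 2))
        if (users == "ALL" or user in users.split()) and from_field_matches(froms, rhost):
            return perm == "+"
    return True

# Constructed from the entries quoted in comment 3, with the IP written in the
# trailing-dot form that comment 5 says pam_access requires.
ACCESS_FTP_CONF = """\
-:root:ALL EXCEPT LOCAL host1.bla.com .domain.com 192.168.1.2.
-:user2:ALL EXCEPT .bla.com
"""
```

For a constructed client at 192.0.2.7 whose reverse name is ftp1.bla.com, `pam_access_decision(ACCESS_FTP_CONF, "user2", "192.0.2.7")` is False because the unfixed vsftpd hands pam_access only the address, which `.bla.com` can never match, while `pam_access_decision(ACCESS_FTP_CONF, "user2", "ftp1.bla.com")` is True once the resolved name is passed instead.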
Comment 6 Dan Hollis 2005-12-01 18:23:57 EST
can this fix be rolled to FC3 as well? it's still stuck with 2.0.1-5 :(
Comment 7 Andrey 2008-04-06 15:42:51 EDT
Please make the reverse DNS configurable. Sometimes we can have delays
with this patch. PAM also does the AAAA and A requests with this patch. At
the same time there is no request to DNS without the patch. Very often it has a
delay with the request for the AAAA record.
Comment 8 Martin Nagy 2008-05-09 11:32:55 EDT
(In reply to comment #7)
Andrey, Radek Vokal is no longer maintainer of vsftpd. If you'd like any change,
please file a new bug, if it does have something to do with this bug report,
mention it in the description.
Please know that writing requests to a closed bug (especially a 3-year-old one)
will probably fall through the cracks. Thanks.
