Description of problem:
vsftpd never does reverse dns before passing hosts to pam_access.so

Version-Release number of selected component (if applicable):
vsftpd 2.0.1-5

How reproducible:
always

Steps to Reproduce:
1. set up vsftpd with pam_access.so
2. try to make an access list using partial domain matching (e.g. .bla.com)
3. watch it fail

Actual results:
vsftpd only ever sends in numeric IPs as the rhost to pam_access.so

Expected results:
it should try to reverse dns and send in hostnames if it resolves.

Additional info:
it is impossible to use vsftpd and pam_access for domain based ACLs until this bug is fixed.
Can I get some more accurate steps on how to reproduce this issue? I'm not sure how to create such an ACL.
this lets you set up the equivalent of user-specific hosts.allow / hosts.deny ACLs. very useful. do something like:

/etc/pam.d/vsftpd:
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_access.so accessfile=/etc/security/access-ftp.conf
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

/etc/security/access-ftp.conf:
-:root:ALL EXCEPT LOCAL host1.bla.com .domain.com 192.168.1.2
-:user1:ALL EXCEPT LOCAL somehost.somwhere.com .someotherdomain.com
-:user2:ALL EXCEPT .bla.com

none of the name based entries will work because vsftpd does not do rdns before calling pam. so you can only do ip based access lists. i have reported this bug to the vsftpd development team but they have not responded.
you can also do something like:

/etc/pam.d/vsftpd:
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth-ftp
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth-ftp
session    required     pam_stack.so service=system-auth-ftp

/etc/pam.d/system-auth-ftp:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth       required     /lib/security/$ISA/pam_env.so
auth       sufficient   /lib/security/$ISA/pam_unix.so likeauth nullok
auth       required     /lib/security/$ISA/pam_deny.so
account    required     /lib/security/$ISA/pam_access.so accessfile=/etc/security/access-ftp.conf
account    required     /lib/security/$ISA/pam_unix.so
password   required     /lib/security/$ISA/pam_cracklib.so retry=3 type=
password   sufficient   /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password   required     /lib/security/$ISA/pam_deny.so
session    required     /lib/security/$ISA/pam_limits.so
session    required     /lib/security/$ISA/pam_unix.so

wu-ftpd works perfectly since it does rdns before calling pam. vsftpd fails because it does not.
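To make the failure mode in the two comments above concrete, here is a simplified model of pam_access origin matching, evaluated once with the numeric peer address that unpatched vsftpd passes as PAM_RHOST and once with the name a reverse lookup would supply. This is an added example, not Linux-PAM's, vsftpd's or wu-ftpd's code; the PTR table is constructed so the example runs offline (a daemon would call socket.gethostbyaddr() or getnameinfo() instead), and the rules are the reporter's access-ftp.conf verbatim.

```python
"""Simplified model of pam_access rule matching (added example, not Linux-PAM code).

Shows why the .bla.com / .someotherdomain.com entries in the reporter's
access-ftp.conf can only match when the FTP daemon reverse-resolves the
peer before calling PAM, as wu-ftpd does and vsftpd 2.0.1 does not.
"""

# Constructed reverse-DNS table standing in for socket.gethostbyaddr().
PTR_TABLE = {
    "192.168.1.2": "host1.bla.com",
    "10.0.0.7": "builder.bla.com",
    "203.0.113.9": "ftp.someotherdomain.com",
}

# The reporter's ACL from the comment above, unchanged.
ACCESS_FTP_CONF = """\
-:root:ALL EXCEPT LOCAL host1.bla.com .domain.com 192.168.1.2
-:user1:ALL EXCEPT LOCAL somehost.somwhere.com .someotherdomain.com
-:user2:ALL EXCEPT .bla.com
"""


def reverse_dns(ip):
    """Return the PTR name for ip from the constructed table, or None if it does not resolve."""
    return PTR_TABLE.get(ip)


def origin_matches(tok, origin):
    """Match one origin token against the single string the daemon passed as rhost."""
    tok_l, origin_l = tok.lower(), origin.lower()
    if tok_l == "all":
        return True
    if tok_l == "local":            # classic access.conf: any origin without a '.'
        return "." not in origin
    if tok_l == origin_l:           # exact host name or IP literal
        return True
    if tok.startswith("."):         # domain suffix, e.g. .bla.com
        return origin_l.endswith(tok_l)
    if tok.endswith("."):           # network prefix, e.g. 192.168.1.
        return origin_l.startswith(tok_l)
    return False


def list_matches(tokens, match):
    """Evaluate a token list with pam_access's single EXCEPT operator."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return any(match(t) for t in tokens[:i]) and not any(match(t) for t in tokens[i + 1:])
    return any(match(t) for t in tokens)


def parse_rules(text):
    """Parse permission:users:origins lines; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def check_access(rules, user, origin):
    """First matching rule decides; when no rule matches, pam_access grants access."""
    for allow, users, origins in rules:
        user_ok = list_matches(users, lambda t: t == "ALL" or t == user)
        if user_ok and list_matches(origins, lambda t: origin_matches(t, origin)):
            return allow
    return True


def decide(rules, user, ip, do_rdns):
    """Decide as the daemon's PAM account call would: rhost is the peer IP,
    or its PTR name when the daemon reverse-resolves first and the lookup succeeds."""
    origin = ip
    if do_rdns:
        origin = reverse_dns(ip) or ip
    return check_access(rules, user, origin)


if __name__ == "__main__":
    rules = parse_rules(ACCESS_FTP_CONF)
    for user, ip in (("user2", "10.0.0.7"), ("user1", "203.0.113.9")):
        print(user, ip, "numeric rhost:", decide(rules, user, ip, False),
              "reverse-resolved rhost:", decide(rules, user, ip, True))
```

With a numeric rhost, user2 from 10.0.0.7 is denied even though that address reverse-resolves to builder.bla.com, because ".bla.com" can never be a suffix of "10.0.0.7"; with the resolved name passed in, the EXCEPT clause applies and the login is allowed. The model compares each token only against the one string the daemon supplied, so it does not reproduce pam_access's own handling of IP literals once rhost is a name (the trailing-dot detail the maintainer mentions later in this report).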
Ok, thanks a lot for the configuration files. The bug is fixed in vsftpd-2.0.3-10. There's just one thing in the pam_access module that you have to note. If an IP address is set in /etc/security/access-ftp.conf it has to have an additional dot at the end. E.g. the correct line from your configuration file should look like:

-:root:ALL EXCEPT LOCAL host1.bla.com .domain.com 192.168.1.2.

This is a pam_access feature and I'm going to open a feature request for removing this spare dot for IP addresses.
can this fix be rolled to FC3 as well? it's still stuck with 2.0.1-5 :(
Please make the reverse DNS configurable. Sometimes we can have delays with this patch. With this patch PAM also makes AAAA and A requests, while without the patch there are no DNS requests at all. Very often it has a delay with the AAAA record request.
(In reply to comment #7) Andrey, Radek Vokal is no longer the maintainer of vsftpd. If you'd like any change, please file a new bug; if it has something to do with this bug report, mention it in the description. Please know that writing requests to a closed bug (especially a 3-year-old one) will probably fall through the cracks. Thanks.