Bug 159745 - vsftpd fails to reverse dns before passing rhost to pam
Summary: vsftpd fails to reverse dns before passing rhost to pam
Alias: None
Product: Fedora
Classification: Fedora
Component: vsftpd   
(Show other bugs)
Version: 3
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Radek Vokal
QA Contact: Mike McLean
Depends On:
TreeView+ depends on / blocked
Reported: 2005-06-07 18:31 UTC by Dan Hollis
Modified: 2008-05-09 15:32 UTC (History)
1 user (show)

Fixed In Version: 2.0.3-10
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-09-09 10:18:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Dan Hollis 2005-06-07 18:31:35 UTC
Description of problem:
vsftpd never does reverse dns before passing hosts to pam_access.so

Version-Release number of selected component (if applicable):
vsftpd 2.0.1-5

How reproducible:

Steps to Reproduce:
1.setup vsftpd with pam_access.so
2.try to make an access list using partial domain matching (eg  .bla.com)
3.watch it fail
Actual results:
vsftpd only ever sends in numeric IPs as the rhost to pam_access.so

Expected results:
it should try to reverse dns and send in hostnames if it resolves.

Additional info:

Comment 1 Dan Hollis 2005-06-18 00:20:10 UTC
it is impossible to use vsftpd and pam_access for domain based ACLs until this
bug is fixed.

Comment 2 Radek Vokal 2005-08-31 12:59:14 UTC
Can I get some more accurate steps how to reproduce this issue? I'm not sure how
to create such a ACL. 

Comment 3 Dan Hollis 2005-09-01 19:55:32 UTC
this lets you setup the equivalent of user-specific hosts.allow / hosts.deny
ACLs. very useful. do something like:

auth       required     pam_listfile.so item=user sense=deny
file=/etc/vsftpd.ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_access.so accessfile=/etc/security/access-ftp.conf
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

-:root:ALL EXCEPT LOCAL host1.bla.com .domain.com
-:user1:ALL EXCEPT LOCAL somehost.somwhere.com .someotherdomain.com
-:user2:ALL EXCEPT .bla.com

none of the name based entries will work because vsftpd does not do rdns before
calling pam. so you can only do ip based access lists.

i have reported this bug to the vsftpd development team but they have not responded.

Comment 4 Dan Hollis 2005-09-01 19:59:19 UTC
you can also do something like:

auth       required     pam_listfile.so item=user sense=deny
file=/etc/vsftpd.ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth-ftp
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth-ftp
session    required     pam_stack.so service=system-auth-ftp

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_access.so
account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

wu-ftpd works perfectly since it does rdns before calling pam. vsftpd fails
because it does not.

Comment 5 Radek Vokal 2005-09-09 10:18:55 UTC
Ok, thanks a lot for configuration files. The bug is fixed in vsftpd-2.0.3-10.
There's just one thing in pam_access module that you have to note. If an IP
adress is set in /etc/security/access-ftp.conf it has to have an additional dot
at the end. Eg. the correct line from your configuration file should look like

-:root:ALL EXCEPT LOCAL host1.bla.com .domain.com

This is pam_access feature and I'm going to open a feature request for removing
this spare dot for IP adresses. 

Comment 6 Dan Hollis 2005-12-01 23:23:57 UTC
can this fix be rolled to FC3 as well? it's still stuck with 2.0.1-5 :(

Comment 7 Andrey 2008-04-06 19:42:51 UTC
Please, make configurable the reverse DNS. Sometimes we can have the delays 
with this patch. PAM does the request of AAAA and A with this patch also. At 
the same time no any request to DNS without the patch. Very often It have the 
delay with the request of AAAA record.

Comment 8 Martin Nagy 2008-05-09 15:32:55 UTC
(In reply to comment #7)
Andrey, Radek Vokal is no longer maintainer of vsftpd. If you'd like any change,
please file a new bug, if it does have something to do with this bug report,
mention it in the description.
Please know that writing requests to a closed bug (especially 3 years old one)
will probably fall through the cracks. Thanks.

Note You need to log in before you can comment on or make changes to this bug.