I think there is a bug in vsftpd's pam code. Below is the email body I sent to
the author (over a week ago, and got no answer yet). It happened on RHEL4, but
also happens with the latest FC devel package.
I've been trying to use the pam_abl (auto black list) module with
vsftpd, but it doesn't seem to work. This is on RHEL4, but the pam_abl
debug seems to indicate that this might be a problem with how vsftpd
does things. Maybe just an exit status of some kind which isn't right?
With sshd for instance:

Apr 2 15:34:25 w1 pam_abl: In cleanup, err is 00000007
Apr 2 15:34:25 w1 pam_abl: Recording failed attempt

With vsftpd and the same bad login/password:

Apr 2 15:37:07 w1 pam_abl: In cleanup, err is 00000000

And no "Recording failed attempt" line, although the configuration I
use should block sshd and vsftpd in the same way.
I'm not familiar with pam in any way, but since I've configured pam_abl
to be used from the system-auth pam entry, which both sshd and vsftpd
are configured in the same way to use... I can't help but suspect that
the "err" value set to 0 with vsftpd and 7 with sshd has something to

FWIW, on success, both sshd and vsftpd have pam_abl print:
"In cleanup, err is 20000000"
Looking at the PAM headers:

#define PAM_SUCCESS 0       /* Successful function return */
#define PAM_OPEN_ERR 1      /* dlopen() failure when dynamically */
                            /* loading a service module */
#define PAM_SYMBOL_ERR 2    /* Symbol not found */
#define PAM_SERVICE_ERR 3   /* Error in service module */
#define PAM_SYSTEM_ERR 4    /* System error */
#define PAM_BUF_ERR 5       /* Memory buffer error */
#define PAM_PERM_DENIED 6   /* Permission denied */
#define PAM_AUTH_ERR 7      /* Authentication failure */

So maybe pam_abl gets 0 (PAM_SUCCESS) while it should get 7
(PAM_AUTH_ERR) from vsftpd?
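
Decoding the `err` values quoted in the report, as an added example that is not part of the original bug report and not pam_abl's or vsftpd's code: the status word a PAM data-cleanup callback receives is a PAM return code, optionally ORed with Linux-PAM's `PAM_DATA_REPLACE` (0x20000000) or `PAM_DATA_SILENT` (0x40000000) flags. The function names and the `counts_as_failure` rule are assumptions inferred from the quoted logs.

```c
#include <stdio.h>
#include <string.h>

/* Constants as defined in Linux-PAM's <security/_pam_types.h>. */
#define PAM_SUCCESS      0
#define PAM_DATA_REPLACE 0x20000000u  /* data item is being replaced */
#define PAM_DATA_SILENT  0x40000000u  /* cleanup should stay quiet */
#define PAM_DATA_FLAGS   (PAM_DATA_REPLACE | PAM_DATA_SILENT)

struct cleanup_status {
    unsigned flags;  /* PAM_DATA_* bits */
    unsigned code;   /* PAM_* status the transaction ended with */
};

/* Parse a pam_abl "In cleanup, err is XXXXXXXX" debug line.
 * Returns 0 and fills *out on a match, -1 for any other line. */
int parse_cleanup_line(const char *line, struct cleanup_status *out)
{
    static const char marker[] = "In cleanup, err is ";
    const char *p = strstr(line, marker);
    unsigned raw;
    if (p == NULL || sscanf(p + strlen(marker), "%8x", &raw) != 1)
        return -1;
    out->flags = raw & PAM_DATA_FLAGS;
    out->code  = raw & ~PAM_DATA_FLAGS;
    return 0;
}

/* Assumed rule, inferred from the logs in the report: an attempt is
 * recorded only for a non-zero status that is not a data replacement. */
int counts_as_failure(const struct cleanup_status *s)
{
    return s->code != PAM_SUCCESS && !(s->flags & PAM_DATA_REPLACE);
}

int main(void)
{
    /* Lines 1-2 are from the report; line 3 is constructed from its quoted success value. */
    const char *lines[] = {
        "Apr 2 15:34:25 w1 pam_abl: In cleanup, err is 00000007",
        "Apr 2 15:37:07 w1 pam_abl: In cleanup, err is 00000000",
        "Apr 2 15:40:00 w1 pam_abl: In cleanup, err is 20000000",
    };
    struct cleanup_status s;
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        if (parse_cleanup_line(lines[i], &s) == 0)
            printf("flags=%08x code=%u counted=%d\n", s.flags, s.code, counts_as_failure(&s));
    return 0;
}
```

Under that rule only the sshd line (code 7, no flags) is counted; the vsftpd line decodes to code 0 with no flags, so a blacklist keyed on the cleanup status never sees the failed login.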

Fixed in vsftpd-2_0_5-20_fc9

I have investigated this in some depth, and it appears on pretty much all
versions of Fedora Core I've tried it with. It is most likely an inter-relation
issue between the way pam_abl is implemented, and the way vsftpd references it
(whether it's "simple" like the session part not being dealt with etc. or
"complicated" to do with crashes in the library references I don't know, and I
have not had time or inclination to delve that deep into debugging).
Although I can't pinpoint the problem, I've used the 'this is fixed in CVS'
solution from the upstream website, and created an RPM and source RPM based on
the existing FC ones, and this updated code, pruning out various Fedora patches
to the source code, while keeping the documentation based ones, and it seems to
work now. This is on Fedora Core 5, with vsftpd vsftpd-2.0.4-1.2. I will test it
on other FC versions I have kicking around, and report back results if there is
interest in doing so.
I'll attach the files if bugzilla lets me.
Fedora/Redhat etc. may do with this fixed stuff as they wish. They may hire me
as a developer too if they wish ;-)

Created attachment 290673
.src.rpm of patched subversion files for pam_abl.

Created attachment 290674
binary RPM of SVN fixed code for pam_abl

The vsftpd part was fixed in rawhide, but the pam_abl was broken anyway. If you
have a fix for that, you should make a new bug report against appropriate
component with a patch attached (probably better than src rpm or binary rpm).