Bug 235843 - vsftpd issue with pam auth error
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: vsftpd
rawhide
All Linux
medium Severity medium
Assigned To: Martin Nagy
Reported: 2007-04-10 10:33 EDT by Matthias Saou
Modified: 2016-07-26 19:46 EDT
Doc Type: Bug Fix
Last Closed: 2007-11-09 04:12:34 EST

Attachments
.src.rpm of patched subversion files for pam_abl. (819.14 KB, application/x-rpm)
2008-01-02 13:35 EST, Kev 'Kyrian' Green
binary RPM of SVN fixed code for pam_abl (53.12 KB, application/x-rpm)
2008-01-02 13:36 EST, Kev 'Kyrian' Green

Description Matthias Saou 2007-04-10 10:33:08 EDT
I think there is a bug in vsftpd's pam code. Below is the email body I sent to
the author (over a week ago, and got no answer yet). It happened on RHEL4, but
also happens with the latest FC devel package.

--

I've been trying to use the pam_abl (auto black list) module with
vsftpd, but it doesn't seem to work. This is on RHEL4, but the pam_abl
debug seems to indicate that this might be a problem with how vsftpd
does things. Maybe just an exit status of some kind which isn't right?

With sshd for instance :

Apr  2 15:34:25 w1 pam_abl[18779]: In cleanup, err is 00000007
Apr  2 15:34:25 w1 pam_abl[18779]: Recording failed attempt

With vsftpd and the same bad login/password :

Apr  2 15:37:07 w1 pam_abl[20319]: In cleanup, err is 00000000

And no "Recording failed attempt" line, although the configuration I
use should block sshd and vsftpd in the same way.

I'm not familiar with pam in any way, but since I've configured pam_abl
to be used from the system-auth pam entry, which both sshd and vsftpd
are configured in the same way to use... I can't help but suspect that
the "err" value set to 0 with vsftpd and 7 with sshd has something to
do.

FWIW, on success, both sshd and vsftpd have pam_abl print :

"In cleanup, err is 20000000"

Looking at the PAM headers :

#define PAM_SUCCESS 0           /* Successful function return */
#define PAM_OPEN_ERR 1          /* dlopen() failure when dynamically */
                                /* loading a service module */
#define PAM_SYMBOL_ERR 2        /* Symbol not found */
#define PAM_SERVICE_ERR 3       /* Error in service module */
#define PAM_SYSTEM_ERR 4        /* System error */
#define PAM_BUF_ERR 5           /* Memory buffer error */
#define PAM_PERM_DENIED 6       /* Permission denied */
#define PAM_AUTH_ERR 7          /* Authentication failure */
[...]

So maybe pam_abl gets 0 (PAM_SUCCESS) while it should get 7
(PAM_AUTH_ERR) from vsftpd?
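
Added example (not part of the original report, and not code from pam_abl or vsftpd): a small decoder for the "In cleanup, err is" values quoted above, separating the PAM return code from the PAM_DATA_REPLACE / PAM_DATA_SILENT flag bits that Linux-PAM ORs into the status given to a cleanup callback. The function names are hypothetical, and would_record() is an assumed model that merely matches the three observations in the report.

```c
#include <stdio.h>
#include <string.h>
/* Flag bits Linux-PAM ORs into the status passed to a pam_set_data()
 * cleanup callback (values from <security/_pam_types.h>). */
#define PAM_DATA_REPLACE 0x20000000u
#define PAM_DATA_SILENT  0x40000000u

/* Return codes 0..7, as listed in the report's header excerpt. */
static const char *const pam_names[] = {
    "PAM_SUCCESS", "PAM_OPEN_ERR", "PAM_SYMBOL_ERR", "PAM_SERVICE_ERR",
    "PAM_SYSTEM_ERR", "PAM_BUF_ERR", "PAM_PERM_DENIED", "PAM_AUTH_ERR"
};
struct abl_err { unsigned code; int replace; int silent; };

/* Parse one pam_abl debug line. Returns 1 and fills *out on a match. */
int parse_cleanup_line(const char *line, struct abl_err *out)
{
    unsigned raw;
    const char *p = strstr(line, "In cleanup, err is ");
    if (!p || sscanf(p, "In cleanup, err is %x", &raw) != 1)
        return 0;
    out->replace = (raw & PAM_DATA_REPLACE) != 0;
    out->silent  = (raw & PAM_DATA_SILENT) != 0;
    out->code    = raw & ~(PAM_DATA_REPLACE | PAM_DATA_SILENT);
    return 1;
}

const char *pam_code_name(unsigned code)
{
    return code < sizeof pam_names / sizeof *pam_names ? pam_names[code] : "(not in excerpt)";
}

/* ASSUMED model, not pam_abl source: count a failure only when the code is
 * non-zero and the data item is not merely being replaced. */
int would_record(const struct abl_err *e) { return e->code != 0 && !e->replace; }

int main(void)
{
    const char *lines[] = {  /* the three values quoted in the report */
        "Apr  2 15:34:25 w1 pam_abl[18779]: In cleanup, err is 00000007",
        "Apr  2 15:37:07 w1 pam_abl[20319]: In cleanup, err is 00000000",
        "In cleanup, err is 20000000" };
    struct abl_err e;
    for (int i = 0; i < 3; i++)
        if (parse_cleanup_line(lines[i], &e))
            printf("%-15s replace=%d silent=%d record=%d\n",
                   pam_code_name(e.code), e.replace, e.silent, would_record(&e));
    return 0;
}
```

Under that model, the vsftpd line decodes to PAM_SUCCESS with no flags, so a failed FTP login looks like a successful one to the blacklist and is never counted.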
Comment 1 Martin Nagy 2007-11-09 04:12:34 EST
Fixed in vsftpd-2_0_5-20_fc9
Comment 2 Kev 'Kyrian' Green 2008-01-02 13:34:49 EST
I have investigated this in some depth, and it appears on pretty much all
versions of Fedora Core I've tried it with. It is most likely an inter-relation
issue between the way pam_abl is implemented, and the way vsftpd references it
(whether it's "simple" like the session part not being dealt with etc. or
"complicated" to do with crashes in the library references I don't know, and I
have not had time or inclination to delve that deep into debugging).

Although I can't pinpoint the problem, I've used the 'this is fixed in CVS'
solution from the upstream website, and created an RPM and source RPM based on
the existing FC ones, and this updated code, pruning out various Fedora patches
to the source code, while keeping the documentation based ones, and it seems to
work now. This is on Fedora Core 5, with vsftpd vsftpd-2.0.4-1.2. I will test it
on other FC versions I have kicking around, and report back results if there is
interest in doing so.

I'll attach the files if bugzilla lets me.

Fedora/Redhat etc. may do with this fixed stuff as they wish. They may hire me
as a developer too if they wish ;-)
Comment 3 Kev 'Kyrian' Green 2008-01-02 13:35:39 EST
Created attachment 290673
.src.rpm of patched subversion files for pam_abl.
Comment 4 Kev 'Kyrian' Green 2008-01-02 13:36:10 EST
Created attachment 290674
binary RPM of SVN fixed code for pam_abl
Comment 5 Martin Nagy 2008-01-02 16:22:37 EST
The vsftpd part was fixed in rawhide, but the pam_abl was broken anyway. If you
have a fix for that, you should make a new bug report against appropriate
component with a patch attached (probably better than src rpm or binary rpm).
Thanks.
