I think there is a bug in vsftpd's pam code. Below is the email body I sent to the author (over a week ago, and got no answer yet). It happened on RHEL4, but also happens with the latest FC devel package.

--

I've been trying to use the pam_abl (auto black list) module with vsftpd, but it doesn't seem to work. This is on RHEL4, but the pam_abl debug seems to indicate that this might be a problem with how vsftpd does things. Maybe just an exit status of some kind which isn't right?

With sshd for instance:

    Apr 2 15:34:25 w1 pam_abl[18779]: In cleanup, err is 00000007
    Apr 2 15:34:25 w1 pam_abl[18779]: Recording failed attempt

With vsftpd and the same bad login/password:

    Apr 2 15:37:07 w1 pam_abl[20319]: In cleanup, err is 00000000

And no "Recording failed attempt" line, although the configuration I use should block sshd and vsftpd in the same way.

I'm not familiar with pam in any way, but since I've configured pam_abl to be used from the system-auth pam entry, which both sshd and vsftpd are configured in the same way to use... I can't help but suspect that the "err" value set to 0 with vsftpd and 7 with sshd has something to do with it.

FWIW, on success, both sshd and vsftpd have pam_abl print: "In cleanup, err is 20000000"

Looking at the PAM headers:

    #define PAM_SUCCESS 0           /* Successful function return */
    #define PAM_OPEN_ERR 1          /* dlopen() failure when dynamically */
                                    /* loading a service module */
    #define PAM_SYMBOL_ERR 2        /* Symbol not found */
    #define PAM_SERVICE_ERR 3       /* Error in service module */
    #define PAM_SYSTEM_ERR 4        /* System error */
    #define PAM_BUF_ERR 5           /* Memory buffer error */
    #define PAM_PERM_DENIED 6       /* Permission denied */
    #define PAM_AUTH_ERR 7          /* Authentication failure */
    [...]

So maybe pam_abl gets 0 (PAM_SUCCESS) while it should get 7 (PAM_AUTH_ERR) from vsftpd?
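The mechanism behind the reporter's "err is 0 vs 7" observation is the status argument an application passes to pam_end(): Linux-PAM hands that value to the cleanup callback a module registered with pam_set_data(), and a module like pam_abl decides in that callback whether an authentication failure happened at all. The following is an added illustration, not vsftpd's, pam_abl's or libpam's code: a minimal stand-in for the pam_set_data()/pam_end() cleanup semantics, so it compiles without libpam, run once with an application that always ends the transaction with PAM_SUCCESS (the behaviour suspected of vsftpd) and once with one that propagates the pam_authenticate() result. The PAM_* values are the real Linux-PAM constants; the password check and the `model_*` functions are constructed stand-ins. It also shows the re-set case, in which the old cleanup runs with the PAM_DATA_REPLACE flag (0x20000000), which is how a "20000000" value on a successful login can arise.

```c
/* Added model of how pam_end()'s status reaches a module's cleanup callback.
 * Not vsftpd/pam_abl/libpam code; PAM_* values are the real Linux-PAM ones. */
#include <stddef.h>
#include <string.h>

#define PAM_SUCCESS      0            /* Successful function return */
#define PAM_AUTH_ERR     7            /* Authentication failure */
#define PAM_DATA_REPLACE 0x20000000   /* flag OR'd in when pam_set_data() replaces data */

typedef struct pam_handle pam_handle_t;
typedef void (*pam_cleanup_fn)(pam_handle_t *pamh, void *data, int error_status);

struct pam_handle {
    void          *data;      /* the module's private data */
    pam_cleanup_fn cleanup;   /* run by pam_end() with the final status */
};

/* What the module's cleanup observed; mirrors pam_abl's
 * "In cleanup, err is ..." and "Recording failed attempt" log lines. */
struct abl_record {
    int err_seen;             /* raw error_status argument */
    int failure_recorded;     /* 1 if the module counted an auth failure */
};

/* Module side: a pam_abl-style cleanup that keys off error_status. */
static void abl_cleanup(pam_handle_t *pamh, void *data, int error_status)
{
    struct abl_record *rec = data;
    (void)pamh;
    rec->err_seen = error_status;
    /* Mask off the flag bits; what remains is the status pam_end() was given. */
    rec->failure_recorded = ((error_status & ~PAM_DATA_REPLACE) == PAM_AUTH_ERR);
}

/* Library side (stand-in): re-setting data fires the old cleanup with
 * PAM_DATA_REPLACE | PAM_SUCCESS; pam_end() fires it with its own status. */
static void model_pam_set_data(pam_handle_t *pamh, void *data, pam_cleanup_fn cleanup)
{
    if (pamh->cleanup)
        pamh->cleanup(pamh, pamh->data, PAM_DATA_REPLACE | PAM_SUCCESS);
    pamh->data = data;
    pamh->cleanup = cleanup;
}

static void model_pam_end(pam_handle_t *pamh, int status)
{
    if (pamh->cleanup)
        pamh->cleanup(pamh, pamh->data, status);
    pamh->cleanup = NULL;
    pamh->data = NULL;
}

/* Stand-in for pam_authenticate(): constructed fixed credential. */
static int model_pam_authenticate(const char *password)
{
    return strcmp(password, "correct-horse") == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Application side.  propagate_status == 0 models an application that always
 * calls pam_end(pamh, PAM_SUCCESS); propagate_status != 0 models the correct
 * pattern of passing pam_end() the result of pam_authenticate(). */
static void run_login(const char *password, int propagate_status, struct abl_record *rec)
{
    pam_handle_t pamh = { NULL, NULL };
    memset(rec, 0, sizeof *rec);
    model_pam_set_data(&pamh, rec, abl_cleanup);
    int rc = model_pam_authenticate(password);
    model_pam_end(&pamh, propagate_status ? rc : PAM_SUCCESS);
}

/* error_status the module's cleanup saw for this login attempt. */
int cleanup_status_seen(const char *password, int propagate_status)
{
    struct abl_record rec;
    run_login(password, propagate_status, &rec);
    return rec.err_seen;
}

/* Whether the module counted the attempt as an authentication failure. */
int failure_recorded(const char *password, int propagate_status)
{
    struct abl_record rec;
    run_login(password, propagate_status, &rec);
    return rec.failure_recorded;
}

/* error_status seen by the first cleanup when a module re-sets its data
 * during the transaction: PAM_DATA_REPLACE | PAM_SUCCESS, i.e. 0x20000000. */
int replace_status_seen(void)
{
    struct abl_record first, second;
    pam_handle_t pamh = { NULL, NULL };
    memset(&first, 0, sizeof first);
    memset(&second, 0, sizeof second);
    model_pam_set_data(&pamh, &first, abl_cleanup);
    model_pam_set_data(&pamh, &second, abl_cleanup);  /* replaces: first's cleanup runs */
    model_pam_end(&pamh, PAM_SUCCESS);
    return first.err_seen;
}
```

With a wrong password, `cleanup_status_seen("wrong", 0)` is 0 and `failure_recorded` stays 0, matching the vsftpd log above, while `cleanup_status_seen("wrong", 1)` is 7 and the failure is recorded, matching sshd. The fix on the application side is simply to keep the return value of pam_authenticate() and pass it to pam_end() instead of a constant PAM_SUCCESS.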
Fixed in vsftpd-2_0_5-20_fc9
I have investigated this in some depth, and it appears on pretty much all versions of Fedora Core I've tried it with. It is most likely an inter-relation issue between the way pam_abl is implemented, and the way vsftpd references it (whether it's "simple" like the session part not being dealt with etc. or "complicated" to do with crashes in the library references I don't know, and I have not had time or inclination to delve that deep into debugging). Although I can't pinpoint the problem, I've used the 'this is fixed in CVS' solution from the upstream website, and created an RPM and source RPM based on the existing FC ones and this updated code, pruning out various Fedora patches to the source code while keeping the documentation-based ones, and it seems to work now. This is on Fedora Core 5, with vsftpd-2.0.4-1.2. I will test it on other FC versions I have kicking around, and report back results if there is interest in doing so. I'll attach the files if bugzilla lets me. Fedora/Redhat etc. may do with this fixed stuff as they wish. They may hire me as a developer too if they wish ;-)
Created attachment 290673: .src.rpm of patched subversion files for pam_abl.
Created attachment 290674: binary RPM of SVN fixed code for pam_abl
The vsftpd part was fixed in rawhide, but the pam_abl was broken anyway. If you have a fix for that, you should make a new bug report against the appropriate component with a patch attached (probably better than a src rpm or binary rpm). Thanks.