Gecko [ thearyasamaj.org ]

Name	Size	Permission
index.html	4.66 KB	-rw-r--r--
mod_auth.html	39.51 KB	-rw-r--r--
mod_auth_file.html	9.21 KB	-rw-r--r--
mod_auth_pam.html	5.79 KB	-rw-r--r--
mod_auth_unix.html	10.76 KB	-rw-r--r--
mod_cap.html	8.1 KB	-rw-r--r--
mod_core.html	126.18 KB	-rw-r--r--
mod_ctrls.html	11.58 KB	-rw-r--r--
mod_delay.html	11.43 KB	-rw-r--r--
mod_dso.html	16.33 KB	-rw-r--r--
mod_facl.html	2.22 KB	-rw-r--r--
mod_facts.html	10.83 KB	-rw-r--r--
mod_ident.html	2.78 KB	-rw-r--r--
mod_lang.html	11.19 KB	-rw-r--r--
mod_log.html	20.14 KB	-rw-r--r--
mod_ls.html	8.95 KB	-rw-r--r--
mod_memcache.html	5.05 KB	-rw-r--r--
mod_redis.html	13.45 KB	-rw-r--r--
mod_rlimit.html	9.55 KB	-rw-r--r--
mod_site.html	905 B	-rw-r--r--
mod_xfer.html	24.84 KB	-rw-r--r--

Code Editor : mod_auth_pam.html

<!DOCTYPE html>
<html>
<head>
<title>ProFTPD module mod_auth_pam</title>
</head>

<hr>
<center>
<h2>ProFTPD module <code>mod_auth_pam</code></h2>
</center>
<hr>

PAM stands for Pluggable Authentication Modules,
and is used to configure ways for authenticating users. Now
&quot;authenticating&quot; a user usually means comparing a password they
give with some other information, and returning a &quot;yes/no&quot;-style
answer. PAM does not provide all of the other information for a user,
such as UID, GID, home, and shell. This means that <code>mod_auth_pam</code>
cannot be used, by itself, as an auth module for <code>proftpd</code>;
<code>mod_auth_pam</code> is used to supplement other auth modules by
providing access to PAM's additional authentication checks.

Installation instructions for <code>mod_auth_pam</code> can be found
<a href="#Installation">here</a>.

The most current version of <code>mod_auth_pam</code> is distributed in the
ProFTPD source distribution.

<h2>Directives</h2>
<ul>
 <li><a href="#AuthPAM">AuthPAM</a>
 <li><a href="#AuthPAMConfig">AuthPAMConfig</a>
 <li><a href="#AuthPAMOptions">AuthPAMOptions</a>
</ul>

<hr>
<h3><a name="AuthPAM">AuthPAM</a></h3>
Syntax: AuthPAM on|off 
Default: AuthPAM on 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code> 
Module: mod_auth_pam 
Compatibility: 1.2.8rc2 and later

The <code>AuthPAM</code> directive enables or disables the module's runtime
PAM check. If it is set to off this module does not consult PAM
when authenticating a user.

<hr>
<h3><a name="AuthPAMConfig">AuthPAMConfig</a></h3>
Syntax: AuthPAMConfig service 
Default: AuthPAMConfig ftp 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code> 
Module: mod_auth_pam 
Compatibility: 1.2.8rc2 and later

The <code>AuthPAMConfig</code> directive is used to specify the name of
the service used when performing the PAM check; PAM configurations can
vary depending on the service. By default, the &quot;ftp&quot; service
is used. Note that on some platforms, e.g. FreeBSD, this may
need to be set to &quot;ftpd&quot;, depending on the PAM configuration
involved.

Here's an example of changing the service used:
<pre>
 &lt;IfModule mod_auth_pam.c&gt;
 AuthPAMConfig ftpd
 &lt;/IfModule&gt;
</pre>

<hr>
<h3><a name="AuthPAMOptions">AuthPAMOptions</a></h3>
Syntax: AuthPAMOptions opt1 opt2 ... optN 
Default: None 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code> 
Module: mod_auth_pam 
Compatibility: 1.3.2rc1 and later

The <code>AuthPAMOptions</code> directive is used to configure various optional
behavior of <code>mod_auth_pam</code>.

Example:
<pre>
 &lt;IfModule mod_auth_pam.c&gt;
 # Do not set the PAM_TTY token when authenticating via PAM
 AuthPAMOptions NoTTY
 &lt;/IfModule&gt;
</pre>

The currently implemented options are:
<ul>
 <li><code>NoTTY</code> 
 
 By default, <code>mod_auth_pam</code> will use the <code>PAM_TTY</code>
 PAM API item, and will use a value of "/dev/ftpdPID". The item
 can be used by PAM modules for filtering access, for example. This
 "NoTTY" option tells <code>mod_auth_pam</code> to not set the
 <code>PAM_TTY</code> item.

Note: On Solaris platforms, the use of this <code>PAM_TTY</code>
 token is mandatory, and cannot be disabled. This is due to 
 Solaris Bug ID 4250887.
 </li>
</ul>

<hr>
<h2><a name="Installation">Installation</a></h2>
The <code>mod_auth_pam</code> module is automatically included when
<code>proftpd</code> is built on a system that supports PAM. To disable
this automatic inclusion, use the <code>--disable-auth-pam</code> configure
option.

Logging 
The <code>mod_auth_pam</code> module supports <a href="../howto/Tracing.html">trace logging</a>, via the module-specific log channels:
<ul>
 <li>auth.pam
</ul>
Thus for trace logging, to aid in debugging, you would use the following in
your <code>proftpd.conf</code>:
<pre>
 TraceLog /path/to/ftpd/trace.log
 Trace auth.pam:20
</pre>
This trace logging can generate large files; it is intended for debugging use
only, and should be removed from any production configuration.

<a name="FAQ">
Frequently Asked Questions

<a name="AuthPAMAuthoritative">
Question: I need to use PAM for enforcing the
handling of aged/expired passwords on my Unix system. How do I make sure
that PAM does the right thing? 
Answer: For this sort of requirement, you are
probably already using ProFTPD's default authentication modules, which include
<code>mod_auth_unix</code> and <code>mod_auth_pam</code>. But to make sure
that the PAM rules are enforced, you need to make <code>mod_auth_pam</code>
be "authoritative", i.e. have the final say on whether a given password
is acceptable. Use the <code>AuthOrder</code> directive to accomplish this,
using:
<pre>
 # It is important that mod_auth_pam appear before mod_auth_unix, and
 # that the asterisk appear after the name, not before.
 AuthOrder mod_auth_pam.c* mod_auth_unix.c
</pre>
The asterisk ("*") after a module name in the <code>AuthOrder</code> directive
is what tells <code>proftpd</code> to treat that module's results as
authoritative.

</body>
</html>

${this.title}

Code Editor : mod_auth_pam.html