trAvis - MANAGER

Edit File: mod_auth.html

<html>
<head>
<title>ProFTPD module mod_auth</title>
</head>

<hr>
<center>
<h2>ProFTPD module <code>mod_auth</code></h2>
</center>
<hr>

This module is contained in the <code>mod_auth.c</code> file for
ProFTPD 1.3.x, and is compiled by default.

<h2>Directives</h2>
<ul>
 <li><a href="#AllowChrootSymlinks">AllowChrootSymlinks</a>
 <li><a href="#CreateHome">CreateHome</a>
 <li><a href="#DefaultRoot">DefaultRoot</a>
 <li><a href="#MaxLoginAttempts">MaxLoginAttempts</a>
 <li><a href="#RequireValidShell">RequireValidShell</a>
 <li><a href="#RewriteHome">RewriteHome</a>
 <li><a href="#RootLogin">RootLogin</a>
 <li><a href="#RootRevoke">RootRevoke</a>
 <li><a href="#TimeoutLogin">TimeoutLogin</a>
 <li><a href="#TimeoutSession">TimeoutSession</a>
 <li><a href="#UseFtpUsers">UseFtpUsers</a>
 <li><a href="#UserPassword">UserPassword</a>
</ul>

<hr>
<h2><a name="AllowChrootSymlinks">AllowChrootSymlinks</a></h2>
Syntax: AllowChrootSymlinks on|off 
Default: AllowChrootSymlinks on 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code> 
Module: mod_auth 
Compatibility: 1.3.5rc1 and later

The <code>AllowChrootSymlinks</code> directive configures whether
<code>proftpd</code> will follow a symlink to the destination directory
when performing a <code>chroot(2)</code> call. This applies both to
<a href="#DefaultRoot"><code>DefaultRoot</code></a> directives and to
<code>&lt;Anonymous&gt;</code> sections.

Security note: If you permit your users the ability to remove
directories which might be FTP users' home directories (or
<code>&lt;Anonymous&gt;</code> directories) and create symlinks, then you
should use:
<pre>
 AllowChrootSymlinks off
</pre>
This includes sites which are hosting providers, i.e. which allow
users to run their untrusted webapps (e.g. PHP, Perl, Ruby, Python,
etc apps) on the servers.

<hr>
<h2><a name="CreateHome">CreateHome</a></h2>
Syntax: CreateHome off|on [mode] [skel path] [dirmode mode] 
Default: None 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code> 
Module: mod_auth 
Compatibility: 1.2.8rc2 and later

The <code>CreateHome</code> directive configures the server to automatically
create a user's home directory, if that directory does not exist, during the
login process.

The mode parameter is used to configure the absolute mode of the home
directory created. If not specified, the mode will default to 700.

The optional skel path parameters can be used to configure an
<code>/etc/skel</code>-like directory containing account initialization files
and directories. The parameter must be the full path to the skeleton directory.
The directory must not be world-writeable. Files copied from this
directory into the new home directory will have ownership set to the UID and
GID of the logging-in user. Note that sockets and FIFOs in the skeleton
directory will not be copied; any setuid or setgid bits on files will be
removed from the copied files in the target home directory.

The optional dirmode parameter can be used to specify the mode for
intermediate directories that may need to be created in order to create the
target home directory. By default, the mode for such intermediate directories
will be 711. Note: using a mode that does not include the execute bit to
be enabled can cause havoc. You have been warned.

Examples:
<pre>
 # Use the CreateHome default settings
 CreateHome on

# Specify a skeleton directory
  CreateHome on skel /etc/ftpd/skel

# No skeleton, but make sure that intermediate directories have 755
  # permissions.
  CreateHome on dirmode 755

# Skeleton directory, with 700 intermediate directories
 CreateHome on skel /etc/ftpd/skel dirmode 700
</pre>

A fuller description of the <code>CreateHome</code> directive and its uses,
with more examples, can be read <a href="../howto/CreateHome.html">here</a>.

<hr>
<h2><a name="DefaultRoot">DefaultRoot</a></h2>
Syntax: DefaultRoot path [group-expression] 
Default: None 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code> 
Module: mod_auth 
Compatibility: 1.2.0rc1

The <code>DefaultRoot</code> directive is used to <code>chroot()</code> the
session process for the connecting client. A fuller explanation can be
found in the <a href="../howto/Chroot.html">Chroot</a> howto.

<hr>
<h2><a name="MaxLoginAttempts">MaxLoginAttempts</a></h2>
Syntax: MaxLoginAttempts count 
Default: 3 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code> 
Module: mod_auth 
Compatibility: 0.99.0 and later

The <code>MaxLoginAttempts</code> directive configures the maximum number of
times a client may attempt to authenticate to the server on the same TCP
connection. After the number of attempts exceeds the configured
count, the client is disconnected and an appropriate message is
logged.

<hr>
<h2><a name="RequireValidShell">RequireValidShell</a></h2>
Syntax: RequireValidShell on|off 
Default: RequireValidShell on 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code>, <code>&lt;Anonymous&gt;</code> 
Module: mod_auth 
Compatibility: 0.99.0 and later

The <code>RequireValidShell</code> directive configures the server, virtual
host or anonymous login to allow or deny logins which do not have a shell
listed in <code>/etc/shells</code>. By default, <code>proftpd</code>
will not allow a login unless the user's default shell is listed in
<code>/etc/shells</code>. If <code>/etc/shells</code> cannot be found, all
default shells are assumed to be valid.

<hr>
<h2><a name="RewriteHome">RewriteHome</a></h2>
Syntax: RewriteHome on|off 
Default: None 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code>
Module: mod_auth 
Compatibility: 1.3.3rc1 and later

The <code>RewriteHome</code> directive can be used to support rewriting the
home directory for a user, based on regular expression rules. One such use
case is where some portion of the home directory is retrieved e.g.
from an LDAP directory, but you need to apply some custom prefix to the LDAP
attribute. Note that this feature requires that the
<code>mod_rewrite</code> module also be present in your <code>proftpd</code>
daemon.

To enable this feature, first you need to add the following to your
<code>proftpd.conf</code>:
<pre>
 RewriteHome on
</pre>
Next, you need to configure the mod_rewrite rules for rewriting your home
directory; this feature depends on the <code>mod_rewrite</code> module for the
rewriting. The pseudo-command used by <code>mod_rewrite</code> for rewriting
home directories is "REWRITE_HOME". Thus would you use:
<pre>
 &lt;IfModule mod_rewrite.c&gt;
 RewriteEngine on
 RewrlteLog /path/to/rewrite.log

RewriteCondition %m REWRITE_HOME
 RewriteRule (.*) /my/new/prefix$1
 &lt;/IfModule&gt;
</pre>

<hr>
<h2><a name="RootLogin">RootLogin</a></h2>
Syntax: RootLogin on|off 
Default: RootLogin off 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code>, <code>&lt;Anonymous&gt;</code> 
Module: mod_auth 
Compatibility: 1.1.5 and later

Normally, <code>proftpd</code> does not allow root logins under any
circumstance. If a client attempts to login as root, using the correct
password, a special security message is logged:
<pre>
 SECURITY VIOLATION: root login attempted. 
</pre>

When <code>RootLogin on</code> is used, the root user may authenticate just as
any other user could (assuming no other access control measures deny
access); however the root login security message is still logged:
<pre>
 ROOT FTP login successful.
</pre>
Obviously, extreme care should be taken when using this directive.

The use of <code>RootLogin</code> in the <code>&lt;Anonymous&gt;</code>
context is only valid when the <code>User</code>/<code>Group</code> defined
in the <code>&lt;Anonymous&gt;</code> section is set to 'root'.

<hr>
<h2><a name="RootRevoke">RootRevoke</a></h2>
Syntax: RootRevoke on|off|UseNonCompliantActiveTransfers 
Default: None 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code>, <code>&lt;Anonymous&gt;</code> 
Module: mod_auth 
Compatibility: 1.2.9rc1 and later

The <code>RootRevoke</code> directive causes all root privileges to be dropped
once a user is authenticated. This will also cause active data transfers
(e.g. via the <code>PORT</code>/<code>EPRT</code> FTP commands) to be
disabled if the server is listening on a port less than 1024. Note that
this only affects active data transfers; passive transfers will not be
blocked.

The reason for rejecting active data transfers in these cases is because of
a requirement in RFC 959 (which defines the File Transfer Protocol) that for
active data transfers, the data connection must have a source port of
L-1, where L is the control connection port (see RFC 959, Section 3.2 "Establishing Data Connections"). Thus if the FTP server listens on
port 21, then a client requesting an active data transfer from that server
will have a data connection whose source port (on the server) is port 20
(L = 21, L-1 = 20).

Even though passive data transfers are highly preferable, many FTP clients
may still require/expect to be able to do an active data transfer. One
question, though, is how many FTP clients actually check that the
source port of the active data transfer connection is actually L-1.
Or how many networking appliances along the way (i.e. firewalls, NATs,
routers, etc) enforce this restriction as well.

If not for that requirement, then with "RootRevoke on" in the
<code>proftpd.conf</code>, <code>proftpd</code> would not be required
to use root privileges for binding to a privileged port like port 20.

Thus the <code>RootRevoke</code> directive also accepts (as of <code>proftpd-1.3.5rc1</code>) a parameter of "UseNonCompliantActiveTransfers", e.g.:
<pre>
 # Drop root privs, but allow active data tranfers (only use a non-standard
 # source port for the active data connection).
 RootRevoke UseNonCompliantActiveTranfers
</pre>
With this configuration, <code>proftpd</code> will drop root privileges,
but would not reject <code>PORT</code>/<code>EPRT</code>
commands at all. Instead, the active data transfers would be allowed as per
normal, except that <code>proftpd</code> would not try to bind to the
L-1 port for those active transfers.

This <code>RootRevoke</code> parameter is valuable because it helps in
getting <code>proftpd</code> to drop root privileges for sessions more often,
which is a far more secure configuration. Exploits such as the
"Roaring Beast" attack would not be possible in a session where root privileges
have been dropped completely.

<hr>
<h2><a name="TimeoutLogin">TimeoutLogin</a></h2>
Syntax: TimeoutLogin seconds 
Default: 300 seconds 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code> 
Module: mod_auth 
Compatibility: 0.99.0 and later

The <code>TimeoutLogin</code> directive configures the maximum number of
seconds a client is allowed to spend authenticating, i.e.
from the time when the client connects to the time when the client has
successfully authenticated. The login timer is not reset when a client
transmits data, and is only removed once a client has transmitted an
acceptable combination of <code>USER</code>/<code>PASS</code> commands.
The maximum allowed seconds value is 65535 (108 minutes).

See also: <a href="mod_core.html#TimeoutIdle"><code>TimeoutIdle</code></a>,
<a href="mod_xfer.html#TimeoutNoTransfer"><code>TimeoutNoTransfer</code></a>,
<a href="mod_xfer.html#TimeoutStalled"><code>TimeoutStalled</code></a>

<hr>
<h2><a name="TimeoutSession">TimeoutSession</a></h2>
Syntax: TimeoutSessions seconds 
Default: None 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code>, <code>&lt;Anonymous&gt;</code> 
Module: mod_auth 
Compatibility: 1.2.6rc1 and later

The <code>TimeoutSession</code> directive sets the maximum number of
seconds a control connection between the proftpd server and client
can exist, after the client has successfully authenticated. If the
seconds argument is set to zero, sessions are allowed to last
indefinitely; this is the default. There is no maxium value for the
seconds parameter.

<hr>
<h2><a name="UseFtpUsers">UseFtpUsers</a></h2>
Syntax: UseFtpUsers on|off 
Default: UseFtpUsers on 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code>, <code>&lt;Anonymous&gt;</code> 
Module: mod_auth 
Compatibility: 0.99.0 and later

Legacy FTP servers generally check a special authorization file (typically
<code>/etc/ftpusers</code>) when a client attempts to authenticate.
If the user's name is found in this file, FTP access is
denied. For compatibility of behavior, <code>proftpd</code> defaults to
checking this same file during authentication. This behavior can be suppressed
using the <code>UseFtpUsers</code> directive, e.g.:
<pre>
 # Do not check /etc/ftpusers
 UseFtpUsers off
</pre>

<hr>
<h2><a name="UserPassword">UserPassword</a></h2>
Syntax: UserPassword user encrypted-password 
Default: None 
Context: server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code>, <code>&lt;Anonymous&gt;</code> 
Module: mod_auth 
Compatibility: 0.99.0pl5 and later

The <code>UserPassword</code> directive creates a password for a particular
user; this configured password will override the user's normal
password in <code>/etc/passwd</code> (or whichever auth module handles that
user). Note that the user configured is a real user, and
not a <code>UserAlias</code>.

The encrypted-password parameter is a string which has been passed
through the standard Unix <code>crypt(3)</code> function. Do not use a
cleartext password. To obtain this encrypted-password value,
you can use the <a href="../utils/ftpasswd.html"><code>ftpasswd</code></a>
script's <code>--hash</code> option, e.g.:
<pre>
 # ftpasswd --hash

Password: 
  Re-type password:

ftpasswd: $1$EsnXxyD6$tsO2YwTAT/Tl5u1NYPHIw1
</pre>

Example configuration:
<pre>
 # Override user bob's password with a hash version of "password"
 UserPassword bob $1$EsnXxyD6$tsO2YwTAT/Tl5u1NYPHIw1
</pre>

<hr>
<h2><a name="Installation">Installation</a></h2>
The <code>mod_auth</code> module is compiled by default.

<hr>

Author: $Author: castaglia $ 
Last Updated: $Date: 2013-08-19 16:28:23 $

<hr>

<hr>

</body>
</html>