On Tue, 2006-02-28 at 21:24 +0100, Marcel Janssen wrote:
> Hi Les,
> > I haven't used proftpd for a while.  Does it have any security
> > options (like not running as root or living in a chroot jail)
> > that would keep it from reading your shadow password file?
>
> Yes, it doesn't run as root and can live in a chroot jail.

Here's what I use:

In proftpd.conf:

...
# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
# Do not perform ident lookups (hangs when the port is filtered)
IdentLookups off
# Turn off reverse DNS lookups
# Not having this option can cause problems for chrooted users e.g. anonymous
#UseReverseDNS off
# This sometimes helps too
PersistentPasswd off
...

And in /etc/pam.d/proftpd

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

Paul.
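
How the three auth lines of the /etc/pam.d/proftpd file above decide a login, as an added example that is not part of the original mail: a simplified Python model, not PAM itself. The file contents and account names are constructed, `parse_auth_rules` and `auth_decision` are hypothetical helpers, and the pam_stack.so line is reduced to a `password_ok` flag.

```python
# Simplified model of the auth phase of the PAM file above (not PAM itself).
PAM_CONF = """\
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
"""
# Constructed sample file contents (assumptions, not from the original mail).
FILES = {"/etc/ftpusers": ["root", "bin", "daemon"],
         "/etc/shells": ["/bin/sh", "/bin/bash"]}

def parse_auth_rules(text):
    """Return [(control, module, options)] for the 'auth' lines of a PAM file."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            opts = dict(a.split("=", 1) for a in fields[3:] if "=" in a)
            rules.append((fields[1], fields[2], opts))
    return rules

def auth_decision(rules, user, shell, files, password_ok):
    """Return (allowed, failed_modules); a path absent from `files` is unreadable."""
    failed = []
    for control, module, opts in rules:
        if module == "pam_listfile.so":
            entries = files.get(opts["file"])
            if entries is None:
                # List cannot be read: onerr=succeed lets the login continue.
                ok = opts.get("onerr") == "succeed"
            else:
                ok = (user in entries) != (opts["sense"] == "deny")
        elif module == "pam_shells.so":
            ok = shell in files.get("/etc/shells", [])  # shell must be listed
        elif module == "pam_stack.so":
            ok = password_ok  # stand-in for the system-auth password check
        else:
            ok = False  # module not modelled here: count it as a failure
        if control == "required" and not ok:
            failed.append(module)  # 'required' failures still run the rest
    return (not failed, failed)

RULES = parse_auth_rules(PAM_CONF)

if __name__ == "__main__":
    for user, shell in [("alice", "/bin/bash"), ("root", "/bin/bash"),
                        ("ftponly", "/sbin/nologin")]:
        print(user, auth_decision(RULES, user, shell, FILES, True))
    no_list = {"/etc/shells": FILES["/etc/shells"]}  # /etc/ftpusers missing
    print("root, no ftpusers:", auth_decision(RULES, "root", "/bin/bash", no_list, True))
```

Two things to check on a real host follow from this: with `onerr=succeed` the deny list is skipped when /etc/ftpusers cannot be read, so confirm the file exists and is readable, and an FTP-only account whose shell is not in /etc/shells is refused by pam_shells.so.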