
Bug 235843

Summary: vsftpd issue with pam auth error
Product: [Fedora] Fedora
Reporter: Matthias Saou <matthias>
Component: vsftpd
Assignee: Martin Nagy <mnagy>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
CC: hripps, mbarabas, mnagy
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-11-09 09:12:34 UTC

Attachments:
.src.rpm of patched subversion files for pam_abl.
binary RPM of SVN fixed code for pam_abl

Description Matthias Saou 2007-04-10 14:33:08 UTC
I think there is a bug in vsftpd's pam code. Below is the email body I sent to
the author (over a week ago, and got no answer yet). It happened on RHEL4, but
also happens with the latest FC devel package.


I've been trying to use the pam_abl (auto black list) module with
vsftpd, but it doesn't seem to work. This is on RHEL4, but the pam_abl
debug seems to indicate that this might be a problem with how vsftpd
does things. Maybe just an exit status of some kind which isn't right?

With sshd for instance :

Apr  2 15:34:25 w1 pam_abl[18779]: In cleanup, err is 00000007
Apr  2 15:34:25 w1 pam_abl[18779]: Recording failed attempt

With vsftpd and the same bad login/password :

Apr  2 15:37:07 w1 pam_abl[20319]: In cleanup, err is 00000000

And no "Recording failed attempt" line, although the configuration I
use should block sshd and vsftpd in the same way.

I'm not familiar with pam in any way, but since I've configured pam_abl
to be used from the system-auth pam entry, which both sshd and vsftpd
are configured in the same way to use... I can't help but suspect that
the "err" value set to 0 with vsftpd and 7 with sshd has something to

FWIW, on success, both sshd and vsftpd have pam_abl print :

"In cleanup, err is 20000000"

Looking at the PAM headers :

#define PAM_SUCCESS 0           /* Successful function return */
#define PAM_OPEN_ERR 1          /* dlopen() failure when dynamically */
                                /* loading a service module */
#define PAM_SYMBOL_ERR 2        /* Symbol not found */
#define PAM_SERVICE_ERR 3       /* Error in service module */
#define PAM_SYSTEM_ERR 4        /* System error */
#define PAM_BUF_ERR 5           /* Memory buffer error */
#define PAM_PERM_DENIED 6       /* Permission denied */
#define PAM_AUTH_ERR 7          /* Authentication failure */

So maybe pam_abl gets 0 (PAM_SUCCESS) while it should get 7
(PAM_AUTH_ERR) from vsftpd?
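
Added example, not part of the original report and not code from pam_abl or vsftpd: a Python script that decodes the `err` values in the pam_abl debug lines above with the quoted PAM status codes and reports, per PID, whether a failed attempt was recorded. It assumes the high bits are Linux-PAM's `PAM_DATA_REPLACE` / `PAM_DATA_SILENT` cleanup flags; `decode_err` and `summarize` are hypothetical helper names, and the fourth sample line is constructed.

```python
import re

# Status codes from the PAM header excerpt quoted in the report.
PAM_STATUS = {0: "PAM_SUCCESS", 1: "PAM_OPEN_ERR", 2: "PAM_SYMBOL_ERR",
              3: "PAM_SERVICE_ERR", 4: "PAM_SYSTEM_ERR", 5: "PAM_BUF_ERR",
              6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR"}
# Flag bits Linux-PAM can OR into the status passed to a data cleanup callback.
PAM_FLAGS = {0x20000000: "PAM_DATA_REPLACE", 0x40000000: "PAM_DATA_SILENT"}

LINE = re.compile(r"pam_abl\[(\d+)\]: (.*)$")
CLEANUP = re.compile(r"In cleanup, err is ([0-9a-fA-F]{8})")

# First three lines are copied from the report; the last is constructed
# (hypothetical PID and timestamp) around the success message it quotes.
SAMPLE = [
    "Apr  2 15:34:25 w1 pam_abl[18779]: In cleanup, err is 00000007",
    "Apr  2 15:34:25 w1 pam_abl[18779]: Recording failed attempt",
    "Apr  2 15:37:07 w1 pam_abl[20319]: In cleanup, err is 00000000",
    "Apr  2 15:40:00 w1 pam_abl[20400]: In cleanup, err is 20000000",
]


def decode_err(hex_value):
    """Split pam_abl's logged 'err' into (status name, sorted flag names)."""
    raw = int(hex_value, 16)
    flags = sorted(name for bit, name in PAM_FLAGS.items() if raw & bit)
    code = raw & ~sum(PAM_FLAGS)  # strip the flag bits, keep the status code
    return PAM_STATUS.get(code, "unknown(%d)" % code), flags


def summarize(lines):
    """Map each pam_abl PID to its decoded cleanup status and recorded flag."""
    out = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        entry = out.setdefault(pid, {"status": None, "flags": [], "recorded": False})
        c = CLEANUP.search(msg)
        if c:
            entry["status"], entry["flags"] = decode_err(c.group(1))
        elif "Recording failed attempt" in msg:
            entry["recorded"] = True
    return out


if __name__ == "__main__":
    for pid, entry in summarize(SAMPLE).items():
        print(pid, entry)
```

A PID known to be a bad login that decodes to PAM_SUCCESS with `recorded` false is the vsftpd symptom described in the report.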

Comment 1 Martin Nagy 2007-11-09 09:12:34 UTC
Fixed in vsftpd-2_0_5-20_fc9

Comment 2 Kev 'Kyrian' Green 2008-01-02 18:34:49 UTC
I have investigated this in some depth, and it appears on pretty much all
versions of Fedora Core I've tried it with. It is most likely an inter-relation
issue between the way pam_abl is implemented, and the way vsftpd references it
(whether it's "simple" like the session part not being dealt with etc. or
"complicated" to do with crashes in the library references I don't know, and I
have not had time or inclination to delve that deep into debugging).

Although I can't pinpoint the problem, I've used the 'this is fixed in CVS'
solution from the upstream website, and created an RPM and source RPM based on
the existing FC ones, and this updated code, pruning out various Fedora patches
to the source code, while keeping the documentation based ones, and it seems to
work now. This is on Fedora Core 5, with vsftpd vsftpd-2.0.4-1.2. I will test it
on other FC versions I have kicking around, and report back results if there is
interest in doing so.

I'll attach the files if bugzilla lets me.

Fedora/Redhat etc. may do with this fixed stuff as they wish. They may hire me
as a developer too if they wish ;-)

Comment 3 Kev 'Kyrian' Green 2008-01-02 18:35:39 UTC
Created attachment 290673
.src.rpm of patched subversion files for pam_abl.

Comment 4 Kev 'Kyrian' Green 2008-01-02 18:36:10 UTC
Created attachment 290674
binary RPM of SVN fixed code for pam_abl

Comment 5 Martin Nagy 2008-01-02 21:22:37 UTC
The vsftpd part was fixed in rawhide, but the pam_abl was broken anyway. If you
have a fix for that, you should make a new bug report against appropriate
component with a patch attached (probably better than src rpm or binary rpm).