Bug 159745 - vsftpd fails to reverse dns before passing rhost to pam
Summary: vsftpd fails to reverse dns before passing rhost to pam
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: vsftpd
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Radek Vokal
QA Contact: Mike McLean
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-06-07 18:31 UTC by Dan Hollis
Modified: 2008-05-09 15:32 UTC (History)

Fixed In Version: 2.0.3-10
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-09 10:18:55 UTC



Description Dan Hollis 2005-06-07 18:31:35 UTC
Description of problem:
vsftpd never does reverse dns before passing hosts to pam_access.so

Version-Release number of selected component (if applicable):
vsftpd 2.0.1-5

How reproducible:
always

Steps to Reproduce:
1. Set up vsftpd with pam_access.so
2. Try to make an access list using partial domain matching (e.g. .bla.com)
3. Watch it fail
  
Actual results:
vsftpd only ever sends in numeric IPs as the rhost to pam_access.so

Expected results:
it should try to reverse dns and send in hostnames if it resolves.

Additional info:

Comment 1 Dan Hollis 2005-06-18 00:20:10 UTC
it is impossible to use vsftpd and pam_access for domain based ACLs until this
bug is fixed.

Comment 2 Radek Vokal 2005-08-31 12:59:14 UTC
Can I get some more accurate steps how to reproduce this issue? I'm not sure how
to create such an ACL.

Comment 3 Dan Hollis 2005-09-01 19:55:32 UTC
this lets you setup the equivalent of user-specific hosts.allow / hosts.deny
ACLs. very useful. do something like:

/etc/pam.d/vsftpd:
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_access.so accessfile=/etc/security/access-ftp.conf
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

/etc/security/access-ftp.conf:
-:root:ALL EXCEPT LOCAL host1.bla.com .domain.com 192.168.1.2
-:user1:ALL EXCEPT LOCAL somehost.somwhere.com .someotherdomain.com
-:user2:ALL EXCEPT .bla.com

none of the name based entries will work because vsftpd does not do rdns before
calling pam. so you can only do ip based access lists.

i have reported this bug to the vsftpd development team but they have not responded.
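
As an added example, not part of this bug report and not code from pam_access or vsftpd, the following Python models pam_access's origin matching (ALL, LOCAL, leading-dot domain suffix, trailing-dot numeric prefix, EXCEPT) over two lines taken from the access file above; the sample client addresses and hostnames are constructed. Evaluating the user2 rule with a numeric rhost, which is what vsftpd 2.0.1 hands to PAM, shows the .bla.com entry never matching, while the same client's reverse-resolved name does match.

```python
# Added example (not from the bug report or the vsftpd/pam_access sources):
# a simplified model of pam_access origin matching. It shows why a
# ".bla.com" entry can never match when the FTP daemon hands PAM a numeric
# IP as PAM_RHOST, but does once the address is reverse-resolved first.
from collections import namedtuple

Rule = namedtuple("Rule", "permit users hosts")  # '+' permits, '-' denies

def parse_access_conf(text):
    """Parse permission:users:origins lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            perm, users, hosts = (f.strip() for f in line.split(":", 2))
            rules.append(Rule(perm == "+", users.split(), hosts.split()))
    return rules

def from_match(tok, rhost):
    """ALL matches anything; LOCAL matches names without a dot; a leading dot
    is a domain suffix; a trailing dot is a numeric prefix; else exact."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":
        return "." not in rhost
    if tok.startswith("."):
        return rhost.endswith(tok)
    if tok.endswith("."):
        return rhost.startswith(tok)
    return tok == rhost

def list_match(tokens, item, matcher):
    """A hit before EXCEPT counts unless a token after EXCEPT also hits."""
    cut = tokens.index("EXCEPT") if "EXCEPT" in tokens else len(tokens)
    if any(matcher(t, item) for t in tokens[:cut]):
        return not any(matcher(t, item) for t in tokens[cut + 1:])
    return False

def decide(rules, user, rhost):
    """First rule whose user and origin fields both match wins; no match permits."""
    for r in rules:
        if (list_match(r.users, user, lambda t, u: t in ("ALL", u))
                and list_match(r.hosts, rhost, from_match)):
            return r.permit
    return True

# Constructed access file mirroring two lines from comment 3.
RULES = parse_access_conf(
    "-:root:ALL EXCEPT LOCAL host1.bla.com .domain.com 192.168.1.2\n"
    "-:user2:ALL EXCEPT .bla.com\n")
```

With a numeric rhost user2 is always denied; with the resolved hostname the EXCEPT .bla.com clause takes effect and the login is permitted.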

Comment 4 Dan Hollis 2005-09-01 19:59:19 UTC
you can also do something like:

/etc/pam.d/vsftpd:
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth-ftp
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth-ftp
session    required     pam_stack.so service=system-auth-ftp

/etc/pam.d/system-auth-ftp:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_access.so accessfile=/etc/security/access-ftp.conf
account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

wu-ftpd works perfectly since it does rdns before calling pam. vsftpd fails
because it does not.

Comment 5 Radek Vokal 2005-09-09 10:18:55 UTC
Ok, thanks a lot for configuration files. The bug is fixed in vsftpd-2.0.3-10.
There's just one thing in the pam_access module that you have to note. If an IP
address is set in /etc/security/access-ftp.conf it has to have an additional dot
at the end. E.g. the correct line from your configuration file should look like

-:root:ALL EXCEPT LOCAL host1.bla.com .domain.com 192.168.1.2.

This is a pam_access feature and I'm going to open a feature request for removing
this spare dot for IP addresses.

Comment 6 Dan Hollis 2005-12-01 23:23:57 UTC
can this fix be rolled to FC3 as well? it's still stuck with 2.0.1-5 :(

Comment 7 Andrey 2008-04-06 19:42:51 UTC
Please make the reverse DNS configurable. Sometimes we can have delays
with this patch. PAM does the request of AAAA and A with this patch also. At
the same time there is no request to DNS without the patch. Very often it has a
delay with the request of the AAAA record.

Comment 8 Martin Nagy 2008-05-09 15:32:55 UTC
(In reply to comment #7)
Andrey, Radek Vokal is no longer maintainer of vsftpd. If you'd like any change,
please file a new bug, if it does have something to do with this bug report,
mention it in the description.
Please know that writing requests to a closed bug (especially a 3-year-old one)
will probably fall through the cracks. Thanks.

