forked from jedisct1/pure-ftpd
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README.Authentication-Modules
149 lines (97 loc) · 4.64 KB
/
README.Authentication-Modules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
------------------------ AUTHENTICATION MODULES ------------------------
Anybody can add new custom authentication methods to Pure-FTPd without
recompiling anything, using "authentication modules".
To enable it, you must ./configure with --with-extauth, or
--with-everything. Linux binary packages have it enabled by default.
Here's how they are working:
1) A client connects to the FTP server and issues a login/password pair.
2) The FTP server connects to a local separate daemon, called 'pure-authd'.
Data transmitted to that daemon is: user's login, user's password, the IP
address that user connected to, the local port that user connected to and
the user's remote IP address.
3) pure-authd spawns an authentication program. It can be anything,
including a shell script. The program is given the collected info (login,
password, IP addresses, etc) as environment variables.
4) The authentication program replies (to the standard output) with the
user's home directory, quota, ratio, bandwidth and if authentication was
successful or not.
5) pure-authd relays this info to pure-ftpd.
This method is a bit slower than built-in authentication methods. But it's
very flexible as anyone can easily write his own authentication programs.
And they can run non-root, chrooted, with limited capabilities, etc.
Communication between pure-ftpd and pure-authd is done through a local Unix
socket. It's recommended to put that socket in a directory where non-trusted
users have no write access to.
Authentication programs can read the following environment variables to get
info about the user trying to authenticate:
AUTHD_ACCOUNT
AUTHD_PASSWORD
AUTHD_LOCAL_IP
AUTHD_LOCAL_PORT
AUTHD_REMOTE_IP
AUTHD_ENCRYPTED
They are self-explanatory. Previous global environment variables aren't
cleared when the script is called. The content of these variables is
_not_ quoted. They may contain special characters. They are under the
control of a possibly malicious remote user.
The program must respond on the standard output with lines like:
auth_ok:1
uid:42
gid:21
dir:/home/j
end
Note the final 'end' keyword. It's mandatory.
Here's the list of recognized tokens ('xxx' has of course to be filled):
* auth_ok:xxx
If xxx is 0, the user was not found (the next authentication method passed
to pure\-ftpd will be tried) . If xxx is \-1, the user was found, but there
was a fatal authentication error: user is root, password is wrong, account
has expired, etc (next authentication methods will not be tried) . If xxx is
1, the user was found and successfully authenticated.
* uid:xxx
The system uid to be assigned to that user. Must be > 0.
* gid:xxx
The primary system gid. Must be > 0.
* dir:xxx
The absolute path to the home directory. Can contain /./ for a chroot jail.
*slow_tilde_expansion:xxx (optional, default is 1)
When the command 'cd ~user' is issued, it's handy to go to that user's home
directory, as expected in a shell environment. But fetching account info can
be an expensive operation for non-system accounts. If xxx is 0, 'cd ~user'
will expand to the system user home directory. If xxx is 1, 'cd ~user' won't
expand. You should use 1 in most cases with external authentication, when
your FTP users don't match system users. You can also set xxx to 1 if you're
using slow nss_* system authentication modules.
* throttling_bandwidth_ul:xxx (optional)
The allocated bandwidth for uploads, in bytes per second.
* throttling_bandwidth_dl:xxx (optional)
The allocated bandwidth for downloads, in bytes per second.
*user_quota_size:xxx (optional)
The maximal total size for this account, in bytes.
* user_quota_files:xxx (optional)
The maximal number of files for this account.
* ratio_upload:xxx and radio_download:xxx (optional)
The user must match a ratio_upload:ratio_download ratio.
* per_user_max:xxx (optional)
The maximal authorized number of concurrent sessions.
------------------------ EXAMPLE ------------------------
Here's a very basic example. Our sample authentication program will only
accept user 'john' with any password and return a fixed home directory and
uid/gid.
#! /bin/sh
if test "$AUTHD_ACCOUNT" = "john"; then
echo 'auth_ok:1'
echo 'uid:69'
echo 'gid:42'
echo 'dir:/tmp'
else
echo 'auth_ok:0'
fi
echo 'end'
Let's say we save this file as /usr/bin/ftp-auth-handler
Now, we have to run pure-authd and pure-ftpd, to connect them through a
local socket and to tell pure-ftpd to use our external authentication module:
pure-authd -s /var/run/ftpd.sock -r /usr/bin/ftp-auth-handler &
pure-ftpd -lextauth:/var/run/ftpd.sock &
That's all. Now, we can only log in as 'john', as all FTP authentication is
done by the shell script.