ProFTPd with mod_sql also authenticates shell users?

aule
Posts: 24
Joined: 2004-08-21 16:18
 

ProFTPd with mod_sql also authenticates shell users?

Post by aule »

I installed ProFTPd on Debian Sarge from the official mirrors.

But the server authenticates both the "normal" Linux users and the users from the SQL database.

My /etc/proftpd.conf:

Code:

#
# /etc/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
# 

ServerName			"mrg.fadi.at"
ServerType			standalone
DeferWelcome			off

MultilineRFC2228		on
DefaultServer			on
ShowSymlinks			on

TimeoutNoTransfer		600
TimeoutStalled			600
TimeoutIdle			1200

DisplayLogin                    welcome.msg
DisplayFirstChdir               .message
ListOptions                	"-l"

DenyFilter			*.*/

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
#PersistentPasswd		off

# Uncomment this if you would use TLS module:
#TLSEngine 			on

# Uncomment this if you would use quota module:
#Quotas				on

# Uncomment this if you would use ratio module:
#Ratios				on

# Port 21 is the standard FTP port.
Port				21

# Try to speed up the login sequence
UseReverseDNS off 
IdentLookups  off 

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances			30

# Set the user and group that the server normally runs at.
User				nobody
Group				nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask				027  027
# Normally, we want files to be overwriteable.
AllowOverwrite			on

DefaultRoot ~

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default. 
#DelayEngine 			off

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
#   User				ftp
#   Group				nogroup
#   # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias			anonymous ftp
#   # Cosmetic changes, all files belongs to ftp user
#   DirFakeUser	on ftp
#   DirFakeGroup on ftp
# 
#   RequireValidShell		off
# 
#   # Limit the maximum number of anonymous logins
#   MaxClients			10
# 
#   # We want 'welcome.msg' displayed at login, and '.message' displayed
#   # in each newly chdired directory.
#   DisplayLogin			welcome.msg
#   DisplayFirstChdir		.message
# 
#   # Limit WRITE everywhere in the anonymous chroot
#   <Directory *>
#     <Limit WRITE>
#       DenyAll
#     </Limit>
#   </Directory>
# 
#   # Uncomment this if you're brave.
#   # <Directory incoming>
#   #   # Umask 022 is a good standard umask to prevent new files and dirs
#   #   # (second parm) from being group and world writable.
#   #   Umask				022  022
#   #            <Limit READ WRITE>
#   #            DenyAll
#   #            </Limit>
#   #            <Limit STOR>
#   #            AllowAll
#   #            </Limit>
#   # </Directory>
# 
# </Anonymous>

SQLAuthenticate users*
SQLAuthTypes Plaintext
SQLConnectInfo provider@db.mrg.fadi.at provider SECRET
SQLDefaultGID 65534
SQLDefaultUID 65534
SQLMinUserGID  1000
SQLMinUserUID  1000
SQLUserInfo users username password uid gid home shell
SQLLogFile /var/log/proftpd/sql.log

Code:

mrg:/var/log/proftpd# proftpd -vv
 - ProFTPD Version: 1.2.10 (stable)
 -   Scoreboard Version: 01040002
 -   Built: do mrt 22 18:28:32 CET 2001
 -     Module: mod_core.c
 -     Module: mod_xfer.c
 -     Module: mod_auth_unix.c
 -     Module: mod_auth_file.c
 -     Module: mod_auth.c
 -     Module: mod_ls.c
 -     Module: mod_log.c
 -     Module: mod_site.c
 -     Module: mod_auth_pam.c
 -     Module: mod_quotatab.c
 -     Module: mod_sql.c
 -     Module: mod_sql_mysql.c
 -     Module: mod_quotatab_sql.c
 -     Module: mod_ratio.c
 -     Module: mod_tls.c
 -     Module: mod_rewrite.c
 -     Module: mod_radius.c
 -     Module: mod_wrap.c
 -     Module: mod_quotatab_file.c
 -     Module: mod_delay/0.4
 -     Module: mod_readme.c
 -     Module: mod_ifsession.c
 -     Module: mod_cap/1.0

Code:


-- 
-- Table structure for table `users`
-- 

CREATE TABLE `users` (
  `username` varchar(20) collate latin1_german1_ci NOT NULL default '',
  `email` varchar(80) collate latin1_german1_ci NOT NULL default '',
  `password` varchar(20) collate latin1_german1_ci NOT NULL default '',
  `uid` int(6) NOT NULL default '0',
  `gid` int(6) NOT NULL default '0',
  `home` varchar(250) collate latin1_german1_ci NOT NULL default '',
  `shell` varchar(60) collate latin1_german1_ci NOT NULL default '',
  PRIMARY KEY  (`username`),
  UNIQUE KEY `email` (`email`),
  UNIQUE KEY `uid` (`uid`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_german1_ci;

I have no idea what could be going wrong here.

Aule
alexander newald
Posts: 1117
Joined: 2002-09-27 00:54
Location: Hannover
 

Re: ProFTPd with mod_sql also authenticates shell users?

Post by alexander newald »

Why would that be wrong?
thrawn1024
Posts: 47
Joined: 2004-09-04 21:36
 

Re: ProFTPd with mod_sql also authenticates shell users?

Post by thrawn1024 »

Because this config should actually only allow the users from the SQL DB...
users[*]
If this option is present, user lookups will take place. Appending an asterisk to users will cause mod_sql to become authoritative for user lookups. All other user authentication methods will be ignored. If this option is not included, mod_sql will not perform any user lookups.
Why it doesn't work for Aule, though, I unfortunately can't say..

Chris
aule
Posts: 24
Joined: 2004-08-21 16:18
 

Re: ProFTPd with mod_sql also authenticates shell users?

Post by aule »

I'm using MySQL 4.1 (4.1.9-Debian_2-log), could that possibly be a problem?

Aule
aule
Posts: 24
Joined: 2004-08-21 16:18
 

Re: ProFTPd with mod_sql also authenticates shell users?

Post by aule »

I've now experimented a bit.
First I used only AuthOrder (the method with the * is officially deprecated), but the server then still let in users that existed both in /etc/passwd and in the DB. With an AuthPAM off that is now fixed as well.

Here is the config once more:

Code:

#
# /etc/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#

ServerName         "mrg.fadi.at"
ServerType         standalone
DeferWelcome         off

MultilineRFC2228      on
DefaultServer         on
ShowSymlinks          off

TimeoutNoTransfer      600
TimeoutStalled         600
TimeoutIdle            1200

DisplayLogin                    welcome.msg
DisplayFirstChdir               .message
ListOptions                   "-l"

DenyFilter         *.*/

# Try to speed up the login sequence
UseReverseDNS off
IdentLookups  off

# I don't know why I need this, but otherwise MySQL-only users cannot log in
AuthPAM off

# Only auth users that are listed in the MySQL-db
AuthOrder mod_sql.c

# SQL Authentication setup
SQLAuthenticate users
SQLAuthTypes Plaintext
SQLConnectInfo provider@db.mrg.fadi.at provider SECRET
SQLDefaultGID 65534
SQLDefaultUID 65534
SQLMinUserGID  1000
SQLMinUserUID  1000
SQLUserInfo users username password uid gid home shell

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
#PersistentPasswd      off

# Uncomment this if you would use TLS module:
#TLSEngine          on

# Uncomment this if you would use quota module:
#Quotas            on

# Uncomment this if you would use ratio module:
#Ratios            on

# Port 21 is the standard FTP port.
Port            21

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances         30

# Set the user and group that the server normally runs at.
User            nobody
Group            nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask            027  027
# Normally, we want files to be overwriteable.
AllowOverwrite         on

DefaultRoot ~

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
#DelayEngine          off

Aule
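To make the difference between the first and the final posted config checkable rather than a matter of trial and error, here is an added example; it is not from the thread and not ProFTPD project code. It is a small Python linter that reads the server-wide directives of a proftpd.conf (skipping comment lines and anything inside <Anonymous>, <Directory> or <Limit> containers) and reports whether mod_sql is the only source of user lookups. The rules encode what the thread ended up with (AuthOrder mod_sql.c plus AuthPAM off, with the users* form treated as deprecated) and two things a practitioner would flag in passing: SQLAuthTypes Plaintext means FTP passwords sit in cleartext in the users table, and the inline SQLConnectInfo password means the config file must stay readable by root only. The two sample configs are constructed, trimmed versions of the ones posted above; the directive names are real ProFTPD directives, the findings text is the example's own.

```python
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class AuthReport:
    sql_authoritative: bool      # AuthOrder names mod_sql.c and nothing else
    auth_order: List[str]        # modules listed in AuthOrder, in order
    auth_pam: bool               # AuthPAM (defaults to on when the directive is absent)
    plaintext_passwords: bool    # SQLAuthTypes includes Plaintext
    findings: List[str] = field(default_factory=list)


def parse_directives(conf: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, args) pairs for the server-wide part of a proftpd.conf.

    Lines whose first non-blank character is '#' are comments.  <Section> ...
    </Section> containers are tracked by depth and everything inside them is
    skipped, because only the global auth setup is relevant to this check.
    """
    out, depth = [], 0
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth -= 1
            continue
        if line.startswith("<"):
            depth += 1
            continue
        if depth:
            continue
        parts = shlex.split(line)          # handles ServerName "mrg.fadi.at"
        out.append((parts[0].lower(), parts[1:]))
    return out


def audit_auth(conf: str) -> AuthReport:
    """Decide whether mod_sql is authoritative and collect findings."""
    values: Dict[str, List[str]] = {}
    for name, args in parse_directives(conf):
        values[name] = args                # the last occurrence is the one we judge

    sql_auth = values.get("sqlauthenticate", [])
    star = any(a.endswith("*") for a in sql_auth)
    order = values.get("authorder", [])
    only_sql = order == ["mod_sql.c"]
    auth_pam = (values.get("authpam") or ["on"])[0].lower() == "on"
    plaintext = "plaintext" in [a.lower() for a in values.get("sqlauthtypes", [])]

    rep = AuthReport(only_sql, order, auth_pam, plaintext)
    f = rep.findings
    if "users" not in [a.rstrip("*") for a in sql_auth]:
        f.append("SQLAuthenticate lacks 'users': mod_sql performs no user lookups at all")
    if star:
        f.append("SQLAuthenticate uses the deprecated 'users*' form; "
                 "use 'AuthOrder mod_sql.c' to make mod_sql authoritative")
    if not order:
        f.append("no AuthOrder: mod_auth_unix/mod_auth_file are still consulted, "
                 "so /etc/passwd accounts can log in")
    elif not only_sql:
        f.append("AuthOrder lists modules besides mod_sql.c: " + " ".join(order))
    if auth_pam:
        f.append("AuthPAM is on (the default): in the thread above, local accounts "
                 "kept logging in until it was set to off")
    if plaintext:
        f.append("SQLAuthTypes Plaintext: FTP passwords are stored in cleartext "
                 "in the users table")
    if len(values.get("sqlconnectinfo", [])) >= 3:
        f.append("SQLConnectInfo carries the DB password inline; keep proftpd.conf "
                 "readable by root only")
    return rep


# Constructed samples: the auth-relevant lines of the two posted configs.
WEAK_CONF = """\
# first post: users* only, AuthPAM left at its default
ServerName "mrg.fadi.at"
DefaultRoot ~
SQLAuthenticate users*
SQLAuthTypes Plaintext
SQLConnectInfo provider@db.mrg.fadi.at provider SECRET
SQLUserInfo users username password uid gid home shell
"""

FIXED_CONF = """\
# final post: AuthOrder plus AuthPAM off
ServerName "mrg.fadi.at"
AuthPAM off
AuthOrder mod_sql.c
SQLAuthenticate users
SQLAuthTypes Plaintext
SQLConnectInfo provider@db.mrg.fadi.at provider SECRET
SQLUserInfo users username password uid gid home shell
DefaultRoot ~
<Anonymous ~ftp>
  User ftp
  RequireValidShell off
</Anonymous>
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        rep = audit_auth(conf)
        print(f"[{label}] sql_authoritative={rep.sql_authoritative} auth_pam={rep.auth_pam}")
        for line in rep.findings:
            print("   -", line)
```

Point it at a real file with `audit_auth(open("/etc/proftpd.conf").read())`; the parser only understands the directive-per-line layout shown in the thread, so an `Include`d file has to be audited separately.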