PAM, or pluggable authentication modules, is a very effective method by which applications can abstract the way that they authenticate and authorize users. Using PAM for example, a whole system can be switched from normal /etc/passwd to shadow passwords without recompiling a single binary, as was the case with older *ix systems. Linux being my OS of choice, I have had most contact with Linux-PAM, as maintained by Andrew Morgan. Please see the Linux PAM pages at http://www.us.kernel.org/pub/linux/libs/pam/.
We required a Linux PAM module for authenticating using arbitrary password files containing username:crypted_password pairs, and this was not yet available for Linux PAM. As is the way with nicely open operating systems, I was able to put one together quickly, and you can get the source here. Since then, patches for extending functionality have also been contributed and integrated with pam_pwdfile. You can use this module to have different sets of passwords for each of the PAM-based services on your systems.
Download the pam_pwdfile (version 0.99) module source from this site at http://cpbotha.net/files/pam_pwdfile/pam_pwdfile-0.99.tar.gz. You can read the changelog by clicking here.
This module is also packaged by Greg Norris for Debian and is available as libpam-pwdfile. It also exists in the FreeBSD ports collection.
Warwick Duncan has written a very useful utility (command-line and CGI) to manage password files that can be used by pam_pwdfile. You can read all about chpwdfile and download it from the chpwdfile homepage! (Hmmm, it seems that the chpwdfile site has dropped off the edge of the internet. I’ve mirrored the source tarball of chpwdfile here. Remember that you can also use the apache htpasswd utility to manage your password files from the command line.)
Development
I’ve recently (August 16, 2009) moved the pam_pwdfile source code repository to a new Google Code Project site, if you’re interested in grabbing the absolute latest updates. SVN r41 is the 0.99 release.
How to Set up vsftpd Virtual Users-ARM-Target-Board // Jan 29, 2009 at 11:00
[...] VSFTPD2. if you are compiling from source, then ensure you enable PAM support, as we will be using PAM (or pluggable authentication modules) to handle the virtual users.3. If any problem check out this post for porting vsftpd on ARM4. We [...]
Is there a newer version of pam_pwdfile that works with newer versions of the pam source? I tried compiling with Linux-PAM-1.1.0 and it would appear some slight changed have been made in the structure of the source directory that are not compatible with the pam_pwdfile-0.99 source.
I have not tested it with that version of Linux PAM yet. Have you checked any distributions that use Linux-PAM-1.1.0 and pam_pwdfile?
Same problem here – Centos 5.2 doesn’t provide an RPM for pam_pwdfile and it won’t build:
make
Makefile:8: ../../Make.Rules: No such file or directory
make: *** No rule to make target `../../Make.Rules’. Stop.
I’ll take a look at this as soon as I can.
Forgot to ask: What version of PAM is Centos 5.2 using?
try the following:
copy pam_pwdfile-0.99/contrib/Makefile.standalone
into the top level and run
make -f Makefile.standalone
copy pam_pwdfile.so to /lib64/security , in my case
http://www.centos.org/modules/newbb/viewtopic.php?topic_id=21232
Great Eric, thank you very much for that tip!
I’d forgotten about that standalone Makefile. It should also solve Tory and Mike’s problems.
Thanks – that sort of helps me though I now get:
vsftpd: PAM adding faulty module: /lib64/security/pam_pwdfile.so
Hi! I can’t find pam_pwdb, it seems that pwdb no longer exists?
If anyone is looking for pam_pwdfile.so for Centos 5.2, you can successfully build it from PAM 0.77 source and pam_pwdfile-0.99 as outlined at http://www.productionmonkeys.net/guides/ftp-server/vsftpd
P.S. For the x86_64 version I found I had to do an additional fix to get it to build :
edit configure.in and add -fPIC to the OS_CFLAGS so that it reads
case $OS in
linux) OS_CFLAGS=”-ansi …. -pedantic -fPIC”