pam_pwdfile

Timo Weingärtner has graciously offered to take over the maintenance of pam_pwdfile. Its development will henceforth be hosted at https://github.com/tiwe-de/libpam-pwdfile.

Old page contents follow

PAM, or pluggable authentication modules, is a very effective method by which applications can abstract the way that they authenticate and authorize users. Using PAM, for example, a whole system can be switched from normal /etc/passwd to shadow passwords without recompiling a single binary, which was necessary on older *ix systems. Linux being my OS of choice, I have had most contact with Linux-PAM, as maintained by Andrew Morgan. Please see the Linux PAM pages at http://www.us.kernel.org/pub/linux/libs/pam/.

We required a Linux PAM module for authenticating using arbitrary password files containing username:crypted_password pairs, and this was not yet available for Linux PAM. As is the way with nicely open operating systems, I was able to put one together quickly, and you can get the source here. Since then, patches for extending functionality have also been contributed and integrated with pam_pwdfile. You can use this module to have different sets of passwords for each of the PAM-based services on your systems.

This module is available as part of Debian, where it is known as libpam-pwdfile. It also exists in the FreeBSD ports collection.

Warwick Duncan has written a very useful utility (command-line and CGI) to manage password files that can be used by pam_pwdfile. You can read all about chpwdfile and download it from the chpwdfile homepage! (Hmmm, it seems that the chpwdfile site has dropped off the edge of the internet. I’ve mirrored the source tarball of chpwdfile here. Remember that you can also use the Apache htpasswd utility to manage your password files from the command line.)

23 Comments

  • [...] VSFTPD 2. If you are compiling from source, then ensure you enable PAM support, as we will be using PAM (or pluggable authentication modules) to handle the virtual users. 3. If any problem check out this post for porting vsftpd on ARM 4. We [...]

  • Is there a newer version of pam_pwdfile that works with newer versions of the pam source? I tried compiling with Linux-PAM-1.1.0 and it would appear some slight changes have been made in the structure of the source directory that are not compatible with the pam_pwdfile-0.99 source.

    • I have not tested it with that version of Linux PAM yet. Have you checked any distributions that use Linux-PAM-1.1.0 and pam_pwdfile?

  • Same problem here – Centos 5.2 doesn’t provide an RPM for pam_pwdfile and it won’t build:

    make
    Makefile:8: ../../Make.Rules: No such file or directory
    make: *** No rule to make target `../../Make.Rules'. Stop.

    • I’ll take a look at this as soon as I can.

    • Forgot to ask: What version of PAM is Centos 5.2 using?

    • try the following:

      copy pam_pwdfile-0.99/contrib/Makefile.standalone
      into the top level and run
      make -f Makefile.standalone
      copy pam_pwdfile.so to /lib64/security , in my case

      http://www.centos.org/modules/newbb/viewtopic.php?topic_id=21232

      • Great Eric, thank you very much for that tip!

        I’d forgotten about that standalone Makefile. It should also solve Tory and Mike’s problems.

      • Thanks – that sort of helps me though I now get:

        vsftpd: PAM adding faulty module: /lib64/security/pam_pwdfile.so

      • I tried that, but I get the following instead of that Make.Rules error:

        make: *** No rule to make target `pam_pwdfile.c', needed by `pam_pwdfile.o'. Stop.

        Help?

  • Hi! I can’t find pam_pwdb, it seems that pwdb no longer exists?

  • If anyone is looking for pam_pwdfile.so for Centos 5.2, you can successfully build it from PAM 0.77 source and pam_pwdfile-0.99 as outlined at http://www.productionmonkeys.net/guides/ftp-server/vsftpd

    P.S. For the x86_64 version I found I had to do an additional fix to get it to build:
    edit configure.in and add -fPIC to the OS_CFLAGS so that it reads
    case $OS in
    linux) OS_CFLAGS="-ansi …. -pedantic -fPIC"

  • Hi there,

    you might be interested in htpasswd_editor (http://benjamin-schweizer.de/htpasswd_editor.html) which is a python/newt/ncurses interface to edit .htpasswd files (as used by pam_pwdfile).

    Greetings

  • [...] setup virtual users on the FTP server and that seems to involve building pam_pwdfile from source ( http://cpbotha.net/software/pam_pwdfile/ ) So I've downloaded it and followed the instructions in post #8 at [...]

  • [...] my experience, you are forced to use PAM to authenticate users using SSH. You may want to look into pam_pwdfile if you wish to keep things simple for storing users and create a /etc/pam.d/ssh file [...]

  • I should note that htpasswd (from the Debian Squeeze package “apache2-utils”, Apache version 2.2) uses its very own “Apache MD5” when told to use MD5 hashing. Among other things, this results in the “$apr1$” prefix rather than “$1”, which pam_pwdfile expects (judging from its source code at trunk). Manifestations of this problem are, for instance, [1] and [2].

    TL;DR: it seems there’s no way to use current htpasswd to generate files with MD5 hashes suitable for pam_pwdfile to consume. chpwdfile worked just fine.

    1. http://mail-archives.apache.org/mod_mbox/httpd-users/200801.mbox/%3C0FBAE769-5163-4126-8991-D1252F6A7A73@mac.com%3E
    2. http://www.php.net/manual/en/function.crypt.php#73619

    • Thanks for your comment on this issue.

      Patches to the pam_pwdfile README (or even code) are of course more than welcome if you feel so inclined. :)
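
A check for the prefix mismatch reported in the htpasswd comment above, as an added example that is not part of the original page or of pam_pwdfile: it parses a username:crypted_password file, labels each hash by its prefix, and flags entries carrying htpasswd's $apr1$ prefix instead of $1$. The function names, the treatment of blank lines and extra fields, and the sample entries are assumptions made for illustration.

```python
import re

DES_RE = re.compile(r"[./0-9A-Za-z]{13}")  # traditional crypt(3) output

def classify(hash_field):
    """Label the scheme of one crypted_password field by its prefix."""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"        # htpasswd's "Apache MD5"
    if hash_field.startswith("$1$"):
        return "md5-crypt"       # the prefix the comment says is expected
    if hash_field.startswith("$"):
        return "other-modular"   # another $id$ scheme; not judged here
    if DES_RE.fullmatch(hash_field):
        return "des-crypt"
    return "unrecognized"

def audit(text):
    """Return (entries, problems) for username:crypted_password lines."""
    entries, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue             # assumption: blank lines are ignorable
        user, sep, rest = line.partition(":")
        hash_field = rest.split(":", 1)[0]   # assumption: extra fields ignored
        if not sep or not user or not hash_field:
            problems.append((lineno, "malformed entry"))
            continue
        scheme = classify(hash_field)
        entries.append((user, scheme))
        if user in seen:
            problems.append((lineno, "duplicate username " + user))
        seen.add(user)
        if scheme == "apr1-md5":
            problems.append((lineno, user + ": $apr1$ hash, not $1$"))
        elif scheme == "unrecognized":
            problems.append((lineno, user + ": unrecognized hash format"))
    return entries, problems

# Constructed sample file; the hash strings are placeholders, not real hashes.
SAMPLE = """\
alice:$1$abcdefgh$0123456789abcdefghijkl
bob:$apr1$abcdefgh$0123456789abcdefghijkl
carol:ab0123456789A
dave
bob:$1$abcdefgh$0123456789abcdefghijkl
"""

if __name__ == "__main__":
    for lineno, message in audit(SAMPLE)[1]:
        print("line %d: %s" % (lineno, message))
```

Running such a check before pointing a service at a password file catches entries that would otherwise only show up as failed logins.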

  • Is this project abandoned?

    • It’s in maintenance mode. The module does what it should do, no more no less.

      I am open to patches, forks and ambitious new maintainers of course. :)
