Package: pure-ftpd
Version: 1.0.30-1

When attempting to use pam_access in combination with pure-ftpd, I get the following odd behaviour:

My /etc/pam.d/pure-ftpd file contains this line:

    account required pam_access.so

My /etc/security/access.conf file contains these lines:

    # Allow logins only from 192.168.1.2 and 192.168.1.3
    +:ALL:192.168.1.2 192.168.1.3
    -:ALL:ALL

When a connection starts and the source IP address can be resolved by reverse lookup, everything works as expected. However, when the IP address cannot be resolved by reverse lookup, pam_access complains with the following message in /var/log/auth.log:

    pure-ftpd: pam_access(pure-ftpd:account): access denied for user `testuser' from `pure-ftpd'

pam_access seems to have received the string 'pure-ftpd' as the remote host. Since that's neither 192.168.1.2 nor 192.168.1.3, it denies access.

Looking at the Debian patch for pure-ftpd, I can see the following within pure-ftpd-1.0.30/src/log_pam.c (near line 167):

    hent = gethostbyaddr(&STORAGE_SIN_ADDR(*peer),
                         sizeof(STORAGE_SIN_ADDR(*peer)), AF_INET);
    ...
    if (!hent)
        (void)pam_set_item(pamh, PAM_RHOST, NULL);
    else
        (void)pam_set_item(pamh, PAM_RHOST, hent->h_name);

So it looks like whenever the IP address cannot be resolved to a hostname, NULL is submitted back to PAM as the remote host. (Presumably, PAM is interpreting this as the service name, i.e. 'pure-ftpd'.)

However, if the above code is changed to this:

    hent = gethostbyaddr(&STORAGE_SIN_ADDR(*peer),
                         sizeof(STORAGE_SIN_ADDR(*peer)), AF_INET);
    ...
    if (!hent) {
        struct in_addr tmp;

        tmp.s_addr = STORAGE_SIN_ADDR(*peer);
        (void)pam_set_item(pamh, PAM_RHOST, inet_ntoa(tmp));
    } else
        (void)pam_set_item(pamh, PAM_RHOST, hent->h_name);

then PAM receives the IP address (in this case, the string "192.168.1.2") and accepts the connection as expected. This seems to resolve the problem for me. I'm not an expert at PAM programming, though, so I don't know if this is even legit or if I'm violating some PAM rule by passing the IP address as the hostname.
Additionally, some extra stuff will definitely need to be added to allow it to work with IPv6 (which I've completely ignored here).

Thanks,
Rich.