# Issues Authenticating VSFTPD With PAM



## TankedThomas (Feb 1, 2021)

First, I'm fairly new to FreeBSD. I'm more experienced with Linux (over 10 years), though I'd still consider myself a beginner in the grand scheme of things.
I'm also (obviously) new here, so I apologise if this is posted in the wrong place but I wasn't completely sure where else to put it (since this is primarily an authentication issue unrelated to the purpose of the server). Seems mods decided it _does_ belong under Web and Network Services. Should have gone with my gut instinct!

I'm working on setting up a server with FreeBSD on a VPS. I'm trying to keep it as secure as possible whilst still convenient to use. Also, please keep in mind that when I say "FTP", I'm referring to "SFTP". I know they're different, it's just what I'm used to calling it, so please bear with me.

I'm authenticating my account, we'll call it "main" (not root, but has sudo access), with SSH keys, PasswordAuthentication disabled. This account should NOT be allowed to FTP (but it currently can, using keys).
I have a separate user account, we'll call it "virtualftp", set up for FTP with no shell, and this user is set up under VSFTPD (more on that shortly). This should be the only account allowed for FTP.
In /etc/passwd, it looks like this: 

```
virtualftp:*:1234:1234:FTP User:/var/ftp:/usr/sbin/nologin
```
 (please note, in case it's not clear, I've changed the usernames and UIDs/GIDs for the sake of security, even though I realise it's not strictly necessary).

First of all, here's my sshd_config (all comments removed for brevity):

```
PermitRootLogin no
MaxAuthTries 3
MaxSessions 10
AllowUsers main virtualftp
PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication no
UsePAM yes
X11Forwarding no
PrintMotd yes
UseDNS no
Subsystem	sftp	/usr/libexec/sftp-server
```

My understanding is that PAM requires ChallengeResponseAuthentication, which enables the "interactive-keyboard" authentication type, but that PasswordAuthentication can be left disabled.

Then, I installed VSFTPD and pam_pwdfile (from ports). VSFTPD's config defaults to /usr/local/etc/vsftpd.conf and I have not changed this (not sure how, though I would like it at /usr/local/etc/vsftpd/vsftpd.conf as per Linux, but either way is fine). 
I have added a drop-in file at /etc/pam.d/vsftpd as well as creating a virtual user database with htpasswd at /usr/local/vsftpd/login.db - if it matters, I created login.db with bcrypt at max (17) cost.

Here are my configuration files for vsftpd.conf:

```
anonymous_enable=NO
guest_enable=YES
guest_username=virtualftp
user_sub_token=$USER
local_root=/home/ftp/$USER
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
listen_port=21
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
async_abor_enable=YES
ftpd_banner=Welcome to FTP
chroot_local_user=YES
allow_writeable_chroot=YES
secure_chroot_dir=/usr/local/share/vsftpd/empty
listen=YES
background=YES
max_clients=20
max_per_ip=10
text_userdb_names=YES
use_localtime=YES
force_dot_files=NO
userlist_deny=NO
userlist_enable=YES
userlist_file=/usr/local/etc/vsftpd/userlist
pam_service_name=vsftpd
```
(note that the userlist contains user "virtualftp", but I have tried disabling the list as well)

and for /etc/pam.d/vsftpd:

```
auth		required /usr/local/lib/pam_pwdfile.so	pwdfile		/usr/local/etc/vsftpd/login.db
account		required /usr/lib/pam_permit.so
```

Because user virtualftp's shell is nologin, that obviously causes issues without using virtual users. Virtual users are meant to work around this via PAM... but it doesn't seem to be working. My understanding is that PAM, with ChallengeResponseAuthentication enabled in sshd_config, should be used as secondary authentication, effectively skirting around "PasswordAuthentication no" for the allowed user(s). For the record, "virtualftp" can't log in with SSH keys either.

I can confirm that vsftpd.conf is being read, as I tried changing listenport to 22, which killed VSFTPD, and then instead killed SSH upon restarting the server. Obviously not a great idea, but at least I know the configuration is being read.
The PAM drop-in seems to be working, as I was previously having issues with nologin and pam_shells.so before removing the latter (because there's no way I'm adding nologin to shells).

Looking at the logs, vsftpd.log is completely empty and never seems to be written to, whereas auth.log gives me a fairly generic PAM authentication error:

```
Feb  1 00:00:00 myserver sshd[12345]: error: PAM: Authentication error for virtualftp from 123.456.78.910
Feb  1 00:00:00 myserver sshd[12345]: Postponed keyboard-interactive for virtualftp from 123.456.78.910 port 51644 ssh2 [preauth]
Feb  1 00:00:00 myserver sshd[12345]: Connection closed by authenticating user virtualftp 123.456.78.910 port 51644 [preauth]
```

Finally, I should mention that, because I'm inexperienced with this setup, I had a look for some guides to get me up to speed.
Red Hat's is probably the most comprehensive but is obviously geared towards Linux. Note that you need a subscription to view the article (free developer accounts work, it turns out).
I also looked at this article from 2010 and this one from 2020, neither of which seem to be perfect but are geared more towards FreeBSD than RHEL's guide.

Okay, I think I've given all the info I can possibly conjure up. I've been at this for a few days now and I'm honestly stumped. No amount of loosening security and trying different options seems to work. 
I would be really grateful to anyone and everyone who can help me with this conundrum, please and thank you!


----------

