Pam configuration help for freebsd-ftpd under 15.0

I have an old camera which ftp's data to my newly updated FreeBSD box (15.0). Since the standard ftpd is no longer on FreeBSD, I loaded freebsd-ftpd from ports. Now I'm getting PAM errors in messages:
Code:
ftpd[37074]: in openpam_load_file(): /etc/pam.d/ftpd: Too many open files
ftpd[37074]: pam_start: System error
ftpd[37078]: in openpam_load_file(): /etc/pam.d/ftpd: Too many open files
ftpd[37078]: pam_start: System error
Could someone point me to a solution to resolve these errors? I've read pam.conf but am in need of examples.
 
Is the FTP accessible from the internet? You might be getting hammered with brute-force attacks.
 
Well, this is funky:
Code:
# cat /etc/pam.d/ftpd
#
# PAM configuration for the "ftp" service.  This is not used by the FreeBSD
# ftpd(8), but is provided for compatibility with FTP servers from ports.
#

# auth
auth            include         ftpd

# account
account         include         ftpd

# session
session         include         ftpd
It tries to include itself, this probably keeps looping until you run out of file handles.
 
Had a look on an older 13 server, /etc/pam.d/ftpd should look like this:
Code:
% cat /etc/pam.d/ftpd
#
#
# PAM configuration for the "ftpd" service
#

# auth
#auth           sufficient      pam_krb5.so             no_warn
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_unix.so

# session
session         required        pam_permit.so

But it seems the contents of /etc/pam.d/ftp (it only contains include ftpd) got copied to /etc/pam.d/ftpd thereby creating an infinite loop.
 
Thanks for the input, the error messages appear to have stopped and ftpd seems to work out of inetd. Can't say that I understand everything, especially the no_login.so for the account section, but everything appears to work, and I even think I understand the reason for the error messages, so thanks again.
 
ftpd seems to work out of inetd.
It can be configured to run that way, yes. It can also run as a "stand-alone" daemon.

especially the no_login.so for the account section
It's basically a check to verify the account hasn't been disabled (nologin(5)). If it is, it shows the contents of /var/run/nologin, or whatever file the nologin capability (login.conf(5)) is pointing to.

I even think I understand the reason for the error messages
ftpd has a line that includes itself, so /etc/pam.d/ftpd includes /etc/pam.d/ftpd which includes /etc/pam.d/ftpd which includes /etc/pam.d/ftpd, this goes on and on until the system runs out of resources. Kind of troubling actually, I'm wondering why PAM does nothing to prevent this from happening in the first place.
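
A check for the include loop discussed in this thread, as an added example that is not from any poster nor from FreeBSD or OpenPAM: it builds a per-facility include graph from pam.d policy files and reports every chain that re-enters itself. The function names are hypothetical, and the sample policies are constructed from the file contents quoted and described above.

```python
from pathlib import Path

FACILITIES = {"auth", "account", "session", "password"}

# Constructed sample: the self-including ftpd policy from the thread, plus an
# "ftp" policy written from its description ("it only contains include ftpd").
LOOP = "auth include ftpd\naccount include ftpd\nsession include ftpd\n"
BROKEN = {"ftpd": LOOP, "ftp": LOOP}
# Active lines of the FreeBSD 13 ftpd policy quoted in the thread.
FIXED = dict(BROKEN, ftpd=(
    "auth    required pam_unix.so no_warn try_first_pass\n"
    "account required pam_nologin.so\n"
    "account required pam_unix.so\n"
    "session required pam_permit.so\n"))

def parse_includes(text):
    """Return (facility, target) for each 'facility include target' line."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 3 and fields[0] in FACILITIES and fields[1] == "include":
            pairs.append((fields[0], fields[2]))
    return pairs

def find_include_cycles(policies):
    """policies: {service: file text}. Return cycles as lists of (service, facility)."""
    graph = {}
    for service, text in policies.items():
        for facility, target in parse_includes(text):
            # An include pulls in the same facility's chain from the target policy.
            graph.setdefault((service, facility), []).append((target, facility))
    cycles, done = [], set()

    def visit(node, path):
        if node in path:  # back edge: this chain re-enters itself
            cycles.append(path[path.index(node):] + [node])
        elif node not in done:
            for nxt in graph.get(node, []):
                visit(nxt, path + [node])
            done.add(node)

    for node in sorted(graph):
        visit(node, [])
    return cycles

def load_policies(directory):
    """Read every regular file in a pam.d directory into {service: text}."""
    return {p.name: p.read_text(errors="replace")
            for p in Path(directory).iterdir() if p.is_file()}
```

Calling `find_include_cycles(load_policies("/etc/pam.d"))` runs the same check on a live system; an empty list means no policy includes itself, directly or through another file.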
 