PAM
PAM (Pluggable Authentication Modules)
The use of PAM by proftpd is very specific: the server only uses PAM to check whether a given user should or should not be allowed to login. This means that the necessary information for a user must be defined in some other source (e.g. /etc/passwd, an AuthUserFile, mod_sql, mod_ldap, etc.) before PAM comes into play. The PAM API does not allow for information such as UID, GID, home directory, etc. to be passed by PAM modules, and since proftpd requires this information in order to set up an FTP session properly, an auth module other than mod_auth_pam is needed.
The PAM check only happens during the dispatching of the auth_authenticate() request; mod_auth_pam registers only one authentication handler for this. The following pseudocode from mod_auth's _do_auth() function shows the sequence of events:

    check for UserPassword
      if present, and if user exists, call auth_check()
      done

    call auth_authenticate()

As this function is only called after auth_getpwnam() has been called, the user must exist in other sources before that user will be checked using PAM.
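
The ordering described above, as an added example that is not proftpd's own code: a self-contained C model in which a user known only to the PAM stack is rejected before PAM is ever consulted. Every name here (model_login, model_getpwnam, model_pam_check, the accounts and passwords) is hypothetical and the data is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample accounts standing in for a non-PAM source such as an
 * AuthUserFile. user_password models a UserPassword override (NULL = none);
 * the real server compares hashes, plain strings keep the model short. */
struct account { const char *name; int uid, gid; const char *home, *user_password; };
static const struct account accounts[] = {
    { "alice", 1001, 1001, "/home/alice", NULL },
    { "bob",   1002, 1002, "/home/bob",   "bob-override" },
};

static int pam_calls; /* how many times the PAM stand-in was consulted */

/* Stand-in for the PAM stack: it answers allow (1) or deny (0), nothing else. */
static int model_pam_check(const char *user, const char *pw) {
    pam_calls++;
    return (strcmp(user, "alice") == 0 && strcmp(pw, "alice-pw") == 0) ||
           (strcmp(user, "carol") == 0 && strcmp(pw, "carol-pw") == 0);
}

/* Stand-in for auth_getpwnam(): the only place UID/GID/home come from. */
static const struct account *model_getpwnam(const char *user) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0) return &accounts[i];
    return NULL;
}

enum login_result { LOGIN_OK, NO_SUCH_USER, BAD_PASSWORD };

/* Same order as the pseudocode: lookup, UserPassword check, then PAM. */
static enum login_result model_login(const char *user, const char *pw,
                                     const struct account **out) {
    const struct account *acct = model_getpwnam(user);
    if (acct == NULL) return NO_SUCH_USER;        /* PAM is never reached */
    if (acct->user_password != NULL) {            /* UserPassword: check and done */
        if (strcmp(pw, acct->user_password) != 0) return BAD_PASSWORD;
    } else if (!model_pam_check(user, pw)) {
        return BAD_PASSWORD;
    }
    *out = acct;
    return LOGIN_OK;
}

int main(void) {
    const struct account *a = NULL;
    /* carol has a valid PAM password but no account entry: rejected before PAM. */
    return model_login("carol", "carol-pw", &a) == NO_SUCH_USER && pam_calls == 0 ? 0 : 1;
}
```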