ProFTPD Developer's Guide: PAM

ProFTPD Version 1.2

Table of Contents

PAM (Pluggable Authentication Modules)
The use of PAM by proftpd is very specific: the server only uses PAM to check whether a given user should or should not be allowed to login. This means that the necessary information for a user must be defined some other source (e.g. /etc/passwd, an AuthUserFile, mod_sql, mod_ldap, etc) before PAM comes into play. The PAM API does not allow for information such as UID, GID, home directory, etc to be passed by PAM modules, and since proftpd requires this information in order to setup an FTP session properly, an auth module other than mod_auth_pam is needed.

The PAM check only happens during the dispatching of the auth_authenticate() request; mod_auth_pam registers only one authentication handler for this. The following pseudocode from mod_auth's _do_auth() function shows the sequence of events:

  check for UserPassword
    if present, and if user exists, call auth_check()
  call auth_authenticate()
As this function is only called after auth_getpwnam() has been called, the user must exist in other sources before that user will be checked using PAM.

Table of Contents

Author: $Author: castaglia $
Last Updated: $Date: 2003/04/24 23:18:08 $

© Copyright 2000-2003 TJ Saunders
All Rights Reserved