Tuesday, August 03, 2010

Gotcha of the Day: ProFTP server claims password is wrong when it isn't

I was trying to do something really simple: add a new FTP user to a server. Everything went great, except I couldn't actually FTP using the new user credentials.

Whenever I did, I got the following error in /var/log/auth.log:

Aug  3 09:28:30 XXX proftpd[7352]: a.b.c.d (a.b.c.d[a.b.c.d]) - USER foo (Login failed): Incorrect password. 
Aug  3 09:28:30 XXX proftpd[7352]: a.b.c.d (a.b.c.d[a.b.c.d]) - FTP session closed. 

I tried resetting the password, ssh'ing as the new user, and su'ing as the new user -- these all worked, yet I kept getting the above Incorrect password message.

Poking around on the web, I was inspired by this article to check the PAM configuration. I opened up /etc/pam.d/ftpd and my problem immediately became obvious:

# PAM configuration for the "ftpd" service
#
auth            required        pam_group.so            group=xftp
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            required        pam_unix.so             no_warn try_first_pass
account         required        pam_unix.so
session         required        pam_permit.so

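The first line was the critical one -- it says that any user logging in is required to be in the xftp group. Because the module is marked required, a user outside that group fails authentication even when the password is correct, and the FTP server reports the failure as an incorrect password.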

I edited /etc/group and added the new user to the xftp group - and bam! it was working. Just like that.

So the lesson of the day: when in doubt check the PAM configuration.
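
The check this post arrives at can be scripted. The following is an added example, not code from the original post: it reads a PAM service file for auth lines that require pam_group.so membership and reports which of those groups a user is missing. The function names, the user alice and the sample group file are constructed for illustration, and membership is read only from the group file's member list.

```shell
#!/bin/sh
# Added example: find pam_group.so requirements in a PAM service file and
# check a user against them. Paths and sample data below are constructed.

# required_groups PAM_FILE -> group names demanded by auth pam_group.so lines
required_groups() {
    awk '$1 == "auth" && ($2 == "required" || $2 == "requisite") &&
         $3 ~ /pam_group\.so$/ {
             for (i = 4; i <= NF; i++)
                 if ($i ~ /^group=/) print substr($i, 7)
         }' "$1"
}

# in_group USER GROUP GROUP_FILE -> exit 0 if USER is in the member list
# (field 4 of group(5)); primary groups from the passwd file are not checked.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$3"
}

# check_user USER PAM_FILE GROUP_FILE -> prints "ok" or one "missing:GROUP"
# line per unmet requirement; returns non-zero if anything is missing.
check_user() {
    rc=0
    for g in $(required_groups "$2"); do
        in_group "$1" "$g" "$3" || { echo "missing:$g"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# Constructed sample: auth lines from the post, and a group file in which
# only the hypothetical user "alice" belongs to xftp.
demo=$(mktemp -d)
cat > "$demo/ftpd" <<'EOF'
# PAM configuration for the "ftpd" service
auth            required        pam_group.so            group=xftp
auth            required        pam_nologin.so          no_warn
auth            required        pam_unix.so             no_warn try_first_pass
EOF
printf 'wheel:*:0:root\nxftp:*:1001:alice\n' > "$demo/group"

check_user alice "$demo/ftpd" "$demo/group" || true   # prints: ok
check_user foo   "$demo/ftpd" "$demo/group" || true   # prints: missing:xftp
```

On a live system the same check would be run as check_user foo /etc/pam.d/ftpd /etc/group.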
