| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150 |
- ------------------------ AUTHENTICATION MODULES ------------------------
- Anybody can add new custom authentication methods to Pure-FTPd without
- recompiling anything, using "authentication modules".
- To enable it, you must ./configure with --with-extauth, or
- --with-everything. Linux binary packages have it enabled by default.
- Here's how they work:
- 1) A client connects to the FTP server and issues a login/password pair.
- 2) The FTP server connects to a local separate daemon, called 'pure-authd'.
- Data transmitted to that daemon is: user's login, user's password, the IP
- address that user connected to, the local port that user connected to and
- the user's remote IP address.
- 3) pure-authd spawns an authentication program. It can be anything,
- including a shell script. The program is given the collected info (login,
- password, IP addresses, etc) as environment variables.
- 4) The authentication program replies (to the standard output) with the
- user's home directory, quota, ratio, bandwidth and if authentication was
- successful or not.
- 5) pure-authd relays this info to pure-ftpd.
- This method is a bit slower than built-in authentication methods. But it's
- very flexible as anyone can easily write his own authentication programs.
- And they can run non-root, chrooted, with limited capabilities, etc.
- Communication between pure-ftpd and pure-authd is done through a local Unix
- socket. It's recommended to put that socket in a directory where non-trusted
- users have no write access to.
- Authentication programs can read the following environment variables to get
- info about the user trying to authenticate:
- AUTHD_ACCOUNT
- AUTHD_PASSWORD
- AUTHD_LOCAL_IP
- AUTHD_LOCAL_PORT
- AUTHD_REMOTE_IP
- AUTHD_ENCRYPTED
- AUTHD_CLIENT_SNI_NAME
- They are self-explanatory. Previous global environment variables aren't
- cleared when the script is called. The content of these variables is
- _not_ quoted. They may contain special characters. They are under the
- control of a possibly malicious remote user.
- The program must respond on the standard output with lines like:
- auth_ok:1
- uid:42
- gid:21
- dir:/home/j
- end
- Note the final 'end' keyword. It's mandatory.
- Here's the list of recognized tokens ('xxx' has of course to be filled):
- * auth_ok:xxx
- If xxx is 0, the user was not found (the next authentication method passed
- to pure\-ftpd will be tried) . If xxx is \-1, the user was found, but there
- was a fatal authentication error: user is root, password is wrong, account
- has expired, etc (next authentication methods will not be tried) . If xxx is
- 1, the user was found and successfully authenticated.
-
- * uid:xxx
- The system uid to be assigned to that user. Must be > 0.
-
- * gid:xxx
- The primary system gid. Must be > 0.
-
- * dir:xxx
- The absolute path to the home directory. Can contain /./ for a chroot jail.
-
- *slow_tilde_expansion:xxx (optional, default is 1)
- When the command 'cd ~user' is issued, it's handy to go to that user's home
- directory, as expected in a shell environment. But fetching account info can
- be an expensive operation for non-system accounts. If xxx is 0, 'cd ~user'
- will expand to the system user home directory. If xxx is 1, 'cd ~user' won't
- expand. You should use 1 in most cases with external authentication, when
- your FTP users don't match system users. You can also set xxx to 1 if you're
- using slow nss_* system authentication modules.
-
- * throttling_bandwidth_ul:xxx (optional)
- The allocated bandwidth for uploads, in bytes per second.
-
- * throttling_bandwidth_dl:xxx (optional)
- The allocated bandwidth for downloads, in bytes per second.
-
- *user_quota_size:xxx (optional)
- The maximal total size for this account, in bytes.
-
- * user_quota_files:xxx (optional)
- The maximal number of files for this account.
-
- * ratio_upload:xxx and radio_download:xxx (optional)
- The user must match a ratio_upload:ratio_download ratio.
- * per_user_max:xxx (optional)
- The maximal authorized number of concurrent sessions.
- ------------------------ EXAMPLE ------------------------
-
-
- Here's a very basic example. Our sample authentication program will only
- accept user 'john' with any password and return a fixed home directory and
- uid/gid.
- #! /bin/sh
- if test "$AUTHD_ACCOUNT" = "john"; then
- echo 'auth_ok:1'
- echo 'uid:69'
- echo 'gid:42'
- echo 'dir:/tmp'
- else
- echo 'auth_ok:0'
- fi
- echo 'end'
- Let's say we save this file as /usr/bin/ftp-auth-handler
- Now, we have to run pure-authd and pure-ftpd, to connect them through a
- local socket and to tell pure-ftpd to use our external authentication module:
- pure-authd -s /var/run/ftpd.sock -r /usr/bin/ftp-auth-handler &
- pure-ftpd -lextauth:/var/run/ftpd.sock &
- That's all. Now, we can only log in as 'john', as all FTP authentication is
- done by the shell script.
|
