HTTPS/FTP/SFTP-combined service using PAM

Hello all PAM-people!

I'm creating a special service that allows users access to a chrooted file-area through 3 different protocols, and I need some suggestions from you experts.

The goal is to let users use any of these protocols: HTTPS/FTP/SSH2 (sftp only) to get access to the same chrooted file-area (/), where they can do uploads/downloads.
The users don't have any shell access at all (I'm using restricted shell (rssh) to deny shell access to ssh-users).

At the moment, each service has a different account database, namely:
/etc/passwd for proftpd (with chroot function); denied users are set in /etc/ftpusers
/data/etc/passwd (for chrooted sftp-users); denied users are set in /etc/ssh/sshd_config, DenyUsers
/opt/apache/.htpasswd-users for apache users.

Now as you can see, administering users is not trivial.
I have made a special script that uses useradd to add the user to the local system, and it automatically edits these configuration files to disable/enable access for each service (ftp, https, sftp).

As another option for sftp-users, they can choose between using asymmetric key login (public/private key) or password (for manual logins). Since most of the users have system batch jobs accessing the sftp-service, they need key logins to authenticate, since adding ssh passwords isn't supported in scripts (for safety reasons).

It has turned out this user administration is bad because a single edit error could destroy a whole user database.

Another issue is that having /etc/passwd as a user database allows system accounts to be exposed and brute-force attacked.

So I have been looking for a new way to implement this service, and came to the conclusion PAM would solve this!

Something like this:

Apache service (HTTPS) -> login form -> PAM module 1 -> central password database
Proftpd service (FTP) -> login prompt -> PAM module 2 -> central password database
SSH service (SFTP only) -> login prompt -> PAM module 3 -> central password database

A future service is FTP over SSL:
FTP SSL service -> login prompt -> PAM module 4 -> central password database

Central password database could be a Cisco Secure RADIUS or LDAP-server or mysql-database, depends which will work best :-)

A requirement is that the database would have to contain an access column for each user (HTTPS/FTP/SFTP) and that all logins are logged in a single log.

Is there ANY way to implement this without having to add local unix user accounts?

As I have understood, most of the PAM auth modules give 0 or 1 as the answer, 1 for a successful login. It does not say which rights the user has.

Also I wonder if ssh-sftp public-key login will work without a local user?

Can anyone guide me on this?

Sorry for a very long post, I hope someone has time to help. I will quickly answer all your replies.

I have been looking at: pam_radius, pam_tacplus, pam_mysql, mod_auth_shadow for apache and php-pam (for PHP)

Cheers,

Magnus

System:
Solaris 8
Apache 1.3.x
OpenSSH 3.7.1p2 with my own sftp-chroot-patch
Proftpd 1.2.8
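The stack the post sketches (each service's PAM entry pointing at one central table that carries a per-service access column, with all logins written to one log table), as an added example that is not part of the original post. It assumes pam_mysql is installed as /usr/lib/security/pam_mysql.so, a MySQL database "auth" on db.example.org reachable with a hypothetical read-only account pamro/secret, a users table with columns username, passwd (crypt(3) hash), ftp, https and sftp (0/1 flags), and an authlog table; the option names follow pam_mysql's README and must be checked against the installed version.

```conf
# /etc/pam.conf fragment, Solaris 8 syntax: service type control module options
# Added example (not from the original post). Assumptions: pam_mysql is
# installed as /usr/lib/security/pam_mysql.so; a MySQL database "auth" on
# db.example.org with a read-only account pamro/secret (hypothetical); a table
#   users(username, passwd, ftp, https, sftp)   -- passwd is a crypt(3) hash,
#                                               -- ftp/https/sftp are 0/1 flags
# and a table
#   authlog(msg, user, host, pid, time)         -- the single combined login log
# Option names as in pam_mysql's README; verify them against your version.

# FTP: proftpd built with mod_auth_pam (default PAM service name "ftp").
# where= is appended to pam_mysql's user lookup, so a user with ftp=0 simply
# does not match and the login fails; the same module answers every service,
# only the where= clause differs. sqllog=1 writes each attempt to authlog.
ftp   auth     required  /usr/lib/security/pam_mysql.so user=pamro passwd=secret host=db.example.org db=auth table=users usercolumn=username passwdcolumn=passwd crypt=1 where=users.ftp=1 sqllog=1 logtable=authlog logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time
ftp   account  required  /usr/lib/security/pam_mysql.so user=pamro passwd=secret host=db.example.org db=auth table=users usercolumn=username passwdcolumn=passwd crypt=1 where=users.ftp=1

# SFTP: OpenSSH with "UsePAM yes" in sshd_config (PAM service name "sshd").
# Public-key logins never reach the auth stack, only account and session,
# so the sftp=1 gate has to be on the account line as well. Whether a given
# pam_mysql version applies where= in its account hook varies: test with a
# user whose key is valid but whose sftp column is 0 before relying on it.
sshd  auth     required  /usr/lib/security/pam_mysql.so user=pamro passwd=secret host=db.example.org db=auth table=users usercolumn=username passwdcolumn=passwd crypt=1 where=users.sftp=1 sqllog=1 logtable=authlog logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time
sshd  account  required  /usr/lib/security/pam_mysql.so user=pamro passwd=secret host=db.example.org db=auth table=users usercolumn=username passwdcolumn=passwd crypt=1 where=users.sftp=1

# HTTPS: Apache 1.3 with mod_auth_pam (PAM service name "httpd"). php-pam's
# pam_auth() uses the service name "php" unless pam.servicename is set in
# php.ini; give it its own stanza with the same where=users.https=1 clause.
httpd auth     required  /usr/lib/security/pam_mysql.so user=pamro passwd=secret host=db.example.org db=auth table=users usercolumn=username passwdcolumn=passwd crypt=1 where=users.https=1 sqllog=1 logtable=authlog logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time
httpd account  required  /usr/lib/security/pam_mysql.so user=pamro passwd=secret host=db.example.org db=auth table=users usercolumn=username passwdcolumn=passwd crypt=1 where=users.https=1

# login, other, etc. keep the stock Solaris pam_unix entries; nothing above
# is consulted for console or system logins, so system accounts stay out of
# the service-facing database.
```

Two caveats go with this. PAM only answers "may this user authenticate"; sshd and proftpd still call getpwnam(3) to obtain the uid, gid and home directory (sshd also needs the home directory to find authorized_keys for public-key logins), and pam_mysql provides no NSS backend, so the users must be resolvable some other way: through nsswitch.conf (for example nss_ldap if the central database is LDAP) or, for proftpd, its mod_sql/mod_ldap virtual-user support. The pam.conf file is also world-readable by default and these lines carry the database password, so keep the pamro account read-only and limited to the users and authlog tables.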


_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
