pam_ftp
Authenticate FTP users using PAM
SYNOPSIS
`pam_ftp` is a PAM module configured in service files. Its typical usage within a PAM configuration file appears as:

    auth <control_flag> pam_ftp.so [module_arguments]
Where `<control_flag>` can be `required`, `requisite`, `sufficient`, or `optional`, defining the module's criticality in the authentication stack. `[module_arguments]` are specific options passed to `pam_ftp.so` to customize its behavior.
PARAMETERS
db=<path>
Specifies the path to a DBM database file (e.g., `/etc/ftpusers.db`) containing user or host entries to be checked.
file=<path>
Specifies the path to a flat file (e.g., `/etc/ftpusers`) containing user or host entries to be checked. Each entry is typically on a new line.
ignore_missing_db
If this option is present, the module will not fail if the specified DBM database file (`db` option) does not exist. It will simply act as if no entries were found in the database.
no_host_check
Disables the module's host-based checks. When this option is given, only user-based checks are performed.
DESCRIPTION
`pam_ftp` is a Pluggable Authentication Module (PAM) designed to control access for anonymous FTP users. It is not a standalone executable command but rather a shared library (`pam_ftp.so`) that is configured within PAM service files (e.g., `/etc/pam.d/ftp`). Its primary function is to deny or allow access based on a list of users or hostnames, typically stored in a flat file like `/etc/ftpusers` or a DBM database. When an anonymous FTP session attempts to authenticate, `pam_ftp` checks the provided credentials against its configured database or file, determining whether the connection should be permitted or denied according to predefined rules. This module helps enforce access policies, preventing specific users or hosts from connecting to an anonymous FTP server.
CAVEATS
`pam_ftp` is specifically designed for controlling access to anonymous FTP accounts. It does not handle authentication for regular user accounts. Its usage might be less common in modern FTP server setups, which often provide more integrated and flexible access control mechanisms within the server software itself (e.g., `vsftpd`, `proftpd`). Ensuring the database or flat file it relies on is correctly maintained and secured is crucial for effective access control.
PAM CONFIGURATION CONTEXT
When configuring `pam_ftp` in a PAM service file (e.g., `/etc/pam.d/ftp`), it is typically placed in the `auth` stack. For example:

    auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
    auth required pam_ftp.so db=/etc/ftpusers.db
The order and control flags (`required`, `sufficient`, etc.) of PAM modules are critical as they dictate the flow of authentication. `pam_ftp` provides a specific check within this sequence.
FLAT FILE FORMAT (/ETC/FTPUSERS)
The flat file specified by the `file` option (commonly `/etc/ftpusers`) typically contains one user or hostname per line. Users listed in this file are usually denied access, though the exact interpretation can depend on the FTP server's configuration and other PAM modules.
DBM DATABASE FORMAT
The DBM database (`db` option) stores key-value pairs. Keys could be usernames or hostnames, and values might represent permissions or flags. The exact schema for this database depends on how `pam_ftp` expects to query it, often mapping to simple presence/absence for access control.
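The following is an added example, not code from pam_ftp or the Linux-PAM project. It models the two list formats described in the FLAT FILE FORMAT and DBM DATABASE FORMAT sections above: a flat file with one user or hostname per line, and a DBM file keyed by name where presence alone denies access. The file names, the case-insensitive comparison, the deny-on-presence rule and the fail-closed handling of a missing flat file are assumptions of the example; the `ignore_missing_db` and `no_host_check` behaviour follows the option descriptions on this page.

```python
"""Toy model of the two access-list formats this page describes for pam_ftp:
a flat file with one user or hostname per line and a DBM database keyed by
name. Added example, not pam_ftp's own code. File names, the deny-on-presence
rule, case-insensitive matching and the fail-closed handling of a missing
flat file are assumptions."""
import dbm
import os
import tempfile


def load_flat_file(path):
    """Return the entries of a flat list file (one name per line).
    Blank lines and '#' comments are skipped; names are lower-cased so the
    lookup is case-insensitive (an assumption of this example)."""
    entries = set()
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            name = line.split("#", 1)[0].strip()
            if name:
                entries.add(name.lower())
    return entries


def build_dbm(path, names):
    """Create a DBM file whose keys are the listed names. The value is not
    consulted: presence alone denies, the simple presence/absence schema
    the page mentions."""
    with dbm.open(path, "n") as db:
        for name in names:
            db[name.lower().encode()] = b"deny"


def dbm_lookup(path, names, ignore_missing_db):
    """True if any name is a key in the DBM file. A missing database is an
    error unless ignore_missing_db is set, in which case it behaves as an
    empty list, mirroring the option this page documents."""
    try:
        with dbm.open(path, "r") as db:
            return any(name.lower().encode() in db for name in names)
    except dbm.error:
        if ignore_missing_db:
            return False
        raise


def is_denied(user, host, *, flat_file=None, db_file=None,
              ignore_missing_db=False, no_host_check=False):
    """Deny when the user (or the client host, unless no_host_check) appears
    in either configured list. A missing flat file raises, so the caller
    denies (fails closed) rather than silently allowing."""
    candidates = [user] if no_host_check else [user, host]
    if flat_file is not None:
        listed = load_flat_file(flat_file)
        if any(c.lower() in listed for c in candidates):
            return True
    if db_file is not None and dbm_lookup(db_file, candidates, ignore_missing_db):
        return True
    return False


def demo():
    """Build constructed sample lists in a temp directory and return the
    access decision for each scenario so they can be checked."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        flat = os.path.join(tmp, "ftpusers")
        with open(flat, "w", encoding="utf-8") as fh:  # constructed sample list
            fh.write("# constructed sample list\nroot\nbin\n\n"
                     "evil.example.net  # blocked client host\n")
        db = os.path.join(tmp, "ftpusers.db")
        build_dbm(db, ["guest", "mirror.example.org"])  # constructed sample
        results["root_flat"] = is_denied("root", "client.example.com", flat_file=flat)
        results["anon_ok"] = is_denied("anonymous", "client.example.com",
                                       flat_file=flat, db_file=db)
        results["host_flat"] = is_denied("anonymous", "evil.example.net", flat_file=flat)
        results["host_skipped"] = is_denied("anonymous", "evil.example.net",
                                            flat_file=flat, no_host_check=True)
        results["guest_db"] = is_denied("GUEST", "client.example.com", db_file=db)
        missing = os.path.join(tmp, "absent.db")
        results["missing_ignored"] = is_denied("anonymous", "client.example.com",
                                               db_file=missing, ignore_missing_db=True)
        try:
            is_denied("anonymous", "client.example.com", db_file=missing)
            results["missing_raises"] = False
        except dbm.error:
            results["missing_raises"] = True
    return results


if __name__ == "__main__":
    for scenario, denied in demo().items():
        print(f"{scenario}: {'deny' if denied else 'allow'}")
```

The example fails closed when a list file is absent. That is the defender's view of the `onerr=succeed` argument in the `pam_listfile.so` line shown in PAM CONFIGURATION CONTEXT: with that setting an unreadable or missing `/etc/ftpusers` makes the deny check pass, so the existence and permissions of the list file are part of the control and worth monitoring.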
HISTORY
`pam_ftp` was developed as part of the Linux-PAM (Pluggable Authentication Modules) project. It emerged to provide a modular way for FTP daemons to manage access for anonymous users, particularly in environments where traditional `ftpusers` files or more complex DBM databases were used for access control. Its design aligns with the PAM philosophy of separating authentication policy from application logic, allowing system administrators to define and modify authentication schemes without recompiling applications. While still functional, its direct use for anonymous FTP control has sometimes been superseded by more comprehensive features built into modern FTP server software, which can handle similar access restrictions internally or via other PAM modules like `pam_listfile.so`.