<!-- $Id: mod_sftp_pam.html,v 1.1 2009/02/13 21:45:12 castaglia Exp $ -->
<!-- $Source: /cvsroot/proftp/proftpd/doc/contrib/mod_sftp_pam.html,v $ -->

<html>
<head>
<title>ProFTPD module mod_sftp_pam</title>
</head>

<body bgcolor=white>

<hr>
<center>
<h2><b>ProFTPD module <code>mod_sftp_pam</code></b></h2>
</center>
<hr><br>

<p>
The <code>mod_sftp_pam</code> module provides support for the "SSH
Keyboard-Interactive Authentication" RFC
(<a href="http://www.faqs.org/rfcs/rfc4256.html">RFC4256</a>). How is
<code>mod_sftp_pam</code> different from ProFTPD's existing PAM support, in
the form of <code>mod_auth_pam</code>? The difference is that the
<code>mod_auth_pam</code> module does <b>not</b> echo the prompt, provided
by the underlying PAM library/modules, back to the FTP client; this
<code>mod_sftp_pam</code> module will echo any prompt back to the connecting
SSH2 client. This makes it easy, for example, to use one-time-password PAM
modules for authenticating SSH2 logins.

<p>
This module is contained in the <code>mod_sftp_pam.c</code> file for
ProFTPD 1.3.<i>x</i>, and is not compiled by default. Installation
instructions are discussed <a href="#Installation">here</a>; a discussion
on <a href="#Usage">usage</a> is also available.

<p>
The most current version of <code>mod_sftp_pam</code> can be found at:
<pre>
  <a href="http://www.castaglia.org/proftpd/">http://www.castaglia.org/proftpd/</a>
</pre>

<h2>Author</h2>
<p>
Please contact TJ Saunders &lt;tj <i>at</i> castaglia.org&gt; with any
questions, concerns, or suggestions regarding this module.
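<p>
The prompts described in the opening paragraph reach the SSH2 client in an RFC 4256 <code>SSH_MSG_USERAUTH_INFO_REQUEST</code> message, where each prompt carries a boolean telling the client whether to display what the user types. The following Python is an added example, not code from <code>mod_sftp_pam</code> or ProFTPD; the function names, the sample prompts, the mapping from Linux-PAM message styles and the 16-prompt cap are assumptions made for illustration.
</p>

```python
import struct

SSH_MSG_USERAUTH_INFO_REQUEST = 60               # RFC 4256 message number
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON = 1, 2   # Linux-PAM message styles

def ssh_string(text):
    """SSH 'string': uint32 big-endian length followed by the UTF-8 bytes."""
    raw = text.encode("utf-8")
    return struct.pack(">I", len(raw)) + raw

def build_info_request(pam_messages, name="", instruction=""):
    """Server side: pack (style, text) PAM prompts into one INFO_REQUEST."""
    out = bytes([SSH_MSG_USERAUTH_INFO_REQUEST])
    out += ssh_string(name) + ssh_string(instruction) + ssh_string("")  # lang tag
    out += struct.pack(">I", len(pam_messages))
    for style, text in pam_messages:
        # Only an explicit ECHO_ON prompt lets the client show typed input.
        out += ssh_string(text) + bytes([style == PAM_PROMPT_ECHO_ON])
    return out

def parse_info_request(packet, max_prompts=16):
    """Client side: return (name, instruction, [(prompt, echo), ...])."""
    if not packet or packet[0] != SSH_MSG_USERAUTH_INFO_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_INFO_REQUEST")
    pos = 1

    def take(n):
        nonlocal pos
        if n > len(packet) - pos:      # length fields are untrusted input
            raise ValueError("truncated packet")
        chunk = packet[pos:pos + n]
        pos += n
        return chunk

    def take_string():
        (length,) = struct.unpack(">I", take(4))
        return take(length).decode("utf-8")

    name, instruction, _lang = take_string(), take_string(), take_string()
    (count,) = struct.unpack(">I", take(4))
    if count > max_prompts:            # reject before looping on a forged count
        raise ValueError("too many prompts")
    prompts = [(take_string(), take(1) != b"\x00") for _ in range(count)]
    return name, instruction, prompts

# Constructed sample: prompts a one-time-password PAM stack might produce.
SAMPLE = build_info_request([(PAM_PROMPT_ECHO_OFF, "Password: "),
                             (PAM_PROMPT_ECHO_ON, "One-time code: ")])
```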
<h2>Directives</h2>
<ul>
  <li><a href="#SFTPPAMEngine">SFTPPAMEngine</a>
  <li><a href="#SFTPPAMOptions">SFTPPAMOptions</a>
  <li><a href="#SFTPPAMServiceName">SFTPPAMServiceName</a>
</ul>

<hr>
<h2><a name="SFTPPAMEngine">SFTPPAMEngine</a></h2>
<strong>Syntax:</strong> SFTPPAMEngine <em>on|off</em><br>
<strong>Default:</strong> Off<br>
<strong>Context:</strong> "server config", &lt;VirtualHost&gt;, &lt;Global&gt;<br>
<strong>Module:</strong> mod_sftp_pam<br>
<strong>Compatibility:</strong> 1.3.2rc2 and later

<p>
The <code>SFTPPAMEngine</code> directive toggles the use of the PAM library
for supporting a keyboard-interactive authentication mechanism for SSH2
logins. By default <code>mod_sftp_pam</code> is disabled for both the main
server and all configured virtual hosts.

<p>
<hr>
<h2><a name="SFTPPAMOptions">SFTPPAMOptions</a></h2>
<strong>Syntax:</strong> SFTPPAMOptions <em>opt1 opt2 ... optN</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> "server config", &lt;VirtualHost&gt;, &lt;Global&gt;<br>
<strong>Module:</strong> mod_sftp_pam<br>
<strong>Compatibility:</strong> 1.3.2rc2 and later

<p>
The <code>SFTPPAMOptions</code> directive is used to configure various
optional behaviors of <code>mod_sftp_pam</code>; it is directly analogous to
<code>mod_auth_pam</code>'s <code>AuthPAMOptions</code> directive, and
supports the exact same range of options. See the <code>mod_auth_pam</code>
documentation for more information.

<p>
<hr>
<h2><a name="SFTPPAMServiceName">SFTPPAMServiceName</a></h2>
<strong>Syntax:</strong> SFTPPAMServiceName <em>service</em><br>
<strong>Default:</strong> SFTPPAMServiceName sshd<br>
<strong>Context:</strong> "server config", &lt;VirtualHost&gt;, &lt;Global&gt;<br>
<strong>Module:</strong> mod_sftp_pam<br>
<strong>Compatibility:</strong> 1.3.2rc2 and later

<p>
The <code>SFTPPAMServiceName</code> directive is used to specify the name of
the service used when performing the PAM check; PAM configurations can vary
depending on the service.
By default, the "sshd" service is used.

<p>
Here's an example of changing the <em>service</em> used:
<pre>
  &lt;IfModule mod_sftp_pam.c&gt;
    SFTPPAMEngine on
    SFTPPAMServiceName ftpd
  &lt;/IfModule&gt;
</pre>

<p>
The <code>SFTPPAMServiceName</code> directive is directly analogous to
<code>mod_auth_pam</code>'s <code>AuthPAMConfig</code> directive.

<p>
<hr>
<h2><a name="Installation">Installation</a></h2>
To install <code>mod_sftp_pam</code>, copy the <code>mod_sftp_pam.c</code>
file into:
<pre>
  <i>proftpd-dir</i>/contrib/
</pre>
after unpacking the latest proftpd-1.3.<i>x</i> source code. Then follow the
usual steps for using third-party modules in proftpd, making sure to include
the <code>mod_sftp</code> module, which <code>mod_sftp_pam</code> requires:
<pre>
  ./configure --with-modules=mod_sftp:mod_sftp_pam ...
  make
  make install
</pre>

<p>
<hr><br>
<h2><a name="Usage">Usage</a></h2>
To use <code>mod_sftp_pam</code>, simply enable the module, and configure it
to use the correct PAM service name, <i>e.g.</i>:
<pre>
  &lt;IfModule mod_sftp_pam.c&gt;
    SFTPPAMEngine on
    SFTPPAMServiceName sftp
  &lt;/IfModule&gt;
</pre>
There is no requirement that <code>mod_sftp_pam</code> use the same PAM
service name as the <code>mod_auth_pam</code> module; this allows you to
have different PAM configurations for FTP versus SSH2 logins.

<p>
<hr><br>

Author: <i>$Author: castaglia $</i><br>
Last Updated: <i>$Date: 2009/02/13 21:45:12 $</i><br>

<br><hr>

<font size=2><b><i>
&copy; Copyright 2008 TJ Saunders<br>
 All Rights Reserved<br>
</i></b></font>

<hr><br>

</body>
</html>