<!-- $Id: mod_sftp_pam.html,v 1.1 2009/02/13 21:45:12 castaglia Exp $ -->
<!-- $Source: /cvsroot/proftp/proftpd/doc/contrib/mod_sftp_pam.html,v $ -->

<html>
<head>
<title>ProFTPD module mod_sftp_pam</title>
</head>

<body bgcolor=white>

<hr>
<center>
<h2><b>ProFTPD module <code>mod_sftp_pam</code></b></h2>
</center>
<hr><br>

<p>
The <code>mod_sftp_pam</code> module provides support for the "SSH Keyboard-Interactive Authentication" RFC (<a href="http://www.faqs.org/rfcs/rfc4256.html">RFC4256</a>).  How is <code>mod_sftp_pam</code> different from ProFTPD's existing
PAM support, in the form of <code>mod_auth_pam</code>?  The difference is
that the <code>mod_auth_pam</code> module does <b>not</b> echo the prompt,
provided by the underlying PAM library/modules, back to the FTP client;
this <code>mod_sftp_pam</code> module will echo any prompt back to the
connecting SSH2 client.  This makes using onetime-password PAM modules, for
example, work very easily for authenticating SSH2 logins.

<p>
This module is contained in the <code>mod_sftp_pam.c</code> file for
ProFTPD 1.3.<i>x</i>, and is not compiled by default.  Installation
instructions are discussed <a href="#Installation">here</a>; a discussion
on <a href="#Usage">usage</a> is also available.

<p>
The most current version of <code>mod_sftp_pam</code> can be found at:
<pre>
  <a href="http://www.castaglia.org/proftpd/">http://www.castaglia.org/proftpd/</a>
</pre>

<h2>Author</h2>
<p>
Please contact TJ Saunders &lt;tj <i>at</i> castaglia.org&gt; with any
questions, concerns, or suggestions regarding this module.

<h2>Directives</h2>
<ul>
  <li><a href="#SFTPPAMEngine">SFTPPAMEngine</a>
  <li><a href="#SFTPPAMOptions">SFTPPAMOptions</a>
  <li><a href="#SFTPPAMServiceName">SFTPPAMServiceName</a>
</ul>

<hr>
<h2><a name="SFTPPAMEngine">SFTPPAMEngine</a></h2>
<strong>Syntax:</strong> SFTPPAMEngine <em>on|off</em><br>
<strong>Default:</strong> Off<br>
<strong>Context:</strong> &quot;server config&quot;, &lt;VirtualHost&gt;, &lt;Global&gt;<br>
<strong>Module:</strong> mod_sftp_pam<br>
<strong>Compatibility:</strong> 1.3.2rc2 and later

<p>
The <code>SFTPPAMEngine</code> directive toggles the use of the PAM library
for supporting a keyboard-interactive authentication mechanism for SSH2 logins.
By default <code>mod_sftp_pam</code> is disabled for both the main server and
all configured virtual hosts.

<p>
<hr>
<h2><a name="SFTPPAMOptions">SFTPPAMOptions</a></h2>
<strong>Syntax:</strong> SFTPPAMOptions <em>opt1 opt2 ... optN</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> &quot;server config&quot;, &lt;VirtualHost&gt;, &lt;Global&gt;<br>
<strong>Module:</strong> mod_sftp_pam<br>
<strong>Compatibility:</strong> 1.3.2rc2 and later

<p>
The <code>SFTPPAMOptions</code> directive is used to configure various
optional behaviors of <code>mod_sftp_pam</code>; it is directly analogous
to <code>mod_auth_pam</code>'s <code>AuthPAMOptions</code> directive, and
supports the exact same range of options.  See the <code>mod_auth_pam</code>
documentation for more information.

<p>
<hr>
<h2><a name="SFTPPAMServiceName">SFTPPAMServiceName</a></h2>
<strong>Syntax:</strong> SFTPPAMServiceName <em>service</em><br>
<strong>Default:</strong> SFTPPAMServiceName sshd<br>
<strong>Context:</strong> &quot;server config&quot;, &lt;VirtualHost&gt;, &lt;Global&gt;<br>
<strong>Module:</strong> mod_sftp_pam<br>
<strong>Compatibility:</strong> 1.3.2rc2 and later

<p>
The <code>SFTPPAMConfig</code> directive is used to specify the name of the
service used when performing the PAM check; PAM configurations can vary
depending on the service.  By default, the &quot;sshd&quot; service is used.

<p>
Here's an example of changing the <em>service</em> used:
<pre>
  &lt;IfModule mod_sftp_pam.c&gt;
    SFTPPAMEngine on
    SFTPPAMServiceName ftpd
  &lt;/IfModule&gt;
</pre>

<p>
The <code>SFTPPAMServiceName</code> directive is directly analogous to
<code>mod_auth_pam</code>'s <code>AuthPAMConfig</code> directive.

<p>
<hr>
<h2><a name="Installation">Installation</a></h2>
To install <code>mod_sftp_pam</code>, copy the <code>mod_sftp_pam.c</code> file
into:
<pre>
  <i>proftpd-dir</i>/contrib/
</pre>
after unpacking the latest proftpd-1.3.<i>x</i> source code.  Then follow the
usual steps for using third-party modules in proftpd, making sure to include
the <code>mod_sftp</code> module, which <code>mod_sftp_pam</code> requires:
<pre>
  ./configure --with-modules=mod_sftp:mod_sftp_pam ...
  make
  make install
</pre>

<p>
<hr><br>
<h2><a name="Usage">Usage</a></h2>
To use <code>mod_sftp_pam</code>, simply enable the module, and configure
it to use the correct PAM service name, <i>e.g.</i>:
<pre>
  &lt;IfModule mod_sftp_pam.c&gt;
    SFTPPAMEngine on
    SFTPPAMServiceName sftp
  &lt;/IfModule>
</pre>
There is no requirement that <code>mod_sftp_pam</code> use the same PAM
service name as the <code>mod_auth_pam</code> module; this allows you to have
different PAM configurations for FTP versus SSH2 logins.

<p>
<hr><br>

Author: <i>$Author: castaglia $</i><br>
Last Updated: <i>$Date: 2009/02/13 21:45:12 $</i><br>

<br><hr>

<font size=2><b><i>
&copy; Copyright 2008 TJ Saunders<br>
 All Rights Reserved<br>
</i></b></font>

<hr><br>

</body>
</html>