Oberon || Compiler & Tools || Library || Module Index || Search Engine

Ulm's Oberon System:
adis-ftplogin

NAME

adis-ftplogin - checkpassword plug-in for FTP logins

SYNOPSIS

adis-ftplogin command

DESCRIPTION

adis-ftplogin is a plug-in that conforms to the checkpassword interface by Dan J. Bernstein that may be used in the context of adis-ftpup and adis-ftpsession(1).

adis-ftplogin

extracts a user name and a password from file descriptor 3,
derives a login name from the user name by taking the part before the first dash in it,
checks the login for existance and retrieves its passwd entry using getpwnam(3c),
verifies that the given password does not match that of the passwd entry,
denies further proceeding for UIDs less than 100,
changes effective and real user and group IDs to those of the passwd entry,
honors all further groups like initgroups(3c),
tries to open .ftppasswd in the home directory specified in the passwd entry,
looks for an entry inside .ftppasswd for the given user name (consisting of the login name, a dash, and an extension part),
checks the password against that of the .ftppasswd entry, and
if all checks succeeded, invokes command with the options and the root directory found in the third field of the matching .ftppasswd entry.

DIAGNOSTICS

adis-ftplogin does not touch the bidirectional network connection inherited through file descriptor 0. The network connection, however, is closed in case of failures as adis-ftplogin is (in a typical setup) the only process keeping it. Hence, FTP clients will just see a drop of the connection instead of an error message in case of authentication failures.

An exit code of 1 indicates a permanent authorization failure, an exit code of 111 is used for temporary problems.

A log entry is provided to syslog with priority auth.info for each invocation that

documents the parameters passed to command in case of success, or
provide an error message otherwise.

The password is not logged.

An email message to root is generated

if a password was provided that matches the login password, and
on tries to login as root or other accounts with a UID less than 100.

SECURITY CONSIDERATIONS

As long no encrypting network layers are involved, login credentials for FTP are passed as clear text over network connections. Therefore protocols like that of ssh and scp are to be preferred. In many contexts, however, FTP with all its inherent insecurities is the only convenient option to exchange data. The idea of adis-ftplogin is to minimize the risk of clear text passwords for FTP by

enforcing other passwords than the fully privileged password that allows to login to a ordinary shell, and by
allowing an unrestricted number of FTP logins to make individual FTP accesses as restrictive as possible.

It may be wise, however, to apply periodical checks on the root directories and options specified in the user's .ftppasswd files if they match the local policy. The security considerations of FTPUnixFileSystems apply here.