Pluggable Authentication Modules (PAM)

PAM has become a standard method of providing secure authentication services within the UNIX environment in the past few years. PAM acts as the interface between the program or system daemon and the underlying authentication methods. It's great strengths are the higher levels of security it affords to the system administrator and it's flexability. As the name suggests the coding interface is common for all PAM supported methods, however behind the scenes many different methods of authentication can be supported. Even to the extent of (for example) supporting RADIUS for ftp access and /etc/shadow for telnet.

ProFTPD requires PAM version 0.59 or better. The pam_sm_open_session system call is not provided in earlier versions and is a requirement of the PAM implementation within Proftpd.

Why is PAM the default authentication system?

Security, pure and simple. PAM is the most secure (or securable) of the available authentication systems. Many of the issues and configuration hints for PAM are contained in README.PAM which is bundled with the server source and in the various packaged builds. To use /etc/passwd manual compilation will be required with the configure script being run with the --without-pam flag. Unless the PAM subsystem is properly configured authentication will fail.


AuthPAMAuthorative defaults to "off"" allowing other authentication methods to get a look in at authentication time. Setting this to "on" will break support for external files such as AuthUserFile.


If these don't fit in with your system then writing a custom module or using such as the '' approach to intercept getpwbynam() system calls works happily with ProFTPD.

Typical PAM configuration

Proftpd itself should need little or no configuration to support PAM, however some configuration of the PAM subsystem may be required. One of the most common problems encountered when configuring and using Proftpd is a missing /etc/pam.d/ftp file, if this file isn't installed the authentication requests will fail.

There is a README.Pam in the top directory of the ProFTPD install directory :


Most of the development of Proftpd is done on Redhat based systems, however this should not prevent users of other distributions running the daemon without problems.

Example 8-1. Generic Linux PAM config

auth       required     /lib/security/ item=user
sense=deny file=/etc/ftpusers onerr=succeed
auth       required     /lib/security/ shadow nullok
account    required     /lib/security/
session    required     /lib/security/

Redhat Linux

Example 8-2. Redhat 6.* configuration

auth       required     /lib/security/ item=user
sense=deny file=/etc/ftpusers onerr=succeed
auth       required     /lib/security/ shadow nullok
account    required     /lib/security/
session    required     /lib/security/


SuSE appears to uses pam_unix rather than pam_pwdb which is the Redhat approach. All references to pam_pwdb should be replaced with "pam_unix" on SuSE systems.

Example 8-3. SuSe configuration


# Uncomment this to achieve what used to be ftpd -A.
# auth       required     /lib/security/ item=user sense=allow file=/etc/ftpchroot onerr=fail

auth     required       /lib/security/ item=user
sense=deny file=/etc/ftpusers onerr=succeed
auth     sufficient     /lib/security/
auth     required       /lib/security/
auth     required       /lib/security/
account  required       /lib/security/
password required       /lib/security/
session  required       /lib/security/


FreeBSD does not support PAM session directives. If you remove the following line from the FreeBSD section of README.PAM, PAM should work properly under recent versions of FreeBSD.

Example 8-4. FreeBSD configuration

ftp session required         try_first_pass

pam_sm_open_session errors

ProFTPD requires PAM version 0.59 or better. pam_sm_open_session is not part of previous versions.

Conficts with PAM authentication

Generally these problems will be cured by either disabling PAM completely or by ensuring that these directives are set

PersistentPasswd   off
AuthPAMAuthorative off