PAM has become a standard method of providing secure authentication services within the UNIX environment in the past few years. PAM acts as the interface between the program or system daemon and the underlying authentication methods. It's great strengths are the higher levels of security it affords to the system administrator and it's flexability. As the name suggests the coding interface is common for all PAM supported methods, however behind the scenes many different methods of authentication can be supported. Even to the extent of (for example) supporting RADIUS for ftp access and /etc/shadow for telnet.
ProFTPD requires PAM version 0.59 or better. The pam_sm_open_session system call is not provided in earlier versions and is a requirement of the PAM implementation within Proftpd.
Security, pure and simple. PAM is the most secure (or securable) of the available authentication systems. Many of the issues and configuration hints for PAM are contained in README.PAM which is bundled with the server source and in the various packaged builds. To use /etc/passwd manual compilation will be required with the configure script being run with the --without-pam flag. Unless the PAM subsystem is properly configured authentication will fail.
AuthPAMAuthorative defaults to "off"" allowing other authentication methods to get a look in at authentication time. Setting this to "on" will break support for external files such as AuthUserFile.
If these don't fit in with your system then writing a custom module or using such as the 'ld.so.preload' approach to intercept getpwbynam() system calls works happily with ProFTPD.
Proftpd itself should need little or no configuration to support PAM, however some configuration of the PAM subsystem may be required. One of the most common problems encountered when configuring and using Proftpd is a missing /etc/pam.d/ftp file, if this file isn't installed the authentication requests will fail.
There is a README.Pam in the top directory of the ProFTPD install directory :
Most of the development of Proftpd is done on Redhat based systems, however this should not prevent users of other distributions running the daemon without problems.
Example 8-1. Generic Linux PAM config
#%PAM-1.0 auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed auth required /lib/security/pam_pwdb.so shadow nullok account required /lib/security/pam_pwdb.so session required /lib/security/pam_pwdb.so
SuSE appears to uses pam_unix rather than pam_pwdb which is the Redhat approach. All references to pam_pwdb should be replaced with "pam_unix" on SuSE systems.
Example 8-3. SuSe configuration
/etc/pam.d/ftpd #%PAM-1.0 # Uncomment this to achieve what used to be ftpd -A. # auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/ftpchroot onerr=fail auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed auth sufficient /lib/security/pam_ftp.so auth required /lib/security/pam_unix.so auth required /lib/security/pam_shells.so account required /lib/security/pam_unix.so password required /lib/security/pam_unix.so session required /lib/security/pam_unix.so
ProFTPD requires PAM version 0.59 or better. pam_sm_open_session is not part of previous versions.