From owner-freebsd-questions Tue Mar 5 15:47: 5 2002
Subject: pw EXPIRE field not honored by FTP/PAM (again)?
From: John-David Childs
To: freebsd-questions@freebsd.org
Date: 05 Mar 2002 16:46:54 -0700
Message-Id: <1015372014.14115.188.camel@lohr>

PR bin/20952 seems to have reared its ugly head again. I'm using password *and* account expire on an FTP server...but neither the standard ftpd NOR proftpd honor an expired account, even though sshd/login do.

Relevant entries in /etc/pam.conf

# If the user can authenticate with S/Key, that's sufficient; allow
# clear password. Try kerberos, then try plain unix password.
login   auth      sufficient  pam_skey.so
login   auth      requisite   pam_cleartext_pass_ok.so
#login  auth      sufficient  pam_kerberosIV.so  try_first_pass
login   auth      required    pam_unix.so        try_first_pass
login   account   required    pam_unix.so
login   password  required    pam_permit.so
login   session   required    pam_permit.so

# Same requirement for ftpd as login
ftpd    auth      sufficient  pam_skey.so
ftpd    auth      requisite   pam_cleartext_pass_ok.so
#ftpd   auth      sufficient  pam_kerberosIV.so  try_first_pass
ftpd    auth      required    pam_unix.so        try_first_pass

THE NEXT THREE LINES are the only diff to /etc/pam.conf version 1.6.2.13 (RELENG_4 and RELEASE-4-5-0). I was trying to set ftpd up *exactly* as login.
I've tried with and without these lines:

ftpd    account   required    pam_unix.so
ftpd    password  required    pam_permit.so
ftpd    session   required    pam_permit.so

I've also tried adding "ftp" (in addition to "ftpd") lines in /etc/pam.conf (for proftpd, even though the ports version changes mod_pam.c to use "ftpd").

Here's the user I'm testing with:

taliacyn:/usr/local/libexec>pw usershow xfertest -P
Login Name: xfertest        #100          Group: users           #100
 Full Name: Xfertest
      Home: /home/xfertest                Class:
     Shell: /bin/sh                      Office: [None]
Work Phone: [None]                   Home Phone: [None]
Acc Expire: Tue Mar 5 2002 00:00:00  Pwd Expire: Mon Mar 4 2002 15:45:19

Before I submit a PR, I want to double-check with this list that I'm not doing something wrong...and/or that someone else can verify this report.
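
An added example, not part of the original message: a small parser for the pam.conf layout quoted above that compares the ftpd stack with the login stack, facility by facility, which is the check the poster describes doing by hand. The sample configuration is constructed from the entries quoted in the message; the function and constant names are hypothetical.

```python
"""Compare two services' PAM stacks in an old-style /etc/pam.conf."""

# Constructed sample: the entries quoted in the message, without the
# three ftpd lines the poster added.
SAMPLE_PAM_CONF = """\
login auth sufficient pam_skey.so
login auth requisite pam_cleartext_pass_ok.so
#login auth sufficient pam_kerberosIV.so try_first_pass
login auth required pam_unix.so try_first_pass
login account required pam_unix.so
login password required pam_permit.so
login session required pam_permit.so
ftpd auth sufficient pam_skey.so
ftpd auth requisite pam_cleartext_pass_ok.so
#ftpd auth sufficient pam_kerberosIV.so try_first_pass
ftpd auth required pam_unix.so try_first_pass
"""
# The three lines the poster added to make ftpd match login.
ADDED_FTPD_LINES = """\
ftpd account required pam_unix.so
ftpd password required pam_permit.so
ftpd session required pam_permit.so
"""
FACILITIES = ("auth", "account", "password", "session")

def parse_pam_conf(text):
    """Return {service: {facility: [(control, module, args), ...]}}."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 4:  # blank, comment-only or malformed line
            continue
        service, facility, control, module = fields[:4]
        entry = (control, module, tuple(fields[4:]))
        stacks.setdefault(service, {}).setdefault(facility, []).append(entry)
    return stacks

def compare_services(stacks, reference, target):
    """Return [(facility, reference_entries, target_entries)] where they differ."""
    diffs = []
    for facility in FACILITIES:
        ref = stacks.get(reference, {}).get(facility, [])
        tgt = stacks.get(target, {}).get(facility, [])
        if ref != tgt:  # order matters: PAM evaluates a stack top to bottom
            diffs.append((facility, ref, tgt))
    return diffs

if __name__ == "__main__":
    for label, conf in (("as quoted", SAMPLE_PAM_CONF),
                        ("with added lines", SAMPLE_PAM_CONF + ADDED_FTPD_LINES)):
        diffs = compare_services(parse_pam_conf(conf), "login", "ftpd")
        print(label, [f for f, _, _ in diffs] or "ftpd matches login")
```

A matching stack only shows what is configured; whether the daemon actually invokes the account facility is a separate question, and it is the one this message raises.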