Topic: ProFTPD "Deprecated pam_stack" (Read 9696 times)

artm
ProFTPD "Deprecated pam_stack"
« on: June 29, 2008, 10:58:56 am »
I see a lot of entries in /var/log/secure like this:

Jun 22 09:14:51 proftpd: Deprecated pam_stack module called from service "proftpd"
Jun 22 09:14:51 proftpd: pam_succeed_if(proftpd:session): error retrieving information about user 0

Any idea what triggers this and how I can fix it?

As far as I can tell FTP is working fine for all users, but I'd like to get to the bottom of this error. I am on RHEL5.

- ProFTPD Version: 1.3.1 (stable)
 -   Scoreboard Version: 01040002
 -   Built: Fri Apr 25 21:11:01 NOVST 2008
 -     Module: mod_core.c
 -     Module: mod_xfer.c
 -     Module: mod_auth_unix.c
 -     Module: mod_auth_file/0.8.3
 -     Module: mod_auth.c
 -     Module: mod_ls.c
 -     Module: mod_log.c
 -     Module: mod_site.c
 -     Module: mod_delay/0.6
 -     Module: mod_codeconv.c
 -     Module: mod_auth_pam/1.0.1
 -     Module: mod_ratio.c
 -     Module: mod_readme.c
 -     Module: mod_quota.c
 -     Module: mod_tls/2.1.2
 -     Module: mod_cap/1.0

castaglia
Re: ProFTPD "Deprecated pam_stack"
« Reply #1 on: June 30, 2008, 04:19:00 pm »
Check your PAM configuration file (usually /etc/pam.d/<service> or /etc/pam.conf); it sounds like the PAM configuration for "ftpd" (or "proftpd") references some "pam_stack" PAM module that has been deprecated.

artm
Re: ProFTPD "Deprecated pam_stack"
« Reply #2 on: June 30, 2008, 05:05:40 pm »
Thanks castaglia!

I have this:

#%PAM-1.0
auth       required   pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required   pam_stack.so service=system-auth
auth       required   pam_shells.so
account    required   pam_stack.so service=system-auth
session    required   pam_stack.so service=system-auth

So I should delete "auth required pam_stack.so service=system-auth" you reckon? (I found https://www.redhat.com/archives/fedora-devel-list/2005-October/msg00050.html which may be relevant)

And restart ProFTPD? ('scuse my ignorance, "service proftpd restart" or "/etc/rc.d/init.d/proftpd restart" do not work!)

artm
Re: ProFTPD "Deprecated pam_stack"
« Reply #3 on: July 02, 2008, 12:47:34 pm »
OK - some progress!

These lines in /etc/pam.d/proftpd need to change:
auth       required   pam_stack.so service=system-auth
account    required   pam_stack.so service=system-auth
session    required   pam_stack.so service=system-auth

To:
auth       include      system-auth
account    include      system-auth
session    include      system-auth

No restart required after that.

However, yet another problem remains that I would like to get to the bottom of. When an FTP session ends I get this in the log file:

Jul  2 13:18:09 my.domain proftpd: pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory
Jul  2 13:18:09 my.domain proftpd: pam_succeed_if(proftpd:session): error retrieving information about user 0

But /etc/security/pam_env.conf DOES exist (owned by root) and is set with permissions 644.
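
The pam_stack-to-include change from the post above, as an added example (not code from the thread or from the ProFTPD project): a small Python filter that rewrites "required pam_stack.so service=X" rules to "include X" and reports any pam_stack rule with a different control for manual review, because "include" pulls in the target file's rules instead of returning one module result. The function name and the last sample line are assumptions made for this example; the rest of the sample is the file posted in Reply #2.

```python
import re

# One PAM rule: optional "-", type, control (word or [bracketed]), module, args.
RULE = re.compile(
    r"^(?P<type>-?(?:auth|account|session|password))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$"
)

# /etc/pam.d/proftpd as posted in Reply #2; the final "password" line is
# constructed here to show a rule that must not be rewritten blindly.
SAMPLE = """\
#%PAM-1.0
auth       required   pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required   pam_stack.so service=system-auth
auth       required   pam_shells.so
account    required   pam_stack.so service=system-auth
session    required   pam_stack.so service=system-auth
password   sufficient pam_stack.so service=system-auth
"""

def migrate_pam_stack(text):
    """Return (new_text, review). pam_stack rules with control 'required' are
    rewritten to 'include'; any other pam_stack rule is left unchanged and
    listed in review as (line_number, line) for a manual decision."""
    out, review = [], []
    for num, line in enumerate(text.splitlines(), 1):
        m = RULE.match(line.strip())
        if not m or not m["module"].endswith("pam_stack.so"):
            out.append(line)  # comments, blanks, other modules: unchanged
            continue
        service = re.search(r"(?:^|\s)service=(\S+)", m["args"])
        if m["control"] == "required" and service:
            out.append(f"{m['type']:<10} include      {service.group(1)}")
        else:
            # Inlining the target's rules under another control (for example
            # sufficient) does not behave like the old single-module result.
            out.append(line)
            review.append((num, line))
    return "\n".join(out) + "\n", review

if __name__ == "__main__":
    new_text, review = migrate_pam_stack(SAMPLE)
    print(new_text, end="")
    for num, line in review:
        print(f"# review line {num}: {line}")
```

Run it against a copy of the file and diff the result before replacing anything under /etc/pam.d.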

castaglia
Re: ProFTPD "Deprecated pam_stack"
« Reply #4 on: July 02, 2008, 04:15:49 pm »
It sounds like your FTP session has been chrooted (in which case, system files expected by stupid libraries like PAM, which cannot deal with chroots, will not be found), either via an <Anonymous> login or via the DefaultRoot directive.

artm
Re: ProFTPD "Deprecated pam_stack"
« Reply #5 on: July 02, 2008, 04:23:45 pm »
Yes I see. That makes sense - thanks!

I probably need to give up on this - or try to find out where the request for "/etc/security/pam_env.conf" gets made and block it (the conf is empty anyway!).

I hate my log files filling up with crap!