Dec 071999
 

proftpd and FreeBSD

This article describes how I got proftpd to work with FreeBSD 3-3 STABLE.

Background

I recently upgraded a box from 3.3-RELEASE to 3.3-STABLE.   In the process, I encountered problems with proftpd.  Specifically, anonymous login worked, but regular users could not log in.  The error message was:
Dec  6 23:00:15 synergy proftpd[346]: unable to resolve symbol: 
                pam_sm_close_session
Dec  6 23:00:16 synergy proftpd[346]: PAM(dan): Authentication failure
Dec  6 23:00:16 synergy proftpd[346]: USER dan: incorrect password 
             from yourbox.yourdomain.org [10.0.0.20] to 10.0.0.100:21

My first port of call was the proftpd homepage at http://www.proftpd.org/ and I checked the http://hamster.wibble.org/proftpd/ questions on PAM.  I followed the suggestions (found there and in the FreeBSD mailing list archives) and remove the entry from /etc/pam.conf (third line shown below):

ftp auth    required    pam_unix.so         try_first_pass
ftp account required    pam_unix.so         try_first_pass
#ftp session required    pam_unix.so         try_first_pass

But this didn’t allow the user to login.  However, if I add the following option to /usr/local/etc/proftpd.conf:

AuthPAMAuthoritative off

the logins work but these errors remain:

Dec 7 00:04:07 synergy proftpd[3779]: PAM(dan): Authentication failure

Solution

At the prompting of someone from the FreeBSD Questions mailing list, I went to archives at  http://www.proftpd.org/proftpd-l-archive/ and starting searching.  Eventually, I found http://www.proftpd.org/proftpd-l-archive/99-10/msg00632.html which mentioned proftpd-1.2.0pre9.  I checked the ftp site at ftp://ftp.tos.net/pub/proftpd/ and found the file in question.  I downloaded it, configured it, installed it, and it worked.

The install

First I fetched the tarball:
/usr/ports/ftp/
fetch -P ftp://ftp.tos.net/pub/proftpd/proftpd-1.2.0pre9.tar.gz
tar xvfz proftpd-1.2.0pre9.tar.gz
cd proftpd-1.2.0pre9

In the README file, you’ll find a reference to --enable-force-setpassent.   I eventually figured out that this refers to a command line parameter to ./configure.   You should also read INSTALL.

I ran the configure script like this:

install_user=nobody install_group=wheel ./configure 
                                          --enable-force-setpassent

This will run proftpd as user nobody in group wheel.

Note that the program will install to a different location than that of the port.

port /usr/local/libexec/proftpd this install /usr/local/sbin/proftpd

I had the port, so first I deinstalled the port:

pkg_delete proftpd-1.2.0p8

The next step was:

make
make install

Don’t forget to update your startup script to reflect the new location:

more /usr/local/etc/rc.d/proftpd.sh
#!/bin/sh
/bin/mkdir -p /var/run/proftpd
if [ -x /usr/local/sbin/proftpd ]; then
        /usr/local/sbin/proftpd && echo -n ' proftpd'
fi

With this new version, I removed:

AuthPAMAuthoritative No

from /usr/local/etc/proftpd.conf so proftpd would use PAM.   Actually, the logins worked with or without PAM.  So it’s your choice.