Package: proftpd
Version: 1.2.10-15sarge4
Severity: grave

I have proftpd installed on one of our production servers. It seems like any user registered with the system can initiate an ftp session whether or not he correctly enters his password. I've been investigating this for a while without finding any explanation. Here is /etc/pam.d/proftd:
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
@include common-auth
# This is disabled because anonymous logins will fail otherwise,
# unless you give the 'ftp' user a valid shell, or /bin/false and add
# /bin/false to /etc/shells.
auth required pam_shells.so

and /etc/pam.d/common-auth:

auth sufficient pam_unix.so nullok_secure
auth sufficient pam_ldap.so try_first_pass

Would that explain why a registered unix user can initiate a session without providing any password?

Greetings,
Eric.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages proftpd depends on:
ii  adduser          3.63                Add and remove users and groups
ii  debconf          1.4.30.13           Debian configuration management sy
ii  libc6            2.3.2.ds1-22sarge4  GNU C Library: Shared libraries an
ii  libcap1          1:1.10-14           support for getting/setting POSIX.
ii  libpam0g         0.76-22             Pluggable Authentication Modules l
ii  libssl0.9.7      0.9.7e-3sarge4      SSL shared libraries
ii  libwrap0         7.6.dbs-8           Wietse Venema's TCP wrappers libra
ii  netbase          4.21                Basic TCP/IP networking system
ii  proftpd-common   1.2.10-15sarge4     Versatile, virtual-hosting FTP dae
ii  ucf              1.17                Update Configuration File: preserv

-- debconf information:
  shared/proftpd/warning:
* shared/proftpd/inetd_or_standalone: standalone
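As an added example (not part of the bug report), a small Python model of how Linux-PAM evaluates an auth stack with `required` and `sufficient` controls, applied to the stack quoted above: when both `sufficient` modules reject the password, their failures are ignored and only the two `required` modules decide the outcome, which is the classic reason such stacks are closed with `auth required pam_deny.so`. Module verdicts are constructed scenario inputs, not output from the reporter's system.

```python
# Added example: a simplified model of Linux-PAM auth-stack evaluation for the
# control flags used in the quoted configuration. Verdicts are constructed.
SUCCESS, FAIL = "success", "fail"

# The reporter's /etc/pam.d/proftpd stack with common-auth inlined at @include.
STACK = [
    ("required", "pam_listfile"),   # deny users listed in /etc/ftpusers
    ("sufficient", "pam_unix"),     # from common-auth (nullok_secure)
    ("sufficient", "pam_ldap"),     # from common-auth (try_first_pass)
    ("required", "pam_shells"),     # user must have a shell in /etc/shells
]

# The same stack closed with pam_deny, so that "no sufficient module accepted
# the password" becomes a failure instead of falling through to success.
HARDENED = STACK + [("required", "pam_deny")]

# Constructed scenario: a registered Unix user who is not in /etc/ftpusers,
# has a valid shell, and types the WRONG password. pam_deny is absent from the
# map and therefore defaults to FAIL, as the real module always does.
WRONG_PASSWORD = {"pam_listfile": SUCCESS, "pam_unix": FAIL,
                  "pam_ldap": FAIL, "pam_shells": SUCCESS}


def evaluate(stack, verdicts):
    """Return SUCCESS or FAIL for the whole stack.

    Simplified Linux-PAM semantics:
      required   - a failure is remembered, but later modules still run
      requisite  - a failure ends the stack immediately with failure
      sufficient - a success ends the stack with success unless an earlier
                   required module already failed; a failure is ignored
    """
    required_failed = False
    for control, module in stack:
        verdict = verdicts.get(module, FAIL)
        if control == "required":
            required_failed = required_failed or verdict == FAIL
        elif control == "requisite":
            if verdict == FAIL:
                return FAIL
        elif control == "sufficient":
            if verdict == SUCCESS and not required_failed:
                return SUCCESS
    # No sufficient module accepted: the required modules alone decide.
    return FAIL if required_failed else SUCCESS


if __name__ == "__main__":
    print("quoted stack, wrong password:  ", evaluate(STACK, WRONG_PASSWORD))
    print("with pam_deny, wrong password: ", evaluate(HARDENED, WRONG_PASSWORD))
```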