proftpd works fine but lots of pam_env warnings in /var/log/secure

[Stephen_Stephen]

/var/log/secure:
May 27 10:12:57 proftpd: pam_unix(proftpd:session): session opened for user rambo by (uid=0)
May 27 10:12:57 proftpd[15153]: xx.xx.xx.xx (xx.xxx.xxx.xxx[xx.xxx.xxx.xxx]) - USER rambo: Login successful.
May 27 10:13:30 proftpd: pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: Permission denied
May 27 10:13:30 proftpd: pam_unix(proftpd:session): session closed for user rambo

this warning comes every time the ftp session disconnected: pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: Permission denied

my system is 2.6.32-504.8.1.el6.x86_64 and plesk12.0.18#47

thanks
GD

 

[Linulex]

try changing /etc/pam.d/proftp to

#%PAM-1.0M-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session required pam_loginuid.so


But dont forget to make a copy first in the event something goes wrong.

regards
Jan

 

[Stephen_Stephen]

try changing /etc/pam.d/proftp to

#%PAM-1.0M-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session required pam_loginuid.so


But dont forget to make a copy first in the event something goes wrong.

regards
Jan

Thanks. I've tried that. now when ftp connects the following log message has gone:

proftpd: pam_unix(proftpd:session): session opened for user rambo by (uid=0)

and when ftp disconnects the are no logs. the pam_unix(proftpd:session) message has gone too:

proftpd: pam_unix(proftpd:session): session closed for user rambo

would the suggested changs create any side effect? should the original proftpd setting be there for a reason?

thanks

 

[Linulex]

I have never noticed that. And to be honest, i don't really care when someone is disconnected, maybe thats why i never noticed it. It are the users that are connected that interest me.

 

[Stephen_Stephen]

Not just the disconnected one but also the connected log msg of pam_unix has gone too, something like below
proftpd: pam_unix(proftpd:session): session opened for user rambo by (uid=0)

which might make me think if the changes could lead to any possible risk as the original setting is there for a reason. any idea what pam_unix is?

 

[UFHH01]

Hi Stephen_Dai,

pam_unix is: Module for traditional password authentication ( http://linux.die.net/man/8/pam_unix )

 

[Stephen_Stephen]

Hi Thanks for the info.So does that mean the layer of pam_unix get lifted and it becomes less secure? The pam_unix log msg do not look like warnings at all I haven't got a problem with pam_unix and it's not what I want to get rid of anyway.


Say I want to undo the changes: Originally before I made the changes to /etc/pam.d/proftpd the log of /var/log/secure creates the following warning every time ftp disconnects:
...
proftpd: pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: Permission denied
...
This is the one I am concerned. does anyone know what it does/means too? I've checked /etc/security/pam_env.conf is an equivalence of an empty file.

 

[Linulex]

Not just the disconnected one but also the connected log msg of pam_unix has gone too, something like below
proftpd: pam_unix(proftpd:session): session opened for user rambo by (uid=0)

which might make me think if the changes could lead to any possible risk as the original setting is there for a reason. any idea what pam_unix is?

The logs now show

May 30 10:18:28 res2 proftpd[28580]: xxxx.xxx.xx.xx (92.70.34.26[92.70.34.26]) - USER king: Login successful

at what time they logged in
from what ip they logged in
Who logged in

That is all the information i need in a login log.

Have a look at this thread http://talk.plesk.com/threads/deprecated-pam_stack-module-called-from-service-proftpd.283465/

the session message will be back again, but so will the error.

kind regards
Jan

 

[Stephen_Stephen]

would the change of /etc/pam.d/proftpd creates any security risk?

 

[madadam]

I tried the above changes to /etc/pam.d/proftpd but still see the following issue:

Feb 10 09:47:40 a proftpd: pam_listfile(proftpd:auth): Couldn't open /etc/ftpusers
Feb 10 09:47:40 a proftpd[3618]: xxx.xxx.xxx.xxx (174.123.136.2[174.123.136.2]) - USER fredblogs: Login successful.
Feb 10 09:47:40 a proftpd: pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: Permission denied

My proftpd file is as follows:

#%PAM-1.0M-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session required pam_loginuid.so

OS ‪CentOS 6.6 (Final)‬
Plesk version 12.5.30 Update #20, last updated at Feb 8, 2016 05:07 PM

Can anyone help / advise how to get rid of the errors?