Intro
vsftpd is a useful daemon which I use to run an ftps service (ftp which uses TLS encryption). Since I am not part of the group that administers the server, it makes sense for me to maintain my own userlist rather than rely on the system password database. vsftpd has a convenient feature which allows this known as virtual users.
More details
In /etc/pam.d/vsftpd.virtual I have:
auth required pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
account required pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
session required pam_loginuid.so
In the file /etc/vsftpd-virtual-user.db I have my Berkeley database of users and passwords. See references on how to set this up.
The point is that I had this all working last year – 2019 – on my SLES 12SP4 server.
Then it all broke
Then in early May, 2020, all the FTPs stopped working. The status of the vsftpd service hinted that the file /lib64/security/pam_userdb.so could not be loaded. Sure enough, it was missing! I checked some of my other SLES12SP4 servers, some of which are on a different patch schedule. It was missing on some, and present on one. So I “borrowed” pam_userdb.so from the one server which still had it and put it onto my server in /lib64/security. All good. Service restored. But clearly that is a hack.
What’s going on
So I asked a Linux expert what’s going on and got a good explanation.
pam_userdb has been moved to a separate package, named pam-extra
1) http://lists.suse.com/pipermail/sle-security-updates/2020-April/006661.html
2) https://www.suse.com/support/update/announcement/2020/suse-ru-20200822-1/
Advisory ID: SUSE-RU-2020:917-1
Released: Fri Apr 3 15:02:25 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510
This update for pam fixes the following issues:
- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)
Installing the package pam-extra should resolve your issue.
I installed the pam-extra package using zypper, and, yes, it creates a /lib64/security/pam_userdb.so file!
And vsftpd works once more using supported packages.
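As an added example (not part of the original post), here is a shell check for the failure described above: it lists every PAM module a service file references that is absent from the module directory. The function name missing_pam_modules is made up for this example; the default directory /lib64/security is the one from this post.

```shell
#!/bin/sh
# Added example: report PAM modules named in a service file that are missing on disk.
# Usage: sh check-pam.sh /etc/pam.d/vsftpd.virtual [/lib64/security]

# missing_pam_modules PAM_FILE [MODULE_DIR]
# Prints one missing module per line.
# Returns 0 if all modules exist, 1 if any are missing, 2 if PAM_FILE is unreadable.
missing_pam_modules() {
    pam_file=$1
    module_dir=${2:-/lib64/security}
    [ -r "$pam_file" ] || { echo "cannot read $pam_file" >&2; return 2; }

    # The module is normally field 3, but a bracketed control such as
    # [success=1 default=ignore] spans several fields, so take the first
    # field ending in .so instead. Comments, blank lines and "include"
    # directives carry no module and are skipped.
    missing=$(awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        { for (i = 1; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break } }
    ' "$pam_file" | sort -u | while read -r mod; do
        case $mod in
            /*) path=$mod ;;                # module given as an absolute path
            *)  path=$module_dir/$mod ;;    # module looked up in the module directory
        esac
        [ -e "$path" ] || echo "$mod"
    done)

    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Run the check only when the script is called with arguments.
if [ "$#" -gt 0 ]; then
    missing_pam_modules "$@"
fi
```

Run after each patch cycle against every file in /etc/pam.d, this flags a module that an update has moved to another package before the service that needs it fails to authenticate anyone.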
Conclusion
Virtual users with vsftpd require pam_userdb.so. However, PAM wished to decouple itself from dependency on external databases, etc., so they bundled this kind of thing into a separate package, pam-extra, more-or-less in the middle of a patch cycle. So if you had the problem I had, the solution may be as simple as installing the pam-extra package on your system. Although I experienced this on SLES, I believe it has happened or will happen on other Linux flavors as well.
This problem is poorly documented on the Internet.
References and related
https://www.cyberciti.biz/tips/centos-redhat-vsftpd-ftp-with-virtual-users.html