Switch to custom PAM file for FTP
authorGrant Slater <git@firefishy.com>
Fri, 14 Dec 2018 17:00:34 +0000 (17:00 +0000)
committerGrant Slater <git@firefishy.com>
Fri, 14 Dec 2018 17:00:34 +0000 (17:00 +0000)
cookbooks/ftp/recipes/default.rb
cookbooks/ftp/templates/default/pam-vsftpd.erb [new file with mode: 0644]

index 21153f4c440f49f1f0adac5db183edf194ae654b..53fc9423c9075ee235b0f67f84e5083a8bc86627 100644 (file)
 # limitations under the License.
 #
 
-package "vsftpd"
+package %w[
+  vsftpd
+  libpam-pwdfile
+]
 
 template "/etc/vsftpd.conf" do
   source "vsftpd.conf.erb"
@@ -26,10 +29,18 @@ template "/etc/vsftpd.conf" do
   mode 0o644
 end
 
+template "/etc/pam.d/vsftpd" do
+  source "pam-vsftpd.erb"
+  owner "root"
+  group "root"
+  mode 0o644
+end
+
 service "vsftpd" do
-  action [:enable] # Do not start the service as config may be broken from failed chef run
+  action [:enable, :start]
   supports :status => true, :restart => true, :reload => true
   subscribes :restart, "template[/etc/vsftpd.conf]"
+  subscribes :restart, "template[/etc/pam.d/vsftpd]"
 end
 
 firewall_rule "accept-ftp-tcp" do
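Review bot: Nothing in the visible hunks manages `/etc/vsftpd_passwd`, the file that the new `template "/etc/pam.d/vsftpd"` resource points `pam_pwdfile.so` at, even though the service now gets `:start`. That file holds the FTP password hashes, so its owner and mode should be pinned by the recipe rather than left to whoever creates it by hand. A `file` resource without `content` sets the permissions, and creates the file empty if it is missing, without touching existing entries; mode 0600 assumes vsftpd performs the PAM lookup as root, which should be confirmed. It belongs before the `service "vsftpd"` block so the permissions are in place before the service starts. If the file is managed elsewhere in the repository, a comment beside the template resource saying where would be enough.

```ruby
# … unchanged: template "/etc/pam.d/vsftpd" resource …

# Password hashes read by pam_pwdfile; content is not managed here.
file "/etc/vsftpd_passwd" do
  owner "root"
  group "root"
  mode 0o600
end

# … unchanged: service "vsftpd" resource …
```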
diff --git a/cookbooks/ftp/templates/default/pam-vsftpd.erb b/cookbooks/ftp/templates/default/pam-vsftpd.erb
new file mode 100644 (file)
index 0000000..73b54ae
--- /dev/null
@@ -0,0 +1,2 @@
+auth           required        pam_pwdfile.so pwdfile=/etc/vsftpd_passwd
+account required  pam_permit.so
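Review bot: The new PAM file carries no comment saying that it is deliberate for FTP logins to be checked only against the password file. As written, `pam_permit.so` on the `account` line accepts every account without validity checks such as expiry or locking, and a later reader cannot tell whether that was intended. I would add a header such as `# Maintained by Chef. FTP users are virtual: auth comes only from /etc/vsftpd_passwd; account checks are intentionally skipped.` The two lines also use different column spacing; aligning the `account` line with the `auth` line would keep the file readable if more modules are added.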