From: Grant Slater
Date: Fri, 14 Dec 2018 17:00:34 +0000 (+0000)
Subject: Switch to custom PAM file for FTP
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/4e9f478944695246f83b4173794c36855770b821

Switch to custom PAM file for FTP
---

diff --git a/cookbooks/ftp/recipes/default.rb b/cookbooks/ftp/recipes/default.rb
index 21153f4c4..53fc9423c 100644
--- a/cookbooks/ftp/recipes/default.rb
+++ b/cookbooks/ftp/recipes/default.rb
@@ -17,7 +17,10 @@
 # limitations under the License.
 #

-package "vsftpd"
+package %w[
+ vsftpd
+ libpam-pwdfile
+]

 template "/etc/vsftpd.conf" do
 source "vsftpd.conf.erb"
@@ -26,10 +29,18 @@ template "/etc/vsftpd.conf" do
 mode 0o644
 end

+template "/etc/pam.d/vsftpd" do
+ source "pam-vsftpd.erb"
+ owner "root"
+ group "root"
+ mode 0o644
+end
+
 service "vsftpd" do
- action [:enable] # Do not start the service as config may be broken from failed chef run
+ action [:enable, :start]
 supports :status => true, :restart => true, :reload => true
 subscribes :restart, "template[/etc/vsftpd.conf]"
+ subscribes :restart, "template[/etc/pam.d/vsftpd]"
 end

 firewall_rule "accept-ftp-tcp" do
diff --git a/cookbooks/ftp/templates/default/pam-vsftpd.erb b/cookbooks/ftp/templates/default/pam-vsftpd.erb
new file mode 100644
index 000000000..73b54ae09
--- /dev/null
+++ b/cookbooks/ftp/templates/default/pam-vsftpd.erb
@@ -0,0 +1,2 @@
+auth required pam_pwdfile.so pwdfile=/etc/vsftpd_passwd
+account required pam_permit.so
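Review bot: The new `template "/etc/pam.d/vsftpd"` resource makes every FTP login depend on `/etc/vsftpd_passwd`, but no resource in the visible hunks creates that file or pins its ownership and mode. If it is not managed elsewhere in the cookbook, I would add a `file "/etc/vsftpd_passwd"` resource (owner and group `root`, mode `0o600`, `sensitive true`) ahead of the `service` block, so the password hashes are never left world-readable; vsftpd should only need root to read the file, but confirm that on the target host. The `service` block also drops the old comment explaining why the service was not started without recording why `:start` is now acceptable; if the reasoning is that a failed template aborts the run before the service resource, a one-line comment such as `# Both config templates converge before this resource, so starting here is safe` would preserve that.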
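Review bot: The new PAM file has no comments, and `account required pam_permit.so` means the account phase always succeeds, so the only gate on an FTP login is a matching entry in `/etc/vsftpd_passwd`. That is the usual arrangement for file-backed virtual users, but it should be stated in the template, e.g. `# Virtual users only: auth is checked against /etc/vsftpd_passwd; pam_permit skips account expiry/lock checks` followed by `# Revoke access by removing the user's entry from the password file`. Since pam_pwdfile verifies crypt(3)-style hashes, it is also worth documenting that entries should be generated with a strong scheme (for example SHA-512 crypt) rather than legacy DES or MD5 hashes.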