# Pure-FTPd with PAM - default deny

## plat0nic

I have Pure-FTPd installed and plan on using PAM for authentication.

ftpbase provided /etc/pam.d/ftp, which has the following line:

```
auth     required  pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
```

I don't like this method. It requires ensuring /etc/ftpusers is updated with anyone who shouldn't be explicitly allowed FTP access.

Besides the fact that the file 'ftpusers' in this context has an entirely different meaning (which I've thought about reporting to the bugtracker), this method is not entirely secure.

What I want to do is set the following:

```
auth     required  pam_listfile.so item=user sense=allow file=/etc/ftpallow onerr=fail
```

If I am correct in my thinking, this should automatically deny FTP access to anyone not listed in /etc/ftpallow.

Are there any repercussions I'm unaware of to having this type of setup?

If not, why isn't this the default way of doing it?

----------
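Added example, not from the post and not code from Pure-FTPd or Linux-PAM: a small Python model of the decision rules `pam_listfile.so item=user` applies, run over constructed list files, to compare the two stanzas quoted above. It shows what each one decides for a listed user, an unlisted user, and for the case the poster is worried about: the list file being unusable (missing, or world-writable). The rules follow pam_listfile(8) (`sense`, `onerr`, refusal of a world-writable file); the return-code names are PAM's, but the functions, the sample user names and the `run_demo` scenarios are assumptions made for this illustration.

```python
"""Model of pam_listfile's item=user decision logic (constructed example).

Not the module's C source and not wired into PAM; it only reproduces which
users each stanza lets through, so the default deny-list and the proposed
allow-list can be compared on the same inputs.
"""
import os
import stat
import tempfile

# PAM return codes the module can hand back to the stack.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_SERVICE_ERR = "PAM_SERVICE_ERR"  # what onerr=fail maps to


def pam_listfile_user(user, path, sense, onerr):
    """Decide like: auth required pam_listfile.so item=user sense=<sense>
    file=<path> onerr=<onerr>.  Returns one of the PAM_* constants."""
    if sense not in ("allow", "deny") or onerr not in ("succeed", "fail"):
        raise ValueError("bad pam_listfile arguments")
    on_error = PAM_SUCCESS if onerr == "succeed" else PAM_SERVICE_ERR

    try:
        info = os.lstat(path)
    except OSError:
        # File missing or unreadable: onerr decides.  With onerr=succeed
        # this is where a deny-list silently becomes "everyone gets in".
        return on_error
    if (info.st_mode & stat.S_IWOTH) or not stat.S_ISREG(info.st_mode):
        # A world-writable or non-regular list file is refused outright
        # and treated as a denial, regardless of onerr.
        return PAM_AUTH_ERR
    try:
        with open(path, encoding="utf-8") as fh:
            entries = {line.strip() for line in fh if line.strip()}
    except OSError:
        return on_error

    listed = user in entries
    if sense == "allow":
        return PAM_SUCCESS if listed else PAM_AUTH_ERR
    return PAM_AUTH_ERR if listed else PAM_SUCCESS


def run_demo():
    """Run both stanzas over constructed list files and return
    {scenario: {user: result}} so the two policies can be compared."""
    users = ["root", "alice", "mallory"]  # constructed sample users
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ftpusers = os.path.join(tmp, "ftpusers")  # stands in for /etc/ftpusers
        ftpallow = os.path.join(tmp, "ftpallow")  # stands in for /etc/ftpallow
        missing = os.path.join(tmp, "does-not-exist")
        with open(ftpusers, "w", encoding="utf-8") as fh:
            fh.write("root\ndaemon\n")  # constructed deny list
        with open(ftpallow, "w", encoding="utf-8") as fh:
            fh.write("alice\n")  # constructed allow list
        os.chmod(ftpusers, 0o644)
        os.chmod(ftpallow, 0o644)

        # ftpbase default: deny-list, fail open on error.
        results["deny_list_present"] = {
            u: pam_listfile_user(u, ftpusers, "deny", "succeed") for u in users}
        results["deny_list_missing"] = {
            u: pam_listfile_user(u, missing, "deny", "succeed") for u in users}
        # Proposed stanza: allow-list, fail closed on error.
        results["allow_list_present"] = {
            u: pam_listfile_user(u, ftpallow, "allow", "fail") for u in users}
        results["allow_list_missing"] = {
            u: pam_listfile_user(u, missing, "allow", "fail") for u in users}
        # Same allow-list but onerr=succeed: a missing file opens the door again.
        results["allow_list_missing_onerr_succeed"] = {
            u: pam_listfile_user(u, missing, "allow", "succeed") for u in users}
        # A world-writable allow-list is refused and everyone is denied.
        os.chmod(ftpallow, 0o666)
        results["allow_list_world_writable"] = {
            u: pam_listfile_user(u, ftpallow, "allow", "fail") for u in users}
    return results


if __name__ == "__main__":
    for scenario, per_user in run_demo().items():
        print(scenario)
        for user, result in per_user.items():
            print(f"  {user:8s} -> {result}")
```

Two things the model makes visible that the stanzas alone do not: the default's `onerr=succeed` means a deleted or mistyped /etc/ftpusers grants every account FTP access, while the allow-list with `onerr=fail` degrades to "nobody logs in", which is the failure mode you want for a service you rarely touch; and `onerr=fail` is what makes the allow-list fail closed, so do not copy the default's `onerr=succeed` onto `sense=allow`. One further caveat on the stanza itself: with control `required`, a denial from pam_listfile is recorded but the remaining `auth` modules still run (so pam_unix still prompts for and checks the password); `requisite` would stop the stack immediately. Either way the login fails, but the difference is visible in logs and in timing.

----------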

## plat0nic

So changing the PAM rule like above has been working fine without any side effects, but I'm eager for some enlightenment as to why this isn't the default way.

----------

## plat0nic

Over 100 views and nobody has a single thing to say? Really?

----------

## cach0rr0

Well, the issue is solved, and I don't know that anyone else has a ton to say with regards to why that's not the default other than "not sure, good question".

ProFTPD took a really, really major reputation hit a while back when a backdoor was slipped into its published source. The user base was already dwindling; that seems to have been somewhat of a nail.

By the by, non-anonymous FTP itself has gone the way of the dodo. Aside from shared hosts and things of that nature, nothing that cares all that much about auth/security nowadays relies on FTP.

----------

## plat0nic

I don't rely on it, but I have it available for use by trusted friends who have been given space on the server (I suppose that puts me in the shared host category).

Even still, FTP is a viable file transfer mechanism, and I would think something as trivial as setting up PAM to deny by default is in the best interest of the community.

I suppose you are right though, there's such a strong stigma associated with FTP in general, and honestly it's a shame.

Thanks at least for replying.

----------

