Message-ID: <4267D957.2010606@fer.hr>
Date: Thu, 21 Apr 2005 18:48:23 +0200
From: Ivan Voras
To: Scot Hetzel
cc: stable@freebsd.org
In-Reply-To: <790a9fff0504210837239894b0@mail.gmail.com>
Subject: Re: ftpd & PAM

Scot Hetzel wrote:
> Which version of FreeBSD, and what does your PAM configuration for
> ftpd look like?

Oh yes, thanks, I forgot not all services had pam_ldap line added when we switched to LDAP :) (it works now)

A related question: for some reasons, I want to allow FTP only from+to localhost. I know how to do it with firewalls, but wanted to experiment with hosts.allow. This is what the start of my hosts.allow looks like:

"""
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
in.ftpd: LOCAL: allow
in.ftpd: ALL: deny
ALL : ALL : allow
"""

I constructed the in.ftpd lines by looking at other examples and the man page, but it doesn't seem to work - I can log in from another machine on the same network. All machines have proper (global) DNS entries so I don't think this should fall under the manual excerpt:

LOCAL   Matches any host whose name does not contain a dot character.

... or does it?
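
An added example, not part of the original message and not libwrap's own code: a simplified Python model of "first match wins" evaluation run over the three posted rules. The client names and the alternative process name `ftpd` are assumptions, chosen to show how LOCAL treats dotted names and what happens when the daemon field does not equal the name the service runs under.

```python
# Simplified model of hosts.allow evaluation (illustrative, not libwrap).
# Handles only what the posted rules use: daemon lists, the ALL and LOCAL
# wildcards, literal host names, and a trailing allow/deny option.

RULES = """\
in.ftpd: LOCAL: allow
in.ftpd: ALL: deny
ALL : ALL : allow
"""

def parse(text):
    """Return a list of (daemons, clients, action) tuples, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        daemons, clients, action = [f.strip() for f in line.split(":", 2)]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split(),
                      action))
    return rules

def client_matches(pattern, host):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                        # name without a dot character
        return "." not in host
    return pattern.lower() == host.lower()

def decide(rules, daemon, host):
    """Return (action, rule_number) for the first matching rule."""
    for n, (daemons, clients, action) in enumerate(rules, 1):
        if not any(d in ("ALL", daemon) for d in daemons):
            continue                              # rule is for another daemon
        if any(client_matches(c, host) for c in clients):
            return action, n
    return "allow", None                          # nothing matched: granted

if __name__ == "__main__":
    rules = parse(RULES)
    # Constructed test cases; "ftpd" as the process name is an assumption.
    for daemon, host in [("in.ftpd", "localhost"),
                         ("in.ftpd", "client.example.org"),
                         ("ftpd", "client.example.org")]:
        print(f"{daemon:8} {host:20} -> {decide(rules, daemon, host)}")
```

In this model a fully qualified client name never matches LOCAL and is denied by the second rule, so an accepted remote login corresponds to the third case, where neither `in.ftpd` rule is consulted and `ALL : ALL : allow` decides.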