Open oz123 opened 5 years ago
troglobit
commented
5 years ago Any user:pass combo is allowed, e.g. anonymous:a@b, but there is no per-user specific authentication. I have no personal interest in adding this to uftpd, since the major reason for its existence is to serve FTP read-only on a LAN.
However, if someone has a good idea and is willing to implement/debug/test it thoroughly I will consider the PR.
oz123
commented
5 years ago Maybe q as hione can add simple pam support (with compile option)?
troglobit
commented
5 years ago It's very tricky to get right, even if you use libpam, and opens up for a lot of potential security bugs. Having a compile time option (configure) to disable/enable is only one strong requirement from my side.
I'd prefer not to do it at all and instead recommend folks to use vsftpd for such use-cases, but like I said, if someone has a good PR I'll consider it.
oz123
commented
2 years ago It's been a terrible long time, but I am feeling more comfortable with C. So I might give it a shot soon. If someone feels like tackling this, here is where I would start:
https://github.com/troglobit/uftpd/blob/011d652d6e600c1fd82dce7c6787952ca964eef4/src/ftpcmd.c#L262
One could implement httaccess file for access, it's a well known format and IMHO easier to use than libpam.
90% of the code for this can be taken from apache2 own code for managing the file. Specifically, look at how the flag -v works:
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/support/htpasswd.c?view=markup
Some (bad) clients can't work with FTP without user:pass combination. But sometimes we must use them. Is there a change that this can be added to uftpd?