pure-authd(8) Pure-FTPd pure-authd(8)

pure-authd - External authentication agent for Pure-FTPd.

pure-authd [-p </path/to/pidfile>] [-u uid] [-g gid] [-B] <-s /path/to/socket> -r /program/to/run

pure-authd is a daemon that forks an authentication program, waits for
an authentication reply, and feeds it to an application server.

pure-authd listens to a local Unix socket. A new connection to that
socket should feed pure-authd the following structure:

    account:xxx
    password:xxx
    localhost:xxx
    localport:xxx
    peer:xxx
    end

(replace xxx with appropriate values). localhost, localport and peer
are numeric IP addresses and ports. peer is the IP address of the
remote client.

These arguments are passed to the authentication program, as
environment variables:

    AUTHD_ACCOUNT
    AUTHD_PASSWORD
    AUTHD_LOCAL_IP
    AUTHD_LOCAL_PORT
    AUTHD_REMOTE_IP
    AUTHD_ENCRYPTED

The authentication program should take appropriate actions to fetch
account info according to these arguments, and reply to the standard
output a structure like the following one:

    auth_ok:1
    uid:42
    gid:21
    dir:/home/j
    end

auth_ok:xxx
    If xxx is 0, the user was not found (the next authentication
    method passed to pure-ftpd will be tried). If xxx is -1, the
    user was found, but there was a fatal authentication error: user
    is root, password is wrong, account has expired, etc. (next
    authentication methods will not be tried). If xxx is 1, the user
    was found and successfully authenticated.

uid:xxx
    The system uid to be assigned to that user. Must be > 0.

gid:xxx
    The primary system gid. Must be > 0.

dir:xxx
    The absolute path to the home directory. Can contain /./ for a
    chroot jail.

slow_tilde_expansion:xxx (optional, default is 1)
    When the command 'cd ~user' is issued, it's handy to go to that
    user's home directory, as expected in a shell environment. But
    fetching account info can be an expensive operation for
    non-system accounts. If xxx is 0, 'cd ~user' will expand to the
    system user home directory. If xxx is 1, 'cd ~user' won't expand.
    You should use 1 in most cases with external authentication, when
    your FTP users don't match system users. You can also set xxx to
    1 if you're using slow nss_* system authentication modules.

throttling_bandwidth_ul:xxx (optional)
    The allocated bandwidth for uploads, in bytes per second.

throttling_bandwidth_dl:xxx (optional)
    The allocated bandwidth for downloads, in bytes per second.

user_quota_size:xxx (optional)
    The maximal total size for this account, in bytes.

user_quota_files:xxx (optional)
    The maximal number of files for this account.

ratio_upload:xxx (optional)

ratio_download:xxx (optional)
    The user must match a ratio_upload:ratio_download ratio.

Only one authentication program is forked at a time. It must return
quickly.

-u <uid>
    Have the daemon run with that uid.

-g <gid>
    Have the daemon run with that gid.

-B  Fork in background (daemonization).

-s </path/to/socket>
    Set the full path to the local Unix socket.

-r </path/to/program>
    Set the full path to the authentication program.

-h  Output help information and exit.

To run this program the standard way type:

    pure-authd -s /var/run/ftpd.sock -r /usr/bin/my-auth-program &

    pure-ftpd -lextauth:/var/run/ftpd.sock &

/usr/bin/my-auth-program can be as simple as:

    #! /bin/sh
    echo 'auth_ok:1'
    echo 'uid:42'
    echo 'gid:21'
    echo 'dir:/home/j'
    echo 'end'
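
The sample script above replies auth_ok:1 to every login. The following is an added example, not part of the Pure-FTPd distribution, of an authentication program that checks AUTHD_ACCOUNT and AUTHD_PASSWORD and uses all three auth_ok values; the account store, the PBKDF2 parameters and the names ACCOUNTS, hash_password and build_reply are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Example authentication program for pure-authd (added illustration)."""
import hashlib
import hmac
import os
import sys

ITERATIONS = 200_000  # assumption: PBKDF2 cost; the program must still return quickly


def hash_password(password: str, salt: bytes) -> bytes:
    # surrogateescape keeps non-UTF-8 bytes from the environment intact
    raw = password.encode("utf-8", "surrogateescape")
    return hashlib.pbkdf2_hmac("sha256", raw, salt, ITERATIONS)


# Constructed sample store (hypothetical); a real one would live in a file or database.
_SALT = b"constructed-salt"
ACCOUNTS = {
    "j": {"salt": _SALT, "hash": hash_password("correct horse", _SALT),
          "uid": 42, "gid": 21, "dir": "/home/j"},
}


def build_reply(env) -> str:
    """Map the AUTHD_* variables set by pure-authd to a reply structure."""
    entry = ACCOUNTS.get(env.get("AUTHD_ACCOUNT", ""))
    if entry is None:
        return "auth_ok:0\nend\n"  # user not found: the next method is tried
    candidate = hash_password(env.get("AUTHD_PASSWORD", ""), entry["salt"])
    if not hmac.compare_digest(candidate, entry["hash"]):
        return "auth_ok:-1\nend\n"  # user found, wrong password: fatal error
    # Enforce the documented constraints: uid > 0, gid > 0, absolute home path.
    if entry["uid"] <= 0 or entry["gid"] <= 0 or not os.path.isabs(entry["dir"]):
        return "auth_ok:-1\nend\n"
    fields = ["auth_ok:1", f"uid:{entry['uid']}", f"gid:{entry['gid']}",
              f"dir:{entry['dir']}", "slow_tilde_expansion:1", "end"]
    return "\n".join(fields) + "\n"


if __name__ == "__main__":
    sys.stdout.write(build_reply(os.environ))
```

Replying auth_ok:0 for unknown accounts lets pure-ftpd fall through to its next authentication method, while auth_ok:-1 stops the chain for a known account with a bad password.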

Frank DENIS <j at pureftpd dot org>

ftp(1), pure-ftpd(8) pure-ftpwho(8) pure-mrtginfo(8)
pure-uploadscript(8) pure-statsdecode(8) pure-pw(8) pure-quotacheck(8)
pure-authd(8) pure-certd(8)

RFC 959, RFC 2389, RFC 2228 and RFC 2428.

Frank Denis 1.0.51 pure-authd(8)