Intrusion Detection FAQ: I am seeing a PAM error message, what does it mean?

Feb 28 17:31:25 ernie ftpd[18380]: open_pam_conf: stat(/etc/pam.conf) failed: No such file or directory
Feb 28 17:33:01 ernie ftpd[18383]: open_pam_conf: stat(/etc/pam.conf) failed: No such file or directory


The message is a basic symptom of a mis-installed PAM and/or ftpd: the ftpd is linked against the PAM libraries (i.e. -lpam), and either PAM is not installed or its config file is missing.

PAM, Pluggable Authentication Module, is meant to be a common authentication platform that takes the place of the various /etc/passwd lookups, NIS, etc. It is configured entirely by modules to which the services then "subscribe": if you want ftpd to use MD5 for passwords instead of the good ol' crypt(), you would set up the PAM config file for ftpd to use the MD5 module (assuming you have it installed).

This is meant to remove the choice of authentication from the individual programs and allow you to strengthen all or some of them by simply reconfiguring the relevant PAM for the program. Overall a very neat idea.

Unfortunately, distributions often have very broken PAM configs or ship some daemons with PAM and some without. I don't know if any distributions have been immune from this. The soon-to-be-released Debian 2.2 now uses PAM exclusively. This has meant, for example, that the old secure-su package (allowing su only to members of a specific group) has disappeared, since it is now taken care of by a PAM module. For example:


bakunin:~$ cat /etc/pam.d/su 
#
# The PAM configuration file for the Shadow `su' service
#
# Uncomment this to force users to be a member of group root
# before than can use `su'. You can also add "group=foo" to
# to the end of this line if you want to use a group other
# than the default "root".
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
auth required pam_wheel.so
[...]
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so


and so on. This basically means that pam_wheel.so, a module which checks if the user is a member of the "root" group ("wheel" on other boxes, where the true origin of the name is remembered), is required for authentication to take place, and that it is sufficient to be root to be allowed in without any further password. As a mathematician I would have had necessary_and_sufficient but never mind :-)

Arrigo
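
The interplay of "required" and "sufficient" in the su stack above can be checked with a small model. This is an added example, not part of the original FAQ and not PAM's own code: it models only those two control flags, the module pass/fail outcomes are supplied by hand, and the trailing pam_unix.so line is an assumed stand-in for the part of the file elided with "[...]".

```python
# Added example: a simplified model of how PAM walks an "auth" stack.
# Only the two control flags shown on the page are modelled.

# The su lines from the page; the final pam_unix.so line is an assumed
# stand-in for whatever the page elides with "[...]".
SU_STACK = """\
auth required pam_wheel.so
[...]
auth sufficient pam_rootok.so
auth required pam_unix.so
"""

def parse_stack(text, mtype="auth"):
    """Return [(control, module)] for one module type, skipping comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mtype:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, outcomes):
    """outcomes maps module name -> True (passes) / False (fails).
    Returns (granted, modules_run)."""
    required_failed = False
    ran = []
    for control, module in stack:
        ok = outcomes[module]
        ran.append(module)
        if control == "required":
            # A failure is remembered, but the rest of the stack still runs.
            required_failed = required_failed or not ok
        elif control == "sufficient":
            # Success ends the stack early, unless a required module
            # has already failed; a failure here is simply ignored.
            if ok and not required_failed:
                return True, ran
        else:
            raise ValueError("control flag not modelled: " + control)
    return bool(stack) and not required_failed, ran

if __name__ == "__main__":
    stack = parse_stack(SU_STACK)
    names = [module for _, module in stack]
    # Constructed outcomes, in stack order: wheel check, root check, password.
    for results in [(True, True, False), (True, False, True), (False, True, True)]:
        print(results, "->", evaluate(stack, dict(zip(names, results))))
```

The last case is the one worth noting: a passing "sufficient" module does not rescue a stack in which an earlier "required" module has already failed.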