Server environment: CentOS 3.6; software version: proftpd 1.2.10 + the system's default PAM.
I added the following 3 lines to the proftpd.conf file:
AuthPAM on
AuthPAMConfig ftp
AuthPAMAuthoritative on
The contents of the /etc/pam.d/ftp file are as follows:
[root@plesk root]# more /etc/pam.d/ftp
#%PAM-1.0
account required /lib/security/pam_access.so
auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/ftpusers onerr=fail
auth required /lib/security/pam_pwdb.so shadow nullok
# If this is enabled, anonymous logins will fail because the 'ftp' user does
# not have a "valid" shell, as listed in /etc/shells.
#
# If you enable this, it is recommended that you do *not* give the 'ftp'
# user a real shell. Instead, give the 'ftp' user /bin/false for a shell and
# add /bin/false to /etc/shells.
#auth required /lib/security/pam_shells.so
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so
The contents of the /etc/pam.d/login file are as follows:
[root@plesk root]# more /etc/pam.d/login
#%PAM-1.0
account required pam_access.so
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
The contents of the /etc/security/access.conf file are as follows:
+:root:ALL
-:usera:ALL
-:userb:ALL
But my current configuration does not take effect; usera and userb can still log in normally.
I found the following lines in the /var/log/message file:
Feb 2 21:19:27 plesk proftpd[1702]: ns5.dns-diy.NET (192.168.1.32[192.168.1.32]) - FTP session opened.
Feb 2 21:19:27 plesk proftpd: PAM-listfile: Refused user usera for service ftp
Feb 2 21:19:28 plesk proftpd[1702]: ns5.dns-diy.NET (192.168.1.32[192.168.1.32]) - PAM(usera): Authentication failure.
Feb 2 21:19:30 plesk proftpd[1702]: ns5.dns-diy.NET (192.168.1.32[192.168.1.32]) - FTP session closed.
Feb 2 21:19:31 plesk proftpd[1703]: ns5.dns-diy.NET (192.168.1.32[192.168.1.32]) - FTP session opened.
Feb 2 21:19:31 plesk proftpd: PAM-listfile: Refused user userb for service ftp
Feb 2 21:19:32 plesk proftpd[1703]: ns5.dns-diy.NET (192.168.1.32[192.168.1.32]) - PAM(userb): Authentication failure.
Feb 2 21:19:34 plesk proftpd[1703]: ns5.dns-diy.NET (192.168.1.32[192.168.1.32]) - FTP session closed.
Could anyone tell me what is going wrong?
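
Added example (not part of the original post): the Python below parses the /etc/pam.d/ftp stack and the access.conf quoted above, then attributes each "Refused user" log line to the PAM rule that logged it, so that what pam_access would decide can be compared with which module actually recorded the refusal. The function names are hypothetical, the access.conf matcher handles only plain names and ALL, and mapping the log tag PAM-listfile to pam_listfile.so is an assumption.

```python
import re

# Rules and log lines copied from the post (comment lines and session open/close lines omitted).
PAM_FTP = """\
account required /lib/security/pam_access.so
auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/ftpusers onerr=fail
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so
"""
ACCESS_CONF = "+:root:ALL\n-:usera:ALL\n-:userb:ALL\n"
LOG = """\
Feb 2 21:19:27 plesk proftpd: PAM-listfile: Refused user usera for service ftp
Feb 2 21:19:28 plesk proftpd[1702]: ns5.dns-diy.NET (192.168.1.32[192.168.1.32]) - PAM(usera): Authentication failure.
Feb 2 21:19:31 plesk proftpd: PAM-listfile: Refused user userb for service ftp
Feb 2 21:19:32 plesk proftpd[1703]: ns5.dns-diy.NET (192.168.1.32[192.168.1.32]) - PAM(userb): Authentication failure.
"""

def parse_stack(text):
    """Return (type, control, module basename, options) for each PAM rule."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        mtype, control, module, *args = line.split()
        opts = dict(a.split("=", 1) if "=" in a else (a, True) for a in args)
        rules.append((mtype, control, module.rsplit("/", 1)[-1], opts))
    return rules

def access_decision(conf, user):
    """First matching access.conf line wins; no match grants access.
    Simplified: only plain names and ALL in the users field, origins ignored."""
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        perm, users, _origins = (f.strip() for f in line.split(":", 2))
        if "ALL" in users.split() or user in users.split():
            return perm
    return "+"

REFUSED = re.compile(r"PAM-(\w+): Refused user (\S+) for service (\S+)")

def attribute_refusals(stack, log):
    """Map each refused user to the rules of the module named in the log tag.
    Assumption: the tag 'PAM-listfile' corresponds to pam_listfile.so."""
    return {m.group(2): [r for r in stack if r[2] == f"pam_{m.group(1)}.so"]
            for m in REFUSED.finditer(log)}

if __name__ == "__main__":
    stack = parse_stack(PAM_FTP)
    for user, rules in attribute_refusals(stack, LOG).items():
        print(user, "access.conf:", access_decision(ACCESS_CONF, user), "logged by:", rules)
```

For both users the refusal in the log is attributed to the auth-phase pam_listfile.so rule (sense=allow, file=/etc/ftpusers), while the pam_access.so rule sits in the account phase and logged nothing in the lines shown.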