There are two problems linked to each other...

1. "...A vulnerability has been identified in [ftpd(8)] allowing malicious people to enumerate valid usernames..." (these words were said about exactly the same situation with another BSD-based FTP server)

The problem is that if a valid username and an invalid password are supplied, a delay in the response may be introduced with the "help" of any PAM module, whereas a response is returned immediately if an invalid username and any password are supplied. Also, if the account exists but doesn't have a valid shell from /etc/shells, the corresponding reply will be returned without asking for a password at all, and no time metering is required in this case (see also http://www.freebsd.org/cgi/query-pr.cgi?pr=misc/34171).

Note 1: /etc/ftpusers leads to a similar effect, but I think that it isn't a security breach, because sending the cleartext password of the "root" user leads to a greater security compromise than enumerating the existence of the account named "root"...

Note 2: PAM modules from FreeBSD's base system don't introduce the delay in the described situation, but a third-party module, for example from the ports collection, may do it.

2. ftpd.c, auth_pam(): "With PAM we support the concept of a "template" user. The user enters a login name which is authenticated by PAM, usually via a remote service such as RADIUS or TACACS+. ..."template" name is used for setting the credentials, shell, and home directory. The name the user enters need only exist on the remote authentication server, but the template name must be present in the local password database."

But ftpd(8) checks the existence of an account with the name entered by the user before the authentication itself, and if it doesn't exist, the authentication will fail without an attempt to use PAM or other authentication methods.
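The following is an added illustration, not code from this PR or from FreeBSD's ftpd.c. It is a Python simulation of the two login orderings the report contrasts: the one described above, where the local password database and /etc/shells are consulted before PAM is ever called, and a PAM-first ordering (assumed here as the fix) in which the entered name is always handed to PAM and only the authenticated session is mapped to a local "template" account. The local database, shells list, remote backend, reply strings and the template mapping rule (a locally present name uses its own entry, any other authenticated name uses the template) are all constructed assumptions. The timing channel is not modelled; the point is that in the PAM-first flow the PAM conversation runs for every name, so any module delay applies uniformly, and the reply sequence no longer depends on whether the name exists locally.

```python
"""Constructed simulation of ftpd(8) login ordering: local-first vs PAM-first."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional

# Constructed local password database (stand-in for getpwnam()).
LOCAL_PASSWD: Dict[str, Dict[str, str]] = {
    "alice":       {"shell": "/bin/sh",       "home": "/home/alice"},
    "carol":       {"shell": "/sbin/nologin", "home": "/home/carol"},
    "ftptemplate": {"shell": "/bin/sh",       "home": "/home/ftptemplate"},
}
# Constructed /etc/shells.
VALID_SHELLS = {"/bin/sh", "/bin/csh"}
# Constructed remote service a RADIUS/TACACS+ PAM module would consult.
# "bob" exists only here, not in LOCAL_PASSWD.
REMOTE_USERS = {"alice": "alice-secret", "bob": "bob-secret"}


def pam_authenticate(user: str, password: str) -> bool:
    """Stand-in for the PAM conversation (a real module may delay on failure)."""
    return REMOTE_USERS.get(user) == password


@dataclass
class Session:
    replies: List[str] = field(default_factory=list)  # server replies, in order
    pam_consulted: bool = False
    account: Optional[str] = None  # local account whose credentials were used


def login_local_first(user: str, password: str) -> Session:
    """Ordering described in the report: existence and shell checked before PAM."""
    s = Session()
    pw = LOCAL_PASSWD.get(user)
    if pw is not None and pw["shell"] not in VALID_SHELLS:
        s.replies.append("530 User %s access denied." % user)  # no password asked
        return s
    s.replies.append("331 Password required for %s." % user)
    if pw is None:  # unknown locally: PAM never runs, template user cannot work
        s.replies.append("530 Login incorrect.")
        return s
    s.pam_consulted = True
    if pam_authenticate(user, password):
        s.account = user
        s.replies.append("230 User %s logged in." % user)
    else:
        s.replies.append("530 Login incorrect.")
    return s


def login_pam_first(user: str, password: str, template: str = "ftptemplate") -> Session:
    """Assumed fix: same USER reply for everyone, PAM always run, local lookup and
    shell check applied to the resolved account only after authentication."""
    s = Session()
    s.replies.append("331 Password required for %s." % user)
    s.pam_consulted = True
    if not pam_authenticate(user, password):
        s.replies.append("530 Login incorrect.")
        return s
    # Assumed mapping rule: local name uses its own entry, otherwise the template.
    account = user if user in LOCAL_PASSWD else template
    pw = LOCAL_PASSWD.get(account)
    if pw is None or pw["shell"] not in VALID_SHELLS:
        s.replies.append("530 Login incorrect.")  # same text as a bad password
        return s
    s.account = account
    s.replies.append("230 User %s logged in." % user)
    return s


def reply_shape(s: Session, user: str) -> List[str]:
    """Replies with the echoed username blanked, so sequences compare across users."""
    return [r.replace(user, "<user>") for r in s.replies]


def distinguishes_accounts(flow: Callable[[str, str], Session],
                           users: Iterable[str],
                           password: str = "wrong-password") -> bool:
    """Defender's check: does the wrong-password reply sequence differ between users?"""
    shapes = {tuple(reply_shape(flow(u, password), u)) for u in users}
    return len(shapes) > 1
```

Running `distinguishes_accounts` over a locally valid name, a name with a non-/etc/shells shell and a name that does not exist returns True for the local-first flow and False for the PAM-first flow; the same data shows the remote-only user "bob" being rejected without PAM in the first flow and logged in with the template's credentials in the second.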
The first issue is discussed at length in <https://blog.des.no/2008/07/old-history/>. I will consider the second.