Discussion: PAM auth


PAM auth

From
satoshi nagayasu
Date:
Hi folks,

I'm trying to use PAM auth on PostgreSQL, but I still cannot
get PAM auth to succeed (with PG813 and RHEL3).

pg_hba.conf has
> host    pamtest     all         0.0.0.0/0             pam

/etc/pam.d/postgresql is
> #%PAM-1.0
> auth       required     pam_stack.so service=system-auth
> account    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth

And I've changed user password with "ALTER USER ... PASSWORD".

However, my postmaster always denies my login.
---------------------------------------------------------
% /usr/local/pgsql813/bin/psql -h localhost -W -U hoge pamtest
Password for user hoge:
LOG:  pam_authenticate failed: Authentication failure
FATAL:  PAM authentication failed for user "hoge"
psql: FATAL:  PAM authentication failed for user "hoge"
---------------------------------------------------------
What's wrong with that?

BTW, I found an empty password ("") is passed to CheckPAMAuth()
function in auth.c.
---------------------------------------------------------
#ifdef USE_PAM
        case uaPAM:
            pam_port_cludge = port;
            status = CheckPAMAuth(port, port->user_name, "");
            break;
#endif   /* USE_PAM */
---------------------------------------------------------
/*
 * Check authentication against PAM.
 */
static int
CheckPAMAuth(Port *port, char *user, char *password)
{
    int         retval;
    pam_handle_t *pamh = NULL;

    /*
     * Apparently, Solaris 2.6 is broken, and needs ugly static variable
     * workaround
     */
    pam_passwd = password;

    /*
     * Set the application data portion of the conversation struct This is
     * later used inside the PAM conversation to pass the password to the
     * authentication module.
     */
    pam_passw_conv.appdata_ptr = (char *) password;     /* from password above,
                                                         * not allocated */
---------------------------------------------------------
What does it mean? I'm not familiar with PAM, so I can't understand
why the password can be empty here.

Any suggestion?

Thanks.
-- 
NAGAYASU Satoshi <nagayasus@nttdata.co.jp>


Re: PAM auth

From
"Albe Laurenz"
Date:
satoshi nagayasu wrote:
> I'm trying to use PAM auth on PostgreSQL, but I still cannot
> get PAM auth to succeed (with PG813 and RHEL3).
>
> pg_hba.conf has
> > host    pamtest     all         0.0.0.0/0             pam
>
> /etc/pam.d/postgresql is
> > #%PAM-1.0
> > auth       required     pam_stack.so service=system-auth
> > account    required     pam_stack.so service=system-auth
> > password   required     pam_stack.so service=system-auth
>
> And I've changed user password with "ALTER USER ... PASSWORD".
>
> However, my postmaster always denies my login.

/etc/pam.d/system-auth probably uses pam_unix.so to authenticate.

Does the user exist on the machine and have the password you try?

You could add 'debug' to the pam_unix.so lines in /etc/pam.d/system-auth
and capture what PAM logs to syslog, maybe that will help.

Yours,
Laurenz Albe


Re: PAM auth

From
Satoshi Nagayasu
Date:
Albe,

Albe Laurenz wrote:
> /etc/pam.d/system-auth probably uses pam_unix.so to authenticate.
> 
> Does the user exist on the machine and have the password you try?

Yes, I have the same user name on my Linux box and PostgreSQL,
and they have the same password (now).

> You could add 'debug' to the pam_unix.so lines in /etc/pam.d/system-auth
> and capture what PAM logs to syslog, maybe that will help.

Finally, by my small program, I found the PAM module is attempting
to read /etc/shadow to authenticate, but /etc/shadow can't be read
without superuser privileges.

I know the postmaster is running under the "postgres" user's privileges,
so PAM auth will always hit 'permission denied' on /etc/shadow.

How can I solve this? Any ideas?

Thanks.
-- 
NAGAYASU Satoshi <nagayasus@nttdata.co.jp>
Phone: +81-3-3523-8122


Re: PAM auth

From
Andrew Dunstan
Date:

Satoshi Nagayasu wrote:

>Albe,
>
>Albe Laurenz wrote:
>
>>/etc/pam.d/system-auth probably uses pam_unix.so to authenticate.
>>
>>Does the user exist on the machine and have the password you try?
>
>Yes, I have the same user name on my Linux box and PostgreSQL,
>and they have the same password (now).
>
>>You could add 'debug' to the pam_unix.so lines in /etc/pam.d/system-auth
>>and capture what PAM logs to syslog, maybe that will help.
>
>Finally, by my small program, I found the PAM module is attempting
>to read /etc/shadow to authenticate, but /etc/shadow can't be read
>without superuser privileges.
>
>I know the postmaster is running under the "postgres" user's privileges,
>so PAM auth will always hit 'permission denied' on /etc/shadow.
>
>How can I solve this? Any ideas?
>


don't use system auth. PAM can authenticate from many sources, not just
the system password files. LDAP is a commonly used source.

cheers

andrew



Re: PAM auth

From
Satoshi Nagayasu
Date:
Andrew Dunstan wrote:
> don't use system auth. PAM can authenticate from many sources, not just
> the system password files. LDAP is a commonly used source.

The reason I'm trying to use PAM is that I need account lock-out
after N failed logins on PG, like the pam_tally module provides.

I'm going to try LDAP next.

Thanks.
-- 
NAGAYASU Satoshi <nagayasus@nttdata.co.jp>
Phone: +81-3-3523-8122



Re: PAM auth

From
Alvaro Herrera
Date:
Satoshi Nagayasu wrote:
> Andrew Dunstan wrote:
> >don't use system auth. PAM can authenticate from many sources, not just
> >the system password files. LDAP is a commonly used source.
> 
> The reason I'm trying to use PAM is that I need account lock-out
> after N failed logins on PG, like the pam_tally module provides.

I think Andrew is suggesting using LDAP atop PAM, so you'd be able to
use pam_tally anyway -- just switch away from "system-auth".

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
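Added example, not code from the thread or from PostgreSQL, that ties the three pieces of advice above together as shell helpers: Albe's suggestion to put 'debug' on the pam_unix.so lines of system-auth, the finding that a backend running as the postgres OS user cannot read /etc/shadow, and Andrew's and Alvaro's point that pam_tally still works once the stack stops delegating to system-auth. On the empty string passed to CheckPAMAuth in the quoted auth.c: in this PostgreSQL version the PAM conversation callback, when the stored password is empty, sends the client an AUTH_REQ_PASSWORD request and answers the module with the reply (that is why pam_port_cludge is set just before the call), so the "" is not what fails here; the module's inability to read /etc/shadow is. Assumptions in the code: pam_ldap.so is the chosen backend and /etc/ldap.conf is already set up; the tally file path is hypothetical and must be writable by the postmaster's uid, because pam_tally runs inside the backend process with the same privileges that broke pam_unix (the default /var/log/faillog is root-owned); the pam_tally options used (onerr, deny, file) are the ones in the Linux-PAM of that era, with the account entry resetting the counter after a successful login; su -s is the Linux su.

```shell
#!/bin/sh
# Added example, not from the thread or the PostgreSQL sources.
# Helpers for a PAM stack that a non-root postmaster can actually use.

PG_OS_USER="${PG_OS_USER:-postgres}"
MAX_FAILURES="${MAX_FAILURES:-5}"
# Hypothetical tally file; it must be writable by $PG_OS_USER because
# pam_tally runs inside the backend process (same privilege problem
# as /etc/shadow, so the root-owned default /var/log/faillog will not do).
TALLY_FILE="${TALLY_FILE:-/var/lib/pgsql/pam_tally.log}"

# Print a replacement /etc/pam.d/postgresql that never touches system-auth.
# Assumes pam_ldap.so is configured through /etc/ldap.conf.
# pam_tally "auth" counts failures and denies once deny=N is reached;
# pam_tally "account" resets the counter after a successful login.
pam_stack_for_postgres() {
    cat <<EOF
#%PAM-1.0
auth       required     pam_tally.so onerr=fail deny=${MAX_FAILURES} file=${TALLY_FILE}
auth       required     pam_ldap.so
account    required     pam_tally.so file=${TALLY_FILE}
account    required     pam_ldap.so
EOF
}

# Exit 0 if the given PAM service file still delegates to system-auth
# (the configuration that failed in the thread).
stack_uses_system_auth() {
    grep -q 'pam_stack\.so.*service=system-auth' "$1"
}

# Print a copy of a PAM service file with 'debug' appended to every
# pam_unix.so line that lacks it (Albe's suggestion); the original file
# is left untouched so the result can be reviewed before installing it.
enable_pam_unix_debug() {
    sed '/pam_unix\.so/{/debug/!s/pam_unix\.so/pam_unix.so debug/;}' "$1"
}

# Exit 0 if OS user $1 can read file $2, the way the backend would.
# Needs root to switch users; otherwise it tests the current user.
can_user_read() {
    if [ "$(id -u)" -eq 0 ]; then
        su -s /bin/sh "$1" -c "test -r '$2'"
    else
        test -r "$2"
    fi
}

# Typical use (as root):
#   can_user_read "$PG_OS_USER" /etc/shadow || echo "postmaster cannot read /etc/shadow"
#   stack_uses_system_auth /etc/pam.d/postgresql && pam_stack_for_postgres
#   enable_pam_unix_debug /etc/pam.d/system-auth
```

The functions only print; nothing under /etc is written, so the generated stack and the debug-enabled system-auth can be diffed against the live files before they are installed, and the tally file should be created and chowned to the postmaster's OS user before the new stack goes live.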