Re: pam authentification trouble ...
From | Oliver Elphick |
---|---|
Subject | Re: pam authentification trouble ... |
Date | |
Msg-id | 1089281361.29038.8.camel@braydb |
In reply to | pam authentification trouble ... (Hervé Piedvache <herve@elma.fr>) |
List | pgsql-general |
On Tue, 2004-07-06 at 15:13, Hervé Piedvache wrote:
> Dear all,
>
> I have trouble with the pam authentication for PostgreSQL.
>
> I have added in the pg_hba.conf the good line ... and I have created
> a /etc/pam.d/postresql file which contains :
>
> auth required pam_unix.so nullok_secure
> account required pam_unix.so
>
> Now like this ... impossible for me to connect to the database ... I have
> message like this :
> Jul 6 13:26:44 zoot arr [local] authentication: (pam_unix) auth could not
> identify password for [herve]
> Jul 6 13:26:47 zoot arr [local] authentication: (pam_unix) authentication
> failure; logname= uid=31 euid=31 tty= ruser= rhost= user=herve
>
> The only solution I have found to make it run is to put the postgres user
> in the shadow group ... to be able to read the /etc/shadow file ...
>
> I think this is not normal ... so please if you have any idea to solve my
> trouble ... I'll be very pleased ...

Yes, it's normal: the password is in /etc/shadow, so you MUST be in the shadow group to be able to check it; otherwise the security of /etc/shadow is useless. Almost every other password checking process runs as root; since postmaster does not, there is a problem.

Putting postgres in the shadow group decreases its security somewhat; however, if postgres itself has no valid password ("*" in the password field in /etc/shadow) it can only be accessed by doing su from root, which reduces the security problem to checking that C functions and insecure PL functions do not try to read /etc/shadow.

Oliver Elphick
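An added example, not part of the original message: a small audit of the condition described in the reply, listing every account that can read /etc/shadow through the shadow group and flagging those that do not have a locked password field. The file contents, the `backup` and `audit` accounts and all function names are constructed for illustration; treating a leading `!` as locked, like `*`, follows shadow(5) and is an addition to what the message states.

```python
# Constructed sample files in /etc/group, /etc/passwd and /etc/shadow format.
GROUP = "root:x:0:\nshadow:x:42:postgres,backup\npostgres:x:31:\n"
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "postgres:x:31:31:PostgreSQL:/var/lib/postgres:/bin/sh\n"
          "backup:x:34:34:backup:/var/backups:/bin/sh\n"
          "audit:x:900:42:constructed user:/home/audit:/bin/sh\n")
SHADOW = ("root:$6$constructed$notarealhash:12600:0:99999:7:::\n"
          "postgres:*:12600:0:99999:7:::\n"
          "backup:$6$constructed$notarealhash:12600:0:99999:7:::\n"
          "audit::12600:0:99999:7:::\n")


def rows(text):
    """Split colon-separated account-database text into field lists."""
    return [l.split(":") for l in text.splitlines() if l and not l.startswith("#")]


def shadow_readers(group_text, passwd_text, group="shadow"):
    """Users in `group` via supplementary membership or primary GID."""
    for name, _pw, gid, members in rows(group_text):
        if name == group:
            readers = {m for m in members.split(",") if m}
            readers |= {r[0] for r in rows(passwd_text) if r[3] == gid}
            return readers
    return set()


def password_state(field):
    """Classify the second field of an /etc/shadow entry."""
    if field == "":
        return "empty"    # no password is required at all
    if field[0] in "*!":
        return "locked"   # not a valid crypt(3) result: no password login
    return "set"


def audit(group_text, passwd_text, shadow_text):
    """Map each shadow-group member to the state of its password field."""
    states = {r[0]: password_state(r[1]) for r in rows(shadow_text)}
    readers = shadow_readers(group_text, passwd_text)
    return {u: states.get(u, "missing") for u in sorted(readers)}


def needs_attention(report):
    """Members that can be logged into directly, unlike a '*' account."""
    return [u for u, s in report.items() if s != "locked"]


if __name__ == "__main__":
    report = audit(GROUP, PASSWD, SHADOW)
    print(report, needs_attention(report))
```

On a real host the three strings would be replaced by the contents of the corresponding files, read as root.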