Discussion: PAM


PAM

From
EMOTO Masahiko
Date:
Can anyone show me a sample PAM authentication file?

I want to use PAM for client authentication, and I created pg_hba.cnf as,

>host    all         all         127.0.0.1         255.255.255.255   trust
>host    all         all         192.168.0.0        255.255.0.0   pam postgresql

and /etc/pam.d/postgresql as
>auth       required     /lib/security/pam_stack.so service=system-auth
>account    required     /lib/security/pam_stack.so service=system-auth

I tried to connect to the server, but failed. The messages I received were as follows:

>[CLIENT]
>% psql -h dgpc1 db1 -U emo
>Password:
>psql: FATAL:  PAM authentication failed for user "emo"
>
>[SERVER]
>DEBUG:  reaping dead processes
>DEBUG:  child process (pid 15642) exited with exit code 0
>DEBUG:  BackendStartup: forked pid=15643 socket=8
>DEBUG:  received PAM packet
>LOG:  CheckPAMAuth: pam_authenticate failed: 'Authentication failure'
>FATAL:  PAM authentication failed for user "emo"
>DEBUG:  proc_exit(0)
>DEBUG:  shmem_exit(0)
>DEBUG:  exit(0)
>DEBUG:  reaping dead processes

The user account exists in the database, and I typed the system password.


Environment:
OS : Linux Kernel 2.4.19
PostgreSQL 7.3


By the way, what I really want to do is to configure the server to behave like FTP servers:
all users except the guest (anonymous) require password authentication.
The guest user can only read the data, and cannot alter the data.
Are there any solutions to do this?


                                                        --- EMOTO Masahiko ---
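The pg_hba.conf part of the question can be checked offline. Below is an added example (it is not code from the post or from PostgreSQL) that parses 7.3-style `host` entries, resolves which method a given database/user/client address would hit using the server's first-match rule, and flags `trust` entries outside loopback. The sample file is constructed from the two lines in the post plus a hypothetical `guest` line placed before the `pam` line: that ordering is how the FTP-style split (guest needs no password, everyone else authenticates) is expressed at the pg_hba level, while the read-only part is a matter of the privileges granted to the guest role, not of pg_hba. `+group` user entries and `local`/`hostssl` lines are outside what this example handles.

```python
import ipaddress

# Constructed sample modelled on the pg_hba.conf lines from the post, with a
# hypothetical "guest" line added in front of the "pam" line. Columns follow
# the PostgreSQL 7.3 layout: TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION]
SAMPLE_HBA = """\
# TYPE  DATABASE  USER   IP-ADDRESS   IP-MASK          METHOD  [OPTION]
host    all       all    127.0.0.1    255.255.255.255  trust
host    all       guest  192.168.0.0  255.255.0.0      trust
host    all       all    192.168.0.0  255.255.0.0      pam     postgresql
"""


def parse_hba(text):
    """Parse 'host' entries into rule dicts; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # Only the 'host' entry type is handled here; local/hostssl are out of scope.
        if fields[0] != "host" or len(fields) < 6:
            raise ValueError(f"line {lineno}: unsupported or malformed entry: {raw!r}")
        _, database, user, address, mask, method = fields[:6]
        rules.append({
            "line": lineno,
            "database": database,
            "user": user,
            # strict=False lets a host address such as 127.0.0.1 carry a netmask
            "network": ipaddress.ip_network(f"{address}/{mask}", strict=False),
            "method": method,
            "option": fields[6] if len(fields) > 6 else None,
        })
    return rules


def resolve(rules, database, user, client_ip):
    """Return the first rule matching the connection, or None (connection rejected).

    As in the server, the first matching line wins, so line order decides which
    method applies. '+group' user entries are not supported in this example.
    """
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule["database"] not in ("all", database):
            continue
        if rule["user"] not in ("all", user):
            continue
        if ip in rule["network"]:
            return rule
    return None


def audit(rules):
    """Flag 'trust' entries that grant password-less access outside loopback."""
    findings = []
    for rule in rules:
        if rule["method"] != "trust" or rule["network"].is_loopback:
            continue
        if rule["user"] == "all":
            findings.append(f"WARN line {rule['line']}: trust for all users on {rule['network']}")
        else:
            findings.append(
                f"INFO line {rule['line']}: trust for role {rule['user']!r} on {rule['network']};"
                " make sure this role only holds SELECT privileges"
            )
    return findings


if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for db, usr, ip in [("db1", "emo", "192.168.1.5"), ("db1", "guest", "192.168.1.5"),
                        ("db1", "emo", "127.0.0.1"), ("db1", "emo", "10.0.0.1")]:
        hit = resolve(rules, db, usr, ip)
        print(f"{usr}@{ip}: {hit['method'] if hit else 'no matching line (rejected)'}")
    for finding in audit(rules):
        print(finding)
```

With the constructed file, `emo` from 192.168.1.5 lands on the `pam postgresql` line, `guest` from the same address lands on the `trust` line placed before it, and an address outside both ranges matches nothing and is rejected; the audit reports the guest line as the single password-less entry outside loopback.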

Re: PAM

From
Tim Frank
Date:
I was testing this on a 7.3 beta the other week to try to make it work
with LDAP authentication, and I think I only got it working if I bypassed
the system-auth PAM file that everything was normally funneled through.
  I don't know exactly why it wasn't working, but whenever I put a line
that used pam_unix.so it would fail with the same error you are
encountering.

I didn't invest a huge amount of time figuring out why pam_unix.so was
causing a problem because I wanted to use pam_ldap.so anyways.

There doesn't seem to be many examples out there that I could find that
I got to work.  FYI I am testing on RedHat 7.x and 8.0 machines.

Tim

EMOTO Masahiko wrote:
> Does anyone show me a sample of PAM authenticate file?
>
> I want to use pam for client authentication, and I create pg_hba.cnf as,
>
>
>>host    all         all         127.0.0.1         255.255.255.255   trust
>>host    all         all         192.168.0.0        255.255.0.0   pam postgresql
>
>
> and /etc/pam.d/postgresql as
>
>>auth       required     /lib/security/pam_stack.so service=system-auth
>>account    required     /lib/security/pam_stack.so service=system-auth
>
>
> I tried to connect to the server, but failed. The messages I received were follows;
>
>
>>[CLIENT]
>>% psql -h dgpc1 db1 -U emo
>>Password:
>>psql: FATAL:  PAM authentication failed for user "emo"
>>
>>[SERVER]
>>DEBUG:  reaping dead processes
>>DEBUG:  child process (pid 15642) exited with exit code 0
>>DEBUG:  BackendStartup: forked pid=15643 socket=8
>>DEBUG:  received PAM packet
>>LOG:  CheckPAMAuth: pam_authenticate failed: 'Authentication failure'
>>FATAL:  PAM authentication failed for user "emo"
>>DEBUG:  proc_exit(0)
>>DEBUG:  shmem_exit(0)
>>DEBUG:  exit(0)
>>DEBUG:  reaping dead processes
>
>
> The user account exists in the database, and I typed the system password.
>
>
> Environment:
> OS : Linux Kernel 2.4.19
> PostgreSQL 7.3
>
>
> By the way, what really I want to do is to configure the server behave like FTP servers;
> All the users except the guest (anonymous) requires the password authentication.
> The guest user can only read the data, and cannot alter the data.
> Are there any solutions to do this?
>
>
>                                                         --- EMOTO Masahiko ---
>


Re: PAM

From
Tim Frank
Date:
Here is a bit of a follow up to the PAM setup.  If you want to
authenticate against an LDAP source, create an /etc/pam.d/postgresql
file containing the following:

auth        required    /lib/security/pam_ldap.so
account     required    /lib/security/pam_ldap.so

This works fine and I love the feature :) The problem I am having is if
I try to use pam_unix.so. If I set it up similarly,

auth        required    /lib/security/pam_unix.so
account     required    /lib/security/pam_unix.so

I get a bunch of errors from the system and postgres.  System errors are
always of the form,

postgresql(pam_unix)[28219]: auth could not identify password for [myuser]
postgresql(pam_unix)[28220]: authentication failure; logname= uid=40
euid=40 tty= ruser= rhost=  user=myuser

And the postgres logs show,

DEBUG:  BackendStartup: forked pid=28290 socket=8
LOG:  CheckPAMAuth: pam_authenticate failed: 'Conversation error'
FATAL:  PAM authentication failed for user "myuser"
DEBUG:  proc_exit(0)
DEBUG:  shmem_exit(0)
DEBUG:  exit(0)
DEBUG:  reaping dead processes
DEBUG:  child process (pid 28290) exited with exit code 0
DEBUG:  BackendStartup: forked pid=28291 socket=8
DEBUG:  received PAM packet
LOG:  CheckPAMAuth: pam_authenticate failed: 'Authentication failure'
FATAL:  PAM authentication failed for user "myuser"
DEBUG:  proc_exit(0)
DEBUG:  shmem_exit(0)
DEBUG:  exit(0)
DEBUG:  reaping dead processes
DEBUG:  child process (pid 28291) exited with exit code 0



If I try the same thing, but logging in as the "postgres" user rather
than a normal user I get the following in the system logs,

postgresql(pam_unix)[28284]: auth could not identify password for [postgres]

and this in the postgres logs,

DEBUG:  BackendStartup: forked pid=28284 socket=8
LOG:  CheckPAMAuth: pam_authenticate failed: 'Conversation error'
FATAL:  PAM authentication failed for user "postgres"
DEBUG:  proc_exit(0)
DEBUG:  shmem_exit(0)
DEBUG:  exit(0)
DEBUG:  reaping dead processes
DEBUG:  child process (pid 28284) exited with exit code 0
DEBUG:  BackendStartup: forked pid=28285 socket=8
DEBUG:  received PAM packet
LOG:  CheckPAMAuth: pam_acct_mgmt failed: 'Authentication failure
service cannot retrieve authentication info.'
FATAL:  PAM authentication failed for user "postgres"
DEBUG:  proc_exit(0)
DEBUG:  shmem_exit(0)
DEBUG:  exit(0)
DEBUG:  reaping dead processes
DEBUG:  child process (pid 28285) exited with exit code 0


Now, the good news is that if I modify the PAM configuration as follows,

auth        required    /lib/security/pam_unix.so
account     required    /lib/security/pam_permit.so

I can at least log in as the postgres user.  I still can't log in as a
regular system user.  I think there is something to do with PAM not
liking a system uid=40 for any user except the postgres user, but I
really don't have any hard proof to base that on.  Even when the
postgres user successfully logs in I still get "errors" in the system logs,

postgresql(pam_unix)[28315]: auth could not identify password for [postgres]

and "errors" in the postgres logs,

DEBUG:  BackendStartup: forked pid=28315 socket=8
LOG:  CheckPAMAuth: pam_authenticate failed: 'Conversation error'
FATAL:  PAM authentication failed for user "postgres"
DEBUG:  proc_exit(0)
DEBUG:  shmem_exit(0)
DEBUG:  exit(0)
DEBUG:  reaping dead processes
DEBUG:  child process (pid 28315) exited with exit code 0
DEBUG:  BackendStartup: forked pid=28316 socket=8
DEBUG:  received PAM packet
DEBUG:  /usr/local/pgsql73/bin/postmaster child[28316]: starting with (
DEBUG:          postgres
DEBUG:          -v131072
DEBUG:          -p
DEBUG:          test
DEBUG:  )
DEBUG:  InitPostgres
[ rest of successful connection messages ]

I am not a PAM expert, but this is the furthest I could get the
pam_unix.so working.  I don't really need the functionality, but it
would be nice to be able to funnel postgres PAM functionality through
the system-auth stack on my RedHat systems, which has components for
pam_unix.so instead of creating another authentication stream.

I did apply a crypt patch that Bruce sent me, so I can't comment on whether this
works exactly the same way on the official 7.3 release.  I do know I had
the same issues on the 7.3beta5 release.

Sorry for the long post, hopefully this will be of use to someone with
some better knowledge of postgres authentication and PAM.

Tim Frank
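The three PAM stacks in this post differ in ways that matter for security, not only for whether the login succeeds. The example below is added here and is neither the poster's nor PostgreSQL's code: it parses a classic /etc/pam.d service file and reports two things about it. First, `pam_unix.so` in the `auth` stage driven by a non-root daemon: the postmaster (uid 40 in the syslog lines above) cannot read /etc/shadow, and the setuid `unix_chkpwd` helper that pam_unix falls back to only verifies the account of the uid that invoked it, which is exactly the pattern observed, where the `postgres` account works and every other user gets "auth could not identify password". Second, `pam_permit.so` in the `account` stage, the workaround that made the `postgres` login succeed: it skips account management entirely, so locked, expired or otherwise disabled system accounts are still admitted. The stack contents are copied from the post; the uid and the linter's rules are this example's own.

```python
import os

# Constructed copies of the three /etc/pam.d/postgresql variants described in the post.
SAMPLE_STACKS = {
    "ldap": """\
auth        required    /lib/security/pam_ldap.so
account     required    /lib/security/pam_ldap.so
""",
    "unix": """\
auth        required    /lib/security/pam_unix.so
account     required    /lib/security/pam_unix.so
""",
    "unix_permit": """\
auth        required    /lib/security/pam_unix.so
account     required    /lib/security/pam_permit.so
""",
}

KNOWN_CONTROLS = {"required", "requisite", "sufficient", "optional"}


def parse_pam(text):
    """Parse a classic /etc/pam.d service file into (stage, control, module, args) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1] not in KNOWN_CONTROLS:
            raise ValueError(f"line {lineno}: malformed or unsupported entry: {raw!r}")
        # The module may be given by absolute path (as in the post) or by bare name.
        entries.append((fields[0], fields[1], os.path.basename(fields[2]), fields[3:]))
    return entries


def lint_pam(entries, daemon_uid):
    """Return findings for a stack that will be driven by a daemon running as daemon_uid."""
    findings = []
    stages = {stage for stage, _, _, _ in entries}
    for needed in ("auth", "account"):
        if needed not in stages:
            findings.append(f"WARN: no '{needed}' stage; the server calls both pam_authenticate "
                            "and pam_acct_mgmt, so this stage falls through to the 'other' service")
    for stage, _control, module, _args in entries:
        if stage == "auth" and module == "pam_unix.so" and daemon_uid != 0:
            findings.append(
                f"WARN: pam_unix.so auth driven from uid {daemon_uid}: /etc/shadow is not readable "
                "and the unix_chkpwd helper only verifies the calling uid's own account, so other "
                "users fail with 'auth could not identify password'")
        if stage == "account" and module == "pam_permit.so":
            findings.append(
                "WARN: account stage is pam_permit.so: account management is skipped, so locked, "
                "expired or otherwise disabled system accounts are still admitted")
    return findings


if __name__ == "__main__":
    # uid 40 is the postmaster's uid taken from the syslog lines in the post.
    for name, text in SAMPLE_STACKS.items():
        print(f"== {name} ==")
        for finding in lint_pam(parse_pam(text), daemon_uid=40) or ["OK"]:
            print(" ", finding)
```

Run against the three stacks with uid 40, the LDAP stack is clean (pam_ldap talks to the directory itself and needs no shadow access), the plain pam_unix stack yields the shadow/unix_chkpwd warning, and the pam_permit workaround yields that warning plus the skipped-account-checks warning; the same pam_unix stack linted for uid 0 is clean, which is the usual reason pam_unix works for sshd and login but not for an unprivileged daemon.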