Hi folks,

I'm trying to use PAM auth on PostgreSQL, but I still cannot
get PAM auth to succeed (with PG813 and RHEL3).

pg_hba.conf has
host pamtest all 0.0.0.0/0 pam
/etc/pam.d/postgresql is
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
And I've changed the user's password with "ALTER USER ... PASSWORD".

However, my postmaster always denies my login.
---------------------------------------------------------
% /usr/local/pgsql813/bin/psql -h localhost -W -U hoge pamtest
Password for user hoge:
LOG: pam_authenticate failed: Authentication failure
FATAL: PAM authentication failed for user "hoge"
psql: FATAL: PAM authentication failed for user "hoge"
---------------------------------------------------------
What's wrong with that?

BTW, I found that an empty password ("") is passed to the CheckPAMAuth()
function in auth.c.
---------------------------------------------------------
#ifdef USE_PAM
case uaPAM:
pam_port_cludge = port;
status = CheckPAMAuth(port, port->user_name, "");
break;
#endif /* USE_PAM */
---------------------------------------------------------
/*
* Check authentication against PAM.
*/
static int
CheckPAMAuth(Port *port, char *user, char *password)
{
int retval;
pam_handle_t *pamh = NULL;

/*
* Apparently, Solaris 2.6 is broken, and needs ugly static variable
* workaround
*/
pam_passwd = password;

/*
* Set the application data portion of the conversation struct This is
* later used inside the PAM conversation to pass the password to the
* authentication module.
*/
pam_passw_conv.appdata_ptr = (char *) password; /* from password above,
* not allocated */
---------------------------------------------------------
What does this mean? I'm not familiar with PAM, so I can't see
why the password can be empty here.

Any suggestion?

Thanks.
--
NAGAYASU Satoshi <nagayasus@nttdata.co.jp>


  • Albe Laurenz at Jun 20, 2006 at 8:02 am

    Satoshi Nagayasu wrote:
    > I'm trying to use PAM auth on PostgreSQL, but I still cannot
    > get PAM auth to succeed (with PG813 and RHEL3).
    >
    > pg_hba.conf has
    > host pamtest all 0.0.0.0/0 pam
    > /etc/pam.d/postgresql is
    > #%PAM-1.0
    > auth required pam_stack.so service=system-auth
    > account required pam_stack.so service=system-auth
    > password required pam_stack.so service=system-auth
    > And I've changed the user's password with "ALTER USER ... PASSWORD".
    >
    > However, my postmaster always denies my login.

    /etc/pam.d/system-auth probably uses pam_unix.so to authenticate.

    Does the user exist on the machine and have the password you try?

    You could add 'debug' to the pam_unix.so lines in /etc/pam.d/system-auth
    and capture what PAM logs to syslog, maybe that will help.

    Yours,
    Laurenz Albe
  • Satoshi Nagayasu at Jun 20, 2006 at 8:43 am
    Albe,

    Albe Laurenz wrote:
    > /etc/pam.d/system-auth probably uses pam_unix.so to authenticate.
    >
    > Does the user exist on the machine and have the password you try?

    Yes, I have the same user name on my Linux box and PostgreSQL,
    and they have the same password (now).

    > You could add 'debug' to the pam_unix.so lines in /etc/pam.d/system-auth
    > and capture what PAM logs to syslog, maybe that will help.

    Finally, with my small program, I found the PAM module is attempting
    to read /etc/shadow to authenticate, but /etc/shadow can't be read
    without superuser privileges.

    I know the postmaster is running under the "postgres" user's privileges,
    so PAM auth will always cause 'permission denied' around /etc/shadow.

    How can I solve this? Any ideas?

    Thanks.
    --
    NAGAYASU Satoshi <nagayasus@nttdata.co.jp>
    Phone: +81-3-3523-8122
  • Andrew Dunstan at Jun 20, 2006 at 11:07 am

    Satoshi Nagayasu wrote:
    > Albe,
    >
    > Albe Laurenz wrote:
    >> /etc/pam.d/system-auth probably uses pam_unix.so to authenticate.
    >>
    >> Does the user exist on the machine and have the password you try?
    >
    > Yes, I have the same user name on my Linux box and PostgreSQL,
    > and they have the same password (now).
    >
    >> You could add 'debug' to the pam_unix.so lines in /etc/pam.d/system-auth
    >> and capture what PAM logs to syslog, maybe that will help.
    >
    > Finally, with my small program, I found the PAM module is attempting
    > to read /etc/shadow to authenticate, but /etc/shadow can't be read
    > without superuser privileges.
    >
    > I know the postmaster is running under the "postgres" user's privileges,
    > so PAM auth will always cause 'permission denied' around /etc/shadow.
    >
    > How can I solve this? Any ideas?

    Don't use system auth. PAM can authenticate from many sources, not just
    the system password files. LDAP is a commonly used source.

    cheers

    andrew
  • Satoshi Nagayasu at Jun 20, 2006 at 11:14 am

    Andrew Dunstan wrote:
    > Don't use system auth. PAM can authenticate from many sources, not just
    > the system password files. LDAP is a commonly used source.

    The reason why I'm trying to use PAM is that I need a feature
    to lock out an account after N login failures on PG,
    like the pam_tally module.

    I'm going to try LDAP next.

    Thanks.
    --
    NAGAYASU Satoshi <nagayasus@nttdata.co.jp>
    Phone: +81-3-3523-8122
  • Alvaro Herrera at Jun 20, 2006 at 1:05 pm

    Satoshi Nagayasu wrote:
    > Andrew Dunstan wrote:
    >> Don't use system auth. PAM can authenticate from many sources, not just
    >> the system password files. LDAP is a commonly used source.
    >
    > The reason why I'm trying to use PAM is that I need a feature
    > to lock out an account after N login failures on PG,
    > like the pam_tally module.

    I think Andrew is suggesting using LDAP atop PAM, so you'd be able to
    use pam_tally anyway -- just switch away from "system-auth".

    --
    Alvaro Herrera http://www.CommandPrompt.com/
    PostgreSQL Replication, Consulting, Custom Development, 24x7 support
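An added diagnostic for the two findings in this thread (the /etc/shadow permission problem and the advice to move the postgresql service away from system-auth); it is my script, not code from any of the posters or from PostgreSQL. It resolves the module stack that a PAM service name such as "postgresql" actually expands to, following RHEL3's "pam_stack.so service=X" redirection and, as a generalization beyond this thread, the "include"/"substack" controls of later Linux-PAM, then warns when the stack depends on pam_unix.so while the shadow file is readable only by root. The demo at the end runs on a constructed copy of the thread's configuration in a temporary directory; the pam.d directory and shadow path are parameters, so it can be pointed at a real /etc/pam.d as well.

```sh
#!/bin/sh
# Added diagnostic, not from the thread: resolve the module stack behind a PAM
# service name (via RHEL3 "pam_stack.so service=X" or newer "include"/"substack")
# and warn when it depends on pam_unix.so while the shadow file is root-only.

# pam_modules DIR SERVICE [TYPE] [DEPTH] -> one "type module" line per entry
pam_modules() {
    [ "${4:-0}" -gt 8 ] && { echo "error: include loop at $2" >&2; return 1; }
    [ -f "$1/$2" ] || { echo "error: $1/$2 not found" >&2; return 1; }
    while read -r type ctl module args; do
        type=${type#-}                                    # leading '-' = module may be absent
        case $type in ''|'#'*) continue ;; esac           # blank line or comment
        [ -z "$3" ] || [ "$3" = "$type" ] || continue     # sub-stacks apply per type only
        case $ctl in include|substack)                    # Linux-PAM 0.99+ style
            pam_modules "$1" "$module" "$type" $((${4:-0} + 1)) || return 1; continue ;;
        esac
        case $module in pam_stack.so)                     # RHEL3 style redirection
            sub=${args#*service=}; sub=${sub%% *}
            pam_modules "$1" "$sub" "$type" $((${4:-0} + 1)) || return 1; continue ;;
        esac
        echo "$type $module"
    done < "$1/$2"
}

# readable_by_others FILE -> 0 if the group or other read bit is set, else 1
readable_by_others() {
    mode=$(ls -ld "$1" | cut -c2-10)                      # e.g. rw-r-----
    case $mode in ???r?????|??????r??) return 0 ;; esac
    return 1
}

# pam_check DIR SERVICE SHADOW -> prints the stack and a verdict; returns 0 when
# pam_unix.so is in the stack, 1 when it is not, 2 when the stack cannot be resolved
pam_check() {
    stack=$(pam_modules "$1" "$2") || return 2
    printf '%s\n' "$stack"
    echo "$stack" | grep -q 'pam_unix\.so' || return 1
    if readable_by_others "$3"; then
        echo "note: pam_unix.so in use; $3 is readable beyond root"
    else
        echo "warn: pam_unix.so must read $3, which only root can read; a server" \
             "running as an unprivileged user will see 'Authentication failure'"
    fi
}

# Demo on a constructed copy of the thread's configuration (not the real /etc/pam.d)
d=$(mktemp -d); mkdir "$d/pam.d"; : > "$d/shadow"; chmod 600 "$d/shadow"
echo 'auth required pam_stack.so service=system-auth' > "$d/pam.d/postgresql"
echo 'auth required pam_unix.so' > "$d/pam.d/system-auth"
pam_check "$d/pam.d" postgresql "$d/shadow"; rm -rf "$d"
```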

Discussion Overview
group: pgsql-hackers @ postgresql
posted: Jun 20, '06 at 2:46a
active: Jun 20, '06 at 1:05p
posts: 6
users: 4
website: postgresql.org...
irc: #postgresql