
Re: calling pam_sm_open_session

In linux.redhat.pam, msg id <002e01c024ca$0fca3e00$5004020a@mcld.net> you wrote:
 >> Hi all,
 >> I'm back to debugging my telnet not working with LDAP problem.
 >> We're using RedHat 6.2, OpenLDAP 1.2.10, pam_ldap-70, nss_ldap-113.
 >> When I attempt to telnet from machine bb to aa, /var/log/messages
 >> on the client machine (aa) looks like telnet is working, the
 >> session is opened and the messages look the same as if I was
 >> logging in at the console.  Except the exit status 1 happens
 >> immediately and I get "Connection closed by foreign host."
 >> Looking into the code for pam_pwdb, the function opening the
 >> connection (pam_sm_open_session) has to be returning success.
 >> So, I'm looking for what initially calls pam_sm_open_session.
 >> Is it called directly from inetd?  I'm trying to understand
 >> how PAM gets integrated into the OS.
 >> Thank you for any direction you can offer,
 >> Kelli
 >> -------------

Kind of difficult to troubleshoot this problem from where I sit,
but I can at least answer a couple of your questions.

pam_sm_open_session() is called from within a PAM module itself.
The module must be written to contain the "session" component
required to service any entries in /etc/pam.d/* that begin with
the word session.  

A PAM-aware application linked with libpam.so.*  tells the PAM
library which "service name" it wants to be associated with via the
pam_start() function call.  For example:

retval = pam_start("ftp", user, &conv, &pamh);

This tells the PAM library to search /etc/pam.d for the file
called "ftp" and to load the shared objects listed there using

Each module (or stack of modules) listed in the file is executed
but only the components which are required by the config file.
For the "ftp" example:

auth       sufficient	/lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required	/lib/security/pam_pwdb.so shadow nullok
auth       required	/lib/security/pam_shells.so
account    required	/lib/security/pam_pwdb.so
session    required	/lib/security/pam_pwdb.so

When the PAM-aware ftp application calls the pam_authenticate()
function, the PAM libraries cause the module stack that begins with
"auth" to be run.  Each respective module executes only its authorization
component, even though they may also have account, session, and password
components.  Which modules can be used for which of the 4 main functions
of the PAM framework depends on how the particular module was written.

When an application calls the pam_acct_mgmt() function, the PAM libs
execute the modules in the "account" entries of the config file.
Only the account components of these modules are run.

Follow the same logic for pam_chauthtok() - runs the "password" modules
and pam_open_session() and pam_close_session() - "session" modules.

Notice that pam_pwdb.so is listed for auth, account, and session.
The implicit requirement here is that this module must contain
authorization, account, and session components.  A module need
not be written to contain every component, but that means it can only
be used for the component(s) it does have.  In other words, if a module
pam_bogus.so contains, for example, only the authorization and account 
components, it would be an error to create the following config entry:

password  required  /lib/security/pam_bogus.so

A call by the PAM application to pam_chauthtok() would try to run
the password component of pam_bogus.so, which does not exist.

I might be able to make more sense of your problem if you could
provide a copy of your /etc/pam.d/login and /etc/pam.d/telnet
(if it even exists).

K. Bradford
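The mapping the reply describes (libpam entry point to management group, and each entry running only that component of the module) is easy to check mechanically. The following Python script is an added example, not code from the reply or from Linux-PAM: it parses a pam.d-style service file, reports which module stack each libpam call would run, flags entries that name a component the module does not implement (the pam_bogus.so case), and evaluates a stack under simplified control-flag semantics (required, requisite, sufficient, optional). The service file text is constructed after the ftp example in the reply, plus one deliberately wrong password line, and the MODULE_COMPONENTS table of what each module implements is an assumption for the example; real capabilities come from each module's documentation.

```python
"""Check a pam.d service file the way libpam would consume it.

The sample file and the module-capability table are constructed for this
example; pam_bogus.so is the made-up module from the mailing-list reply.
"""

# Constructed after the ftp service file quoted in the reply, with a
# deliberately wrong last line (a password entry for a module lacking one).
SAMPLE_SERVICE_FILE = """\
# comments and blank lines are ignored, as in /etc/pam.d/*
auth       sufficient  /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required    /lib/security/pam_pwdb.so shadow nullok
auth       required    /lib/security/pam_shells.so
account    required    /lib/security/pam_pwdb.so
session    required    /lib/security/pam_pwdb.so
password   required    /lib/security/pam_bogus.so
"""

# libpam entry point -> the management group (first column) it runs.
API_TO_GROUP = {
    "pam_authenticate": "auth",
    "pam_acct_mgmt": "account",
    "pam_chauthtok": "password",
    "pam_open_session": "session",
    "pam_close_session": "session",
}

# Assumed components implemented by each module (hypothetical table).
MODULE_COMPONENTS = {
    "pam_pwdb.so": {"auth", "account", "session", "password"},
    "pam_listfile.so": {"auth", "account", "session", "password"},
    "pam_shells.so": {"auth", "account"},
    "pam_bogus.so": {"auth", "account"},
}

GROUPS = {"auth", "account", "password", "session"}
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}


def parse_service(text):
    """Return (group, control, module, args) tuples in file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected 'group control module [args]'")
        group, control, path = parts[:3]
        if group not in GROUPS:
            raise ValueError(f"line {lineno}: unknown management group {group!r}")
        if control not in CONTROL_FLAGS:
            raise ValueError(f"line {lineno}: unknown control flag {control!r}")
        module = path.rsplit("/", 1)[-1]  # basename of the shared object
        entries.append((group, control, module, parts[3:]))
    return entries


def stack_for_call(entries, api_name):
    """Modules, in order, that one libpam call causes to run."""
    group = API_TO_GROUP[api_name]
    return [module for g, _, module, _ in entries if g == group]


def missing_components(entries, capabilities):
    """Entries whose module does not implement the listed component."""
    problems = []
    for group, _, module, _ in entries:
        comps = capabilities.get(module)
        if comps is None:
            problems.append(f"{module}: unknown module, cannot verify '{group}'")
        elif group not in comps:
            problems.append(f"{module}: listed under '{group}' but implements only "
                            f"{sorted(comps)}")
    return problems


def run_stack(entries, group, results):
    """Evaluate one group with simplified Linux-PAM control-flag rules.

    results maps module name -> True (module succeeded) / False (failed);
    modules absent from results are treated as succeeding.
    Returns True if the call as a whole succeeds.
    """
    stack = [(control, module) for g, control, module, _ in entries if g == group]
    failed = False  # a prior required/requisite failure poisons the stack
    for control, module in stack:
        ok = results.get(module, True)
        if control == "required" and not ok:
            failed = True              # keep going, but remember the failure
        elif control == "requisite" and not ok:
            return False               # fail immediately
        elif control == "sufficient" and ok and not failed:
            return True                # short-circuit: later modules never run
        # optional: result ignored here
    return not failed


if __name__ == "__main__":
    entries = parse_service(SAMPLE_SERVICE_FILE)
    for api in API_TO_GROUP:
        print(f"{api:>17}() runs: {stack_for_call(entries, api)}")
    for problem in missing_components(entries, MODULE_COMPONENTS):
        print("config error:", problem)
```

Run against the quoted auth stack, run_stack() shows the control-flag consequence a reviewer would want to see: a failing pam_listfile.so under "sufficient" is simply ignored and the stack falls through to pam_pwdb.so, while a succeeding one returns success before pam_pwdb.so is ever consulted, so the choice between "required" and "sufficient" on that line decides whether the password check runs at all.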
