problems with pam_pgsql
Yann.Conan at imc-fr.com
Yann.Conan at imc-fr.com
Tue Apr 24 17:38:30 UTC 2007
Hello,
I'am working on synchronize a user postgresql database with openssh using
pam_pgsql for authentication.
And it doesn't work.
I'am using a fedora core 6 OS.
First, I've created the database "unix" with 3 tables with postgresql:
unix=# select * from passwd_table;
username | passwd | uid | gid | gecos | homedir | shell
----------+----------+-----+-----+--------+-------------+-----------
user1 | password | 500 | 500 | user 1 | /home/user1 | /bin/bash
user2 | password | 501 | 500 | user 2 | /home/user2 | /bin/bash
select * from group_table;
gid | groupname | descr | passwd
-----+-----------+-------+--------
500 | util |
select * from usergroups;
gid | uid
-----+----- |
I've installed by compilation the libnss-pgsql
the getent passwd command works, I obtain the user1 an user2 à the end of
the list.
I am able to change the user and the group of un directy with chown
command :
# ls -l /home
total 8
drwxr-xr-x 2 user1 util 4096 avr 24 10:11 user1
then now i would like to login with ssh on this system with a user
existing in the database. To do that I ve installed pam-pgsql.so.
I've compiled this version of pam-pgsql : pam-pgsql-1.0.0.tgz find on
pgfoundry web site.
I've followed the README help to install it and configure it :
./configure; make; make install
the /etc/pam.d/sshd file is configured like that:
auth include system-auth-pg
account required pam_nologin.so
account include system-auth-pg
password include system-auth-pg
session optional pam_keyinit.so force revoke
session include system-auth-pg
session required pam_loginuid.so
and the /etc/pam.d/system-auth-pg is configured like that :
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_pgsql.so use_first_pass debug
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_pgsql.so debug
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password sufficient pam_pgsql.so debug
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
and the /etc/pam_pgsql.conf is configured like that:
connectionstring = user=postgres host=127.0.0.1 dbname=unix
getpassword = SELECT passwd FROM passwd_table WHERE username = $1
#changepw = UPDATE passwd_table SET password = $2 WHERE user = $1
#isexpired = SELECT 1 FROM passwd_table WHERE user = $1 AND isexpired <
NOW()
#newpassrequired = SELECT 1 FROM table WHERE user = $1 AND newpass < NOW()
I tried also this configuration
host = 127.0.0.1
database = unix
user = postgres
table = passwd_table
user_column = username
pwd_column = passwd
debug
pw_type = clear
the authentication with postgresql is for the moment in trust mode to not
use password (this system works with nsswitch)
then when i try this command on the server:
ssh user1 at 127.0.0.1
I've only this two messages in my log:
in /var/log/secure :
Apr 26 00:36:29 FC6-vm1 sshd[9067]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fc6-vm1 user=user1
Apr 26 00:36:31 FC6-vm1 sshd[9067]: Failed password for user1 from
127.0.0.1 port 42067 ssh2
and in /var/log/messages :
Apr 26 00:36:29 FC6-vm1 PAM_pgsql[9067]: the database, table and
user_column options are required.
It's strange, it's like the pam_pgsql.conf was not read !?
Any idea ?
Kind regards,
Yann CONAN from Bordeaux
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20070424/75194d68/attachment.htm>
More information about the Pam-list
mailing list