Module testing

Dan Field dof at llgc.org.uk
Wed Jul 4 11:30:29 UTC 2007


I've written a web service in PHP5 using ext/SOAP and I've forged a basic
PAM module from web snippets I've found around the web and everything
appears to work at a glance but in practice I am having a problem.

I'm trying to use the sshd application config in /etc/pam.d/sshd to test
my module but can I get it to authenticate? can I buggery!

The code where I send my PAM_SUCCESS is here:

    /* now we have parsed the entire document we can return the PAM result */
    if (soapResult == 1) {
        authres = PAM_SUCCESS;
        syslog(LOG_INFO, "User %s will be authenticated with password %s",
               user, password);
        return PAM_SUCCESS;
    } else {
        authres = PAM_AUTH_ERR;
        syslog(LOG_INFO, "User %s failed to authenticate.", user);
        return PAM_AUTH_ERR;
    }

This works. Or at least I get the syslog entry showing both my username
and password as typed on the console and ssh client's request. You would
think that this would be all that was required, no?

However, in my syslog I get:

Jul  3 16:30:12 caywdev pam_virtua_soap[20490]: User S10523 will be authenticated with password MyPassword
Jul  3 16:30:14 caywdev sshd[20488]: error: PAM: Authentication failure for S10523 from virtualfedora3.llgc.org.uk

My sshd config is set as follows:

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

Perhaps SSHD is not the best way to test this. Can anyone either solve my
sshd problem or provide an alternative method of testing my PAM module?

Oh and my /etc/pam.d/sshd looks like this:

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
auth       sufficient   pam_virtua_soap.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so

Any help would be much appreciated.

-- 
Dan Field <dof at llgc.org.uk>                        Tel. +44 1970  632 582
Datblygwr Systemau                                     Systems  Developer
Llyfrgell Genedlaethol Cymru                  National Library of  Wales
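
Added example, not part of the original post and not Linux-PAM code: a simplified Python model of how the `auth` lines quoted above are evaluated, showing how a `sufficient` module can log success while the stack as a whole still fails. The per-module results in `ASSUMED` and the `REORDERED` stack are assumptions constructed for illustration; the post does not show what `system-auth` returned.

```python
PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"

# auth lines copied from the /etc/pam.d/sshd in the post
POSTED = """\
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
auth       sufficient   pam_virtua_soap.so
"""
# Constructed variant for comparison: the SOAP module is consulted earlier
REORDERED = """\
auth       required     pam_nologin.so
auth       sufficient   pam_virtua_soap.so
auth       required     pam_stack.so service=system-auth
"""
# ASSUMED per-module results for an account known only to the SOAP service
ASSUMED = {"pam_stack.so": PAM_AUTH_ERR, "pam_nologin.so": PAM_SUCCESS,
           "pam_virtua_soap.so": PAM_SUCCESS}

def parse_auth(text):
    """Return [(control, module)] for the auth lines of a pam.d service file."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [(f[1], f[2]) for f in rows if len(f) >= 3 and f[0] == "auth"]

def evaluate(stack, results):
    """Simplified model of the keyword controls; returns (result, modules_called)."""
    failure, ok, called = None, False, []
    for control, module in stack:
        if control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError("control not modelled: " + control)
        called.append(module)
        ret = results[module]
        if ret == PAM_SUCCESS:
            ok = True
            # sufficient ends the stack only if no required module failed earlier
            if control == "sufficient" and failure is None:
                return PAM_SUCCESS, called
        elif control in ("required", "requisite"):
            failure = failure or ret   # the first hard failure decides the result
            if control == "requisite":
                break                  # requisite returns to the application at once
        # a failing sufficient or optional module is ignored
    if failure is None and ok:
        return PAM_SUCCESS, called
    # Model simplification: report PAM_AUTH_ERR when no module succeeded
    return failure or PAM_AUTH_ERR, called

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("reordered", REORDERED)):
        print(name, *evaluate(parse_auth(text), ASSUMED))
```

In the reordered stack a success from `pam_virtua_soap.so` ends the auth phase before `system-auth` is consulted, so the SOAP service alone decides those logins.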
