From: | Oliver Elphick <olly(at)lfix(dot)co(dot)uk> |
---|---|
To: | Hervé Piedvache <herve(at)elma(dot)fr> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: pam authentification trouble ... |
Date: | 2004-07-08 10:09:21 |
Message-ID: | 1089281361.29038.8.camel@braydb |
Lists: | pgsql-general |
On Tue, 2004-07-06 at 15:13, Hervé Piedvache wrote:
> Dear all,
>
> I have trouble with PAM authentication for PostgreSQL.
>
> I have added in the pg_hba.conf the good line ... and I have created
> a /etc/pam.d/postresql file which contains:
>
> auth required pam_unix.so nullok_secure
> account required pam_unix.so
>
> Now like this ... impossible for me to connect to the database ... I have
> messages like this:
> Jul 6 13:26:44 zoot arr [local] authentication: (pam_unix) auth could not
> identify password for [herve]
> Jul 6 13:26:47 zoot arr [local] authentication: (pam_unix) authentication
> failure; logname= uid=31 euid=31 tty= ruser= rhost= user=herve
>
> The only solution I have found to make it run is to put the postgres user
> in the shadow group ... to be able to read the /etc/shadow file ...
>
> I think this is not normal ... so please if you have any idea to solve my
> trouble ... I'll be very pleased ...

Yes, it's normal: the password is in /etc/shadow, so you MUST be in the
shadow group to be able to check it; otherwise the security of
/etc/shadow is useless. Almost every other password checking process
runs as root; since postmaster does not, there is a problem.

Putting postgres in the shadow group decreases its security somewhat;
however, if postgres itself has no valid password ("*" in the password
field in /etc/shadow) it can only be accessed by doing su from root,
which reduces the security problem to checking that C functions and
insecure PL functions do not try to read /etc/shadow.

Oliver Elphick
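
Added example, not part of the original message: a shell audit of the trade-off described in the reply above, checking whether a service account is in the shadow group and, if so, whether it has no valid password. The function names and sample files are constructed for illustration; beyond the "*" case named in the reply, it also treats a leading "!" as no valid password, per shadow(5).

```shell
#!/bin/sh
# Added example (hypothetical helper names). Inputs are files in
# group(5) and shadow(5) format; pass /etc/group and /etc/shadow to audit a host.

# Succeeds if USER is a supplementary member of GROUP (field 4 of GROUPFILE).
in_group() {  # in_group USER GROUP GROUPFILE
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }' "$3"
}

# Succeeds if USER's password field starts with "*" or "!" (no valid hash).
# A user with no entry at all is reported as NOT locked, to fail safe.
no_valid_password() {  # no_valid_password USER SHADOWFILE
    awk -F: -v u="$1" '
        $1 == u && $2 ~ /^[*!]/ { locked = 1 }
        END { exit (locked ? 0 : 1) }' "$2"
}

# Prints one verdict line for the account.
audit() {  # audit USER GROUPFILE SHADOWFILE
    if ! in_group "$1" shadow "$2"; then
        echo "OK: $1 is not in the shadow group"
    elif no_valid_password "$1" "$3"; then
        echo "REVIEW: $1 can read shadow hashes; account has no valid password"
    else
        echo "RISK: $1 can read shadow hashes and has a usable password"
    fi
}

# Constructed sample data (placeholder strings, not real hashes).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'shadow:x:42:postgres' 'users:x:100:herve' > "$demo/group"
printf '%s\n' 'postgres:*:12600:0:99999:7:::' \
    'herve:$1$constructed$hash:12600:0:99999:7:::' > "$demo/shadow"
printf '%s\n' 'postgres:$1$constructed$hash:12600:0:99999:7:::' > "$demo/shadow2"

audit postgres "$demo/group" "$demo/shadow"    # in shadow group, "*" password
audit postgres "$demo/group" "$demo/shadow2"   # in shadow group, usable password
audit herve "$demo/group" "$demo/shadow"       # not in shadow group
```

A REVIEW verdict corresponds to the residual risk named in the reply: the account cannot be logged into directly, so what remains is code running as that account (C functions, untrusted PL functions) reading /etc/shadow.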