Re: Pam NIS authentication

From: Samed YILDIRIM <samed(at)reddoc(dot)net>
To: Andrey Glazunov <aag(at)aag(dot)sh>
Cc: pgsql-admin(at)lists(dot)postgresql(dot)org
Subject: Re: Pam NIS authentication
Date: 2024-02-03 20:38:11
Message-ID: CAAo1mbnmrKFADrjrX+L9Va2Me4dEFEZROeTQ9HOde=TDsqEXPw@mail.gmail.com
Lists: pgsql-admin

Hi Andrey,

I tried to install a NIS server and a PostgreSQL server on Debian 12
virtual machines by using the configuration you shared. I managed to
reproduce the issue. :) And, the most valuable log came from the NIS
server. They are below:
Feb 03 22:03:44 nis ypserv[1191]: refused connect from 192.168.65.3 port 51101 to procedure ypproc_match (pam.test,shadow.byname;-1)
Feb 03 22:03:44 nis ypserv[1191]: refused connect from 192.168.65.3 port 38913 to procedure ypproc_match (pam.test,passwd.adjunct.byname;-1)
Feb 03 22:03:44 nis ypserv[1191]: refused connect from 192.168.65.3 port 37592 to procedure ypproc_match (pam.test,shadow.byname;-1)
Feb 03 22:03:44 nis ypserv[1191]: refused connect from 192.168.65.3 port 59311 to procedure ypproc_match (pam.test,passwd.adjunct.byname;-1)

Basically, all configuration on the database side seems correct. And all
the configuration on the NIS server side is sort of correct. The problem is
that the postgres user on the PostgreSQL server is not a privileged user.
The authentication process and the connection to the NIS server for
authentication are performed by the unprivileged user. Therefore, the UDP
source port of the connection to the NIS server is initiated from a port
number >=1024. However, the NIS server's default configuration denies access to
the shadow file if the source port is >= 1024. For that reason, when
you try to run pamtester as root, you do not observe any error. But, if you
run pamtester as the postgres user, you can see authentication failure
because of the same reason.
postgres(at)postgresql:~$ pamtester -v postgresql samed authenticate
pamtester: invoking pam_start(postgresql, samed, ...)
pamtester: performing operation - authenticate
Password:
pamtester: Authentication failure

The quickest solution is to allow requests from PostgreSQL server for ports
>= 1024. After I added the bolded line below to the NIS server's
configuration and restarted services, I successfully authenticated
PostgreSQL users through PAM against the NIS server.
root(at)nis:~# cat /etc/ypserv.conf |grep -Ev '^#|^\s*$'
files: 30
slp: no
slp_timeout: 3600
xfr_check_port: yes
*192.168.65.3 : * : shadow.byname : none*
* : * : shadow.byname : port
* : * : passwd.adjunct.byname : port
* : * : * : none

*Full disclaimer:* I'm not a NIS expert. This was the first time I
installed a NIS server. So, I highly recommend that you consult an expert in
this domain and proceed at your own risk.

Best regards.
Samed YILDIRIM
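To make the port check above concrete, here is an added example (not code from the thread or from ypserv) that parses the ypserv refusal lines quoted in the mail and replays them against a simplified model of ypserv.conf access rules: first matching rule wins, `none` allows, `port` allows only a privileged source port below 1024. The rule semantics are my reading of ypserv.conf(5), hostname and network/netmask host forms are deliberately not modelled, and the config and log constants are constructed from the lines quoted above.

```python
import re

# Constructed from the ypserv refusals quoted in the mail (one request per line, unwrapped).
YPSERV_LOG = """\
Feb 03 22:03:44 nis ypserv[1191]: refused connect from 192.168.65.3 port 51101 to procedure ypproc_match (pam.test,shadow.byname;-1)
Feb 03 22:03:44 nis ypserv[1191]: refused connect from 192.168.65.3 port 38913 to procedure ypproc_match (pam.test,passwd.adjunct.byname;-1)
"""

# Rules before the fix ('port' = privileged source port < 1024) and after adding the host exception on top.
YPSERV_CONF_BEFORE = """\
files: 30
* : * : shadow.byname : port
* : * : passwd.adjunct.byname : port
* : * : * : none
"""
YPSERV_CONF_AFTER = "192.168.65.3 : * : shadow.byname : none\n" + YPSERV_CONF_BEFORE

REFUSED = re.compile(r"refused connect from (\S+) port (\d+) to procedure \w+ \(([^,]+),([^;]+);")

def parse_refusals(log):
    """Return (client_ip, source_port, domain, map) for each refused request in the log."""
    hits = []
    for line in log.splitlines():
        m = REFUSED.search(line)
        if m:
            hits.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return hits

def parse_rules(conf):
    """Keep only 'host : domain : map : security' lines; 'key: value' options are skipped."""
    return [tuple(f.strip() for f in ln.split(":"))
            for ln in conf.splitlines() if ln.count(":") == 3 and not ln.lstrip().startswith("#")]

def decide(rules, ip, domain, map_name, port):
    """Simplified ypserv.conf(5) model (assumed): first matching rule wins; hosts are
    matched literally or by '*', so hostname and network/netmask forms are not handled."""
    for host, dom, mp, security in rules:
        if host in ("*", ip) and dom in ("*", domain) and mp in ("*", map_name):
            if security == "none":
                return "allow"
            if security == "port":
                return "allow" if port < 1024 else "deny"
            return "deny"
    return "no-rule"

def replay(log, conf):
    """Replay every refused request against a config: does the unprivileged port still fail?"""
    rules = parse_rules(conf)
    return [(mp, port, decide(rules, ip, dom, mp, port)) for ip, port, dom, mp in parse_refusals(log)]
```

Replaying the second log line shows that the added exception covers only shadow.byname: a passwd.adjunct.byname lookup from an unprivileged port is still refused under this config.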

On Wed, 31 Jan 2024 at 22:29, Andrey Glazunov <aag(at)aag(dot)sh> wrote:

> Hi Samed,
>
> I just tried dropping account mechanism to pam_permit as you suggested and
> unfortunately it did not help.
>
> There is an acl on shadow file so it is readable by postgres user.
> And an empty or wrong password is an auth failure as expected.
>
> /etc/nsswitch.conf was generated by authselect:
> aliases: files nis
> automount: files nis
> ethers: files nis
> group: files nis systemd
> hosts: files nis dns myhostname
> initgroups: files nis
> netgroup: files nis
> networks: files nis
> passwd: files nis systemd
> protocols: files nis
> publickey: files nis
> rpc: files nis
> services: files nis
> shadow: files nis
> gshadow: files
>
> Looks okay to me. I can lookup, login or switch NIS users without issue,
> so I assume the setup is correct.
> One thing that comes to mind is that our NIS uids are somewhat big,
> starting around 50k. Could this be an issue?
>
> thanks,
>
> wbr,
> Andrey
>
> On 31/01/2024 19:46, Samed YILDIRIM wrote:
> > Hi Andrey,
> >
> > I haven't used Postgres with pam authentication for a long time. I
> > cannot spot anything right away. However, your "All of this works fine for
> > 'local' Linux accounts." sentence makes me confused. According to what I
> > understand from the documentation and your explanation, it is not supposed
> > to work.
> >
> >
> > Note
> >
> > If PAM is set up to read |/etc/shadow|, authentication will fail because
> > the PostgreSQL server is started by a non-root user. However, this is not
> > an issue when PAM is configured to use LDAP or other authentication methods.
> >
> > https://www.postgresql.org/docs/15/auth-pam.html
> >
> > Have you tried to run pamtester as postgres user? Also testing with an
> > empty password and with a wrong password may be helpful.
> >
> > Also, what does the /etc/nsswitch.conf file look like? There can be a
> > configuration issue in that file. The following log line looks interesting. My
> > first impression is that it could not find the user. Do you use the same
> > users to log in to the Linux server itself?
> > <nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): check pass; user unknown
> >
> > My gut says the passwd line is not configured correctly in the
> > nsswitch.conf file. And, you may end up changing the account line in
> > the /etc/pam.d/postgresql file with the line below.
> > account required pam_permit.so
> >
> > Best regards.
> > Samed YILDIRIM
> >
> >
> > On Wed, 31 Jan 2024 at 19:08, Andrey Glazunov <aag(at)aag(dot)sh> wrote:
> >
> > Hi,
> >
> > I'm trying to configure Postgres to authenticate NIS users through pam.
> >
> > Here is my setup:
> >
> > Server version:
> > PostgreSQL 15.2 on x86_64-redhat-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-18), 64-bit
> >
> > Relevant pg_hba lines:
> > host all psql all md5
> > host all all all pam
> >
> > PAM:
> > /etc/pam.d/postgresql
> > #%PAM-1.0
> > auth include password-auth
> > account include password-auth
> >
> > /etc/pam.d/password-auth
> > # Generated by authselect on Wed Jan 31 12:48:13 2024
> > # Do not modify this file manually.
> >
> > auth required pam_env.so
> > auth required pam_faildelay.so delay=2000000
> > auth sufficient pam_unix.so nullok
> > auth required pam_deny.so
> >
> > account required pam_unix.so broken_shadow
> >
> > password requisite pam_pwquality.so local_users_only
> > password sufficient pam_unix.so sha512 shadow nullok use_authtok nis
> > password required pam_deny.so
> >
> > session optional pam_keyinit.so revoke
> > session required pam_limits.so
> > -session optional pam_systemd.so
> > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session required pam_unix.so
> >
> > Pam service seems to be okay, ie if I provide the correct pass, it
> > lets me through with both local and NIS accounts:
> > % pamtester -v postgresql <localuser> authenticate
> > pamtester: invoking pam_start(postgresql, <localuser>, ...)
> > pamtester: performing operation - authenticate
> > Password:
> > pamtester: successfully authenticated
> >
> > % pamtester -v postgresql <nisuser> authenticate
> > pamtester: invoking pam_start(postgresql, <nisuser>, ...)
> > pamtester: performing operation - authenticate
> > Password:
> > pamtester: successfully authenticated
> >
> >
> > Users exist in Postgres with login permission, required NIS daemons
> > are up and running, tools like ypwhich or ypcat are working fine.
> > But when I try to connect to Postgres server using NIS account,
> > authentication fails:
> > psql: error: connection to server at "<hostname>" (10.65.31.25), port 5432 failed: FATAL: PAM authentication failed for user "<nisuser>"
> >
> > Server logs:
> > [52] DEBUG: forked new backend, pid=564 socket=10
> > [564] DEBUG: InitPostgres
> > [564] DEBUG: my backend ID is 3
> > [564] DEBUG: StartTransaction(1) name: unnamed; blockState: DEFAULT; state: INPROGRESS, xid/subid/cid: 0/1/0
> > [564] DEBUG: shmem_exit(0): 4 before_shmem_exit callbacks to make
> > [564] DEBUG: shmem_exit(0): 6 on_shmem_exit callbacks to make
> > [564] DEBUG: proc_exit(0): 2 callbacks to make
> > [564] DEBUG: exit(0)
> > [564] DEBUG: shmem_exit(-1): 0 before_shmem_exit callbacks to make
> > [564] DEBUG: shmem_exit(-1): 0 on_shmem_exit callbacks to make
> > [564] DEBUG: proc_exit(-1): 0 callbacks to make
> > [52] DEBUG: reaping dead processes
> > [52] DEBUG: server process (PID 564) exited with exit code 0
> > [52] DEBUG: forked new backend, pid=566 socket=10
> > [566] DEBUG: InitPostgres
> > [566] DEBUG: my backend ID is 3
> > [566] DEBUG: StartTransaction(1) name: unnamed; blockState: DEFAULT; state: INPROGRESS, xid/subid/cid: 0/1/0
> > [566] DEBUG: received password packet
> > [566] LOG: pam_authenticate failed: Authentication failure
> > [566] FATAL: PAM authentication failed for user "<nisuser>"
> > [566] DETAIL: Connection matched pg_hba.conf line 105: "host all all all pam"
> > [566] DEBUG: shmem_exit(1): 4 before_shmem_exit callbacks to make
> > [566] DEBUG: shmem_exit(1): 6 on_shmem_exit callbacks to make
> > [566] DEBUG: proc_exit(1): 2 callbacks to make
> > [566] DEBUG: exit(1)
> > [566] DEBUG: shmem_exit(-1): 0 before_shmem_exit callbacks to make
> > [566] DEBUG: shmem_exit(-1): 0 on_shmem_exit callbacks to make
> > [566] DEBUG: proc_exit(-1): 0 callbacks to make
> > [52] DEBUG: reaping dead processes
> > [52] DEBUG: server process (PID 566) exited with exit code 1
> >
> > Secure log:
> > <nisuser>[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): username [<nisuser>] obtained
> > <nisuser>[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): conversation failed
> > <nisuser>[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): auth could not identify password for [<nisuser>]
> > <nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): username [<nisuser>] obtained
> > <nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): check pass; user unknown
> > <nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): authentication failure; logname= uid=26 euid=26 tty= ruser= rhost=10.65.31.25
> >
> > All of this works fine for 'local' Linux accounts.
> >
> > Am I missing something?
> >
> > thanks,
> >
> > --
> > wbr,
> > Andrey
> >
> >
> >
>
>
