Re: PAM

From: Tim Frank <tfrank(at)registrar(dot)uoguelph(dot)ca>
To: pgsql-admin(at)postgresql(dot)org
Subject: Re: PAM
Date: 2002-12-06 18:38:28
Message-ID: asqqr7$2mqo$1@news.hub.org
Lists: pgsql-admin pgsql-patches

Here is a bit of a follow-up to the PAM setup. If you want to
authenticate against an LDAP source, then create a /etc/pam.d/postgresql
file containing the following:

auth required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so

This works fine and I love the feature :) The problem I am having is if
I try to use pam_unix.so. If I set it up similarly,

auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so

I get a bunch of errors from the system and postgres. System errors are
always of the form,

postgresql(pam_unix)[28219]: auth could not identify password for [myuser]
postgresql(pam_unix)[28220]: authentication failure; logname= uid=40
euid=40 tty= ruser= rhost= user=myuser

And the postgres logs show,

DEBUG: BackendStartup: forked pid=28290 socket=8
LOG: CheckPAMAuth: pam_authenticate failed: 'Conversation error'
FATAL: PAM authentication failed for user "myuser"
DEBUG: proc_exit(0)
DEBUG: shmem_exit(0)
DEBUG: exit(0)
DEBUG: reaping dead processes
DEBUG: child process (pid 28290) exited with exit code 0
DEBUG: BackendStartup: forked pid=28291 socket=8
DEBUG: received PAM packet
LOG: CheckPAMAuth: pam_authenticate failed: 'Authentication failure'
FATAL: PAM authentication failed for user "myuser"
DEBUG: proc_exit(0)
DEBUG: shmem_exit(0)
DEBUG: exit(0)
DEBUG: reaping dead processes
DEBUG: child process (pid 28291) exited with exit code 0

If I try the same thing, but logging in as the "postgres" user rather
than a normal user I get the following in the system logs,

postgresql(pam_unix)[28284]: auth could not identify password for [postgres]

and this in the postgres logs,

DEBUG: BackendStartup: forked pid=28284 socket=8
LOG: CheckPAMAuth: pam_authenticate failed: 'Conversation error'
FATAL: PAM authentication failed for user "postgres"
DEBUG: proc_exit(0)
DEBUG: shmem_exit(0)
DEBUG: exit(0)
DEBUG: reaping dead processes
DEBUG: child process (pid 28284) exited with exit code 0
DEBUG: BackendStartup: forked pid=28285 socket=8
DEBUG: received PAM packet
LOG: CheckPAMAuth: pam_acct_mgmt failed: 'Authentication failure
service cannot retrieve authentication info.'
FATAL: PAM authentication failed for user "postgres"
DEBUG: proc_exit(0)
DEBUG: shmem_exit(0)
DEBUG: exit(0)
DEBUG: reaping dead processes
DEBUG: child process (pid 28285) exited with exit code 0

Now, the good news is that if I modify the PAM configuration as follows,

auth required /lib/security/pam_unix.so
account required /lib/security/pam_permit.so

I can at least log in as the postgres user. I still can't log in as a
regular system user. I think there is something to do with PAM not
liking a system uid=40 for any user except the postgres user, but I
really don't have any hard proof to base that on. Even when the
postgres user successfully logs in I still get "errors" in the system logs,

postgresql(pam_unix)[28315]: auth could not identify password for [postgres]

and "errors" in the postgres logs,

DEBUG: BackendStartup: forked pid=28315 socket=8
LOG: CheckPAMAuth: pam_authenticate failed: 'Conversation error'
FATAL: PAM authentication failed for user "postgres"
DEBUG: proc_exit(0)
DEBUG: shmem_exit(0)
DEBUG: exit(0)
DEBUG: reaping dead processes
DEBUG: child process (pid 28315) exited with exit code 0
DEBUG: BackendStartup: forked pid=28316 socket=8
DEBUG: received PAM packet
DEBUG: /usr/local/pgsql73/bin/postmaster child[28316]: starting with (
DEBUG: postgres
DEBUG: -v131072
DEBUG: -p
DEBUG: test
DEBUG: )
DEBUG: InitPostgres
[ rest of successful connection messages ]

I am not a PAM expert, but this is the furthest I could get
pam_unix.so working. I don't really need the functionality, but it
would be nice to be able to funnel postgres PAM functionality through
the system-auth stack on my RedHat systems, which has components for
pam_unix.so, instead of creating another authentication stream.

I did apply a crypt patch that Bruce sent me, so I can't comment on whether
this works exactly the same way on the official 7.3 release. I do know I had
the same issues on the 7.3beta5 release.

Sorry for the long post, hopefully this will be of use to someone with
some better knowledge of postgres authentication and PAM.

Tim Frank
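The post above shows pam_unix.so failing for every account except the one the server itself runs as, while pam_ldap.so works and swapping the account phase to pam_permit.so "fixes" the postgres login. The pattern fits how Linux-PAM's pam_unix works: it needs the password hash from /etc/shadow, which the unprivileged postmaster (uid 40 here) cannot read, so it falls back to the setuid unix_chkpwd helper, and that helper only verifies the password of the user that invoked it. The pam_permit.so workaround also silently drops the account-phase checks (expiry, lock status) that pam_unix would have enforced. The script below is an added example written for this page, not code from the thread or from PostgreSQL: it parses a PAM service file, reports whether the stack depends on /etc/shadow, checks whether the current uid can read it or has to rely on unix_chkpwd, and flags an account phase that consists of pam_permit.so alone. The helper paths /sbin/unix_chkpwd and /usr/sbin/unix_chkpwd and the default service-file path are assumptions; the sample configurations are constructed from the post. Run it as the server's own user, e.g. `su - postgres -c 'sh pam_check.sh /etc/pam.d/postgresql'`.

```shell
#!/bin/sh
# Added example: inspect a PAM service file the way a PostgreSQL admin would
# when pam_unix.so fails for everyone but the server's own account.

# Print the module basenames configured for one PAM phase (auth, account, ...),
# ignoring comments and blank lines. Accepts bare "pam_unix.so" or full
# "/lib/security/pam_unix.so" paths and bracketed controls such as
# "[success=1 default=ignore]".
pam_modules_for_phase() {
    phase=$1
    file=$2
    awk -v phase="$phase" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == phase {
            i = 2
            if ($i ~ /^\[/) {                 # bracketed control spans fields
                while (i <= NF && $i !~ /\]$/) i++
            }
            i++                               # module field follows the control
            if (i > NF) next
            n = split($i, parts, "/")
            print parts[n]
        }' "$file"
}

# True (exit 0) when the auth or account phase uses pam_unix.so, i.e. the
# calling process needs the hash from /etc/shadow or the unix_chkpwd helper.
stack_uses_pam_unix() {
    for phase in auth account; do
        pam_modules_for_phase "$phase" "$1" | grep -qx 'pam_unix.so' && return 0
    done
    return 1
}

# True (exit 0) when the account phase is pam_permit.so and nothing else:
# the weak setting from the post that bypasses expiry and lock checks.
account_phase_permit_only() {
    mods=$(pam_modules_for_phase account "$1" | sort -u)
    [ "$mods" = "pam_permit.so" ]
}

# Print a diagnosis for one service file, from the point of view of the uid
# running this script (run it as the database server's user).
diagnose() {
    file=$1
    echo "service file: $file"
    echo "auth modules:    $(pam_modules_for_phase auth "$file" | tr '\n' ' ')"
    echo "account modules: $(pam_modules_for_phase account "$file" | tr '\n' ' ')"
    if stack_uses_pam_unix "$file"; then
        echo "pam_unix.so present: the server needs password hashes from /etc/shadow"
        if [ -r /etc/shadow ]; then
            echo "  uid $(id -u) can read /etc/shadow directly"
        else
            echo "  uid $(id -u) cannot read /etc/shadow; pam_unix must use the setuid unix_chkpwd helper,"
            echo "  which a non-root caller can only use to verify its own account"
            for h in /sbin/unix_chkpwd /usr/sbin/unix_chkpwd; do   # assumed helper locations
                [ -x "$h" ] && ls -l "$h"
            done
        fi
    fi
    if account_phase_permit_only "$file"; then
        echo "WARNING: account phase is pam_permit.so only; pam_unix expiry/lock checks are bypassed"
    fi
}

# Default target is the service file from the post; pass another path to override.
target=${1:-/etc/pam.d/postgresql}
if [ -f "$target" ]; then
    diagnose "$target"
fi
```

The two helper functions are deliberately side-effect free so they can be dropped into a configuration audit: `stack_uses_pam_unix` tells you whether the service will ever work from an unprivileged daemon, and `account_phase_permit_only` catches the pam_permit.so shortcut before it reaches production.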

In response to

  • Re: PAM at 2002-12-05 14:01:00 from Tim Frank
