In linux.redhat.pam, msg id <002e01c024ca$0fca3e00$5004020a@mcld.net> you wrote:

>> Hi all,
>>
>> I'm back to debugging my telnet not working with LDAP problem.
>> We're using RedHat 6.2, OpenLDAP 1.2.10, pam_ldap-70, nss_ldap-113.
>>
>> When I attempt to telnet from machine bb to aa, /var/log/messages
>> on the client machine (aa) looks like telnet is working, the
>> session is opened and the messages look the same as if I was
>> logging in at the console. Except the exit status 1 happens
>> immediately and I get "Connection closed by foreign host."
>>
>> Looking into the code for pam_pwdb, the function opening the
>> connection (pam_sm_open_session) has to be returning success.
>> So, I'm looking for what initially calls pam_sm_open_session.
>> Is it called directly from inetd? I'm trying to understand
>> how PAM gets integrated into the OS.
>>
>> Thank you for any direction you can offer,
>> Kelli
>> -------------

Kind of difficult to troubleshoot this problem from where I sit, but I can at least answer a couple of your questions.

pam_sm_open_session() is called from within a PAM module itself. The module must be written to contain the "session" component required to service any entries in /etc/pam.d/* that begin with the word session.

A PAM-aware application linked with libpam.so.* tells the PAM library which "service name" it wants to be associated with via the pam_start() function call. For example:

    retval = pam_start("ftp", user, &conv, &pamh);

This tells the PAM library to search /etc/pam.d for the file called "ftp" and to load the shared objects listed there using dlopen(). Each module (or stack of modules) listed in the file is executed, but only the components which are required by the config file.

For the "ftp" example:

    #%PAM-1.0
    auth       sufficient   /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
    auth       required     /lib/security/pam_pwdb.so shadow nullok
    auth       required     /lib/security/pam_shells.so
    account    required     /lib/security/pam_pwdb.so
    session    required     /lib/security/pam_pwdb.so

When the PAM-aware ftp application calls the pam_authenticate() function, the PAM libraries cause the module stack that begins with "auth" to be run. Each respective module executes only its authorization component, even though they may also have account, session, and password components. Which modules can be used for which of the 4 main functions of the PAM framework depends on how the particular module was written.

When an application calls the pam_acct_mgmt() function, the PAM libs execute the modules in the "account" entries of the config file. Only the account components of these modules are run. Follow the same logic for pam_chauthtok() - runs the "password" modules - and pam_open_session() and pam_close_session() - "session" modules.

Notice that pam_pwdb.so is listed for auth, account, and session. The implicit requirement here is that this module must contain authorization, account, and session components. A module need not be written to contain every component, but that means it can only be used for the component(s) it does have. In other words, if a module pam_bogus.so contains, for example, only the authorization and account components, it would be an error to create the following config entry:

    password required /lib/security/pam_bogus.so

A call by the PAM application to pam_chauthtok() would try to run the password component of pam_bogus.so, which does not exist.

I might be able to make more sense of your problem if you could provide a copy of your /etc/pam.d/login and /etc/pam.d/telnet (if it even exists).

K. Bradford
krb@cjsd.k12.az.us
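The dispatch rule described in the reply (each libpam call runs only the config lines of one type, and a line is an error if its module lacks that component) can be checked against a pam.d file without loading any module. This is an added example, not code from the original thread; the component table for each module is constructed for illustration, and pam_bogus.so is the hypothetical module from the reply.

```python
"""Map libpam application calls to the pam.d stack they run (added example)."""

# The /etc/pam.d/ftp file quoted in the reply, embedded as sample input.
FTP_CONFIG = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     /lib/security/pam_pwdb.so shadow nullok
auth       required     /lib/security/pam_shells.so
account    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_pwdb.so
"""

# Which management group each libpam entry point dispatches to.
API_TO_TYPE = {
    "pam_authenticate": "auth",
    "pam_acct_mgmt": "account",
    "pam_chauthtok": "password",
    "pam_open_session": "session",
    "pam_close_session": "session",
}

# Constructed table: components each module implements (not taken from the modules
# themselves). pam_bogus.so is the reply's hypothetical auth+account-only module.
MODULE_COMPONENTS = {
    "/lib/security/pam_pwdb.so": {"auth", "account", "password", "session"},
    "/lib/security/pam_listfile.so": {"auth", "account", "password", "session"},
    "/lib/security/pam_shells.so": {"auth", "account"},
    "/lib/security/pam_bogus.so": {"auth", "account"},
}

def parse_pam_config(text):
    """Return (type, control, module, args) tuples; blank and comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 3)          # type, control, module, optional args
        if len(fields) < 3:
            raise ValueError(f"malformed pam.d line: {line!r}")
        mtype, control, module = fields[:3]
        args = fields[3].split() if len(fields) == 4 else []
        entries.append((mtype.lower(), control.lower(), module, args))
    return entries

def stack_for(api_call, entries):
    """Modules, in file order, that libpam runs for the given application call."""
    mtype = API_TO_TYPE[api_call]
    return [(control, module) for t, control, module, _ in entries if t == mtype]

def missing_components(entries, components=MODULE_COMPONENTS):
    """Config lines that ask a module for a component it does not implement."""
    return [(t, m) for t, _, m, _ in entries if t not in components.get(m, set())]
```

Running missing_components() over a file before deploying it catches the pam_bogus.so mistake the reply describes, where pam_chauthtok() would otherwise fail at runtime.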