problems with pam_pgsql

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Hello,

I'am working on synchronize a user postgresql database with openssh using pam_pgsql for authentication.
And it doesn't work.
I'am using a fedora core 6 OS.
First, I've created the database "unix" with 3 tables  with postgresql:

unix=# select * from passwd_table;
username |  passwd  | uid | gid | gecos  |   homedir   |   shell  
----------+----------+-----+-----+--------+-------------+-----------
 user1    | password | 500 | 500 | user 1 | /home/user1 | /bin/bash
 user2    | password | 501 | 500 | user 2 | /home/user2 | /bin/bash

select * from group_table;
 gid | groupname | descr | passwd
-----+-----------+-------+--------
 500 | util      |    

select * from usergroups;
 gid | uid
-----+-----  |

I've installed by compilation the libnss-pgsql
the getent passwd command works, I obtain the user1 an user2 à the end of the list.

I am able to change the user and the group of un directy with chown command :
# ls -l /home
total 8
drwxr-xr-x 2 user1 util 4096 avr 24 10:11 user1

then now i would like to login with ssh on this system with a user existing in the database. To do that I ve installed pam-pgsql.so.

I've compiled this version of pam-pgsql : pam-pgsql-1.0.0.tgz find on pgfoundry web site.
I've followed the README help to install it and configure it :

./configure; make; make install

the /etc/pam.d/sshd file is configured like that:

auth       include      system-auth-pg
account    required     pam_nologin.so
account    include      system-auth-pg
password   include      system-auth-pg
session    optional     pam_keyinit.so force revoke
session    include      system-auth-pg
session    required     pam_loginuid.so

and the /etc/pam.d/system-auth-pg is configured like that :
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_pgsql.so use_first_pass debug
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required pam_pgsql.so debug
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    sufficient pam_pgsql.so debug
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

and the /etc/pam_pgsql.conf is configured like that:

connectionstring = user=postgres host=127.0.0.1 dbname=unix
getpassword = SELECT passwd FROM passwd_table WHERE username = $1
#changepw = UPDATE passwd_table SET password = $2 WHERE user = $1
#isexpired = SELECT 1 FROM passwd_table WHERE user = $1 AND isexpired < NOW()
#newpassrequired = SELECT 1 FROM table WHERE user = $1 AND newpass < NOW()

I tried also this configuration

host = 127.0.0.1
database = unix
user = postgres
table = passwd_table
user_column = username
pwd_column = passwd
debug
pw_type = clear

the authentication with postgresql is for the moment  in trust mode to not use password (this system works with nsswitch)

then when i try this command on the server:
ssh user1@xxxxxxxxx

I've only this two messages in my log:

in /var/log/secure :
Apr 26 00:36:29 FC6-vm1 sshd[9067]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fc6-vm1  user=user1
Apr 26 00:36:31 FC6-vm1 sshd[9067]: Failed password for user1 from 127.0.0.1 port 42067 ssh2

and in /var/log/messages :
Apr 26 00:36:29 FC6-vm1 PAM_pgsql[9067]: the database, table and user_column options are required.

It's strange, it's like the pam_pgsql.conf was not read !?

Any idea ?

Kind regards,

Yann CONAN from Bordeaux
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux