On 12/25/2014 10:02 AM, Jason Gerfen wrote:
Correct. I have to apologize for my short and totally
incoherent response. I received the question at near
midnight and know better than to respond to a fairly
technical question right before retiring for the
evening.
My assumption is that your /etc/pam.d/vsftpd matches
/etc/pam.d/sshd line for line except the line for
session triggering the pam_exec.so module.
I originally thought of that idea but didn't invoke it out
of fear that it could cause security issues since sshd is
built for sshd and vsftpd is built for vsftpd -- and not
being very well versed in pam didn't want to take any
risks. Are you sure it's a good idea to copy over the sshd
to vsftpd?
Does the user you are testing with have a valid shell
directive within the /etc/passwd file? i.e. /bin/bash,
/bin/sh etc?
/etc/passwd for the specified user contains:
specifieduser:x:1000:1000:specifieduser,,,:/home/specifieduser:/bin/bash
only exists in chsh which I believe is not referenced in any
of this work
Can you add a debug directive to the line; i.e.
'session optional pam_exec.so debug'? According to the
documentation for pam_exec.so at
http://linux.die.net/man/8/pam_exec
you can also add a log directive and monitor that during
your tests.
When I tail auth.log after inserting "session optional
pam_exec.so" at the end of the sshd file (which properly
triggers the executable) I see this:
Dec 25 11:16:06 specifieduser sshd[6699]: Accepted password for specifieduser from xx.xx.xx.xx port 50393 ssh2
Dec 25 11:16:06 specifieduser sshd[6699]: pam_unix(sshd:session): session opened for user specifieduser by (uid=0)
Dec 25 11:16:09 specifieduser sshd[6699]: pam_exec(sshd:session): No path given as argument
Dec 25 11:16:09 specifieduser sshd[6699]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
Dec 25 11:16:09 specifieduser sshd[6699]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
However, inserting "session optional pam_exec.so" into the
vsftpd file at the end produces no output... is pam not
seeing vsftpd or vice versa?
Those should help you further diagnose the actual
problem when it works for the sshd service.
Okay. I need a bit more explanation.
Glad to hear there might be hope but don't
completely understand "always that directive to
common session". I think you mean place the
statement:
session optional pam_exec.so
Inside the common session file?
If so what is the theory behind why
that could work -- trying to teach myself the
reasons why that could be a solution.
Thank you.
On Dec 25, 2014 2:24 AM, "Jason Gerfen" <jason.gerfen@xxxxxxxx> wrote:
You could always that directive to
common-session and try.
I've researched this feature
extensively and need help. PAM is a
difficult authentication program for me
to thoroughly understand although I'm
learning.
Running Debian Wheezy.
Have pam setup to trigger off an email
when users login using sshd -- that
works fine. No problem using this
command in the /etc/pam.d/sshd file:
session optional pam_exec.so /usr/local/bin/notify.sh
However, I need it to work with vsftpd
and getting it to work with sshd was
just a test. However, I can't get it to
work with vsftpd, the contents of
/etc/pam.d/vsftpd are:
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
@include common-account
@include common-session
@include common-auth
session optional pam_exec.so /usr/local/bin/notify-login.sh
What am I missing here? Is pam even
designed to work with vsftpd? Running
the following command indicates it's
hooked into vsftpd, but pam_exec.so
doesn't seem to want to play nicely with
vsftpd.
$ ldd /{,usr/}{bin,sbin}/* | grep -B 5 libpam | grep '^/'
/bin/login:
/bin/su:
/sbin/mkhomedir_helper:
/sbin/pam_tally2:
/usr/bin/chfn:
/usr/bin/chsh:
/usr/bin/c_rehash:
/usr/bin/crontab:
/usr/bin/passwd:
/usr/sbin/aspell-autobuildhash:
/usr/sbin/atd:
/usr/sbin/chpasswd:
/usr/sbin/cron:
/usr/sbin/newusers:
/usr/sbin/sshd:
/usr/sbin/vsftpd:
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
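The login-notification hook this thread is about, written out as an added example; it is not the poster's notify.sh or notify-login.sh and not code from the Pam-list archive. It relies on the environment variables pam_exec.so passes to the child (PAM_USER, PAM_SERVICE, PAM_TYPE, PAM_RHOST, documented in the pam_exec man page linked above), and the stack lines, log file path and the NOTIFY_MAILTO setting in the comments are assumptions for the example. It also includes a small check for the exact mistake visible in the poster's auth.log: a pam_exec.so line with no absolute path to a hook produces "No path given as argument". One caveat from vsftpd's own configuration documentation rather than from this thread: vsftpd only opens a PAM session when session_support=YES is set in vsftpd.conf (the default is NO), so a session-type line in /etc/pam.d/vsftpd never runs unless that is enabled, while an auth-type pam_exec.so line runs on every authentication regardless; the hook below handles both PAM_TYPE values.

```shell
#!/bin/sh
# Added example, not the poster's notify.sh: a login-notification hook for
# pam_exec.so plus a sanity check for the stack line that invokes it.
# pam_exec.so exports the PAM items to the child as environment variables
# (PAM_USER, PAM_SERVICE, PAM_TYPE, PAM_RHOST, PAM_TTY), so the hook needs
# no arguments. Assumed stack lines (paths are assumptions for this example):
#   session optional pam_exec.so debug log=/var/log/pam_exec-notify.log /usr/local/bin/notify-login.sh
#   auth    optional pam_exec.so /usr/local/bin/notify-login.sh
# The session line only fires under vsftpd when session_support=YES is set
# in vsftpd.conf; the auth line fires on every login attempt.

# Turn the PAM environment into one syslog-style line. Fails when no user is
# known, so the hook does nothing if run outside pam_exec.
format_login_event() {
    user="$1"; service="$2"; ptype="$3"; rhost="$4"
    [ -n "$user" ] || return 1
    case "$ptype" in
        open_session)  verb="login" ;;
        close_session) verb="logout" ;;
        auth)          verb="auth" ;;
        *)             verb="pam_${ptype:-unknown}" ;;
    esac
    printf '%s %s service=%s rhost=%s\n' "$verb" "$user" "$service" "${rhost:-local}"
}

# Check that a "type control pam_exec.so [options] /path" line carries an
# absolute path; "session optional pam_exec.so" alone yields the
# "pam_exec(...): No path given as argument" entry seen in the thread.
# Handles the one-word control field only (not the "[success=1 ...]" form).
# Returns 0 when a path is present, 1 when missing, 2 when not a pam_exec line.
check_pam_exec_line() {
    set -- $1
    [ $# -ge 3 ] || return 2
    shift 2
    [ "$1" = "pam_exec.so" ] || return 2
    shift
    for arg in "$@"; do
        case "$arg" in
            /*) return 0 ;;
        esac
    done
    return 1
}

notify_login() {
    msg=$(format_login_event "${PAM_USER}" "${PAM_SERVICE}" "${PAM_TYPE}" "${PAM_RHOST}") || return 1
    # The auth facility lands in /var/log/auth.log on Debian, next to the
    # pam_exec debug output, so the tail the poster was already running sees it.
    logger -t pam-notify -p auth.notice -- "$msg"
    # NOTIFY_MAILTO is a constructed setting for this example; mail only when
    # it is set and mail(1) is installed.
    if [ -n "${NOTIFY_MAILTO}" ] && command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$msg" | mail -s "PAM $PAM_SERVICE event for $PAM_USER" "$NOTIFY_MAILTO"
    fi
}

# Run only when pam_exec is the caller; PAM_TYPE is unset otherwise.
if [ -n "${PAM_TYPE}" ]; then
    notify_login
fi
```

Install the script with a mode the PAM stack can execute (pam_exec runs it as root unless seteuid is given, so keep it root-owned and not group- or world-writable), then watch auth.log: with the debug option every invocation logs whether the child ran and its exit status, which separates "vsftpd never reached the session stack" from "the hook ran but did nothing".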