Re: PostgreSQL 7.2 + PAM = authentication failure? - Mailing list pgsql-admin
| From | Charles Hornberger |
|---|---|
| Subject | Re: PostgreSQL 7.2 + PAM = authentication failure? |
| Date | |
| Msg-id | 1045007579.1629.33.camel@chornberger-0 Whole thread Raw |
| In response to | PostgreSQL 7.2 + PAM = authentication failure? (Charles Hornberger <charlie@hss.caltech.edu>) |
| List | pgsql-admin |
I'm just following up on my begging last Friday re PAM and PostgreSQL from ... with more begging. As I mentioned last time, I've seen this problem mentioned before but have never seen it solved. Is there simply no solution? Is there some obvious, stupid mistake I'm making? Has anyone out there actually managed to get PAM authentication (via pam_unix.so) working? Thanks (again) in advance for any help, hints, tips, advice, words of sympathy, etc. -Charlie On Fri, 2003-02-07 at 17:12, Charles Hornberger wrote: > Hello -- > > I'm trying to get PostgreSQL to use PAM for authentication and hitting a > big, blank brick wall. I'd appreciate any advice anyone can give. (What > I'm trying to accomplish is to allow regular users to connect to the > database server from elsewhere on the network using their existing > system password on the server.) > > The database server (192.168.0.1) is running PostgreSQL 7.2.1 on Solaris > 7. In pg_hba.conf, the relevant line is: > > hostssl all 192.168.0.2 255.255.255.255 pam > > and /etc/pam.conf contains the following: > > other auth required /usr/lib/security/pam_unix.so.1 > other account required /usr/lib/security/pam_unix.so.1 > other session required /usr/lib/security/pam_unix.so.1 > other password required /usr/lib/security/pam_unix.so.1 > > (I've tried using 'postgresql' instead of 'other' as the service name; > it makes no difference.) > > When I try to connect from the client (192.168.0.2), I get the > following: > > $ psql -h 192.168.0.1 -U charlie template1 > Password: > psql: FATAL 1: PAM authentication failed for user "charlie" > > In the postmaster's logfile on the server, I get: > > 2003-02-07 14:49:57 [24198] DEBUG: BackendStartup: forked pid=24558 > socket=8 > CheckPAMAuth: pam_authenticate failed: 'Conversation failure' > 2003-02-07 14:49:57 [24558] FATAL 1: PAM authentication failed for > user "charlie" > 2003-02-07 14:49:57 [24558] DEBUG: proc_exit(0) > 2003-02-07 14:49:57 [24558] DEBUG: shmem_exit(0) > 2003-02-07 14:49:57 [24558] DEBUG: exit(0) > 2003-02-07 14:49:57 [24198] DEBUG: reaping dead processes > 2003-02-07 14:49:57 [24198] DEBUG: child process (pid 24558) exited > with exit code 0 > 2003-02-07 14:50:01 [24198] DEBUG: BackendStartup: forked pid=24562 > socket=8 > CheckPAMAuth: pam_authenticate failed: 'Authentication failed' > 2003-02-07 14:50:01 [24562] FATAL 1: PAM authentication failed for > user "charlie" > 2003-02-07 14:50:01 [24562] DEBUG: proc_exit(0) > 2003-02-07 14:50:01 [24562] DEBUG: shmem_exit(0) > 2003-02-07 14:50:01 [24562] DEBUG: exit(0) > 2003-02-07 14:50:01 [24198] DEBUG: reaping dead processes > 2003-02-07 14:50:01 [24198] DEBUG: child process (pid 24562) exited > with exit code 0 > > I see identical behaviour with a Debian 3.0 box (this one running > 7.2.3), with one difference: If I change pam_unix.so to pam_permit.so, > it works just fine. So it seems the PAM is working fine, but that > pam_unix.so is not. (There's no pam_permit.so module installed on the > Solaris box, so I can't test this to see if -- as I suspect -- it's true > there, too.) > > On the Debian box, I see the following messages in /var/log/auth.log > when using pam_unix.so: > > Feb 7 15:10:42 chornberger-0 su(pam_unix)[29522]: authentication > failure; logname= uid=1000 euid=0 tty=pts/4 ruser=charlie > rhost= user=root > Feb 7 15:10:44 chornberger-0 su[29522]: pam_authenticate: > Authentication failure > > Alas, I get no such feedback on the Solaris box. > > Thanks in avance for any help ... > > -Charlie > > P.S. I see that this question has been asked before, recently and > repeatedly: > > http://archives.postgresql.org/pgsql-admin/2002-05/msg00075.php > http://archives.postgresql.org/pgsql-admin/2002-05/msg00233.php > http://archives.postgresql.org/pgsql-admin/2002-06/msg00110.php > http://archives.postgresql.org/pgsql-admin/2002-08/msg00281.php > http://archives.postgresql.org/pgsql-admin/2002-10/msg00066.php > > But I have yet to stumble across anything that seemed like a solution. > (One person suggested using pam_ftp.so instead of pam_unix.so ... which > doesn't seem like such a hot prospect to me.) > > There was another suggestion at > > http://archives.postgresql.org/pgsql-patches/2002-12/msg00033.php > > that PAM authentication failures might have something to do with > MD5-encrypted passwords in pg_shadow, but I can't understand how the > contents of pg_shadow would affect PAM authentication. In any case, I > haven't tried applying the patch that was provided there. Should I? -- Charles Hornberger <charlie@hss.caltech.edu>
pgsql-admin by date: