Re: PostgreSQL 7.2 + PAM = authentication failure? - Mailing list pgsql-admin

From Charles Hornberger
Subject Re: PostgreSQL 7.2 + PAM = authentication failure?
Date
Msg-id 1045611742.31590.36.camel@chornberger-0
Whole thread Raw
In response to PostgreSQL 7.2 + PAM = authentication failure?  (Charles Hornberger <charlie@hss.caltech.edu>)
List pgsql-admin
Hi Stef,

Thanks very much for your response ... but I'm sad to report that I'm
still at a dead-end. I've tried upgrading to 7.3.2 on the Debian box,
but authentication still fails. I've been trying to solve it myself (by
adding a bunch of debugging output into src/backend/libpq/auth.c) but I
don't think I'm making much progress. I still get authentication errors
every time, and I still don't know why. (I haven't tried upgrading the
Solaris machine; given that Solaris uses some kind of klugy global
variable to store the user password -- or so the comments in auth.c
claim -- maybe it'd actually work there.)

Did you ever get pam_unix.so to work with PostgreSQL? This whole thing
strikes me as very strange -- especially since every other pam
application on my system -- login, su, ssh, etc. -- works just fine, and
since pam_permit.so also causes no problems.

Anyway, thanks again ... and I'll let you know if I ever discover what's
up.

-Charlie

On Thu, 2003-02-13 at 00:06, Stef wrote:
> Hi Charles,
>
> I can't post to the list due to the smtp checks.
> I've had the same problem before, and the most
> information I could gather, was that it was a bug
> in the 7.2.1 libpq auth.c
>
> Well , I assume when you go pg_config --configure,
> you will have "--with-pam" there, which means your
> postgres was compiled with pam support.
>
> Well, even if it wasn't, I don't think you will be able to
> fix this without recompiling postgres. You will need to replace
> from the 7.2.1 source :
> ...src/backend/libpq/auth.c
> with the auth.c in 7.3.1, or you can hack it yourself.
> It is quite easy if you look at the pam manpages in solaris
> etc. You can either reinstall postgres, or you can just compile
> it and change the libpq library. The latter being something
> not even I would try :)
>
> Well anyway, good luck!!
>
> On 11 Feb 2003 15:53:00 -0800
> Charles Hornberger <charlie@hss.caltech.edu> wrote:
>
> => I'm just following up on my begging last Friday re PAM and PostgreSQL
> => from ... with more begging. As I mentioned last time, I've seen this
> => problem mentioned before but have never seen it solved. Is there simply
> => no solution? Is there some obvious, stupid mistake I'm making? Has
> => anyone out there actually managed to get PAM authentication (via
> => pam_unix.so) working?
> =>
> => Thanks (again) in advance for any help, hints, tips, advice, words of
> => sympathy, etc.
> =>
> => -Charlie
> =>
> => On Fri, 2003-02-07 at 17:12, Charles Hornberger wrote:
> => > Hello --
> => >
> => > I'm trying to get PostgreSQL to use PAM for authentication and hitting a
> => > big, blank brick wall. I'd appreciate any advice anyone can give. (What
> => > I'm trying to accomplish is to allow regular users to connect to the
> => > database server from elsewhere on the network using their existing
> => > system password on the server.)
> => >
> => > The database server (192.168.0.1) is running PostgreSQL 7.2.1 on Solaris
> => > 7. In pg_hba.conf, the relevant line is:
> => >
> => >    hostssl    all         192.168.0.2       255.255.255.255  pam
> => >
> => > and /etc/pam.conf contains the following:
> => >
> => >    other   auth     required   /usr/lib/security/pam_unix.so.1
> => >    other   account  required   /usr/lib/security/pam_unix.so.1
> => >    other   session  required   /usr/lib/security/pam_unix.so.1
> => >    other   password required   /usr/lib/security/pam_unix.so.1
> => >
> => > (I've tried using 'postgresql' instead of 'other' as the service name;
> => > it makes no difference.)
> => >
> => > When I try to connect from the client (192.168.0.2), I get the
> => > following:
> => >
> => >    $ psql -h 192.168.0.1 -U charlie template1
> => >    Password:
> => >    psql: FATAL 1:  PAM authentication failed for user "charlie"
> => >
> => > In the postmaster's logfile on the server, I get:
> => >
> => >    2003-02-07 14:49:57 [24198]  DEBUG:  BackendStartup: forked pid=24558
> => >         socket=8
> => >    CheckPAMAuth: pam_authenticate failed: 'Conversation failure'
> => >    2003-02-07 14:49:57 [24558]  FATAL 1:  PAM authentication failed for
> => >         user "charlie"
> => >    2003-02-07 14:49:57 [24558]  DEBUG:  proc_exit(0)
> => >    2003-02-07 14:49:57 [24558]  DEBUG:  shmem_exit(0)
> => >    2003-02-07 14:49:57 [24558]  DEBUG:  exit(0)
> => >    2003-02-07 14:49:57 [24198]  DEBUG:  reaping dead processes
> => >    2003-02-07 14:49:57 [24198]  DEBUG:  child process (pid 24558) exited
> => >         with exit code 0
> => >    2003-02-07 14:50:01 [24198]  DEBUG:  BackendStartup: forked pid=24562
> => >         socket=8
> => >    CheckPAMAuth: pam_authenticate failed: 'Authentication failed'
> => >    2003-02-07 14:50:01 [24562]  FATAL 1:  PAM authentication failed for
> => >         user "charlie"
> => >    2003-02-07 14:50:01 [24562]  DEBUG:  proc_exit(0)
> => >    2003-02-07 14:50:01 [24562]  DEBUG:  shmem_exit(0)
> => >    2003-02-07 14:50:01 [24562]  DEBUG:  exit(0)
> => >    2003-02-07 14:50:01 [24198]  DEBUG:  reaping dead processes
> => >    2003-02-07 14:50:01 [24198]  DEBUG:  child process (pid 24562) exited
> => >         with exit code 0
> => >
> => > I see identical behaviour with a Debian 3.0 box (this one running
> => > 7.2.3), with one difference: If I change pam_unix.so to pam_permit.so,
> => > it works just fine. So it seems the PAM is working fine, but that
> => > pam_unix.so is not. (There's no pam_permit.so module installed on the
> => > Solaris box, so I can't test this to see if -- as I suspect -- it's true
> => > there, too.)
> => >
> => > On the Debian box, I see the following messages in /var/log/auth.log
> => > when using pam_unix.so:
> => >
> => >    Feb  7 15:10:42 chornberger-0 su(pam_unix)[29522]: authentication
> => >         failure; logname= uid=1000 euid=0 tty=pts/4 ruser=charlie
> => >         rhost=  user=root
> => >    Feb  7 15:10:44 chornberger-0 su[29522]: pam_authenticate:
> => >         Authentication failure
> => >
> => > Alas, I get no such feedback on the Solaris box.
> => >
> => > Thanks in avance for any help ...
> => >
> => > -Charlie
> => >
> => > P.S. I see that this question has been asked before, recently and
> => > repeatedly:
> => >
> => >   http://archives.postgresql.org/pgsql-admin/2002-05/msg00075.php
> => >   http://archives.postgresql.org/pgsql-admin/2002-05/msg00233.php
> => >   http://archives.postgresql.org/pgsql-admin/2002-06/msg00110.php
> => >   http://archives.postgresql.org/pgsql-admin/2002-08/msg00281.php
> => >   http://archives.postgresql.org/pgsql-admin/2002-10/msg00066.php
> => >
> => > But I have yet to stumble across anything that seemed like a solution.
> => > (One person suggested using pam_ftp.so instead of pam_unix.so ... which
> => > doesn't seem like such a hot prospect to me.)
> => >
> => > There was another suggestion at
> => >
> => >   http://archives.postgresql.org/pgsql-patches/2002-12/msg00033.php
> => >
> => > that PAM authentication failures might have something to do with
> => > MD5-encrypted passwords in pg_shadow, but I can't understand how the
> => > contents of pg_shadow would affect PAM authentication. In any case, I
> => > haven't tried applying the patch that was provided there. Should I?
> => --
> => Charles Hornberger <charlie@hss.caltech.edu>
> =>
> =>
> => ---------------------------(end of broadcast)---------------------------
> => TIP 4: Don't 'kill -9' the postmaster
--
Charles Hornberger <charlie@hss.caltech.edu>


pgsql-admin by date:

Previous
From: Jeremy Buchmann
Date:
Subject: Install error: invalid value for option 'LC_TIME'
Next
From: Tom Lane
Date:
Subject: Re: uppercase = lowercase