Thread: pam-linux, /etc/shadow : HOW-TO

pam-linux, /etc/shadow : HOW-TO

From
ahoward
Date:
note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel,
or postgresql, but this setup is a safe, working, postgresql/linux/pam setup.

0) configure postgresql for pam, for example

      [root@omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
      host    all         all          137.75.0.0        255.255.0.0       pam

1) create a /etc/pam.d/postgresql entry, here's how i did mine

      [root@omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql

  i don't know if it's the best setup, but it works!  mine looks like this

      [root@omega tmp]# cat /etc/pam.d/postgresql
      #%PAM-1.0
      auth       required     /lib/security/pam_stack.so service=system-auth
      account    required     /lib/security/pam_stack.so service=system-auth
      password   required     /lib/security/pam_stack.so service=system-auth

2) create a shadow group which will be used for user's needing read-access to
/etc/shadow, and add postgres (or whatever user the postmaster runs as) to
this entry.  i used vi to add this entry to /etc/group

      [root@omega tmp]# grep shadow /etc/group
      shadow:*:4002:root,postgres

  root probably does not *need* to be added.

  note the '*' v.s. an 'x' in the password field.  if you place an 'x' there
  you will also have to set up /etc/gshadow - i did not want to do this.  if
  you don't set up /etc/gshadow pam will NOT work if an 'x' is in the password
  field - at least with my linux system.

3) make /etc/shadow group shadow

      [root@omega tmp]# chgrp shadow /etc/shadow

4) chmod 0440 /etc/shadow


essentially, pam will not work with postgres since the daemon needs at some
point, no matter how many library calls deep, to open and read /etc/shadow
(assuming this is how your system is using pam).  you must have some solution
which allows postgres, but not everyone, to read /etc/shadow.  others probably
exist.

-a

--
  ====================================
  | Ara Howard
  | NOAA Forecast Systems Laboratory
  | Information and Technology Services
  | Data Systems Group
  | R/FST 325 Broadway
  | Boulder, CO 80305-3328
  | Email: ara.t.howard@fsl.noaa.gov
  | Phone:  303-497-7238
  | Fax:    303-497-7259
  ====================================

Re: pam-linux, /etc/shadow : HOW-TO

From
"Shridhar Daithankar"
Date:
Hi,

could you please make a smal writeup on this so that it canbe posted on
techdocs. A small HOWTO.. That would help a lot of people.

 Shridhar

On 20 May 2003 at 19:13, ahoward wrote:

>
> note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel,
> or postgresql, but this setup is a safe, working, postgresql/linux/pam setup.
>
> 0) configure postgresql for pam, for example
>
>       [root@omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
>       host    all         all          137.75.0.0        255.255.0.0       pam
>
> 1) create a /etc/pam.d/postgresql entry, here's how i did mine
>
>       [root@omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql
>
>   i don't know if it's the best setup, but it works!  mine looks like this
>
>       [root@omega tmp]# cat /etc/pam.d/postgresql
>       #%PAM-1.0
>       auth       required     /lib/security/pam_stack.so service=system-auth
>       account    required     /lib/security/pam_stack.so service=system-auth
>       password   required     /lib/security/pam_stack.so service=system-auth
>
> 2) create a shadow group which will be used for user's needing read-access to
> /etc/shadow, and add postgres (or whatever user the postmaster runs as) to
> this entry.  i used vi to add this entry to /etc/group
>
>       [root@omega tmp]# grep shadow /etc/group
>       shadow:*:4002:root,postgres
>
>   root probably does not *need* to be added.
>
>   note the '*' v.s. an 'x' in the password field.  if you place an 'x' there
>   you will also have to set up /etc/gshadow - i did not want to do this.  if
>   you don't set up /etc/gshadow pam will NOT work if an 'x' is in the password
>   field - at least with my linux system.
>
> 3) make /etc/shadow group shadow
>
>       [root@omega tmp]# chgrp shadow /etc/shadow
>
> 4) chmod 0440 /etc/shadow
>
>
> essentially, pam will not work with postgres since the daemon needs at some
> point, no matter how many library calls deep, to open and read /etc/shadow
> (assuming this is how your system is using pam).  you must have some solution
> which allows postgres, but not everyone, to read /etc/shadow.  others probably
> exist.
>
> -a
>
> --
>   ====================================
>   | Ara Howard
>   | NOAA Forecast Systems Laboratory
>   | Information and Technology Services
>   | Data Systems Group
>   | R/FST 325 Broadway
>   | Boulder, CO 80305-3328
>   | Email: ara.t.howard@fsl.noaa.gov
>   | Phone:  303-497-7238
>   | Fax:    303-497-7259
>   ====================================
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster



Re: pam-linux, /etc/shadow : HOW-TO

From
ahoward
Date:
On Wed, 21 May 2003, Shridhar Daithankar wrote:

> Hi,
>
> could you please make a smal writeup on this so that it canbe posted on
> techdocs. A small HOWTO.. That would help a lot of people.
>
>  Shridhar

sure.  html?

-a


>
> On 20 May 2003 at 19:13, ahoward wrote:
>
> >
> > note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel,
> > or postgresql, but this setup is a safe, working, postgresql/linux/pam setup.
> >
> > 0) configure postgresql for pam, for example
> >
> >       [root@omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
> >       host    all         all          137.75.0.0        255.255.0.0       pam
> >
> > 1) create a /etc/pam.d/postgresql entry, here's how i did mine
> >
> >       [root@omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql
> >
> >   i don't know if it's the best setup, but it works!  mine looks like this
> >
> >       [root@omega tmp]# cat /etc/pam.d/postgresql
> >       #%PAM-1.0
> >       auth       required     /lib/security/pam_stack.so service=system-auth
> >       account    required     /lib/security/pam_stack.so service=system-auth
> >       password   required     /lib/security/pam_stack.so service=system-auth
> >
> > 2) create a shadow group which will be used for user's needing read-access to
> > /etc/shadow, and add postgres (or whatever user the postmaster runs as) to
> > this entry.  i used vi to add this entry to /etc/group
> >
> >       [root@omega tmp]# grep shadow /etc/group
> >       shadow:*:4002:root,postgres
> >
> >   root probably does not *need* to be added.
> >
> >   note the '*' v.s. an 'x' in the password field.  if you place an 'x' there
> >   you will also have to set up /etc/gshadow - i did not want to do this.  if
> >   you don't set up /etc/gshadow pam will NOT work if an 'x' is in the password
> >   field - at least with my linux system.
> >
> > 3) make /etc/shadow group shadow
> >
> >       [root@omega tmp]# chgrp shadow /etc/shadow
> >
> > 4) chmod 0440 /etc/shadow
> >
> >
> > essentially, pam will not work with postgres since the daemon needs at some
> > point, no matter how many library calls deep, to open and read /etc/shadow
> > (assuming this is how your system is using pam).  you must have some solution
> > which allows postgres, but not everyone, to read /etc/shadow.  others probably
> > exist.
> >
> > -a
> >
> > --
> >   ====================================
> >   | Ara Howard
> >   | NOAA Forecast Systems Laboratory
> >   | Information and Technology Services
> >   | Data Systems Group
> >   | R/FST 325 Broadway
> >   | Boulder, CO 80305-3328
> >   | Email: ara.t.howard@fsl.noaa.gov
> >   | Phone:  303-497-7238
> >   | Fax:    303-497-7259
> >   ====================================
> >
> > ---------------------------(end of broadcast)---------------------------
> > TIP 4: Don't 'kill -9' the postmaster
>
>
>

--
  ====================================
  | Ara Howard
  | NOAA Forecast Systems Laboratory
  | Information and Technology Services
  | Data Systems Group
  | R/FST 325 Broadway
  | Boulder, CO 80305-3328
  | Email: ara.t.howard@fsl.noaa.gov
  | Phone:  303-497-7238
  | Fax:    303-497-7259
  ====================================