Thread: PAM implementation in PG 9.2.3
Hi All,
I am trying to implement PAM on my local machine.
Below are the details of my setup:
OS: RHEL 6
PG: 9.2.3
/etc/pam.d/postgresql (PAM file)
#%PAM-1.0
auth required pam_unix.so
account required pam_unix.so
$PGDATA/pg_hba.conf
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all pam pamservice=postgresql
# IPv4 local connections:
host all all 127.0.0.1/32 pam pamservice=postgresql
Session 1 Session 2
-bash-4.1$ psql -U postgres
Password for user postgres:
-bash-4.1$ tail -f postgresql-2013-04-26_000000.log
2013-04-26 20:08:16.605 IST-13943-postgres-postgres-[local] LOG: pam_authenticate failed: Conversation error
2013-04-26 20:08:16.606 IST-13943-postgres-postgres-[local] FATAL: PAM authentication failed for user "postgres"
2013-04-26 20:08:16.606 IST-13943-postgres-postgres-[local] LOG: could not send data to client: Broken pipe
In OS logs(/var/log/secure)Apr 26 20:11:03 localhost res [local] authentication: pam_unix(postgresql:auth): conversation failedApr 26 20:11:03 localhost res [local] authentication: pam_unix(postgresql:auth): auth could not identify password for [postgres]
I have not entered password in session 1 which was waiting for my password to enter, but logs are printed beforehand in both logs (OS/DB) as you see in session 2.
When, I enter password in session 1 which was waiting for password, it will immediately takes me into the database without any error.
Couple of question's in mind on this scenario:
1. Why database server logs shows lines beforehand as pam_authentication failed even though I have not typed password ?
2. Though logs show as PAM authentication failed, still user's are allowed into the database ?
3. What above log entries mean precisely ?
4. Was my PAM setup successful ?
Sorry for my too many questions, I just lost all of my endeavors to understand the above scenario.
Any help will be highly appreciated.
Thanks in advance.
---
Regards,
Raghavendra
Hello Raghavendra, I think probably psql is a problem here. WIthout -W (force password before connect) option psql has no way knowing if this user needs a password to connect to the given database. So, psql first attempts a connection to the database without a password (if -W is not specified), which fails since server responds with "password needed" kind of message back to psql (this is because we have set 'pam' as the authentication method). This makes psql know that a password is needed for this user/database combination and it prompts for the password and subsequently connects successfully if correct password is specified. But this first unsuccessful attempt is indeed logged by the server as authentication failure just as what you see. So, this logged failure is just the kind of dummy connection attempt (indeed withoutn password) made by the psql. However, if you specify -W option, psql won't connect before it accepts password. You can try this (and see that no authentication failure is logged) I think log entries just mean the authentication has failed with PAM-specific error message. -- Amit Langote
On Wed, May 8, 2013 at 4:55 PM, Amit Langote <amitlangote09@gmail.com> wrote:
Hello Raghavendra,
I think probably psql is a problem here. WIthout -W (force password
before connect) option psql has no way knowing if this user needs a
password to connect to the given database. So, psql first attempts a
connection to the database without a password (if -W is not
specified), which fails since server responds with "password needed"
kind of message back to psql (this is because we have set 'pam' as the
authentication method). This makes psql know that a password is needed
for this user/database combination and it prompts for the password and
subsequently connects successfully if correct password is specified.
But this first unsuccessful attempt is indeed logged by the server as
authentication failure just as what you see. So, this logged failure
is just the kind of dummy connection attempt (indeed withoutn
password) made by the psql.
Firstly, Thank you for your insight explanation.
However, if you specify -W option, psql won't connect before it
accepts password. You can try this (and see that no authentication
failure is logged)
Affirmative, I have tried with -W option and it worked as expected and authentication passed as per PAM setup.
However, PG documentation doesn't highlight about this in psql or PAM section, because log entries written are slightly confusing.
I think log entries just mean the authentication has failed with
PAM-specific error message.
Yep... understood.
--
Amit Langote
> However, PG documentation doesn't highlight about this in psql or PAM > section, because log entries written are slightly confusing. > http://www.postgresql.org/docs/9.2/static/auth-methods.html > http://www.postgresql.org/docs/9.2/static/app-psql.html It turns out this logging is a bug in PAM authentication code in the backend that needs to resolved. This has been reported on pgsql-hackers. -- Amit Langote
On Mon, May 13, 2013 at 11:17 AM, Amit Langote <amitlangote09@gmail.com> wrote:
> However, PG documentation doesn't highlight about this in psql or PAMIt turns out this logging is a bug in PAM authentication code in the
> section, because log entries written are slightly confusing.
> http://www.postgresql.org/docs/9.2/static/auth-methods.html
> http://www.postgresql.org/docs/9.2/static/app-psql.html
backend that needs to resolved. This has been reported on
pgsql-hackers.
Thank you.
--Raghav