Hi All,

I had PAM rules for my own service as below:

    auth required /lib/security/pam_securetty.so
    auth required /lib/security/pam_stack.so service=system-auth
    auth required /lib/security/pam_deny.so

This used to work properly in my older PAM libraries. For successful authentication, it used to return from pam_stack.so, as system-auth has sufficient in its rules as below, and it doesn't pass below the stack to pam_deny.so:

    auth required /lib/security/$ISA/pam_env.so
    auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
    auth required /lib/security/$ISA/pam_deny.so

Now, after upgrading PAM modules (pam_unix.so, pam_stack.so..) and library, it doesn't work. To make it work, I need to remove the last one, pam_deny.so, as below:

    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so

Can anyone please let me know if you have seen a similar problem? Any suggestions/comments, please advise.
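An added illustration, not part of any message in this thread: a simplified Python model of the documented Linux-PAM control flags (required, requisite, sufficient), run over the three rule sets quoted above. It treats pam_stack.so as a single module that reports the result of the named service's stack. The service names "myservice-with-deny" and "myservice-without-deny" and the per-module outcomes are assumptions for a login with a correct password.

```python
# Simplified model of Linux-PAM control flags (required/requisite/sufficient).
# Module outcomes are assumptions for a login with a correct password.
OUTCOME = {
    "pam_securetty.so": True,   # assumed: login comes from a secure tty
    "pam_env.so": True,
    "pam_unix.so": True,        # assumed: password matches
    "pam_nologin.so": True,     # assumed: no /etc/nologin present
    "pam_deny.so": False,       # pam_deny always fails
}

# Rule sets copied from the post; the two "myservice-*" names are hypothetical.
SERVICES = {
    "system-auth": """
auth required   /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required   /lib/security/$ISA/pam_deny.so
""",
    "myservice-with-deny": """
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_deny.so
""",
    "myservice-without-deny": """
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
""",
}

def run_stack(service, trace):
    """Return True if the auth stack of `service` succeeds; log each step."""
    failed = False
    for line in SERVICES[service].splitlines():
        if not line.strip():
            continue
        _type, control, path, *args = line.split()
        module = path.rsplit("/", 1)[-1]
        if module == "pam_stack.so":
            # The nested stack's verdict becomes this one module's result.
            sub = dict(a.split("=", 1) for a in args)["service"]
            ok = run_stack(sub, trace)
        else:
            ok = OUTCOME[module]
        trace.append((service, module, control, ok))
        if ok and control == "sufficient" and not failed:
            return True          # ends THIS stack only, not the caller's
        if not ok and control == "requisite":
            return False
        if not ok and control == "required":
            failed = True        # remembered; later modules still run
    return not failed
```

In this model the sufficient pam_unix.so ends only the system-auth stack; the calling stack then continues to its next rule.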
Ivan Grover <ivangrvr299@gmail.com> writes:
> Now, after upgrading PAM modules (pam_unix.so, pam_stack.so..) and
> library [...]

Upgrading from what to what?

Have you tried the standard debugging procedure?

DES
--
Dag-Erling Smørgrav - des@des.no
Hi,

I am sorry, my observation was wrong.

I debugged the problem, it looks strange, these are my findings:

I have my PAM rules for my service as

    auth required /lib/security/pam_securetty.so
    auth required pam_stack.so service=system-auth
    auth required /lib/security/pam_nologin.so

The pam_unix module returns authentication failure from pam_unix.so from pam_stack.so, hence the control reaches pam_nologin.so.

The same rules work well with telnet/ftp, but fail for my service.

I have checked the username and password passed to the PAM module by changing the sources of pam_nologin.so; they are proper. I didn't have sources for pam_unix, so I am not able to detect the exact problem.

My suspicion is that my application using my PAM service might have done some fd leaks or any other problem. But the max fds open by my application are 185, which is still below the max limit (OPEN_MAX).

Restarting the application resolves the problem and I am able to authenticate the user.

Can anyone help me with what could be the problem?

Thanks and Best Regards,

On Wed, Feb 25, 2009 at 1:11 AM, Dag-Erling Smørgrav <des@des.no> wrote:
> Ivan Grover <ivangrvr299@gmail.com> writes:
> > Now, after upgrading PAM modules (pam_unix.so, pam_stack.so..) and
> > library [...]
>
> Upgrading from what to what?
>
> Have you tried the standard debugging procedure?
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
I debugged pam_unix as well; it looks like the crypt function is giving different strings for telnet and my application with the same passwd string and salt. So I think the issue could be with the crypt library linked to telnet and my application. Please let me know your thoughts.

    crypt(plaintext_ptr, salt);

On Fri, Feb 27, 2009 at 7:48 PM, Ivan Grover <ivangrvr299@gmail.com> wrote:
> Hi,
> I am sorry, my observation was wrong.
>
> I debugged the problem, it looks strange, these are my findings:
>
> I have my PAM rules for my service as
>
> auth required /lib/security/pam_securetty.so
> auth required pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
>
> The pam_unix module returns authentication failure from pam_unix.so from
> pam_stack.so, hence the control reaches pam_nologin.so.
>
> The same rules work well with telnet/ftp, but fail for my service.
>
> I have checked the username and password passed to the PAM module by changing
> the sources of pam_nologin.so; they are proper. I didn't have sources for
> pam_unix, so I am not able to detect the exact problem.
>
> My suspicion is that my application using my PAM service might have done some
> fd leaks or any other problem. But the max fds open by my application are
> 185, which is still below the max limit (OPEN_MAX).
>
> Restarting the application resolves the problem and I am able to
> authenticate the user.
>
> Can anyone help me with what could be the problem?
>
> Thanks and Best Regards,
>
> On Wed, Feb 25, 2009 at 1:11 AM, Dag-Erling Smørgrav <des@des.no> wrote:
>
>> Ivan Grover <ivangrvr299@gmail.com> writes:
>> > Now, after upgrading PAM modules (pam_unix.so, pam_stack.so..) and
>> > library [...]
>>
>> Upgrading from what to what?
>>
>> Have you tried the standard debugging procedure?
>>
>> DES
>> --
>> Dag-Erling Smørgrav - des@des.no
Ivan Grover <ivangrvr299@gmail.com> writes:
> Dag-Erling Smørgrav <des@des.no> writes:
> > Ivan Grover <ivangrvr299@gmail.com> writes:
> > > I will plan to upgrade the PAM library and see how it goes.
> > Upgrade what from what to what?
> from Linux-PAM-0.78 to Linux-PAM-1.0.3.

Uh, so, why did you post to a FreeBSD mailing list? This has nothing to do with FreeBSD, since FreeBSD does not use Linux-PAM (not since 5.1 came out).

And why didn't you answer this question the first time I asked it? Why did you not tell us right away which version of which library you were using, on which operating system? How can we answer your question if you won't tell us what the question is?

Suggested reading: http://www.gerv.net/hacking/how-to-ask-good-questions/

DES
--
Dag-Erling Smørgrav - des@des.no