search for: pam_debug

Hi, The main (and probably the only) use case of this PAM module is to let sudo authenticate users via their ssh-agent, therefore without having to type any password and without being tempted to use the NOPASSWD sudo option for such convenience. The principle is originally implemented by an existing module [0][1] and many pages that explain how to use it for such purpose can be found online.

...mmended to check the resource limits. Is there anyway to fix this too many close() calls which results in performance degradation? Relavant part of tusc output for sshd is given below, ............... .............. set_userthreadid(1) ...................................... = 1 stat("/etc/pam_debug", 0x7ffff5b0) ....................... ERR#2 ENOENT stat("/tcb/files/auth/system/default", 0x7fffec70) ....... ERR#2 ENOENT getuid() ................................................. = 0 (0) getuid() ................................................. = 0 (0) getuid() .....................

...7 19080: open("/var/adm/utmpx", O_RDWR) = 8 19080: fstat64(8, 0xFFBEED58) = 0 19080: ioctl(8, TCGETA, 0xFFBEECE4) Err#25 ENOTTY 19080: read(8, "\0\0\0\0\0\0\0\0\0\0\0\0".., 8192) = 6696 19080: open("/etc/pam_debug", O_RDONLY) Err#2 ENOENT 19080: stat64("/etc/pam.conf", 0xFFBEEDF8) = 0 19080: open("/etc/pam.conf", O_RDONLY) = 9 19080: mmap(0x00000000, 3769, PROT_READ, MAP_PRIVATE, 9, 0) = 0xFF1E0000 19080: munmap(0xFF1E0000, 3769)...

Thank for your answer: But i dont know understand why is following not working: I want to restrict the ssh access for a special domain member: In my "sshd_config" i added: AllowGroups restrictaccess root With user2 im able to login via ssh! log: pam_krb5(sshd:auth): user user2 authenticated as user2 at ROOTRUDI.DE With user1 im not! log: User user1 from 192.168.0.100 not allowed

...r as I read that, I do not see any recovery from either of these errors worth retrying so I believe we should be fine handling them the same as expired account though. The attached is proposed patch, which should handle this use case as well as the original issue in #1188. Tested in Fedora 32 with pam_debug.so with respective return values as well as with expired user. -- You are receiving this mail because: You are watching the assignee of the bug.

...= 0 29981: fork1() (returning as child ...) = 29964 29981: getpid() = 29981 [29964] 29981: close(15) = 0 29981: lwp_schedctl(SC_STATE|SC_PREEMPT, 0, 0xFFBFF4A4) = 0 29981: open("/etc/pam_debug", O_RDONLY) Err#2 ENOENT 29981: stat64("/etc/pam.conf", 0xFFBFF4C0) = 0 29981: open("/etc/pam.conf", O_RDONLY) = 15 29981: mmap(0x00000000, 1893, PROT_READ, MAP_PRIVATE, 15, 0) = 0xFEBA0000 29981: munmap(0xFEBA0000, 1893)...

...ot;/var/adm/utmpx", O_RDONLY) = 3 llseek(3, 3720, SEEK_SET) = 3720 read(3, " s a p\0\0\0\0\0\0\0\0\0".., 372) = 372 close(3) = 0 open("/var/adm/sulog", O_WRONLY|O_APPEND|O_CREAT, 0600) = 3 close(3) = 0 chown("/var/adm/sulog", 0, 0) = 0 open("/etc/pam_debug", O_RDONLY) Err#2 ENOENT stat64("/etc/pam.conf", 0xFFBFEAE8) = 0 open("/etc/pam.conf", O_RDONLY) = 3 mmap(0x00000000, 3731, PROT_READ, MAP_PRIVATE, 3, 0) = 0xFF0C0000 munmap(0xFF0C0000, 3731) = 0 close(3) = 0 uname(0x000251C8) = 1 auditsys(BSM_AUDITCTL, 0x00000...