<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.linux.pam">
    <title>gmane.linux.pam</title>
    <link>http://blog.gmane.org/gmane.linux.pam</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4173"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4172"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4171"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4166"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4165"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4160"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4159"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4154"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4151"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4148"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4147"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4027"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4026"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4022"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4020"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4018"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4013"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.pam/4012"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4173">
    <title>managing the /etc/pam.d files</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4173</link>
    <description>&lt;pre&gt;Is anyone aware of some opensource software that will manage a system's
/etc/pam.d configuration? I am looking for some software that I can tie
into our Web Management system that will take care of writing changes to
the pam.d files. Currently I am using some complicated python programs that
work fine for the particular setup that we are running. But
I foresee changes needed in our setup. If I am going to rewrite part of the
pam file management code I want to check if there is something already
available to do at least part of the work.


Joseph Lutz
Software Developer
NovaTech, LLC
13555 W. 107th Street
Lenexa, KS 66215
_______________________________________________
Pam-list mailing list
Pam-list&amp;lt; at &amp;gt;redhat.com
https://www.redhat.com/mailman/listinfo/pam-list&lt;/pre&gt;</description>
    <dc:creator>Joseph Lutz</dc:creator>
    <dc:date>2013-05-23T16:49:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4172">
    <title>Differences in Conversation function between distributions?</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4172</link>
    <description>&lt;pre&gt;Hello all,

I'm trying to determine why there seems to be a discrepancy between PAM on
Ubuntu and PAM on CentOS and Archlinux.

For example, a script that works nicely on Ubuntu ("pam_python") throws
errors on the other distributions, with errors like: "pam_conv() takes
exactly 3 arguments (2 given)."  Why would this be?  Are there different
versions of the conversation function present in each distribution? For the
record, I think the latest Ubuntu uses PAM 1.1.3, whereas the others use
1.1.6.

Best,
Mike
&lt;/pre&gt;</description>
    <dc:creator>Mike Wham</dc:creator>
    <dc:date>2013-04-30T18:09:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4171">
    <title>Question about 'session' in pam w/rt pam_env.so</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4171</link>
    <description>&lt;pre&gt;

I was wondering how one is supposed to preserve env variables set when
one initially logs into a system (like the same time loginuuid is set).
Specifically, ENV vars 'DISPLAY' and 'REMOTEHOST'.  I use the 2nd to generate
the first and want it to last for the entire time I am logged in.

I have been setting it in pam_env, using a similar example.

Now I find that some see pam_env as a means to set the environment
*per session* -- meaning they call it again during the common-session phase,
in addition to the 'auth' phase.  This has the tendency to overwrite
those variables. 

I'm told that there's no way to prevent this as if the user
clears their env (e.g. 'env -i'), and that means it has to be called at the
beginning of each session so it can reset env vars (this despite the fact
that I know of no one using such functionality, whereas I had been using
it for 'auth' only on initial system entry).

I can see the need for a session-based pam_env to generate a new
user environment (though right now, in my dis&lt;/pre&gt;</description>
    <dc:creator>L.A.Walsh</dc:creator>
    <dc:date>2013-04-22T19:55:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4166">
    <title>changing password prompt</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4166</link>
    <description>&lt;pre&gt;
When sshing into a box that is set up to authenticate via radius using pam, is there a way to change the prompt from 'password' to 'passcode'?

Thanks
&lt;/pre&gt;</description>
    <dc:creator>Smith, Gina C. (MSFC-IS40)[NICS]</dc:creator>
    <dc:date>2013-03-22T18:16:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4165">
    <title>are there "session IDs"?</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4165</link>
    <description>&lt;pre&gt;Hi,

I am running Ubuntu.

I am writing an executable that pam_exec will call in "session" mode.
It will respond to session open/close events.  It is almost completely
working.  This morning I was testing it using "su" and it was doing
what I expected.  I then started ssh-ing to the machine.  That's when
things became puzzling.

If I "su" while on the machine the PAM_TTY environment variable is
indeed a TTY string and is unique to the "session".  However, if I
treat "ssh" like "su" and try to ssh to a different user on the same
machine, ex:

        $ ssh otherUser@this.machine.com

then the PAM_TTY variable just shows "ssh".  If I were logged in
multiple times then all would appear to be on the same "line", so to
speak.

This does make sense I suppose.  The "su" continues to use the tty of
the caller.  The "ssh" will eventually have a new tty.  I am calling
my PAM_EXEC's program very late in the session stack so I assumed that
a tty would be available.

Since the tty is not available, is there a unique sess&lt;/pre&gt;</description>
    <dc:creator>Seven Reeds</dc:creator>
    <dc:date>2013-03-19T21:58:29</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4160">
    <title>pam modules and setuid actions</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4160</link>
    <description>&lt;pre&gt;Hi,

I am very close to finishing a pam module that will log specific user
session activities to a database.  There could be situations though in
which the primary, remote DB is unavailable so I want to create a
local "cache" of loggable events.  Once remote DB access is regained I
will upload the cache records and be very happy.  There is an issue
though.

I want the cache to live in protected space.  I would like to open the
cache as "root" or some other dedicated user.  I do not want the
general public to inspect or edit the cache.  I have just tried
wrapping the cache "open" in setuid calls but that has not worked.  I
am using "su" as my testing tool but even though the "su" executable
is setuid by default the open section fails.

Is there a general PAM related solution to this?

thanks
Seven
&lt;/pre&gt;</description>
    <dc:creator>Seven Reeds</dc:creator>
    <dc:date>2013-03-12T18:14:34</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4159">
    <title>Using PAM in setuid processes</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4159</link>
    <description>&lt;pre&gt;Hi,
I've recently been looking at the security properties of various setuid
executables, many of which use PAM for authentication.

What is PAM's policy on the extent to which modules may trust the
process' execution environment, particularly environment variables?

I can see three options for a consistent policy:

1) PAM is considered safe to use in a setuid process, even if the
   environment has not been "cleaned". Modules must not use libraries
   or execute helper programs that can be adversely affected by
   environment variables.

2) PAM is only considered safe to use in a setuid process if the
   environment has been "cleaned" against a whitelist. Modules may use
   any library, or execute any helper program; privileged processes
   that are run with a potentially-attacker-controlled environment
   must "clean" it before using PAM. If the process intends to use the
   original environment later, it can save a copy before cleaning it,
   and pass that copy to execle or similar.

3) There is some mecha&lt;/pre&gt;</description>
    <dc:creator>Simon McVittie</dc:creator>
    <dc:date>2013-01-24T19:22:34</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4154">
    <title>Can I set the user to authenticate as?</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4154</link>
    <description>&lt;pre&gt;Hi all, thanks for reading.

I'm trying to set up authentication against a remote imap server that
I don't run.  I've got pam_imap working, so everything is fine as long
as the username on my box is the same as the username on imap server.
I'd like to somehow make it possible for someone to log in as a
different name than is submitted to the imap server.  The fact that
I'm using imap really shouldn't matter.

I run a web server for a community college.  We have an email server
run by the district.  I work at one of the campuses.  I have zero
control over the email server at district.  I want to authenticate
users on my web server with their imap accounts (because I hate
resetting passwords).  Unfortunately, most web server account names
are different from the imap account names.  For example 'english' or
'lab' might be reasonable account names on my web server but that web
account will be managed by a human with an email account (and IMAP
username) like 'jdoe'.

What I need is for someone to log in as 'lab' &lt;/pre&gt;</description>
    <dc:creator>Dylan Martin</dc:creator>
    <dc:date>2013-01-05T00:13:27</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4151">
    <title>dlopen not able to open shared object file, even though it is existing</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4151</link>
    <description>&lt;pre&gt;Hello pam-list members,

We had written a customized PAM authentication module (in C) named vauth.so to be used for sshd. We had changed the sshd file in /etc/pam.d to include the following line

authenticate sufficient vauth.so

We were able to have ssh session using PuTTY successfully. vauth.so gets called and authentication gets completed.

After this, we wanted to use some java components for our authentication through vauth.so. So, we used some JNI calls from the c code, and created vauth.so.

These were the commands used to create vauth.so (which is finally placed in /lib64/security)

gcc -fPIC -fno-stack-protector -I/usr/java/jdk1.7.0_07/include -I/usr/java/jdk1.7.0_07/include/linux -c vauth.c -L/usr/java/jdk1.7.0_07/jre/lib/amd64/server

ld -x --shared -o /lib64/security/vauth.so vauth.o /usr/java/jdk1.7.0_07/jre/lib/amd64/server/libjvm.so

We had also copied "libjvm.so" to /lib64/security.

Now, when we do an authentication using PuTTY, we see the following error.


Dec  6 11:23:10 localhost sshd[86&lt;/pre&gt;</description>
    <dc:creator>mohanamurali.gurunathan&lt; at &gt;wipro.com</dc:creator>
    <dc:date>2012-12-08T06:01:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4148">
    <title>shared library loading flags</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4148</link>
    <description>&lt;pre&gt;Is there some specific explanation why modules are loaded with flags
RTLD_NOW?

pam_dynamic.c:67:       return dlopen(mod_path, RTLD_NOW);

There was an issue when I was using my own PAM module that uses other
shared libraries. I was calling this module from dropbear and there
always were some unresolved symbols from shared libraries after I added
flag RTLD_GLOBAL

pam_dynamic.c:67:       return dlopen(mod_path, RTLD_NOW|RTLD_GLOBAL);


Is it possible that this flag will be added in the next LinuxPAM release?
&lt;/pre&gt;</description>
    <dc:creator>Artur Artamonov</dc:creator>
    <dc:date>2012-12-06T19:23:55</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4147">
    <title>pam-1.1.1-10.el6_2.1.x86_64 and pam_tty_audit</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4147</link>
    <description>&lt;pre&gt;Hello,

     I'm using pam-1.1.1-10.el6_2.1.x86_64 on RHEL6 and was hoping to 
gain some knowledge about how the pam_tty_audit works.

     Specifically,
- I have "enable=*" in my pam.d config files, however only keystrokes 
from root are logged
- When sudo'ing from a non-privileged account the user's password is 
logged and viewable from "aureport --tty" however I can't find where 
this information is logged to disk. Or is it?

     I'm on RHEL 6.3 and used the following command to config my box for 
pam_tty_audit:
echo "session    required    pam_tty_audit.so enable=*" 
/etc/pam.d/{su,sudo,sudo-i,su-l,login,system-auth}

     I also tried:
session    required    pam_tty_audit.so enable=root,shawn

     And also:
session    required    pam_tty_audit.so disable=* enable=root,shawn

     None of those three configurations seem to be auditing the user 
"shawn."

     I just downloaded the latest stable source and have started going 
through modules/pam_tty_audit/pam_tty_audit.c to better understand how 
event d&lt;/pre&gt;</description>
    <dc:creator>Shawn Wells</dc:creator>
    <dc:date>2012-11-21T01:56:31</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4027">
    <title>How can I know the PAM version?</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4027</link>
    <description>&lt;pre&gt;Hi,

Bhushan Rane here from GSLab, Pune, IN. We are doing some basic testing 
for integration of PAM auth with our product, for which we require to 
know PAM version on which we are doing testing.
We didn't find any command or any other way to know PAM version.

Could you please let us know how to check PAM version?

Please let us know for any concerns.

&lt;/pre&gt;</description>
    <dc:creator>Bhushan Rane</dc:creator>
    <dc:date>2012-11-06T05:34:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4026">
    <title>Get the service which succeeds.</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4026</link>
    <description>&lt;pre&gt;Hi,

I'm working on construction which gives access to various resources
like audio cd's, but also
remote resources like FTP servers and SMB shares.

See:

 https://github.com/stefbon/fuse-workspace

Important is that the user does not have to configure anything, well,
as little as possible.

One of the things when accessing smb shares, for example, is whether the
uid:gid reported by the remote server
has any meaning on this local machine. If not, then they are
overwritten by local ones. This is right now done
using settings the administrator has to adjust.

I wonder, is it possible to detect automatically the service which has
succeeded doing the auth? When it's for example pam_ldap, pam_winbind
etc then the "userid" base is remote.

Well knowing this is not enough, it's still required to know the
remote server uses the same uid base if it's remote...

But first, is it possible with pam to get the service which succeeded?

Stef
&lt;/pre&gt;</description>
    <dc:creator>Stef Bon</dc:creator>
    <dc:date>2012-09-22T08:50:04</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4022">
    <title>..:: VSFTP - PAM - RADIUS ::..</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4022</link>
    <description>&lt;pre&gt;Hi everyone.

I'm trying to use PAM and my radius server in order to authenticate the 
users of our vsftp server. Right now I'm able to get the access accept 
from the radius but PAM seems not to understand it.

Here's my pam configuration:

#%PAM-1.0
auth sufficient pam_radius_auth.so debug
account sufficient pam_radius_auth.so debug
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

Here's the PAM debug log:

Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: Sending RADIUS request code 1
Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 10657568.
Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: Got RADIUS response code 2
Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius&lt;/pre&gt;</description>
    <dc:creator>Alfonso Alejandro Reyes Jiménez</dc:creator>
    <dc:date>2012-09-17T22:30:37</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4020">
    <title>mod_auth_pam and httpd 2.4.2</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4020</link>
    <description>&lt;pre&gt;Hello,

does somebody  know if mod_auth_pam (mod_auth_pam-2.0-1.1.1.tar.gz) fits 
together with httpd 2.4.2?

I'm able to compile and link it against 2.4.2, but have some problem 
during execution time. The corresponding httpd process seems to crash 
when mod_auth_pam is needed.

kind regards
 Harald
&lt;/pre&gt;</description>
    <dc:creator>Harald Falkenberg</dc:creator>
    <dc:date>2012-09-12T16:26:22</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4018">
    <title>Pam_access and netgroups</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4018</link>
    <description>&lt;pre&gt;I'm trying to get restricted ssh login working and running into an issue
with pam_access.so and how it interprets netgroups.

Pam 1.1.3 on Ubuntu 12.04

Netgroup:
UserDev ( ,alloweduser, )
SystemDev (host.sub.domain.com,,)

Here is the /etc/security/access.conf file:
+ : root :ALL
+ : @UserDev@@SystemDev : ALL

Relevant /etc/pam.d/sshd config:
account required pam_access.so debug

And here is what happens when alloweduser logs in via ssh:

login_access: user=alloweduser, from=192.168.1.10, file=/etc/security/access.conf
line 1: +  :  root : ALL
list_match: list= root , item=alloweduser
user_match: tok=root, item=alloweduser
string_match: tok=root, item=alloweduser
user_match=0, "alloweduser"
line 2: +  :  @UserDev@@SystemDev  :  ALL
list_match: list= @UserDev@@SystemDev , item=alloweduser
user_match: tok=@UserDev@@SystemDev, item=alloweduser
netgroup_match: 0 (netgroup=UserDev@@SystemDev, machine=NULL, user=alloweduser, domain=)
user_match=0, "alloweduser"
line 3: -  :  ALL  :  ALL
list_match: list= ALL , it&lt;/pre&gt;</description>
    <dc:creator>Patrick Kile</dc:creator>
    <dc:date>2012-08-27T21:46:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4013">
    <title>pam_unix.so and unix_chkpw setgid - does it work for regular users?</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4013</link>
    <description>&lt;pre&gt;Hi,

I'm currently trying to configure user authentication on a webserver,
that shall use the normal system user names and passwords. I'm using
Nginx as webserver, together with the auth_pam module, as packaged by
Debian wheezy.

I expected that since unix_chkpw is set setgid shadow I could use
pam_unix.so for the webserver service just as is. However it turned
out, that the user for the webserver process must be in the group
"shadow" for authentication to work. If the webserver can't read shadow
it doesn't work.

I was under the impression the idea of unix_chkpw was to have process
separation and by having a thoroughly audited helper program, that can
be setgid safely so that a regular user can perform pam_unix.so tests.

Did I miss something here?


Regards,

Wolfgang
&lt;/pre&gt;</description>
    <dc:creator>Wolfgang Draxinger</dc:creator>
    <dc:date>2012-08-02T15:36:55</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.pam/4012">
    <title>libpam-ldapd and group restriction</title>
    <link>http://comments.gmane.org/gmane.linux.pam/4012</link>
    <description>&lt;pre&gt;Hi,

libpam-ldap had an option to restrict successful authentications to
members of a certain ldap group. It's configured with pam_groupdn. I
don't know of an equivalent option for pam_groupdn, however. Is it
possible to limit ldap logins to a select group of people without
locking out local users in case the ldap server goes down (given that
the group is an ldap group and not a local one).

&lt;/pre&gt;</description>
    <dc:creator>Frank Van Damme</dc:creator>
    <dc:date>2012-07-06T12:56:03</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.pam">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.pam</link>
  </textinput>
</rdf:RDF>
