PostgreSQL user authentication against PAM
Posted
by
elmuerte
on Server Fault
See other posts from Server Fault
or by elmuerte
Published on 2014-08-25T14:51:23Z
Indexed on
2014/08/25
16:22 UTC
Read the original article
Hit count: 332
I am trying to set up authentication via PAM for PostgreSQL 9.3. I already managed to get this working on an Ubuntu 12.04 server, but I am unable to get this working on a Centos-6 install.
The relevant pg_hba.conf
line:
host all all 0.0.0.0/0 pam pamservice=postgresql93
The pam.d/postgressql93
is the default config shipped with the official postgresql 9.3 package:
#%PAM-1.0
auth include password-auth
account include password-auth
When a user tries to authenticate the following is reported in secure
log:
hostname unix_chkpwd[31807]: check pass; user unknown
hostname unix_chkpwd[31808]: check pass; user unknown
hostname unix_chkpwd[31808]: password check failed for user (myuser)
hostname postgres 10.1.0.1(61459) authentication: pam_unix(postgresql93:auth):
authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=myuser
The relevant content of password-auth
config is:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
The problem is with the pam_unix.so
. It is unable to validate the password, and unable to retrieve the user info (when I remove the auth
entry of pam_unix.so
).
The Centos-6 install is only 5 days old, so it does not have a lot of baggage.
The unix_chkpwd
is suid and has execute rights for everybody, so it should be able to check the shadow file (which has no privileges at all?).
© Server Fault or respective owner