PostgreSQL user authentication against PAM

Posted by elmuerte on Server Fault
Published on 2014-08-25T14:51:23Z

I am trying to set up authentication via PAM for PostgreSQL 9.3. I already managed to get this working on an Ubuntu 12.04 server, but I am unable to get this working on a CentOS 6 install.

The relevant pg_hba.conf line:

host    all             all             0.0.0.0/0               pam     pamservice=postgresql93

The pam.d/postgresql93 file is the default config shipped with the official PostgreSQL 9.3 package:

#%PAM-1.0

auth            include         password-auth
account         include         password-auth

When a user tries to authenticate, the following is reported in the secure log:

hostname unix_chkpwd[31807]: check pass; user unknown
hostname unix_chkpwd[31808]: check pass; user unknown
hostname unix_chkpwd[31808]: password check failed for user (myuser)
hostname  postgres 10.1.0.1(61459) authentication: pam_unix(postgresql93:auth): 
    authentication failure; logname= uid=26 euid=26 tty= ruser= rhost=  user=myuser

The relevant content of the password-auth config is:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

The problem is with pam_unix.so. It is unable to validate the password, and unable to retrieve the user info (when I remove the auth entry of pam_unix.so).

The CentOS 6 install is only 5 days old, so it does not have a lot of baggage.

The unix_chkpwd is suid and has execute rights for everybody, so it should be able to check the shadow file (which has no privileges at all?).
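
A small triage script for the secure-log excerpt in the question, added here as an example and not part of the original post: it pulls the PAM service, the calling process's uid/euid and the target user out of the pam_unix failure line, and groups the preceding unix_chkpwd helper messages by PID. The function name summarize_pam_failures is hypothetical, and the sample input is the excerpt above with the wrapped line joined.

```python
import re
from collections import defaultdict

# Secure-log excerpt from the question; the wrapped pam_unix line is joined.
SAMPLE_LOG = """\
hostname unix_chkpwd[31807]: check pass; user unknown
hostname unix_chkpwd[31808]: check pass; user unknown
hostname unix_chkpwd[31808]: password check failed for user (myuser)
hostname  postgres 10.1.0.1(61459) authentication: pam_unix(postgresql93:auth): \
authentication failure; logname= uid=26 euid=26 tty= ruser= rhost=  user=myuser
"""

CHKPWD_RE = re.compile(r"unix_chkpwd\[(?P<pid>\d+)\]: (?P<msg>.+)$")
PAM_FAIL_RE = re.compile(
    r"pam_unix\((?P<service>[^:)]+):(?P<phase>\w+)\): "
    r"authentication failure; (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # values may be empty, e.g. "tty="


def _to_int(value):
    """Return the value as an int, or None when it is missing or not numeric."""
    return int(value) if value and value.isdigit() else None


def summarize_pam_failures(log_text):
    """Return one dict per pam_unix failure, with the helper lines that preceded it."""
    helper = defaultdict(list)  # unix_chkpwd PID -> messages, in log order
    failures = []
    for line in log_text.splitlines():
        m = CHKPWD_RE.search(line)
        if m:
            helper[int(m["pid"])].append(m["msg"].strip())
            continue
        m = PAM_FAIL_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m["fields"]))
        euid = _to_int(fields.get("euid"))
        failures.append({
            "service": m["service"],
            "phase": m["phase"],
            "target_user": fields.get("user", ""),
            "caller_uid": _to_int(fields.get("uid")),
            "caller_euid": euid,
            "caller_is_root": euid == 0,
            "helper_messages": dict(helper),
        })
        helper = defaultdict(list)  # fresh window for the next attempt
    return failures
```

On the excerpt above it reports service postgresql93, caller uid/euid 26, target user myuser, and the unix_chkpwd messages grouped under PIDs 31807 and 31808.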
