* [Comm-en] PAM with ALT Linux
From: Daniel Rocher @ 2007-11-09 13:56 UTC (permalink / raw)
To: community-en
Hi,
I'm a developer and I have a problem with ALT Linux and PAM
(authentication).
My program uses PAM. This is the PAM configuration file:
auth required pam_unix.so nullok
auth required pam_listfile.so file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so
It works very well with Ubuntu, Mandriva, Fedora Core 6, openSUSE 10.2 ...
And I don't understand why not with ALT Linux (installed with
lite-cd-20071106.iso)?
Have you an idea?
Thanks.
--
____________________________________________
Daniel Rocher
@ mail : daniel.rocher@adella.org
Jabber : daniel.rocher@jabber.org
web : http://rocher.daniel.free.fr
GPG ID : 0x19E0980E
____________________________________________
* Re: [Comm-en] PAM with ALT Linux
From: Dmitry V. Levin @ 2007-11-09 17:23 UTC (permalink / raw)
To: daniel.rocher, ALT Linux users (in English only); +Cc: Motsyo Gennadi aka Drool
Hi,
On Fri, Nov 09, 2007 at 02:56:02PM +0100, Daniel Rocher wrote:
> I'm a developer and I have a problem with ALT Linux and PAM
> (authentication).
>
> My program uses PAM. This is the PAM configuration file:
>
> auth required pam_unix.so nullok
> auth required pam_listfile.so file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
> account required pam_unix.so
> session required pam_unix.so
> password required pam_unix.so
>
> It works very well with Ubuntu, Mandriva, Fedora Core 6, openSUSE 10.2 ...
>
> And I don't understand why not with ALT Linux (installed with
> lite-cd-20071106.iso)?
>
> Have you an idea?
Could you provide more details on how it doesn't work, please?
Where it fails, how it fails, the credentials of the process which fails,
log messages (in /var/log/auth/all) if any, etc.
--
ldv
* Re: [Comm-en] PAM with ALT Linux
2007-11-09 17:23 ` Dmitry V. Levin
@ 2007-11-09 19:07 ` Alexander Bokovoy
2007-11-09 20:21 ` Daniel Rocher
2007-11-09 19:58 ` Daniel Rocher
From: Alexander Bokovoy @ 2007-11-09 19:07 UTC (permalink / raw)
To: ALT Linux users (in English only)
Dmitry V. Levin writes:
> Hi,
>
> On Fri, Nov 09, 2007 at 02:56:02PM +0100, Daniel Rocher wrote:
>> I'm a developer and I have a problem with ALT Linux and PAM
>> (authentication).
>>
>> My program uses PAM. This is the PAM configuration file:
>>
>> auth required pam_unix.so nullok
>> auth required pam_listfile.so file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
>> account required pam_unix.so
>> session required pam_unix.so
>> password required pam_unix.so
>>
>> It works very well with Ubuntu, Mandriva, Fedora Core 6, openSUSE 10.2 ...
>>
>> And I don't understand why not with ALT Linux (installed with
>> lite-cd-20071106.iso)?
>>
>> Have you an idea?
>
> Could you provide more details on how it doesn't work, please?
> Where it fails, how it fails, the credentials of the process which fails,
> log messages (in /var/log/auth/all) if any, etc.
Shouldn't it be related to TCB? This PAM config completely ignores the
fact that auth info in a default ALT Linux installation goes through
TCB, therefore pam_tcb should be used instead of pam_unix. Below is our
system-auth-local which is included by default by other services:
#%PAM-1.0
auth required pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
account required pam_tcb.so shadow fork
password required pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 match=4 similar=deny random=42 enforce=users retry=3
password required pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 nullok write_to=tcb
session required pam_tcb.so
session required pam_mktemp.so
session required pam_limits.so
Daniel, you'd probably need to supply an ALT Linux-customized PAM config
for your application made along these lines. Better, use the following
(not tested):
#%PAM-1.0
auth include system-auth
auth required pam_listfile.so file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
account include system-auth
password include system-auth
session include system-auth
It relies on the fact that we have system-wide 'system-auth' PAM config
which does common magic (like system-auth-local above).
--
/ Alexander Bokovoy
Samba Team http://www.samba.org/
ALT Linux Team http://www.altlinux.org/
Midgard Project Ry http://www.midgard-project.org/
* Re: [Comm-en] PAM with ALT Linux
From: Daniel Rocher @ 2007-11-09 19:58 UTC (permalink / raw)
To: Dmitry V. Levin, ALT Linux users (in English only)
Cc: Motsyo Gennadi aka Drool
On Friday, 9 November 2007, Dmitry V. Levin wrote:
>
> Could you provide more details on how it doesn't work, please?
> Where it fails, how it fails, the credentials of the process which fails,
> log messages (in /var/log/auth/all) if any, etc.
QtSmbstatus was designed as a client/server. I use PAM to check the
login/password.
I have used this code since 2004: pam.cpp and pam.h (attached).
When I want to check a login/password, my program returns (only on ALT Linux):
User could not be authenticated: Authentication service cannot retrieve
authentication info
Yet the login and password are correct.
attached:
/etc/pam.d/qtsmbstatusd
/etc/qtsmbstatusd/qtsmbstatusd.users
/var/log/auth/all
greetings
[-- Attachment #1.2: pam.cpp --]
[-- Type: text/x-c++src, Size: 2852 bytes --]
#include "pam.h"

// most of this code I got from Rene Mayrhofer (rmayr@debian.org)

/* Credentials handed to the conversation function through appdata_ptr
   instead of through global variables: nothing is left behind after
   auth() returns, and the code is safe to call from more than one thread. */
struct PamCredentials {
    const char *username;
    const char *password;
};

/* This is the PAM conversation function. It answers PAM_PROMPT_ECHO_ON with
   the username and PAM_PROMPT_ECHO_OFF with the password; informational
   messages get no text. With Linux-PAM msg is an array of pointers, hence
   msg[count]->msg_style. Every resp string is malloc'ed: libpam frees it. */
static int pamConversationFunction(int num_msg, const struct pam_message **msg,
                                   struct pam_response **resp, void *appdata_ptr) {
    const PamCredentials *cred = static_cast<const PamCredentials *>(appdata_ptr);
    struct pam_response *r;
    int count = 0;

    if (num_msg <= 0 || cred == NULL)
        return PAM_CONV_ERR;

    // alloc the response array; calloc leaves every resp NULL until filled in
    r = (struct pam_response *) calloc(num_msg, sizeof(struct pam_response));
    if (r == NULL)
        return PAM_CONV_ERR;

    for (count = 0; count < num_msg; count++) {
        const char *answer;
        switch (msg[count]->msg_style) {
        case PAM_PROMPT_ECHO_ON:
            answer = cred->username;
            break;
        case PAM_PROMPT_ECHO_OFF:
            answer = cred->password;
            break;
        case PAM_TEXT_INFO:
        case PAM_ERROR_MSG:
            // nothing to answer; the daemon has no terminal to show these on
            answer = NULL;
            break;
        default:
            goto fail;
        }
        r[count].resp_retcode = 0;   /* unused by PAM, has to be 0 */
        if (answer != NULL) {
            r[count].resp = strdup(answer);
            if (r[count].resp == NULL)
                goto fail;
        }
    }
    *resp = r;
    return PAM_SUCCESS;

fail:
    // release everything allocated so far; libpam never sees this array
    for (int i = 0; i < count; i++)
        free(r[i].resp);
    free(r);
    return PAM_CONV_ERR;
}

/* Runs the auth and account stacks of PAM_SERVICE_NAME for the given
   credentials. Returns 0 when not successful, 1 when successful. */
static int checkUserPass_real(const char *username, const char *password) {
    PamCredentials cred = { username, password };
    struct pam_conv pam_conversation = { pamConversationFunction, &cred };
    pam_handle_t *pam_h = NULL;
    int pamretval, ret = 0;

    pamretval = pam_start(PAM_SERVICE_NAME, username, &pam_conversation, &pam_h);
    if (pamretval != PAM_SUCCESS) {
        // no valid handle yet, so pam_strerror is called with NULL
        printf("Error initializing PAM library: %s\n", pam_strerror(NULL, pamretval));
        return 0;
    }
    pamretval = pam_authenticate(pam_h, PAM_SILENT);
    if (pamretval != PAM_SUCCESS) {
        printf("User could not be authenticated: %s\n", pam_strerror(pam_h, pamretval));
        ret = 0;
    }
    else {
        // password was right; now let the account stack veto (expired, denied, ...)
        pamretval = pam_acct_mgmt(pam_h, 0);
        if (pamretval != PAM_SUCCESS) {
            printf("User not healthy: %s\n", pam_strerror(pam_h, pamretval));
            ret = 0;
        }
        else
            ret = 1;
    }
    // pam_end gets the last status so the modules can clean up accordingly
    int endretval = pam_end(pam_h, pamretval);
    if (endretval != PAM_SUCCESS) {
        // pam_h is gone after pam_end, so again pam_strerror with NULL
        printf("Error releasing PAM library: %s\n", pam_strerror(NULL, endretval));
        return 0;
    }
    return ret;
}

/* authenticate vs pam. Notice: PAM_SERVICE_NAME: pam service has to exist and be set up correctly */
int auth(const char *username, const char *passwd) {
    if (!username)
        return 0;
    if (!passwd)
        return 0;
    return checkUserPass_real(username, passwd) ? 1 : 0;
}
[-- Attachment #1.3: pam.h --]
[-- Type: text/x-chdr, Size: 258 bytes --]
#ifndef QTSMBSTATUSD_PAM_H
#define QTSMBSTATUSD_PAM_H

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Linux-PAM application API; pam_misc.h (Linux-PAM only, misc_conv) is not
   needed because pam.cpp supplies its own conversation function */
extern "C" {
#include <security/pam_appl.h>
}

/* Name of the service: /etc/pam.d/qtsmbstatusd has to exist and be set up correctly */
#define PAM_SERVICE_NAME "qtsmbstatusd"

/* Returns 1 when username/passwd pass the auth and account stacks of
   PAM_SERVICE_NAME, 0 otherwise */
int auth(const char *username, const char *passwd);

#endif /* QTSMBSTATUSD_PAM_H */
[-- Attachment #1.4: qtsmbstatusd --]
[-- Type: text/plain, Size: 293 bytes --]
#
# The PAM configuration file for the qtsmbstatusd daemon
#
auth required pam_unix.so nullok
auth required pam_listfile.so file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so
[-- Attachment #1.5: qtsmbstatusd.users --]
[-- Type: text/plain, Size: 5 bytes --]
root
[-- Attachment #1.6: all --]
[-- Type: text/plain, Size: 342 bytes --]
Nov 9 20:32:12 localhost qtsmbstatusd: pam_unix(qtsmbstatusd:auth): Credentials for user root unknown
Nov 9 20:32:13 localhost qtsmbstatusd: pam_unix(qtsmbstatusd:auth): Authentication failed for UNKNOWN USER from (uid=0)
Nov 9 20:35:49 localhost qtsmbstatusd: pam_unix(qtsmbstatusd:auth): Authentication failed for UNKNOWN USER from (uid=0)
* Re: [Comm-en] PAM with ALT Linux
From: Daniel Rocher @ 2007-11-09 20:21 UTC (permalink / raw)
To: community-en; +Cc: Motsyo Gennadi aka Drool
On Friday, 9 November 2007, Alexander Bokovoy wrote:
>Daniel, you'd probably need to supply an ALT Linux-customized PAM config
>for your application made along these lines. Better, use the following
>(not tested):
> #%PAM-1.0
> auth include system-auth
> auth required pam_listfile.so file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
> account include system-auth
> password include system-auth
> session include system-auth
It works perfectly!
I have replaced /etc/pam.d/qtsmbstatusd with your config and tested:
- a bad login / bad password
- a good login / bad password
- a good login / good password
- a good login / null password
all OK :-)
>It relies on the fact that we have system-wide 'system-auth' PAM config
>which does common magic (like system-auth-local above).
I understand. Perhaps directly in ALT Linux rpm packages (by Drool).
Thank you very much.
* Re: [Comm-en] PAM with ALT Linux
From: Michael Shigorin @ 2007-11-09 21:04 UTC (permalink / raw)
To: community-en
On Fri, Nov 09, 2007 at 09:21:30PM +0100, Daniel Rocher wrote:
> >Daniel, you'd probably need to supply an ALT Linux-customized
> >PAM config for your application made along these lines.
BTW it's relevant at least for Owl GNU/*/Linux by default too.
> >Better, use the following (not tested):
> > auth include system-auth
> It works perfectly!
[snip]
> >It relies on the fact that we have system-wide 'system-auth'
> >PAM config which does common magic (like system-auth-local
> >above).
> I understand. Perhaps directly in ALT Linux rpm packages
Or you might want to follow best practices (that is, reusing
configuration in this case) and include system-auth on other
distros instead of relying on the particular scheme in your snippet:
there are other auth modules (someone would use e.g. pam_ldap).
PS: I've checked nearby VPSes with Mandriva 2007.1, FC6,
CentOS 4.4 -- all of them do provide /etc/pam.d/system-auth.
Only Debian Etch would diverge calling that "common-auth".
--
---- WBR, Michael Shigorin <mike@altlinux.ru>
------ Linux.Kiev http://www.linux.kiev.ua/
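Added example, not code from this thread or from the qtsmbstatusd project: a POSIX shell helper that does what Alexander's config and Michael's follow-up describe. It emits the service file from the distribution's own stack (`include system-auth` where /etc/pam.d/system-auth exists, Debian's `@include common-*` files otherwise) and adds only the pam_listfile allow-list on top, so the password check itself is whatever the distro installed (pam_tcb on ALT Linux, pam_unix, pam_ldap, ...). It also carries the two checks a packager would want before shipping the file: that the users list is not world-writable (pam_listfile refuses such a file) and is root-owned (our own hardening choice, since whoever can edit the list can add themselves), and that a config naming pam_unix.so directly is not dropped onto a tcb system, where the hashes live under /etc/tcb and a pam_unix-only stack ends in the "cannot retrieve authentication info" failure Daniel saw. The function names, the QTSMB_PAM_DEMO switch, the exact Debian file set and the use of GNU stat(1) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not qtsmbstatusd project code. Generates /etc/pam.d/qtsmbstatusd
# from the distribution's system-wide PAM stack instead of hardcoding pam_unix.so.
# Assumptions: Linux-PAM "include system-auth" layout (ALT Linux, Fedora, Mandriva,
# CentOS) or Debian's "@include common-*" layout; GNU stat(1) in check_users_file.

# Which system-wide stack does this pam.d directory offer?
# Prints one of: system-auth | common | none
pam_stack_kind() {
    pamd=$1
    if [ -f "$pamd/system-auth" ]; then
        echo system-auth
    elif [ -f "$pamd/common-auth" ] && [ -f "$pamd/common-account" ]; then
        echo common
    else
        echo none
    fi
}

# Print the service config for the given pam.d directory and users file.
# The distro stack checks the password; the daemon only adds the allow-list:
# sense=allow item=user admits listed users only, onerr=fail denies everyone
# if the list cannot be read. Returns 1 (and prints nothing to stdout) when no
# stack was found, so nothing half-written lands in /etc/pam.d.
gen_pam_config() {
    pamd=$1
    users=$2
    listfile="auth     required pam_listfile.so file=$users onerr=fail sense=allow item=user"
    case $(pam_stack_kind "$pamd") in
    system-auth)
        echo "#%PAM-1.0"
        echo "auth     include  system-auth"
        echo "$listfile"
        echo "account  include  system-auth"
        echo "password include  system-auth"
        echo "session  include  system-auth"
        ;;
    common)
        echo "#%PAM-1.0"
        echo "@include common-auth"
        echo "$listfile"
        echo "@include common-account"
        echo "@include common-password"
        echo "@include common-session"
        ;;
    *)
        echo "no system-auth or common-* stack in $pamd" >&2
        return 1
        ;;
    esac
}

# pam_listfile refuses a world-writable list file; we additionally insist on
# root ownership because the list decides who may log in. Pure check on an
# owner uid and an octal mode so it can be exercised without root.
users_file_acceptable() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    other=${mode#"${mode%?}"}          # last octal digit: the "other" bits
    case $other in
    2|3|6|7) return 1 ;;               # write bit set for others
    esac
    return 0
}

# Same check against a real file (GNU stat: %u owner uid, %a octal mode).
check_users_file() {
    f=$1
    [ -f "$f" ] || return 1
    users_file_acceptable "$(stat -c %u "$f")" "$(stat -c %a "$f")"
}

# A config naming pam_unix.so directly cannot use the per-user hashes kept
# under /etc/tcb on ALT Linux and Owl, which their pam_tcb-based stack reads.
# Returns 1 when $cfg is such a config on such a system ($root is "/" normally;
# it is a parameter so the check can run against a scratch tree).
config_fits_system() {
    cfg=$1
    root=$2
    if [ -d "$root/etc/tcb" ] && grep -q 'pam_unix\.so' "$cfg"; then
        return 1
    fi
    return 0
}

# Set QTSMB_PAM_DEMO=1 to print the file this host would get, e.g. from a
# package post-install script:
#   gen_pam_config /etc/pam.d /etc/qtsmbstatusd/qtsmbstatusd.users > /etc/pam.d/qtsmbstatusd
#   check_users_file /etc/qtsmbstatusd/qtsmbstatusd.users || echo "fix owner/mode of users file"
#   config_fits_system /etc/pam.d/qtsmbstatusd / || echo "pam_unix.so on a tcb system"
if [ "${QTSMB_PAM_DEMO:-0}" = 1 ]; then
    gen_pam_config /etc/pam.d /etc/qtsmbstatusd/qtsmbstatusd.users
fi
```

Run it with the real /etc/pam.d only after looking at the output: on a system that has neither layout the generator deliberately writes nothing rather than falling back to pam_unix.so, which is the situation this thread started from.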
* [Comm-en] Help Unsubbing
From: Rachel Ramey @ 2007-11-09 21:30 UTC (permalink / raw)
To: ALT Linux users (in English only)
Help! I can't figure out how to unsubscribe, and Linux is not a current
"project" in our household at the moment.
Be blessed!
~Rachel R. <><
http://www.titus2homemaker.com
http://blog.titus2homemaker.com
"Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety." -Benjamin Franklin
* Re: [Comm-en] PAM with ALT Linux
From: Daniel Rocher @ 2007-11-09 22:01 UTC (permalink / raw)
To: community-en
On Friday, 9 November 2007, Michael Shigorin wrote:
> Or you might want to follow best practices (that is, reusing
> configuration in this case) and include system-auth on other
> distros instead of relying on particular scheme in your snippet:
> there are other auth modules (someone would use e.g. pam_ldap).
>
> PS: I've checked nearby VPSes with Mandriva 2007.1, FC6,
> CentOS 4.4 -- all of them do provide /etc/pam.d/system-auth.
> Only Debian Etch would diverge calling that "common-auth".
Yes, I understand. I'll change that.
Thanks