<br><font size=2 face="sans-serif">Hello,</font>
<br>
<br><font size=2 face="sans-serif">I'm working on synchronizing a user PostgreSQL database with OpenSSH, using pam_pgsql for authentication.</font>
<br><font size=2 face="sans-serif">And it doesn't work.</font>
<br><font size=2 face="sans-serif">I'm using a Fedora Core 6 OS.</font>
<br><font size=2 face="sans-serif">First, I've created the database "unix" with 3 tables in PostgreSQL:</font>
<br>
<br><font size=2 face="sans-serif">unix=# select * from passwd_table;</font>
<br><font size=2 face="sans-serif">username | passwd | uid | gid | gecos | homedir | shell </font>
<br><font size=2 face="sans-serif">----------+----------+-----+-----+--------+-------------+-----------</font>
<br><font size=2 face="sans-serif"> user1 | password | 500 | 500 | user 1 | /home/user1 | /bin/bash</font>
<br><font size=2 face="sans-serif"> user2 | password | 501 | 500 | user 2 | /home/user2 | /bin/bash</font>
<br>
<br><font size=2 face="sans-serif">select * from group_table;</font>
<br><font size=2 face="sans-serif"> gid | groupname | descr | passwd </font>
<br><font size=2 face="sans-serif">-----+-----------+-------+--------</font>
<br><font size=2 face="sans-serif"> 500 | util | </font>
<br>
<br><font size=2 face="sans-serif">select * from usergroups;</font>
<br><font size=2 face="sans-serif"> gid | uid </font>
<br><font size=2 face="sans-serif">-----+----- | </font>
<br>
<br><font size=2 face="sans-serif">I've installed libnss-pgsql by compiling it.</font>
<br><font size=2 face="sans-serif">The getent passwd command works; I obtain user1 and user2 at the end of the list.</font>
<br>
<br><font size=2 face="sans-serif">I am able to change the user and the group of a directory with the chown command:</font>
<br><font size=2 face="sans-serif"># ls -l /home</font>
<br><font size=2 face="sans-serif">total 8</font>
<br><font size=2 face="sans-serif">drwxr-xr-x 2 user1 util 4096 avr 24 10:11 user1</font>
<br>
<br><font size=2 face="sans-serif">Now I would like to log in with ssh on this system with a user existing in the database. To do that I've installed pam_pgsql.so.</font>
<br>
<br><font size=2 face="sans-serif">I've compiled this version of pam-pgsql: pam-pgsql-1.0.0.tgz, found on the pgfoundry web site.</font>
<br><font size=2 face="sans-serif">I've followed the README to install and configure it:</font>
<br>
<br><font size=2 face="sans-serif">./configure; make; make install</font>
<br>
<br><font size=2 face="sans-serif">The /etc/pam.d/sshd file is configured like this:</font>
<br>
<br><font size=2 face="sans-serif">auth include system-auth-pg</font>
<br><font size=2 face="sans-serif">account required pam_nologin.so</font>
<br><font size=2 face="sans-serif">account include system-auth-pg</font>
<br><font size=2 face="sans-serif">password include system-auth-pg</font>
<br><font size=2 face="sans-serif">session optional pam_keyinit.so force revoke</font>
<br><font size=2 face="sans-serif">session include system-auth-pg</font>
<br><font size=2 face="sans-serif">session required pam_loginuid.so</font>
<br>
<br><font size=2 face="sans-serif">and /etc/pam.d/system-auth-pg is configured like this:</font>
<br><font size=2 face="sans-serif">#%PAM-1.0</font>
<br><font size=2 face="sans-serif"># This file is auto-generated.</font>
<br><font size=2 face="sans-serif"># User changes will be destroyed the next time authconfig is run.</font>
<br><font size=2 face="sans-serif">auth required pam_env.so</font>
<br><font size=2 face="sans-serif">auth sufficient pam_pgsql.so use_first_pass debug</font>
<br><font size=2 face="sans-serif">auth sufficient pam_unix.so nullok try_first_pass</font>
<br><font size=2 face="sans-serif">auth requisite pam_succeed_if.so uid >= 500 quiet</font>
<br><font size=2 face="sans-serif">auth required pam_deny.so</font>
<br>
<br><font size=2 face="sans-serif">account required pam_pgsql.so debug</font>
<br><font size=2 face="sans-serif">account required pam_unix.so</font>
<br><font size=2 face="sans-serif">account sufficient pam_succeed_if.so uid < 500 quiet</font>
<br><font size=2 face="sans-serif">account required pam_permit.so</font>
<br>
<br><font size=2 face="sans-serif">password sufficient pam_pgsql.so debug</font>
<br><font size=2 face="sans-serif">password requisite pam_cracklib.so try_first_pass retry=3</font>
<br><font size=2 face="sans-serif">password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok</font>
<br><font size=2 face="sans-serif">password required pam_deny.so</font>
<br>
<br><font size=2 face="sans-serif">session optional pam_keyinit.so revoke</font>
<br><font size=2 face="sans-serif">session required pam_limits.so</font>
<br><font size=2 face="sans-serif">session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid</font>
<br><font size=2 face="sans-serif">session required pam_unix.so</font>
<br>
<br><font size=2 face="sans-serif">and /etc/pam_pgsql.conf is configured like this:</font>
<br>
<br><font size=2 face="sans-serif">connectionstring = user=postgres host=127.0.0.1 dbname=unix</font>
<br><font size=2 face="sans-serif">getpassword = SELECT passwd FROM passwd_table WHERE username = $1</font>
<br><font size=2 face="sans-serif">#changepw = UPDATE passwd_table SET password = $2 WHERE user = $1</font>
<br><font size=2 face="sans-serif">#isexpired = SELECT 1 FROM passwd_table WHERE user = $1 AND isexpired < NOW()</font>
<br><font size=2 face="sans-serif">#newpassrequired = SELECT 1 FROM table WHERE user = $1 AND newpass < NOW()</font>
<br>
<br><font size=2 face="sans-serif">I also tried this configuration:</font>
<br>
<br><font size=2 face="sans-serif">host = 127.0.0.1</font>
<br><font size=2 face="sans-serif">database = unix</font>
<br><font size=2 face="sans-serif">user = postgres</font>
<br><font size=2 face="sans-serif">table = passwd_table</font>
<br><font size=2 face="sans-serif">user_column = username</font>
<br><font size=2 face="sans-serif">pwd_column = passwd</font>
<br><font size=2 face="sans-serif">debug</font>
<br><font size=2 face="sans-serif">pw_type = clear</font>
<br>
<br><font size=2 face="sans-serif">The authentication with PostgreSQL is for the moment in trust mode, so as not to use a password (this system works with nsswitch).</font>
<br>
<br><font size=2 face="sans-serif">Then when I try this command on the server:</font>
<br><font size=2 face="sans-serif">ssh user1@127.0.0.1 </font>
<br>
<br><font size=2 face="sans-serif">I only have these two messages in my logs:</font>
<br>
<br><font size=2 face="sans-serif">in /var/log/secure:</font>
<br><font size=2 face="sans-serif">Apr 26 00:36:29 FC6-vm1 sshd[9067]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fc6-vm1 user=user1</font>
<br><font size=2 face="sans-serif">Apr 26 00:36:31 FC6-vm1 sshd[9067]: Failed password for user1 from 127.0.0.1 port 42067 ssh2</font>
<br>
<br><font size=2 face="sans-serif">and in /var/log/messages:</font>
<br><font size=2 face="sans-serif">Apr 26 00:36:29 FC6-vm1 PAM_pgsql[9067]: the database, table and user_column options are required.</font>
<br>
<br><font size=2 face="sans-serif">It's strange, it's as if pam_pgsql.conf was not read!?</font>
<br>
<br><font size=2 face="sans-serif">Any idea?</font>
<br>
<br><font size=2 face="sans-serif">Kind regards,</font>
<br>
<br><font size=2 face="sans-serif">Yann CONAN from Bordeaux</font>
<br>
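<br><font size=2 face="sans-serif">The following is an added Python model, not part of Yann's message and not pam_pgsql's own code: it walks the auth stack of the quoted system-auth-pg file under Linux-PAM's control-flag rules, with constructed per-module outcomes, to show why pam_unix.so is still consulted (and logs the failure seen in /var/log/secure) once pam_pgsql.so has failed, and why it is never reached when pam_pgsql.so succeeds.</font>

```python
# Added illustration, not part of the original message: a minimal model of
# Linux-PAM control-flag semantics run over the "auth" stack of the quoted
# system-auth-pg file (module options omitted). The per-module outcomes
# below are constructed assumptions, not real PAM calls.

AUTH_STACK = [  # in the order the message lists them
    ("required",   "pam_env.so"),
    ("sufficient", "pam_pgsql.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite",  "pam_succeed_if.so"),  # uid >= 500
    ("required",   "pam_deny.so"),
]

def run_stack(stack, outcomes):
    """Walk a PAM stack with the classic control flags.
    outcomes: module name -> True (PAM_SUCCESS) or False (any failure).
    Returns (authenticated, modules_actually_called)."""
    called = []
    failed = False  # set when a 'required' module fails; PAM keeps walking
    for control, module in stack:
        ok = outcomes.get(module, False)
        called.append(module)
        if control == "requisite" and not ok:
            return False, called          # stop at once, report failure
        if control == "sufficient" and ok and not failed:
            return True, called           # short-circuit success
        if control == "required" and not ok:
            failed = True                 # remembered; later modules still run
        # a failed 'sufficient' and any 'optional' result are ignored
    return not failed, called

def page_scenario():
    """Assumed outcomes matching the message: pam_pgsql cannot load its
    config and fails; user1 has no /etc/shadow entry, so pam_unix fails and
    logs the 'authentication failure' line seen in /var/log/secure."""
    outcomes = {
        "pam_env.so": True,
        "pam_pgsql.so": False,
        "pam_unix.so": False,
        "pam_succeed_if.so": True,  # uid 500 satisfies uid >= 500
        "pam_deny.so": False,       # pam_deny always fails
    }
    return run_stack(AUTH_STACK, outcomes)

def pgsql_working_scenario():
    """Same stack once pam_pgsql succeeds: pam_unix is never consulted."""
    return run_stack(AUTH_STACK, {"pam_env.so": True, "pam_pgsql.so": True})
```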