<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Helvetica, Arial, sans-serif">Thank you Jason for your
      help.  I've placed it in the common-session in various locations
      -- top, middle, end  -- as well as in the vsftpd file -- top,
      middle, end -- and still no joy.<br>
      <br>
      For some reason pam is not being invoked . . . <br>
      <br>
    </font>
    <div class="moz-cite-prefix">On 12/25/2014 11:55 AM, Jason Gerfen
      wrote:<br>
    </div>
    <blockquote
cite="mid:ABF5C9F8E8FF6C4BB3CBB71604C534F95502A825@X-MB4.xds.umail.utah.edu"
      type="cite">
      <div>Strange. It seems like it is not using the /etc/pam.d/vsftpd
        file. Or it is exiting early due to the current stack; i.e.
        required, sufficient directives that may exist in the
        /etc/pam.d/common-session file.<br>
        <br>
        That is why I suggested to place it in the common-session to
        trigger the pam_exec.so for all services. Perhaps place it
        higher in the stack vs. the end.<br>
        <br>
        <div>
          <hr tabindex="-1">
          <div id="divRpF316997"><b>From:</b>
            <a class="moz-txt-link-abbreviated" href="mailto:pam-list-bounces@redhat.com">pam-list-bounces@redhat.com</a> [<a class="moz-txt-link-abbreviated" href="mailto:pam-list-bounces@redhat.com">pam-list-bounces@redhat.com</a>] on
            behalf of Chip [<a class="moz-txt-link-abbreviated" href="mailto:jeffschips@gmail.com">jeffschips@gmail.com</a>]<br>
            <b>Sent:</b> Thursday, December 25, 2014 9:27 AM<br>
            <b>To:</b> Pluggable Authentication Modules<br>
            <b>Subject:</b> Re: PAM not playing nicely with vsftpd and
            pam_exec.so<br>
            <br>
          </div>
          <div><br>
            <div class="moz-cite-prefix">On 12/25/2014 10:02 AM, Jason
              Gerfen wrote:<br>
            </div>
            <blockquote type="cite">
              <div>Correct. I have to apologize for my short and totally
                incoherent response. I received the question at near
                midnight and know better than to respond to a fairly
                technical question right before retiring for the
                evening.<br>
                <br>
                My assumption is that your /etc/pam.d/vsftpd matches
                /etc/pam.d/sshd line for line except the line for
                session triggering the pam_exec.so module.<br>
              </div>
            </blockquote>
            <br>
            I originally thought of that idea but didn't invoke it out
            of fear that it could cause security issues since sshd is
            built for sshd and vsftpd is built for vsftpd -- and not
            being very well versed in pam didn't want to take any
            risks.  Are you sure it's a good idea to copy over the sshd
            to vsftpd?<br>
            <blockquote type="cite">
              <div><br>
                Does the user you are testing with have a valid shell
                directive within the /etc/passwd file? I.E. /bin/bash,
                /bin/sh etc?<br>
              </div>
            </blockquote>
            /etc/passwd for the specified user contains:  <br>
specifieduser:x:1000:1000:specifieduser,,,:/home/specifieduser:/bin/bash<br>
            <br>
            <blockquote type="cite">
              <div><br>
                And if so, does pam_shells.so exist anywhere within the
                common includes for the /etc/pam.d/vsftpd file? I ask
                these questions due to this particular configuration
                <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://unix.stackexchange.com/questions/37539/vsftpd-fails-pam-authentication"
                  target="_blank">
http://unix.stackexchange.com/questions/37539/vsftpd-fails-pam-authentication</a>.<br>
                <br>
              </div>
            </blockquote>
            only exists in chsh which I believe is not referenced in any
            of this work<br>
            <br>
            <blockquote type="cite">
              <div>Can you add a debug directive to the line; i.e.
                'session optional pam_exec.so debug'? According to the
                documentation for pam_exec.so at
                <a moz-do-not-send="true"
                  href="http://linux.die.net/man/8/pam_exec"
                  target="_blank">http://linux.die.net/man/8/pam_exec</a>
                you can also add a log directive and monitor that during
                your tests.<br>
              </div>
            </blockquote>
            <br>
            When I tail auth.log after inserting "session optional
            pam_exec.so" at the end of the sshd file (which properly
            triggers the executable) I see this:<br>
            <br>
            Dec 25 11:16:06 specifieduser sshd[6699]: Accepted password
            for specifieduser from xx.xx.xx.xx port 50393 ssh2<br>
            Dec 25 11:16:06 specifieduser sshd[6699]:
            pam_unix(sshd:session): session opened for user
            specifieduser by (uid=0)<br>
            Dec 25 11:16:09 specifieduser sshd[6699]:
            pam_exec(sshd:session): No path given as argument<br>
            Dec 25 11:16:09 specifieduser sshd[6699]: lastlog_openseek:
            Couldn't stat /var/log/lastlog: No such file or directory<br>
            Dec 25 11:16:09 specifieduser sshd[6699]: lastlog_openseek:
            Couldn't stat /var/log/lastlog: No such file or directory<br>
            <br>
            However, inserting "session optional pam_exec.so" into the
            vsftpd file at the end, produces no output. . . is pam not
            seeing vsftpd or vice versa?<br>
            <br>
            <blockquote type="cite">
              <div><br>
                Those should help you further diagnose the actual
                problem when it works for the sshd service.<br>
                <div>
                  <hr tabindex="-1">
                  <div id="divRpF711942"><b>From:</b> <a
                      moz-do-not-send="true"
                      class="moz-txt-link-abbreviated"
                      href="mailto:pam-list-bounces@redhat.com"
                      target="_blank">
                      pam-list-bounces@redhat.com</a> [<a
                      moz-do-not-send="true"
                      class="moz-txt-link-abbreviated"
                      href="mailto:pam-list-bounces@redhat.com"
                      target="_blank">pam-list-bounces@redhat.com</a>]
                    on behalf of Jeffrey Starin [<a
                      moz-do-not-send="true"
                      class="moz-txt-link-abbreviated"
                      href="mailto:jeffschips@gmail.com" target="_blank">jeffschips@gmail.com</a>]<br>
                    <b>Sent:</b> Thursday, December 25, 2014 12:48 AM<br>
                    <b>To:</b> Pluggable Authentication Modules<br>
                    <b>Subject:</b> Re: PAM not playing nicely with
                    vsftpd and pam_exec.so<br>
                    <br>
                  </div>
                  <div>
                    <p dir="ltr">Okay. I need a bit more explanation.
                      Glad to hear there might be hope but don't
                      completely understand "always that directive to
                      common session" .  I think you mean place the
                      statement:</p>
                    <blockquote>
                      <p dir="ltr">session    optional     pam_exec.so </p>
                      <p dir="ltr">Inside the common session file?</p>
                      <p dir="ltr">If so what is the theory behind why
                        that could work -- trying to teach myself the
                        reasons why that could be a solution.
                      </p>
                      <p dir="ltr">Thank you. <br>
                      </p>
                    </blockquote>
                    <div class="gmail_quote">On Dec 25, 2014 2:24 AM,
                      "Jason Gerfen" &lt;<a moz-do-not-send="true"
                        href="mailto:jason.gerfen@utah.edu"
                        target="_blank">jason.gerfen@utah.edu</a>&gt;
                      wrote:<br type="attribution">
                      <blockquote class="gmail_quote">
                        <div dir="auto">
                          <div>You could always that directive to
                            common-session and try. <br>
                            <br>
                          </div>
                          <div><br>
                            On Dec 24, 2014, at 11:01 PM, "Chip" &lt;<a
                              moz-do-not-send="true"
                              href="mailto:jeffschips@gmail.com"
                              target="_blank">jeffschips@gmail.com</a>&gt;
                            wrote:<br>
                            <br>
                          </div>
                          <blockquote type="cite">
                            <div>
                              <p>I've researched this feature
                                extensively and need help. PAM is a
                                difficult authentication program for me
                                to thoroughly understand although I'm
                                learning.</p>
                              <p>Running Debian Wheezy.<br>
                              </p>
                              <p>Have pam setup to trigger off an email
                                when users login using sshd -- that
                                works fine.  No problem using this
                                command in the /etc/pam.d/sshd file:<br>
                              </p>
                              <p>session    optional     pam_exec.so
                                /usr/local/bin/notify.sh<br>
                              </p>
                              <p>However, I need it to work with vsftpd
                                and getting it to work with sshd was
                                just a test.  However, I can't get it to
                                work with vsftpd, the contents of
                                /etc/pam.d/vsftpd are:<br>
                              </p>
                              <p><br>
                                auth    required        pam_listfile.so
                                item=user sense=deny file=/etc/ftpusers
                                onerr=succeed<br>
                                @include common-account<br>
                                @include common-session<br>
                                @include common-auth<br>
                                session    optional     pam_exec.so
                                /usr/local/bin/notify-login.sh</p>
                              <p>What am I missing here?  Is pam even
                                designed to work with vsftpd?  Running
                                the following command indicates it's
                                hooked into vsftpd, but pam_exec.so
                                doesn't seem to want to play nicely with
                                vsftpd.<br>
                              </p>
                              <p>$ ldd /{,usr/}{bin,sbin}/* | grep -B 5
                                libpam | grep '^/'<br>
                                /bin/login:<br>
                                /bin/su:<br>
                                /sbin/mkhomedir_helper:<br>
                                /sbin/pam_tally2:<br>
                                /usr/bin/chfn:<br>
                                /usr/bin/chsh:<br>
                                /usr/bin/c_rehash:<br>
                                /usr/bin/crontab:<br>
                                /usr/bin/passwd:<br>
                                /usr/sbin/aspell-autobuildhash:<br>
                                /usr/sbin/atd:<br>
                                /usr/sbin/chpasswd:<br>
                                /usr/sbin/cron:<br>
                                /usr/sbin/newusers:<br>
                                /usr/sbin/sshd:<br>
                                /usr/sbin/vsftpd:<br>
                                <br>
                              </p>
                              <br>
                            </div>
                          </blockquote>
                          <blockquote type="cite">
                            <div><span>_______________________________________________</span><br>
                              <span>Pam-list mailing list</span><br>
                              <span><a moz-do-not-send="true"
                                  href="mailto:Pam-list@redhat.com"
                                  target="_blank">Pam-list@redhat.com</a></span><br>
                              <span><a moz-do-not-send="true"
                                  href="https://www.redhat.com/mailman/listinfo/pam-list"
                                  target="_blank">https://www.redhat.com/mailman/listinfo/pam-list</a></span></div>
                          </blockquote>
                        </div>
                        <br>
                      </blockquote>
                    </div>
                  </div>
                </div>
              </div>
              <br>
            </blockquote>
            <br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
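    <p>Added example, not part of the original thread and not code from any poster: a small Python check for the two stack-level causes raised above, a pam_exec.so session rule with no command path (the "No path given as argument" log line) and earlier session rules whose control can end or jump the stack. The function names and the sample files are assumptions constructed for illustration; point <code>audit_session</code> at a real /etc/pam.d directory to use it.</p>
<pre>
```python
import re
import tempfile
from pathlib import Path

RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# Controls that can end the stack early or jump over later rules.
EARLY = re.compile(r"^(sufficient|requisite)$|=(done|die|\d+)\b")

def expand(service, pam_dir, seen=()):
    """Yield (file, type, control, module, args) in stack order, following @include."""
    if service in seen:  # guard against include loops
        return
    for raw in (Path(pam_dir) / service).read_text().splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("@include"):
            yield from expand(line.split()[1], pam_dir, seen + (service,))
        elif (m := RULE.match(line)):
            yield service, m[1], m[2], m[3], m[4].split()

def audit_session(service, pam_dir):
    """Return one finding per pam_exec.so session rule reachable from `service`."""
    findings, early = [], []
    for src, typ, control, module, args in expand(service, pam_dir):
        if typ != "session":
            continue
        if module.endswith("pam_exec.so"):
            # pam_exec takes the first argument starting with "/" as the command.
            cmd = next((a for a in args if a.startswith("/")), None)
            findings.append({"file": src, "control": control, "command": cmd,
                             "may_be_skipped_by": list(early)})
        if EARLY.search(control):
            early.append(f"{src}: {control} {module}")
    return findings

def demo():
    """Audit constructed stand-ins for /etc/pam.d files (not the poster's real files)."""
    d = Path(tempfile.mkdtemp())
    for name, typ in (("common-account", "account"), ("common-auth", "auth")):
        (d / name).write_text(f"{typ} required pam_unix.so\n")
    (d / "common-session").write_text(
        "session [default=1] pam_permit.so\nsession requisite pam_deny.so\n"
        "session required pam_unix.so\n")
    (d / "vsftpd").write_text(
        "@include common-account\n@include common-session\n@include common-auth\n"
        "session optional pam_exec.so debug /usr/local/bin/notify-login.sh\n")
    (d / "sshd").write_text("@include common-session\nsession optional pam_exec.so\n")
    return audit_session("vsftpd", d), audit_session("sshd", d)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```
</pre>
    <p>If the rule is reported with a command and nothing listed that could skip it, the stack file itself is not the cause: session rules run only when the service calls pam_open_session().</p>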
  </body>
</html>