<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 12/25/2014 10:02 AM, Jason Gerfen
wrote:<br>
</div>
<blockquote
cite="mid:ABF5C9F8E8FF6C4BB3CBB71604C534F95502A7FE@X-MB4.xds.umail.utah.edu"
type="cite">
<div>Correct. I have to apologize for my short and totally
incoherent response. I received the question at near midnight
and know better than to respond to a fairly technical question
right before retiring for the evening.<br>
<br>
My assumption is that your /etc/pam.d/vsftpd matches
/etc/pam.d/sshd line for line except the line for session
triggering the pam_exec.so module.<br>
</div>
</blockquote>
<br>
I originally thought of that idea but didn't invoke it out of fear
that it could cause security issues since sshd is built for sshd and
vsftpd is built for vsftpd -- and not being very well versed in pam
didn't want to take any risks. Are you sure it's a good idea to
copy over the sshd to vsftpd?<br>
<blockquote
cite="mid:ABF5C9F8E8FF6C4BB3CBB71604C534F95502A7FE@X-MB4.xds.umail.utah.edu"
type="cite">
<div> <br>
Does the user you are testing with have a valid shell directive
within the /etc/passwd file? I.E. /bin/bash, /bin/sh etc?<br>
</div>
</blockquote>
/etc/passwd for the specified user contains:<br>
specifieduser:x:1000:1000:specifieduser,,,:/home/specifieduser:/bin/bash<br>
<br>
<blockquote
cite="mid:ABF5C9F8E8FF6C4BB3CBB71604C534F95502A7FE@X-MB4.xds.umail.utah.edu"
type="cite">
<div> <br>
And if so, does pam_shells.so exist anywhere within the common
includes for the /etc/pam.d/vsftpd file? I ask these questions
due to this particular configuration <a
class="moz-txt-link-freetext"
href="http://unix.stackexchange.com/questions/37539/vsftpd-fails-pam-authentication">http://unix.stackexchange.com/questions/37539/vsftpd-fails-pam-authentication</a>.<br>
<br>
</div>
</blockquote>
only exists in chsh which I believe is not referenced in any of this
work<br>
<br>
<blockquote
cite="mid:ABF5C9F8E8FF6C4BB3CBB71604C534F95502A7FE@X-MB4.xds.umail.utah.edu"
type="cite">
<div> Can you add a debug directive to the line; i.e. 'session
optional pam_exec.so debug'? According to the documentation for
pam_exec.so at <a moz-do-not-send="true"
href="http://linux.die.net/man/8/pam_exec" target="_blank">http://linux.die.net/man/8/pam_exec</a>
you can also add a log directive and monitor that during your
tests.<br>
</div>
</blockquote>
<br>
When I tail auth.log after inserting "session optional pam_exec.so"
at the end of the sshd file (which properly triggers the executable)
I see this:<br>
<br>
Dec 25 11:16:06 specifieduser sshd[6699]: Accepted password for
specifieduser from xx.xx.xx.xx port 50393 ssh2<br>
Dec 25 11:16:06 specifieduser sshd[6699]: pam_unix(sshd:session):
session opened for user specifieduser by (uid=0)<br>
Dec 25 11:16:09 specifieduser sshd[6699]: pam_exec(sshd:session): No
path given as argument<br>
Dec 25 11:16:09 specifieduser sshd[6699]: lastlog_openseek: Couldn't
stat /var/log/lastlog: No such file or directory<br>
Dec 25 11:16:09 specifieduser sshd[6699]: lastlog_openseek: Couldn't
stat /var/log/lastlog: No such file or directory<br>
<br>
However, inserting "session optional pam_exec.so" into the vsftpd
file at the end, produces no output. . . is pam not seeing vsftpd or
vice versa?<br>
<br>
<blockquote
cite="mid:ABF5C9F8E8FF6C4BB3CBB71604C534F95502A7FE@X-MB4.xds.umail.utah.edu"
type="cite">
<div> <br>
Those should help you further diagnose the actual problem when
it works for the sshd service.<br>
<div>
<hr tabindex="-1">
<div id="divRpF711942"><b>From:</b> <a
class="moz-txt-link-abbreviated"
href="mailto:pam-list-bounces@redhat.com">pam-list-bounces@redhat.com</a>
[<a class="moz-txt-link-abbreviated"
href="mailto:pam-list-bounces@redhat.com">pam-list-bounces@redhat.com</a>]
on behalf of Jeffrey Starin [<a
class="moz-txt-link-abbreviated"
href="mailto:jeffschips@gmail.com">jeffschips@gmail.com</a>]<br>
<b>Sent:</b> Thursday, December 25, 2014 12:48 AM<br>
<b>To:</b> Pluggable Authentication Modules<br>
<b>Subject:</b> Re: PAM not playing nicely with vsftpd and
pam_exec.so<br>
<br>
</div>
<div>
<p dir="ltr">Okay. I need a bit more explanation. Glad to
hear there might be hope but don't completely understand
"always that directive to common session" . I think you
mean place the statement:</p>
<blockquote>
<p dir="ltr">session optional pam_exec.so </p>
<p dir="ltr">Inside the common session file?</p>
<p dir="ltr">If so what is the theory behind why that
could work -- trying to teach myself the reasons why
that could be a solution. </p>
<p dir="ltr">Thank you. <br>
</p>
</blockquote>
<div class="gmail_quote">On Dec 25, 2014 2:24 AM, "Jason
Gerfen" &lt;<a moz-do-not-send="true"
href="mailto:jason.gerfen@utah.edu" target="_blank">jason.gerfen@utah.edu</a>&gt;
wrote:<br type="attribution">
<blockquote class="gmail_quote">
<div dir="auto">
<div>You could always that directive to common-session
and try. <br>
<br>
</div>
<div><br>
On Dec 24, 2014, at 11:01 PM, "Chip" &lt;<a
moz-do-not-send="true"
href="mailto:jeffschips@gmail.com" target="_blank">jeffschips@gmail.com</a>&gt;
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<p> I've researched this feature extensively and
need help. PAM is a difficult authentication
program for me to thoroughly understand although
I'm learning.</p>
<p> Running Debian Wheezy.<br>
</p>
<p> Have pam set up to trigger off an email when
users log in using sshd -- that works fine. No
problem using this command in the
/etc/pam.d/sshd file:<br>
</p>
<p> session optional pam_exec.so
/usr/local/bin/notify.sh<br>
</p>
<p> However, I need it to work with vsftpd and
getting it to work with sshd was just a test.
However, I can't get it to work with vsftpd, the
contents of /etc/pam.d/vsftpd are:<br>
</p>
<p> <br>
auth required pam_listfile.so
item=user sense=deny file=/etc/ftpusers
onerr=succeed<br>
@include common-account<br>
@include common-session<br>
@include common-auth<br>
session optional pam_exec.so
/usr/local/bin/notify-login.sh</p>
<p> What am I missing here? Is pam even designed
to work with vsftpd? Running the following
command indicates it's hooked into vsftpd, but
pam_exec.so doesn't seem to want to play nicely
with vsftpd.<br>
</p>
<p> $ ldd /{,usr/}{bin,sbin}/* | grep -B 5 libpam
| grep '^/'<br>
/bin/login:<br>
/bin/su:<br>
/sbin/mkhomedir_helper:<br>
/sbin/pam_tally2:<br>
/usr/bin/chfn:<br>
/usr/bin/chsh:<br>
/usr/bin/c_rehash:<br>
/usr/bin/crontab:<br>
/usr/bin/passwd:<br>
/usr/sbin/aspell-autobuildhash:<br>
/usr/sbin/atd:<br>
/usr/sbin/chpasswd:<br>
/usr/sbin/cron:<br>
/usr/sbin/newusers:<br>
/usr/sbin/sshd:<br>
/usr/sbin/vsftpd:<br>
<br>
</p>
<br>
</div>
</blockquote>
<blockquote type="cite">
<div><span>_______________________________________________</span><br>
<span>Pam-list mailing list</span><br>
<span><a moz-do-not-send="true"
href="mailto:Pam-list@redhat.com"
target="_blank">Pam-list@redhat.com</a></span><br>
<span><a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/pam-list"
target="_blank">https://www.redhat.com/mailman/listinfo/pam-list</a></span></div>
</blockquote>
</div>
<br>
</blockquote>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
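<p>Added example, not part of the original messages and not vsftpd or Linux-PAM code: a small offline audit of the two things this thread is probing, namely whether a pam_exec.so line carries a command path (the "No path given as argument" message in the log above) and whether vsftpd is configured to open a PAM session at all. The common-* bodies, the sshd test line and the vsftpd.conf text are constructed; the rule that a command is the first argument starting with "/" is this example's assumption, and the defaults for pam_service_name (ftp) and session_support (NO) are taken from vsftpd.conf(5).</p>

```python
import re

# Constructed inputs: the vsftpd stack is the one posted in the thread; the
# common-* bodies, the sshd test line and VSFTPD_CONF are assumptions.
PAM_FILES = {
    "vsftpd": "auth required pam_listfile.so item=user sense=deny "
              "file=/etc/ftpusers onerr=succeed\n"
              "@include common-account\n@include common-session\n"
              "@include common-auth\n"
              "session optional pam_exec.so /usr/local/bin/notify-login.sh\n",
    "sshd": "@include common-session\nsession optional pam_exec.so debug\n",
    "common-account": "account required pam_unix.so\n",
    "common-session": "session required pam_unix.so\n",
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok\n",
}
VSFTPD_CONF = "listen=YES\nlocal_enable=YES\npam_service_name=vsftpd\n"
RULE = re.compile(r"-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def expand(service, files):
    """Yield (type, control, module, args), following @include lines."""
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("@include"):
            yield from expand(line.split()[1], files)
        elif line:
            typ, control, module, args = RULE.match(line).groups()
            yield typ, control, module, args.split()

def pam_exec_findings(service, files):
    """Flag pam_exec lines with no command (first argument starting with '/')."""
    return [f"{service}: {typ} pam_exec.so has no command path"
            for typ, _, module, args in expand(service, files)
            if module == "pam_exec.so"
            and not any(a.startswith("/") for a in args)]

def vsftpd_findings(conf_text, service):
    """Check the two vsftpd.conf options that decide whether session rules run."""
    conf = dict(l.split("=", 1) for l in conf_text.splitlines()
                if "=" in l and not l.startswith("#"))
    out = []
    if conf.get("pam_service_name", "ftp") != service:  # built-in default: ftp
        out.append(f"vsftpd does not use /etc/pam.d/{service}")
    if conf.get("session_support", "NO").upper() != "YES":  # default: NO
        out.append("session_support is not YES: no PAM session is opened")
    return out

if __name__ == "__main__":
    for msg in (pam_exec_findings("sshd", PAM_FILES)
                + pam_exec_findings("vsftpd", PAM_FILES)
                + vsftpd_findings(VSFTPD_CONF, "vsftpd")):
        print(msg)
```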
</body>
</html>