
Re: debugging postgres/pam



On Sat, Dec 27, 2003 at 02:47:48PM +1100, Paul Sorenson wrote:
> I have postgresql (7.3.2) set to use pam.  When I use the pam_permit module:
>     auth    required    pam_permit.so
>     auth    required    pam_warn.so
>     account    required    pam_permit.so
> it authenticates as expected.

> When I use pam_unix:
>     auth    required    pam_unix.so
>     account    required    pam_unix.so

> After getting prompted for a password I get "PAM authentication failure for
> user".  I am using my own login and credentials.  I get a single line in
> /var/log/messages:

> Dec 27 11:55:03 beastie postgresql(pam_unix)[10496]: authentication failure;
> logname= uid=26 euid=26 tty= ruser= rhost=  user=pms

> uid=26 is for the postgresql user, user=pms is the account for which I am
> entering the password.

> I tried adding debug/audit at the end of the pam_unix.so line but the
> message appearing in /var/log/messages remained the same.

> I found lots of hits on Google relating to postgresql with PAM but so far I
> haven't found one with a solution to this.

The postgresql daemon process doesn't have access to read /etc/shadow.  The
standard unix_chkpwd helper binary only lets processes authenticate users
corresponding to their own uid.

If you really want this functionality, you will need to add the postgresql
user to the shadow group (or get a unix_chkpwd command that lets the
postgresql daemon authenticate arbitrary users, but I don't know of a
generally available one that does this).

-- 
Steve Langasek
postmodern programmer
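
Added example, not part of the original message: a small triage helper that parses the pam_unix failure line quoted above and decides whether it matches the situation the reply describes (a non-root caller that cannot read /etc/shadow, authenticating a user other than itself). The function names, the uid 1000 for pms, and the root:shadow (gid 42) mode 0640 layout are assumptions chosen for illustration.

```python
import re
import stat

# Log line from the thread, rejoined onto one line.
SAMPLE = ("Dec 27 11:55:03 beastie postgresql(pam_unix)[10496]: "
          "authentication failure; logname= uid=26 euid=26 tty= ruser= "
          "rhost=  user=pms")

FAILURE_RE = re.compile(
    r"(?P<service>\S+)\(pam_unix\)\[\d+\]: authentication failure; (?P<kv>.*)$")


def parse_failure(line):
    """Return the key=value fields of a pam_unix failure line, or None."""
    m = FAILURE_RE.search(line)
    if m is None:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("kv")))
    fields["service"] = m.group("service")
    return fields


def can_read(euid, gids, mode, owner, group):
    """Classic owner/group/other read check; ignores ACLs and capabilities."""
    if euid == 0:
        return True
    if euid == owner:
        return bool(mode & stat.S_IRUSR)
    if group in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def diagnose(line, target_uid, caller_gids, shadow_mode, shadow_owner, shadow_group):
    """Classify a line as 'helper-refused', 'check-credentials' or 'unparsed'."""
    f = parse_failure(line)
    if f is None:
        return "unparsed"
    euid = int(f["euid"])
    if can_read(euid, caller_gids, shadow_mode, shadow_owner, shadow_group):
        return "check-credentials"  # caller can read the shadow file directly
    if euid == target_uid:
        return "check-credentials"  # helper accepts a caller checking its own uid
    return "helper-refused"         # the case described in the reply


if __name__ == "__main__":
    # Constructed values: pms has uid 1000, shadow is root:shadow (gid 42) 0640.
    print(diagnose(SAMPLE, 1000, {26}, 0o640, 0, 42))      # daemon as configured
    print(diagnose(SAMPLE, 1000, {26, 42}, 0o640, 0, 42))  # daemon in shadow group
```

On a live system the last five arguments would come from `pwd.getpwnam`, `os.getgrouplist` and `os.stat("/etc/shadow")`.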


