Module testing
Dan Field
dof at llgc.org.uk
Wed Jul 4 11:30:29 UTC 2007
I've written a web service in PHP5 using ext/SOAP and I've forged a basic
PAM module from web snippets I've found around the web and everything
appears to work at a glance but in practice I am having a problem.
I'm trying to use the sshd application config in /etc/pam.d/sshd to test
my module but can I get it to authenticate? can I buggery!
The code where I send my PAM_SUCCESS is here:
    /* now we have parsed the entire document we can return the PAM result */
    if (soapResult == 1) {
        authres = PAM_SUCCESS;
        /* debug aid: this writes the cleartext password to syslog */
        syslog(LOG_INFO, "User %s will be authenticated with password %s",
               user, password);
        return PAM_SUCCESS;
    } else {
        authres = PAM_AUTH_ERR;
        syslog(LOG_INFO, "User %s failed to authenticate.", user);
        return PAM_AUTH_ERR;
    }
This works. Or at least I get the syslog entry showing both my username
and password as typed on the console and ssh client's request. You would
think that this would be all that was required, no?
However, in my syslog I get:
Jul 3 16:30:12 caywdev pam_virtua_soap[20490]: User S10523 will be authenticated with password MyPassword
Jul 3 16:30:14 caywdev sshd[20488]: error: PAM: Authentication failure for S10523 from virtualfedora3.llgc.org.uk
My sshd config is set as follows:
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
Perhaps SSHD is not the best way to test this. Can anyone either solve my
sshd problem or provide an alternative method of testing my PAM module?
Oh and my /etc/pam.d/sshd looks like this:
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
auth sufficient pam_virtua_soap.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
Any help would be much appreciated.
--
Dan Field <dof at llgc.org.uk> Tel. +44 1970 632 582
Datblygwr Systemau Systems Developer
Llyfrgell Genedlaethol Cymru National Library of Wales
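
Added example, not part of the original post: a simplified model in C of how Linux-PAM combines control flags, applied to the three auth lines of the /etc/pam.d/sshd shown above. It assumes that pam_stack's system-auth rejects the user (the post does not say so) and that pam_nologin succeeds; under that assumption a failed required line keeps the later sufficient success from counting, which matches the logged failure. The soap_first ordering is hypothetical and goes beyond what the post shows.

```c
#include <stdio.h>

enum ctl { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL };
enum res { OK, FAIL };  /* OK models PAM_SUCCESS, FAIL any error code */
struct entry { enum ctl control; const char *module; enum res result; };

/* Simplified model of how Linux-PAM combines the results of one stack. */
enum res eval_stack(const struct entry *s, int n)
{
    int required_failed = 0, succeeded = 0;
    for (int i = 0; i < n; i++) {
        if (s[i].result == OK) {
            succeeded = 1;
            /* sufficient ends the stack only if no required module failed */
            if (s[i].control == SUFFICIENT && !required_failed)
                return OK;
        } else if (s[i].control == REQUISITE) {
            return FAIL;              /* fail immediately */
        } else if (s[i].control == REQUIRED) {
            required_failed = 1;      /* fail, but keep running the stack */
        }                             /* failed sufficient/optional: ignored */
    }
    return (succeeded && !required_failed) ? OK : FAIL;
}

/* Evaluate the three auth lines; soap_first picks the hypothetical reordering.
 * system_auth and soap are assumed module results supplied by the caller. */
enum res auth_result(int soap_first, enum res system_auth, enum res soap)
{
    struct entry sys     = { REQUIRED, "pam_stack.so service=system-auth", system_auth };
    struct entry nologin = { REQUIRED, "pam_nologin.so", OK };  /* assumed: no /etc/nologin */
    struct entry vsoap   = { SUFFICIENT, "pam_virtua_soap.so", soap };
    struct entry posted[]    = { sys, nologin, vsoap };
    struct entry reordered[] = { nologin, vsoap, sys };
    return eval_stack(soap_first ? reordered : posted, 3);
}

int main(void)
{
    printf("posted order: %s\n", auth_result(0, FAIL, OK) == OK ? "success" : "failure");
    printf("SOAP first:   %s\n", auth_result(1, FAIL, OK) == OK ? "success" : "failure");
    return 0;
}
```

In the reordered stack pam_nologin still runs before the SOAP module, so a failing pam_nologin is not bypassed by the sufficient line.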