PAM not playing nicely with vsftpd and pam_exec.so
Chip
jeffschips at gmail.com
Thu Dec 25 16:27:27 UTC 2014
On 12/25/2014 10:02 AM, Jason Gerfen wrote:
> Correct. I have to apologize for my short and totally incoherent
> response. I received the question at near midnight and know better
> than to respond to a fairly technical question right before retiring
> for the evening.
>
> My assumption is that your /etc/pam.d/vsftpd matches /etc/pam.d/sshd
> line for line except the line for session triggering the pam_exec.so
> module.
I originally thought of that idea but didn't invoke it out of fear that
it could cause security issues since sshd is built for sshd and vsftpd
is built for vsftpd -- and not being very well versed in pam didn't want
to take any risks. Are you sure it's a good idea to copy over the sshd
to vsftpd?
>
> Does the user you are testing with have a valid shell directive within
> the /etc/passwd file? I.E. /bin/bash, /bin/sh etc?
etc/passwd for the specified user contains:
specifieduser:x:1000:1000:specifieduser,,,:/home/specifieduser:/bin/bash
>
> And if so, does pam_shells.so exist anywhere within the common
> includes for the /etc/pam.d/vsftpd file? I ask these questions due to
> this particular configuration
> http://unix.stackexchange.com/questions/37539/vsftpd-fails-pam-authentication.
>
only exists in chsh which I believe is not referenced in any of this work
> Can you add a debug directive to the line; i.e. 'session optional
> pam_exec.so debug'? According to the documentation for pam_exec.so at
> http://linux.die.net/man/8/pam_exec you can also add a log directive
> and monitor that during your tests.
When I tail auth.log after inserting "session optional pam_exec.so" at
the end of the sshd file (which properly triggers the executable) I see
this:
Dec 25 11:16:06 specifieduser sshd[6699]: Accepted password for
specifieduser from xx.xx.xx.xx port 50393 ssh2
Dec 25 11:16:06 specifieduser sshd[6699]: pam_unix(sshd:session):
session opened for user specifieduser by (uid=0)
Dec 25 11:16:09 specifieduser sshd[6699]: pam_exec(sshd:session): No
path given as argument
Dec 25 11:16:09 specifieduser sshd[6699]: lastlog_openseek: Couldn't
stat /var/log/lastlog: No such file or directory
Dec 25 11:16:09 specifieduser sshd[6699]: lastlog_openseek: Couldn't
stat /var/log/lastlog: No such file or directory
However, inserting "session optional pam_exec.so" into the vsftpd file
at the end, produces no output. . . is pam not seeing vsftpd or vica versa?
>
> Those should help you further diagnose the actual problem when it
> works for the sshd service.
> ------------------------------------------------------------------------
> *From:* pam-list-bounces at redhat.com [pam-list-bounces at redhat.com] on
> behalf of Jeffrey Starin [jeffschips at gmail.com]
> *Sent:* Thursday, December 25, 2014 12:48 AM
> *To:* Pluggable Authentication Modules
> *Subject:* Re: PAM not playing nicely with vsftpd and pam_exec.so
>
> Okay. I need a bit more explanation. Glad to hear there might be hope
> but don't completely understand "always that directive to common
> session" . I think you mean place the statement:
>
> session optional pam_exec.so
>
> Inside the common session file?
>
> If so what is the theory behind why that could work -- trying to
> teach myself the reasons why that could be a solution.
>
> Thank you.
>
> On Dec 25, 2014 2:24 AM, "Jason Gerfen" <jason.gerfen at utah.edu
> <mailto:jason.gerfen at utah.edu>> wrote:
>
> You could always that directive to common-session and try.
>
>
> On Dec 24, 2014, at 11:01 PM, "Chip" <jeffschips at gmail.com
> <mailto:jeffschips at gmail.com>> wrote:
>
>> I've researched this feature extensively and need help. PAM is a
>> difficult authentication program for me to thoroughly understand
>> although I'm learning.
>>
>> Running Debian Wheezy.
>>
>> Have pam setup to trigger off an email when users login using
>> sshd -- that works fine. No problem using this command in the
>> /etc/pam.d/sshd file:
>>
>> session optional pam_exec.so /usr/local/bin/notify.sh
>>
>> However, I need it to work with vsftpd and getting it to work
>> with sshd was just a test. However, I can't get it to work with
>> vsftpd, the contents of /etc/pam.d/vsftpd are:
>>
>>
>> auth required pam_listfile.so item=user sense=deny
>> file=/etc/ftpusers onerr=succeed
>> @include common-account
>> @include common-session
>> @include common-auth
>> session optional pam_exec.so /usr/local/bin/notify-login.sh
>>
>> What am I missing here? Is pam even designed to work with
>> vsftpd? Running the following command indicates it's hooked into
>> vsftpd, but pam_exec.so doesn't seem to want to play nicely with
>> vsftpd.
>>
>> $ ldd /{,usr/}{bin,sbin}/* | grep -B 5 libpam | grep '^/'
>> /bin/login:
>> /bin/su:
>> /sbin/mkhomedir_helper:
>> /sbin/pam_tally2:
>> /usr/bin/chfn:
>> /usr/bin/chsh:
>> /usr/bin/c_rehash:
>> /usr/bin/crontab:
>> /usr/bin/passwd:
>> /usr/sbin/aspell-autobuildhash:
>> /usr/sbin/atd:
>> /usr/sbin/chpasswd:
>> /usr/sbin/cron:
>> /usr/sbin/newusers:
>> /usr/sbin/sshd:
>> /usr/sbin/vsftpd:
>>
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list at redhat.com <mailto:Pam-list at redhat.com>
>> https://www.redhat.com/mailman/listinfo/pam-list
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com <mailto:Pam-list at redhat.com>
> https://www.redhat.com/mailman/listinfo/pam-list
>
>
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20141225/777d85ec/attachment.htm>
More information about the Pam-list
mailing list