PAM not playing nicely with vsftpd and pam_exec.so
Chip
jeffschips at gmail.com
Thu Dec 25 17:14:05 UTC 2014
Thank you Jason for your help. I've placed it in the common-session in
various locations -- top, middle, end -- as well as in the vsftpd file
-- top, middle, end -- and still no joy.
For some reason pam is not being invoked . . .
On 12/25/2014 11:55 AM, Jason Gerfen wrote:
> Strange. It seems like it is not using the /etc/pam.d/vsftpd file. Or
> it is exiting early due to the current stack; i.e. required,
> sufficient directives that may exist in the /etc/pam.d/common-session
> file.
>
> That is why I suggested to place it in the common-session to trigger
> the pam_exec.so for all services. Perhaps place it higher in the stack
> vs. the end.
>
> ------------------------------------------------------------------------
> *From:* pam-list-bounces at redhat.com [pam-list-bounces at redhat.com] on
> behalf of Chip [jeffschips at gmail.com]
> *Sent:* Thursday, December 25, 2014 9:27 AM
> *To:* Pluggable Authentication Modules
> *Subject:* Re: PAM not playing nicely with vsftpd and pam_exec.so
>
>
> On 12/25/2014 10:02 AM, Jason Gerfen wrote:
>> Correct. I have to apologize for my short and totally incoherent
>> response. I received the question at near midnight and know better
>> than to respond to a fairly technical question right before retiring
>> for the evening.
>>
>> My assumption is that your /etc/pam.d/vsftpd matches /etc/pam.d/sshd
>> line for line except the line for session triggering the pam_exec.so
>> module.
>
> I originally thought of that idea but didn't invoke it out of fear
> that it could cause security issues since sshd is built for sshd and
> vsftpd is built for vsftpd -- and not being very well versed in pam
> didn't want to take any risks. Are you sure it's a good idea to copy
> over the sshd to vsftpd?
>>
>> Does the user you are testing with have a valid shell directive
>> within the /etc/passwd file? I.E. /bin/bash, /bin/sh etc?
> /etc/passwd for the specified user contains:
> specifieduser:x:1000:1000:specifieduser,,,:/home/specifieduser:/bin/bash
>
>>
>> And if so, does pam_shells.so exist anywhere within the common
>> includes for the /etc/pam.d/vsftpd file? I ask these questions due to
>> this particular configuration
>> http://unix.stackexchange.com/questions/37539/vsftpd-fails-pam-authentication.
>>
> Only exists in chsh, which I believe is not referenced in any of this work.
>
>> Can you add a debug directive to the line; i.e. 'session optional
>> pam_exec.so debug'? According to the documentation for pam_exec.so at
>> http://linux.die.net/man/8/pam_exec you can also add a log directive
>> and monitor that during your tests.
>
> When I tail auth.log after inserting "session optional pam_exec.so" at
> the end of the sshd file (which properly triggers the executable) I
> see this:
>
> Dec 25 11:16:06 specifieduser sshd[6699]: Accepted password for
> specifieduser from xx.xx.xx.xx port 50393 ssh2
> Dec 25 11:16:06 specifieduser sshd[6699]: pam_unix(sshd:session):
> session opened for user specifieduser by (uid=0)
> Dec 25 11:16:09 specifieduser sshd[6699]: pam_exec(sshd:session): No
> path given as argument
> Dec 25 11:16:09 specifieduser sshd[6699]: lastlog_openseek: Couldn't
> stat /var/log/lastlog: No such file or directory
> Dec 25 11:16:09 specifieduser sshd[6699]: lastlog_openseek: Couldn't
> stat /var/log/lastlog: No such file or directory
>
> However, inserting "session optional pam_exec.so" into the vsftpd file
> at the end produces no output. . . is pam not seeing vsftpd or vice
> versa?
>
>>
>> Those should help you further diagnose the actual problem when it
>> works for the sshd service.
>> ------------------------------------------------------------------------
>> *From:* pam-list-bounces at redhat.com [pam-list-bounces at redhat.com] on
>> behalf of Jeffrey Starin [jeffschips at gmail.com]
>> *Sent:* Thursday, December 25, 2014 12:48 AM
>> *To:* Pluggable Authentication Modules
>> *Subject:* Re: PAM not playing nicely with vsftpd and pam_exec.so
>>
>> Okay. I need a bit more explanation. Glad to hear there might be hope
>> but don't completely understand "always that directive to common
>> session" . I think you mean place the statement:
>>
>> session optional pam_exec.so
>>
>> Inside the common session file?
>>
>> If so what is the theory behind why that could work -- trying to
>> teach myself the reasons why that could be a solution.
>>
>> Thank you.
>>
>> On Dec 25, 2014 2:24 AM, "Jason Gerfen" <jason.gerfen at utah.edu> wrote:
>>
>> You could always that directive to common-session and try.
>>
>>
>> On Dec 24, 2014, at 11:01 PM, "Chip" <jeffschips at gmail.com> wrote:
>>
>>> I've researched this feature extensively and need help. PAM is a
>>> difficult authentication program for me to thoroughly understand
>>> although I'm learning.
>>>
>>> Running Debian Wheezy.
>>>
>>> Have pam setup to trigger off an email when users login using
>>> sshd -- that works fine. No problem using this command in the
>>> /etc/pam.d/sshd file:
>>>
>>> session optional pam_exec.so /usr/local/bin/notify.sh
>>>
>>> However, I need it to work with vsftpd and getting it to work
>>> with sshd was just a test. However, I can't get it to work with
>>> vsftpd, the contents of /etc/pam.d/vsftpd are:
>>>
>>>
>>> auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
>>> @include common-account
>>> @include common-session
>>> @include common-auth
>>> session optional pam_exec.so /usr/local/bin/notify-login.sh
>>>
>>> What am I missing here? Is pam even designed to work with
>>> vsftpd? Running the following command indicates it's hooked
>>> into vsftpd, but pam_exec.so doesn't seem to want to play nicely
>>> with vsftpd.
>>>
>>> $ ldd /{,usr/}{bin,sbin}/* | grep -B 5 libpam | grep '^/'
>>> /bin/login:
>>> /bin/su:
>>> /sbin/mkhomedir_helper:
>>> /sbin/pam_tally2:
>>> /usr/bin/chfn:
>>> /usr/bin/chsh:
>>> /usr/bin/c_rehash:
>>> /usr/bin/crontab:
>>> /usr/bin/passwd:
>>> /usr/sbin/aspell-autobuildhash:
>>> /usr/sbin/atd:
>>> /usr/sbin/chpasswd:
>>> /usr/sbin/cron:
>>> /usr/sbin/newusers:
>>> /usr/sbin/sshd:
>>> /usr/sbin/vsftpd:
>>>
>>>
>>> _______________________________________________
>>> Pam-list mailing list
>>> Pam-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pam-list
>>
>>
>>
>>
>
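Added example, not part of the thread above and not Chip's or Jason's code: a pam_exec.so helper for the vsftpd session stack, together with the surrounding configuration a practitioner would check first. Two details from the documentation matter here. The log line quoted earlier, "pam_exec(sshd:session): No path given as argument", is what pam_exec.so reports when the line carries no program path, so the bare "session optional pam_exec.so" form can never fire; the path is mandatory, and "debug" plus "log=/path" (both from the pam_exec(8) page linked above) make each attempt visible. Separately, vsftpd.conf(5) documents session_support (default NO) as the switch that makes vsftpd call pam_open_session at all, and pam_service_name as the name of the /etc/pam.d/ file it uses, so a session-phase module in /etc/pam.d/vsftpd is only reached when both point the right way. The script filters on PAM_TYPE so that the close_session call does not send a second notification, and validates the user name before it reaches anything that interprets text. File paths, option values and the sample PAM_* values are assumptions.

```shell
#!/bin/sh
# notify-login.sh: added example of a pam_exec.so helper for the vsftpd
# session stack discussed in the thread. Not the script from the thread;
# paths, option values and sample PAM_* values are assumptions.
#
# Assumed surrounding configuration (Debian layout):
#   /etc/vsftpd.conf
#     pam_service_name=vsftpd   # must name the /etc/pam.d/ file being edited
#     session_support=YES       # vsftpd calls pam_open_session only when YES
#   /etc/pam.d/vsftpd (last line; the program path is mandatory, otherwise
#   pam_exec logs "No path given as argument" and runs nothing)
#     session optional pam_exec.so debug log=/var/log/pam_exec.log /usr/local/bin/notify-login.sh
#
# pam_exec.so runs the command with PAM_USER, PAM_SERVICE, PAM_RHOST, PAM_TTY
# and PAM_TYPE in its environment. The session phase runs the command twice
# (open_session and close_session), so the script filters on PAM_TYPE.

# One line per event, built from the PAM_* environment; kept in a function so
# it can be exercised outside PAM by exporting the variables by hand.
format_login_record() {
    printf '%s: user=%s service=%s rhost=%s tty=%s\n' \
        "${PAM_TYPE:-unknown}" "${PAM_USER:-unknown}" \
        "${PAM_SERVICE:-unknown}" "${PAM_RHOST:-local}" "${PAM_TTY:-none}"
}

# Succeeds only for the session-open call, so logout does not notify twice.
should_notify() {
    [ "${PAM_TYPE:-}" = "open_session" ]
}

# pam_exec passes the user name through unchanged; keep anything outside the
# POSIX portable user-name characters away from mail headers or shell text.
valid_user() {
    case "${1:-}" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

main() {
    should_notify || return 0
    if ! valid_user "${PAM_USER:-}"; then
        logger -t notify-login -p auth.warning -- \
            "rejected session event with unexpected user name"
        return 0
    fi
    record=$(format_login_record)
    # Lands in /var/log/auth.log next to the pam_unix/pam_exec lines, which
    # is the first place to look when the line in /etc/pam.d/vsftpd seems dead.
    logger -t notify-login -p auth.info -- "$record"
    # Mail delivery is site-specific, e.g.:
    #   printf '%s\n' "$record" | mail -s "FTP login: $PAM_USER" root
    return 0   # a non-zero exit would make pam_exec return PAM_SYSTEM_ERR
}

# Only act when invoked by pam_exec (PAM_SERVICE is always set there), so the
# functions can be sourced and tested without side effects.
if [ -n "${PAM_SERVICE:-}" ]; then
    main "$@"
fi
```

To test the hook outside PAM, export PAM_TYPE=open_session, PAM_USER, PAM_SERVICE=vsftpd and PAM_RHOST by hand and run the script as root, then tail /var/log/auth.log; if the manual run logs but an FTP login does not, the problem is in vsftpd.conf or the stack order, not in the script.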