PAM not playing nicely with vsftpd and pam_exec.so

Chip jeffschips at gmail.com
Thu Dec 25 17:14:05 UTC 2014


Thank you Jason for your help.  I've placed it in the common-session in 
various locations -- top, middle, end  -- as well as in the vsftpd file 
-- top, middle, end -- and still no joy.

For some reason pam is not being invoked . . .

On 12/25/2014 11:55 AM, Jason Gerfen wrote:
> Strange. It seems like it is not using the /etc/pam.d/vsftpd file. Or 
> it is exiting early due to the current stack; i.e. required, 
> sufficient directives that may exist in the /etc/pam.d/common-session 
> file.
>
> That is why I suggested to place it in the common-session to trigger 
> the pam_exec.so for all services. Perhaps place it higher in the stack 
> vs. the end.
>
> ------------------------------------------------------------------------
> *From:* pam-list-bounces at redhat.com [pam-list-bounces at redhat.com] on 
> behalf of Chip [jeffschips at gmail.com]
> *Sent:* Thursday, December 25, 2014 9:27 AM
> *To:* Pluggable Authentication Modules
> *Subject:* Re: PAM not playing nicely with vsftpd and pam_exec.so
>
>
> On 12/25/2014 10:02 AM, Jason Gerfen wrote:
>> Correct. I have to apologize for my short and totally incoherent 
>> response. I received the question at near midnight and know better 
>> than to respond to a fairly technical question right before retiring 
>> for the evening.
>>
>> My assumption is that your /etc/pam.d/vsftpd matches /etc/pam.d/sshd 
>> line for line except the line for session triggering the pam_exec.so 
>> module.
>
> I originally thought of that idea but didn't invoke it out of fear 
> that it could cause security issues since sshd is built for sshd and 
> vsftpd is built for vsftpd -- and not being very well versed in pam 
> didn't want to take any risks.  Are you sure it's a good idea to copy 
> over the sshd to vsftpd?
>>
>> Does the user you are testing with have a valid shell directive 
>> within the /etc/passwd file? i.e. /bin/bash, /bin/sh etc?
> /etc/passwd for the specified user contains:
> specifieduser:x:1000:1000:specifieduser,,,:/home/specifieduser:/bin/bash
>
>>
>> And if so, does pam_shells.so exist anywhere within the common 
>> includes for the /etc/pam.d/vsftpd file? I ask these questions due to 
>> this particular configuration 
>> http://unix.stackexchange.com/questions/37539/vsftpd-fails-pam-authentication.
>>
> It only exists in chsh, which I believe is not referenced in any of this work.
>
>> Can you add a debug directive to the line; i.e. 'session optional 
>> pam_exec.so debug'? According to the documentation for pam_exec.so at 
>> http://linux.die.net/man/8/pam_exec you can also add a log directive 
>> and monitor that during your tests.
>
> When I tail auth.log after inserting "session optional pam_exec.so" at 
> the end of the sshd file (which properly triggers the executable) I 
> see this:
>
> Dec 25 11:16:06 specifieduser sshd[6699]: Accepted password for 
> specifieduser from xx.xx.xx.xx port 50393 ssh2
> Dec 25 11:16:06 specifieduser sshd[6699]: pam_unix(sshd:session): 
> session opened for user specifieduser by (uid=0)
> Dec 25 11:16:09 specifieduser sshd[6699]: pam_exec(sshd:session): No 
> path given as argument
> Dec 25 11:16:09 specifieduser sshd[6699]: lastlog_openseek: Couldn't 
> stat /var/log/lastlog: No such file or directory
> Dec 25 11:16:09 specifieduser sshd[6699]: lastlog_openseek: Couldn't 
> stat /var/log/lastlog: No such file or directory
>
> However, inserting "session optional pam_exec.so" into the vsftpd file 
> at the end produces no output... is pam not seeing vsftpd or vice 
> versa?
>
>>
>> Those should help you further diagnose the actual problem when it 
>> works for the sshd service.
>> ------------------------------------------------------------------------
>> *From:* pam-list-bounces at redhat.com [pam-list-bounces at redhat.com] on 
>> behalf of Jeffrey Starin [jeffschips at gmail.com]
>> *Sent:* Thursday, December 25, 2014 12:48 AM
>> *To:* Pluggable Authentication Modules
>> *Subject:* Re: PAM not playing nicely with vsftpd and pam_exec.so
>>
>> Okay. I need a bit more explanation. Glad to hear there might be hope 
>> but don't completely understand "always that directive to common 
>> session" .  I think you mean place the statement:
>>
>>     session    optional     pam_exec.so
>>
>>     Inside the common session file?
>>
>>     If so what is the theory behind why that could work -- trying to
>>     teach myself the reasons why that could be a solution.
>>
>>     Thank you.
>>
>> On Dec 25, 2014 2:24 AM, "Jason Gerfen" <jason.gerfen at utah.edu 
>> <mailto:jason.gerfen at utah.edu>> wrote:
>>
>>     You could always that directive to common-session and try.
>>
>>
>>     On Dec 24, 2014, at 11:01 PM, "Chip" <jeffschips at gmail.com
>>     <mailto:jeffschips at gmail.com>> wrote:
>>
>>>     I've researched this feature extensively and need help. PAM is a
>>>     difficult authentication program for me to thoroughly understand
>>>     although I'm learning.
>>>
>>>     Running Debian Wheezy.
>>>
>>>     I have PAM set up to trigger an email when users log in using
>>>     sshd -- that works fine.  No problem using this command in the
>>>     /etc/pam.d/sshd file:
>>>
>>>     session    optional     pam_exec.so /usr/local/bin/notify.sh
>>>
>>>     However, I need it to work with vsftpd, and getting it to work
>>>     with sshd was just a test.  I can't get it to work with vsftpd;
>>>     the contents of /etc/pam.d/vsftpd are:
>>>
>>>
>>>     auth    required        pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
>>>     @include common-account
>>>     @include common-session
>>>     @include common-auth
>>>     session    optional     pam_exec.so /usr/local/bin/notify-login.sh
>>>
>>>     What am I missing here?  Is pam even designed to work with
>>>     vsftpd?  Running the following command indicates it's hooked
>>>     into vsftpd, but pam_exec.so doesn't seem to want to play nicely
>>>     with vsftpd.
>>>
>>>     $ ldd /{,usr/}{bin,sbin}/* | grep -B 5 libpam | grep '^/'
>>>     /bin/login:
>>>     /bin/su:
>>>     /sbin/mkhomedir_helper:
>>>     /sbin/pam_tally2:
>>>     /usr/bin/chfn:
>>>     /usr/bin/chsh:
>>>     /usr/bin/c_rehash:
>>>     /usr/bin/crontab:
>>>     /usr/bin/passwd:
>>>     /usr/sbin/aspell-autobuildhash:
>>>     /usr/sbin/atd:
>>>     /usr/sbin/chpasswd:
>>>     /usr/sbin/cron:
>>>     /usr/sbin/newusers:
>>>     /usr/sbin/sshd:
>>>     /usr/sbin/vsftpd:
>>>
>>>
>>>     _______________________________________________
>>>     Pam-list mailing list
>>>     Pam-list at redhat.com <mailto:Pam-list at redhat.com>
>>>     https://www.redhat.com/mailman/listinfo/pam-list
>>

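Editor's note, added to this archive page and not part of any message above. The thread gets as far as the two diagnostics pam_exec(8) offers, the debug option and log=file, and the "No path given as argument" error that a bare "session optional pam_exec.so" line produces in auth.log. The script below is my own example, not the poster's notify.sh or notify-login.sh, and assumes only a POSIX sh. It shows a notification hook written the way pam_exec actually calls it, reading PAM_USER, PAM_SERVICE, PAM_TYPE and PAM_RHOST from its environment rather than from arguments and acting only on open_session events; a lint that flags pam_exec.so stack lines that carry options but no command path, which is exactly what the logged error is complaining about; and a constructed copy of the vsftpd stack from the thread that the lint is run against. The type= and log= options on the sample stack lines are documented in the pam_exec(8) man page the thread links to; that the pam_exec on a given host accepts them is an assumption to confirm with man pam_exec there. One caveat the thread never reaches: vsftpd only opens a PAM session, and so only runs the session stack at all, when session_support=YES is set in /etc/vsftpd.conf, and the default is NO, which is consistent with a session hook that fires for sshd and never for vsftpd.

```sh
#!/bin/sh
# Added example, not code from the thread.  notify-login.sh as pam_exec.so
# would run it, plus a lint for the pam.d lines that call it.
#
# pam_exec(8) passes no argv describing the login; it exports PAM_USER,
# PAM_SERVICE, PAM_TYPE, PAM_RHOST and PAM_TTY into the command's
# environment, so the hook must read those.

# Format one event line from the PAM_* environment.
pam_event_line() {
    printf '%s %s user=%s rhost=%s\n' \
        "${PAM_SERVICE:-unknown}" "${PAM_TYPE:-unknown}" \
        "${PAM_USER:-unknown}" "${PAM_RHOST:-local}"
}

# True only for session-open events from sshd or vsftpd.  Without type= on
# the stack line the same hook also runs for close_session, so filter here.
should_notify() {
    [ "${PAM_TYPE:-}" = open_session ] || return 1
    case "${PAM_SERVICE:-}" in
        sshd|vsftpd) return 0 ;;
        *)           return 1 ;;
    esac
}

# Lint: print every pam_exec.so line in the given pam.d file that has no
# command path after its options.  pam_exec options either contain '=' or
# are one of the bare keywords listed; anything else is the command.  A
# line with only options is what logs "pam_exec(...): No path given as
# argument".  Returns 1 if any such line was found.
pam_exec_missing_path() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            \#*|'') continue ;;
            *pam_exec.so*) ;;
            *) continue ;;
        esac
        has_path=0
        for word in ${line#*pam_exec.so}; do
            case "$word" in
                *=*|debug|seteuid|quiet|expose_authtok|stdout) ;;
                *) has_path=1 ;;
            esac
        done
        if [ "$has_path" -eq 0 ]; then
            printf '%s\n' "$line"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Constructed sample: the thread's /etc/pam.d/vsftpd with the auth include
# ahead of the session include, one broken debug line (no path) and one
# correct line.  Written to the file named in $1.
write_sample_stack() {
    cat > "$1" <<'EOF'
# /etc/pam.d/vsftpd (constructed sample, not a real system's file)
auth    required    pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
@include common-auth
@include common-account
@include common-session
session optional pam_exec.so debug log=/var/log/pam_exec.log
session optional pam_exec.so type=open_session debug log=/var/log/pam_exec.log /usr/local/bin/notify-login.sh
EOF
}

# Entry point when pam_exec really invokes this file: PAM_USER is then set.
# Appends to a log (path is an assumption; swap in mail(1) if preferred).
if [ -n "${PAM_USER:-}" ] && should_notify; then
    pam_event_line >> "${NOTIFY_LOG:-/var/log/login-notify.log}"
fi
```

To use the lint on a live box: ". ./notify-login.sh; pam_exec_missing_path /etc/pam.d/vsftpd" prints any option-only pam_exec.so lines. When the hook is installed, keep it root-owned and not group- or world-writable, since pam_exec runs it with the service's privileges (root for vsftpd and sshd) on every login.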