Allen Van Der Ross | 1 Mar 2003 07:14

Re: pam samba password expiration

Hi Joe,

> From: joe.morin <at> dominiondiagnostics.com
> To: pam-list <at> redhat.com
> Subject: pam samba password expiration
> Date: 27 Feb 2003 18:28:40 -0500
> 
> I have samba running on a Redhat 7.3 machine acting as a PDC with Win2k
> machines logging into the network.
> I have samba using pam for authentication (set 'obey pam restrictions =
> yes' and 'pam password change = yes' in my smb.conf file), My question
> concerns password aging.  How do I configure this using pam? Is this
> possible?
> It looks as if the /etc/pam.d/samba file calls system-auth which looks like
> this:
> 
> #%PAM-1.0
> 
> auth        required    /lib/security/pam_env.so
> auth        sufficient  /lib/security/pam_unix.so likeauth nullok
> auth        sufficient  /lib/security/pam_smb_auth.so use_first_pass nolocal
> auth        required    /lib/security/pam_deny.so
> 
> account           required    /lib/security/pam_unix.so
> 
> password    required    /lib/security/pam_cracklib.so retry=3 type=
> password    sufficient  /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password    required    /lib/security/pam_deny.so

Igmar Palsenberg | 1 Mar 2003 17:11

Re: Pam and chrooted bind9 zone transfer problem


Hi,

> I'm pretty new to linux (saw my first linux box last November).  I have 
> set up master and slave DNS servers which have bind9 chrooted into a 
> directory called "named" owned by user "named."  This arrangement used 
> to work, but I have been hardening the boxes, and one step included 
> installing PAM.  The zone transfer between the master and slave can no 
> longer be accomplished.  I am considering copying all the PAM files into 
> my "named" directory.  Does this sound reasonable, or is there something 
> that I am missing?

Bind doesn't use PAM. Making the directory owned by a non-root user makes 
the chroot pretty useless, so change that to user / group root.

Most of the time the slaves fail because they can't write their zone 
files. It is also required to set up an environment in the chroot dir 
(config files, libs, etc).

	Regards,

		Igmar
Nathan Yocom | 3 Mar 2003 04:20

pam_chauthtok crash in solaris

A couple questions on using pam_chauthtok in Solaris (I am
testing/developing in 8).  Please let me know if for some reason this is not
an appropriate list, but it seems to be the only active one I can find ;)

When I setup and call pam_chauthtok in a PAM aware app like:

if( (ret = pam_start("passwd", NULL, &changeconv, &pamh)) == PAM_SUCCESS )
			if( (ret = pam_chauthtok(pamh, PAM_SILENT)) == PAM_SUCCESS )
					changed = 1;

It seems to crash before even getting to my conversation function (which is
included below just in case) - it just segfaults.  The same exact code works
fine in linux, so I am guessing it is a quirk with Solaris.  All I want to
do is force a change of the user's password (regardless of expiration etc) as
this is for an application that manages users.

Any ideas? suggestions?  Let me know if I need to provide more, the app is
to be GPL'd so I can share source as necessary etc.

Thanks in advance!
Nathan Yocom
nate <at> yocom.org

my conversation function (where new_pass and gl_username are globals):

/** PAM Conversation for changing a user's password */
int change_conv(int num_msg, const struct pam_message **msg, struct pam_response **response, void *appdata_ptr)
{
	struct pam_response *reply_with = NULL;

Anders Strandberg | 4 Mar 2003 11:55

mod_auth_pam on Solaris 8 with nis

Hi,

I have set up an Apache 1.3.26 with mod_auth_pam and edited /etc/pam.conf :

#
# Apache httpd
#
httpd auth required /usr/lib/security/$ISA/pam_unix.so
httpd account required /usr/lib/security/$ISA/pam_unix.so

When I try to access a protected page I get a password dialog box all right, but I
can't get authenticated. After running some investigations (snoop and truss) I
found that pam_unix.so is called, which subsequently results in some NIS traffic:

1 0.00000 www -> nisslave NIS C MATCH myuser in passwd.byname
2 0.00111 nisslave -> www NIS R MATCH OK
3 0.00229 www -> nisslave NIS C MATCH myuser in passwd.adjunct.byname
4 0.01974 nisslave -> www NIS R MATCH No such map

In the truss output I can find that probably the user running the webserver is
the effective user (found the user id in the output) when issuing the
passwd.adjunct.byname request, which probably is denied. I can also mention that
a local user is authenticated when chmoding the shadow file to be readable for
the webserver's group (but I am not really interested in that).

nsswitch.conf contains "nis files" at the moment.

Could anybody please explain to me if it is possible to get this setup working
and how ? As far as I can see it should be, if it is not the case that
pam_unix.so is called by the user running the web server when asking for

John Manko | 4 Mar 2003 15:28

Re: pam_chauthtok crash in solaris

Is that the exact format of the code?  Also, what is before and after?
Nathan Yocom wrote:

>A couple questions on using pam_chauthtok in Solaris (I am
>testing/developing in 8).  Please let me know if for some reason this is not
>an appropriate list, but it seems to be the only active one I can find ;)
>
>When I setup and call pam_chauthtok in a PAM aware app like:
>
>if( (ret = pam_start("passwd", NULL, &changeconv, &pamh)) == PAM_SUCCESS )
>			if( (ret = pam_chauthtok(pamh, PAM_SILENT)) == PAM_SUCCESS )
>					changed = 1;
>
>It seems to crash before even getting to my conversation function (which is
>included below just in case) - it just segfaults.  The same exact code works
>fine in linux, so I am guessing it is a quirk with Solaris.  All I want to
>do is force a change of the user's password (regardless of expiration etc) as
>this is for an application that manages users.
>
>Any ideas? suggestions?  Let me know if I need to provide more, the app is
>to be GPL'd so I can share source as necessary etc.
>
>Thanks in advance!
>Nathan Yocom
>nate <at> yocom.org
>
>my conversation function (where new_pass and gl_username are globals):
>
>/** PAM Conversation for changing a user's password */
>int change_conv(int num_msg,const struct pam_message **msg, struct

Nathan Yocom | 4 Mar 2003 18:00

RE: pam_chauthtok crash in solaris

> Is that the exact format of the code?  also, what is before and after?

Pretty much is yes.  The annoying thing is that it works without a problem
in linux, but crashes before even entering the conversation function (as far
as I can tell) in solaris.  One thing I did notice is that in solaris I had
to define the conversation function as:

int change_conv(int, struct pam_message **, struct pam_response **, void *);

instead of:

int change_conv(int, const struct pam_message **, struct pam_response **, void *);

as g++ wouldn't compile it with the second because of the const modifier.
Could this contribute?

Here are all the particulars (without pasting the whole file - if having all
the source would be helpful I can email that to you as its quite large) -
putting just my conversation stuff and the code that calls it (all included
below) into a program running it behaves the same, so I suspect something I
have missed, rather than something odd elsewhere in the code.  I appreciate
the help!

Nate

=== code ===
// Global data (as passing data in solaris via the pam_conv structure doesn't work):
char *gl_username, *gl_password;
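As an added example (my code, not the poster's, and not the body of his change_conv, which the archive cuts off), here is a conversation callback of the kind described in the two posts above, written against the Linux-PAM prototype. gl_username and gl_password are the poster's globals; the PAM structs and constants are declared locally, with the same layout as the system header, so the file builds without libpam.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins with the layout and values of <security/pam_appl.h>, so the file
 * compiles without libpam; a real program includes that header instead. */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2, PAM_ERROR_MSG = 3,
       PAM_TEXT_INFO = 4, PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19 };

/* Assumed application globals, mirroring the poster's design: the caller sets
 * them before pam_chauthtok() and clears gl_password afterwards. */
const char *gl_username = NULL, *gl_password = NULL;

/* Conversation callback for pam_chauthtok(). PAM free()s the array and every
 * resp, so all of it must come from calloc/strdup, never from static buffers.
 * Linux-PAM passes msg as an array of pointers (msg[i]); Solaris passes a
 * pointer to one array ((*msg)[i]) and declares it without const, which is
 * why the prototype differs there. This version follows the Linux-PAM ABI. */
int change_conv(int num_msg, const struct pam_message **msg,
                struct pam_response **response, void *appdata_ptr)
{
    struct pam_response *reply;
    int i;
    (void)appdata_ptr;
    *response = NULL;
    if (num_msg <= 0 || msg == NULL || gl_password == NULL)
        return PAM_CONV_ERR;                      /* nothing to answer with */
    if ((reply = calloc((size_t)num_msg, sizeof *reply)) == NULL)
        return PAM_BUF_ERR;
    for (i = 0; i < num_msg; i++) {
        int style = msg[i]->msg_style;
        if (style == PAM_PROMPT_ECHO_OFF)         /* "New password:" etc. */
            reply[i].resp = strdup(gl_password);
        else if (style == PAM_PROMPT_ECHO_ON)     /* e.g. a login-name prompt */
            reply[i].resp = strdup(gl_username ? gl_username : "");
        else if (style == PAM_ERROR_MSG || style == PAM_TEXT_INFO) {
            fprintf(stderr, "pam: %s\n", msg[i]->msg ? msg[i]->msg : "");
            continue;                             /* a NULL resp is correct */
        }
        if (reply[i].resp == NULL) {              /* unknown style or OOM */
            while (i-- > 0) free(reply[i].resp);  /* undo partial answers */
            free(reply);
            return PAM_CONV_ERR;
        }
    }
    *response = reply;
    return PAM_SUCCESS;
}
```

A real build drops the stand-ins, includes the system header and links with -lpam; on Solaris the prototype loses its const and the messages are indexed as (*msg)[i].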

Allen Van Der Ross | 6 Mar 2003 09:27

PAM on HP-UX

Hi,

When comparing entries for /usr/bin/passwd
PAM modules between Linux (/etc/pam.d/passwd +
system-auth) and HPUX11 (/etc/pam.conf).

I see that HPUX's passwd only has a
passwd management entry.
Where Linux's passwd has 3:
auth, account and passwd.

I just wonder where in the HP case,
does the user changing his password,
get authenticated, since there is no
auth module called?

Or is this handled in the passwd module?
Or maybe even the application itself?!

Thanks,
Allen.
Milan Krčmář | 6 Mar 2003 10:36

Access based on group membership

Hello,

I've been reading Linux PAM documentation several times and haven't found
any simple way to accomplish access restrictions based on group membership,
i. e. to allow access only to members of single group XXX.

There is a (from my point of view) slightly complicated way when you use
pam_listfile module and a file containing only single line with group XXX.

Is this the best one? Or do I miss anything else?

TIA

Milan
David Lee | 6 Mar 2003 12:41

Re: Access based on group membership

On Thu, 6 Mar 2003, Milan Krčmář wrote:

> I've been reading Linux PAM documentation several times and haven't found
> any simple way to accomplish access restrictions based on group membership,
> i. e. to allow access only to members of single group XXX.
>
> There is a (from my point of view) slightly complicated way when you use
> pam_listfile module and a file containing only single line with group XXX.
>
> Is this the best one? Or do I miss anything else?

Have you tried the "pam_access" module?

-- 

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :
Thomas M. Payerle | 6 Mar 2003 19:14

Re: Access based on group membership

In addition to the listfile module that someone mentioned, I have a PAM
module pam_netgroups, available at
http://www2.physics.umd.edu/~payerle/Software/PAM/

that can do authorization (account management group) based on assorted
types of group membership.  It may be overkill for your situation, as the
name implies it is mainly for NIS/hesiod netgroups, but it can handle the
standard Unix /etc/group also (maptype=unix, which then disables about half
of the other options).

Tom Payerle
Dept of Physics				payerle <at> physics.umd.edu
University of Maryland			(301) 405-6973
College Park, MD 20742-4111		Fax: (301) 314-9525

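As an added illustration (not from the thread) of the two stock approaches discussed above, the pam_listfile setup Milan describes and the pam_access module David suggests, written as Linux-PAM configuration; the service name and the group XXX are placeholders:

```text
# Option 1: pam_listfile, in /etc/pam.d/<service>, plus a one-line list file.
# onerr=fail turns a missing or unreadable list into a denial instead of a
# pass; the module also refuses a list file that is not owned by root or is
# writable by anyone else.
account  required  pam_listfile.so item=group sense=allow onerr=fail file=/etc/security/allowed_groups

# /etc/security/allowed_groups (one group name per line)
XXX

# Option 2: pam_access, in /etc/pam.d/<service>
account  required  pam_access.so

# /etc/security/access.conf: the first matching line wins, so the deny-all
# line must be last; without it, an unmatched user is allowed by default.
# Parentheses mark XXX as a group name (newer pam_access syntax; older
# versions matched a bare name against users and groups alike).
+ : (XXX) : ALL
- : ALL : ALL
```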