Russell N. Price | 5 Mar 2008 02:57

PAM and su behavior

Hello,

I'm experiencing unexpected PAM behavior under RHEL4.6 
(pam-0.77-66.23). When I su to an account as a non-root user, 
the login failure counter is always updated for the account 
being su'd to, even when the su is successful.

/etc/pam.d/su:

#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close

Russell N. Price | 5 Mar 2008 20:52

su and PAM: follow-up

Don't everyone chime in with solutions at once :-)

Another couple of pieces to the puzzle:

1) This behavior seems to have begun after
    our last update cycle (Feb '08)

2) I can fix the problem with the "su" file
    from RH AS 3:

auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
session    optional     /lib/security/$ISA/pam_xauth.so

With this file in place, su behaves as expected:

P. | 6 Mar 2008 00:35

Pam-mysql

After nearly three days sweating on this I'm now stuck. Read out.

I want apache to authenticate access solely via mysql. The new
mod-authn-dbd is reputed to be buggy, and the old mod-auth-apache2-mysql
is absent in debian etch. So it appears I'm going with pam.

Oddly, access works when it matches an /etc/passwd user, which I don't want!
Everything else fails to login, and presents a new login prompt, except
where a mysql entry matches, in which case the PAM log (mysql) says:

entry                   user  pid   host       ts
AUTHENTICATION SUCCESS  test  6193  (unknown)  2008-02-28 10:14:24

yet the browser gets:

401 Authorization Required

This server could not verify that you are authorized to access the document
requested. Either you supplied the wrong credentials (e.g., bad password),
or your browser doesn't understand how to supply the credentials required.

and /var/log/apache/error.log gets

PAM: user 'ee'  - invalid account: User not known to the underlying
authentication module

and /var/log/auth.log gets

Feb 28 11:16:21 solarbus1 apache2: pam_mysql - SELECT
solarbus.spacepersons.password FROM so

Ido Levy | 25 Mar 2008 10:15

Integrated Login


Hello,

I am trying to configure PAM to provide both AFS token and Kerberos 5
ticket in the login process but unfortunately with no luck.
I am able to get AFS token or Kerberos 5 ticket but not both of them.

Following is the system-auth file.

#%PAM-1.0
auth        required      pam_env.so
auth        sufficient      /lib64/security/pam_krb5.so use_first_pass
auth        sufficient      /lib64/security/pam_afs.so try_first_pass ignore_root set_token
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     sufficient    /lib64/security/pam_krb5.so
account     sufficient    pam_ldap.so

password    requisite     pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    /lib64/security/pam_krb5.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     optional      /lib64/security/pam_krb5.so
session     optional      pam_ldap.so

Tomas Mraz | 25 Mar 2008 10:24

Re: Integrated Login

On Tue, 2008-03-25 at 11:15 +0200, Ido Levy wrote:
> Hello,
> 
> I am trying to configure PAM to provide both AFS token and Kerberos 5
> ticket in the login process but unfortunately with no luck.
> I am able to get AFS token or Kerberos 5 ticket but not both of them.
> 
> Following is the system-auth file.
> 
> #%PAM-1.0
> auth        required      pam_env.so
> auth        sufficient      /lib64/security/pam_krb5.so use_first_pass
This module must be "required" and not "sufficient".
> auth        sufficient      /lib64/security/pam_afs.so try_first_pass
> ignore_root set_token
Also you shouldn't use full paths to the modules, the pam library will
search /lib(64)/security automatically.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
Ido Levy | 25 Mar 2008 10:28

Re: Integrated Login

Tomas,

Thanks for the advice !!
I will check it out and will update the list for my results.

Ido


_______________________________________________
Pam-list mailing list
Pam-list <at> redhat.com
https://www.redhat.com/mailman/listinfo/pam-list

Ido Levy | 25 Mar 2008 11:49

Re: Integrated Login

Hello,

Following your advice I have successfully set up integrated login for ssh.
I got both an AFS token and a Kerberos 5 ticket.

Following are the PAM files of sshd and system-auth.
I have a few questions regarding the setup of the sshd PAM file, which looks a little strange to me although it's working and satisfies my needs.

sshd

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_host_deny onerr=succeed
# Without the following line it's not working properly (I wonder why; the system-auth file has the same line)
auth       required     pam_afs.so try_first_pass ignore_root set_token
# Note that the following line is marked as optional; any change will harm the login process. I think it should be required
auth       optional     pam_stack.so service=system-auth
auth       required     pam_nologin.so

account    required     pam_stack.so service=system-auth

password   required     pam_stack.so service=system-auth

session    required     pam_stack.so service=system-auth
session    required     pam_limits.so

system-auth

#%PAM-1.0
auth        required      pam_env.so
auth        optional      pam_krb5.so use_first_pass
auth        required      pam_afs.so try_first_pass ignore_root set_token
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     sufficient    pam_krb5.so
account     sufficient    pam_ldap.so

password    requisite     pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required     pam_deny.so

session     required      pam_limits.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
session     required      pam_unix.so


Tomas Mraz | 25 Mar 2008 12:14

Re: Integrated Login

On Tue, 2008-03-25 at 12:49 +0200, Ido Levy wrote:
> Hello,
> 
> Following your advice I have successfully setup integrated login for
> ssh.
> I got both AFS token and Kerberos 5 ticket. 
> 
> Following are the PAM files of sshd and system-auth:
> I have a few questions regarding the setup of sshd PAM file that looks
> a little strange for me although it's working and satisfy my needs.
> 
> sshd

Here is my recommendation; try whether that works:

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_host_deny onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so

account    required     pam_stack.so service=system-auth

password   required     pam_stack.so service=system-auth

session    required     pam_stack.so service=system-auth
session    required     pam_limits.so

system-auth

#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_krb5.so
auth        sufficient    pam_afs.so try_first_pass ignore_root set_token
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     sufficient    pam_krb5.so
account     sufficient    pam_ldap.so

password    requisite     pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
session     required      pam_unix.so

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
Ido Levy | 25 Mar 2008 15:27

Re: Integrated Login

The most optimized configuration I have reached is as follows.
Thank you for the help !!

sshd

auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_host_deny onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so

account    required     pam_stack.so service=system-auth

password   required     pam_stack.so service=system-auth

session    required     pam_stack.so service=system-auth
session    required     pam_limits.so

system-auth

auth        required      pam_env.so
auth        optional      pam_krb5.so try_first_pass
auth        sufficient    pam_afs.so try_first_pass ignore_root set_token
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     sufficient    pam_krb5.so
account     sufficient    pam_ldap.so

password    requisite     pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
session     required      pam_unix.so


Ido Levy

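As an added illustration (not code from the thread or from Linux-PAM), a small Python simulator of the Linux-PAM control-flag rules (required, requisite, sufficient, optional) applied to the three system-auth auth stacks posted above: the original one (pam_krb5 sufficient), Tomas's recommendation (pam_krb5 required) and the final one (pam_krb5 optional). Module outcomes are constructed inputs; no real PAM stack is invoked, and the module names are taken from the posted files.

```python
# Added example (not from the thread): simulate Linux-PAM control-flag
# semantics for one management group (auth) and trace which modules run.
# Module outcomes are constructed inputs; no real PAM library is called.

def run_stack(stack, outcomes):
    """Evaluate a PAM stack.

    stack:    ordered list of (control, module), e.g. ("sufficient", "pam_krb5.so")
    outcomes: dict module -> True (success) / False (failure) for this attempt;
              modules not listed are assumed to succeed
    Returns (final_result, modules_that_actually_ran).
    """
    ran = []
    required_failed = False
    for control, module in stack:
        ok = outcomes.get(module, True)
        ran.append(module)
        if control == "requisite" and not ok:
            return False, ran              # abort immediately
        if control == "required" and not ok:
            required_failed = True         # keep going, but the stack will fail
        elif control == "sufficient" and ok and not required_failed:
            return True, ran               # short-circuit: later modules never run
        # "optional": outcome ignored (single-module stacks are not modelled);
        # a failed "sufficient" is ignored as well
    return not required_failed, ran

# The three auth stacks from the thread (same module order in all three).
AUTH_ORIGINAL = [("required", "pam_env.so"), ("sufficient", "pam_krb5.so"),
                 ("sufficient", "pam_afs.so"), ("required", "pam_deny.so")]
AUTH_TOMAS = [("required", "pam_env.so"), ("required", "pam_krb5.so"),
              ("sufficient", "pam_afs.so"), ("required", "pam_deny.so")]
AUTH_FINAL = [("required", "pam_env.so"), ("optional", "pam_krb5.so"),
              ("sufficient", "pam_afs.so"), ("required", "pam_deny.so")]

# Constructed scenarios: pam_deny always fails; in the second one the KDC
# rejects the password while AFS still accepts it.
GOOD = {"pam_deny.so": False}
BAD_KRB = {"pam_krb5.so": False, "pam_deny.so": False}

if __name__ == "__main__":
    for name, stack in (("original", AUTH_ORIGINAL), ("tomas", AUTH_TOMAS),
                        ("final", AUTH_FINAL)):
        for label, outc in (("good password", GOOD), ("krb5 rejects", BAD_KRB)):
            result, ran = run_stack(stack, outc)
            print(f"{name:8} {label:13} -> {'PASS' if result else 'FAIL'}  ran: {ran}")
```

The trace shows why the original stack yields only one credential: a successful sufficient pam_krb5 returns before pam_afs ever runs, whereas with pam_krb5 required both modules run, and with pam_krb5 optional a Kerberos rejection no longer affects the result.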
Clark, Patti | 25 Mar 2008 20:30

Notification of number of unsuccessful login attempts

While login offers up the last login notice, is there a way to also provide the number of unsuccessful (failed) login attempts for a user account?  I have pam_tally tracking these and didn't find any options to display that information to a user.

Patti Clark
Sr. Unix System Administrator - RHCT, GSEC
Office of Scientific and Technical Information


