Subject: Use specific PAM configuration. - msg#00012
List: linux.pam
Hi,

Is it possible to have user-specific configuration in PAM? For example, if we need to use LDAP as authentication for all the users and normal passwd-based authentication for root, can we do that using the PAM framework? If it is possible, can someone refer me there?

Regards,
Bandi
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
Thread at a glance:
Previous Message by Date:
Still unknown problems with CRON and PAM (How does pam determine its state?)
Since nobody came up with an answer to my pam problems, I dug a little
deeper today. The problem seems to be only with cron jobs in some vservers.
The interesting lines are in cron's do_command.c:
148: fork
165: write crontab invocation log message
117: setsid ?? open new tty,
xxx stdin/out manipulation
204: do_univ (should not apply to standard ubuntu linux, calls
universe function if any)
213: setuid
222: debugmessage
230: execle (stack destruction - nothing remains from cron app,
only guest app runs)
Which lines would interact with pam? And how is the handshake between
pam and the cron job done (syscall)?
Would I need to debug into the kernel to see the cause?
The problem is reproducible on some vservers after reboot but not on all.
My old message:
I'm trying to find out which files and commands can change the state and
behavior of the PAM modules. This is because I have two servers which
should be identical in regard to login/PAM configuration but they behave
differently.
hosta: A linux vserver instance, with pam, cron
hostb: A clone of hostb
After cloning of hosta I installed logcheck, which runs without problems
on hosta, but produces pam error messages in auth.log on hostb. The
error messages are triggered via the logcheck cronjob, but a much
simpler cronjob is also sufficient:
* * * * * nobody date > /tmp/pamtest
On hosta I get every minute:
Aug 23 13:05:01 hosta CRON[16877]: (pam_unix) session opened for user nobody by (uid=0)
Aug 23 13:05:01 hosta CRON[16877]: (pam_unix) session closed for user nobody
On hostb:
Aug 23 13:08:01 hostb CRON[16908]: (pam_unix) session opened for user nobody by (uid=0)
Aug 23 13:08:01 hostb pam_limits[16908]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Aug 23 13:08:01 hostb pam_limits[16908]: setrlimit limit #8 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Aug 23 13:08:01 hostb pam_limits[16908]: setrlimit limit #11 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Aug 23 13:08:01 hostb pam_limits[16908]: setrlimit limit #12 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Aug 23 13:08:01 hostb pam_limits[16908]: setrlimit limit #13 to soft=20, hard=20 failed: Operation not permitted; uid=0 euid=0
Aug 23 13:08:01 hostb pam_limits[16908]: setrlimit limit #14 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Aug 23 13:08:01 hostb CRON[16908]: (pam_unix) session closed for user nobody
There are no differences in /etc/pam.conf or /etc/pam.d, and the
passwd/shadow files are identical. None of the instances was rebooted
since installing logcheck.
What could cause the different behavior?
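The pam_limits lines above come from cron's session stack (same PID as the pam_unix "session opened" line) and only report the rlimit by number. As an added example, not part of the poster's message, the script below decodes those numbers into RLIMIT_* names and summarizes the failures per session so the output of hosta and hostb can be diffed. The sample log is the hostb excerpt from the post rejoined one line per record; the number-to-name table is the Linux x86/amd64 RLIMIT_* numbering, and -1 is RLIM_INFINITY.

```shell
#!/bin/sh
# Added example (not from the thread): decode pam_limits "setrlimit limit #N"
# failures in auth.log so two hosts can be compared. Limit numbers follow
# Linux's RLIMIT_* numbering (x86/amd64); -1 means RLIM_INFINITY ("unlimited").

# Constructed sample: the hostb lines from the post, one record per line.
SAMPLE_LOG='Aug 23 13:08:01 hostb CRON[16908]: (pam_unix) session opened for user nobody by (uid=0)
Aug 23 13:08:01 hostb pam_limits[16908]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Aug 23 13:08:01 hostb pam_limits[16908]: setrlimit limit #8 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Aug 23 13:08:01 hostb pam_limits[16908]: setrlimit limit #11 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Aug 23 13:08:01 hostb pam_limits[16908]: setrlimit limit #12 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Aug 23 13:08:01 hostb pam_limits[16908]: setrlimit limit #13 to soft=20, hard=20 failed: Operation not permitted; uid=0 euid=0
Aug 23 13:08:01 hostb pam_limits[16908]: setrlimit limit #14 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Aug 23 13:08:01 hostb CRON[16908]: (pam_unix) session closed for user nobody'

# rlimit_name N: print the RLIMIT_* name for resource number N (Linux x86/amd64).
rlimit_name() {
    case "$1" in
        0)  echo RLIMIT_CPU ;;        1)  echo RLIMIT_FSIZE ;;
        2)  echo RLIMIT_DATA ;;       3)  echo RLIMIT_STACK ;;
        4)  echo RLIMIT_CORE ;;       5)  echo RLIMIT_RSS ;;
        6)  echo RLIMIT_NPROC ;;      7)  echo RLIMIT_NOFILE ;;
        8)  echo RLIMIT_MEMLOCK ;;    9)  echo RLIMIT_AS ;;
        10) echo RLIMIT_LOCKS ;;      11) echo RLIMIT_SIGPENDING ;;
        12) echo RLIMIT_MSGQUEUE ;;   13) echo RLIMIT_NICE ;;
        14) echo RLIMIT_RTPRIO ;;     15) echo RLIMIT_RTTIME ;;
        *)  echo "RLIMIT_#$1" ;;
    esac
}

# pam_limits_failures: read a log on stdin, print "PID NAME SOFT HARD"
# for every pam_limits setrlimit failure, with -1 rendered as "unlimited".
pam_limits_failures() {
    sed -n 's/^.*pam_limits\[\([0-9]*\)]: setrlimit limit #\([0-9]*\) to soft=\(-*[0-9]*\), hard=\(-*[0-9]*\) failed.*$/\1 \2 \3 \4/p' |
    while read -r pid num soft hard; do
        [ "$soft" = -1 ] && soft=unlimited
        [ "$hard" = -1 ] && hard=unlimited
        printf '%s %s %s %s\n' "$pid" "$(rlimit_name "$num")" "$soft" "$hard"
    done
}

# count_failures: number of pam_limits setrlimit failures in the log on stdin.
count_failures() {
    pam_limits_failures | wc -l | tr -d ' '
}

# Decode the constructed sample (six failures, all in CRON session 16908).
printf '%s\n' "$SAMPLE_LOG" | pam_limits_failures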
Next Message by Date:
Re: Use specific PAM configuration.
Quoting Sridhar Bandi <bandisfire@xxxxxxxxx>:
> Is it possible to have user specific configuration in PAM. For example if
> we need to use LDAP as authentication for all the users and normal
> passwd based authentication for root, can we do that using the PAM
> framework? If it is possible, can someone refer me there?
Yes, you can use PAM for validating normal users using LDAP and root
using /etc/passwd (and /etc/shadow). You do that by stacking PAM
modules (pam_ldap for the LDAP part, and pam_unix for the local part).
Please take a look at http://www.padl.com/OSS/pam_ldap.html and
RedHat's documentation might give you an idea on how to configure it:
http://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/ref-guide/s1-ldap-redhattips.html
/kneth
--
Kenneth Geisshirt, M.Sc., Ph.D. · http://kenneth.geisshirt.dk
Majbøl Allé 18 · 2770 Kastrup · Denmark · +45 60 62 71 82
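A concrete stack for what the reply describes, as an added example that is not part of Kenneth's message or of the pam_ldap project: root (and any other account present in /etc/shadow) is validated by pam_unix, everyone else by pam_ldap, and root is kept away from the directory altogether with pam_succeed_if, a module the reply does not name but which ships with Linux-PAM. The file name /etc/pam.d/common-auth is the Debian layout and is an assumption; on Red Hat-style systems the same lines belong in /etc/pam.d/system-auth, and on current systems pam_sss (sssd) takes the slot pam_ldap has here.

```text
# Added example, not from the thread. Assumed file: /etc/pam.d/common-auth
# (Debian layout). pam_succeed_if is from Linux-PAM; pam_ldap is PADL's.

# 1. Local password database first. "sufficient": success ends the stack,
#    failure (including an unknown user) falls through to the next line.
auth    sufficient   pam_unix.so

# 2. Never let root be validated by LDAP. "requisite": if the condition
#    fails, the whole auth stack fails right here.
auth    requisite    pam_succeed_if.so user != root quiet

# 3. Everyone else binds to the directory with the password already
#    collected by pam_unix, so the user is only prompted once.
auth    sufficient   pam_ldap.so use_first_pass

# 4. Nothing succeeded: deny explicitly rather than falling off the end.
auth    required     pam_deny.so

# The account stack needs the same split, otherwise an LDAP user's account
# checks (expiry, host restrictions) are never consulted.
account sufficient   pam_unix.so
account requisite    pam_succeed_if.so user != root quiet
account required     pam_ldap.so
```

Two checks before relying on this: a user that exists both in /etc/shadow and in LDAP can log in with either password, because pam_unix is consulted first, so keep the local passwd file to root and system accounts; and test root from a console, not only over ssh, since a mistake in the auth stack that denies root locks you out of every PAM-aware service at once.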