PAM authentication failure
From: Yves Martin
Subject: PAM authentication failure
Date: Tue, 21 Aug 2007 11:47:16 +0200
Hello,
I'm trying to configure a cvs server 1.12.13-8 from Debian Etch with PAM
authentication on the pserver protocol.
Here is my PAM file /etc/pam.d/cvs, which uses LDAP:
auth required /lib/security/pam_ldap.so
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
My CVSROOT/config file contains:
SystemAuth=no
PamAuth=yes
DefaultPamUser=cvs
Only the "cvs" account is a system account.
$ cvs -d :pserver:ldapuser@myserver.mydomain:/cvsroot login
works properly (fails with a wrong password, passes with the right one).
But a checkout fails:
$ cvs -d :pserver:ldapuser@myserver.mydomain:/cvsroot co cvstest
Fatal error, aborting.
ldapuser: no such system user
I really agree that "ldapuser" is not a system user, but I expect the
"switch_to_user" method to use the "cvs" account.
I have debugged the source code. Here is my analysis in the case of a
non-existing account on the local system:
1. pam_set_item PAM_USER succeeds in my installation, so "ldapuser" is
never replaced by "DefaultPamUser". To work-around, I have replaced the
test-call to pam_set_item by getpwnam to check if the account exists
locally - because getpwnam finally fails in switch_to_user.
2. then check_pam_password replaces "username" (ldapuser) by the
"DefaultPamUser" (cvs)
3. in check_password at "handle_return", "CVS_Username" is set to
"username" (too late !!) with "cvs" (instead of ldapuser)
4. switch_to_user is called with (ldapuser, cvs) - OK
5. but pam_get_item (pamh, PAM_USER, (const void **)&username) called
there replaces "cvs" by "ldapuser" from the pam context I guess.
6. as a result getpwnam fails because username == "ldapuser"
The only valid information I have found about the PAM support in Debian
cvs is:
http://olympus.het.brown.edu/cgi-bin/info2www?(cvs)Password+authentication+server
I'm working on a patch but my proposal is not to replace "username" in
check_pam_password but to return a "host_user" value for check_password.
In that case, I wonder if a "map=user" option in the PAM chain is
supposed to work or not?
Thank you in advance for your help.
--
Yves Martin
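The control flow traced in the six steps above, as an added example that is not part of the original message and not CVS's own code: a simplified Python model of the login path. The PAM handle, the local passwd table (only "cvs" is a system account), the uid value and all function names ending in _buggy/_fixed are constructed stand-ins. The _buggy path re-reads PAM_USER in switch_to_user, as described in steps 5 and 6, and so fails; the _fixed path follows the proposal at the end of the message and returns the host user explicitly instead of consulting the PAM context.

```python
"""Simplified model of the CVS pserver PAM login path traced in the message.

Added illustration, not CVS's own code. The PAM handle, the passwd table,
the uid and the *_buggy/*_fixed names are constructed stand-ins.
"""

# Constructed stand-in for the local passwd database: only "cvs" is a system
# account, matching "Only the cvs account is a system account" in the message.
LOCAL_PASSWD = {"root": 0, "cvs": 1001}
DEFAULT_PAM_USER = "cvs"  # CVSROOT/config: DefaultPamUser=cvs


def getpwnam(name):
    """Stand-in for getpwnam(3): uid for a local account, None otherwise."""
    return LOCAL_PASSWD.get(name)


class PamHandle:
    """Minimal stand-in for pam_handle_t holding the PAM_USER item."""

    def __init__(self, user):
        self.items = {"PAM_USER": user}

    def set_item(self, key, value):
        # Step 1: pam_set_item succeeds whether or not the user exists locally,
        # so testing its return value never triggers the DefaultPamUser fallback.
        self.items[key] = value
        return 0  # PAM_SUCCESS

    def get_item(self, key):
        return self.items.get(key)


def check_pam_password_buggy(pamh, username):
    """Steps 1-2 with the message's work-around: the local-account test is
    getpwnam, and a non-local name is replaced by DefaultPamUser, but only in
    the local variable; PAM_USER in the handle still holds the LDAP name."""
    pamh.set_item("PAM_USER", username)
    if getpwnam(username) is None:
        username = DEFAULT_PAM_USER
    return username


def switch_to_user_buggy(pamh, cvs_username, username):
    """Steps 5-6: re-reading PAM_USER restores the LDAP name, so getpwnam fails."""
    username = pamh.get_item("PAM_USER")
    uid = getpwnam(username)
    if uid is None:
        raise LookupError(f"{username}: no such system user")
    return cvs_username, username, uid


def login_buggy(ldap_user):
    """Step 4: switch_to_user is called with (ldapuser, cvs) and still fails."""
    pamh = PamHandle(ldap_user)
    host_user = check_pam_password_buggy(pamh, ldap_user)
    return switch_to_user_buggy(pamh, ldap_user, host_user)


def check_pam_password_fixed(pamh, username):
    """Proposed shape: keep the PAM name for CVS_Username and return the host
    user as a separate value instead of overwriting username."""
    pamh.set_item("PAM_USER", username)
    host_user = username if getpwnam(username) is not None else DEFAULT_PAM_USER
    return username, host_user


def switch_to_user_fixed(cvs_username, host_user):
    """Uses the explicit host user; never reads PAM_USER back from the context."""
    uid = getpwnam(host_user)
    if uid is None:
        raise LookupError(f"{host_user}: no such system user")
    return cvs_username, host_user, uid


def login_fixed(ldap_user):
    pamh = PamHandle(ldap_user)
    cvs_username, host_user = check_pam_password_fixed(pamh, ldap_user)
    return switch_to_user_fixed(cvs_username, host_user)


def buggy_error(ldap_user):
    """Return the error message the buggy path produces, or None if it succeeds."""
    try:
        login_buggy(ldap_user)
    except LookupError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(login_fixed("ldapuser"))   # ('ldapuser', 'cvs', 1001)
    print(buggy_error("ldapuser"))   # ldapuser: no such system user
    print(buggy_error("cvs"))        # None: a real system account never hits the bug
```

The model only reproduces the ordering problem in the trace: the substitution of DefaultPamUser lives in a local variable while the PAM context keeps the original name, so any later code that re-derives the user from PAM_USER sees the LDAP name again. A real local account such as "cvs" never takes the substitution branch, which is why the bug only shows up for users that exist solely in the directory.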