PAM implementation in PG 9.2.3
Hi All,
I am trying to implement PAM on my local machine.
Below are the details of my setup:
OS: RHEL 6
PG: 9.2.3
/etc/pam.d/postgresql (PAM file)
#%PAM-1.0
auth required pam_unix.so
account required pam_unix.so
$PGDATA/pg_hba.conf
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all pam
pamservice=postgresql
# IPv4 local connections:
host all all 127.0.0.1/32 pam
pamservice=postgresql
Session 1 Session 2
-bash-4.1$ psql -U postgres
Password for user postgres:
-bash-4.1$ tail -f postgresql-2013-04-26_000000.log
2013-04-26 20:08:16.605 IST-13943-postgres-postgres-[local] LOG:
pam_authenticate failed: Conversation error
2013-04-26 20:08:16.606 IST-13943-postgres-postgres-[local] FATAL: PAM
authentication failed for user "postgres"
2013-04-26 20:08:16.606 IST-13943-postgres-postgres-[local] LOG: could not
send data to client: Broken pipe
In OS logs(/var/log/secure)
Apr 26 20:11:03 localhost res [local] authentication:
pam_unix(postgresql:auth): conversation failed
Apr 26 20:11:03 localhost res [local] authentication:
pam_unix(postgresql:auth): auth could not identify password for [postgres]
I have not entered password in session 1 which was waiting for my password
to enter, but logs are printed beforehand in both logs (OS/DB) as you see
in session 2.
When, I enter password in session 1 which was waiting for password, it will
immediately takes me into the database without any error.
Couple of question's in mind on this scenario:
1. Why database server logs shows lines beforehand as pam_authentication
failed even though I have not typed password ?
2. Though logs show as PAM authentication failed, still user's are allowed
into the database ?
3. What above log entries mean precisely ?
4. Was my PAM setup successful ?
Sorry for my too many questions, I just lost all of my endeavors to
understand the above scenario.
Any help will be highly appreciated.
Thanks in advance.
---
Regards,
Raghavendra
Hello Raghavendra,
I think probably psql is a problem here. WIthout -W (force password
before connect) option psql has no way knowing if this user needs a
password to connect to the given database. So, psql first attempts a
connection to the database without a password (if -W is not
specified), which fails since server responds with "password needed"
kind of message back to psql (this is because we have set 'pam' as the
authentication method). This makes psql know that a password is needed
for this user/database combination and it prompts for the password and
subsequently connects successfully if correct password is specified.
But this first unsuccessful attempt is indeed logged by the server as
authentication failure just as what you see. So, this logged failure
is just the kind of dummy connection attempt (indeed withoutn
password) made by the psql.
However, if you specify -W option, psql won't connect before it
accepts password. You can try this (and see that no authentication
failure is logged)
I think log entries just mean the authentication has failed with
PAM-specific error message.
--
Amit Langote
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
On Wed, May 8, 2013 at 4:55 PM, Amit Langote <amitlangote09@gmail.com>wrote:
Hello Raghavendra,
I think probably psql is a problem here. WIthout -W (force password
before connect) option psql has no way knowing if this user needs a
password to connect to the given database. So, psql first attempts a
connection to the database without a password (if -W is not
specified), which fails since server responds with "password needed"
kind of message back to psql (this is because we have set 'pam' as the
authentication method). This makes psql know that a password is needed
for this user/database combination and it prompts for the password and
subsequently connects successfully if correct password is specified.
But this first unsuccessful attempt is indeed logged by the server as
authentication failure just as what you see. So, this logged failure
is just the kind of dummy connection attempt (indeed withoutn
password) made by the psql.
Firstly, Thank you for your insight explanation.
However, if you specify -W option, psql won't connect before it
accepts password. You can try this (and see that no authentication
failure is logged)
Affirmative, I have tried with -W option and it worked as expected and
authentication passed as per PAM setup.
However, PG documentation doesn't highlight about this in psql or PAM
section, because log entries written are slightly confusing.
http://www.postgresql.org/docs/9.2/static/auth-methods.html
http://www.postgresql.org/docs/9.2/static/app-psql.html
I think log entries just mean the authentication has failed with
PAM-specific error message.
Yep... understood.
---
Regards,
Raghavendra
Blog: http://raghavt.blogspot.com/
Show quoted text
--
Amit Langote
However, PG documentation doesn't highlight about this in psql or PAM
section, because log entries written are slightly confusing.
http://www.postgresql.org/docs/9.2/static/auth-methods.html
http://www.postgresql.org/docs/9.2/static/app-psql.html
It turns out this logging is a bug in PAM authentication code in the
backend that needs to resolved. This has been reported on
pgsql-hackers.
--
Amit Langote
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
On Mon, May 13, 2013 at 11:17 AM, Amit Langote <amitlangote09@gmail.com>wrote:
However, PG documentation doesn't highlight about this in psql or PAM
section, because log entries written are slightly confusing.
http://www.postgresql.org/docs/9.2/static/auth-methods.html
http://www.postgresql.org/docs/9.2/static/app-psql.htmlIt turns out this logging is a bug in PAM authentication code in the
backend that needs to resolved. This has been reported on
pgsql-hackers.
Thank you.
--Raghav