pam issues - was Re: [OpenAFS] Is OpenAFS appropriate?
Stephen Bosch
posting@vodacomm.ca
Wed, 21 Jan 2004 09:52:49 -0700
Hendrik Hoeth wrote:
> Hi,
>
>
>>The good news is, it is running.
>
>
> congratulations!
Hi, Hendrik.
Thanks.
Though it's running, it's not being used yet :\
>>I spent hours trying to understand uss.
>
>
> :-)
>
>
>>The bad news is that, in spite of using the pam modules, tokens are
>>not being issued at login time. I have created a user with the same
>>UID, password and login name, configured pam.d/login and pam.d/sshd to
>>use the afs pam module, and yet, no tokens.
>
>
> Can you post your pam.d/login ? What messages do you get in your
> /var/log/... files? (auth.log on my system, may be different on yours)
Here is an example of an ssh login, a check for tokens, and a view of
the relevant pam.d files:
sfbosch@jimjam:~$ ssh 192.168.1.50
sfbosch@192.168.1.50's password:
Last login: Wed Jan 21 00:14:40 2004 from 192.168.1.10
Could not chdir to home directory /home/sfbosch: No such file or directory
sfbosch@wopr / $ ls
afs boot etc install.html lost+found opt root tmp var vicepb
bin dev home lib mnt proc sbin usr vicepa
sfbosch@wopr / $ /usr/afs/bin/tokens
Tokens held by the Cache Manager:
--End of list--
sfbosch@wopr / $ cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_shells.so
auth required pam_nologin.so
auth sufficient pam_afs.so try_first_pass ignore_root
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
sfbosch@wopr / $ cat /etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
sfbosch@wopr / $ cat /etc/pam.d/su
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
# If you want to restrict users begin allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth required /lib/security/pam_listfile.so item=ruser
sense=allow onerr=fail file=/etc/security/suauth.allow
# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth sufficient /lib/security/pam_wheel.so use_uid trust
# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth sufficient /lib/security/pam_listfile.so item=ruser
sense=allow onerr=fail file=/etc/security/suauth.nopass
# Comment this to allow any user, even those not in the 'wheel'
# group to su
auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_stack.so service=system-auth
auth sufficient pam_afs.so try_first_pass ignore_root
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
sfbosch@wopr / $
Question: How do I list the users?
-Stephen-
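Added example (not part of the mail thread, and not OpenAFS or Linux-PAM code): a small simulator of the `auth` stack semantics for the simple control keywords, run over a constructed copy of the `/etc/pam.d/sshd` shown above. It shows which modules actually execute for a given set of per-module outcomes, so a reader can check whether `pam_afs.so` is reached at all and why a failing `sufficient pam_afs.so` still lets the login succeed without tokens. The `[value=action]` bracket syntax and `pam_stack` sub-stack expansion are assumptions left out; module outcomes are supplied by the caller rather than taken from a real PAM run.

```python
"""Simplified Linux-PAM 'auth' stack walker (example, not PAM's own code).

Control keywords handled: required, requisite, sufficient, optional.
The bracket [value=action] syntax is not parsed, and pam_stack.so is
treated as an ordinary module rather than expanded (assumption).
"""
import os
from typing import Dict, List, Tuple

# Constructed copy of the /etc/pam.d/sshd quoted in the message above.
SSHD_PAM = """\
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_shells.so
auth required pam_nologin.so
auth sufficient pam_afs.so try_first_pass ignore_root
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
"""

Entry = Tuple[str, str, List[str]]  # (control, module basename, args)


def parse_pam(text: str, facility: str = "auth") -> List[Entry]:
    """Return the entries of one facility (auth/account/password/session).

    Comments and blank lines are skipped; module paths are reduced to their
    basename so '/lib/security/pam_afs.so' and 'pam_afs.so' compare equal.
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0].lower() != facility:
            continue
        entries.append((parts[1].lower(), os.path.basename(parts[2]), parts[3:]))
    return entries


def walk_auth(entries: List[Entry], outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the auth stack and report (final_result, modules_that_ran).

    outcomes maps a module basename to True (PAM_SUCCESS) or False (failure);
    modules not listed are assumed to succeed.  Simplification: a stack that
    ends with no required failure counts as success.
    """
    ran: List[str] = []
    required_failed = False
    for control, module, _args in entries:
        ok = outcomes.get(module, True)
        ran.append(module)
        if control == "requisite" and not ok:
            return False, ran                 # stop immediately, nothing below runs
        if control == "required" and not ok:
            required_failed = True            # keep walking, but the answer is fail
        elif control == "sufficient" and ok and not required_failed:
            return True, ran                  # short-circuit success
        # optional modules and a failed 'sufficient' do not change the result
    return (not required_failed) and bool(ran), ran


def afs_reached(text: str, outcomes: Dict[str, bool]) -> bool:
    """True if pam_afs.so executes under the given outcomes for this file."""
    _result, ran = walk_auth(parse_pam(text), outcomes)
    return "pam_afs.so" in ran


if __name__ == "__main__":
    stack = parse_pam(SSHD_PAM)
    for label, outcomes in [("all succeed", {}),
                            ("pam_nologin fails", {"pam_nologin.so": False}),
                            ("pam_afs fails", {"pam_afs.so": False})]:
        result, ran = walk_auth(stack, outcomes)
        print(f"{label:20s} result={result} ran={ran}")
```

With the quoted sshd file, `pam_afs.so` is reached in every case because everything above it is `required`, not `requisite` or `sufficient`; and when `pam_afs.so` itself fails the login still succeeds (the `sufficient` failure is ignored), which is exactly the "logged in, but no tokens" outcome and why the module's own messages in the auth log are the place to look.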