i386/53324: pam_group problems (PAM_RUSER used instead of PAM_USER)
Kamen Angelov
kamenangelov at netscape.net
Sat Jun 14 12:20:10 PDT 2003
>Number: 53324
>Category: i386
>Synopsis: pam_group problems (PAM_RUSER used instead of PAM_USER)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jun 14 12:20:07 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Kamen Angelov
>Release: FreeBSD 5.1-RELEASE i386
>Organization: Do-Nothing Unlimited
>Environment:
System: FreeBSD edelweiss.dyns.cx 5.1-RELEASE FreeBSD 5.1-RELEASE #11: Sat Jun 14 03:10:32 EDT 2003 root at edelweiss.dyns.cx:/usr/src/sys/i386/compile/EDELWEISS i386
>Description:
I use pam_group to control which users can use which services. I have the following line
in my PAM configuration for my FTP server:
auth requisite pam_group.so group=allow_ftp
With this line uncommented, the server refuses access to everyone: even the users who are supposed to have access to it.
With (mostly) the same PAM setting, I get the following error in the SSHD log:
Jun 14 14:19:07 edelweiss sshd[26043]: error: PAM: authentication error
and then the user is allowed in (?!?!?).
I believe this is a problem with pam_group itself: the module reads the PAM_RUSER field instead of PAM_USER when trying to fetch the username of the user. I believe PAM_USER would be the correct field to read in this context.
When PAM_RUSER is replaced with PAM_USER, all warnings disappear and everything seems to work as expected.
>How-To-Repeat:
I believe I answered this above.
>Fix:
Run "Search and Replace" on PAM_RUSER and replace it with PAM_USER.
>Release-Note:
>Audit-Trail:
>Unformatted:
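The membership check that pam_group is meant to perform, written here as an added C example (not the FreeBSD module's own code) to make the report's point concrete. The account name is passed in by the caller; in a real module it must come from the PAM_USER item, the user being authenticated, rather than PAM_RUSER, which is a separate item naming the requesting user and which the calling service may never set, so a lookup on it fails and every login is refused. The users and groups in the constructed sample table (alice, bob, allow_ftp, users, wheel) are made up for the offline demonstration; the live path uses the system's getpwnam/getgrnam.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* True if `gr` is the user's primary group or lists the user as a
 * supplementary member; false if either record is missing. */
int member_of(const struct passwd *pw, const struct group *gr)
{
    if (pw == NULL || gr == NULL)
        return 0;
    if (pw->pw_gid == gr->gr_gid)
        return 1;
    for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, pw->pw_name) == 0)
            return 1;
    return 0;
}

/* Live check against the system databases. `user` must be the account
 * being authenticated: in a PAM module that is the PAM_USER item,
 *     const char *user;
 *     pam_get_item(pamh, PAM_USER, (const void **)&user);
 * PAM_RUSER is a different item (the requesting user) that the service
 * may never set; looking it up then fails and everyone is denied. */
int user_in_group(const char *user, const char *group)
{
    if (user == NULL || group == NULL)
        return 0;
    return member_of(getpwnam(user), getgrnam(group));
}

/* Offline demonstration on constructed records (not from any real system):
 * user "alice" (gid 1000) and three groups. Returns member_of() for the
 * named group, or 0 if the group is unknown. */
int sample_check(const char *group)
{
    static char *allow_ftp_members[] = { "bob", "alice", NULL };
    static char *wheel_members[]     = { "bob", NULL };
    static char *no_members[]        = { NULL };
    struct passwd alice = { .pw_name = "alice", .pw_uid = 1000, .pw_gid = 1000 };
    struct group groups[] = {
        { .gr_name = "allow_ftp", .gr_gid = 2000, .gr_mem = allow_ftp_members },
        { .gr_name = "users",     .gr_gid = 1000, .gr_mem = no_members },
        { .gr_name = "wheel",     .gr_gid = 0,    .gr_mem = wheel_members },
    };
    for (size_t i = 0; i < sizeof groups / sizeof groups[0]; i++)
        if (strcmp(groups[i].gr_name, group) == 0)
            return member_of(&alice, &groups[i]);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s user group\n", argv[0]);
        return 2;
    }
    int ok = user_in_group(argv[1], argv[2]);
    printf("%s is %sa member of %s\n", argv[1], ok ? "" : "not ", argv[2]);
    return ok ? 0 : 1;
}
```

Build with `cc -o groupcheck groupcheck.c` and run `./groupcheck <user> <group>`; the exit status is 0 only when the named account is a member, which is the decision pam_group returns as PAM_SUCCESS or PAM_AUTH_ERR.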