Better example/ docs

Question

Better example/ docs

spacekookie opened this issue 6 years ago · comments

So…I'm kinda new to pam and I'm not entirely sure how some of this is supposed to work. When creating an Authenticator it takes a service name. Does this have to be one of these? https://docs.oracle.com/cd/E19683-01/816-4883/pam-34/index.html

I'm currently running into the problem that authenticate() fails and I'm not sure why (and not sure how to debug it)

Klemens Schölhorn · Answer 1 · Mon Jul 02 2018 23:15:57 GMT+0800 (China Standard Time)

You can use any service name you like:

fn authenticate(user: &str, password: &str) {
    let mut auth = Authenticator::new("pam-auth-test").unwrap();
    auth.set_credentials(user, password);
    println!("{:?}", auth.authenticate());
}

For debugging, look for messages in the system log, eg using journalctl -f on a system using systemd.

Katharina Fey · Answer 2 · Tue Jul 03 2018 02:49:20 GMT+0800 (China Standard Time)

Thanks for the feedback. Looking into the system log, I'm a wee bit confused what's going on

Jul 02 20:48:20 rayya lockchain-server[10702]: pam_tally(login:auth): Error opening /var/log/faillog for update
Jul 02 20:48:20 rayya lockchain-server[10702]: pam_tally(login:auth): Error opening /var/log/faillog for read
Jul 02 20:48:20 rayya unix_chkpwd[10704]: check pass; user unknown
Jul 02 20:48:20 rayya unix_chkpwd[10705]: check pass; user unknown
Jul 02 20:48:20 rayya unix_chkpwd[10705]: password check failed for user (testkookie)
Jul 02 20:48:20 rayya lockchain-server[10702]: pam_unix(login:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost=  user=testkookie
Jul 02 20:48:22 rayya lockchain-server[10702]: pam_tally(login:setcred): Error opening /var/log/faillog for update
Jul 02 20:48:22 rayya lockchain-server[10702]: pam_tally(login:setcred): Error opening /var/log/faillog for update

But doing su testkookie with the same password works 🤔

Klemens Schölhorn · Answer 3 · Tue Jul 03 2018 06:01:57 GMT+0800 (China Standard Time)

Just a guess, but are you trying to authenticate a user different from the one running the program? This does not work with local users by default, as it needs access to /etc/shadow, the file which contains the passwords of users. Only root can normally read this file.

When you are using remote authentication like ldap in an active directory or nis, it generally works without root access. Also users can authenticate themselves.

Katharina Fey · Answer 4 · Tue Jul 03 2018 15:39:54 GMT+0800 (China Standard Time)

Hmm, oh okay. I thought I could use pam to open a session as a different user and then do stuff with it.

Ultimately some user will be running the software but I want to authenticate users by their system accounts and only really make sure they are member of the right group. I guess pam isn't what I want then? 😅

FirstWithThisName · Answer 5 · Wed Aug 17 2022 19:42:58 GMT+0800 (China Standard Time)

@spacekookie I got exactly the same issue do you have a solution for this?