[tac_plus] FreeBSD & PAM

Aaron Scarisbrick aaronsca at gmail.com
Mon Aug 18 21:59:53 UTC 2008


Greetings,

I'm writing to ask that a blurb be placed in the tac_plus users_guide, faq
or man page so that others may not suffer the same excruciating debug
session to discover why PAM and tac_plus didn't work together the way I
thought they should:

Be aware that when the tac_plus daemon runs as a non-root user (as is the
default in FreeBSD /usr/ports), it will not be able to authenticate using
the pam_unix.so module.  This is because the system function getpwnam()
called by pam_unix.so requires root privileges to retrieve the password to
validate from the /etc/master.passwd or /etc/shadow file. The symptom will
be that for each authentication that is attempted, the password will appear
to be wrong whether it was typed correctly or not.

The maddening bit was that by default, PAM debug messages are suppressed in
tac_plus via the PAM_SILENT flag passed to pam_authenticate() in the pwlib.c
source file. This was compounded by FreeBSD also hard coding that all libpam
debug messages be disabled as well.  Once those hurdles were cleared, the
culpable system function was identified.  After inserting some additional
debug statements, it was obvious what the problem was.  Too obvious as it
turned out.  I should have known better.

Cheers,

Aaron M. Scarisbrick
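A startup self-check that detects the failure mode described in the post, written as an added example that is not part of the original message and not code from the tac_plus project. It calls getpwnam() the way pam_unix.so does and inspects pw_passwd: when the caller is not root, FreeBSD substitutes "*" for the real hash (Linux shadow systems show "x"), so pam_unix has nothing to compare against and every password looks wrong. The function names, the enum and the "*"/"x" placeholder convention are this example's own assumptions; a daemon could run such a check before dropping privileges or at the start of its PAM setup and log a clear message instead of silently failing.

```c
/* Added example (not from the tac_plus project or the original poster):
 * detect whether this process can see real password hashes via getpwnam(),
 * i.e. whether pam_unix.so could possibly succeed when run as this user.
 * Names and placeholder conventions below are this example's assumptions. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum hash_visibility {
    HASH_VISIBLE = 0,     /* pw_passwd holds a real hash: pam_unix can verify it   */
    HASH_PLACEHOLDER = 1, /* "*" (FreeBSD) or "x" (Linux shadow): hash was withheld */
    HASH_EMPTY = 2,       /* empty field: account has no password set              */
    HASH_NO_SUCH_USER = -1
};

/* Returns 1 if pw_passwd is one of the placeholders the C library hands to
 * callers that may not read /etc/master.passwd or /etc/shadow.
 * "*" is what FreeBSD returns to non-root callers; "x" is the Linux shadow
 * convention. A NULL field is treated as a placeholder for safety. */
int looks_like_placeholder_hash(const char *pw)
{
    if (pw == NULL)
        return 1;
    return strcmp(pw, "*") == 0 || strcmp(pw, "x") == 0;
}

/* Look the user up exactly as pam_unix.so would and classify pw_passwd. */
enum hash_visibility check_hash_visibility(const char *user)
{
    errno = 0;
    struct passwd *p = getpwnam(user);
    if (p == NULL)
        return HASH_NO_SUCH_USER;
    if (p->pw_passwd == NULL || p->pw_passwd[0] == '\0')
        return HASH_EMPTY;
    if (looks_like_placeholder_hash(p->pw_passwd))
        return HASH_PLACEHOLDER;
    return HASH_VISIBLE;
}

/* Stand-alone use: ./hashcheck [username]  (defaults to "root").
 * Run it once as root and once as the daemon's unprivileged user to see the
 * difference the post describes. */
int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    int privileged = (geteuid() == 0);

    switch (check_hash_visibility(user)) {
    case HASH_VISIBLE:
        printf("%s: real hash visible; pam_unix can verify passwords\n", user);
        return 0;
    case HASH_PLACEHOLDER:
        if (privileged) {
            /* As root a "*" is the account's actual field: it is locked or has
             * no usable password, which is a different problem from the post's. */
            printf("%s: running as root but field is a placeholder; account is "
                   "locked or has no usable password\n", user);
        } else {
            printf("%s: hash withheld from euid %u; pam_unix.so will reject "
                   "every password until the daemon runs as root\n",
                   user, (unsigned)geteuid());
        }
        return 1;
    case HASH_EMPTY:
        printf("%s: empty password field\n", user);
        return 1;
    case HASH_NO_SUCH_USER:
        printf("%s: no such user (errno %d)\n", user, errno);
        return 2;
    }
    return 2;
}
```

The check is deliberately independent of PAM: it answers only "could pam_unix ever see a hash from here?", which is the question the post's debugging session eventually reduced to, without needing the PAM_SILENT flag removed from the pam_authenticate() call to get a diagnostic out. A "*" seen while running as root means something else (a locked account), so the message distinguishes the two cases.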