2

I am trying to set up authentication via PAM for PostgreSQL 9.3. I already managed to get this working on an Ubuntu 12.04 server, but I am unable to get this working on a Centos-6 install.

The relevant pg_hba.conf line:

host    all             all             0.0.0.0/0               pam     pamservice=postgresql93

The pam.d/postgresql93 file is the default config shipped with the official postgresql 9.3 package:

#%PAM-1.0

auth            include         password-auth
account         include         password-auth

When a user tries to authenticate the following is reported in secure log:

hostname unix_chkpwd[31807]: check pass; user unknown
hostname unix_chkpwd[31808]: check pass; user unknown
hostname unix_chkpwd[31808]: password check failed for user (myuser)
hostname  postgres 10.1.0.1(61459) authentication: pam_unix(postgresql93:auth): authentication failure; logname= uid=26 euid=26 tty= ruser= rhost=  user=myuser

The relevant content of password-auth config is:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

The problem is with the pam_unix.so. It is unable to validate the password, and unable to retrieve the user info (when I remove the auth entry of pam_unix.so).

The Centos-6 install is only 5 days old, so it does not have a lot of baggage.

The unix_chkpwd is suid and has execute rights for everybody, so it should be able to check the shadow file (which has no privileges at all?).

elmuerte
  • I found a probable cause in a [post for Jenkins CI](https://java.net/projects/hudson/lists/users/archive/2009-03/message/367). It sounds a bit like a design flaw in `unix_chkpwd`. I wonder why I did not observe the same issue on the Ubuntu server I tried. – elmuerte Aug 26 '14 at 08:01
  • On ubuntu `/etc/shadow` belongs to group `shadow`, and `unix_chkpwd` has sgid to `shadow`. So that is probably the solution I am looking for. – elmuerte Aug 26 '14 at 08:05

1 Answer

2

I have solved the problem by changing the setup of Centos to be more like the setup in Ubuntu.

I created the group shadow with a low group id and no members. I changed the group for /etc/shadow and /sbin/unix_chkpwd to the created group shadow. And lastly I made unix_chkpwd SGID:

----r----- 1 root shadow 1049 Aug 22 16:38 /etc/shadow
-rwxr-sr-x 1 root shadow 34840 Nov 22  2013 /sbin/unix_chkpwd

With these changes I am able to use PAM to authenticate system users for PostgreSQL. I do not feel I have compromised security a lot with these changes, although the shadow file is now readable by non-root users if they belong to the shadow group.

elmuerte
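The steps from the answer as a script, added here as an example; it is not code from the original post. It assumes the paths the answer shows (/etc/shadow, /sbin/unix_chkpwd) and the group name shadow; the GID 42 for the new group is an assumed low, otherwise unused id, so pick a free one on the host. `check_line` parses an `ls -l` line like the two in the answer and accepts only the exact layout described there, so the expected state can be verified without root (and against sample lines); `apply_fix` performs the groupadd/chgrp/chmod steps and needs root.

```shell
#!/bin/sh
# Added example: verify and (as root) apply the Ubuntu-style shadow-group layout
# from the answer above. Not code from the original post.
# Assumed values: SHADOW_GID=42 is an arbitrary low, unused gid; the paths and
# the group name "shadow" are the ones the answer uses.

SHADOW_FILE=/etc/shadow
CHKPWD=/sbin/unix_chkpwd
SHADOW_GROUP=shadow
SHADOW_GID=42

# layout_ok MODE GROUP PATH
# Compare one entry's mode string and group against the layout in the answer:
#   /etc/shadow       ----r-----  root:shadow   (group read only, world nothing)
#   /sbin/unix_chkpwd -rwxr-sr-x  root:shadow   (setgid shadow, world executable)
# Anything looser (world-readable shadow, world-writable helper, no setgid bit)
# or any other group fails. Pure string checks, so it also works on sample
# lines without root.
layout_ok() {
    mode=$1; group=$2; path=$3
    # GNU ls appends "." (SELinux context) or "+" (ACL) to the mode field.
    case $mode in *[.+]) mode=${mode%?} ;; esac
    [ "$group" = "$SHADOW_GROUP" ] || return 1
    case $path in
        */shadow)      [ "$mode" = "----r-----" ] ;;
        */unix_chkpwd) [ "$mode" = "-rwxr-sr-x" ] ;;
        *)             return 1 ;;
    esac
}

# check_line "LS_LINE": split one `ls -l` line (mode links owner group size
# month day time-or-year path) and hand mode, group and path to layout_ok.
check_line() {
    set -- $1
    layout_ok "$1" "$4" "$9"
}

# verify_live: run the check against the real files on this host.
verify_live() {
    for f in "$SHADOW_FILE" "$CHKPWD"; do
        check_line "$(ls -ld "$f")" || { echo "layout mismatch: $f" >&2; return 1; }
    done
    echo "shadow-group layout in place"
}

# apply_fix: the answer's steps. Needs root; the group is created only if missing.
apply_fix() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_fix must run as root" >&2; return 1; }
    getent group "$SHADOW_GROUP" >/dev/null || groupadd -g "$SHADOW_GID" "$SHADOW_GROUP"
    chgrp "$SHADOW_GROUP" "$SHADOW_FILE" "$CHKPWD"
    chmod 0040 "$SHADOW_FILE"   # ----r-----
    chmod 2755 "$CHKPWD"        # -rwxr-sr-x (setgid)
}

case ${1:-} in
    --check) verify_live ;;
    --apply) apply_fix && verify_live ;;
    *)       echo "usage: $0 --check | --apply" >&2 ;;
esac
```

Run `sh fix-shadow-group.sh --check` before and after `--apply`. The mode comparison is deliberately exact: the point of the change is that only members of group shadow (in practice just unix_chkpwd while it runs) can read the hashes, so a mode that opens /etc/shadow to everyone, or a helper that lost its setgid bit or became world-writable, is reported as a mismatch rather than accepted.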