Re: PAM

Here is a bit of a follow up to the PAM setup. If you want to
authenticate against an LDAP source then creatinga /etc/pam.d/postgresql
file containing the following:

auth required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so

This works fine and I love the feature :) The problem I am having is if
I try to use pam_unix.so. If I set it up similarly,

auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so

I get a bunch of errors from the system and postgres. System errors are
always of the form,

postgresql(pam_unix)[28219]: auth could not identify password for [myuser]
postgresql(pam_unix)[28220]: authentication failure; logname= uid=40
euid=40 tty= ruser= rhost= user=myuser

And the postgres logs show,

DEBUG: BackendStartup: forked pid=28290 socket=8
LOG: CheckPAMAuth: pam_authenticate failed: 'Conversation error'
FATAL: PAM authentication failed for user "myuser"
DEBUG: proc_exit(0)
DEBUG: shmem_exit(0)
DEBUG: exit(0)
DEBUG: reaping dead processes
DEBUG: child process (pid 28290) exited with exit code 0
DEBUG: BackendStartup: forked pid=28291 socket=8
DEBUG: received PAM packet
LOG: CheckPAMAuth: pam_authenticate failed: 'Authentication failure'
FATAL: PAM authentication failed for user "myuser"
DEBUG: proc_exit(0)
DEBUG: shmem_exit(0)
DEBUG: exit(0)
DEBUG: reaping dead processes
DEBUG: child process (pid 28291) exited with exit code 0

If I try the same thing, but logging in as the "postgres" user rather
than a normal user I get the following in the system logs,

postgresql(pam_unix)[28284]: auth could not identify password for [postgres]

and this in the postgres logs,

DEBUG: BackendStartup: forked pid=28284 socket=8
LOG: CheckPAMAuth: pam_authenticate failed: 'Conversation error'
FATAL: PAM authentication failed for user "postgres"
DEBUG: proc_exit(0)
DEBUG: shmem_exit(0)
DEBUG: exit(0)
DEBUG: reaping dead processes
DEBUG: child process (pid 28284) exited with exit code 0
DEBUG: BackendStartup: forked pid=28285 socket=8
DEBUG: received PAM packet
LOG: CheckPAMAuth: pam_acct_mgmt failed: 'Authentication failure
service cannot retrieve authentication info.'
FATAL: PAM authentication failed for user "postgres"
DEBUG: proc_exit(0)
DEBUG: shmem_exit(0)
DEBUG: exit(0)
DEBUG: reaping dead processes
DEBUG: child process (pid 28285) exited with exit code 0

Now, the good news is that if I modify the PAM configuration as follows,

auth required /lib/security/pam_unix.so
account required /lib/security/pam_permit.so

I can at least log in as the postgres user. I still can't log in as a
regular system user. I think there is something to do with PAM not
liking a system uid=40 for any user except the postgres user, but I
really don't have any hard proof to base that on. Even when the
postgres user successfully logs in I still get "errors" in the system logs,

postgresql(pam_unix)[28315]: auth could not identify password for [postgres]

and "errors" in the postgres logs,

DEBUG: BackendStartup: forked pid=28315 socket=8
LOG: CheckPAMAuth: pam_authenticate failed: 'Conversation error'
FATAL: PAM authentication failed for user "postgres"
DEBUG: proc_exit(0)
DEBUG: shmem_exit(0)
DEBUG: exit(0)
DEBUG: reaping dead processes
DEBUG: child process (pid 28315) exited with exit code 0
DEBUG: BackendStartup: forked pid=28316 socket=8
DEBUG: received PAM packet
DEBUG: /usr/local/pgsql73/bin/postmaster child[28316]: starting with (
DEBUG: postgres
DEBUG: -v131072
DEBUG: -p
DEBUG: test
DEBUG: )
DEBUG: InitPostgres
[ rest of successful connection messages ]

I am not a PAM expert, but this is the furthest I could get the
pam_unix.so working. I don't really need the functionality, but it
would be nice to be able to funnel postgres PAM functionality through
the system-auth stack on my RedHat systems, which has components for
pam_unix.so instead of creating another authentication stream.

I did apply a crypt patch that Bruce sent me, so I can't comment if this
work exactly the same way on the official 7.3 release. I do know I had
the same issues on the 7.3beta5 release.

Sorry for the long post, hopefully this will be of use to someone with
some better knowledge of postgres authentication and PAM.

Tim Frank