PAM module authentication fails

satish.kumar.yarru · 09-17-2018, 05:52 PM

Hi,

I am working on redhat 7.3 linux server box and trying to configure PAM to use my service module (libradpam.so) for authencation during ssh connection.

I did configuration in /etc/pam.d/password-auth file as follows:

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet_success
auth sufficient libradpam.so
auth required pam_deny.so

But when I see the logs in libradpam.so, it appears like pam service APIs are not getting called when I try to do ssh with external user id and password.

I have kept the libradpam.so in /usr/lib64/security path of linux file system.

Is there anything wrong with my PAM configuration?

From the /var/log/secure i see the following logs from sshd

======
Sep 17 18:29:07 masaml101 sshd[39642]: Invalid user yarrusa from xxx.xxx.xxx.xxx
Sep 17 18:29:07 masaml101 sshd[39642]: input_userauth_request: invalid user yarrusa [preauth]
Sep 17 18:29:07 masaml101 sshd[39642]: Postponed keyboard-interactive for invalid user yarrusa from xxx.xxx.xxx.xxx port 64579 ssh2 [preauth]
Sep 17 18:29:25 masaml101 sshd[39649]: pam_unix(sshd:auth): check pass; user unknown
Sep 17 18:29:25 masaml101 sshd[39649]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx
Sep 17 18:29:27 masaml101 sshd[39642]: error: PAM: User not known to the underlying authentication module for illegal user yarrusa from xxx.xxx.xxx.xxx
Sep 17 18:29:27 masaml101 sshd[39642]: Failed keyboard-interactive/pam for invalid user yarrusa from 139.49.219.93 port 64579 ssh2
Sep 17 18:29:27 masaml101 sshd[39642]: Postponed keyboard-interactive for invalid user yarrusa from xxx.xxx.xxx.xxx port 64579 ssh2 [preauth]
Sep 17 18:29:47 masaml101 sshd[39642]: error: Received disconnect from xxx.xxx.xxx.xxx: 13: Unable to authenticate [preauth]
==========

berndbausch · 09-18-2018, 05:16 PM

My thinking: pam_succeed_if fails because there is no uid, issuing the message User not known to the underlying authentication module. The requisite keyword then fails the whole stack and stops processing.

satish.kumar.yarru · 09-18-2018, 08:27 PM

Quote:

Originally Posted by berndbausch

My thinking: pam_succeed_if fails because there is no uid, issuing the message User not known to the underlying authentication module. The requisite keyword then fails the whole stack and stops processing.

I have commented the line in password-auth file

#auth requisite pam_succeed_if.so uid >= 500 quiet_success

but still same error comes. I still don't see any calls to pam_sm_authenticate() in libradpam.so

berndbausch · 09-18-2018, 11:17 PM

Even without the pam_succeed_if, you get user not found?

Well, I have never written a PAM module and won’t be able to help, but there may well be bugs in your code that prevent it from correctly executing the authentication function.

satish.kumar.yarru · 09-19-2018, 03:28 AM

Quote:

Originally Posted by berndbausch

Even without the pam_succeed_if, you get user not found?

Well, I have never written a PAM module and won’t be able to help, but there may well be bugs in your code that prevent it from correctly executing the authentication function.

Yes I get the same error. The same PAM module works in RHEL 6.x servers. It is failing only for 7.x machines. I suspect something wrong with PAM configurations only.
Is there any difference in PAM configurations when compared to redhat 6 and 7?