[Fusionforge-general] GForge/FusionForge developer access to SVN - WebDAV or ssh/svnserve better?

Matt Kleffner kleffner at gmail.com
Wed Mar 4 14:59:34 CET 2009


Hello,

On Wed, Mar 4, 2009 at 3:30 AM,  <christian.bayle at orange-ftgroup.com> wrote:
> Hello,
>
>>
>> I did have to add to /etc/pam.d/sshd :
>>
>> auth sufficient pam_pgsql.so
>> account sufficient pam_pgsql.so
>> password sufficient pam_pgsql.so
>>
>> just to get the PAM_pgsql error (in auth.log) below - without
>> these lines only traditional authentication is attempted.
>
> Did you try getent shadow and see if you can see the crypted passwd
> you also have to check you use the same encoding crypt or md5.
>

I'll check this out as soon as I can access the machine...

>>
>> I still get this error with nss-pgsql-root.conf present.
>
> You have to check getent shadow to see if it works
>
>> I dug into this some more, and my understanding is that PAM does the
>> authentication but NSS does the username lookup. What I am unclear
>> about is what order and how the config files are used. I assume that
>> once pgsql shows up in /etc/nsswitch.conf, the files nss-pgsql.conf
>> and nss-pgsql-root.conf are loaded by /lib/libnss_pgsql.so .
>>
>> I'm confused as to which library handles the authentication request
>> first NSS or PAM. Based on observed behavior when I remove the above
>> lines from /etc/pam.d/sshd It seems that PAM gets the request and
>> (potentially) uses NSS to get the username. However, either the
>> options in the nss-pgsql*.conf files do not map to the "database
>> connection string and auth_query" options, or these options must be
>> specified at the end of the above lines in /etc/pam.d/sshd . I'm not
>> sure how to test whether PAM is using NSS for usernames. How can I
>> best track this PAM-NSS issue down? Getent still doesn't show the
>> user.
>
> If you created /etc/pam.d/sshd like you said you only use pam_pgsql;
> if you want to use nss, I think it's done via pam_unix
>

OK, I think I understand a little better now. When I take my additions
out of sshd, the auth.log error is from pam_unix (invalid user as
well), not pam_pgsql . I assumed that meant that nothing was even
attempting to connect to the database, but you are saying that
pam_unix will try with properly-configured nss. Are nss and pam truly
orthogonal authentication mechanisms, then, or does pam use nss as
well?

> on my linux box (debian/lenny) I have got something more complex
>
> auth       required     pam_env.so # [1]
> auth       required     pam_env.so envfile=/etc/default/locale
> @include common-auth
> account    required     pam_nologin.so
> @include common-account
> @include common-session
> session    optional     pam_motd.so # [1]
> session    optional     pam_mail.so standard noenv # [1]
> session    required     pam_limits.so
> @include common-password
>
> I can check that any include has pam_unix required
> pam will try pgsql then unix
>
> If you use pam-pgsql you also have to setup
> /etc/pam_pgsql.conf with the following parameters
>
> database = dbname
> user = username
> table = account
> user_column = user_name
> pwd_column = user_password
> expired_column = acc_expired
> newtok_column = acc_new_pwreq
> debug
>
>> A second problem that should be unrelated to the first is that the
>> nss_* tables are not being populated in the gforge database, which
>> seems to be another barrier to gforge logins. Here is what I have:
>>
>> psql -U gforge_nss gforge
>>
>> select * from nss_groups;
>>  user_id | group_id |      name      |  gid
>> ---------+----------+----------------+-------
>>        0 |        3 | stats          | 10003
>>        0 |        4 | peerrating     | 10004
>>        0 |        1 | siteadmin      | 10001
>>        0 |        2 | newsadmin      | 10002
>>        0 |        3 | scm_stats      | 50003
>>        0 |        4 | scm_peerrating | 50004
>>        0 |        1 | scm_siteadmin  | 50001
>>        0 |        2 | scm_newsadmin  | 50002
>>
>> select * from nss_passwd;
>>  uid | gid | login | passwd | gecos | shell | homedir | status
>> -----+-----+-------+--------+-------+-------+---------+--------
>> (0 rows)
>>
>> nss_usergroups, and nss_shadow also have 0 rows like the above.
>>
>> Logging into the database with admin rights and running "select * from
>> users;" shows a few users that obviously aren't showing up in the
>> nss_* files. Even if PAM+NSS is otherwise properly configured on my
>> machine, it looks like gforge shell logins still won't work without
>> the proper database entries.  How are the nss_* tables populated
>> and/or updated?
>>
> your problem seems to be that
> getent shadow don't get the crypted passwd

From where? I see two problems that can occur - getent can't get to
the database (is this where the crypted passwd is?), and/or the nss_*
tables haven't been filled with the necessary information from the
standard gforge tables. Regarding the table issue, is there a cron job
that fills these tables? Or are these tables somehow filled by getent?

> For me, it's pam that is used systematically, following the config
> in /etc/pam.d
> and if you use pam_unix
> it uses the getent function that makes use of /etc/nsswitch.conf
> nss then loads the proper modules
>

Which method is developer-preferred for gforge/fusionforge, or is it
really admin preference?

> just an extra question, which distro do you use ? because not all are
> configuring pam in the same way
> I answered rather with my knowledge of what is done in debian and
> derivatives.
>

I am using Debian Lenny with the stable gforge packages. I enabled
shell access as soon as I installed the gforge-shell-postgresql
package. I'm wondering if I didn't mess something up somehow, though,
because this seems like something that might otherwise work right
after install. Am I better off reinstalling? Installing a version from
unstable or experimental? Is it expected that gforge-account shell
access works immediately after installing the shell package? Either
way, this experience is teaching me quite a bit about various
authentication mechanisms - which is quite useful.

> hope this helps
>

Thanks again for the help!

 - Matt

> Cheers
>
> Christian
>
>
>
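Christian's advice above comes down to two checks: does `getent shadow` return the user with a crypted password through NSS, and is that hash in the encoding (traditional crypt or md5) that the PAM side expects. The POSIX shell script below is an added example, not code from this thread or from GForge/FusionForge; it classifies the hash field of shadow-style lines (the sample lines are constructed), wraps `getent shadow` for a live check, and greps a nsswitch.conf for `pgsql`. The DES test (13 characters from the crypt alphabet) and the `$1$`/`$5$`/`$6$` prefixes are the standard crypt(3) conventions; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): classify the hash field of
# shadow(5) lines as returned by "getent shadow", and check whether
# pgsql is wired into nsswitch.conf. Sample lines below are constructed.

# Print the scheme of a crypt(3) string: des, md5, sha256, sha512,
# empty, locked, or unknown. Argument: the password field of a shadow entry.
hash_scheme() {
    case "$1" in
        '')          echo empty ;;
        '!'*|'*'*)   echo locked ;;
        '$1$'*)      echo md5 ;;
        '$5$'*)      echo sha256 ;;
        '$6$'*)      echo sha512 ;;
        *)
            # Traditional DES crypt: exactly 13 characters of [A-Za-z0-9./].
            if [ "${#1}" -eq 13 ] && \
               [ -z "$(printf '%s' "$1" | tr -d 'A-Za-z0-9./')" ]; then
                echo des
            else
                echo unknown
            fi ;;
    esac
}

# Take one shadow line "login:hash:..." and print "login scheme".
classify_shadow_line() {
    login=${1%%:*}
    rest=${1#*:}
    hash=${rest%%:*}
    echo "$login $(hash_scheme "$hash")"
}

# Live check: does the user resolve through NSS (needs root to read shadow)?
# Prints "<user> absent" and returns 1 when getent finds nothing.
check_user() {
    line=$(getent shadow "$1" 2>/dev/null) || { echo "$1 absent"; return 1; }
    classify_shadow_line "$line"
}

# Is pgsql listed for the passwd, group or shadow database in nsswitch.conf?
# Takes the file path (defaults to /etc/nsswitch.conf); exit status is the answer.
nss_has_pgsql() {
    grep -E '^(passwd|group|shadow):.*[[:space:]]pgsql([[:space:]]|$)' \
        "${1:-/etc/nsswitch.conf}" >/dev/null 2>&1
}

# Constructed sample lines in the format "getent shadow" prints.
SAMPLE_DES='alice:abJnggxhB/yWI:14000:0:99999:7:::'
SAMPLE_MD5='bob:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0:14000:0:99999:7:::'
SAMPLE_LOCKED='carol:!:14000:0:99999:7:::'

# When run directly: report each sample, then the live nsswitch state.
for s in "$SAMPLE_DES" "$SAMPLE_MD5" "$SAMPLE_LOCKED"; do
    classify_shadow_line "$s"
done
if nss_has_pgsql; then
    echo "nsswitch.conf: pgsql is configured"
else
    echo "nsswitch.conf: pgsql is NOT configured"
fi
```

A mismatch shows up as, for example, `getent shadow` returning `md5` for a user while the PAM module is compiled for or configured to expect traditional `des`; an `absent` result means NSS (not PAM) is the layer to debug first, which is the distinction Christian draws between pam_unix calling getent and nss loading the pgsql module.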
