Date: Sat, 14 Jun 2003 15:18:16 -0400 (EDT)
From: Kamen Angelov <kamenangelov@netscape.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: i386/53324: pam_group problems (PAM_RUSER used instead of PAM_USER)
Message-ID: <20030614191816.83A89F74A1@edelweiss.dyns.cx>
Resent-Message-ID: <200306141920.h5EJK8n4063892@freefall.freebsd.org>
>Number: 53324
>Category: i386
>Synopsis: pam_group problems (PAM_RUSER used instead of PAM_USER)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jun 14 12:20:07 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Kamen Angelov
>Release: FreeBSD 5.1-RELEASE i386
>Organization: Do-Nothing Unlimited
>Environment:
System: FreeBSD edelweiss.dyns.cx 5.1-RELEASE FreeBSD 5.1-RELEASE #11: Sat Jun 14 03:10:32 EDT 2003 root@edelweiss.dyns.cx:/usr/src/sys/i386/compile/EDELWEISS i386

>Description:
I use pam_group to control which users can use which services. I have the
following line in my PAM configuration for my FTP server:

    auth requisite pam_group.so group=allow_ftp

With this line uncommented, the server refuses access to everyone: even the
users who are supposed to have access to it.

With (mostly) the same PAM setting, I get the following error in the SSHD log:

    Jun 14 14:19:07 edelweiss sshd[26043]: error: PAM: authentication error

and then the user is allowed in (?!?!?).

I believe this is a problem with pam_group itself: the module reads the
PAM_RUSER field instead of PAM_USER when trying to fetch the username of the
user. I believe PAM_USER would be the correct field to read in this context.
When PAM_RUSER is replaced with PAM_USER all warnings disappear and everything
seems to work as expected.

>How-To-Repeat:
I believe I answered this above.

>Fix:
Run "Search and Replace" on PAM_RUSER and replace it with PAM_USER.

>Release-Note:
>Audit-Trail:
>Unformatted: