From: Kamen Angelov
To: FreeBSD-gnats-submit@FreeBSD.org
Date: Sat, 14 Jun 2003 15:18:16 -0400 (EDT)
Message-Id: <20030614191816.83A89F74A1@edelweiss.dyns.cx>
Subject: i386/53324: pam_group problems (PAM_RUSER used instead of PAM_USER)

>Number: 53324
>Category: i386
>Synopsis: pam_group problems (PAM_RUSER used instead of PAM_USER)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jun 14 12:20:07 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Kamen Angelov
>Release: FreeBSD 5.1-RELEASE i386
>Organization: Do-Nothing Unlimited
>Environment:
System: FreeBSD edelweiss.dyns.cx 5.1-RELEASE FreeBSD 5.1-RELEASE #11: Sat Jun 14 03:10:32 EDT 2003 root@edelweiss.dyns.cx:/usr/src/sys/i386/compile/EDELWEISS i386

>Description:
I use pam_group to control which users can use which services. I have the following line in my PAM configuration for my FTP server:

    auth requisite pam_group.so group=allow_ftp

With this line uncommented, the server refuses access to everyone: even the users who are supposed to have access to it. With (mostly) the same PAM setting, I get the following error in the SSHD log:

    Jun 14 14:19:07 edelweiss sshd[26043]: error: PAM: authentication error

and then the user is allowed in (?!?!?).

I believe this is a problem with pam_group itself: the module reads the PAM_RUSER field instead of PAM_USER when trying to fetch the username of the user. I believe PAM_USER would be the correct field to read in this context. When PAM_RUSER is replaced with PAM_USER all warnings disappear and everything seems to work as expected.

>How-To-Repeat:
I believe I answered this above.

>Fix:
Run "Search and Replace" on PAM_RUSER and replace it with PAM_USER.

>Release-Note:
>Audit-Trail:
>Unformatted:
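
Added example (not part of the original report and not FreeBSD's pam_group source): a small C model of a group gate keyed on either PAM item, showing how the choice of item changes the outcome for the same group. The struct, function names, member list and sessions are constructed, and it assumes, as the reported FTP behaviour suggests, that the service leaves PAM_RUSER unset.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a PAM session: only the two items the report names. */
struct session {
    const char *user;   /* PAM_USER: account being authenticated */
    const char *ruser;  /* PAM_RUSER: requesting (applicant) user, may be unset */
};

enum item { ITEM_USER, ITEM_RUSER };
enum verdict { DENY = 0, ALLOW = 1 };

/* Constructed membership list for the group named in the report's config. */
static const char *const allow_ftp_members[] = { "alice", "bob", NULL };

static int in_group(const char *name, const char *const *members)
{
    for (; *members != NULL; ++members)
        if (strcmp(*members, name) == 0)
            return 1;
    return 0;
}

/* Group gate keyed on one item; an unset item fails closed. */
enum verdict group_gate(const struct session *s, enum item which)
{
    const char *name = (which == ITEM_USER) ? s->user : s->ruser;

    if (name == NULL || *name == '\0')
        return DENY;
    return in_group(name, allow_ftp_members) ? ALLOW : DENY;
}

/* Constructed sessions: a network login that never sets the requesting user
 * (assumption), and an su-style call where a non-member applicant targets a
 * member account. */
const struct session ftp_login = { "alice", NULL };
const struct session su_call   = { "alice", "mallory" };

int main(void)
{
    /* Exit status 0 when the model behaves as the comments describe. */
    return !(group_gate(&ftp_login, ITEM_RUSER) == DENY &&
             group_gate(&ftp_login, ITEM_USER) == ALLOW &&
             group_gate(&su_call, ITEM_RUSER) == DENY &&
             group_gate(&su_call, ITEM_USER) == ALLOW);
}
```

The su-style case shows why the item matters per service: keyed on PAM_USER, the gate checks the target account rather than the person asking, so a blanket replacement changes who is being gated wherever the two names differ.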