Problems with PAM authentication

Hi,

I've been trying to set up Jive Messenger 2.3.0 beta 1 to authenticate against PAM on a RHEL3 machine without luck.

I added the corresponding provider sections and defined the nativeAuth domain to "shaj", created the `/etc/pam.d/shaj` file with the following contents, as read in the shaj documentation:


auth required pam_stack.so service=system_auth

The authentication will always fail and the PAM subsystem will log this:


Nov 3 14:32:32 celonia shaj(pam_unix)[14596]: authentication failure; logname= uid=508 euid=508 tty= ruser= rhost= user=peralta

Other services on the same machine authenticate against local accounts using PAM without problems.

I modified the `/etc/pam.d/shaj` file to allow every login:


auth sufficient pam_permit.so
#auth required pam_stack.so service=system_auth

And it worked. I also tried avoiding `pam_stack` entirely and using `pam_unix` directly with no luck. I am wondering whether the user password supplied by the Jabber client (sent in plaintext) is reaching the PAM subsystem.

Any ideas?

Are you getting anything in the Jive Messenger error log?

Regards,

Matt

Nothing at all.

Problem solved. The solution may not be useful for everybody though.

The problem was with the system_auth PAM service, which used the pam_unix module. This module allows a non-privileged user to check if his/her password is correct (xscreensaver for example), but it does not allow checking other users' passwords for security reasons.

Using our custom PAM module solved the problem. For other installations there are two options:

  1. Patching or creating a custom pam_unix module
  2. Running Jive Messenger as root

For Jive developers, I guess the best option is to launch Jive as root and let Jive change the user to a non-privileged one after instantiating the Shaj classes.
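
A triage helper for the failure diagnosed in this thread, added here as an example and not part of the original posts or of Jive/Shaj: it parses pam_unix failure lines in the format quoted above and flags those where an unprivileged caller tried to verify a different account's password. The uid table and the second and third sample lines are constructed; `parse_failure` and `diagnose` are hypothetical names.

```python
import pwd
import re

# Old-style pam_unix syslog record, as quoted in the thread: service(pam_unix)[pid]: ...
RECORD = re.compile(
    r"(?P<service>[\w.-]+)\(pam_unix\)\[\d+\]: authentication failure; (?P<fields>.*)$"
)

# First line is the one from the thread; the other two are constructed for contrast.
SAMPLE_LINES = [
    "Nov 3 14:32:32 celonia shaj(pam_unix)[14596]: authentication failure; "
    "logname= uid=508 euid=508 tty= ruser= rhost= user=peralta",
    "Nov 3 14:40:01 celonia xscreensaver(pam_unix)[14700]: authentication failure; "
    "logname= uid=500 euid=500 tty=:0.0 ruser= rhost= user=peralta",
    "Nov 3 14:41:09 celonia sshd(pam_unix)[14733]: authentication failure; "
    "logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=peralta",
]
# Constructed uid table; the thread does not say which account owns uid 508.
SAMPLE_PASSWD = {0: "root", 500: "peralta", 508: "jive"}


def parse_failure(line):
    """Return the key=value fields of a pam_unix failure line, or None if it is not one."""
    m = RECORD.search(line)
    if m is None:
        return None
    fields = {"service": m.group("service")}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def diagnose(line, passwd=None):
    """Return 'cross-user-unprivileged', 'other-cause', or None for unrelated lines."""
    rec = parse_failure(line)
    if rec is None or not rec.get("euid", "").isdigit() or not rec.get("user"):
        return None
    euid = int(rec["euid"])
    if passwd is None:  # fall back to the local passwd database
        passwd = {p.pw_uid: p.pw_name for p in pwd.getpwall()}
    # root may check anyone; an unprivileged caller may check only its own account.
    if euid == 0 or passwd.get(euid) == rec["user"]:
        return "other-cause"
    return "cross-user-unprivileged"
```

A `cross-user-unprivileged` result means the PAM configuration and the supplied password may both be fine; the calling process simply lacks the privilege pam_unix requires.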