Thread: PAM auth?

PAM auth?

From

"Michael W. Lucas"

Date:

07 June 2012, 16:03:33

Hi,

I'm running 9.1.2 on FreeBSD 9, installed via OS vendor package, and
trying to get PAM auth to work.

From what I've read, this should be as simple as the following
/usr/local/share/postgres/pg_hba.conf:

host     all             all     0.0.0.0/0               pam  postgresql
local    all             all     0.0.0.0/0               pam  postgresql

(I'm using my firewall for access control.)

After restarting postgresql, users are still not being prompted for
passwords. Here's my /usr/local/etc/pam.d/postgresql file:

auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn
auth            required        pam_unix.so             no_warn try_first_pass nullok
account         include         system
session         include         system
password        include         system

Hoping to see some auth debugging, I set log_min_messages and
client_min_messages to debug5. Syslog sends local0 to
/var/log/postgres, but nothing on auth appears.

Any suggestions on how I can debug postgres authentication? Or am I
looking in the completely wrong place?

Thanks for any advice,
==ml

--
Michael W. Lucas
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: SSH Mastery http://www.michaelwlucas.com/nonfiction/ssh-mastery
mwlucas@BlackHelicopters.org, Twitter @mwlauthor

Re: PAM auth?

From

Tom Lane

Date:

07 June 2012, 16:17:36

"Michael W. Lucas" <mwlucas@blackhelicopters.org> writes:
> I'm running 9.1.2 on FreeBSD 9, installed via OS vendor package, and
> trying to get PAM auth to work.

> From what I've read, this should be as simple as the following
> /usr/local/share/postgres/pg_hba.conf:

Um ... that is not where the pg_hba.conf file should go, in any standard
configuration.  Try putting it in your $PGDATA directory.  (Actually I
think "show hba_file;" should tell you where the database thinks it
should be.)

> host     all             all     0.0.0.0/0               pam  postgresql
> local    all             all     0.0.0.0/0               pam  postgresql

I think the last field needs to read "pamservice=postgresql".

I'm not qualified to debug your pam configuration file, but from the
symptoms it sounds like the database isn't looking at it yet.

            regards, tom lane

Re: PAM auth?

From

Matthew Seaman

Date:

07 June 2012, 17:02:19

On 07/06/2012 20:03, Michael W. Lucas wrote:
> I'm running 9.1.2 on FreeBSD 9, installed via OS vendor package, and
> trying to get PAM auth to work.
>
> From what I've read, this should be as simple as the following
> /usr/local/share/postgres/pg_hba.conf:

Standard location on FreeBSD is /usr/local/pgsql/data/pg_hba.conf

    Cheers,

    Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW

Attachment

signature.asc

Re: PAM auth?

From

"Michael W. Lucas"

Date:

08 June 2012, 13:09:47

On Thu, Jun 07, 2012 at 08:58:21PM +0100, Matthew Seaman wrote:
> On 07/06/2012 20:03, Michael W. Lucas wrote:
> > I'm running 9.1.2 on FreeBSD 9, installed via OS vendor package, and
> > trying to get PAM auth to work.
> >
> > From what I've read, this should be as simple as the following
> > /usr/local/share/postgres/pg_hba.conf:
>
> Standard location on FreeBSD is /usr/local/pgsql/data/pg_hba.conf

I'm glad that this list is advertised as "no question too daft for
us!" Otherwise, I'd be deeply and thoroughly embarrassed.

Thanks, folks.

==ml

--
Michael W. Lucas
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: SSH Mastery http://www.michaelwlucas.com/nonfiction/ssh-mastery
mwlucas@BlackHelicopters.org, Twitter @mwlauthor