HylaFAX The world's most advanced open source fax server


Re: [hylafax-users] PAM Authentication



Suggestion 1 didn't work. I've also tried using pam_pwdb, same results.  I
have also tried pam_mysql which causes the hfaxd child processes to segfault
repeatedly on authentication attempts.

Answers to questions:

1) Linux kernel 2.4.22-1.2188 on Fedora Core 1
2) Have been running Hylafax successfully for a few months now with
hosts.hfaxd authentication based on user/pass. Currently it contains:

127.0.0.1

3) rpm -qa | grep pam

pam-0.77-15
pam-devel-0.77-15
pam_smb-1.1.7-2
pam_krb5-2.0.5-1

4,5,6) Users exist, can login on console and SSH and I have the correct
password.

More information:

I am successfully using pam with pam_mysql to authenticate imap users on the
same machine. Eventually I'd like to be using pam_mysql but I am starting
simple as it's obviously not working.

strace on the hfaxd process and children shows it is reading the correct
username and password from the client. It also shows pam opening and reading
/etc/passwd, /etc/shadow if that's any use.

I've been having a look at the PAM code in Asterisk and it seems pretty
close to the reference implementation here:

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-8.php

Which works just fine for me when I compile it.

I don't claim to be a C or C++ expert. In fact it's years since I've written
anything in it.  There was one discrepancy between the struct in the
reference application and the code in Hylafax.

example application:

static struct pam_conv conv = {
    misc_conv,
    NULL
};

Hylafax
        struct pam_conv conv = {
                pamconv,
                (void*)pass
        };

The difference looks fairly harmless to me but can anyone with more
experience see any problems occurring?

I hope I've provided enough information. If there's anything else let me
know.

Regards,

Kimble Young


-----Original Message-----
From: Michael J. Pedersen [mailto:pedermj@xxxxxxxxxxx]
Sent: Friday, June 25, 2004 8:18 AM
To: Kimble Young
Subject: Re: [hylafax-users] PAM Authentication


On Fri, Jun 25, 2004 at 05:25:14PM -0400, Kimble Young wrote:
> I've been having some issues setting up PAM authentication with hylafax
> 4.2.0 beta 2.

Cool (well, for me anyway). It's always pleasurable seeing somebody else
using it.

> I've been trying to use WHFC to connect and am only successful when logging
> in as root.

That's more than a bit odd, as I'm using it for everybody BUT root.

> Syslog shows:
>
> Jun 25 17:20:16 asterisk hylafax(pam_unix)[6380]: authentication failure;
> logname= uid=0 euid=10 tty= ruser= rhost=  user=ultimate
> Jun 25 17:20:18 asterisk hfaxd[6380]: Login failed from kimble
> [192.168.0.244], ultimate
>
> Everything seems to point to a problem with PAM configuration but no matter
> what I try there's no luck.  The most basic config file for
> /etc/pam.d/hylafax is below:
>
> #%PAM-1.0
> auth     required       pam_unix.so
> account  required       pam_unix.so
> password required       pam_unix.so
> session  required       pam_unix.so

Okay, this is good, and I'll give a suggestion, but also ask for more
information in case it fails.

Suggestion:
1) If you are running this on Linux, you might need to set password line
as follows:
password required       pam_unix.so md5

Questions:
1) What operating system and version number (and distribution, if
applicable) are you running the HylaFAX server on?
2) Were you running HylaFAX on this machine before now? If so, are there
users with the same name in hosts.hfaxd, but different passwords? If so,
that might be the source of the problem. Either delete the users from
hosts.hfaxd, or fix their passwords.
3) What version of the PAM libraries are you using on this system?
4) Can any of these users log in at the console?
5) Do any of these users actually exist? Try running this command, and
making sure the users exist (on the machine running HylaFAX of course!):
getent passwd
6) Are you sure you know the correct password? Try logging in at the
console (or by way of telnet, or ssh) as the user. If the user exists,
but you are unable to login, try resetting the user password.

> Is it possible that hylafax is trying to authenticate uid=0 as seen in the
> syslog line above?

Now, I'll admit to being no PAM expert, but that doesn't seem like what
it's reading out to me. It sounds (to me) like it's reading the uid of
the process for HylaFAX. Basically, it means that root is running hfaxd,
and is failing to authenticate user ultimate.

> Can anyone help me with getting it working for all local system accounts?

Here's hoping the above gives enough information to troubleshoot the
problem for you.

--
Michael J. Pedersen
My IM IDs: Jabber/pedersen@xxxxxxxxxxxxxx, ICQ/103345809, AIM/pedermj022171
           Yahoo/pedermj2002, MSN/pedermj022171@xxxxxxxxxxx
My GnuPG KeyID: 6CB0A96C       My Public Key Available At: www.keyserver.net
My GnuPG Key Fingerprint: E8F0 920F EB2F 7FDE DF4E  23CC 2CEB 8E6F 6CB0 A96C
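
Added example, not part of the original thread or of HylaFAX: a small parser for the two syslog records quoted above, which separates the identity of the process calling PAM (uid/euid) from the account being authenticated (user=) and ties the pam_unix failure to the hfaxd login record by PID. The function name and field names are chosen here for illustration; the sample lines are the ones from the thread, rejoined onto single lines.

```python
import re

# Log lines from the thread, rejoined onto single lines (the mail client wrapped them).
SAMPLE_LOG = """\
Jun 25 17:20:16 asterisk hylafax(pam_unix)[6380]: authentication failure; logname= uid=0 euid=10 tty= ruser= rhost=  user=ultimate
Jun 25 17:20:18 asterisk hfaxd[6380]: Login failed from kimble [192.168.0.244], ultimate
"""

# pam_unix record: "<service>(pam_unix)[pid]: authentication failure; key=value ..."
PAM_RE = re.compile(
    r"(?P<service>\S+)\(pam_unix\)\[(?P<pid>\d+)\]: authentication failure; (?P<fields>.*)$"
)
# hfaxd record: "hfaxd[pid]: Login failed from <host> [<ip>], <user>"
HFAXD_RE = re.compile(
    r"hfaxd\[(?P<pid>\d+)\]: Login failed from (?P<host>\S+) \[(?P<ip>[^\]]+)\], (?P<user>\S+)"
)
# Values may be empty ("logname=", "rhost=  "), so allow zero non-space characters.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_failures(log_text):
    """Return one dict per pam_unix failure, with hfaxd client info for the same PID."""
    failures = {}
    for line in log_text.splitlines():
        m = PAM_RE.search(line)
        if m:
            fields = dict(FIELD_RE.findall(m.group("fields")))
            failures[m.group("pid")] = {
                "service": m.group("service"),
                "pid": int(m.group("pid")),
                # uid/euid describe the process that called PAM,
                # not the account whose password is being checked.
                "caller_uid": int(fields["uid"]),
                "caller_euid": int(fields["euid"]),
                "target_user": fields.get("user", ""),
                "rhost": fields.get("rhost", ""),
                "client": None,
            }
            continue
        m = HFAXD_RE.search(line)
        if m and m.group("pid") in failures:
            failures[m.group("pid")]["client"] = (m.group("host"), m.group("ip"))
    return list(failures.values())


if __name__ == "__main__":
    for failure in parse_failures(SAMPLE_LOG):
        print(failure)
```

For the quoted lines this reports a caller with uid 0 and euid 10 failing to authenticate user ultimate, with an empty rhost in the PAM record and the client host and address taken from the hfaxd record.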

