bug-cvs

PAM authentication failure


From: Yves Martin
Subject: PAM authentication failure
Date: Tue, 21 Aug 2007 11:47:16 +0200

 Hello,

I'm trying to configure a cvs server 1.12.13-8 from Debian Etch with PAM
authentication on pserver protocol.

Here is my pam file /etc/pam.d/cvs to use ldap:

auth       required     /lib/security/pam_ldap.so
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so

My CVSROOT/config file contains:
SystemAuth=no
PamAuth=yes
DefaultPamUser=cvs

Only the "cvs" account is a system account.

$ cvs -d :pserver:ldapuser@myserver.mydomain:/cvsroot login

works properly (fails with a wrong password, passes with the right one)

But a checkout fails:
$ cvs -d :pserver:ldapuser@myserver.mydomain:/cvsroot co cvstest
Fatal error, aborting.
ldapuser: no such system user

I really agree that "ldapuser" is not a system user, but I expect the
"switch_to_user" method to use the "cvs" account.


I have debugged the source code. Here is my analysis in case of a non
existing account on the local system:

1. pam_set_item PAM_USER succeeds in my installation, so "ldapuser" is
never replaced by "DefaultPamUser". To work around this, I have replaced the
test-call to pam_set_item by getpwnam to check if the account exists
locally - because getpwnam finally fails in switch_to_user.

2. then check_pam_password replaces "username" (ldapuser) by the
"DefaultPamUser" (cvs)
3. in check_password at "handle_return", "CVS_Username" is set to
"username" (too late !!) with "cvs" (instead of ldapuser)
4. switch_to_user is called with (ldapuser, cvs) - OK
5. but pam_get_item (pamh, PAM_USER, (const void **)&username) called
there replaces "cvs" by "ldapuser" from the pam context I guess.
6. as a result getpwnam fails because username == "ldapuser"

The only valid information I have found about the PAM support in Debian
cvs is:
http://olympus.het.brown.edu/cgi-bin/info2www?(cvs)Password+authentication+server

I'm working on a patch but my proposal is not to replace "username" in
check_pam_password but to return a "host_user" value for check_password.
In that case, I wonder if a "map=user" option in the PAM chain is
supposed to work or not?

Thank you in advance for your help
-- 
Yves Martin
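As an added example (not from the original post or from the CVS sources), here is the mapping the report proposes, written out in C: a getpwnam check decides whether the PAM login name maps to itself or to DefaultPamUser, while the login name is kept separately as CVS_Username instead of being overwritten. The names `map_pam_user`, `host_user_for` and `fake_exists` are hypothetical, and `fake_exists` is a constructed stand-in for the passwd database.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Result of mapping an authenticated PAM login onto a local account.
 * cvs_username stays the name the client presented (for access control
 * and the history log); host_user is the account the server switches to. */
struct user_map {
    const char *cvs_username;
    const char *host_user;
};

/* The check the report suggests instead of trusting pam_set_item(PAM_USER),
 * which succeeds even for names that exist only in LDAP. */
static int local_account_exists(const char *name)
{
    return getpwnam(name) != NULL;
}

/* `exists` is the account check, passed in so the logic can run without a
 * real passwd database; `def` is DefaultPamUser from CVSROOT/config (or NULL).
 * Returns 0 on success, -1 when no usable local account exists. */
int map_pam_user(const char *login, const char *def,
                 int (*exists)(const char *), struct user_map *out)
{
    out->cvs_username = login;      /* never replaced by the fallback */
    out->host_user = NULL;
    if (exists(login)) {
        out->host_user = login;     /* ordinary system account */
        return 0;
    }
    if (def != NULL && exists(def)) {
        out->host_user = def;       /* LDAP-only user runs as DefaultPamUser */
        return 0;
    }
    return -1;                      /* "no such system user" and no fallback */
}

/* Convenience wrapper: the account to switch to, or NULL if none. */
const char *host_user_for(const char *login, const char *def,
                          int (*exists)(const char *))
{
    struct user_map m;
    return map_pam_user(login, def, exists, &m) == 0 ? m.host_user : NULL;
}

/* Constructed stand-in for getpwnam(): only "cvs" is a local account. */
static int fake_exists(const char *name) { return strcmp(name, "cvs") == 0; }

int main(void)
{
    struct user_map m;
    if (map_pam_user("ldapuser", "cvs", fake_exists, &m) == 0)
        printf("CVS_Username=%s host_user=%s\n", m.cvs_username, m.host_user);
    printf("real lookup of \"ldapuser\": %s\n",
           host_user_for("ldapuser", "cvs", local_account_exists) ? "mapped" : "no local account");
    return 0;
}
```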


