authenticate role via pam

Submit your RBAC policies or suggest policy improvements

authenticate role via pam

Postby cormander » Tue Mar 18, 2008 6:08 pm

Hello,

I've added a role with flags "sPG" name corman (which is also a user on the system with a password) to make corman a special role, to authenticate off of PAM.

With RBAC enabled, PAM auth is working with pamtester when the right password is typed, and failing when the wrong password is typed.

Code: Select all
[root@localhost ~]# pamtester -v login corman authenticate
pamtester: invoking pam_start(login, corman, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated


However, "gradm -p corman" fails without even asking for a password. An strace on that command (running it under the admin role so I don't get permissions denied on the ptrace) reveals:

Code: Select all
[pid  7270] open("/etc/pam.d/gradm", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  7270] open("/etc/pam.d/other", O_RDONLY) = 3


I'm sure that gradm was built with pam support, the pam-devel package is installed and the gradm_pam binary exists. It seems that the /etc/pam.d/gradm file is missing... and it rolls back to "other", which basically is deny only. What is supposed to be in /etc/pam.d/gradm?

I'm using gradm-2.1.11-200803171746
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: authenticate role via pam

Postby cormander » Tue Mar 18, 2008 6:12 pm

HAH I feel like an idiot.

The moment I hit "submit" after previewing my thread... I thought to myself, "what if I symlnk system-auth to gradm".

Code: Select all
[root@c1inf047 ~]# cd /etc/pam.d/
[root@c1inf047 pam.d]# ln -s system-auth gradm
[root@c1inf047 pam.d]# gradm -E
[root@c1inf047 pam.d]# gradm -p corman
Password:
[root@c1inf047 pam.d]#


Hope this helps anyone else who runs into this problem.

spender, mind making the symlink a part of the "make install" for gradm? :-D
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: authenticate role via pam

Postby cormander » Thu Mar 20, 2008 10:18 am

And since system-auth is a redhat thing.... for other distros doing the symlink to /etc/pam.d/login should work as well.
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm


Return to RBAC policy development

cron