
PAM authentication trouble ...

Dear all,

I have trouble with PAM authentication for PostgreSQL.

I have added the good line in pg_hba.conf ... and I have created
a /etc/pam.d/postresql file which contains:

auth required pam_unix.so nullok_secure
account required pam_unix.so

Now, like this ... it is impossible for me to connect to the database ... I get
messages like this:
Jul 6 13:26:44 zoot arr [local] authentication: (pam_unix) auth could not
identify password for [herve]
Jul 6 13:26:47 zoot arr [local] authentication: (pam_unix) authentication
failure; logname= uid=31 euid=31 tty= ruser= rhost= user=herve

The only solution I have found to make it run is to put the postgres user
in the shadow group ... to be able to read the /etc/shadow file ...

I think this is not normal ... so please if you have any idea to solve my
trouble ... I'll be very pleased ...

I'm using Linux, on Debian Woody ... but using my own compilation of
PostgreSQL v7.4.3.

Regards,
--
Hervé Piedvache

Elma Ingénierie Informatique
6 rue du Faubourg Saint-Honoré
F-75008 - Paris - France
Pho. 33-144949901
Fax. 33-144949902


Nov 23 '05 #1
On Tue, 2004-07-06 at 15:13, Hervé Piedvache wrote:
> Dear all,
>
> I have trouble with PAM authentication for PostgreSQL.
>
> I have added the good line in pg_hba.conf ... and I have created
> a /etc/pam.d/postresql file which contains:
>
> auth required pam_unix.so nullok_secure
> account required pam_unix.so
>
> Now, like this ... it is impossible for me to connect to the database ... I get
> messages like this:
> Jul 6 13:26:44 zoot arr [local] authentication: (pam_unix) auth could not
> identify password for [herve]
> Jul 6 13:26:47 zoot arr [local] authentication: (pam_unix) authentication
> failure; logname= uid=31 euid=31 tty= ruser= rhost= user=herve
>
> The only solution I have found to make it run is to put the postgres user
> in the shadow group ... to be able to read the /etc/shadow file ...
>
> I think this is not normal ... so please if you have any idea to solve my
> trouble ... I'll be very pleased ...


Yes, it's normal: the password is in /etc/shadow, so you MUST be in the
shadow group to be able to check it; otherwise the security of
/etc/shadow is useless. Almost every other password checking process
runs as root; since postmaster does not, there is a problem.

Putting postgres in the shadow group decreases its security somewhat;
however, if postgres itself has no valid password ("*" in the password
field in /etc/shadow) it can only be accessed by doing su from root,
which reduces the security problem to checking that C functions and
insecure PL functions do not try to read /etc/shadow.

Oliver Elphick

Nov 23 '05 #2
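
The mitigation described in the reply above only holds if accounts in the shadow group have a locked password field. As an added example (not part of the original thread), this Python check lists every account that can read /etc/shadow through group membership and reports whether its password is locked; the function names are hypothetical and all file contents are constructed samples.

```python
# Added example: audit who can read /etc/shadow via the shadow group.
# All file contents below are constructed samples, not data from the thread.
SAMPLE_GROUP = """\
root:x:0:
shadow:x:42:postgres,backup
postgres:x:31:
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postgres:x:31:31:PostgreSQL:/var/lib/postgres:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
scanner:x:1001:42:primary group is shadow:/home/scanner:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$constructed$notARealHash:12600:0:99999:7:::
postgres:*:12600:0:99999:7:::
backup:$1$constructed$notARealHash:12600:0:99999:7:::
scanner:!:12600:0:99999:7:::
"""

def shadow_group_members(group_text, passwd_text, group_name="shadow"):
    """Accounts in the group, either listed in group(5) or via primary GID."""
    gid, members = None, set()
    for fields in (l.split(":") for l in group_text.splitlines()):
        if len(fields) >= 4 and fields[0] == group_name:
            gid = fields[2]
            members.update(m for m in fields[3].split(",") if m)
    for fields in (l.split(":") for l in passwd_text.splitlines()):
        if gid is not None and len(fields) >= 4 and fields[3] == gid:
            members.add(fields[0])
    return members

def password_locked(shadow_text, user):
    """True only if the shadow password field starts with '*' or '!'."""
    for fields in (l.split(":") for l in shadow_text.splitlines()):
        if len(fields) >= 2 and fields[0] == user:
            return fields[1].startswith(("*", "!"))
    return False  # no shadow entry: cannot confirm the account is locked

def audit(group_text, passwd_text, shadow_text):
    """Map each account that can read /etc/shadow to whether it is locked."""
    members = shadow_group_members(group_text, passwd_text)
    return {u: password_locked(shadow_text, u) for u in sorted(members)}

if __name__ == "__main__":
    for user, locked in audit(SAMPLE_GROUP, SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{user}: {'locked' if locked else 'PASSWORD LOGIN POSSIBLE'}")
```

On a real host the three strings would be replaced by the contents of /etc/group, /etc/passwd and /etc/shadow, read as root.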
