Controls/gitea-pages
0
2
Fork 0
Code Pull Requests Actions Activity
Files
2a04343c9f709ceb3db3f0ceb77aaa7a7c1952bf
gitea-pages/admin-guide/troubleshooting/pam.md
ebner 0dc72126d1 reshuffle
2024-08-08 16:30:50 +02:00

2.7 KiB
Raw Blame History

PAM

Checking PAM issues can be quite tricky.

Debugging Messages with pam_echo.so

This can be used to print a message. When placed on every PAM step it shows how far the processing goes and maybe where the error might be:

auth        required      pam_env.so
auth        optional      pam_echo.so "Have passed pam_env"
auth        [default=1 success=ok] pam_localuser.so
auth        optional      pam_echo.so "Have passed pam_localuser"
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        optional      pam_echo.so "Have passed pam_unix"
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        optional      pam_echo.so "Have passed pam_succeed_if"
auth        required      pam_sss.so forward_pass
auth        optional      pam_echo.so "Have passed pam_sss"
auth        optional      pam_afs_session.so debug always_aklog program=/usr/bin/aklog minimum_uid=1000
auth        optional      pam_echo.so "Have passed pam_afs_session"

Please note that above example introduced a bug: the default=1 on line 3 ignores the next entry (1) if the user is local. Now with adding the debugging statements it needs to be default=2, but then the message does not fit, so it should be more specific:

auth        [default=2 success=ok] pam_localuser.so
auth        optional      pam_echo.so "Have local user (pam_localuser) and now try to check local password database (pam_unix)"
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        optional      pam_echo.so "Have passed pam_localuser and pam_unix"

Or just one message after this block without changing the skip number:

auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        optional      pam_echo.so "Have passed pam_localuser and pam_unix"

PAM Call Stack with SystemTap

When debugging an PAM issue with the RedHat support, they provided us a neat Systemtab script to create a PAM call stack of the do_pam_setcred() function in sshd. You find it here.

For other PAM functions or other processes this script would need changes.

In order to run it, you need to have the debug rpms enabled. In our RHEL8 you can do that manually by setting in /etc/yum.repos.d/rhel8_baseos_debug.repo and /etc/yum.repos.d/rhel8_appstream_debug.repo enabled = 1. It will then be reset with the next Puppet run.

Then install systemtap and yum-utils.

Finally a

stap -x $PID -v ./para-callgraph-pam.stp

will make the Systemtab script observe the given process $PID. On the first run it will fail and tell what debug packages it needs to have installed.

View Git Blame Copy Permalink