Controls/gitea-pages
0
2
Fork 0
Code Pull Requests Actions Activity
Files
cdcc025dbd4c2f4288505ffec4e2bfcffe7cc9af
gitea-pages/admin-guide/troubleshooting/pam.md
T
ebner 0dc72126d1 reshuffle
2024-08-08 16:30:50 +02:00

58 lines
2.7 KiB
Markdown
Raw Blame History

# PAM
Checking PAM issues can be quite tricky.
## Debugging Messages with `pam_echo.so`
This can be used to print a message. When placed on every PAM step it shows how far the processing goes and maybe where the error might be:
```
auth required pam_env.so
auth optional pam_echo.so "Have passed pam_env"
auth [default=1 success=ok] pam_localuser.so
auth optional pam_echo.so "Have passed pam_localuser"
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth optional pam_echo.so "Have passed pam_unix"
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth optional pam_echo.so "Have passed pam_succeed_if"
auth required pam_sss.so forward_pass
auth optional pam_echo.so "Have passed pam_sss"
auth optional pam_afs_session.so debug always_aklog program=/usr/bin/aklog minimum_uid=1000
auth optional pam_echo.so "Have passed pam_afs_session"
```
Please note that above example introduced a bug: the `default=1` on line 3 ignores the next entry (`1`) if the user is local. Now with adding the debugging statements it needs to be `default=2`, but then the message does not fit, so it should be more specific:
```
auth [default=2 success=ok] pam_localuser.so
auth optional pam_echo.so "Have local user (pam_localuser) and now try to check local password database (pam_unix)"
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth optional pam_echo.so "Have passed pam_localuser and pam_unix"
```
Or just one message after this block without changing the skip number:
```
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth optional pam_echo.so "Have passed pam_localuser and pam_unix"
```
## PAM Call Stack with SystemTap
When debugging an PAM issue with the RedHat support, they provided us a neat Systemtab script to create a PAM call stack of the `do_pam_setcred()` function in sshd. You find it [here](_static/para-callgraph-pam.stp).
For other PAM functions or other processes this script would need changes.
In order to run it, you need to have the debug rpms enabled. In our RHEL8 you can do that manually by setting in
`/etc/yum.repos.d/rhel8_baseos_debug.repo` and `/etc/yum.repos.d/rhel8_appstream_debug.repo` `enabled = 1`. It will then be reset with the next Puppet run.
Then install `systemtap` and `yum-utils`.
Finally a
```
stap -x $PID -v ./para-callgraph-pam.stp
```
will make the Systemtab script observe the given process `$PID`. On the first run it will fail and tell what debug packages it needs to have installed.
View Git Blame Copy Permalink