Open spacekookie opened 6 years ago
You can use any service name you like:

```rust
fn authenticate(user: &str, password: &str) {
    let mut auth = Authenticator::new("pam-auth-test").unwrap();
    auth.set_credentials(user, password);
    println!("{:?}", auth.authenticate());
}
```

For debugging, look for messages in the system log, e.g. using `journalctl -f` on a system using systemd.
Thanks for the feedback. Looking into the system log, I'm a wee bit confused what's going on:

```
Jul 02 20:48:20 rayya lockchain-server[10702]: pam_tally(login:auth): Error opening /var/log/faillog for update
Jul 02 20:48:20 rayya lockchain-server[10702]: pam_tally(login:auth): Error opening /var/log/faillog for read
Jul 02 20:48:20 rayya unix_chkpwd[10704]: check pass; user unknown
Jul 02 20:48:20 rayya unix_chkpwd[10705]: check pass; user unknown
Jul 02 20:48:20 rayya unix_chkpwd[10705]: password check failed for user (testkookie)
Jul 02 20:48:20 rayya lockchain-server[10702]: pam_unix(login:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost= user=testkookie
Jul 02 20:48:22 rayya lockchain-server[10702]: pam_tally(login:setcred): Error opening /var/log/faillog for update
Jul 02 20:48:22 rayya lockchain-server[10702]: pam_tally(login:setcred): Error opening /var/log/faillog for update
```

But doing `su testkookie` with the same password works :thinking:
Just a guess, but are you trying to authenticate a user different from the one running the program? This does not work with local users by default, as it needs access to `/etc/shadow`, the file which contains the passwords of users. Only root can normally read this file.
When you are using remote authentication like LDAP in an Active Directory or NIS, it generally works without root access. Also, users can authenticate themselves.
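
The reply above ties the failure to a non-root process checking another local user's password, which needs read access to `/etc/shadow`. The following Rust code is an added example, not code from this thread or from the library it discusses: it reads the `pam_unix` failure line from the journal output quoted earlier and reports whether that explanation fits. The names `Diagnosis`, `diagnose`, `parse` and the caller account `svcuser` are hypothetical.

```rust
// Added example: classify a pam_unix "authentication failure" journal line.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Diagnosis {
    /// Non-root process checked an account other than its own: no /etc/shadow access.
    NeedsShadowAccess { service: String, euid: u32, target: String },
    /// Root caller, or a user checking their own password: look for another cause.
    NotPrivilegeRelated,
    /// Not a pam_unix "authentication failure" line.
    NotApplicable,
}

/// Pulls (service, euid, target user) out of a pam_unix failure line.
fn parse(line: &str) -> Option<(String, u32, String)> {
    let rest = &line[line.find("pam_unix(")? + "pam_unix(".len()..];
    let (stack, tail) = rest.split_once("): authentication failure;")?;
    // `stack` is "service:module-type", e.g. "login:auth".
    let service = stack.split(':').next()?.to_string();
    // Space-separated key=value pairs; empty values such as "tty=" map to "".
    let fields: HashMap<&str, &str> =
        tail.split_whitespace().filter_map(|kv| kv.split_once('=')).collect();
    let euid = fields.get("euid")?.parse().ok()?;
    Some((service, euid, fields.get("user")?.to_string()))
}

/// `caller_name` is the account the process runs as (assumption: supplied by the
/// operator, e.g. from `id -un`, so no passwd lookup is needed here).
pub fn diagnose(line: &str, caller_name: &str) -> Diagnosis {
    match parse(line) {
        None => Diagnosis::NotApplicable,
        Some((service, euid, target)) if euid != 0 && target != caller_name => {
            Diagnosis::NeedsShadowAccess { service, euid, target }
        }
        Some(_) => Diagnosis::NotPrivilegeRelated,
    }
}

// Failure line copied from the journal output quoted in this thread.
pub const SAMPLE: &str = "Jul 02 20:48:20 rayya lockchain-server[10702]: pam_unix(login:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost= user=testkookie";

fn main() {
    // "svcuser" is a constructed name for the account running the server.
    println!("{:?}", diagnose(SAMPLE, "svcuser"));
}
```

The reported `service` is the PAM stack that was actually consulted, which makes it easy to confirm that the service name passed to `Authenticator::new` is the one in effect.
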
Hmm, oh okay. I thought I could use pam to open a session as a different user and then do stuff with it.
Ultimately some user will be running the software but I want to authenticate users by their system accounts and only really make sure they are a member of the right group. I guess pam isn't what I want then? 😅
@spacekookie I got exactly the same issue. Do you have a solution for this?
So… I'm kinda new to `pam` and I'm not entirely sure how some of this is supposed to work. When creating an `Authenticator` it takes a service name. Does this have to be one of these? https://docs.oracle.com/cd/E19683-01/816-4883/pam-34/index.html

I'm currently running into the problem that `authenticate()` fails and I'm not sure why (and not sure how to debug it)