mingbowan / mod-auth-pam

pam authentication for shinken webui

Is this AddOn still working with the current shinken release? #2

Open mw84367 opened 8 years ago

mw84367 commented 8 years ago

Hi,

I'd like to use pam authentication with shinken. I installed auth-pam and added the module to webui2.cfg to the modules property.

When I log in with an ordinary system user "administrator" I get the following messages within the log:

[1464939295] INFO: [broker-master] [WebUI] user 'administrator' is signing in ...
[1464939295] INFO: [broker-master] [WebUI] Checking authentication for user: administrator
[1464939295] INFO: [broker-master] [WebUI] Requesting authentication for user: administrator
[1464939295] INFO: [broker-master] [WebUI] Authenticating user 'administrator'
[1464939295] INFO: [broker-master] [WebUI] Authenticating user 'administrator' with auth-pam
[1464939297] INFO: [broker-master] [WebUI] Internal htpasswd authentication
[1464939297] INFO: [broker-master] [WebUI] Internal alignak backend authentication
[1464939297] INFO: [broker-master] [WebUI] Internal contact authentication
[1464939297] INFO: [broker-master] [WebUI-auth-cfg-password] Authenticating user 'administrator'
[1464939297] ERROR: [broker-master] [WebUI-auth-cfg-password] You need to have a contact having the same name as your user: administrator
[1464939297] WARNING: [broker-master] [WebUI] The user 'administrator' has not been authenticated.

For me it seems that your module is used properly but the authentication fails. Do I need to provide additional authentication configuration parameters? Is the module still operational for the latest release?

Cheers

Mike

mw84367 commented 8 years ago

I investigated the problem further. The module is still operational. The problem is that it runs as user shinken. shinken by default has no access to /etc/shadow as root has. In this case PAM's unix_chkpwd will only accept shinken as a valid user. If the real uid does not match the authenticating username, it sets the euid to be the real uid of the user process calling unix_chkpwd. Not retaining euid=0 prevents unix_chkpwd from reading /etc/shadow and authentication will fail logging 'check pass; user unknown' to syslog.

I've no good solution to this yet.

mingbowan commented 8 years ago

maybe you forgot to define a pam config with shinken as service name? do something like this and try again:

ln -s /etc/pam.d/system-auth /etc/pam.d/shinken

mw84367 commented 8 years ago

> maybe you forgot to define a pam config with shinken as service name?

No, I didn't. First of all, there is no file called /etc/pam.d/system-auth. But I created a config file by myself. Even if this is not available, it should work because there is a /etc/pam.d/other which handles any application not specified by a separate file.

As I mentioned in my previous comment, the module can only be used with the user shinken is running with. This is an issue with pam, not with the module.
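The constraint described in this thread, written as a pre-flight check a service could log before relying on PAM for accounts other than its own, plus a filter for the syslog message quoted above. This is an added example, not code from mod-auth-pam or Shinken; the function names, uid 998 and the sample syslog lines are constructed, and the rule it encodes is the one stated in the comments above.

```python
import os
import pwd
import re

# Syslog text the thread reports when the helper refuses the request.
HELPER_REJECT = re.compile(r"unix_chkpwd.*check pass; user unknown")


def predict(target_user, real_uid, name_of_uid):
    """Apply the rule from the thread: a non-root caller can only have its
    own password checked. Returns (will_work, reason)."""
    if real_uid == 0:
        return True, "caller is root"
    try:
        caller = name_of_uid(real_uid)
    except KeyError:
        return False, "uid %d has no passwd entry" % real_uid
    if caller == target_user:
        return True, "caller '%s' is authenticating itself" % caller
    return False, "caller '%s' is not root and is not '%s'" % (caller, target_user)


def preflight(target_user):
    """Evaluate the rule for the current process (Unix only)."""
    return predict(target_user, os.getuid(), lambda uid: pwd.getpwuid(uid).pw_name)


def helper_rejections(syslog_lines):
    """Return the syslog lines that carry the helper's rejection message."""
    return [line for line in syslog_lines if HELPER_REJECT.search(line)]


# Constructed sample lines (hostname, PIDs and timestamps are made up).
SAMPLE_SYSLOG = [
    "Jun  3 09:34:55 mon01 unix_chkpwd[4211]: check pass; user unknown",
    "Jun  3 09:34:57 mon01 sshd[4300]: Accepted publickey for root",
    "Jun  3 09:35:10 mon01 CRON[4302]: session opened for user root",
]

if __name__ == "__main__":
    # Constructed scenario from the thread: daemon runs as 'shinken' (uid 998 is made up).
    as_shinken = lambda uid: {998: "shinken"}[uid]
    for user in ("administrator", "shinken"):
        print(user, predict(user, 998, as_shinken))
    print(helper_rejections(SAMPLE_SYSLOG))
```

Calling `preflight("administrator")` from inside the daemon's own process shows which branch applies to the account it actually runs as.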