pam-pgsql 与 sshd
pam-pgsql with sshd
这是我的 pam_pgsql.conf
配置
host = localhost
database = x
user = xx
password = xxx
table = userdb_user
user_column = username
pwd_column = password
pw_type = clear
debug = 1
这是我的 sshd 配置
session required pam_pgsql.so debug
auth required pam_pgsql.so debug
account required pam_pgsql.so debug
password required pam_pgsql.so debug
执行密码查询是因为我在/var/log/postgresql
中有这个
2015-12-07 12:00:02 CET [5603-1] db LOG: Ausführen <unnamed>: select password from userdb_user where username =
2015-12-07 12:00:02 CET [5603-2] db DETAIL: Parameter: = 'admin'
我总是在 /var/log/auth.log
中得到这个
PAM_pgsql[5788]: couldn't authenticate user admin
我真的不知道是什么问题了,因为密码的查询达到了数据库级别,并按照上面的 pgsql 日志所示执行!
您指定的配置声明要检查 table userdb_user
的 password
列是否有 纯文本 密码匹配- 即字段密码将包含密码的未加密版本,并且还将验证用户名。
在不知道数据的情况下,您必须遵循通常的反复试验检查:
检查用户名和密码是否可以登录到有问题的数据库:
psql -h localhost -U xx x
检查数据库是否存在,table是否存在,使用您指定的用户名和密码:
select password from userdb_user where username='admin'
检查输入的密码是否与 return 从 userdb_user
table 编辑的密码匹配 - 它们是纯文本匹配。
还有一个 ssh 要求是用户帐户必须有一个可用的 passwd
条目 - 即 getent passwd admin
必须 return 一些数据。
您可以使用 libnss-pgsql
模块(也称为 sysauth-pgsql
)为用户配置密码和组条目。
在这种情况下,您需要在 /etc/nsswitch.conf
文件中的 passwd
和 group
行中包含 pgsql
,以便它们读取如下内容:
passwd: compat pgsql
group: compat pgsql
这会将名称服务开关配置为开始查找 pgsql
以获取帐户信息 - 您必须重新启动 sshd 才能使此更改生效。
然后添加一个引用 postgres 数据库的 /etc/nss-pgsql.conf
文件:
connectionstring = hostaddr=127.0.0.1 dbname=x user=xx password=xxx connect_timeout=1
getpwnam = SELECT p.username, '*' AS passwd, p.username, p.homedir, p.shell, p.uid, p.gid FROM userdb_passwd p WHERE p.username =
getpwuid = SELECT p.username, '*' AS passwd, p.username, p.homedir, p.shell, p.uid, p.gid FROM userdb_passwd p WHERE p.uid =
allusers = SELECT p.username, '*' AS passwd, p.username, p.homedir, p.shell, p.uid, p.gid FROM userdb_passwd p
getgrnam = SELECT g.groupname, 'x' AS passwd, g.gid, ARRAY(SELECT p.username FROM userdb_passwd p INNER JOIN userdb_user_group ug ON ug.uid=p.uid WHERE ug.gid = g.gid) AS members FROM userdb_groups g WHERE g.groupname =
getgrgid = SELECT g.groupname, 'x' AS passwd, g.gid, ARRAY(SELECT p.username FROM userdb_passwd p INNER JOIN userdb_user_group ug ON ug.uid=p.uid WHERE ug.gid = g.gid) AS members FROM userdb_groups g WHERE g.gid =
allgroups = SELECT g.groupname, 'x' AS passwd, g.gid, ARRAY(SELECT p.username FROM userdb_passwd p INNER JOIN userdb_user_group ug ON ug.uid=p.uid WHERE ug.gid = g.gid) AS members FROM userdb_groups g
getgroupmembersbygid = SELECT p.username FROM userdb_passwd p INNER JOIN userdb_user_group ug ON ug.uid=p.uid WHERE ug.gid =
groups_dyn = SELECT ug.gid FROM userdb_user_group ug INNER JOIN userdb_passwd p ON p.uid=ug.uid WHERE p.username = AND =
这需要三个 table:userdb_passwd
、userdb_groups
和 userdb_user_group
,格式如下(取自 dbschema.sql
文件项目):
-- sequences, to deal with the userid and groupids
CREATE SEQUENCE group_id MINVALUE 10000 MAXVALUE 2147483647 NO CYCLE;
CREATE SEQUENCE user_id MINVALUE 10000 MAXVALUE 2147483647 NO CYCLE;
-- group table - all groups
CREATE TABLE "userdb_groups" (
"gid" int4 NOT NULL DEFAULT nextval('group_id'),
"groupname" character varying(16) NOT NULL,
"descr" character varying,
"passwd" character varying(20),
PRIMARY KEY ("gid")
);
-- passwd entry tables - the passwd field is unused because of PAM against userdb_users
CREATE TABLE "userdb_passwd" (
"username" character varying(64) NOT NULL,
"passwd" character varying(128) NOT NULL,
"uid" int4 NOT NULL DEFAULT nextval('user_id'),
"gid" int4 NOT NULL,
"gecos" character varying(128),
"homedir" character varying(256) NOT NULL,
"shell" character varying DEFAULT '/bin/bash' NOT NULL,
PRIMARY KEY ("username")
);
CREATE UNIQUE INDEX passwd_table_uid ON userdb_passwd USING btree (uid);
CREATE TABLE "userdb_user_group" (
"gid" int4 NOT NULL,
"uid" int4 NOT NULL,
PRIMARY KEY ("gid", "uid"),
CONSTRAINT "ug_gid_fkey" FOREIGN KEY ("gid") REFERENCES "userdb_groups"("gid"),
CONSTRAINT "ug_uid_fkey" FOREIGN KEY ("uid") REFERENCES "userdb_passwd"("uid")
);
添加 table 后,您可以加载相关用户。
如果没有用户和组信息,将无法很好地指定用于登录系统的用户帐户,并可能引入漏洞。
这是我的 pam_pgsql.conf
配置host = localhost
database = x
user = xx
password = xxx
table = userdb_user
user_column = username
pwd_column = password
pw_type = clear
debug = 1
这是我的 sshd 配置
session required pam_pgsql.so debug
auth required pam_pgsql.so debug
account required pam_pgsql.so debug
password required pam_pgsql.so debug
执行密码查询是因为我在/var/log/postgresql
中有这个2015-12-07 12:00:02 CET [5603-1] db LOG: Ausführen <unnamed>: select password from userdb_user where username =
2015-12-07 12:00:02 CET [5603-2] db DETAIL: Parameter: = 'admin'
我总是在 /var/log/auth.log
中得到这个PAM_pgsql[5788]: couldn't authenticate user admin
我真的不知道是什么问题了,因为密码的查询达到了数据库级别,并按照上面的 pgsql 日志所示执行!
您指定的配置声明要检查 table userdb_user
的 password
列是否有 纯文本 密码匹配- 即字段密码将包含密码的未加密版本,并且还将验证用户名。
在不知道数据的情况下,您必须遵循通常的反复试验检查:
检查用户名和密码是否可以登录到有问题的数据库:
psql -h localhost -U xx x
检查数据库是否存在,table是否存在,使用您指定的用户名和密码:
select password from userdb_user where username='admin'
检查输入的密码是否与 return 从
userdb_user
table 编辑的密码匹配 - 它们是纯文本匹配。
还有一个 ssh 要求是用户帐户必须有一个可用的 passwd
条目 - 即 getent passwd admin
必须 return 一些数据。
您可以使用 libnss-pgsql
模块(也称为 sysauth-pgsql
)为用户配置密码和组条目。
在这种情况下,您需要在 /etc/nsswitch.conf
文件中的 passwd
和 group
行中包含 pgsql
,以便它们读取如下内容:
passwd: compat pgsql
group: compat pgsql
这会将名称服务开关配置为开始查找 pgsql
以获取帐户信息 - 您必须重新启动 sshd 才能使此更改生效。
然后添加一个引用 postgres 数据库的 /etc/nss-pgsql.conf
文件:
connectionstring = hostaddr=127.0.0.1 dbname=x user=xx password=xxx connect_timeout=1
getpwnam = SELECT p.username, '*' AS passwd, p.username, p.homedir, p.shell, p.uid, p.gid FROM userdb_passwd p WHERE p.username =
getpwuid = SELECT p.username, '*' AS passwd, p.username, p.homedir, p.shell, p.uid, p.gid FROM userdb_passwd p WHERE p.uid =
allusers = SELECT p.username, '*' AS passwd, p.username, p.homedir, p.shell, p.uid, p.gid FROM userdb_passwd p
getgrnam = SELECT g.groupname, 'x' AS passwd, g.gid, ARRAY(SELECT p.username FROM userdb_passwd p INNER JOIN userdb_user_group ug ON ug.uid=p.uid WHERE ug.gid = g.gid) AS members FROM userdb_groups g WHERE g.groupname =
getgrgid = SELECT g.groupname, 'x' AS passwd, g.gid, ARRAY(SELECT p.username FROM userdb_passwd p INNER JOIN userdb_user_group ug ON ug.uid=p.uid WHERE ug.gid = g.gid) AS members FROM userdb_groups g WHERE g.gid =
allgroups = SELECT g.groupname, 'x' AS passwd, g.gid, ARRAY(SELECT p.username FROM userdb_passwd p INNER JOIN userdb_user_group ug ON ug.uid=p.uid WHERE ug.gid = g.gid) AS members FROM userdb_groups g
getgroupmembersbygid = SELECT p.username FROM userdb_passwd p INNER JOIN userdb_user_group ug ON ug.uid=p.uid WHERE ug.gid =
groups_dyn = SELECT ug.gid FROM userdb_user_group ug INNER JOIN userdb_passwd p ON p.uid=ug.uid WHERE p.username = AND =
这需要三个 table:userdb_passwd
、userdb_groups
和 userdb_user_group
,格式如下(取自 dbschema.sql
文件项目):
-- sequences, to deal with the userid and groupids
CREATE SEQUENCE group_id MINVALUE 10000 MAXVALUE 2147483647 NO CYCLE;
CREATE SEQUENCE user_id MINVALUE 10000 MAXVALUE 2147483647 NO CYCLE;
-- group table - all groups
CREATE TABLE "userdb_groups" (
"gid" int4 NOT NULL DEFAULT nextval('group_id'),
"groupname" character varying(16) NOT NULL,
"descr" character varying,
"passwd" character varying(20),
PRIMARY KEY ("gid")
);
-- passwd entry tables - the passwd field is unused because of PAM against userdb_users
CREATE TABLE "userdb_passwd" (
"username" character varying(64) NOT NULL,
"passwd" character varying(128) NOT NULL,
"uid" int4 NOT NULL DEFAULT nextval('user_id'),
"gid" int4 NOT NULL,
"gecos" character varying(128),
"homedir" character varying(256) NOT NULL,
"shell" character varying DEFAULT '/bin/bash' NOT NULL,
PRIMARY KEY ("username")
);
CREATE UNIQUE INDEX passwd_table_uid ON userdb_passwd USING btree (uid);
CREATE TABLE "userdb_user_group" (
"gid" int4 NOT NULL,
"uid" int4 NOT NULL,
PRIMARY KEY ("gid", "uid"),
CONSTRAINT "ug_gid_fkey" FOREIGN KEY ("gid") REFERENCES "userdb_groups"("gid"),
CONSTRAINT "ug_uid_fkey" FOREIGN KEY ("uid") REFERENCES "userdb_passwd"("uid")
);
添加 table 后,您可以加载相关用户。
如果没有用户和组信息,将无法很好地指定用于登录系统的用户帐户,并可能引入漏洞。