这是我对pam_pgsql.conf的配置
host = localhost
database = x
user = xx
password = xxx
table = userdb_user
user_column = username
pwd_column = password
pw_type = clear
debug = 1
这是我对sshd的配置
session required pam_pgsql.so debug
auth required pam_pgsql.so debug
account required pam_pgsql.so debug
password required pam_pgsql.so debug
执行密码查询是因为我在 / var / log / postgresql
中有此密码2015-12-07 12:00:02 CET [5603-1] db LOG: Ausführen <unnamed>: select password from userdb_user where username = $1
2015-12-07 12:00:02 CET [5603-2] db DETAIL: Parameter: $1 = 'admin'
我总是在/var/log/auth.log
中得到这个PAM_pgsql[5788]: couldn't authenticate user admin
我真的不知道问题是什么了,因为密码查询达到数据库级别并执行,如上面的pgsql日志所示!!
答案 0 :(得分:3)
您指定的配置指出要检查表password的列userdb_user以获取密码的纯文本匹配 - 即字段密码将包含未加密的密码的版本,它还将验证用户名。
在不知道数据的情况下,您必须遵循通常的试错检查:
检查用户名和密码是否可以登录到相关数据库:
psql -h localhost -U xx x
使用您指定的用户名和密码检查数据库是否存在,表是否存在:
select password from userdb_user where username='admin'
检查输入的密码是否与userdb_user表格中返回的密码相匹配 - 它们是纯文本匹配。
还有一个ssh要求是,用户帐户必须有passwd条目 - 即getent passwd admin必须返回一些数据。
您可以使用libnss-pgsql模块(也称为sysauth-pgsql)为用户配置passwd和group条目。
在这种情况下,您需要在pgsql和/etc/nsswitch.conf行的passwd文件中添加group,以便他们阅读以下内容:
passwd: compat pgsql
group: compat pgsql
这会将名称服务开关配置为开始查找pgsql以获取帐户信息 - 您必须重新启动sshd才能获取此更改。
然后添加引用postgres数据库的/etc/nss-pgsql.conf文件:
connectionstring = hostaddr=127.0.0.1 dbname=x user=xx password=xxx connect_timeout=1
getpwnam = SELECT p.username, '*' AS passwd, p.username, p.homedir, p.shell, p.uid, p.gid FROM userdb_passwd p WHERE p.username = $1
getpwuid = SELECT p.username, '*' AS passwd, p.username, p.homedir, p.shell, p.uid, p.gid FROM userdb_passwd p WHERE p.uid = $1
allusers = SELECT p.username, '*' AS passwd, p.username, p.homedir, p.shell, p.uid, p.gid FROM userdb_passwd p
getgrnam = SELECT g.groupname, 'x' AS passwd, g.gid, ARRAY(SELECT p.username FROM userdb_passwd p INNER JOIN userdb_user_group ug ON ug.uid=p.uid WHERE ug.gid = g.gid) AS members FROM userdb_groups g WHERE g.groupname = $1
getgrgid = SELECT g.groupname, 'x' AS passwd, g.gid, ARRAY(SELECT p.username FROM userdb_passwd p INNER JOIN userdb_user_group ug ON ug.uid=p.uid WHERE ug.gid = g.gid) AS members FROM userdb_groups g WHERE g.gid = $1
allgroups = SELECT g.groupname, 'x' AS passwd, g.gid, ARRAY(SELECT p.username FROM userdb_passwd p INNER JOIN userdb_user_group ug ON ug.uid=p.uid WHERE ug.gid = g.gid) AS members FROM userdb_groups g
getgroupmembersbygid = SELECT p.username FROM userdb_passwd p INNER JOIN userdb_user_group ug ON ug.uid=p.uid WHERE ug.gid = $1
groups_dyn = SELECT ug.gid FROM userdb_user_group ug INNER JOIN userdb_passwd p ON p.uid=ug.uid WHERE p.username = $1 AND $2 = $2
这需要以下表格中的三个表格:userdb_passwd,userdb_groups和userdb_user_group(这取自项目的dbschema.sql文件):
-- sequences, to deal with the userid and groupids
CREATE SEQUENCE group_id MINVALUE 10000 MAXVALUE 2147483647 NO CYCLE;
CREATE SEQUENCE user_id MINVALUE 10000 MAXVALUE 2147483647 NO CYCLE;
-- group table - all groups
CREATE TABLE "userdb_groups" (
"gid" int4 NOT NULL DEFAULT nextval('group_id'),
"groupname" character varying(16) NOT NULL,
"descr" character varying,
"passwd" character varying(20),
PRIMARY KEY ("gid")
);
-- passwd entry tables - the passwd field is unused because of PAM against userdb_users
CREATE TABLE "userdb_passwd" (
"username" character varying(64) NOT NULL,
"passwd" character varying(128) NOT NULL,
"uid" int4 NOT NULL DEFAULT nextval('user_id'),
"gid" int4 NOT NULL,
"gecos" character varying(128),
"homedir" character varying(256) NOT NULL,
"shell" character varying DEFAULT '/bin/bash' NOT NULL,
PRIMARY KEY ("username")
);
CREATE UNIQUE INDEX passwd_table_uid ON userdb_passwd USING btree (uid);
CREATE TABLE "userdb_user_group" (
"gid" int4 NOT NULL,
"uid" int4 NOT NULL,
PRIMARY KEY ("gid", "uid"),
CONSTRAINT "ug_gid_fkey" FOREIGN KEY ("gid") REFERENCES "userdb_groups"("gid"),
CONSTRAINT "ug_uid_fkey" FOREIGN KEY ("uid") REFERENCES "userdb_passwd"("uid")
);
添加表格后,您可以加载相关用户。
如果没有用户和组信息,用户帐户将无法正确指定登录系统并可能引入漏洞。