Hi,
i tried to use the included PAM-Module for authentication with
my local Shadow Password-File.
I have also tried with the PAM-Module from Henrik Nordström (last version).
Error-Description: "no authentication is possible with the PAM.Module"
see debug-output from Squid:
----------------------------
aclDecodeProxyAuth: cleartext = 'usil:xxxxx'
2002/07/06 11:23:16| aclMatchProxyAuth: checking user 'usil'
2002/07/06 11:23:16| aclMatchProxyAuth: authentication failed for user
'usil'
1. I have succesfull compiled the pam_auth.c file with this command:
"gcc -o pam_auth pam_auth.c -lpam -ldl"
2. I have create the squid-file in the /etc/pam.d Directory with this
contain:
#%PAM-1.0
auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so
3. I have set the SUID Root permission for the pam_auth in
/usr/local/squid/bin:
-rwsr-sr-t 1 root root 18106 Jul 6 11:03 pam_auth
4. I have set the authentication Values in the squid.conf to this values:
- authenticate_program /usr/local/squid/bin/pam_auth
- acl PAM_Auth proxy_auth REQUIRED
- http_access allow PAM_Auth all
5. I have inserted some new test-users into the local password/shadow file.
PS. ALL needed PAM.rpm's are installed (inclusive: pam_devperm.rpm)
Question:
---------
Know someone any errors, or tips for me ???
see also the Debug-output of the authentication Session:
--------------------------------------------------------
2002/07/06 11:23:15| aclCheck: checking 'http_access allow PAM_Auth all'
2002/07/06 11:23:15| aclMatchAclList: checking PAM_Auth
2002/07/06 11:23:15| aclMatchAcl: checking 'acl PAM_Auth proxy_auth
REQUIRED'
2002/07/06 11:23:15| aclDecodeProxyAuth: header = 'Basic
dXNpbDpDSVNDT3NsXzcweA=='
2002/07/06 11:23:15| aclDecodeProxyAuth: cleartext = 'usil:xxxxxxx'
2002/07/06 11:23:15| aclMatchProxyAuth: checking user 'usil'
2002/07/06 11:23:15| aclMatchProxyAuth: user 'usil' not yet known
2002/07/06 11:23:15| aclMatchAclList: returning 0
2002/07/06 11:23:15| aclCheck: checking password via authenticator
2002/07/06 11:23:15| aclDecodeProxyAuth: header = 'Basic
dXNpbDpDSVNDT3NsXzcweA=='
2002/07/06 11:23:15| aclDecodeProxyAuth: cleartext = 'usil:xxxxxxx'
2002/07/06 11:23:15| aclLookupProxyAuthStart: going to ask authenticator on
usil
2002/07/06 11:23:15| authenticateStart: 'usil:xxxxxxx'
2002/07/06 11:23:15| cbdataAdd: 0x86fac90
2002/07/06 11:23:15| cbdataLock: 0x8563500
2002/07/06 11:23:15| cbdataLock: 0x86fac90
2002/07/06 11:23:15| cbdataValid: 0x86fac90
2002/07/06 11:23:15| comm_write: FD 7: sz 17: hndl (nil): data (nil).
2002/07/06 11:23:15| commSetSelect: FD 7 type 2
2002/07/06 11:23:15| commSetSelect: FD 7 type 1
2002/07/06 11:23:15| helperDispatch: Request sent to authenticator #1, 17
bytes
2002/07/06 11:23:15| idnsRead: FD 5: received 123 bytes from 192.168.202.4.
2002/07/06 11:23:15| idnsGrokReply: ID 0xa, -3 answers
2002/07/06 11:23:15| idnsGrokReply: error 3
2002/07/06 11:23:15| cbdataValid: 0x82496e8
2002/07/06 11:23:15| cbdataUnlock: 0x82496e8
2002/07/06 11:23:15| cbdataFree: 0x82496e8
2002/07/06 11:23:15| cbdataReallyFree: Freeing 0x82496e8
2002/07/06 11:23:15| fqdncacheParse: Lookup failed (error 3)
2002/07/06 11:23:15| fqdncacheRelease: Released FQDN record for
'192.168.200.100'.
2002/07/06 11:23:15| comm_poll: 1 FDs ready
2002/07/06 11:23:15| comm_poll: FD 7 ready for writing
2002/07/06 11:23:15| commHandleWrite: FD 7: off 0, sz 17.
2002/07/06 11:23:15| commHandleWrite: write() returns 17
2002/07/06 11:23:15| comm_poll: 0 FDs ready
2002/07/06 11:23:16| comm_poll: 1 FDs ready
2002/07/06 11:23:16| comm_poll: FD 7 ready for reading
2002/07/06 11:23:16| cbdataValid: 0x8282f80
2002/07/06 11:23:16| helperHandleRead: 4 bytes from authenticator #1.
2002/07/06 11:23:16| helperHandleRead: end of reply found
2002/07/06 11:23:16| cbdataValid: 0x86fac90
2002/07/06 11:23:16| authenticateHandleReply: {ERR}
2002/07/06 11:23:16| cbdataValid: 0x8563500
2002/07/06 11:23:16| cbdataUnlock: 0x8563500
2002/07/06 11:23:16| aclLookupProxyAuthDone: result = ERR
2002/07/06 11:23:16| cbdataValid: 0x824bc10
2002/07/06 11:23:16| aclCheck: checking 'http_access allow PAM_Auth all'
2002/07/06 11:23:16| aclMatchAclList: checking PAM_Auth
2002/07/06 11:23:16| aclMatchAcl: checking 'acl PAM_Auth proxy_auth
REQUIRED'
2002/07/06 11:23:16| aclDecodeProxyAuth: header = 'Basic
dXNpbDpDSVNDT3NsXzcweA=='
2002/07/06 11:23:16| aclDecodeProxyAuth: cleartext = 'usil:xxxxxxx'
2002/07/06 11:23:16| aclMatchProxyAuth: checking user 'usil'
2002/07/06 11:23:16| aclMatchProxyAuth: authentication failed for user
'usil'
2002/07/06 11:23:16| aclMatchAclList: returning 0
2002/07/06 11:23:16| cbdataUnlock: 0x824bc10
2002/07/06 11:23:16| aclCheck: match found, returning 2
2002/07/06 11:23:16| aclCheckCallback: answer=2
2002/07/06 11:23:16| cbdataValid: 0x86fc000
2002/07/06 11:23:16| The request GET http://www.suse.de/ is DENIED, because
it matched 'PAM_Auth'
2002/07/06 11:23:16| Access Denied: http://www.suse.de/
2002/07/06 11:23:16| AclMatchedName = PAM_Auth
2002/07/06 11:23:16| storeCreateEntry: 'http://www.suse.de/'
Thanks for any help
Siegbert Laukas
Received on Sat Jul 06 2002 - 07:14:57 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:04 MST