checkpassword-pam works locally, but not through qmail

1

I have checkpassword-pam 0.99, and when I run it locally, as in

echo -e 'testuser\0theuserspassword\0.' | /usr/local/bin/checkpassword-pam -s smtp --debug --stdout /usr/bin/id 3<&0

everything works and I get

Reading username and password
Username 'testuser'
Password read successfully
Initializing PAM library using service name 'smtp'
PAM library initialization succeeded
conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "
Authentication passed
Account management succeeded
Setting PAM credentials succeeded
PAM session opened
PAM session closed
Terminating PAM library
Executing /usr/bin/id
uid=1001(testuser) gid=1001(testuser) groups=1001(testuser)

(If I don't pass --stdout, it logs to auth.log and still succeeds)

When invoked via qmail, it seems that I somehow have a modified library load path, because PAM's dlopen()s don't work:

Dec 28 21:19:43 standby smtp[18229]: Reading username and password
Dec 28 21:19:43 standby smtp[18229]: Username 'testuser'
Dec 28 21:19:43 standby smtp[18229]: Password read successfully
Dec 28 21:19:43 standby smtp[18229]: Initializing PAM library using service name 'smtp'
Dec 28 21:19:43 standby smtp[18229]: PAM unable to dlopen(pam_systemd.so): /lib/security/pam_systemd.so: cannot open shared object file: No such file or directory
Dec 28 21:19:43 standby smtp[18229]: PAM adding faulty module: pam_systemd.so
Dec 28 21:19:43 standby smtp[18229]: PAM library initialization succeeded
Dec 28 21:19:43 standby smtp[18229]: conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "
Dec 28 21:19:43 standby smtp[18229]: pam_unix(smtp:auth): check pass; user unknown
Dec 28 21:19:43 standby smtp[18229]: pam_unix(smtp:auth): authentication failure; logname= uid=64011 euid=0 tty= ruser= rhost=71.217.92.189
Dec 28 21:19:45 standby smtp[18229]: Authentication failed: Authentication failure
Dec 28 21:19:45 standby smtp[18229]: Exiting with status 1

The correct path for pam_systemd.so is /lib/x86_64-linux-gnu/security/pam_systemd.so.

Nothing in the environment block for the qmail-invoked checkpassword-pam seems out of place (via a modification to print everything from the global environ):

Dec 28 21:19:43 standby smtp[18229]: Env: PATH=/command:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/snap/bin
Dec 28 21:19:43 standby smtp[18229]: Env: PWD=/var/qmail/supervise/qmail-smtpd
Dec 28 21:19:43 standby smtp[18229]: Env: SHLVL=0
Dec 28 21:19:43 standby smtp[18229]: Env: XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
Dec 28 21:19:43 standby smtp[18229]: Env: PROTO=TCP
Dec 28 21:19:43 standby smtp[18229]: Env: TCPLOCALIP=an.ip.v4.address
Dec 28 21:19:43 standby smtp[18229]: Env: TCPLOCALPORT=25
Dec 28 21:19:43 standby smtp[18229]: Env: TCPLOCALHOST=fqdn
Dec 28 21:19:43 standby smtp[18229]: Env: TCPREMOTEIP=another.ip.v4.address
Dec 28 21:19:43 standby smtp[18229]: Env: TCPREMOTEPORT=44994
Dec 28 21:19:43 standby smtp[18229]: Env: TCPREMOTEHOST=anotherfqdn

The presence of the TCPREMOTEIP environment variable makes checkpassword-pam set the RHOST value for the PAM session, but I have also tried with that section commented out.

Ubuntu 16.04 x64 from Digital Ocean + daemontools, ucspi-tcp, gcc, libpam0g-dev, libssl-dev, qmail-uids-gids

Custom qmail, custom checkpassword-pam.

# file /var/qmail/bin/qmail-smtpd $(which tcpserver) $(which checkpassword-pam)
/var/qmail/bin/qmail-smtpd:       ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e858c3d33bb8fea26d7618e3ce63c37dc7c0557d, stripped
/usr/bin/tcpserver:               ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.15, BuildID[sha1]=1e727ea57ca4de886e56b6783de7df0190a2ad26, stripped
/usr/local/bin/checkpassword-pam: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8b6e3fffb52cab99526653078e0fd018b5e97a77, not stripped

With nothing in the environment block looking out of place, I can't figure out what is going on. I know I had this working on an Ubuntu server in the past, but I remember it being a frustrating process of failure followed by it working without my understanding why. And now I can't reproduce the path to success.

Edit: ldd output, as requested:

New machine (not working):

$ ldd /usr/local/bin/checkpassword-pam
    linux-vdso.so.1 =>  (0x00007ffc6daf4000)
    libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fa12f54f000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa12f185000)
    libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fa12ef5e000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa12ed5a000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fa12f75d000)

A different Ubuntu machine, where it appears to be working:

$ ldd /usr/local/bin/checkpassword-pam
    linux-vdso.so.1 =>  (0x00007ffd437ab000)
    libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007ff6cfe89000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff6cfab9000)
    libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007ff6cf891000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ff6cf689000)
    /lib64/ld-linux-x86-64.so.2 (0x00007ff6d0099000)

Package information:

$ dpkg -l | grep libpam
ii  libpam-modules:amd64             1.1.8-3.2ubuntu2                             amd64        Pluggable Authentication Modules for PAM
ii  libpam-modules-bin               1.1.8-3.2ubuntu2                             amd64        Pluggable Authentication Modules for PAM - helper binaries
ii  libpam-runtime                   1.1.8-3.2ubuntu2                             all          Runtime support for the PAM library
ii  libpam-systemd:amd64             229-4ubuntu21                                amd64        system and service manager - PAM module
ii  libpam0g:amd64                   1.1.8-3.2ubuntu2                             amd64        Pluggable Authentication Modules library
ii  libpam0g-dev:amd64               1.1.8-3.2ubuntu2                             amd64        Development files for PAM

$ dpkg -l | grep systemd
ii  libpam-systemd:amd64             229-4ubuntu21                                amd64        system and service manager - PAM module
ii  libsystemd0:amd64                229-4ubuntu21                                amd64        systemd utility library
ii  python3-systemd                  231-2build1                                  amd64        Python 3 bindings for systemd
ii  systemd                          229-4ubuntu21                                amd64        system and service manager
ii  systemd-sysv                     229-4ubuntu21                                amd64        system and service manager - SysV links

$ dpkg -S /lib/security/pam_systemd.so
dpkg-query: no path found matching pattern /lib/security/pam_systemd.so

$ ls -ld /lib/security/pam_systemd.so
ls: cannot access '/lib/security/pam_systemd.so': No such file or directory

$ locate pam_systemd.so
/lib/x86_64-linux-gnu/security/pam_systemd.so

$ dpkg -S $(locate pam_systemd.so)
libpam-systemd:amd64: /lib/x86_64-linux-gnu/security/pam_systemd.so

Package results are identical between the failing and the succeeding machines.

    
by bartonjs 28.12.2017 / 22:35

1 answer

0

Check

debconf-show libpam-runtime

Is PAM using systemd?

Yes - check

/etc/pam.d/common-session

No? Remove systemd

pam-auth-update --package --remove systemd
    
by 03.01.2018 / 14:06
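
An added example, not part of the original question or answer: a shell check that walks a PAM service file (following `@include`, `include` and `substack`) and reports every module the stack names that is absent from a given module directory, which is the condition behind the "PAM adding faulty module" log line above. The function names `pam_stack_modules`, `pam_missing_modules` and `demo` are hypothetical, and the sample `pam.d` tree is constructed.

```shell
#!/bin/sh
# pam_stack_modules SERVICE PAM_D_DIR -> module names used by the stack, one per line
pam_stack_modules() {
    awk -v dir="$2" -v svc="$1" '
    function walk(name,    f, line, t, n, i) {
        f = dir "/" name
        if (f in seen) return               # guard against include loops
        seen[f] = 1
        while ((getline line < f) > 0) {
            sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)
            n = split(line, t, /[ \t]+/)
            if (n < 2) continue
            if (t[1] == "@include") { walk(t[2]); continue }
            i = 2                           # control field, may be "[a=b c=d]"
            if (t[2] ~ /^\[/) while (i < n && t[i] !~ /\]$/) i++
            if (i >= n) continue            # no module field on this line
            if (t[2] == "include" || t[2] == "substack") walk(t[3])
            else print t[i + 1]
        }
        close(f)
    }
    BEGIN { walk(svc) }'
}

# pam_missing_modules SERVICE PAM_D_DIR MODULE_DIR -> modules not found on disk
pam_missing_modules() {
    pam_stack_modules "$1" "$2" | sort -u | while read -r m; do
        case $m in /*) p=$m ;; *) p=$3/$m ;; esac
        [ -e "$p" ] || echo "$m"
    done
}

# Constructed sample tree: an smtp service that pulls in common-session,
# which names pam_systemd.so, a module missing from the module directory.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/pam.d" "$t/security"
    printf '%s\n' 'auth required pam_unix.so' '@include common-session' > "$t/pam.d/smtp"
    printf '%s\n' 'session [success=1 default=ignore] pam_permit.so' \
                  'session optional pam_systemd.so' > "$t/pam.d/common-session"
    : > "$t/security/pam_unix.so"; : > "$t/security/pam_permit.so"
    pam_missing_modules smtp "$t/pam.d" "$t/security"
    rm -rf "$t"
}
demo   # prints: pam_systemd.so
```

On a real host, running `pam_missing_modules smtp /etc/pam.d /lib/security` and then again with `/lib/x86_64-linux-gnu/security` shows which modules are missing from each of the two directories that appear in the question.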