I have checkpassword-pam 0.99, and when I run it locally, as in

echo -e 'testuser\0theuserspassword\0.' | /usr/local/bin/checkpassword-pam -s smtp --debug --stdout /usr/bin/id 3<&0

everything works and I get

Reading username and password
Username 'testuser'
Password read successfully
Initializing PAM library using service name 'smtp'
PAM library initialization succeeded
conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "
Authentication passed
Account management succeeded
Setting PAM credentials succeeded
PAM session opened
PAM session closed
Terminating PAM library
Executing /usr/bin/id
uid=1001(testuser) gid=1001(testuser) groups=1001(testuser)

(If I don't use --stdout, it logs to auth.log and still succeeds.)

When invoked via qmail, it looks like I somehow have a modified library load path, because PAM's dlopen()s don't work:

Dec 28 21:19:43 standby smtp[18229]: Reading username and password
Dec 28 21:19:43 standby smtp[18229]: Username 'testuser'
Dec 28 21:19:43 standby smtp[18229]: Password read successfully
Dec 28 21:19:43 standby smtp[18229]: Initializing PAM library using service name 'smtp'
Dec 28 21:19:43 standby smtp[18229]: PAM unable to dlopen(pam_systemd.so): /lib/security/pam_systemd.so: cannot open shared object file: No such file or directory
Dec 28 21:19:43 standby smtp[18229]: PAM adding faulty module: pam_systemd.so
Dec 28 21:19:43 standby smtp[18229]: PAM library initialization succeeded
Dec 28 21:19:43 standby smtp[18229]: conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "
Dec 28 21:19:43 standby smtp[18229]: pam_unix(smtp:auth): check pass; user unknown
Dec 28 21:19:43 standby smtp[18229]: pam_unix(smtp:auth): authentication failure; logname= uid=64011 euid=0 tty= ruser= rhost=71.217.92.189
Dec 28 21:19:45 standby smtp[18229]: Authentication failed: Authentication failure
Dec 28 21:19:45 standby smtp[18229]: Exiting with status 1

since the correct path for pam_systemd.so is /lib/x86_64-linux-gnu/security/pam_systemd.so.

Nothing in the environment block for the qmail-invoked checkpassword-pam seems out of place (via a modification to print everything from the environ global):

Dec 28 21:19:43 standby smtp[18229]: Env: PATH=/command:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/snap/bin
Dec 28 21:19:43 standby smtp[18229]: Env: PWD=/var/qmail/supervise/qmail-smtpd
Dec 28 21:19:43 standby smtp[18229]: Env: SHLVL=0
Dec 28 21:19:43 standby smtp[18229]: Env: XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
Dec 28 21:19:43 standby smtp[18229]: Env: PROTO=TCP
Dec 28 21:19:43 standby smtp[18229]: Env: TCPLOCALIP=an.ip.v4.address
Dec 28 21:19:43 standby smtp[18229]: Env: TCPLOCALPORT=25
Dec 28 21:19:43 standby smtp[18229]: Env: TCPLOCALHOST=fqdn
Dec 28 21:19:43 standby smtp[18229]: Env: TCPREMOTEIP=another.ip.v4.address
Dec 28 21:19:43 standby smtp[18229]: Env: TCPREMOTEPORT=44994
Dec 28 21:19:43 standby smtp[18229]: Env: TCPREMOTEHOST=anotherfqdn

The presence of the TCPREMOTEIP environment variable makes checkpassword-pam set the RHOST value for the PAM session, but I have also tried with that section commented out.

Ubuntu 16.04 x64 from Digital Ocean + daemontools, ucspi-tcp, gcc, libpam0g-dev, libssl-dev, qmail-uids-gids
Custom qmail, custom checkpassword-pam.

# file /var/qmail/bin/qmail-smtpd `which tcpserver` `which checkpassword-pam`
/var/qmail/bin/qmail-smtpd: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e858c3d33bb8fea26d7618e3ce63c37dc7c0557d, stripped
/usr/bin/tcpserver: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.15, BuildID[sha1]=1e727ea57ca4de886e56b6783de7df0190a2ad26, stripped
/usr/local/bin/checkpassword-pam: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8b6e3fffb52cab99526653078e0fd018b5e97a77, not stripped

With nothing in the environment block looking out of place, I can't figure out what is going on. I know I had this working on an Ubuntu server in the past, but I remember it being a frustrating process of failure followed by it working without my understanding why. And now I can't reproduce the path to success.

Edit: ldd output, as requested:

New machine (not working):

$ ldd /usr/local/bin/checkpassword-pam
linux-vdso.so.1 => (0x00007ffc6daf4000)
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fa12f54f000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa12f185000)
libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fa12ef5e000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa12ed5a000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa12f75d000)

A different Ubuntu machine, where it seems to be working:

$ ldd /usr/local/bin/checkpassword-pam
linux-vdso.so.1 => (0x00007ffd437ab000)
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007ff6cfe89000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff6cfab9000)
libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007ff6cf891000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ff6cf689000)
/lib64/ld-linux-x86-64.so.2 (0x00007ff6d0099000)

Package information:

$ dpkg -l | grep libpam
ii libpam-modules:amd64 1.1.8-3.2ubuntu2 amd64 Pluggable Authentication Modules for PAM
ii libpam-modules-bin 1.1.8-3.2ubuntu2 amd64 Pluggable Authentication Modules for PAM - helper binaries
ii libpam-runtime 1.1.8-3.2ubuntu2 all Runtime support for the PAM library
ii libpam-systemd:amd64 229-4ubuntu21 amd64 system and service manager - PAM module
ii libpam0g:amd64 1.1.8-3.2ubuntu2 amd64 Pluggable Authentication Modules library
ii libpam0g-dev:amd64 1.1.8-3.2ubuntu2 amd64 Development files for PAM
$ dpkg -l | grep systemd
ii libpam-systemd:amd64 229-4ubuntu21 amd64 system and service manager - PAM module
ii libsystemd0:amd64 229-4ubuntu21 amd64 systemd utility library
ii python3-systemd 231-2build1 amd64 Python 3 bindings for systemd
ii systemd 229-4ubuntu21 amd64 system and service manager
ii systemd-sysv 229-4ubuntu21 amd64 system and service manager - SysV links
$ dpkg -S /lib/security/pam_systemd.so
dpkg-query: no path found matching pattern /lib/security/pam_systemd.so
$ ls -ld /lib/security/pam_systemd.so
ls: cannot access '/lib/security/pam_systemd.so': No such file or directory
$ locate pam_systemd.so
/lib/x86_64-linux-gnu/security/pam_systemd.so
$ dpkg -S `locate pam_systemd.so`
libpam-systemd:amd64: /lib/x86_64-linux-gnu/security/pam_systemd.so

Identical package results between the failing and succeeding machines.

Check
debconf-show libpam-runtime
Is PAM using systemd?
Yes: check
/etc/pam.d/common-session
No? Remove systemd:
pam-auth-update --package --remove systemd
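
One way to check a PAM service stack for modules that are absent from the directory libpam reports trying, as in the dlopen() error in the question. This is an added example, not part of the original posts; the function names pam_modules and pam_missing_modules and the fixture files are constructed for illustration.

```shell
# List every module named in a PAM service file, following @include/include/substack.
pam_modules() {  # usage: pam_modules SERVICE_FILE CONFDIR
    awk -v file="$1" -v dir="$2" '
    function scan(path,   line, n, f, i) {
        if (path in seen) return              # guard against include loops
        seen[path] = 1
        while ((getline line < path) > 0) {
            sub(/#.*/, "", line)              # strip comments
            n = split(line, f, " ")
            if (n < 2) continue
            if (f[1] == "@include") { scan(dir "/" f[2]); continue }
            if (f[2] == "include" || f[2] == "substack") { scan(dir "/" f[3]); continue }
            i = 2                             # a bracketed control field may contain spaces
            if (f[2] ~ /^\[/) while (i < n && f[i] !~ /\]$/) i++
            if (i < n) print f[i + 1]
        }
        close(path)
    }
    BEGIN { scan(file) }'
}
# Print the modules that are present in none of the given module directories.
pam_missing_modules() {  # usage: pam_missing_modules SERVICE_FILE CONFDIR MODDIR...
    svc=$1 conf=$2; shift 2
    pam_modules "$svc" "$conf" | sort -u | while read -r mod; do
        found=no
        for d in "$@"; do
            case $mod in /*) p=$mod ;; *) p=$d/$mod ;; esac
            if [ -e "$p" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then echo "$mod"; fi
    done
}
# Constructed fixture (not the poster's files): pam_systemd.so exists only in the
# multiarch directory, while the session stack refers to it by bare name.
make_fixture() {
    t=$(mktemp -d); m=$t/lib/x86_64-linux-gnu/security
    mkdir -p "$t/pam.d" "$t/lib/security" "$m"
    printf '%s\n' 'auth [success=1 default=ignore] pam_unix.so nullok' \
        '@include common-session' > "$t/pam.d/smtp"
    printf '%s\n' '# constructed sample' 'session required pam_unix.so' \
        'session optional pam_systemd.so' > "$t/pam.d/common-session"
    touch "$m/pam_unix.so" "$m/pam_systemd.so" "$t/lib/security/pam_unix.so"
    echo "$t"
}
fx=$(make_fixture)
echo "missing under lib/security only: $(pam_missing_modules "$fx/pam.d/smtp" "$fx/pam.d" "$fx/lib/security")"
rm -rf "$fx"
```

On a real host the same function can be pointed at /etc/pam.d/smtp, /etc/pam.d and the directory named in the "unable to dlopen" log line.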