IDS Forum
RE: how to setup PAM Kerberose on IDS 10.FC6
Posted By: Jim Cramer Date: Wednesday, 23 May 2007, at 11:59 a.m.
In Response To: RE: how to setup PAM Kerberose on IDS 10.FC6 (Nilesh Ozarkar)
Nilesh,
You are right. The change that you suggest is a better
way to test if PAM is functioning with pam_unix (/etc/passwd
file) as the authentication service and, at the same time,
to test if the Kerberos authentication service is also working.
Thank you for pointing that out.
I just found out what is going on and why PAM on the IDS 10.x
server was not working. Please see my next post, which is
a reply to an earlier post of yours on this topic.
Regards,
Jim
> -----Original Message-----
> From: ids-bounces@iiug.org [mailto:ids-bounces@iiug.org] On
> Behalf Of Nilesh Ozarkar
> Sent: Monday, May 21, 2007 6:31 PM
> To: ids@iiug.org
> Subject: RE: how to setup PAM Kerberose on IDS 10.FC6 [9208]
>
> Hi Jim,
>
> Looking at your /etc/pam.conf I see that the pam_pass service is
> stacked (same service name with 3 entries) and the control_flag
> (3rd field, which determines the behavior of stacking) is
> set to 'required' for all. So if any one of those modules fails,
> PAM will return failure. I suggest you update the control_flag
> for the Kerberos module to 'optional'; that way, even if it fails,
> its error is ignored and your basic test to validate PAM in
> password mode using pam_unix will succeed.
>
> > pam_pass auth required libpam_hpsec.so.1 debug
> > pam_pass auth required libpam_unix.so.1 debug
> > pam_pass auth required libpam_krb5.so.1 debug
>
> change to
>
> > pam_pass auth required libpam_hpsec.so.1 debug
> > pam_pass auth required libpam_unix.so.1 debug
> > pam_pass auth optional libpam_krb5.so.1 debug
>
> For more details on stacking and control_flag refer to 'man pam.conf'
>
> Regards,
>
> Nilesh
>
> ids-bounces@iiug.org wrote on 05/18/2007 03:58:49 PM:
>
> > Hi Nilesh (or Martin F, or anyone who has used PAM with IDS),
> >
> > Thanks for answering my question about PAM and for the
> > suggestion of using libpam_unix.so and /etc/passwd as a test that the basic
> > PAM framework functionality is working before I move on to trying
> > krb5.
> >
> > Unfortunately, this test did not work. In fact, I have
> > added the debug keyword after my PAM library in pam.conf and I have
> > configured my syslog.conf file to log DEBUG-level messages.
> > When I then connect to the server I do not get any messages
> > logged in syslog.log. It is as though IDS is not even trying to use
> > PAM. I must be missing something basic here. Can you help?
> >
> > Here is the hpux 11.23 Itanium /etc/pam.conf configuration I used
> > (note, I do have the TAB character after pam_pass and after
> > "auth required"):
> > pam_pass auth required libpam_hpsec.so.1 debug
> > pam_pass auth required libpam_unix.so.1 debug
> > pam_pass auth required libpam_krb5.so.1 debug
> >
> > and here is my sqlhosts entry:
> > tidsidcard onsoctcp xxx.xxx.xx.xx sqltidsidcard s=4,pam_serv=(pam_pass),pamauth=(password)
> >
> > Also, at the end of your message below you said:
> > "BTW, what type of client you are using (ESQLC/ODBC/JDBC) ?
> > does that client version support PAM or not ? "
> >
> > but you also said in response to my point (3) below that if
> > I am using PAM Password Mode and my client explicitly connects with
> > the password, that my client does not need any modifications to support
> > PAM in this way.
> >
> > Your "BTW..." statement seems to contradict what you said in
> > your answer to (3). I am probably just confused.
> >
> > I am trying to test PAM with the I-Connect and DBPing from Windows
> > CSDK 2.70.
> >
> > Again, even though that version is old and does not
> > "support PAM", it should not have to unless I use PAM Challenge Mode.
> >
> > Is my understanding of this still correct?
> >
> > Thank you for your help,
> >
> > Jim Cramer
> > Univ of Iowa
> >
> > > -----Original Message-----
> > > From: ids-bounces@iiug.org [mailto:ids-bounces@iiug.org]
> On Behalf
> > > Of Nilesh Ozarkar
> > > Sent: Wednesday, May 09, 2007 10:31 PM
> > > To: ids@iiug.org
> > > Subject: Re: how to setup PAM Kerberose on IDS 10.FC6 [9112]
> > >
> > > ids-bounces@iiug.org wrote on 05/09/2007 01:49:46 PM:
> > >
> > > > Hi Martin Fuerderer (and anyone else who is kind enough
> > > > to help out),
> > > >
> > > > Last Oct, you posted the below note to the ids@iiug list
> > > > about how to set up PAM for the Informix IDS server.
> > > >
> > > > I am trying to get PAM working on IDS and need some help.
> > > > I have tried but keep getting this message in online.log:
> > > > "listener-thread: err = -952: oserr = 0: errstr =
> > > > jcramer@a-coe002.engr.uiowa.edu: User
> > > > (jcramer@a-coe002.engr.uiowa.edu)'s
> > > > password is not correct for the database server."
> > > >
> > > > I am using:
> > > > IDS 10.00.FC6
> > > > HP-UX B.11.23 U ia64
> > > >
> > > > 1) I am trying to use pam_krb5 authentication via our Kerberos
> > > > Security Server
> > > >
> > > > 2) I am trying to use IDS in the PAM "Simple Password
> > > > Authentication" pamauth mode
> > > >
> > > > 3) I want to use my existing clients without modification. My
> > > > understanding is that they need modification only when PAM is
> > > > operating in the "Challenge" pamauth mode and that the Krb5
> > > > authentication service does not utilize a Challenge-Response behavior.
> > > > Thus, I assumed that none of my clients will require modification in
> > > > order to use IDS-PAM this way.
> > > >
> > > > Is this assumption correct?
> > >
> > > Yes [But, in case of password mode, application should connect
> > > explicitly with password.]
> > >
> > > >
> > > > 4) HPUX has an hpux-specific PAM module called
> > > > pam_hpsec. Its man page says
> > > >
> > > > "The use of pam_hpsec is mandatory for services like login,
> > > > dtlogin, ftp, remsh/rexec and ssh. It is required that these
> > > > services stack this module on the top of the stack above one or more
> > > > non-optional modules such as pam_unix, pam_krb5, or pam_ldap. Application
> > > > writers and system administrators must consider whether it is
> > > > appropriate to use pam_hpsec for any given application. This module is
> > > > specific to HP-UX, and the functionality may vary significantly between
> > > > releases."
> > > >
> > > > Do you know if this is required for IDS, which in my
> > > > case is the "application that they are referring to", in order to use PAM?
> > >
> > > No. [although you could use it with IDS if you want to.]
> > >
> > > >
> > > > 5) From what little I have found on IDS PAM from the
> > > > IBM/Informix support site, IIUG site, developerWorks, various
> > > > Informix-related blogs, I found one reference which claims that something
> > > > needs to be put in the IDS concsm.cfg file when using PAM. It is in the IBM
> > > > Redbook:
> > > > http://www.redbooks.ibm.com/abstracts/sg247299.html?Open
> > > >
> > > > on page 250, 2nd paragraph under section 8.5.1.
> > > >
> > > > Is this true??? If so, is there a reference to PAM-specific
> > > > configurations in concsm.cfg? The IDS10 Admin Guide/Ref
> > > > does not have anything about PAM in its section on this file.
> > > > I have not found any other IDS PAM references to using this file.
> > >
> > > No, concsm.cfg is not needed for PAM.
> > > It's needed only if you want to enable password encryption or
> > > network (client/server communication) encryption.
> > >
> > > >
> > > > Here is my configuration:
> > > >
> > > > In sqlhosts I have:
> > > > tidsidcard onsoctcp xxx.xxx.xxx.xxx sqltidsidcard s=4,pam_serv=(ifmx),pamauth=(password)
> > > >
> > > > In /etc/pam.conf I have:
> > > > ifmx auth required /usr/lib/security/hpux64/libpam_krb5.so.1 debug
> > > >
> > >
> > > I don't have Kerberos set up, but I tried using
> > > libpam_unix.so.1 and it worked.
> > > Here is what my config looks like.
> > >
> > > ---/etc/pam.conf---
> > > idspam auth required libpam_unix.so.1
> > >
> > > ---sqlhosts.pam---
> > > ol_nilesho onsoctcp hpia64 999101
> > > s=4,pam_serv=(idspam),pamauth=(password)
> > >
> > > Could you try using libpam_unix.so.1? Because if that works, then the
> > > problem could be related to the Kerberos setup or the libpam_krb5.so.1
> > > module itself.
> > > BTW, what type of client are you using (ESQLC/ODBC/JDBC)?
> > > Does that client version support PAM or not?
> > >
> > > Regards,
> > >
> > > - Nilesh -
> > >
> > > > Thanks for any assistance that you can provide.
> > > >
> > > > Jim Cramer
> > > > University of Iowa
> > > >
> > > >
> > > --------------------------------------------------------------------------
> > >
> > >
> > > > Hi,
> > > >
> > > > sorry for the late reply ... :-(
> > > >
> > > > Following is an example about how to do a basic setup. It's a
> > > > cut&paste from an internal www-page that I once created on this
> > > > topic. I hope it is readable and understandable
> > > > anyway:
> > > >
> > > > --------------------------------------------------------------
> > > > OS Setup for PAM
> > > >
> > > > PAMs typically reside as shared libs in /usr/lib/security. The
> > > > configuration for each PAM is in /etc/pam.conf. On Linux however,
> > > > if directory /etc/pam.d exists, then each module has its own
> > > > configuration file in this directory and /etc/pam.conf is ignored.
> > > >
> > > > The following example illustrates a possible configuration for a
> > > > single PAM:
> > > >
> > > > The service name of the PAM is "pam_chal"
> > > > and the shared library implementing it is
> > > > /usr/lib/security/pam_chal.so. The configuration for this PAM
> > > > service consists of the following two lines:
> > > >
> > > > pam_chal <TAB> auth required <TAB> /usr/lib/security/pam_chal.so
> > > > pam_chal <TAB> account required <TAB> /usr/lib/security/pam_chal.so
> > > >
> > > > where <TAB> denotes a tab character. This may be necessary, since
> > > > it could be possible that the middle parameter in the line
> > > > consists of only one token, which might confuse the parser when
> > > > reading the configuration. These two lines are in /etc/pam.conf.
> > > > On Linux, if the directory /etc/pam.d exists, they should be
> > > > placed in file /etc/pam.d/pam_chal.
> > > >
> > > > IDS Setup for PAM
> > > >
> > > > To make a specific IDS server name PAM-enabled, a new set of
> > > > additional parameters is used in the sqlhosts file for this server
> > > > name. The parameters are:
> > > >
> > > > s=4,pam_serv=(...),pamauth=(...)
> > > >
> > > > Example 1:
> > > >
> > > > mfu1_pam ontlitcp onbarfix s=4,pam_serv=(pam_chal),pamauth=(challenge)
> > > >
> > > > This line in the sqlhosts file will set up the server name mfu1_pam
> > > > to use the PAM with the service name pam_chal. The authentication
> > > > mode for this server name will be challenge, so clients connecting
> > > > to this servername must be prepared to handle a PAM challenge.
> > > >
> > > > Example 2:
> > > >
> > > > mfu1_pam ontlitcp onbarfix s=4,pam_serv=(other),pamauth=(password)
> > > >
> > > > This line in the sqlhosts file will set up the server name mfu1_pam
> > > > to use the PAM with the service name other which usually is
> > > > implemented by the system provided PAM module pam_unix.so. The
> > > > authentication mode for this server name will be password, so
> > > > clients connecting to this servername must be prepared to provide
> > > > the password with the connection request. Implicit connections
> > > > will be rejected.
> > > > --------------------------------------------------------------
> > > >
> > > > Regards,
> > > > Martin
> > > > --
> > > > Martin Fuerderer
> > > > IBM Informix Development Munich, Germany
> > > >
> > > >
> > > >
> > >
> > > > Forum Note: Use "Reply" to post a response in the discussion forum.
> > > >
> > >
>
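The control_flag stacking that Nilesh describes (three `required` entries versus `optional` for the Kerberos module) and the `s=4,pam_serv=(...),pamauth=(...)` sqlhosts parameters from Martin's setup notes, as an added Python model. This is not code from the thread, from IDS or from HP-UX: it parses pam.conf-style lines, evaluates one service's stack under the standard `required`/`requisite`/`sufficient`/`optional` semantics, and reads the `pam_serv` name out of an sqlhosts options field so the two files can be checked against each other. The per-module outcomes, the constructed configs, the `NO_MODULE_FOR_SERVICE` result and the `s=4` check are assumptions for illustration, not behaviour verified against a real IDS server.

```python
"""Added example: a simplified model of PAM stack evaluation (not part of the
thread, IDS or HP-UX). It shows why three 'required' modules fail as a whole
when libpam_krb5 fails, and why making krb5 'optional' lets the pam_unix test
succeed, without needing a PAM-enabled server."""
import re

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
# Modelled result for "sqlhosts names a service with no pam.conf entries";
# the real error code depends on the PAM implementation (assumption).
PAM_NO_MODULE = "NO_MODULE_FOR_SERVICE"
CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional")


def parse_pam_conf(text):
    """Parse pam.conf lines: service  type  control_flag  module [args...].
    Fields are separated by tabs or spaces; '#' starts a comment.
    Returns entries in file order, which is the stack order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, module, *args = fields
        control = control.lower()
        if control not in CONTROL_FLAGS:
            raise ValueError("unknown control_flag %r in: %r" % (control, raw))
        entries.append({"service": service, "type": mtype, "control": control,
                        "module": module, "args": args})
    return entries


def evaluate_stack(entries, service, module_results, mtype="auth"):
    """Apply the control_flag semantics to one service's stack.
    module_results maps module name -> the result that module would return;
    a module with no entry is treated as failing (e.g. library not found).
    Returns (final_result, trace) with trace = [(module, control, result)]."""
    stack = [e for e in entries if e["service"] == service and e["type"] == mtype]
    if not stack:
        return PAM_NO_MODULE, []
    first_required_failure = None
    trace = []
    for e in stack:
        result = module_results.get(e["module"], PAM_AUTH_ERR)
        control = e["control"]
        trace.append((e["module"], control, result))
        if control == "requisite" and result != PAM_SUCCESS:
            return result, trace            # requisite: fail immediately
        if control == "required" and result != PAM_SUCCESS:
            if first_required_failure is None:
                first_required_failure = result   # remembered; later modules still run
        if control == "sufficient" and result == PAM_SUCCESS:
            if first_required_failure is None:
                return PAM_SUCCESS, trace   # sufficient: short-circuit success
        # optional: result ignored unless the stack holds nothing else
    if first_required_failure is not None:
        return first_required_failure, trace
    if all(e["control"] == "optional" for e in stack):
        return trace[-1][2], trace          # only optional modules: last result decides
    return PAM_SUCCESS, trace


def sqlhosts_pam_options(options):
    """Extract pam_serv and pamauth from an IDS sqlhosts options field such as
    's=4,pam_serv=(pam_pass),pamauth=(password)'. Returns (service, mode)."""
    opts = dict(re.findall(r"(\w+)=\(?([^,()]*)\)?", options))
    if opts.get("s") != "4":          # assumption: s=4 is what enables PAM here
        raise ValueError("PAM requires s=4 in the sqlhosts options field")
    if opts.get("pamauth") not in ("password", "challenge"):
        raise ValueError("pamauth must be password or challenge")
    return opts["pam_serv"], opts["pamauth"]


def check_sqlhosts_against_pam_conf(sqlhosts_options, pam_conf_text, module_results):
    """Tie the two files together: pam_serv in sqlhosts selects the stack."""
    service, _mode = sqlhosts_pam_options(sqlhosts_options)
    return evaluate_stack(parse_pam_conf(pam_conf_text), service, module_results)


# Constructed configs reproducing the thread's three-entry pam_pass stack.
ORIGINAL_CONF = """
pam_pass\tauth required\tlibpam_hpsec.so.1 debug
pam_pass\tauth required\tlibpam_unix.so.1 debug
pam_pass\tauth required\tlibpam_krb5.so.1 debug
"""
SUGGESTED_CONF = ORIGINAL_CONF.replace("required\tlibpam_krb5", "optional\tlibpam_krb5")

# Constructed outcomes: hpsec and unix accept the password, krb5 fails
# (wrong principal, unreachable KDC, or a broken module).
KRB5_FAILING = {"libpam_hpsec.so.1": PAM_SUCCESS,
                "libpam_unix.so.1": PAM_SUCCESS,
                "libpam_krb5.so.1": PAM_AUTH_ERR}

if __name__ == "__main__":
    opts = "s=4,pam_serv=(pam_pass),pamauth=(password)"
    for label, conf in (("all required", ORIGINAL_CONF), ("krb5 optional", SUGGESTED_CONF)):
        result, trace = check_sqlhosts_against_pam_conf(opts, conf, KRB5_FAILING)
        print(label, "->", result)
        for module, control, r in trace:
            print("   ", control.ljust(10), module.ljust(20), r)
    # sqlhosts naming a service that pam.conf does not define at all
    print(check_sqlhosts_against_pam_conf("s=4,pam_serv=(ifmx),pamauth=(password)",
                                          ORIGINAL_CONF, KRB5_FAILING)[0])
```

Two things the trace makes visible. With `required`, every module in the stack still runs after the first failure, so the `debug` argument on each line (as in the posted pam.conf) is the right way to find out which one actually rejected the login. And `optional` on the Kerberos line is a diagnostic setting only: it turns pam_krb5 into a no-op for the decision, so once the pam_unix test passes the flag should go back to `required` before the service is exposed to real users.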