SLES 12 SP2 How to debug the PAM stack



bfay
04-Sep-2018, 19:53
I have a client that has made many changes in the PAM files and now the things they want to be configured do not work.

How can one debug the PAM stack and see how it behaves while we try to log in from different sources such as ssh, su, sudo, login, etc.?

Google has not been very useful so far. I hope there is a way to do it.

Environment:
pgiststinf06:~ # lsb_release -a
LSB Version: n/a
Distributor ID: SUSE
Description: SUSE Linux Enterprise Server for SAP Applications 12 SP2
Release: 12.2
Codename: n/a

pgiststinf06:~ # arch
ppc64le


Thanks,

jmozdzen
05-Sep-2018, 11:53
Hi bfay,

have you seen https://serverfault.com/questions/249671/switch-on-pam-debugging-to-syslog ? Once you've configured syslog to also show debug-level messages, creating /etc/pam_debug (i.e. via "touch /etc/pam_debug") will turn on debug for *all* pam modules at once. Of course, there's a debug option for most (if not all) modules all by itself, so you could try to debug only those modules suspicious of adding to the problems you're after...

I've not tested /etc/pam_debug myself, though, so YMMV.

Regards,
J

bfay
05-Sep-2018, 12:53
Thanks jmozdzen,

I saw this possible solution but it does not work. It seems to be an old solution which has been deprecated. The log was not talkative at all.

My actual problem is pam_tally2 not resetting the failure counter after a successful login. On a plain installation of SLES12 it is working but not on systems modified by my client. The man page of pam_tally2 does not mention a debug option but I am going to give it a try in case it is an undocumented feature.

I'll keep searching.

Thanks

jmozdzen
05-Sep-2018, 13:13
Hi bfay,


My actual problem is pam_tally2 not resetting the failure counter after a successful login. On a plain installation of SLES12 it is working but not on systems modified by my client. The man page of pam_tally2 does not mention a debug option but I am going to give it a try in case it is an undocumented feature.

I just checked a SLES12SP2 server, using pam 1.1.8, comparing to a newer version of pam (1.3.0) on a Leap installation: It seems that the 1.1.8 version does indeed not have the debug option.

Based on your description, you might want to focus on the configuration for the "account" phase. The following two quotes are from the pam_tally2 man page:

Account phase resets attempts counter if the user is not magic root. This phase can be used optionally for services which don't call pam_setcred(3) correctly or if the reset should be done regardless of the failure of the account phase of other modules.

EXAMPLES
[...]
The module does not have to be called in the account phase because the login calls pam_setcred(3) correctly.

Regards,
J

bfay
05-Sep-2018, 14:20
Hi jmozdzen,

One thing I know for sure is that we need:
account required pam_tally2.so

Without this, the failure counter is not reset. In a plain SLES12 SP2 it works fine. But not in the modified PAM configuration on my client's systems.

I cannot believe there is no way to debug the PAM stack!!!

Thanks for your suggestions.
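
As an added example (not code from this thread, from SUSE or from the pam_tally2 project), here is a small POSIX sh auditor for the point the man-page quote above and the "account required pam_tally2.so" line make: the failure counter only resets when the account phase of the service actually reaches pam_tally2. It reads PAM service files, follows include and substack directives, and reports per service whether the account phase contains pam_tally2.so. The pam.d directory, its file contents and the "modified" sshd variant are constructed samples written to a temp dir, not taken from any real system, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit which PAM services still reach pam_tally2.so in the
# "account" phase, following include/substack directives. All config files
# below are constructed samples in a temp dir, not a real /etc/pam.d.

set -u
set -f   # no globbing while splitting config lines into fields

PAMDIR=$(mktemp -d)
trap 'rm -rf "$PAMDIR"' EXIT

# Shared account stack, as a plain install would reference it.
cat > "$PAMDIR/common-account" <<'EOF'
# constructed sample
account required pam_unix.so
account required pam_tally2.so
EOF

# login: pulls in the shared stack, so the counter is reset on success.
cat > "$PAMDIR/login" <<'EOF'
auth     required  pam_tally2.so deny=5 onerr=fail
auth     include   common-auth
account  include   common-account
session  include   common-session
EOF

# sshd: constructed "hand-edited" variant where the account phase was
# rewritten inline and pam_tally2 silently dropped, so lockouts never clear.
cat > "$PAMDIR/sshd" <<'EOF'
auth     required  pam_tally2.so deny=5 onerr=fail
auth     include   common-auth
account  [success=1 default=ignore] pam_localuser.so
account  required  pam_unix.so
session  include   common-session
EOF

# pam_phase_entries DIR SERVICE PHASE [DEPTH]
# Print "control module" for each entry of PHASE in SERVICE, expanding
# include/substack recursively. Runs in a subshell so recursion does not
# clobber the caller's variables; DEPTH bounds accidental include loops.
pam_phase_entries() (
    dir=$1 svc=$2 phase=$3 depth=${4:-0}
    [ "$depth" -le 8 ] && [ -r "$dir/$svc" ] || exit 0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # strip comments
        set -- $line
        [ $# -ge 3 ] || continue         # need type, control, module
        type=${1#-}                      # "-account" = optional if module absent
        [ "$type" = "$phase" ] || continue
        ctrl=$2; shift 2
        # Bracketed control "[success=1 default=ignore]" spans several fields.
        case $ctrl in
            \[*) while [ $# -gt 0 ]; do
                     case $ctrl in *\]) break ;; esac
                     ctrl="$ctrl $1"; shift
                 done ;;
        esac
        [ $# -ge 1 ] || continue
        case $ctrl in
            include|substack) pam_phase_entries "$dir" "$1" "$phase" $((depth + 1)) ;;
            *)                printf '%s %s\n' "$ctrl" "$1" ;;
        esac
    done < "$dir/$svc"
)

# pam_tally2_account_present DIR SERVICE -> 0 if the account phase reaches pam_tally2
pam_tally2_account_present() {
    pam_phase_entries "$1" "$2" account | grep -q 'pam_tally2\.so$'
}

# pam_tally2_audit DIR SERVICE... -> one "service: OK|MISSING" line per service
pam_tally2_audit() {
    _d=$1; shift
    for _s in "$@"; do
        if pam_tally2_account_present "$_d" "$_s"; then
            printf '%s: OK (account phase reaches pam_tally2, counter resets)\n' "$_s"
        else
            printf '%s: MISSING (account phase never reaches pam_tally2)\n' "$_s"
        fi
    done
}

pam_tally2_audit "$PAMDIR" login sshd
```

Pointed at a real system, `pam_tally2_audit /etc/pam.d sshd su sudo login` lists which of the services named in the question lost the account entry. It only follows include and substack lines, so a stack that reaches modules by any other route still needs a manual read of the files.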

jmozdzen
05-Sep-2018, 15:55
Hi bfay,

have you considered opening a service request? SUSE support might spot the problem directly, and/or engineering might be able to provide some means to debug the PAM function calls.

Regards,
J

bfay
05-Sep-2018, 16:21
Hi jmozdzen,

I'll do that even though my experience with SUSE support regarding PAM has not been too impressive so far. I have nothing to lose after all.

Thanks for your help,