I have checkpassword-pam 0.99, and when I run it locally, like this:
echo -e 'testuser\0theuserspassword\0.' |
/usr/local/bin/checkpassword-pam -s smtp --debug --stdout /usr/bin/id 3<&0
everything works and I get:
Reading username and password
Username 'testuser'
Password read successfully
Initializing PAM library using service name 'smtp'
PAM library initialization succeeded
conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "
Authentication passed
Account management succeeded
Setting PAM credentials succeeded
PAM session opened
PAM session closed
Terminating PAM library
Executing /usr/bin/id
uid=1001(testuser) gid=1001(testuser) groups=1001(testuser)
(If I leave off --stdout, it logs to auth.log and still succeeds.)
When invoked via qmail, it looks like I have somehow modified the library load path, because PAM's dlopen() does not work:
Dec 28 21:19:43 standby smtp[18229]: Reading username and password
Dec 28 21:19:43 standby smtp[18229]: Username 'testuser'
Dec 28 21:19:43 standby smtp[18229]: Password read successfully
Dec 28 21:19:43 standby smtp[18229]: Initializing PAM library using service name 'smtp'
Dec 28 21:19:43 standby smtp[18229]: PAM unable to dlopen(pam_systemd.so): /lib/security/pam_systemd.so: cannot open shared object file: No such file or directory
Dec 28 21:19:43 standby smtp[18229]: PAM adding faulty module: pam_systemd.so
Dec 28 21:19:43 standby smtp[18229]: PAM library initialization succeeded
Dec 28 21:19:43 standby smtp[18229]: conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "
Dec 28 21:19:43 standby smtp[18229]: pam_unix(smtp:auth): check pass; user unknown
Dec 28 21:19:43 standby smtp[18229]: pam_unix(smtp:auth): authentication failure; logname= uid=64011 euid=0 tty= ruser= rhost=71.217.92.189
Dec 28 21:19:45 standby smtp[18229]: Authentication failed: Authentication failure
Dec 28 21:19:45 standby smtp[18229]: Exiting with status 1
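since the correct path for pam_systemd.so is /lib/x86_64-linux-gnu/security/pam_systemd.so.
Nothing in the environment block of the qmail-invoked checkpassword-pam looks out of place (per a modification to print everything from the environ global):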
Dec 28 21:19:43 standby smtp[18229]: Env: PATH=/command:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/snap/bin
Dec 28 21:19:43 standby smtp[18229]: Env: PWD=/var/qmail/supervise/qmail-smtpd
Dec 28 21:19:43 standby smtp[18229]: Env: SHLVL=0
Dec 28 21:19:43 standby smtp[18229]: Env: XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
Dec 28 21:19:43 standby smtp[18229]: Env: PROTO=TCP
Dec 28 21:19:43 standby smtp[18229]: Env: TCPLOCALIP=an.ip.v4.address
Dec 28 21:19:43 standby smtp[18229]: Env: TCPLOCALPORT=25
Dec 28 21:19:43 standby smtp[18229]: Env: TCPLOCALHOST=fqdn
Dec 28 21:19:43 standby smtp[18229]: Env: TCPREMOTEIP=another.ip.v4.address
Dec 28 21:19:43 standby smtp[18229]: Env: TCPREMOTEPORT=44994
Dec 28 21:19:43 standby smtp[18229]: Env: TCPREMOTEHOST=anotherfqdn
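The presence of the TCPREMOTEIP environment variable does cause checkpassword-pam to set the RHOST value on the PAM session, but I have also tried commenting that part out.
Ubuntu 16.04 x64 from Digital Ocean + daemontools, ucspi-tcp, gcc, libpam0g-dev, libssl-dev, qmail-uids-gids.
Custom qmail, custom checkpassword-pam.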
# file /var/qmail/bin/qmail-smtpd `which tcpserver` `which checkpassword-pam`
/var/qmail/bin/qmail-smtpd: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e858c3d33bb8fea26d7618e3ce63c37dc7c0557d, stripped
/usr/bin/tcpserver: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.15, BuildID[sha1]=1e727ea57ca4de886e56b6783de7df0190a2ad26, stripped
/usr/local/bin/checkpassword-pam: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8b6e3fffb52cab99526653078e0fd018b5e97a77, not stripped
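Since there is nothing unusual in the environment block, I really can't figure out what is going on. I know I have run this on Ubuntu servers before, but I remember it being a frustrating process: first it failed, then it worked, and I did not understand why. Now I cannot reproduce the success path.
Edit: ldd output as requested:
New machine (not working):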
$ ldd /usr/local/bin/checkpassword-pam
linux-vdso.so.1 => (0x00007ffc6daf4000)
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fa12f54f000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa12f185000)
libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fa12ef5e000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa12ed5a000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa12f75d000)
Another Ubuntu machine, where it appears to be working:
$ ldd /usr/local/bin/checkpassword-pam
linux-vdso.so.1 => (0x00007ffd437ab000)
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007ff6cfe89000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff6cfab9000)
libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007ff6cf891000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ff6cf689000)
/lib64/ld-linux-x86-64.so.2 (0x00007ff6d0099000)
Package information:
$ dpkg -l | grep libpam
ii libpam-modules:amd64 1.1.8-3.2ubuntu2 amd64 Pluggable Authentication Modules for PAM
ii libpam-modules-bin 1.1.8-3.2ubuntu2 amd64 Pluggable Authentication Modules for PAM - helper binaries
ii libpam-runtime 1.1.8-3.2ubuntu2 all Runtime support for the PAM library
ii libpam-systemd:amd64 229-4ubuntu21 amd64 system and service manager - PAM module
ii libpam0g:amd64 1.1.8-3.2ubuntu2 amd64 Pluggable Authentication Modules library
ii libpam0g-dev:amd64 1.1.8-3.2ubuntu2 amd64 Development files for PAM
$ dpkg -l | grep systemd
ii libpam-systemd:amd64 229-4ubuntu21 amd64 system and service manager - PAM module
ii libsystemd0:amd64 229-4ubuntu21 amd64 systemd utility library
ii python3-systemd 231-2build1 amd64 Python 3 bindings for systemd
ii systemd 229-4ubuntu21 amd64 system and service manager
ii systemd-sysv 229-4ubuntu21 amd64 system and service manager - SysV links
$ dpkg -S /lib/security/pam_systemd.so
dpkg-query: no path found matching pattern /lib/security/pam_systemd.so
$ ls -ld /lib/security/pam_systemd.so
ls: cannot access '/lib/security/pam_systemd.so': No such file or directory
$ locate pam_systemd.so
/lib/x86_64-linux-gnu/security/pam_systemd.so
$ dpkg -S `locate pam_systemd.so`
libpam-systemd:amd64: /lib/x86_64-linux-gnu/security/pam_systemd.so
The packaging results are the same between the failing machine and the other machine.
Answer 1
Check:
debconf-show libpam-runtime
Is PAM using systemd?
Yes: check
/etc/pam.d/common-session
No? Remove systemd:
pam-auth-update --package --remove systemd
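
The check the answer describes, extended to every module the smtp stack pulls in through its includes and tested against each module directory named in the question; this is an added example, not part of the original answer. The function names (pam_modules, pam_missing_modules, make_sample_tree) are hypothetical and the sample tree is constructed.

```shell
# Added example (not from the original post): report which modules a PAM
# service stack references that are absent from the given module directories.

# pam_modules FILE: print every module named in FILE, following "@include NAME"
# and "include"/"substack" controls relative to FILE's own directory.
pam_modules() (
    dir=$(dirname "$1")
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        $1 == "@include" { print "I", $2; next }
        $2 == "include" || $2 == "substack" { print "I", $3; next }
        {
            i = 2                                    # $1 = type, $2 = control
            if ($2 ~ /^\[/) while (i < NF && $i !~ /\]$/) i++   # [a=b c=d]
            print "M", $(i + 1)
        }' "$1" |
    while read -r kind name; do
        if [ "$kind" = M ]; then
            printf '%s\n' "$name"
        elif [ -f "$dir/$name" ]; then
            pam_modules "$dir/$name"
        fi
    done
)

# pam_missing_modules FILE DIR...: print modules that resolve in none of DIR...
pam_missing_modules() (
    file=$1; shift
    pam_modules "$file" | sort -u | while read -r mod; do
        found=no
        case $mod in
            /*) if [ -e "$mod" ]; then found=yes; fi ;;
            *)  for d in "$@"; do
                    if [ -e "$d/$mod" ]; then found=yes; fi
                done ;;
        esac
        if [ "$found" = no ]; then printf '%s\n' "$mod"; fi
    done
)

# Constructed sample tree mirroring the paths in the question; prints its root.
make_sample_tree() (
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/etc/pam.d" "$root/lib/security" "$root/lib/x86_64-linux-gnu/security"
    printf '@include common-session\nauth [success=1 default=ignore] pam_unix.so nullok\n' > "$root/etc/pam.d/smtp"
    printf '# constructed\nsession required pam_unix.so\nsession optional pam_systemd.so\n' > "$root/etc/pam.d/common-session"
    touch "$root/lib/x86_64-linux-gnu/security/pam_unix.so" "$root/lib/x86_64-linux-gnu/security/pam_systemd.so"
    printf '%s\n' "$root"
)
```

On a real host, run pam_missing_modules /etc/pam.d/smtp /lib/security and then again with /lib/x86_64-linux-gnu/security to see which directory satisfies the stack. The functions do not guard against include loops.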