checkpassword-pam works locally, but not when run through qmail

I have checkpassword-pam 0.99, and when I run it locally, like

echo -e 'testuser\0theuserspassword\0.' | 
    /usr/local/bin/checkpassword-pam -s smtp --debug --stdout /usr/bin/id 3<&0

everything works, and I get

Reading username and password
Username 'testuser'
Password read successfully
Initializing PAM library using service name 'smtp'
PAM library initialization succeeded
conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "
Authentication passed
Account management succeeded
Setting PAM credentials succeeded
PAM session opened
PAM session closed
Terminating PAM library
Executing /usr/bin/id
uid=1001(testuser) gid=1001(testuser) groups=1001(testuser)

(If I leave off --stdout, it logs to auth.log and still succeeds.)

When invoked through qmail, it looks like I have somehow modified the library load path, because PAM's dlopen() doesn't work:

Dec 28 21:19:43 standby smtp[18229]: Reading username and password
Dec 28 21:19:43 standby smtp[18229]: Username 'testuser'
Dec 28 21:19:43 standby smtp[18229]: Password read successfully
Dec 28 21:19:43 standby smtp[18229]: Initializing PAM library using service name 'smtp'
Dec 28 21:19:43 standby smtp[18229]: PAM unable to dlopen(pam_systemd.so): /lib/security/pam_systemd.so: cannot open shared object file: No such file or directory
Dec 28 21:19:43 standby smtp[18229]: PAM adding faulty module: pam_systemd.so
Dec 28 21:19:43 standby smtp[18229]: PAM library initialization succeeded
Dec 28 21:19:43 standby smtp[18229]: conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "
Dec 28 21:19:43 standby smtp[18229]: pam_unix(smtp:auth): check pass; user unknown
Dec 28 21:19:43 standby smtp[18229]: pam_unix(smtp:auth): authentication failure; logname= uid=64011 euid=0 tty= ruser= rhost=71.217.92.189
Dec 28 21:19:45 standby smtp[18229]: Authentication failed: Authentication failure
Dec 28 21:19:45 standby smtp[18229]: Exiting with status 1

since the correct path for pam_systemd.so is /lib/x86_64-linux-gnu/security/pam_systemd.so

Nothing in the environment block of the qmail-invoked checkpassword-pam looks out of place (from a modification to print everything from the environ global):

Dec 28 21:19:43 standby smtp[18229]: Env: PATH=/command:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/snap/bin
Dec 28 21:19:43 standby smtp[18229]: Env: PWD=/var/qmail/supervise/qmail-smtpd
Dec 28 21:19:43 standby smtp[18229]: Env: SHLVL=0
Dec 28 21:19:43 standby smtp[18229]: Env: XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
Dec 28 21:19:43 standby smtp[18229]: Env: PROTO=TCP
Dec 28 21:19:43 standby smtp[18229]: Env: TCPLOCALIP=an.ip.v4.address
Dec 28 21:19:43 standby smtp[18229]: Env: TCPLOCALPORT=25
Dec 28 21:19:43 standby smtp[18229]: Env: TCPLOCALHOST=fqdn
Dec 28 21:19:43 standby smtp[18229]: Env: TCPREMOTEIP=another.ip.v4.address
Dec 28 21:19:43 standby smtp[18229]: Env: TCPREMOTEPORT=44994
Dec 28 21:19:43 standby smtp[18229]: Env: TCPREMOTEHOST=anotherfqdn

The presence of the TCPREMOTEIP environment variable does cause checkpassword-pam to set the RHOST value on the PAM session, but I have also tried commenting that part out.

Ubuntu 16.04 x64 from Digital Ocean + daemontools, ucspi-tcp, gcc, libpam0g-dev, libssl-dev, qmail-uids-gids

Custom qmail, custom checkpassword-pam.

# file /var/qmail/bin/qmail-smtpd `which tcpserver` `which checkpassword-pam`
/var/qmail/bin/qmail-smtpd:       ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e858c3d33bb8fea26d7618e3ce63c37dc7c0557d, stripped
/usr/bin/tcpserver:               ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.15, BuildID[sha1]=1e727ea57ca4de886e56b6783de7df0190a2ad26, stripped
/usr/local/bin/checkpassword-pam: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8b6e3fffb52cab99526653078e0fd018b5e97a77, not stripped

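Since there is nothing unusual in the environment block, I really can't figure out what is going on. I know I have had this running on an Ubuntu server before, but I remember it being a frustrating process where it failed and then it started working, and I didn't understand why. Now I can't reproduce the success path.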

Edit: ldd output, as requested:

New machine (not working):

$ ldd /usr/local/bin/checkpassword-pam
    linux-vdso.so.1 =>  (0x00007ffc6daf4000)
    libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fa12f54f000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa12f185000)
    libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fa12ef5e000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa12ed5a000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fa12f75d000)

On another Ubuntu machine, where it appears to be working:

$ ldd /usr/local/bin/checkpassword-pam
    linux-vdso.so.1 =>  (0x00007ffd437ab000)
    libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007ff6cfe89000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff6cfab9000)
    libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007ff6cf891000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ff6cf689000)
    /lib64/ld-linux-x86-64.so.2 (0x00007ff6d0099000)

Package information:

$ dpkg -l | grep libpam
ii  libpam-modules:amd64             1.1.8-3.2ubuntu2                             amd64        Pluggable Authentication Modules for PAM
ii  libpam-modules-bin               1.1.8-3.2ubuntu2                             amd64        Pluggable Authentication Modules for PAM - helper binaries
ii  libpam-runtime                   1.1.8-3.2ubuntu2                             all          Runtime support for the PAM library
ii  libpam-systemd:amd64             229-4ubuntu21                                amd64        system and service manager - PAM module
ii  libpam0g:amd64                   1.1.8-3.2ubuntu2                             amd64        Pluggable Authentication Modules library
ii  libpam0g-dev:amd64               1.1.8-3.2ubuntu2                             amd64        Development files for PAM

$ dpkg -l | grep systemd
ii  libpam-systemd:amd64             229-4ubuntu21                                amd64        system and service manager - PAM module
ii  libsystemd0:amd64                229-4ubuntu21                                amd64        systemd utility library
ii  python3-systemd                  231-2build1                                  amd64        Python 3 bindings for systemd
ii  systemd                          229-4ubuntu21                                amd64        system and service manager
ii  systemd-sysv                     229-4ubuntu21                                amd64        system and service manager - SysV links

$ dpkg -S /lib/security/pam_systemd.so
dpkg-query: no path found matching pattern /lib/security/pam_systemd.so

$ ls -ld /lib/security/pam_systemd.so
ls: cannot access '/lib/security/pam_systemd.so': No such file or directory

$ locate pam_systemd.so
/lib/x86_64-linux-gnu/security/pam_systemd.so

$ dpkg -S `locate pam_systemd.so`
libpam-systemd:amd64: /lib/x86_64-linux-gnu/security/pam_systemd.so

The package results are the same on the failing machine and on the machine where it succeeds.

Answer 1

Check

debconf-show libpam-runtime

Is PAM using systemd?

Yes - check

/etc/pam.d/common-session

No? Remove systemd

pam-auth-update --package --remove systemd
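
The check the answer describes, as an added example that is not part of the original question or answer: a shell script that walks a service's PAM stack, follows its includes (Debian "@include" as well as "include"/"substack" controls, which goes beyond the files shown on the page), and reports which config file names each module and in which directory the module file is found. The function names and the temporary fixture are constructed for illustration; on a real host the arguments would be /etc/pam.d, the service name smtp, and the two module directories that appear in the question.

```shell
# Added example (not the poster's code): locate each module of a PAM stack.
# pam_stack_modules PAMDIR SERVICE [DEPTH]: print "FILE MODULE" per module line,
# following Debian "@include" lines and "include"/"substack" controls.
pam_stack_modules() (
    pamdir=$1 svc=$2 depth=${3:-0}
    [ "$depth" -lt 8 ] && [ -r "$pamdir/$svc" ] || return 0
    awk '{ sub(/#.*/, "") }                       # strip comments
         NF == 0 { next }
         $1 == "@include" { print "I", $2; next }
         { i = 2                                  # skip a bracketed control
           if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
           if ($2 == "include" || $2 == "substack") print "I", $3
           else if ($(i + 1) != "") print "M", $(i + 1) }' "$pamdir/$svc" |
    while read -r kind name; do
        case $kind in
            I) pam_stack_modules "$pamdir" "$name" $((depth + 1)) ;;
            M) echo "$svc $name" ;;
        esac
    done
)

# pam_locate PAMDIR SERVICE MODDIR...: print "MODULE FILE PATH-or-MISSING",
# trying each MODDIR in order (absolute module paths are checked as given).
pam_locate() (
    pamdir=$1 svc=$2; shift 2
    pam_stack_modules "$pamdir" "$svc" | sort -u | while read -r file mod; do
        hit=MISSING
        case $mod in
            /*) [ -e "$mod" ] && hit=$mod ;;
            *)  for d in "$@"; do [ -e "$d/$mod" ] && { hit=$d/$mod; break; }; done ;;
        esac
        echo "$mod $file $hit"
    done
)

# make_sample ROOT: constructed fixture modelled on the page's smtp service.
make_sample() {
    ma=$1/lib/x86_64-linux-gnu/security
    mkdir -p "$1/pam.d" "$1/lib/security" "$ma"
    printf '%s\n' '@include common-auth' '@include common-session' > "$1/pam.d/smtp"
    printf '%s\n' 'auth [success=1 default=ignore] pam_unix.so nullok_secure' > "$1/pam.d/common-auth"
    printf '%s\n' 'session required pam_unix.so' \
        'session optional pam_systemd.so' > "$1/pam.d/common-session"
    touch "$ma/pam_unix.so" "$ma/pam_systemd.so"
}

root=$(mktemp -d) && make_sample "$root"       # demo on the constructed fixture
pam_locate "$root/pam.d" smtp "$root/lib/security" "$root/lib/x86_64-linux-gnu/security"
rm -rf "$root"
```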
