Getting PAM to work


#1

Hello everyone!
Sadly, I cannot get Gogs’ PAM authentication to work on (Arch)Linux (PAM version 1.3). The installed gogs version is 0.11.66.0916 compiled with PAM support. As a database I use SQLite.

The gogs service is running as a service user (gogs, uid 511), and I am trying to log in as a normal user using PAM. I configured a new PAM authentication source named “gogs” pointing to the PAM service file “/etc/pam.d/system-auth” (which I did not change, it’s the default file that comes with PAM).

If I try to log in using the right username, password and authentication source, I get an error: “Username or password is not correct.” as well as a log entry:

pam_unix(system-auth:auth): authentication failure; logname= uid=511 euid=511 tty= ruser= rhost= user=pedro

I made sure the user running the gogs web front-end is able to read my /etc/shadow file, as mentioned here: PAM Authentication fails. Still no success.

Can anyone help?

(for reference, I uploaded my system-auth service file at https://pastebin.com/RNRC2NeE)


#2

Ok, I finally figured out how to get it to work. I had to make sure that two files’ permissions are set up correctly:

-rw-r----- 1 root shadow   589 27. Sep 13:31 /etc/shadow
-rwsr-sr-x 1 root shadow 30496 22. Jun 10:21 /sbin/unix_chkpwd

For security reasons I created the shadow group and added the service user (gogs) to that group.

So, tl;dr: make sure the permissions on the two files are as mentioned above.
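
A check of the state post #2 describes, as an added example that is not part of the thread: it compares /etc/shadow and /sbin/unix_chkpwd against the listing above (640 and 6755, both root:shadow), flags a world-readable shadow file, and confirms the service user is in the shadow group. It assumes GNU stat and the "gogs" user and "shadow" group named in the thread; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a host against the listing in post #2.
# Assumptions: GNU stat; group "shadow" and service user "gogs" as named in the thread.

# perms_match "MODE OWNER GROUP" WANT_MODE
# -> 0 when the file is root:shadow with exactly WANT_MODE (octal, as `stat -c %a` prints it).
perms_match() {
    want=$2
    set -- $1                      # split "MODE OWNER GROUP" into $1 $2 $3
    [ "$2" = root ] && [ "$3" = shadow ] && [ $((0$1)) -eq $((0$want)) ]
}

# world_can_read MODE -> 0 when the "other" read bit is set,
# i.e. every local account could read the password hashes.
world_can_read() {
    [ $(( 0$1 & 0004 )) -ne 0 ]
}

# in_group "GROUP LIST" GROUP -> 0 when GROUP appears in the output of `id -Gn USER`.
in_group() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# audit [USER]: print every deviation from the listing; return 1 if any was found.
audit() {
    user=${1:-gogs}; rc=0
    s=$(stat -c '%a %U %G' /etc/shadow 2>/dev/null)
    c=$(stat -c '%a %U %G' /sbin/unix_chkpwd 2>/dev/null)
    perms_match "$s" 640 ||
        { echo "/etc/shadow: got '$s', listing shows '640 root shadow'"; rc=1; }
    perms_match "$c" 6755 ||
        { echo "/sbin/unix_chkpwd: got '$c', listing shows '6755 root shadow'"; rc=1; }
    world_can_read "${s%% *}" &&
        { echo "/etc/shadow is world-readable"; rc=1; }
    in_group "$(id -Gn "$user" 2>/dev/null)" shadow ||
        { echo "$user is not a member of group shadow"; rc=1; }
    return $rc
}

# Run the audit only when asked, e.g.: sh check.sh --audit gogs
if [ "${1:-}" = "--audit" ]; then
    audit "${2:-gogs}"
fi
```

Group membership is read at login, so a service started before the user was added to the shadow group has to be restarted before the new membership applies.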