On 12/20/04(22:18) you "Shade" <email@example.com> wrote
| I have some problems with PAM authentication. Well, I'll try to
| describe the problem in the whole: I've got local and external networks,
| and a firewall between them. On the same computer with the FW there is
| installed DeleGate. I use only 6 protocols: telnet, ftp, http, pop, smtp,
| imap and their 'ssl-forms'. Well, earlier for proxy-users' authentication
| I used special files, e.g. 'proxy.users', where the information about
| logins and passwords of allowed users was kept. Then my boss told me he
| wanted to use PAM for this purpose.
| I did "AUTHORIZER='-pam/delegate-auth'", where 'delegate-auth' is my
| own pamconf file. Everything works, I can see, that DeleGate works
| with PAM. But there are two problems:
| 1. there are no pam-logs at all. When I log-in my FW-computer locally,
| there are lots of pam-logs in /var/log/auth/*, but when I go through
| DeleGate, using PAM, there are no logs at all.
What kind of logs is in your /var/log/auth/* ? If it is like "session
opened/closed", then it is not logged by DeleGate because DeleGate
use PAM just for the purpose of authentication (PAM category "auth"),
and does not use other features including "session" management.
Furthermore, DeleGate does not always refer PAM for each authentication.
It reuses authenticated user+pass pairs which are authenticated by PAM
(or other auth-server) in cache (in 180 seconds).
| And 2. I need to allow only users in special group 'delegate-users'
| (there they have home directory and shell - /dev/null, in order not
| to let them into FW-system). I know that I can use modules 'pam_group'
| and 'pam_require' (www.splitbrain.org). And when I use them on the
| local FW-machine, or, for example, through ssh from the remote machine
| (to the FW-machine), it works fine. But when I use it with DeleGate,
| it acts like there is no 'group'-rule in the conf-file.
There are so many versions of PAM implementations on various platform.
If you would tell me the version of your PAM and OS, I might be able to
D G Yutaka Sato <firstname.lastname@example.org> http://delegate.org/y.sato/
( - ) National Institute of Advanced Industrial Science and Technology
_< >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller