Debugging PAM in Solaris

Pluggable Authentication Module (PAM), as defined here, allows integration of various authentication technologies such as UNIX®, Kerberos, RSA, smart cards and DCE into system entry services such as login, passwd, rlogin, telnet, ftp, and su without changing any of these services.

To see all the debug messages generated during PAM authentication, one needs to follow 2 simple rules,

[1] Configure the syslog daemon (system-log service), to print the debug messages to a specified file/device. You could do this by editing /etc/syslog.conf as given below,

\*.debug        /var/log/pam_log

Restart the system-log service.

[2] touch /etc/pam_debug.

PAM implementation uses /etc/pam_debug file as a debug flag and if found, starts printing the debug messages to the file configured in syslog.conf file.

This is the debug output I see when I login to my desktop from the locked Xscreen,


Nov 13 17:16:20 dancefloor xscreensaver[726]: [ID 910332 auth.debug] PAM[726]: pam_start(xscreensaver,blood,8047860:80eec18) - debug = 1
Nov 13 17:16:20 dancefloor xscreensaver[726]: [ID 874416 auth.debug] PAM[726]: pam_set_item(80eec18:service)
Nov 13 17:16:20 dancefloor xscreensaver[726]: [ID 874416 auth.debug] PAM[726]: pam_set_item(80eec18:user)
Nov 13 17:16:20 dancefloor xscreensaver[726]: [ID 874416 auth.debug] PAM[726]: pam_set_item(80eec18:conv)
Nov 13 17:16:20 dancefloor xscreensaver[726]: [ID 536501 auth.debug] PAM[726]: while load_modules[0:/etc/pam.conf](80eec18, pam_sm_authenticate)=/usr/lib/security//pam_authtok_get.so.1
Nov 13 17:16:20 dancefloor xscreensaver[726]: [ID 186051 auth.debug] PAM[726]: load_function: successful load of pam_sm_authenticate
Nov 13 17:16:20 dancefloor xscreensaver[726]: [ID 536501 auth.debug] PAM[726]: while load_modules[0:/etc/pam.conf](80eec18, pam_sm_authenticate)=/usr/lib/security//pam_dhkeys.so.1
Nov 13 17:16:20 dancefloor xscreensaver[726]: [ID 186051 auth.debug] PAM[726]: load_function: successful load of pam_sm_authenticate
Nov 13 17:16:20 dancefloor xscreensaver[726]: [ID 536501 auth.debug] PAM[726]: while load_modules[0:/etc/pam.conf](80eec18, pam_sm_authenticate)=/usr/lib/security//pam_unix_cred.so.1
Nov 13 17:16:20 dancefloor xscreensaver[726]: [ID 186051 auth.debug] PAM[726]: load_function: successful load of pam_sm_authenticate
Nov 13 17:16:20 dancefloor xscreensaver[726]: [ID 536501 auth.debug] PAM[726]: while load_modules[0:/etc/pam.conf](80eec18, pam_sm_authenticate)=/usr/lib/security//pam_unix_auth.so.1
Nov 13 17:16:20 dancefloor xscreensaver[726]: [ID 186051 auth.debug] PAM[726]: load_function: successful load of pam_sm_authenticate
Nov 13 17:16:20 dancefloor xscreensaver[726]: [ID 947272 auth.debug] PAM[726]: pam_get_user(80eec18, fef86970, NULL)
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 874416 auth.debug] PAM[726]: pam_set_item(80eec18:authtok)
Nov 13 17:16:23 dancefloor last message repeated 1 time
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 536501 auth.debug] PAM[726]: while load_modules[0:/etc/pam.conf](80eec18, pam_sm_authenticate)=/usr/lib/security//pam_dhkeys.so.1
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 536501 auth.debug] PAM[726]: while load_modules[0:/etc/pam.conf](80eec18, pam_sm_authenticate)=/usr/lib/security//pam_unix_cred.so.1
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 536501 auth.debug] PAM[726]: while load_modules[0:/etc/pam.conf](80eec18, pam_sm_authenticate)=/usr/lib/security//pam_unix_auth.so.1
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 536501 auth.debug] PAM[726]: while load_modules[0:/etc/pam.conf](80eec18, pam_sm_acct_mgmt)=/usr/lib/security//pam_roles.so.1
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 186051 auth.debug] PAM[726]: load_function: successful load of pam_sm_acct_mgmt
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 536501 auth.debug] PAM[726]: while load_modules[0:/etc/pam.conf](80eec18, pam_sm_acct_mgmt)=/usr/lib/security//pam_unix_account.so.1
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 186051 auth.debug] PAM[726]: load_function: successful load of pam_sm_acct_mgmt
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 536501 auth.debug] PAM[726]: while load_modules[0:/etc/pam.conf](80eec18, pam_sm_acct_mgmt)=/usr/lib/security//pam_unix_account.so.1
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 536501 auth.debug] PAM[726]: while load_modules[0:/etc/pam.conf](80eec18, pam_sm_setcred)=/usr/lib/security//pam_authtok_get.so.1
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 186051 auth.debug] PAM[726]: load_function: successful load of pam_sm_setcred
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 536501 auth.debug] PAM[726]: while load_modules[0:/etc/pam.conf](80eec18, pam_sm_setcred)=/usr/lib/security//pam_dhkeys.so.1
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 186051 auth.debug] PAM[726]: load_function: successful load of pam_sm_setcred
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 536501 auth.debug] PAM[726]: while load_modules[0:/etc/pam.conf](80eec18, pam_sm_setcred)=/usr/lib/security//pam_unix_cred.so.1
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 186051 auth.debug] PAM[726]: load_function: successful load of pam_sm_setcred
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 536501 auth.debug] PAM[726]: while load_modules[0:/etc/pam.conf](80eec18, pam_sm_setcred)=/usr/lib/security//pam_unix_auth.so.1
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 186051 auth.debug] PAM[726]: load_function: successful load of pam_sm_setcred
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 536501 auth.debug] PAM[726]: while load_modules[0:/etc/pam.conf](80eec18, pam_sm_setcred)=/usr/lib/security//pam_dhkeys.so.1
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 536501 auth.debug] PAM[726]: while load_modules[0:/etc/pam.conf](80eec18, pam_sm_setcred)=/usr/lib/security//pam_unix_cred.so.1
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 536501 auth.debug] PAM[726]: while load_modules[0:/etc/pam.conf](80eec18, pam_sm_setcred)=/usr/lib/security//pam_unix_auth.so.1
Nov 13 17:16:23 dancefloor xscreensaver[726]: [ID 707315 auth.debug] PAM[726]: pam_end(80eec18): status = Success

Comments:

This doesn't work for me. No pam logging shows up on OpenSolaris 2009.06

Posted by David Abrahams on March 08, 2010 at 06:48 PM IST #

thanks!
1 up for solaris. it is not possible to toggle PAM debug mode in RHEL! it needs to be turn on and off in build time! "Enterprise ready!? or not"

Posted by guest on August 29, 2013 at 03:52 AM IST #

Post a Comment:
  • HTML Syntax: NOT allowed
About

user13377336

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today
Bookmarks
Blogroll

No bookmarks in folder