Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-3660

PAM does not work for non-root installations

    XMLWordPrintable

Details

    • Bug
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • pam-auth-plugin
    • None
    • Platform: Sun, OS: SunOS

    Description

      I installed Hudson under the user/group 'hudson/hudson' with the role Primary
      Administrator.

      When trying to get the PAM authentication to work, I get the following error in
      the SMF logs:

      Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed : No account
      present for user

      If I click on advanced and change 'sshd' to 'passwd' I get:

      Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed : Permission
      denied

      Attachments

        Activity

          On Linux all it takes is for Jenkins to be able to read /etc/shadow. We now explicitly check for the permission to access this file and provide a friendly error message.

          I wonder if this bug report predates that change, or if Solaris behaves differently.

          kohsuke Kohsuke Kawaguchi added a comment - On Linux all it takes is for Jenkins to be able to read /etc/shadow. We now explicitly check for the permission to access this file and provide a friendly error message. I wonder if this bug report predates that change, or if Solaris behaves differently.
          malachid malachid added a comment -

          Hey Kohsuke,

          I have not worked at that job since 2009 (this was reported May 2009) - so it very well could predate that change.

          malachid malachid added a comment - Hey Kohsuke, I have not worked at that job since 2009 (this was reported May 2009) - so it very well could predate that change.
          tommythekid Tommy McNeely added a comment -

          Comparing hashes in the shadow file is NOT PAM authentication. What if I am authenticating against LDAP/Kerberos/Active Directory? That has nothing to do with the shadow file, yet the module still unhelpfully requires it to be readable.

          ~tommy

          tommythekid Tommy McNeely added a comment - Comparing hashes in the shadow file is NOT PAM authentication. What if I am authenticating against LDAP/Kerberos/Active Directory? That has nothing to do with the shadow file, yet the module still unhelpfully requires it to be readable. ~tommy

          I'm trying to use pam_exec.so to authenticate using a script. I created a PAM service called "jenkins" (/etc/pam.d/jenkins) with "auth" and "account" lines. Authentication succeeds, but I see this in the Jenkins log: "org.jvnet.libpam.PAMException: Authentication succeeded but no user information is available". I believe the problem described in this ticket results from the fact that libpam4j attempts to retrieve an account record using the libc function getpwnam() rather than relying solely on PAM calls.

          https://github.com/kohsuke/libpam4j/blob/377d71a2b73c11b7c21bea0fb4ac5050ba8fc5c9/src/main/java/org/jvnet/libpam/PAM.java

          I have been using the Security Realm by custom script (script-realm) Jenkins plugin to authenticate via script, which has been working fine without any entries in /etc/passwd. However, that plugin is unmaintained and pulls in the deprecated WMI Windows Agents Plugin, so I tried replacing it with a PAM configuration. Since I don't want to have to modify /etc/passwd, I'll probably find a different solution.

          jrogers Jonathan Rogers added a comment - I'm trying to use pam_exec.so to authenticate using a script. I created a PAM service called "jenkins" (/etc/pam.d/jenkins) with "auth" and "account" lines. Authentication succeeds, but I see this in the Jenkins log: "org.jvnet.libpam.PAMException: Authentication succeeded but no user information is available". I believe the problem described in this ticket results from the fact that libpam4j attempts to retrieve an account record using the libc function getpwnam() rather than relying solely on PAM calls. https://github.com/kohsuke/libpam4j/blob/377d71a2b73c11b7c21bea0fb4ac5050ba8fc5c9/src/main/java/org/jvnet/libpam/PAM.java I have been using the Security Realm by custom script (script-realm) Jenkins plugin to authenticate via script, which has been working fine without any entries in /etc/passwd. However, that plugin is unmaintained and pulls in the deprecated WMI Windows Agents Plugin, so I tried replacing it with a PAM configuration. Since I don't want to have to modify /etc/passwd, I'll probably find a different solution.

          People

            Unassigned Unassigned
            malachid malachid
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated: