Bug 213763 - After upgrading to sys-libs/pam-0.99.10.0, apache pam auth no longer works
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: PAM Gentoo Team (OBSOLETE)
Reported: 2008-03-18 02:00 UTC by Craig Andrews
Modified: 2008-04-06 04:19 UTC

Attachments
/etc/pam.d/jabberd (jabberd,158 bytes, text/plain)
2008-03-18 16:33 UTC, Craig Andrews
/etc/pam.d/apache2 (apache2,193 bytes, text/plain)
2008-03-18 16:34 UTC, Craig Andrews

Description Craig Andrews gentoo-dev 2008-03-18 02:00:07 UTC
I tried both www-apache/mod_authn_pam-0.0.1 and mod_auth_pam-1.1.1-r2 and got the same results. I upgraded pam to sys-libs/pam-0.99.10.0 last week, and ever since, apache is not able to authenticate anyone against PAM - all requests fail saying the login was invalid. Here's a sample from the log:
user candrews: authentication failure for "/xyz": Password Mismatch
I tried changing /etc/pam.d/apache2 from the default, trying different settings... but I cannot get it to work.

Reproducible: Always

Steps to Reproduce:
1. Upgrade pam to sys-libs/pam-0.99.10.0 (I'm also using pambase-20080306.2 - I'm not sure if that's important)
2. Use mod_auth_pam or mod_authn_pam for authentication
3. Try to log in to a protected apache location
Actual Results:  
Login fails saying the password was wrong

Expected Results:  
Successful login

Portage 2.1.4.4 (default-linux/amd64/2007.0/desktop, gcc-4.2.3, glibc-2.7-r1, 2.6.24-gentoo-r2 x86_64)
=================================================================
System uname: 2.6.24-gentoo-r2 x86_64 AMD Athlon(tm) 64 Processor 3300+
Timestamp of tree: Mon, 17 Mar 2008 17:46:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.5
dev-lang/python:     2.5.1-r5
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 2.0.0
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.24
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=athlon64 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=athlon64 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks metadata-transfer parallel-fetch prelink sandbox sfperms strict unmerge-orphans userfetch usersandbox"
GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo"
LDFLAGS="-Wl,--hash-style=both,-z,relro,--enable-new-dtags,-O1,-z,now,--as-needed"
LINGUAS="en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise /usr/portage/local/layman/webapps-experimental /usr/portage/local/layman/openrc /usr/local/portage"
SYNC="rsync://rsync21.us.gentoo.org/gentoo-portage"
USE="3dnow X a52 aac acl acpi aiglx alsa amd64 animation apache2 artworkextra asf aspnet2 asyncns authdaemond avahi avi bash-completion berkdb bitmap-fonts bluetooth bzip2 cairo caps cdda cdparanoia cdr chm cli cracklib crypt cups curl daap dbus dga divx4linux dlloader dpms dri dts dv dvb dvd dvdr dvdread emboss encode exif fam fame fat fbcondecor fbsplash ffmpeg fftw firefox flac foomaticdb fortran freetype gaim gd gdbm geoip gif gimpprint glib glibc-omitfp glitz glut gnome gnutls gphoto2 gpm gstreamer gstreamer10 gtk gtk2 hal hardenedphp hbci howl howl-compat iconv ieee1394 imagemagick imap imlib innodb ipv6 isdnlog java java5 joystick jpeg jpeg2k junit kde kdehiddenvisibility lcms libfame libnotify libsamplerate libusb lirc live lm_sensors lzo mad maildir mdnsresponder-compat midi mikmod mjpeg mmap mmx mmxext mng mono motif mozilla mozsvg mp3 mpeg mpeg2 mplayer mudflap musepack mysql mythtv nautilus ncurses network nls nptl nptlonly ntfs nvidia offensive ofx ogg oggvorbis openexr opengl openmp pam pango pcre pdf pdflib perl pic pie png pnp ppd ppds pppd prelude pulseaudio python qt qt3 qt3support qt4 quicktime rar readline reflection rtc samba sasl screensaver sdl session sharedmem shout snmp sox speex spell spl sqlite sse sse2 ssl suspend2 svg tcpd theora threads tiff transcode truetype truetype-fonts type-fonts unicode unzip upnp ups usb v4l v4l2 vcd videos vorbis webdav webservices wifi wmf wv x264 xanim xcb xine xinerama xml xml2 xorg xpm xprint xrandr xscreensaver xv xvid xvmc zeroconf zip zlib" ALSA_CARDS="via82xx" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter 
headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias auth_digest proxy proxy_ajp proxy_connect proxy_http" ELIBC="glibc" INPUT_DEVICES="evdev joystick keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" LIRC_DEVICES="mceusb2" USERLAND="GNU" VIDEO_CARDS="nv nvidia"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Craig Andrews gentoo-dev 2008-03-18 02:02:23 UTC
I just discovered this same behavior is shown by other applications - jabberd2 does the same thing. The bug must be in pam, pambase, or something else involving pam.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-03-18 11:45:28 UTC
Please post your /etc/pam.d/apache2 and jabberd2 files.
Comment 3 Craig Andrews gentoo-dev 2008-03-18 16:33:30 UTC
Created attachment 146500
/etc/pam.d/jabberd
Comment 4 Craig Andrews gentoo-dev 2008-03-18 16:34:14 UTC
Created attachment 146501
/etc/pam.d/apache2
Comment 5 Craig Andrews gentoo-dev 2008-03-26 04:33:47 UTC
I bet this will affect more people once this hits stable. I'm really lost as to how to even debug this - can I get some pointers on what I can do to try to fix this myself?
Comment 6 Craig Andrews gentoo-dev 2008-04-01 18:21:22 UTC
I'm conversing with someone on the gentoo forums at http://forums.gentoo.org/viewtopic-p-5021798.html#5021798 and we've proven that PAM is broken in Gentoo.

I'll spare the redundancy of copying/pasting in the discussion, and just point to the forum posts.
Comment 7 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-04-01 19:40:11 UTC
I'll spare the redundancy of saying that it's up to now TWO people (you and the one in the forum) having this problem, which screams "setup issue" hugely.

Comment 8 Craig Andrews gentoo-dev 2008-04-02 14:27:58 UTC
I'm sorry about the harsh tone of my previous comment - it's been a few very long days at the office, and I've been a bit cranky :-(

In an effort to test if it's a config issue, I'll delete everything in /etc/pam.d and re-emerge everything that creates those files.

However, I'm skeptical as to whether it's a config issue. I think there is just a possibility that not many people use apache or jabber against PAM. A lot of other things that go against PAM, like courier, run the authentication as root, which gets around this issue.

Thanks for the hard work, Diego - I'll try to be a little friendlier.
Comment 9 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-04-02 15:13:04 UTC
Sorry too, just not liking the "Gentoo PAM" as we don't really change anything besides the default config files, which I doubt is the problem.

What I can tell is that SuSE (which is the main contributor to Linux-PAM) runs _everything_ authenticating against PAM as root. So I suppose they _could_ have broken Linux-PAM running as user. The problem is, could that actually be fixed, or is it a design decision?

Reason why I didn't spend (yet) time to investigate this in depth is that I actually hoped to find more people reporting it so I could reduce the area to look for, as there usually is _a lot_ going on between PAM and authentication. Now at least I do know it seems to be related to non-root authentication process. It's a start at least.

If the problem is indeed Linux-PAM, I sincerely hope that the SoC project to set up OpenPAM for Gentoo Linux is going to provide us some independence from Linux-PAM SuSE-centric design.
Comment 10 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-04-05 14:09:10 UTC
I'm adding 1.0.0 in portage right now, I'll try to synthesise a testcase for this bug but please test with it because I'm not sure if I can do it right away :/
Comment 11 Craig Andrews gentoo-dev 2008-04-05 21:48:36 UTC
I just finished upgrading to sys-libs/pam-1.0.0, and there was no change, unfortunately. Thanks for the push, though, Diego!
Comment 12 Craig Andrews gentoo-dev 2008-04-06 04:19:10 UTC
I stand corrected - after restarting the relevant services (jabberd and apache), they work again! Sweet :-)
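
In Comment 12 the upgraded PAM only took effect once jabberd and apache were restarted. The script below is an added example, not part of the bug report or of any Gentoo tooling: it lists processes that still map a PAM library file that has since been replaced on disk, which the kernel marks "(deleted)" in /proc/<pid>/maps. The function names `stale_pam_maps` and `scan_proc` are hypothetical, and the script assumes Linux procfs and library paths without spaces.

```shell
#!/bin/sh
# Added example: find daemons that need a restart after a PAM upgrade.
# A process that loaded libpam or a pam_*.so module before the package
# was replaced keeps the old file mapped; /proc/<pid>/maps then shows
# the path followed by "(deleted)".

# stale_pam_maps FILE
# Print the unique PAM library paths marked "(deleted)" in a file that
# uses the /proc/<pid>/maps format (path is the second-to-last field).
stale_pam_maps() {
    awk '$NF == "(deleted)" &&
         $(NF-1) ~ "/(libpam|pam_)[^/]*[.]so[^/]*$" { print $(NF-1) }' \
        "$1" 2>/dev/null | sort -u
}

# scan_proc ROOT
# Walk ROOT/<pid>/maps (ROOT is normally /proc) and print one line per
# affected process: "<pid> <command name> <stale library paths...>".
scan_proc() {
    for maps in "$1"/[0-9]*/maps; do
        # Skip unmatched globs and entries we may not read.
        [ -r "$maps" ] || continue
        libs=$(stale_pam_maps "$maps" | tr '\n' ' ')
        [ -n "$libs" ] || continue
        dir=${maps%/maps}
        name=$(cat "$dir/comm" 2>/dev/null || echo '?')
        echo "${dir##*/} $name ${libs% }"
    done
    return 0
}

# Scan the live system by default; pass another root directory to scan
# a saved copy of procfs-style data instead.
scan_proc "${1:-/proc}"
```

Run it as root so the maps files of processes owned by other users (for example the apache user) can be read; every process it prints is still running pre-upgrade PAM code until it is restarted.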