If I invoke checkpassword-pam from the command line, it works every time:

malta sbin # echo -e "sfbosch\0w33ner\0\0" | checkpassword-pam -s system-auth --debug --stdout -- /usr/bin/id 3<&0
Reading username and password
Username 'sfbosch'
Password read successfully
Initializing PAM library using service name 'system-auth'
PAM library initialization succeeded
conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "
Authentication passed
Account management succeeded
Setting PAM credentials succeeded
PAM session opened
PAM session closed
Terminating PAM library
Executing /usr/bin/id
uid=1005(sfbosch) gid=100(users) groups=10(wheel),18(audio),100(users)

If I run it as part of a run script in qmail, it fails. Here is the run script for qmail-smtpd:

#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
    echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/qmail-smtpd/run
    exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
fi
exec /usr/bin/softlimit -m 4000000 \
    /usr/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd /usr/bin/checkpassword-pam --debug -s system-auth /bin/true 2>&1

(I have patched this qmail-smtpd with Bill Shupp's consolidated patch available at: http://shupp.org/patches/netqmail-1.05-tls-smtpauth-20051423.patch The qmail installation is built from raw source, not the ebuild. I'm using netqmail-1.05.)
When I try to authenticate with a mail client, this is what appears in /var/log/messages:

May 17 00:18:12 malta system-auth[15655]: Reading username and password
May 17 00:18:12 malta system-auth[15655]: Username 'sfbosch'
May 17 00:18:12 malta system-auth[15655]: Password read successfully
May 17 00:18:12 malta system-auth[15655]: Initializing PAM library using service name 'system-auth'
May 17 00:18:12 malta system-auth[15655]: PAM library initialization succeeded
May 17 00:18:12 malta system-auth[15655]: conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "
May 17 00:18:12 malta unix_chkpwd[15656]: check pass; user unknown
May 17 00:18:12 malta system-auth(pam_unix)[15655]: authentication failure; logname= uid=201 euid=201 tty= ruser= rhost=66.18.218.36 user=sfbosch
May 17 00:18:14 malta checkpassword-pam[15655]: Authentication failed: Authentication failure
May 17 00:18:14 malta checkpassword-pam[15655]: Exiting with status 1

I have another, very similar machine with this configuration that works fine -- the major difference being that it is running 2004.0 and this one is running 2005.0 and kernel 2.6. When I compare the syslog output on the other machine, I notice that this line

May 17 00:18:12 malta unix_chkpwd[15656]: check pass; user unknown

is absent. As an experiment, I copied over the unix_chkpwd from the working machine and sent a test message. This worked -- *once*. I have been unable to reproduce this success since. I'm really puzzled and have no idea where to proceed from here. I strongly suspect a bug somewhere in pam, but I've tried three different pam versions and they all give me the same results. I've even tried compiling with a blank CFLAGS.
Reproducible: Sometimes

Steps to Reproduce:

Actual Results:

May 17 00:18:19 malta system-auth[15658]: Reading username and password
May 17 00:18:19 malta system-auth[15658]: Username 'sfbosch'
May 17 00:18:19 malta system-auth[15658]: Password read successfully
May 17 00:18:19 malta system-auth[15658]: Initializing PAM library using service name 'system-auth'
May 17 00:18:19 malta system-auth[15658]: PAM library initialization succeeded
May 17 00:18:19 malta system-auth[15658]: conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "
May 17 00:18:19 malta unix_chkpwd[15659]: check pass; user unknown
May 17 00:18:19 malta system-auth(pam_unix)[15658]: authentication failure; logname= uid=201 euid=201 tty= ruser= rhost=66.18.218.36 user=sfbosch

Expected Results:

May 16 23:17:47 corsica checkpassword-pam[3055]: Reading username and password
May 16 23:17:47 corsica checkpassword-pam[3055]: Username 'sfbosch'
May 16 23:17:47 corsica checkpassword-pam[3055]: Password read successfully
May 16 23:17:47 corsica checkpassword-pam[3055]: Initializing PAM library using service name 'system-auth'
May 16 23:17:47 corsica checkpassword-pam[3055]: Pam library initialization succeeded
May 16 23:17:47 corsica checkpassword-pam[3055]: conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "
May 16 23:17:47 corsica checkpassword-pam[3055]: Authentication passed
May 16 23:17:47 corsica checkpassword-pam[3055]: Account management succeeded
May 16 23:17:47 corsica checkpassword-pam[3055]: Setting PAM credentials succeeded
May 16 23:17:47 corsica system-auth(pam_unix)[3055]: session opened for user sfbosch by (uid=201)
May 16 23:17:47 corsica checkpassword-pam[3055]: PAM session opened
May 16 23:17:47 corsica system-auth(pam_unix)[3055]: session closed for user sfbosch
May 16 23:17:47 corsica checkpassword-pam[3055]: PAM session closed
May 16 23:17:47 corsica checkpassword-pam[3055]: Terminating PAM library
May 16 23:17:47 corsica checkpassword-pam[3055]: Exiting with status 0

Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.4.20041102-r1, 2.6.11.7 i686)
=================================================================
System uname: 2.6.11.7 i686 AMD Athlon(tm) XP 2200+
Gentoo Base System version 1.4.16
Python: dev-lang/python-2.3.5 [2.3.5 (#1, May 12 2005, 17:51:40)]
dev-lang/python: 2.3.5
sys-apps/sandbox: [Not Present]
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.5, 1.8.5-r3, 1.6.3, 1.9.5, 1.7.9-r1, 1.4_p6
sys-devel/binutils: 2.15.92.0.2-r7
sys-devel/libtool: 1.4.3-r4, 1.5.16
virtual/os-headers: 2.6.8.1-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer"
CHOST="i386-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="ftp://gentoo.ccccom.com"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 alsa apm arts avi berkdb bitmap-fonts crypt cups emboss encode foomaticdb fortran gdbm gif gpm imlib ipv6 jpeg kde libg++ libwww mad mikmod motif mp3 mpeg ncurses nls oggvorbis opengl oss pam pdflib perl png python quicktime readline sdl spell ssl svga tcpd tiff truetype truetype-fonts type1-fonts xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY

Below is the emerge info from the working system:

Portage 2.0.50-r3 (default-x86-2004.0, gcc-3.3.2, glibc-2.3.2-r9, 2.4.25)
=================================================================
System uname: 2.4.25 i686 AMD Athlon(tm) XP 1800+
Gentoo Base System version 1.4.3.13
Autoconf: sys-devel/autoconf-2.58
Automake: sys-devel/automake-1.7.7
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer"
CHOST="i386-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="http://gentoo.ccccom.com/ ftp://gentoo.netnitco.net/pub/mirrors/gentoo/source/ http://gentoo.netnitco.net http://adelie.polymtl.ca/ http://mirrors.tds.net/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="berkdb crypt encode gdbm gif gpm imlib jpeg libg++ libwww mad mikmod mpeg ncurses nls pam pdflib perl png python readline slang spell ssl tcpd x86 xml2 zlib"
Hmm, which version of pam are you using on the two machines? Are there differences between the pamd files? Are you sure that the username exists on both machines?
The problem turned out to be caused by bad RAM. When the RAM was replaced, I rebuilt the whole system with emerge --emptytree -u world after deleting the contents of 'distfiles'. Once that was done, it still didn't work -- but the checkpassword-pam doesn't set its permissions properly. It must be set sticky in order to work. Is this prevented by portage? Perhaps a comment in the ebuild reminding the builder to change the permissions after the build is done would be useful.
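
The failing syslog excerpt in this report records euid=201 on the pam_unix failure line, next to a unix_chkpwd "user unknown" entry logged under a different PID. As an added example (not part of the report and not checkpassword-pam's own code), this Python code groups such lines per process and flags failed attempts made by a non-root caller; the sample lines, the 192.0.2.10 address and the `triage` function name are constructed for illustration.

```python
import re

# Constructed sample, shaped like the syslog excerpts in this report.
SAMPLE = """\
May 17 00:18:12 malta system-auth[15655]: Username 'sfbosch'
May 17 00:18:12 malta unix_chkpwd[15656]: check pass; user unknown
May 17 00:18:12 malta system-auth(pam_unix)[15655]: authentication failure; logname= uid=201 euid=201 tty= ruser= rhost=192.0.2.10 user=sfbosch
May 17 00:18:14 malta checkpassword-pam[15655]: Exiting with status 1
May 16 23:17:47 corsica checkpassword-pam[3055]: Username 'sfbosch'
May 16 23:17:47 corsica checkpassword-pam[3055]: Authentication passed
May 16 23:17:47 corsica checkpassword-pam[3055]: Exiting with status 0
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) ([^\[\s]+)\[(\d+)\]: (.*)$")
FAIL = re.compile(r"authentication failure;.*\buid=(\d+) euid=(\d+).*\buser=(\S+)")

def triage(text):
    """Group lines per (host, pid) and flag failures raised by a non-root caller."""
    attempts, helper_hits = {}, set()
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, host, tag, pid, msg = m.groups()
        if tag == "unix_chkpwd":
            # The helper logs under its own PID, so correlate on host + timestamp.
            if "user unknown" in msg:
                helper_hits.add((host, ts))
            continue
        a = attempts.setdefault((host, pid), {
            "host": host, "pid": int(pid), "user": None, "euid": None,
            "status": None, "helper_user_unknown": False})
        if (u := re.search(r"Username '([^']*)'", msg)):
            a["user"] = u.group(1)
        elif (f := FAIL.search(msg)):
            a["euid"] = int(f.group(2))
            a["helper_user_unknown"] = (host, ts) in helper_hits
        elif (s := re.search(r"Exiting with status (\d+)", msg)):
            a["status"] = int(s.group(1))
    for a in attempts.values():
        # pam_unix needs root privileges to read /etc/shadow directly, so a
        # failure logged with euid != 0 is worth a look at the binary's mode bits.
        a["check_privileges"] = a["status"] != 0 and a["euid"] not in (None, 0)
    return list(attempts.values())

if __name__ == "__main__":
    for attempt in triage(SAMPLE):
        print(attempt)
```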