Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
2 votes, 1 answer, 4294 views
What am I missing in PAM configuration for RedHat Apache?
I am trying to have PAM to use the hosting system's "passwd" and "shadow" file to authenticate a user who is using the web application.
I am using RedHat 6, Apache is 2.2, module mod_authnz_pam for the Apache.
PAM in Apache (`httpd.conf`) is configured as such:
```
AuthType Basic
AuthName "basic_auth"
AuthBasicProvider PAM
AuthPAMService httpd
Require valid-user
```
I created a file named `httpd` in `/etc/pam.d` with the following configuration:
```
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
```
SELinux is enabled; `getenforce` returns "Enforcing".
I also ran the following:
```
setsebool -P allow_httpd_mod_auth_pam 1
```
So I get prompted for user credentials when I try to visit the IP address. But when I enter my system credentials, I get the following logs:
> unix_chkpwd: check pass; user unknown
>
> unix_chkpwd: password check failed for user (username)
>
> localhost httpd: pam_unix(httpd:auth): authentication failure;
> logname= uid=48 euid=48 tty= ruser= rhost=xxx.xx.xx.x user=username
My user name definitely exists in passwd and shadow file, but somehow PAM is saying it doesn't exist.
What else am I missing?
ShamanOfTheFrontier
(21 rep)
Dec 18, 2017, 08:29 PM
• Last activity: Aug 5, 2025, 03:06 AM
0 votes, 1 answer, 3090 views
Problem getting user input through script called by pam_exec
I was trying to use pam_exec.so on Ubuntu to call a script, prompt for user input and allow the user to log in through SSH if the script exits with an exit code of 0. I was unable to get this to work. So I wrote a simple script as follows to test pam_exec.so and see if the problem was with my original script. However I am getting the same issues even with this simple script.
`/usr/local/bin/test.sh`:
```
#!/bin/bash
echo -n "Please enter your name:"
read name
echo "Hello $name"
```
I called it by including the following line after `@include common-auth` in `/etc/pam.d/sshd`:
```
auth required pam_exec.so stdout /usr/local/bin/test.sh
```
But when I SSH into this system as seen below, I do not get a prompt to enter any input. As soon as I enter the password, I get logged in. However, the output of the script is visible.
Then I changed the above script as follows to exit with an exit code of 1 if no input is given.
```
#!/bin/bash
echo -n "Please enter your name:"
read name
if [ -z "$name" ]
then
exit 1
else
echo "Hello $name"
exit 0
fi
```
Then I am unable to SSH into the system (screenshot below) even when I enter the correct password and I do not see any output of the script.
So what I want to know is how can I correct this problem and use pam_exec.so to run a script, get user input, and allow ssh authorization only if that script exits with an exit code of 0?
Nilushan Costa
(340 rep)
Nov 7, 2017, 05:49 AM
• Last activity: Jul 26, 2025, 07:04 AM
1 vote, 1 answer, 52 views
pam module for sudo bypassed by using sudo -i
I've been trying to set up 2FA with Google Authenticator on Ubuntu to protect sudo. I followed the steps at https://blog.jitendrapatro.me/configuring-two-factor-authentication-for-su-and-sudo/ and was able to see my commands 'sudo touch /test' being protected, i.e. I would be prompted for my Google Authenticator verification code. However, the article says the following, which seems to imply to me that it's pretty easy to bypass the 2FA:
> There are three downsides to this. First, 2FA needs to be enabled for the user account or there will be no prompt for entering verification code. Second, the switching to any user from root now will require to enter the verification code for that user, which is not so convenient anymore even if you’re root! Third and most important of all is you can just use “sudo -s” and get a root shell completely bypassing su! 🙂
Likewise, I was able to run sudo -i and bypass 2FA. Any way to prevent this bypassing? What am I missing?
Burvil
(43 rep)
Jul 14, 2025, 03:56 AM
• Last activity: Jul 25, 2025, 05:45 AM
5 votes, 1 answer, 137 views
'sudo su' Permission Denied, but relogging fixes it
I am having an issue that is only present since about April after updating packages.
When I am accessing servers and use `sudo su` or `sudo -s` to access root and enter my password, I'll get:
```
sudo: PAM account management error: Permission denied
sudo: a password is required
```
However, when I exit and restart the SSH session, it works fine. This is a periodic issue and does not happen on all servers at the same time in my environment. I have noticed that the `sssd` service reports offline sometimes, but is back up and the log timings don't seem to match up with the events. I have turned on base level logging for `sssd`, but have not seen anything that is inherently apparent as the issue. Any insight would be welcomed.
Updates:
The failed login attempts trigger several PAM modules in sssd_pam.log and end in this:
```
[pam] [pam_reply] (0x0200): [CID#9] blen: 24
[pam] [pam_reply] (0x0200): [CID#9] Returning : Permission denied to the client
[pam] [client_recv] (0x0200): [CID#9] Client disconnected!
```
A successful login attempt just triggers SSS_PAM_PREAUTH twice and SSS_PAM_AUTHENTICATE once, and results in this when using sudo:
```
[pam_reply] (0x0200): [CID#10] blen: 24
[pam] [pam_reply] (0x0200): [CID#10] Returning : Success to the client
[pam] [pam_cmd_acct_mgmt] (0x0100): [CID#10] entering pam_cmd_acct_mgmt
```
While speaking of PAM, worth noting that I have compared PAM configurations from lowers where this is occurring to PROD where it is not present and they are identical, the only change I found yesterday was a smartcard auth rpm file, which I deleted, but that, as expected, did not change this behavior.
More updates:
/var/log/secure shows that the same sudo:auth success message leads to two different results.
The failed:
```
pam_sss(sudo:auth): authentication success; logname=xxxx uid=XXXX euid=0 tty=/dev/pts/0 ruser=xxxx rhost= user=xxxx
pam_sss(sudo:account): Access denied for user xxxx: 6 (Permission denied)
```
The success:
```
pam_sss(sudo:auth): authentication success; logname=xxxx uid=XXXX euid=0 tty=/dev/pts/0 ruser=xxxx rhost= user=xxxx
pam_unix(sudo:session): session opened for user root by xxxx(uid=xxxx)
```
I found a configuration difference that may prove useful: `/etc/pam.d/systemd-user` seems to have a line in non-affected environments that is not present in affected environments:
```
session optional pam_keyinit.so force revoke
```
I'm not familiar with this configuration option, so I'm doing some research on it and implementing it. Once it's in place I'll try to replicate the issue, but after a session is restarted (in order to reach root to make the change) it can take a while to present.
Latest Update:
I found a line that, upon investigation, doesn't appear to indicate that it would cause this kind of behavior, but I have not been able to reproduce the error since removing this line from `/etc/pam.d/login`:
```
session optional pam_console.so
```
JCrowder
(81 rep)
Jul 14, 2025, 08:14 PM
• Last activity: Jul 22, 2025, 02:04 PM
11 votes, 3 answers, 6985 views
Use fingerprint reader for everything but first login
I want to make efficient use of the fingerprint reader on my laptop. I was able to configure fingerprint reading through `fprint` and PAM (using the steps described in the second comment here), but I've encountered a small problem.
When logging in with the fingerprint reader the GNOME keyring isn't unlocked. Now I understand that this is this way because `fprint` and the keyring have no support for hardware-based keystore unlocking like for example Windows Hello does. I have no problem with this restriction, but it means that I have to type my password on login anyway.
How I get around this right now is by waiting for 10s on the first login so the fingerprint reader times out and I get the password prompt. Then I enter the password to login and the keyring gets unlocked with the login. When I unlock my device or run sudo commands afterwards I will still use the fingerprint reader.
So my question is if it is possible to configure PAM in a way that allows me to do the first login directly with the password (without waiting for the fingerprint sensor to time out) while still allowing me to unlock and run sudo commands with the fingerprint reader.
I'm running Linux Mint with the Cinnamon desktop.
Emil S.
(213 rep)
Sep 29, 2021, 07:39 AM
• Last activity: Jul 11, 2025, 01:15 AM
1 vote, 1 answer, 2727 views
Disable local user PAM, enable root user with LDAP
I am trying to set up a Linux machine with LDAP authentication and root account enabled. There is no issue with the LDAP server and everything works fine.
I wanted to disable local users, so I tried editing PAM. I tried using pam-auth-update and unticking the "Unix authentication". Local users are successfully denied, but so is the root account.
I am now trying different things in the `pam.d` files, but it seems I screwed up multiple times and don't know what I am doing.
Editing the `/etc/pam.d/common-auth` file:
```
auth sufficient pam_rootok.so
```
After I added this line, there is no password prompt and it logs in directly.
```
auth pam_succeed_if.so uid = 0 quiet
```
I added this line and it does nothing.
I am now reading the PAM configuration.
Could anyone help me understand and solve my problem?
chiajw1
(11 rep)
Mar 17, 2020, 08:29 AM
• Last activity: Jul 1, 2025, 08:01 PM
0 votes, 1 answer, 510 views
Auto-unlocking gnome-keyring does not work when using pam_sss
The Gnome Keyrings "Login" and "Default" are not unlocked automatically on my Linux Mint 22 machine.
This is an LDAP user account and login goes through `pam_sss.so` (SSSD). The journal seems to indicate that `pam_gnome_keyring.so` does not receive the entered password (`gkr-pam: no password is available for user`), but I do not understand why:
```
$ sudo journalctl -b | egrep -i 'keyring|pam'
Okt 11 17:24:16 promoter lightdm: gkr-pam: gnome-keyring-daemon started properly
Okt 11 17:24:17 promoter lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "fritz"
Okt 11 17:24:22 promoter lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=fritz
Okt 11 17:24:22 promoter lightdm: gkr-pam: no password is available for user
Okt 11 17:24:22 promoter lightdm: pam_unix(lightdm:session): session opened for user fritz(uid=30108) by (uid=0)
Okt 11 17:24:22 promoter lightdm: gkr-pam: gnome-keyring-daemon started properly
```
Here are the (hopefully) relevant sections of my PAM auth config. I could provide more, but I don't think that `common-account`, `common-session`, and `common-password` are relevant to this question:
```
$ cat /etc/pam.d/lightdm
#%PAM-1.0
auth requisite pam_nologin.so
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet.so
-auth optional pam_kwallet5.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
#session required pam_loginuid.so
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet.so auto_start
-session optional pam_kwallet5.so auto_start
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-password
```
```
$ /etc/pam.d/cat common-auth
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_sss.so
auth [success=1 default=ignore] pam_unix.so nullok
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth required pam_ecryptfs.so unwrap
auth optional pam_cap.so
# end of pam-auth-update config
```
###### Further observations:
* The journal message `gkr-pam: no password is available for user` also appears when unlocking the screensaver from source `cinnamon-screensaver-pam-helper`.
Fritz
(748 rep)
Oct 14, 2024, 08:36 AM
• Last activity: Jun 24, 2025, 11:53 AM
3 votes, 1 answer, 82 views
pam syntax help for password-auth
I have an `/etc/pam.d/dcv` file (goes with nice-dcv) and it has just these two lines:
```
auth include password-auth
account include password-auth
```
My problem is that a security request to include a `faillock` item in `password-auth` prevents my nice-dcv connections from working for users. As a fix I would like to have the `faillock` syntax in `/etc/pam.d/password-auth` to meet requirements and then just tweak my `/etc/pam.d/dcv` file to use the redhat default `password-auth` but **without** my faillock modification.
But the PAM syntax has me confused when it has an `auth include` and an `account include` of the same [password-auth] file... what do I do? How does it work for an `auth include` **and** then an `account include` of this one file having these contents which then has all it has?
```
#
# default redhat-8 /etc/pam.d/password-auth
#
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
```
ron
(8647 rep)
Jun 19, 2025, 12:59 PM
• Last activity: Jun 19, 2025, 02:39 PM
5 votes, 1 answer, 3055 views
Debian ignores PAM env variables (while Arch doesn't)
I have a weird issue with my Debian Sid system. I want to set a global environment variable in `/etc/environment`, which is supposed to be read by the `pam_env` module. Unfortunately, after having relogged in to the system, the variable is not set.
On another Arch Linux box, the same variable set in `/etc/environment` is defined as expected.
Just for testing, I tried to set up a local env variable in `.pam_environment` and, again, on Debian it's not being defined while on Arch it is.
I'm using GDM on Debian and SDDM on Arch as login managers.
What am I missing? Which (PAM or GDM) configuration files should I look at?
EDIT: output of `grep pam_env /etc/pam.d/*`:
```
$ grep pam_env /etc/pam.d/*
/etc/pam.d/atd:auth required pam_env.so
/etc/pam.d/cron:# Read environment variables from pam_env's default files, /etc/environment
/etc/pam.d/cron:# and /etc/security/pam_env.conf.
/etc/pam.d/cron:session required pam_env.so
/etc/pam.d/cron:session required pam_env.so envfile=/etc/default/locale
/etc/pam.d/gdm-autologin:session required pam_env.so readenv=1
/etc/pam.d/gdm-autologin:session required pam_env.so readenv=1 envfile=/etc/default/locale
/etc/pam.d/gdm-launch-environment:session required pam_env.so readenv=1
/etc/pam.d/gdm-launch-environment:session required pam_env.so readenv=1 envfile=/etc/default/locale
/etc/pam.d/gdm-password:session required pam_env.so readenv=1
/etc/pam.d/gdm-password:session required pam_env.so readenv=1 envfile=/etc/default/locale
/etc/pam.d/login:# file /etc/security/pam_env.conf.
/etc/pam.d/login:session required pam_env.so readenv=1
/etc/pam.d/login:session required pam_env.so readenv=1 envfile=/etc/default/locale
/etc/pam.d/polkit-1:session required pam_env.so readenv=1 user_readenv=0
/etc/pam.d/polkit-1:session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
/etc/pam.d/su:# file /etc/security/pam_env.conf.
/etc/pam.d/su:session required pam_env.so readenv=1
/etc/pam.d/su:session required pam_env.so readenv=1 envfile=/etc/default/locale
```
eang
(575 rep)
Jan 5, 2015, 05:46 PM
• Last activity: Jun 18, 2025, 09:07 PM
2 votes, 2 answers, 2865 views
How to stop Gnome Keyring from asking for Login password, like it used to?
Previously, Gnome Keyring only asked for the Default Keyring password when I attempted to launch Chrome. I tried playing around with settings in Seahorse to see if there was a work around for this, other than leaving the password database unencrypted. During that process I switched the default keyring to the Login Keyring. Obviously, that did not impact Chrome asking for a keyring password; so, I switched the default keyring back to the Default Keyring.
Now, when Lightdm auto logs me in to Cinnamon, Gnome Keyring asks for the Login password every time, after logging in. I cancel that prompt and Gnome Keyring asks for the Default Keyring when I launch Chrome. (I'm fine with this.) How do I return to the old behaviour of having the Login Keyring encrypted, but never asking for my user password? (default uses root)
I never explicitly set up a password for the Login Keyring prior, and I'm pretty sure it was encrypted before since there has been a Login keyring file since I installed Gnome Keyring a few weeks back.
ZeroPhase
(381 rep)
Jun 29, 2018, 01:31 AM
• Last activity: Jun 12, 2025, 04:09 AM
7 votes, 0 answers, 7249 views
How to setup passkey authentication in Linux?
I have [setup](https://gist.github.com/pavinjosdev/0d7ade586e4b4a33d03a19c7684e78ce) the PAM module `pam_u2f.so` for FIDO2 as the primary authentication method on my LMDE 5 (based on Debian 11) machine.
Is there a way to integrate passkey support with this PAM module or with another?
Specifically I'm looking for the ability to use Google [passkeys](https://passkeys.dev/device-support/) in addition to my hardware security key (Yubikey).
There are several advantages to using a passkey from Google/Apple with the potential privacy downside:
1. The credentials are tied to the Google account and synced across all Google devices, so any device can be used as an authenticator
2. Not tied to a physical object that can be lost/stolen
3. Main point for lazy me: no need to remove a lost/stolen/damaged key from every website and device it's configured on
The Chrome browser on Linux sends a push notification via Bluetooth to a nearby Android smartphone for FIDO2/WebAuthn registration/authentication.
Can the pam_u2f.so
module (or another one) be configured to send a similar request and receive its response instead of relying on a locally connected USB security key?
Pavin Joseph
(276 rep)
Sep 10, 2023, 01:17 PM
• Last activity: Jun 8, 2025, 09:47 AM
-1 votes, 1 answer, 39 views
publickey authentication getting failed in rhel
I have 2 RHEL machines. I am attempting to log in via ssh with public key authentication from 1 machine (say Machine A) to the other (say machine B), both of which are in the same network. For that, I first created a .ssh folder in the home directory of an account which happens to be a domain account. Then I created a file "authorized_keys" where I added the public key generated on machine B. I gave appropriate permissions to the ".ssh" folder (700) and the "authorized_keys" file (600). I also made the necessary changes in the /etc/ssh/sshd_config file and restarted the sshd service. When I try to log in from machine B via ssh, it is still prompting for a password.
My `/etc/pam.d/sshd` file looks like below:
```
#### Google OS Login control. Do not edit this section. ####
auth [default=ignore] pam_group.so
#### End Google OS Login control section. ####
#%PAM-1.0
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
```
and the `password-auth` file in `/etc/pam.d/` looks like below:
```
# This file is used for both password-auth and system-auth and is statically managed by Salt
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account [success=2 default=ignore] pam_succeed_if.so service in su:su-l:sudo:sudo-i:login:systemd-user:crond quiet
account [success=1 default=ignore] pam_oslogin_login.so
account substack gmi-policy
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
```
Can someone please tell me where in the configuration I have to make changes for successful ssh public key authentication?
Biswa
(99 rep)
May 7, 2025, 07:02 PM
• Last activity: May 7, 2025, 11:08 PM
5 votes, 0 answers, 764 views
WebDAV server with PAM auth and system file permissions?
Basically, what I'm looking for is Samba - except that I want it to be WebDAV in the front. The requirements are that the users can log in to the WebDAV dir with their system account, and files will have their user and group set accordingly.
I know there's sambadav, but frustratingly, it seems to not be possible to get write functionality with it under FreeBSD.
Daniel Ziltener
(157 rep)
Sep 28, 2016, 09:31 AM
• Last activity: May 7, 2025, 11:07 PM
0 votes, 2 answers, 3948 views
pam_lastlog does not write to /var/log/lastlog
I am using pamela with JupyterHub to open PAM sessions for my users. I am on CentOS 8 and I am using the login service. I can see in /var/log/secure
> pam_unix(login:session): session opened for user testuser by (uid=0)
and in /var/log/messages
> systemd\[1\]: Started Session 8341 of user testuser
Furthermore there are no errors logged in /var/log/{messages|secure|audit/audit.log}. But with a new user successfully logged in to JupyterHub, the lastlog command still says that this user has never logged in. So I think I am missing some requirements for pam_lastlog in order to write information to /var/log/lastlog. pam_open_session is called in a subprocess with root privileges. Maybe this subprocess needs to be tied to a pts or tty in order to write useful information to /var/log/lastlog? This is the /etc/pam.d/login file:
```
#%PAM-1.0
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
```
This is in /etc/pam.d/postlogin:
```
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed
```
And this is in /etc/pam.d/system-auth:
```
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
```
Niklas Netter
(31 rep)
Apr 21, 2020, 09:39 AM
• Last activity: May 6, 2025, 09:08 PM
0 votes, 1 answer, 751 views
pam_env(sshd:session): deprecated reading of user environment enabled
Debian 12 Bookworm;
Inspecting the SSH system log , there is always a trailing grayed-out message at the end of each log entry:
> pam_env(sshd:session): deprecated reading of user environment enabled
I am curious if / how to safely get rid of it?
The whole SSH entry for reference:
```
May 02 23:11:24 sshd: Server listening on 0.0.0.0 port -port number redacted-
May 02 23:11:40 sshd: Accepted publickey for root from -ip address redacted- port 41318 ssh2: ED25519 SHA256:-public key id redacted-
May 02 23:11:40 sshd: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
May 02 23:11:40 sshd: pam_env(sshd:session): deprecated reading of user environment enabled
```
Vlastimil Burián
(30505 rep)
May 3, 2025, 07:49 AM
• Last activity: May 3, 2025, 07:56 AM
4 votes, 1 answer, 3565 views
libpam-pwquality not working in Ubuntu 16.04
I installed `libpam-pwquality`:
```
sudo apt-get install libpam-pwquality
```
And configured `/etc/pam.d/common-password`:
```
password requisite pam_pwquality.so retry=3 minlen=10
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password required pam_deny.so
password required pam_permit.so
```
Then when I ran `passwd`, I could still set a password of 2 or 3 characters. What was missing?
Geek
(191 rep)
Nov 22, 2016, 08:43 PM
• Last activity: Apr 28, 2025, 08:04 AM
0 votes, 1 answer, 3693 views
How to fix "PAM unable to dlopen(/lib64/security/pam_ldap.so)" in SLES 15 SP4?
Somehow I ended up in SLES 15 with error messages like this:
> (systemd)[6729]: PAM unable to dlopen(/lib64/security/pam_ldap.so): /lib64/security/pam_ldap.so: cannot open shared object file: No such file or directory
However, I'm not sure what led to that situation, and I'm also unsure how to fix it, because there seems to be no RPM with `pam_ldap.so`.
The system had been upgraded from SLES 12 SP5 via SLES 15 SP3 to SLES 15 SP4.
Obviously LDAP client configuration was intended and once worked, but it does not at the moment.
U. Windl
(1715 rep)
May 23, 2023, 08:56 AM
• Last activity: Apr 28, 2025, 03:00 AM
1
votes
0
answers
42
views
How to debug chpasswd "Authentication token manipulation error"
I'm trying to programmatically change a user's password using chpasswd, but I'm getting the following error:
```
/sbin/chpasswd "
chpasswd: (user 0s22xmgW) pam_chauthtok() failed, error: Authentication token manipulation error
chpasswd: (line 1, user 0s22xmgW) password not changed
root@phantom:/home/ealfonso#
```
After trying to enhance PAM debug logging by appending "debug" to most lines in `/etc/pam.d/common-auth` and `/etc/pam.d/common-password`, and checking `/var/auth.log`, I see the following logs:
```
2025-04-23T12:37:33.676089-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): pam_sm_chauthtok: entry (prelim)
2025-04-23T12:37:33.676432-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): (user 0s22xmgW) attempting authentication as 0s22xmgW@example.com for kadmin/changepw
2025-04-23T12:37:34.701043-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): (user 0s22xmgW) krb5_get_init_creds_password: Client '0s22xmgW@example.com' not found in Kerberos database
2025-04-23T12:37:34.701246-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): pam_sm_chauthtok: exit (failure)
2025-04-23T12:37:34.701331-04:00 phantom chpasswd: pam_unix(chpasswd:chauthtok): username [0s22xmgW] obtained
2025-04-23T12:37:34.701762-04:00 phantom chpasswd: gkr-pam: invalid option: debug
2025-04-23T12:37:34.701966-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): pam_sm_chauthtok: entry (update)
2025-04-23T12:37:34.702065-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): (user 0s22xmgW) attempting authentication as 0s22xmgW@MY_REALM for kadmin/changepw
2025-04-23T12:37:35.719315-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): (user 0s22xmgW) krb5_get_init_creds_password: Client not found in Kerberos database
2025-04-23T12:37:35.719842-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): pam_sm_chauthtok: exit (failure)
2025-04-23T12:37:35.719923-04:00 phantom chpasswd: pam_unix(chpasswd:chauthtok): username [0s22xmgW] obtained
2025-04-23T12:37:35.719980-04:00 phantom chpasswd: pam_unix(chpasswd:chauthtok): password - new password not obtained
```
I do use kerberos authentication for AFS and I see some kerberos-related logs, but in this case I'm only trying to change the local unix password of the local unix user.
The last two lines in the log show that chpasswd was able to obtain the user, but for some unknown reason, not the password:
```
2025-04-23T12:37:35.719923-04:00 phantom chpasswd: pam_unix(chpasswd:chauthtok): username [0s22xmgW] obtained
2025-04-23T12:37:35.719980-04:00 phantom chpasswd: pam_unix(chpasswd:chauthtok): password - new password not obtained
```
How can I get the reason behind the `new password not obtained` error and further debug this?
I did try using strace and I see some kerberos-auth-related DNS and network requests, but again I'm not sure whether those are relevant to the failure to set the local unix password.
For detail, below is the strace log:
I think I do have the proper permissions on /etc/passwd and /etc/shadow:
```
ls -l /etc/shadow /etc/passwd
-rw-r--r-- 1 root root 2474 Apr 23 12:30 /etc/passwd
-rw-r----- 1 root shadow 1371 Apr 23 12:30 /etc/shadow
```
`# grep -i password /etc/pam.d/common*`:
```
# grep -i password /etc/pam.d/common*
/etc/pam.d/common-password:# /etc/pam.d/common-password - password-related modules common to all services
/etc/pam.d/common-password:# used to change user passwords. The default is pam_unix.
/etc/pam.d/common-password:#hashed passwords using the yescrypt algorithm, introduced in Debian
/etc/pam.d/common-password:#used the option "sha512"; if a shadow password hash will be shared
/etc/pam.d/common-password:password [success=2 default=ignore] pam_krb5.so minimum_uid=1000 debug
/etc/pam.d/common-password:password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt debug
/etc/pam.d/common-password:password requisite pam_deny.so debug
/etc/pam.d/common-password:password required pam_permit.so debug
/etc/pam.d/common-password:password optional pam_gnome_keyring.so debug
/etc/pam.d/common-password:password optional pam_ecryptfs.so debug
```
`# cat /etc/nsswitch.conf`:
```
# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd
group: files systemd
shadow: files systemd
gshadow: files systemd
hosts: files mdns4_minimal dns [NOTFOUND=return] dns mymachines myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
```
```
$ grep -P "pam_unix|pam_krb" -R /etc/pam.d
common-account:17:account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
common-account:25:account required pam_krb5.so minimum_uid=1000
common-auth:17:auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000 debug
common-auth:18:auth [success=1 default=ignore] pam_unix.so nullok try_first_pass debug
common-session-noninteractive:24:session optional pam_krb5.so minimum_uid=1000
common-session-noninteractive:25:session required pam_unix.so
runuser:5:session required pam_unix.so
login:8:# to disable any delay, you should add the nodelay option to pam_unix)
common-password:6:# used to change user passwords. The default is pam_unix.
common-password:8:# Explanation of pam_unix options:
common-password:15:#`OBSCURE_CHECKS_ENAB' option in login.defs. See the pam_unix manpage
common-password:25:password [success=2 default=ignore] pam_krb5.so minimum_uid=1000 debug
common-password:26:password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt debug
common-session:23:session optional pam_krb5.so minimum_uid=1000
common-session:24:session required pam_unix.so
```
ealfonso
(993 rep)
Apr 23, 2025, 04:51 PM
• Last activity: Apr 23, 2025, 07:44 PM
0
votes
2
answers
109
views
How to redirect output from a program that waits for input
Following this post I created my own version of the script, with the difference that user and password are forwarded from the environment variables:
```
#!/bin/zsh
pamtester login $user authenticate << eof
`echo $pwd`
eof
```
How is it possible to redirect the output of the pamtester to a variable within the script? It looks like I always get the pamtester output on the terminal, `Password: pamtester: successfully authenticated` or `Password: pamtester: Authentication failure`, and everything that I insert after the eof line is ignored.
Namal
(101 rep)
Apr 11, 2025, 11:07 AM
• Last activity: Apr 22, 2025, 04:35 PM
4
votes
1
answers
4376
views
Freeradius PAM create user and home on login
At this moment I have installed freeradius and PAM radius properly. When I create an account on the system and set a password in /etc/raddb/users.conf the user can login. Sudo also works great with PAM radius.
What I want to achieve is that when I create a user in /etc/raddb/users.conf and reload the config, the account and home dir will be created if the authentication for Radius succeeds.
I tried many things including
```
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
```
The last log lines from the login without a system user account:
```
Feb 23 18:59:17 localhost sshd: pam_unix(sshd:auth): check pass; user unknown
Feb 23 18:59:18 localhost sshd: Failed password for invalid user pop from 192.168.0.115 port 53608 ssh2
Feb 23 18:59:18 localhost sshd: Connection closed by 192.168.0.115 [preauth]
Feb 23 18:59:18 localhost sshd: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=danys-mbp.fritz.box
Feb 23 18:59:18 localhost sshd: PAM service(sshd) ignoring max retries; 4 > 3
Feb 23 18:59:18 localhost sshd: Invalid user pop from 192.168.0.115
Feb 23 18:59:18 localhost sshd: input_userauth_request: invalid user pop [preauth]
Feb 23 18:59:21 localhost sshd: pam_unix(sshd:auth): check pass; user unknown
Feb 23 18:59:21 localhost sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=danys-mbp.fritz.box
Feb 23 18:59:22 localhost sshd: Failed password for invalid user pop from 192.168.0.115 port 53609 ssh2
```
My config for PAM sshd:
```
#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_radius_auth.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
#account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
```
Is it possible to create the system account and home directory on login when using freeradius and PAM radius? If so, how does this work?
PS: I am using CentOS 7.
Edit: I have tried with a bash script to check if the user exists, and then to create it if it does not exist, but this will not work and I do not see any log output for pam_exec.so failing.
Edit: radtest tells me the username and password are correct
Dany
(231 rep)
Feb 25, 2016, 10:04 AM
• Last activity: Apr 22, 2025, 03:08 PM