From: ahoward
X-Newsgroups: comp.databases.postgresql.general
Subject: pam-linux, /etc/shadow : HOW-TO
Date: Tue, 20 May 2003 19:13:29 +0000
Organization: NOAA Boulder
To: pgsql-general@postgresql.org
Message-ID:
X-Archive-Number: 200305/778
X-Sequence-Number: 42433

note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel, or postgresql, but this setup is a safe, working, postgresql/linux/pam setup.

0) configure postgresql for pam, for example

    [root@omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
    host all all 137.75.0.0 255.255.0.0 pam

1) create a /etc/pam.d/postgresql entry, here's how i did mine

    [root@omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql

i don't know if it's the best setup, but it works! mine looks like this

    [root@omega tmp]# cat /etc/pam.d/postgresql
    #%PAM-1.0
    auth       required   /lib/security/pam_stack.so service=system-auth
    account    required   /lib/security/pam_stack.so service=system-auth
    password   required   /lib/security/pam_stack.so service=system-auth

2) create a shadow group which will be used for users needing read-access to /etc/shadow, and add postgres (or whatever user the postmaster runs as) to this entry. i used vi to add this entry to /etc/group

    [root@omega tmp]# grep shadow /etc/group
    shadow:*:4002:root,postgres

root probably does not *need* to be added. note the '*' vs. an 'x' in the password field. if you place an 'x' there you will also have to set up /etc/gshadow - i did not want to do this. if you don't set up /etc/gshadow pam will NOT work if an 'x' is in the password field - at least with my linux system.

3) make /etc/shadow group shadow

    [root@omega tmp]# chgrp shadow /etc/shadow

4) chmod 0440 /etc/shadow

essentially, pam will not work with postgres since the daemon needs at some point, no matter how many library calls deep, to open and read /etc/shadow (assuming this is how your system is using pam). you must have some solution which allows postgres, but not everyone, to read /etc/shadow. others probably exist.

-a

--
====================================
| Ara Howard
| NOAA Forecast Systems Laboratory
| Information and Technology Services
| Data Systems Group
| R/FST 325 Broadway
| Boulder, CO 80305-3328
| Email: ara.t.howard@fsl.noaa.gov
| Phone: 303-497-7238
| Fax: 303-497-7259
====================================
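The following script is an added example and is not part of Ara's post or of PostgreSQL; it checks that steps 2) to 4) above actually hold on a system, i.e. that the group entry has '*' (not 'x') in its password field and lists the postmaster user as a member, and that /etc/shadow is group-owned by that group with mode 0440, so that the daemon can read it and nobody outside the group can. The function names, return codes and the use of GNU `stat -c` are my assumptions; the file paths given on the command line are only so the functions can be exercised on constructed copies without root.

```shell
#!/bin/sh
# Added example, not from the original post: verify the /etc/shadow access
# model described in the how-to.  Both checks take explicit file paths so
# they can be run against constructed copies as well as the real files.

# shadow_group_ok GROUPFILE GROUP USER
#   0 = ok, 1 = no such group, 2 = password field is not '*' (the post says
#   an 'x' requires /etc/gshadow to be set up), 3 = USER is not a member.
shadow_group_ok() {
    group_file=$1; group=$2; user=$3
    line=$(grep "^${group}:" "$group_file") || return 1
    pw=$(printf '%s\n' "$line" | cut -d: -f2)
    members=$(printf '%s\n' "$line" | cut -d: -f4)
    [ "$pw" = '*' ] || return 2
    printf '%s\n' "$members" | tr ',' '\n' | grep -qxF "$user" || return 3
    return 0
}

# shadow_perms_ok FILE GROUP
#   0 = ok, 1 = cannot stat, 2 = mode is not 0440 (world- or group-writable,
#   or world-readable, would defeat the point), 3 = wrong owning group.
shadow_perms_ok() {
    file=$1; group=$2
    mode=$(stat -c '%a' "$file" 2>/dev/null) || return 1
    grp=$(stat -c '%G' "$file" 2>/dev/null) || return 1
    [ "$mode" = "440" ] || return 2
    [ "$grp" = "$group" ] || return 3
    return 0
}

# Usage on a real system (as root):  sh check_shadow.sh shadow postgres
if [ "$#" -eq 2 ]; then
    if shadow_group_ok /etc/group "$1" "$2" && shadow_perms_ok /etc/shadow "$1"; then
        echo "ok: $2 can read /etc/shadow via group $1; mode is 0440"
    else
        echo "not set up as the how-to describes (see return codes above)" >&2
        exit 1
    fi
fi
```

The mode check is deliberately exact rather than "at least readable by the group": a looser /etc/shadow (0444, 0640 with a wide group) would also let PAM work, but the whole point of the group is that only the postmaster and root get to read password hashes.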