Hi Folks,

I am trying to authenticate users to bconsole using PAM. I used the following two guidelines (with small adjustments due to reasons I explain below):

https://docs.bareos.org/master/TasksAndConcepts/PAM.html#configuration
https://github.com/bareos/bareos-contrib/tree/master/misc/bareos_pam_integration

Unfortunately, I had pam_exec_add_bareos_user.py script errors:

root@e2b0cad87793:/# /etc/bareos/pam_exec_add_bareos_user.py --name pam-adduser --password eX2rBYCptQeAvz82EIRIrB6tWuQKVCdBd3V2ygXoqU6pcnpNV6Hr3Lpg3H4I --profile pam-adduser
WARNING lowlevel._handleSocketError: socket error: [SSL: ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT] attempt to reuse session in different context (_ssl.c:727)
WARNING lowlevel.__connect: Failed to connect via TLS-PSK. Trying plain connection.
INFO directorconsole.finalize_authentication: Authentication: OK: bareos-dir Version: 19.2.7 (16 April 2020)
ERROR pam_exec_add_bareos_user.check_requirements: The version command is required, but not available: failed: version: is an invalid command.

Log example:

root@e2b0cad87793:/# adduser test1
Adding user `test1' ...
Adding new group `test1' (1001) ...
Adding new user `test1' (1000) with group `test1' ...
Creating home directory `/home/test1' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for test1
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y

root@e2b0cad87793:/# cat /etc/pam.d/bareos
auth required pam_unix.so
#auth requisite pam_ldap.so
#auth [default=ignore] pam_exec.so quiet /etc/bareos/pam_exec_add_bareos_user.py --name pam-adduser --password eX2rBYCptQeAvz82EIRIrB6tWuQKVCdBd3V2ygXoqU6pcnpNV6Hr3Lpg3H4I --profile pam-adduser

root@e2b0cad87793:/# su - bareos -s /bin/bash -c "pamtester bareos test1 authenticate"
Password:
pamtester: Authentication failure

root@e2b0cad87793:/# chown bareos /etc/shadow

root@e2b0cad87793:/# su - bareos -s /bin/bash -c "pamtester bareos test1 authenticate"
Password:
pamtester: successfully authenticated

root@e2b0cad87793:/# cat /etc/bareos/bconsole-pam-preauth.conf
#
# Bareos User Agent (or Console) Configuration File
#
Director {
  Name = bareos-dir
  address = localhost
  Password = "7txKyTD6LqGI0sQEX16tmG/crvn4mimRwkA/iIRDZeEk"
  Description = "Bareos Console credentials for local Director"
}
Console {
  Name = "pam-preauth"
  Password = "FGHLdpjYIdIKva8XD4aLUmc1z4DR0tKgnXW"
}

root@e2b0cad87793:/# cat /etc/bareos/bareos-dir.d/console/pam-preauth.conf
Console {
  Name = "pam-preauth"
  Password = "FGHLdpjYIdIKva8XD4aLUmc1z4DR0tKgnXW"
  UsePamAuthentication = yes
}

root@e2b0cad87793:/# su - test1 -s /bin/bash -c "bconsole -d 250 -c /etc/bareos/bconsole-pam-preauth.conf"
bconsole (100): lib/parse_conf.cc:208-0 config file = /etc/bareos/bconsole-pam-preauth.conf
bconsole (100): lib/lex.cc:333-0 glob /etc/bareos/bconsole-pam-preauth.conf: 1 files
bconsole (100): lib/lex.cc:226-0 open config file: /etc/bareos/bconsole-pam-preauth.conf
bconsole (100): lib/lex.cc:333-0 glob /etc/bareos/bconsole-pam-preauth.conf: 1 files
bconsole (100): lib/lex.cc:226-0 open config file: /etc/bareos/bconsole-pam-preauth.conf
Connecting to Director localhost:9101
bconsole (100): lib/jcr.cc:195-0 Construct JobControlRecord
bconsole (100): lib/bsock.cc:84-0 Construct BareosSocket
bconsole (100): lib/bsock_tcp.cc:233-0 Current host[ipv6;::1;9101] All host[ipv6;::1;9101] host[ipv4;127.0.0.1;65535]
bconsole (100): lib/bsock_tcp.cc:233-0 Current host[ipv4;127.0.0.1;9101] All host[ipv6;::1;9101] host[ipv4;127.0.0.1;9101]
bconsole (100): lib/bsock_tcp.cc:152-0 who=Director daemon host=localhost port=9101
bconsole (100): lib/tls_openssl_private.cc:63-0 Construct TlsOpenSslPrivate
bconsole (100): lib/tls_openssl_private.cc:550-0 Set tcp filedescriptor: <3>
bconsole (100): lib/tls_openssl_private.cc:496-0 Set ca_certfile: <>
bconsole (100): lib/tls_openssl_private.cc:502-0 Set ca_certdir: <>
bconsole (100): lib/tls_openssl_private.cc:508-0 Set crlfile_: <>
bconsole (100): lib/tls_openssl_private.cc:514-0 Set certfile_: <>
bconsole (100): lib/tls_openssl_private.cc:520-0 Set keyfile_: <>
bconsole (100): lib/tls_openssl_private.cc:538-0 Set dhfile_: <>
bconsole (100): lib/tls_openssl_private.cc:556-0 Set cipherlist: <>
bconsole (100): lib/tls_openssl_private.cc:544-0 Set Verify Peer: <false>
bconsole (50): lib/tls_openssl.cc:86-0 Preparing TLS_PSK CLIENT context for identity R_CONSOLE pam-preauth
bconsole (100): lib/tls_openssl_private.cc:481-0 psk_client_cb. identity: R_CONSOLE pam-preauth.
bconsole (50): lib/bnet.cc:196-0 TLS client negotiation established.
bconsole (100): lib/cram_md5.cc:136-0 cram-get received: auth cram-md5 <1452758124.1592503175@bareos-dir> ssl=1
bconsole (99): lib/cram_md5.cc:178-0 sending resp to challenge: cB5MTA+Um6+rw4+Do7/+vD
bconsole (50): lib/cram_md5.cc:82-0 send: auth cram-md5 <1690045988.1592503175@bconsole> ssl=1
bconsole (50): lib/cram_md5.cc:107-0 Authenticate OK u+srR8+qZ0/WeX/oa6/qZB
bconsole (6): lib/bsock.cc:357-0 >dird: 1000 OK auth
Encryption: TLS_CHACHA20_POLY1305_SHA256
login:test1
Password:
1000 OK: bareos-dir Version: 19.2.7 (16 April 2020)
bareos.org build binary
bareos.org binaries are UNSUPPORTED by bareos.com.
Get official binaries and vendor support on https://www.bareos.com
You are logged in as: test1
bconsole (40): console/console.cc:1125-0 Opened connection with Director daemon
Enter a period (.) to cancel a command.
*

root@e2b0cad87793:/# cat /etc/bareos/bareos-dir.d/console/pam-adduser.conf
Console {
  Name = "pam-adduser"
  Password = "eX2rBYCptQeAvz82EIRIrB6tWuQKVCdBd3V2ygXoqU6pcnpNV6Hr3Lpg3H4I"
  CommandACL = ".api", ".consoles", ".profiles", "configure", ".users", "version", ".version"
  TlsEnable = "false"
  TLS Enable = No
}

root@e2b0cad87793:/# cat /etc/bareos/bareos-dir.d/profile/pam-adduser.conf
Profile {
  Name = "pam-adduser"
  CommandACL = *all*
  Job ACL = *all*
  Schedule ACL = *all*
  Catalog ACL = *all*
  Pool ACL = *all*
  Storage ACL = *all*
  Client ACL = *all*
  FileSet ACL = *all*
  Where ACL = *all*
}

root@e2b0cad87793:/# cat /etc/pam.d/bareos
#auth required pam_unix.so
#auth requisite pam_ldap.so
auth [default=ignore] pam_exec.so quiet /etc/bareos/pam_exec_add_bareos_user.py --name pam-adduser --password eX2rBYCptQeAvz82EIRIrB6tWuQKVCdBd3V2ygXoqU6pcnpNV6Hr3Lpg3H4I --profile pam-adduser

root@e2b0cad87793:/# su - test1 -s /bin/bash -c "bconsole -d 250 -c /etc/bareos/bconsole-pam-preauth.conf"
bconsole (100): lib/parse_conf.cc:208-0 config file = /etc/bareos/bconsole-pam-preauth.conf
bconsole (100): lib/lex.cc:333-0 glob /etc/bareos/bconsole-pam-preauth.conf: 1 files
bconsole (100): lib/lex.cc:226-0 open config file: /etc/bareos/bconsole-pam-preauth.conf
bconsole (100): lib/lex.cc:333-0 glob /etc/bareos/bconsole-pam-preauth.conf: 1 files
bconsole (100): lib/lex.cc:226-0 open config file: /etc/bareos/bconsole-pam-preauth.conf
Connecting to Director localhost:9101
bconsole (100): lib/jcr.cc:195-0 Construct JobControlRecord
bconsole (100): lib/bsock.cc:84-0 Construct BareosSocket
bconsole (100): lib/bsock_tcp.cc:233-0 Current host[ipv6;::1;9101] All host[ipv6;::1;9101] host[ipv4;127.0.0.1;65535]
bconsole (100): lib/bsock_tcp.cc:233-0 Current host[ipv4;127.0.0.1;9101] All host[ipv6;::1;9101] host[ipv4;127.0.0.1;9101]
bconsole (100): lib/bsock_tcp.cc:152-0 who=Director daemon host=localhost port=9101
bconsole (100): lib/tls_openssl_private.cc:63-0 Construct TlsOpenSslPrivate
bconsole (100): lib/tls_openssl_private.cc:550-0 Set tcp filedescriptor: <3>
bconsole (100): lib/tls_openssl_private.cc:496-0 Set ca_certfile: <>
bconsole (100): lib/tls_openssl_private.cc:502-0 Set ca_certdir: <>
bconsole (100): lib/tls_openssl_private.cc:508-0 Set crlfile_: <>
bconsole (100): lib/tls_openssl_private.cc:514-0 Set certfile_: <>
bconsole (100): lib/tls_openssl_private.cc:520-0 Set keyfile_: <>
bconsole (100): lib/tls_openssl_private.cc:538-0 Set dhfile_: <>
bconsole (100): lib/tls_openssl_private.cc:556-0 Set cipherlist: <>
bconsole (100): lib/tls_openssl_private.cc:544-0 Set Verify Peer: <false>
bconsole (50): lib/tls_openssl.cc:86-0 Preparing TLS_PSK CLIENT context for identity R_CONSOLE pam-preauth
bconsole (100): lib/tls_openssl_private.cc:481-0 psk_client_cb. identity: R_CONSOLE pam-preauth.
bconsole (50): lib/bnet.cc:196-0 TLS client negotiation established.
bconsole (100): lib/cram_md5.cc:136-0 cram-get received: auth cram-md5 <679887046.1592506169@bareos-dir> ssl=1
bconsole (99): lib/cram_md5.cc:178-0 sending resp to challenge: 16+En7+MG8/Fd4dspWsxrC
bconsole (50): lib/cram_md5.cc:82-0 send: auth cram-md5 <867273750.1592506169@bconsole> ssl=1
bconsole (50): lib/cram_md5.cc:107-0 Authenticate OK Zm+3K7/a47/rD/+4vlgKND
bconsole (6): lib/bsock.cc:357-0 >dird: 1000 OK auth
Encryption: TLS_CHACHA20_POLY1305_SHA256
login:test1
Password:
1000 OK: bareos-dir Version: 19.2.7 (16 April 2020)
bareos.org build binary
bareos.org binaries are UNSUPPORTED by bareos.com.
Get official binaries and vendor support on https://www.bareos.com
You are logged in as: test1
bconsole (40): console/console.cc:1125-0 Opened connection with Director daemon
Enter a period (.) to cancel a command.
*exit
bconsole (100): lib/tls_openssl.cc:73-0 Destruct TLsOpenSsl Implementation Object
bconsole (100): lib/tls_openssl_private.cc:68-0 Destruct TlsOpenSslPrivate
bconsole (100): lib/jcr.cc:392-0 Destruct JobControlRecord
bconsole (100): lib/jcr.cc:278-0 FreeCommonJcr: 7fff0c5aca50
bconsole (100): lib/bsock.cc:136-0 Destruct BareosSocket

root@e2b0cad87793:/# su - test1 -s /bin/bash -c "bconsole -d 250 -c /etc/bareos/bconsole-pam-preauth.conf"
bconsole (100): lib/parse_conf.cc:208-0 config file = /etc/bareos/bconsole-pam-preauth.conf
bconsole (100): lib/lex.cc:333-0 glob /etc/bareos/bconsole-pam-preauth.conf: 1 files
bconsole (100): lib/lex.cc:226-0 open config file: /etc/bareos/bconsole-pam-preauth.conf
bconsole (100): lib/lex.cc:333-0 glob /etc/bareos/bconsole-pam-preauth.conf: 1 files
bconsole (100): lib/lex.cc:226-0 open config file: /etc/bareos/bconsole-pam-preauth.conf
Connecting to Director localhost:9101
bconsole (100): lib/jcr.cc:195-0 Construct JobControlRecord
bconsole (100): lib/bsock.cc:84-0 Construct BareosSocket
bconsole (100): lib/bsock_tcp.cc:233-0 Current host[ipv6;::1;9101] All host[ipv6;::1;9101] host[ipv4;127.0.0.1;65535]
bconsole (100): lib/bsock_tcp.cc:233-0 Current host[ipv4;127.0.0.1;9101] All host[ipv6;::1;9101] host[ipv4;127.0.0.1;9101]
bconsole (100): lib/bsock_tcp.cc:152-0 who=Director daemon host=localhost port=9101
bconsole (100): lib/tls_openssl_private.cc:63-0 Construct TlsOpenSslPrivate
bconsole (100): lib/tls_openssl_private.cc:550-0 Set tcp filedescriptor: <3>
bconsole (100): lib/tls_openssl_private.cc:496-0 Set ca_certfile: <>
bconsole (100): lib/tls_openssl_private.cc:502-0 Set ca_certdir: <>
bconsole (100): lib/tls_openssl_private.cc:508-0 Set crlfile_: <>
bconsole (100): lib/tls_openssl_private.cc:514-0 Set certfile_: <>
bconsole (100): lib/tls_openssl_private.cc:520-0 Set keyfile_: <>
bconsole (100): lib/tls_openssl_private.cc:538-0 Set dhfile_: <>
bconsole (100): lib/tls_openssl_private.cc:556-0 Set cipherlist: <>
bconsole (100): lib/tls_openssl_private.cc:544-0 Set Verify Peer: <false>
bconsole (50): lib/tls_openssl.cc:86-0 Preparing TLS_PSK CLIENT context for identity R_CONSOLE pam-preauth
bconsole (100): lib/tls_openssl_private.cc:481-0 psk_client_cb. identity: R_CONSOLE pam-preauth.
bconsole (50): lib/bnet.cc:196-0 TLS client negotiation established.
bconsole (100): lib/cram_md5.cc:136-0 cram-get received: auth cram-md5 <1748034700.1592506230@bareos-dir> ssl=1
bconsole (99): lib/cram_md5.cc:178-0 sending resp to challenge: b5gdmn+DA/lWS+Iug7UsYB
bconsole (50): lib/cram_md5.cc:82-0 send: auth cram-md5 <246452041.1592506230@bconsole> ssl=1
bconsole (50): lib/cram_md5.cc:107-0 Authenticate OK Y7g9mQEpj9/tC4ppLGcAXD
bconsole (6): lib/bsock.cc:357-0 >dird: 1000 OK auth
Encryption: TLS_CHACHA20_POLY1305_SHA256
*PAM authentication failed. Giving up.*

root@e2b0cad87793:/# /etc/bareos/pam_exec_add_bareos_user.py --name pam-adduser --password eX2rBYCptQeAvz82EIRIrB6tWuQKVCdBd3V2ygXoqU6pcnpNV6Hr3Lpg3H4I --profile pam-adduser
/usr/lib/python2.7/dist-packages/bareos/bsock/lowlevel.py:39: UserWarning: Connection encryption via TLS-PSK is not available, as the module sslpsk is not installed.
  u"Connection encryption via TLS-PSK is not available, as the module sslpsk is not installed."
INFO directorconsole.finalize_authentication: Authentication: OK: bareos-dir Version: 19.2.7 (16 April 2020)
ERROR pam_exec_add_bareos_user.check_requirements: The version command is required, but not available: failed: version: is an invalid command.

root@e2b0cad87793:/# apt-get install -y python-dev \
    build-essential libssl-dev libffi-dev \
    libxml2-dev libxslt1-dev zlib1g-dev \
    python-pip

root@e2b0cad87793:/# python -m pip install sslpsk
Collecting sslpsk
  Downloading https://files.pythonhosted.org/packages/87/1c/b8b5a2d0af9f9a3624d65ce1981777275ac765be45839c4c052018ec715e/sslpsk-1.0.0.tar.gz
Building wheels for collected packages: sslpsk
  Running setup.py bdist_wheel for sslpsk ... done
  Stored in directory: /root/.cache/pip/wheels/b1/4c/e4/7cc48ca1747112089b9c2f12ad106cf00a5ca0260bb3fbaabd
Successfully built sslpsk
Installing collected packages: sslpsk
Successfully installed sslpsk-1.0.0

root@e2b0cad87793:/# /etc/bareos/pam_exec_add_bareos_user.py --name pam-adduser --password eX2rBYCptQeAvz82EIRIrB6tWuQKVCdBd3V2ygXoqU6pcnpNV6Hr3Lpg3H4I --profile pam-adduser
WARNING lowlevel._handleSocketError: socket error: [SSL: ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT] attempt to reuse session in different context (_ssl.c:727)
WARNING lowlevel.__connect: Failed to connect via TLS-PSK. Trying plain connection.
INFO directorconsole.finalize_authentication: Authentication: OK: bareos-dir Version: 19.2.7 (16 April 2020)
ERROR pam_exec_add_bareos_user.check_requirements: The version command is required, but not available: failed: version: is an invalid command.

Any thoughts, ideas?

Thanks,
Denis Akimov