Bug#675924: radicale: Error on PAM authentication
Hi Jonas,

On Wed, 09 Jan 2013 20:35:33 +0100 Jonas Smedegaard d...@jones.dk wrote:

> You most likely use PAM with shadow passwords.

It seems that you are absolutely right :-) Perhaps it can be enough to add the radicale's user into the shadow group, and now I am not sure if I was trying this.

But, as I wrote earlier, I have gone away from radicale (not related only to the PAM problem).

regards

--
Slavko
http://slavino.sk
Bug#675924: radicale: Error on PAM authentication
Quoting Slavko (2013-01-10 20:28:46)
> Hi Jonas,
>
> On Wed, 09 Jan 2013 20:35:33 +0100 Jonas Smedegaard d...@jones.dk wrote:
>
>> You most likely use PAM with shadow passwords.
>
> It seems that you are absolutely right :-) Perhaps it can be enough to add the radicale's user into the shadow group, and now I am not sure if I was trying this.
>
> But, as I wrote earlier, I have gone away from radicale (not related only to the PAM problem).

I did notice that you said you no longer use Radicale.

For others reading this: Please do *not* simply add Radicale to shadow group on a production system, as that will weaken your system too much!

 - Jonas

--
 * Jonas Smedegaard - idealist Internet-arkitekt
 * Tlf.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#675924: radicale: Error on PAM authentication
Hi,

On Tue, 08 Jan 2013 22:05:12 +0100 Guillaume Ayoub guillaume.ay...@kozea.fr wrote:

> It can be a solution, not really clean but much easier.

It seems a bad solution, because this was working only when radicale was run under root. Running the radicale server under another user results in failure to log in :-(

I was playing with the pam module outside of radicale, and it seems that this module works under root and under the user which is trying to log in. But the login fails under other users and this is bad. But perhaps I was doing something wrong...

I am sorry, I will not use radicale any more.

regards

--
Slavko
http://slavino.sk
Bug#675924: radicale: Error on PAM authentication
Quoting Slavko (2013-01-09 18:25:22)
> On Tue, 08 Jan 2013 22:05:12 +0100 Guillaume Ayoub guillaume.ay...@kozea.fr wrote:
>
>> It can be a solution, not really clean but much easier.
>
> It seems a bad solution, because this was working only when radicale was run under root. Running the radicale server under another user results in failure to log in :-(
>
> I was playing with the pam module outside of radicale, and it seems that this module works under root and under the user which is trying to log in. But the login fails under other users and this is bad. But perhaps I was doing something wrong...
>
> I am sorry, I will not use radicale any more.

You most likely use PAM with shadow passwords. Then by design only root and users in shadow group can successfully authenticate.

Tools like login run as root - i.e. have the setuid bit set: more info with this command:

    info coreutils 'Mode Structure'

You can test if that is the case, by temporarily lowering the fence and disabling shadow passwords with this command:

    shadowconfig off

Don't do that in production, however - there is a good reason shadow config is activated!

For a daemon to sanely use PAM against shadow passwords, something needs to run as trusted. Ideally not the whole daemon, but only a tiny isolated tool which can be more easily security audited.

One (relatively complex) way to get around the limitations of this is to use LDAP. Another less common one is to use poppassd and lock it down to only serve on localhost.

 - Jonas

--
 * Jonas Smedegaard - idealist Internet-arkitekt
 * Tlf.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
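
The access rule described in the message above, as an added Python sketch that is not part of the thread or of Radicale. The function names, uid 120 for the daemon and the root:shadow 0640 sample layout (shadow gid 42) are constructed; the "self-only" branch reflects general pam_unix behaviour (its unix_chkpwd helper only verifies the invoking user's own password), which the thread itself does not state.

```python
import os
import pwd
import stat

SHADOW = "/etc/shadow"

def can_read(mode, owner_uid, owner_gid, euid, gids):
    """Classic Unix read check; ACLs and capabilities are ignored."""
    if euid == 0:
        return True
    if euid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def shadow_auth_outlook(daemon_user, login_user, euid, gids, shadow):
    """Predict how far a PAM check against shadow passwords can get.

    shadow is (mode, owner_uid, owner_gid) of the shadow file.
    """
    mode, owner_uid, owner_gid = shadow
    if can_read(mode, owner_uid, owner_gid, euid, gids):
        return "direct-read"       # root or shadow group: every hash is readable
    if daemon_user == login_user:
        return "helper-self-only"  # helper verifies only the caller's own password
    return "denied"

def outlook_for_this_process(login_user):
    """Same prediction for the running process, read from the live system."""
    st = os.stat(SHADOW)
    euid = os.geteuid()
    gids = set(os.getgroups()) | {os.getegid()}
    me = pwd.getpwuid(euid).pw_name
    return shadow_auth_outlook(me, login_user, euid, gids,
                               (st.st_mode, st.st_uid, st.st_gid))

# Constructed sample: shadow file owned by root:shadow (gid 42), mode 0640.
SAMPLE_SHADOW = (0o100640, 0, 42)

if __name__ == "__main__":
    for who, uid, gids in [("root", 0, {0}), ("radicale", 120, {120}),
                           ("radicale", 120, {120, 42}), ("alice", 1000, {1000})]:
        print(who, sorted(gids),
              shadow_auth_outlook(who, "alice", uid, gids, SAMPLE_SHADOW))
```

A "direct-read" result for a network-facing daemon account is the situation the production warning in this thread is about: the whole daemon, not a small audited helper, can then read every password hash.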
Bug#675924: radicale: Error on PAM authentication
On Tuesday 25 December 2012 at 21:19 +0100, Slavko wrote:
> Hi Guillaume,
>
> you are right about the improper pam module. But it is only part of the problem (see below).
>
> First, the solution for the missing pam module is pretty simple - place the downloaded pam.py (link in previous post - I tried the 1.3 version) into the /usr/share/pyshared/radicale/acl/ directory and create symlink(s) in the appropriate /usr/lib/python2.X/dist-packages/radicale/acl/ directory. IMHO, this can be simply done by patching (add file by patch) the package.

It can be a solution, not really clean but much easier.

> The second problem is that there is bad syntax in the line (PAM.py):
>
>     members = grp.getgrnam(GROUP_MEMBERSHIP)
>
> and the members variable does not have the members list, with the result that the user is not in the configured group. The solution is simple - add the missing index:
>
>     members = grp.getgrnam(GROUP_MEMBERSHIP)[3]
>
> After these two modifications I get radicale to work via PAM in the testing environment (virtualbox, Debian testing)

You're right! Actually, it's even been fixed in 0.7.1.

https://github.com/Kozea/Radicale/commit/a45b7b7c232d2eda8e9884402a5bf23bc56d76fc

Regards,

--
Guillaume
Bug#675924: radicale: Error on PAM authentication
Hi Guillaume,

you are right about the improper pam module. But it is only part of the problem (see below).

First, the solution for the missing pam module is pretty simple - place the downloaded pam.py (link in previous post - I tried the 1.3 version) into the /usr/share/pyshared/radicale/acl/ directory and create symlink(s) in the appropriate /usr/lib/python2.X/dist-packages/radicale/acl/ directory. IMHO, this can be simply done by patching (add file by patch) the package.

The second problem is that there is bad syntax in the line (PAM.py):

    members = grp.getgrnam(GROUP_MEMBERSHIP)

and the members variable does not have the members list, with the result that the user is not in the configured group. The solution is simple - add the missing index:

    members = grp.getgrnam(GROUP_MEMBERSHIP)[3]

After these two modifications I get radicale to work via PAM in the testing environment (virtualbox, Debian testing)

regards

--
Slavko
http://slavino.sk
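
The group-membership bug from the message above, as an added Python example that is not Radicale's PAM.py. It assumes the result of grp.getgrnam() was used in a plain `user in members` test; the function names and the sample group and passwd records are constructed. It goes one step beyond the thread by also covering users whose primary group is the required one, since gr_mem normally lists only supplementary members.

```python
import grp
import pwd

def is_member_unindexed(user, group_entry):
    """Assumed shape of the check before the fix.

    The record is (gr_name, gr_passwd, gr_gid, gr_mem); the member list is a
    single nested element, so a login name is never compared against it.
    """
    members = group_entry
    return user in members

def is_member(user, group_entry, passwd_entry):
    """Check with the index added (gr_mem is element 3 of the record)."""
    if user in group_entry.gr_mem:
        return True
    # A user whose *primary* group this is does not appear in gr_mem.
    return passwd_entry.pw_gid == group_entry.gr_gid

def live_is_member(user, group):
    """Same check against the system databases; unknown names fail closed."""
    try:
        return is_member(user, grp.getgrnam(group), pwd.getpwnam(user))
    except KeyError:
        return False

# Constructed sample records, not read from the system.
CALDAV = grp.struct_group(("caldav", "x", 1500, ["alice"]))
ALICE = pwd.struct_passwd(("alice", "x", 1000, 1000, "", "/home/alice", "/bin/sh"))
BOB = pwd.struct_passwd(("bob", "x", 1001, 1500, "", "/home/bob", "/bin/sh"))
CAROL = pwd.struct_passwd(("carol", "x", 1002, 1002, "", "/home/carol", "/bin/sh"))

if __name__ == "__main__":
    print("unindexed, alice:", is_member_unindexed("alice", CALDAV))
    for entry in (ALICE, BOB, CAROL):
        print("indexed,", entry.pw_name + ":",
              is_member(entry.pw_name, CALDAV, entry))
```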
Bug#675924: radicale: Error on PAM authentication
The PAM authentication module is available in Radicale since version 0.7. PAM with older versions won't work.

For 0.7+, the module handling PAM authentication in Radicale is called PAM.py, and can be used with [acl]type=PAM in the config file (uppercase everywhere, no problem in the config file). This PAM.py module relies on an external package called pam (lowercase), and this package is:

- *not* this one: http://packages.debian.org/sid/libpam-python
- *not* this one: http://packages.debian.org/sid/python-pam
- this one: http://atlee.ca/software/pam/ (AFAIK not packaged in Debian, but available on PyPI: http://pypi.python.org/pypi/pam/0.1.4 ).

I think that it's a problem in the Debian package, as it suggests installing the wrong python-pam package.

On Friday 03 August 2012 at 23:10 +, Joseph Nahmias wrote:
> Package: radicale
> Version: 0.7-1
> Followup-For: Bug #675924
>
> This bug seems to occur because radicale is trying to do 'import pam', when it should be doing 'import PAM'; module names are case-sensitive in python!
>
> On further investigation, it looks like it might be an issue in the config parser, because my /etc/radicale/config has:
>
> $ grep -A 4 acl /etc/radicale/config
> [acl]
> # Access method
> # Value: None | htpasswd | LDAP | PAM | courier
> #type = None
> type = PAM
>
> -- System Information:
> Debian Release: wheezy/sid
>   APT prefers testing
>   APT policy: (990, 'testing')
> Architecture: i386 (x86_64)
>
> Kernel: Linux 2.6.32-xenU-3831-x86_64 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages radicale depends on:
> ii  adduser          3.113+nmu3
> ii  python           2.7.3~rc2-1
> ii  python-radicale  0.7-1
>
> radicale recommends no packages.
>
> Versions of packages radicale suggests:
> pn  apache2-utils       <none>
> pn  courier-authdaemon  <none>
> pn  python-ldap         <none>
> ii  python-pam          0.4.2-13
>
> -- Configuration Files:
> /etc/default/radicale changed [not included]
> /etc/logrotate.d/radicale changed [not included]
> /etc/radicale/config changed [not included]
>
> -- no debconf information
Bug#675924: radicale: Error on PAM authentication
Package: radicale
Version: 0.7-1
Followup-For: Bug #675924

This bug seems to occur because radicale is trying to do 'import pam', when it should be doing 'import PAM'; module names are case-sensitive in python!

On further investigation, it looks like it might be an issue in the config parser, because my /etc/radicale/config has:

$ grep -A 4 acl /etc/radicale/config
[acl]
# Access method
# Value: None | htpasswd | LDAP | PAM | courier
#type = None
type = PAM

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.32-xenU-3831-x86_64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages radicale depends on:
ii  adduser          3.113+nmu3
ii  python           2.7.3~rc2-1
ii  python-radicale  0.7-1

radicale recommends no packages.

Versions of packages radicale suggests:
pn  apache2-utils       <none>
pn  courier-authdaemon  <none>
pn  python-ldap         <none>
ii  python-pam          0.4.2-13

-- Configuration Files:
/etc/default/radicale changed [not included]
/etc/logrotate.d/radicale changed [not included]
/etc/radicale/config changed [not included]

-- no debconf information
Bug#675924: radicale: Error on PAM authentication
Package: radicale
Version: 0.3-2
Severity: normal

When I start radicale configured with PAM authentication it exits with the following error:

Traceback (most recent call last):
  File "/usr/bin/radicale", line 97, in <module>
    (options.host, options.port), radicale.CalendarHTTPHandler)
  File "/usr/lib/pymodules/python2.6/radicale/__init__.py", line 97, in __init__
    HTTPServer.__init__(self, address, handler)
  File "/usr/lib/pymodules/python2.6/radicale/__init__.py", line 84, in __init__
    self.acl = acl.load()
  File "/usr/lib/pymodules/python2.6/radicale/acl/__init__.py", line 36, in load
    return getattr(module, config.get("acl", "type"))
AttributeError: 'module' object has no attribute 'PAM'

-- System Information:
Debian Release: 6.0.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32.27xls-domU (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages radicale depends on:
ii  python           2.6.6-3+squeeze7  interactive high-level object-orie
ii  python-radicale  0.3-2             simple calendar server - module

radicale recommends no packages.

radicale suggests no packages.

-- no debconf information
Bug#675924: radicale: Error on PAM authentication
On 12-06-04 at 10:06am, Paul Bongers wrote:
> When I start radicale configured with PAM authentication it exits with the following error:
>
> Traceback (most recent call last):
>   File "/usr/bin/radicale", line 97, in <module>
>     (options.host, options.port), radicale.CalendarHTTPHandler)
>   File "/usr/lib/pymodules/python2.6/radicale/__init__.py", line 97, in __init__
>     HTTPServer.__init__(self, address, handler)
>   File "/usr/lib/pymodules/python2.6/radicale/__init__.py", line 84, in __init__
>     self.acl = acl.load()
>   File "/usr/lib/pymodules/python2.6/radicale/acl/__init__.py", line 36, in load
>     return getattr(module, config.get("acl", "type"))
> AttributeError: 'module' object has no attribute 'PAM'

Hmm. Perhaps I simply missed to recommend the Debian package python-pam.

Could you please check if you have that package installed, and if not see if it changes anything to install it?

Regards,

 - Jonas

--
 * Jonas Smedegaard - idealist Internet-arkitekt
 * Tlf.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#675924: radicale: Error on PAM authentication
On Mon, Jun 04, 2012 at 12:03:25PM +0200, Jonas Smedegaard wrote:
> On 12-06-04 at 10:06am, Paul Bongers wrote:
>> When I start radicale configured with PAM authentication it exits with the following error:
>>
>> Traceback (most recent call last):
>>   File "/usr/bin/radicale", line 97, in <module>
>>     (options.host, options.port), radicale.CalendarHTTPHandler)
>>   File "/usr/lib/pymodules/python2.6/radicale/__init__.py", line 97, in __init__
>>     HTTPServer.__init__(self, address, handler)
>>   File "/usr/lib/pymodules/python2.6/radicale/__init__.py", line 84, in __init__
>>     self.acl = acl.load()
>>   File "/usr/lib/pymodules/python2.6/radicale/acl/__init__.py", line 36, in load
>>     return getattr(module, config.get("acl", "type"))
>> AttributeError: 'module' object has no attribute 'PAM'
>
> Hmm. Perhaps I simply missed to recommend the Debian package python-pam.

The package python-pam is indeed not recommended.

> Could you please check if you have that package installed, and if not see if it changes anything to install it?

I had the package installed already. I tried reinstalling with no luck.

Regards,

Paul