On Ubuntu 12.04, if pam_conv is enabled, users are unable to log into webmin - it rejects them with "Login failed. Please try again."
Upon looking at the logs it shows that webmin is attempting to first log in to PAM with no password (immediately when the user submits the username) and then, when they submit the password, it attempts to log in with just the password and no username.
perl[31641]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=suolirav
webmin[31648]: Non-existent login as unknown from 109.175.243.163
Oli
Could you post or attach your full PAM log file (/var/log/secure or /var/log/authlog)?
Here is the log file showing all the events after webmin restart, when pam_conv was enabled via the webmin config page
##############################################################################################
May 5 16:10:25 olirav perl: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
May 5 16:10:27 olirav webmin[26329]: Webmin starting
May 5 16:10:32 olirav webmin[26416]: Logout by WEBMINUSER from 109.175.243.163
May 5 16:10:37 olirav perl[26422]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=WEBMINUSER
May 5 16:10:40 olirav webmin[26423]: Non-existent login as unknown from 109.175.243.163
##############################################################################################
Weirdly, the first time I tried this a different result occurred (I am guessing the correct one) and I managed to log in.
The sequence that triggered this was:
Enable pam_conv via webmin options
After restart logout
Immediately try logging in (Starting from session_login.cgi?logout=1)
#########################################################################################
May 5 15:49:20 olirav perl[25925]: pam_unix(webmin:session): session opened for user WEBMINUSER by (uid=0)
May 5 15:49:20 olirav perl[25925]: pam_ck_connector(webmin:session): cannot determine display-device
May 5 15:49:20 olirav webmin[25926]: Successful login as WEBMINUSER from 109.175.243.163
#########################################################################################
However even by repeating this exact sequence I have not been able to replicate this again.
Ok .. and I assume by having pam_conv enabled, you mean that in /etc/webmin/miniserv.conf you have the line pam_conv=1 ?
Yep, I have pam_conv=1 (when testing) and the webmin user is set up to use unix auth as the password. The log extract below shows that webmin is using PAM when pam_conv is disabled
May 9 14:34:18 olirav perl[6490]: pam_unix(webmin:session): session opened for user WEBMIN_USER by (uid=0)
May 9 14:34:18 olirav webmin[6490]: Successful login as suwebolirav from 127.0.0.1
I'm having trouble reproducing this problem. Have you made any changes to the default PAM configuration?
I have made alterations in the past so it is possible, however looking at the moment I don't believe I have made any changes that could affect this.
Basically I have been attempting to activate 2 factor auth on webmin, but I had difficulty, with it rejecting my password - so I tried without the 2 factor enabled and still had the same issues. My webmin PAM file looks like it has always looked:
#%PAM-1.0
@include common-auth
@include common-account
@include common-password
@include common-session
One thing I have thought of that could be an issue in replicating this is that it is not a clean install of 13.04 (I updated last weekend - made no difference) and that as such the PAM files will mostly have been kept from old versions (either v10 or v11, I am unsure), so I am planning to get a recent copy of Ubuntu to see if these files have been dragged through from the past. I will get back over the weekend once I have set up a VM to test this in.
Ok, I would be interested to know if a fresh install has this same problem.
Right basically I have installed a copy of ubuntu server 13.04 into a virtual machine, and installed webmin 1.620 via apt repo.
First I compared the relevant pam files. The only differences were; on my server I didn't have any
session optional pam_ecryptfs.so unwrap - Think this should be irrelevant as I don't use encrypted user home dirs
session optional pam_ck_connector.so nox11 - Looked interesting
#################################################
Anyway now I had a go at replicating the issue, and managed to - these are the exact steps I used.
Connect to the webmin server & login using a sudoer
Create new webmin user with same name as unix user (I was currently logged in as olirav - created with ubuntu install (sudoer))
password=unix auth
granting all permissions for webmin modules
Untick "Users who can run all commands via sudo to login as root"
Enable "Support full PAM conversations"
Save - server restarts
Logout
Login as unix user & pass = Login successful
Now logout again, go to the root url and try logging in and you should be unable to
If webmin is restarted it seems possible to complete one successful login; after that it will reject you at either the username or password stage
########################################################
## Webmin Config diff results (From clean install dir)
diff /etc/webmin/config /etc/webminclean/config
20,22d19
< webprefix=
< noremember=
< realname=
diff /etc/webmin/miniserv.conf /etc/webminclean/miniserv.conf
35,45c35
< sudo=
< pamany=
< unixauth=
< pam_end=
< pam_conv=1
< blockuser_time=
< blocklock=
< blockuser_failures=
< no_pam=0
< logouttime=
< utmp=
---
> sudo=1
diff /etc/webmin/miniserv.users /etc/webminclean/miniserv.users
2d1
< olirav:x:0::::::::
diff /etc/webmin/webmin.acl /etc/webminclean/webmin.acl
2d1
< olirav: {List of modules}
What if you just enable "Support full PAM conversations" without creating the additional user?
Sorry have been a little busy for the last month or so.
Anyway I have tried on the virtual machine and I seem to encounter the same issue without altering any of the user settings -> only changing the pam_conv setting from a fresh install (1.630)
Oli
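
The log pattern reported in this thread (a pam_unix authentication failure for the webmin service, followed a few seconds later by "Non-existent login as unknown") can be picked out of an auth log with a short script. This is an added example, not part of the original posts or of Webmin; the sample lines, host name, user names, the 192.0.2.10 address, the 30-second window and the function name are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format quoted in the thread
# (host, user names and the 192.0.2.10 address are placeholders).
SAMPLE_LOG = """\
May  5 16:10:27 host1 webmin[26329]: Webmin starting
May  5 16:10:37 host1 perl[26422]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=alice
May  5 16:10:40 host1 webmin[26423]: Non-existent login as unknown from 192.0.2.10
May  5 16:20:01 host1 perl[27001]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=bob
May  5 16:25:00 host1 perl[27050]: pam_unix(webmin:session): session opened for user alice by (uid=0)
May  5 16:25:00 host1 webmin[27051]: Successful login as alice from 192.0.2.10
"""

# timestamp, host, program name with optional [pid], message
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w.-]+)(?:\[\d+\])?: (.*)$")
PAM_FAIL = re.compile(r"pam_unix\(webmin:auth\): authentication failure;.*\buser=(\S+)")
UNKNOWN = re.compile(r"Non-existent login as unknown from (\S+)")

def find_split_logins(text, window_seconds=30, year=2013):
    """Pair each webmin 'login as unknown' with the PAM failure just before it."""
    window = timedelta(seconds=window_seconds)
    pending = []  # (timestamp, user) PAM failures not yet matched
    hits = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, prog, msg = m.groups()
        # syslog timestamps carry no year; the caller supplies one (assumption)
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        # forget PAM failures that are older than the correlation window
        pending = [(t, u) for t, u in pending if ts - t <= window]
        fail = PAM_FAIL.search(msg) if prog == "perl" else None
        unknown = UNKNOWN.search(msg) if prog == "webmin" else None
        if fail:
            pending.append((ts, fail.group(1)))
        elif unknown and pending:
            t, user = pending.pop()
            hits.append({"user": user, "source": unknown.group(1),
                         "gap_seconds": int((ts - t).total_seconds())})
    return hits

if __name__ == "__main__":
    for hit in find_split_logins(SAMPLE_LOG):
        print(hit)
```

A failure with no "unknown" line inside the window (the constructed `bob` entry) is left unpaired, so ordinary mistyped passwords are not reported as this symptom.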