How to debug the PAM stack

I have a client that has made many changes in the PAM files, and now the things they want configured do not work.

How can one debug the PAM stack and see how it behaves while we try to log in from different sources, such as ssh, su, sudo, login, etc.?

Google has not been very useful so far. I hope there is a way to do it.

Environment:
    pgiststinf06:~ # lsb_release -a
    LSB Version: n/a
    Distributor ID: SUSE
    Description: SUSE Linux Enterprise Server for SAP Applications 12 SP2
    Release: 12.2
    Codename: n/a

    pgiststinf06:~ # arch
    ppc64le

Thanks,

Hi bfay,

have you seen https://serverfault.com/questions/249671/switch-on-pam-debugging-to-syslog ? Once you’ve configured syslog to also show debug-level messages, creating /etc/pam_debug (i.e. via “touch /etc/pam_debug”) will turn on debug for all pam modules at once. Of course, there’s a debug option for most (if not all) modules all by itself, so you could try to debug only those modules suspicious of adding to the problems you’re after…

I’ve not tested /etc/pam_debug myself, though, so YMMV.

Regards,
J

Thanks jmozdzen,

I saw this possible solution but it does not work. It seems to be an old solution which has been deprecated. The log was not talkative at all.

My actual problem is pam_tally2 not resetting the failure counter after a successful login. On a plain installation of SLES12 it is working but not on systems modified by my client. The man page of pam_tally2 does not mention a debug option but I am going to give it a try in case it is an undocumented feature.

I’ll keep searching.

Thanks

Hi bfay,

bfay wrote:
> My actual problem is pam_tally2 not resetting the failure counter after a successful login. On a plain installation of SLES12 it is working but not on systems modified by my client. The man page of pam_tally2 does not mention a debug option but I am going to give it a try in case it is an undocumented feature.

I just checked a SLES12SP2 server, using pam 1.1.8, compared to a newer version of pam (1.3.0) on a Leap installation: it seems that version 1.1.8 does indeed not have the debug option.

Based on your description, you might want to focus on the configuration for the “account” phase. The following two quotes are from the pam_tally2 man page:

Regards,
J

Hi jmozdzen,

One thing I know for sure, is that we need:
    account required pam_tally2.so

Without this, the failure counter is not reset. In a plain SLES12 SP2 it works fine. But not in the modified PAM configuration on my client’s systems.

I cannot believe there is no way to debug the PAM stack!!!

Thanks for your suggestions.
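Since the question is how to see what the stack actually does for a given service, here is an added example (not from the thread, nor SUSE's own tooling) that flattens a PAM service file by following `include`/`substack` directives, so the effective `account` stack can be checked for the pam_tally2 line in one place. It assumes the SLES layout where /etc/pam.d/<service> includes common-auth, common-account and so on; the sample tree it builds is constructed to mirror the symptom described above.

```shell
#!/bin/sh
# Added example, not from the thread: flatten a PAM service file by following
# "include"/"substack" directives so the effective stack for one management
# group (auth, account, password, session) is visible in one place. Assumes
# the SLES layout where /etc/pam.d/<service> includes common-auth etc.

# pam_flatten DIR SERVICE TYPE -> prints "origin: type control module args"
pam_flatten() {
    dir=$1 svc=$2 type=$3 depth=${4:-0}
    [ "$depth" -gt 10 ] && { echo "# include loop at $svc" >&2; return 1; }
    [ -f "$dir/$svc" ] || { echo "# missing $dir/$svc" >&2; return 1; }
    sed 's/#.*//' "$dir/$svc" | awk -v t="$type" '
        $1 == t {
            i = 2; ctrl = $2     # a bracketed control field may span several words
            while (ctrl ~ /^\[/ && ctrl !~ /\]$/ && i < NF) { i++; ctrl = ctrl " " $i }
            mod = $(i + 1); args = ""
            for (j = i + 2; j <= NF; j++) args = (args == "" ? $j : args " " $j)
            print ctrl "|" mod "|" args
        }' |
    while IFS='|' read -r ctrl mod args; do
        case "$ctrl" in
            include|substack)   # recurse in a subshell so our variables survive
                ( pam_flatten "$dir" "$mod" "$type" $((depth + 1)) ) ;;
            *) echo "$svc: $type $ctrl $mod $args" ;;
        esac
    done
}

# has_tally2_account DIR SERVICE -> 0 only if the account phase runs pam_tally2
has_tally2_account() {
    pam_flatten "$1" "$2" account | grep -q 'pam_tally2\.so'
}

# Constructed sample tree mirroring the thread's symptom: pam_tally2 counts in
# the auth phase, but the edited common-account lacks the line that resets it.
make_sample_pamd() {
    d=$(mktemp -d)
    printf '%s\n' 'auth    requisite pam_nologin.so' 'auth    include   common-auth' \
        'account requisite pam_nologin.so' 'account include   common-account' > "$d/sshd"
    printf '%s\n' 'auth required pam_tally2.so deny=5 onerr=fail' \
        'auth required pam_unix.so try_first_pass' > "$d/common-auth"
    printf '%s\n' 'account required pam_unix.so try_first_pass' \
        '# account required pam_tally2.so   (removed in the modified config)' > "$d/common-account"
    echo "$d"
}
```

Run `pam_flatten /etc/pam.d sshd account` on the real tree to see which file the account phase actually reaches; if `has_tally2_account /etc/pam.d sshd` fails, the reset line was lost somewhere in the include chain.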

Hi bfay,

have you considered opening a service request? SUSE support might spot the problem directly, and/or engineering might be able to provide some means to debug the PAM function calls.

Regards,
J

Hi jmozdzen,

I’ll do that even though my experience with SUSE support regarding PAM has not been too impressive so far. I have nothing to lose after all.

Thanks for your help,