Cannot login using PAM authentication anymore

421 views
Skip to first unread message

David Harkness

unread,
Sep 6, 2011, 2:41:33 PM9/6/11
to Jenkins Users
We've been using PAM on Ubuntu for many months without trouble until a few days ago. It seems like it must be related to some system changes we made since it started happening a couple days after, but I'm pretty sure (75%?) that we were able to log in after making these changes. Here's what we did:

1. Created a new "test" unix group.
2. Assign the jenkins user to that group along with some users who are manage jenkins.
3. Changed jenkins's umask to 022 so it would create files that are writable by test group users.
4. "chmod -R g+w" and "chgrp -R test" on /var/lib/jenkins.

I did this so that I could easily update the config files in the jenkins folder. Is there any way any of the above could have caused PAM to stop working?

Thanks,
David

P.S. Here's the exception, though I don't see anything important:

INFO: Login attempt failed
org.acegisecurity.BadCredentialsException: pam_authenticate failed : Authentication failure; 
nested exception is org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
        at hudson.security.PAMSecurityRealm.authenticate(PAMSecurityRealm.java:87)
        at hudson.security.AbstractPasswordBasedSecurityRealm$Authenticator.retrieveUser(AbstractPasswordBasedSecurityRealm.java:137)
        at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:119)
        at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:195)
        at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45)
        at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:71)
        at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
        at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
        at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
        at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
        at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
        at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
        at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
        at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
        at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
        at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:244)
        at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
        at java.lang.Thread.run(Thread.java:662)
Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
        at org.jvnet.libpam.PAM.check(PAM.java:106)
        at org.jvnet.libpam.PAM.authenticate(PAM.java:124)
        at hudson.security.PAMSecurityRealm.authenticate(PAMSecurityRealm.java:82)
        ... 23 more

David Harkness

unread,
Sep 6, 2011, 8:33:51 PM9/6/11
to Jenkins Users
On Tue, Sep 6, 2011 at 11:41 AM, David Harkness <dav...@highgearmedia.com> wrote:
We've been using PAM on Ubuntu for many months without trouble until a few days ago . . .

It looks like we were bit by the change that requires jenkins has access to /etc/shadow. I added it to the shadow group and all seems well again.

David

Reply all
Reply to author
Forward
0 new messages