bconsole - pam - unable to authenticate console


Martin Krämer

Oct 24, 2019, 9:18:11 AM
to bareos...@googlegroups.com
Hello All,

I try to authenticate users to bconsole using pam.
I used the following two guidelines (with small adjustments due to reasons I explain below):

Unfortunately I always end up with an error of:
bconsole (100): lib/bnet.cc:643-0 Error while receiving response message: bconsole (100): include/jcr.h:324-0 Destruct JobControlRecord
on the bconsole side and:
bareos-dir: ERROR in dird/authenticate_console.cc:339 Unable to authenticate console "pamadduser" at client:127.0.0.1:9101.
on the bareos-dir messages side.

The following is my configuration and what I have done - this is a test machine so I do not care about PWs here :) :

root@bareos-000001:~# bconsole -?
bareos.org binaries are UNSUPPORTED by bareos.com.
Get official binaries and vendor support on https://www.bareos.com
Copyright (C) 2013-2019 Bareos GmbH & Co. KG
Copyright (C) 2000-2012 Free Software Foundation Europe e.V.
Copyright (C) 2010-2017 Planets Communications B.V.

Version: 18.2.5 (30 January 2019) Linux-4.4.92-6.18-default debian Debian GNU/Linux 9.7 (stretch)

Usage: bconsole [-s] [-c config_file] [-d debug_level]
        -D <dir>    select a Director
        -l          list Directors defined
        -c <path>   specify configuration file or directory
        -p <path>   specify pam credentials file
        -o          send pam credentials over unencrypted connection
        -d <nn>     set debug level to <nn>
        -dt         print timestamp in debug output
        -s          no signals
        -u <nn>     set command execution timeout to <nn> seconds
        -t          test - read configuration and exit
        -xc         print configuration and exit
        -xs         print configuration file schema in JSON format and exit
        -?          print this message.

root@bareos-000001:~# cat /etc/pam.d/bareos
# version: 2019.10.24
# author: Martin Kraemer, mk.m...@gmail.com
# description: The PAM configuration file for the bareos backup service

# Standard Un*x authentication.
@include common-auth

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

#auth required pam_succeed_if.so user ingroup mygroup
#account required pam_access.so accessfile=/etc/security/bareos-operator.conf
#account required pam_access.so accessfile=/etc/security/bareos-user.conf
#auth     [default=ignore]    pam_exec.so quiet /usr/local/bin/pam_exec_add_bareos_user.py --name pamadduser --password secret --profile pamadduser
root@bareos-000001:~# su - bareos -s /bin/bash -c "pamtester bareos tstusr authenticate"
Password:
pamtester: successfully authenticated
root@bareos-000001:~# cat /etc/bareos/bareos-dir.d/console/pamadduser.conf
Console {
  Name = "pamadduser"
  Password = "secret"
  Profile = "pamadduser"
  UsePamAuthentication = yes
  TlsEnable = false
}
root@bareos-000001:~# cat /etc/bareos/bareos-dir.d/profile/pamadduser.conf
Profile {
   Name = "pamadduser"
   JobACL = "*all*"
   ClientACL = "*all*"
   StorageACL = "*all*"
   ScheduleACL = "*all*"
   PoolACL = "*all*"
   CommandACL = "!.bvfs_clear_cache","!.exit","!.sql","!configure","!create","!delete","!purge","!prune","!sqlquery","!umount","!unmount","*all*"
   FileSetACL = "*all*"
   CatalogACL = "*all*"
   WhereACL = "*all*"
}
root@bareos-000001:~# cat /etc/bareos/bconsole-pamadduser.conf
#
# Bareos User Agent (or Console) Configuration File
#

Director {
  Name = bareos-dir
  address = localhost
  Password = "Kw4Nhr4TBus6GN1cwQ2PvFeCOKIgLoWWniN4aAZSjduc"
  Description = "Bareos Console credentials for local Director"
}
Console {
  Name = "pamadduser"
  Password = "secret"
}
root@bareos-000001:~# bconsole <<< reload
Connecting to Director localhost:9101
 Encryption: ECDHE-PSK-CHACHA20-POLY1305
1000 OK: bareos-dir Version: 18.2.5 (30 January 2019)
bareos.org build binary
bareos.org binaries are UNSUPPORTED by bareos.com.
Get official binaries and vendor support on https://www.bareos.com
You are connected using the default console

Enter a period to cancel a command.
reload
reloaded
root@bareos-000001:~# su - tstusr -s /bin/bash -c "bconsole -d 250 -c /etc/bareos/bconsole-pamadduser.conf"
Creating directory '/home/example.corp/tstusr'.
bconsole (100): lib/parse_conf.cc:191-0 config file = /etc/bareos/bconsole-pamadduser.conf
bconsole (100): lib/lex.cc:335-0 glob /etc/bareos/bconsole-pamadduser.conf: 1 files
bconsole (100): lib/lex.cc:229-0 open config file: /etc/bareos/bconsole-pamadduser.conf
bconsole (100): lib/lex.cc:335-0 glob /etc/bareos/bconsole-pamadduser.conf: 1 files
bconsole (100): lib/lex.cc:229-0 open config file: /etc/bareos/bconsole-pamadduser.conf
Connecting to Director localhost:9101
bconsole (100): lib/bsock.cc:81-0 Construct BareosSocket
bconsole (100): lib/bsock_tcp.cc:235-0 Current host[ipv6;::1;9101]  All host[ipv6;::1;9101] host[ipv4;127.0.0.1;65535]
bconsole (100): lib/bsock_tcp.cc:235-0 Current host[ipv4;127.0.0.1;9101]  All host[ipv6;::1;9101] host[ipv4;127.0.0.1;9101]
bconsole (100): lib/bsock_tcp.cc:158-0 who=Director daemon host=localhost port=9101
bconsole (100): lib/tls_openssl_private.cc:57-0 Construct TlsOpenSslPrivate
bconsole (100): lib/tls_openssl_private.cc:536-0 Set tcp filedescriptor: <3>
bconsole (100): lib/tls_openssl_private.cc:482-0 Set ca_certfile: <>
bconsole (100): lib/tls_openssl_private.cc:488-0 Set ca_certdir: <>
bconsole (100): lib/tls_openssl_private.cc:494-0 Set crlfile_: <>
bconsole (100): lib/tls_openssl_private.cc:500-0 Set certfile_: <>
bconsole (100): lib/tls_openssl_private.cc:506-0 Set keyfile_: <>
bconsole (100): lib/tls_openssl_private.cc:518-0 Set pem_userdata to address: <0>
bconsole (100): lib/tls_openssl_private.cc:524-0 Set dhfile_: <>
bconsole (100): lib/tls_openssl_private.cc:542-0 Set cipherlist: <>
bconsole (100): lib/tls_openssl_private.cc:530-0 Set Verify Peer: <false>
bconsole (50): lib/tls_openssl.cc:85-0 Preparing TLS_PSK CLIENT context for identity R_CONSOLE pamadduser
bconsole (100): lib/tls_openssl_private.cc:467-0 psk_client_cb. identity: R_CONSOLE pamadduser.
bconsole (50): lib/bnet.cc:201-0 TLS client negotiation established.
bconsole (100): lib/cram_md5.cc:116-0 cram-get received: auth cram-md5 <1233551633.1571922197@bareos-dir> ssl=0
bconsole (99): lib/cram_md5.cc:135-0 sending resp to challenge: h+/Fq7/+qU+uh+/8N48jxD
bconsole (50): lib/cram_md5.cc:69-0 send: auth cram-md5 <646896189.1571922197@bconsole> ssl=1
bconsole (50): lib/cram_md5.cc:88-0 Authenticate OK 69/oVGgSX/d+1l/02V/94C
bconsole (6): lib/bsock.cc:347-0 >dird: 1000 OK auth
 Encryption: ECDHE-PSK-CHACHA20-POLY1305
login:tstusr
Password:
bconsole (100): lib/bnet.cc:643-0 Error while receiving response message: bconsole (100): include/jcr.h:324-0 Destruct JobControlRecord
root@bareos-000001:~# journalctl -a -u bareos*
-- Logs begin at Thu 2019-10-24 12:59:25 UTC, end at Thu 2019-10-24 13:03:25 UTC. --
Oct 24 12:59:26 bareos-000001.example.corp systemd[1]: Starting Bareos Storage Daemon service...
Oct 24 12:59:26 bareos-000001.example.corp systemd[1]: bareos-storage.service: PID file /var/lib/bareos/bareos-sd.9103.pid not readable (yet?) after start: No such file or directory
Oct 24 12:59:26 bareos-000001.example.corp systemd[1]: Started Bareos Storage Daemon service.
Oct 24 12:59:44 bareos-000001.example.corp systemd[1]: Starting Bareos Director Daemon service...
Oct 24 12:59:44 bareos-000001.example.corp systemd[1]: bareos-director.service: PID file /var/lib/bareos/bareos-dir.9101.pid not readable (yet?) after start: No such file or directory
Oct 24 12:59:44 bareos-000001.example.corp systemd[1]: Started Bareos Director Daemon service.
Oct 24 13:03:25 bareos-000001.example.corp bareos-dir[2947]: pam_krb5(bareos:auth): user tstusr authenticated as tst...@EXAMPLE.CORP
root@bareos-000001:~# bconsole <<< messages
Connecting to Director localhost:9101
 Encryption: ECDHE-PSK-CHACHA20-POLY1305
1000 OK: bareos-dir Version: 18.2.5 (30 January 2019)
bareos.org build binary
bareos.org binaries are UNSUPPORTED by bareos.com.
Get official binaries and vendor support on https://www.bareos.com
You are connected using the default console

Enter a period to cancel a command.
messages
24-Oct 13:03 bareos-dir: ERROR in dird/authenticate_console.cc:339 Unable to authenticate console "pamadduser" at client:127.0.0.1:9101.
root@bareos-000001:~#


As described, I made a small adjustment to the guidelines, which was not creating a "PAM User" (https://docs.bareos.org/master/TasksAndConcepts/PAM.html#pam-user).
If I try to create a "/user/*.conf" file as described there (changing "Name = pamadduser") I see the following error during reload:
bareos-dir JobId 0: Error: "Password" directive in Console "pamadduser" resource is required, but not found.
If I now add 'Password = "secret"' to the configuration I get the error:
bareos-dir: ERROR in dird/dird_conf.cc:3851 Attempt to define second Console resource named "pamadduser" is not permitted.
Background on this is that I have already created a "/console/*.conf" file and using "bconsole <<< show all" I can see that "/user/*.conf" seem to be resolved into Console configurations.

Thanks for any input or ideas in advance.

Kind Regards

Martin

Martin Krämer

Oct 24, 2019, 11:38:48 AM
to bareos...@googlegroups.com
Never mind - I misunderstood the concept, which caused me to make some errors.

What I understand now, briefly explained - maybe it helps others, too.

With every PAM authentication using "pam_exec_add_bareos_user.py" there are three consoles (and with them /console/*.conf files) involved.
The first console connected is one I would call "pam-preauth" since it connects to your director and makes sure you can perform the PAM authentication.
The second console is opened within the PAM authentication itself by "pam_exec_add_bareos_user.py" - let's call it the "pam-adduser" console.
And the last one is the actual user console that is created dynamically by pam_exec.
In accordance with this, here are my !!working!! configuration files (note that the last one, "tstusr.conf", is created automatically during PAM logon):

root@bareos-000001:~# cat /etc/pam.d/bareos

# Standard Un*x authentication.
@include common-auth

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

#auth required pam_succeed_if.so user ingroup mygroup
#account required pam_access.so accessfile=/etc/security/bareos-operator.conf
#account required pam_access.so accessfile=/etc/security/bareos-user.conf
auth     [default=ignore]    pam_exec.so quiet /usr/local/bin/pam_exec_add_bareos_user.py --name pam-adduser --password eX2rBYCptQeAvz82EIRIrB6tWuQKVCdBd3V2ygXoqU6pcnpNV6Hr3Lpg3H4I --profile pamuser

root@bareos-000001:~# su - bareos -s /bin/bash -c "pamtester bareos tstusr authenticate"
Password:
pamtester: successfully authenticated
root@bareos-000001:~# cat /etc/bareos/bconsole-pam-preauth.conf

#
# Bareos User Agent (or Console) Configuration File
#

Director {
  Name = bareos-dir
  address = localhost
  Password = "DYy7QdkQb1ytj2p1On8X2su4+3VlgETgtP56ETqUOiOK"

  Description = "Bareos Console credentials for local Director"
}
Console {
  Name = "pam-preauth"
  Password = "FGHLdpjYIdIKva8XD4aLUmc1z4DR0tKgnXW"
}
root@bareos-000001:~# cat /etc/bareos/bareos-dir.d/console/pam-adduser.conf
Console {
  Name = "pam-adduser"
  Password = "eX2rBYCptQeAvz82EIRIrB6tWuQKVCdBd3V2ygXoqU6pcnpNV6Hr3Lpg3H4I"
  CommandACL = ".api", ".consoles", ".profiles", "configure"
  TlsEnable = false
}
root@bareos-000001:~# cat /etc/bareos/bareos-dir.d/console/pam-preauth.conf
Console {
  Name = "pam-preauth"
  Password = "FGHLdpjYIdIKva8XD4aLUmc1z4DR0tKgnXW"
  UsePamAuthentication = yes
}
root@bareos-000001:~# cat /etc/bareos/bareos-dir.d/profile/pamuser.conf
Profile {
   Name = "pamuser"
   CommandACL = status, .status
   JobACL = *all*
}
root@bareos-000001:~# su - tstusr -s /bin/bash -c "bconsole -d 250 -c /etc/bareos/bconsole-pam-preauth.conf"
bconsole (100): lib/parse_conf.cc:191-0 config file = /etc/bareos/bconsole-pam-preauth.conf
bconsole (100): lib/lex.cc:335-0 glob /etc/bareos/bconsole-pam-preauth.conf: 1 files
bconsole (100): lib/lex.cc:229-0 open config file: /etc/bareos/bconsole-pam-preauth.conf
bconsole (100): lib/lex.cc:335-0 glob /etc/bareos/bconsole-pam-preauth.conf: 1 files
bconsole (100): lib/lex.cc:229-0 open config file: /etc/bareos/bconsole-pam-preauth.conf

Connecting to Director localhost:9101
bconsole (100): lib/bsock.cc:81-0 Construct BareosSocket
bconsole (100): lib/bsock_tcp.cc:235-0 Current host[ipv6;::1;9101]  All host[ipv6;::1;9101] host[ipv4;127.0.0.1;65535]
bconsole (100): lib/bsock_tcp.cc:235-0 Current host[ipv4;127.0.0.1;9101]  All host[ipv6;::1;9101] host[ipv4;127.0.0.1;9101]
bconsole (100): lib/bsock_tcp.cc:158-0 who=Director daemon host=localhost port=9101
bconsole (100): lib/tls_openssl_private.cc:57-0 Construct TlsOpenSslPrivate
bconsole (100): lib/tls_openssl_private.cc:536-0 Set tcp filedescriptor: <3>
bconsole (100): lib/tls_openssl_private.cc:482-0 Set ca_certfile: <>
bconsole (100): lib/tls_openssl_private.cc:488-0 Set ca_certdir: <>
bconsole (100): lib/tls_openssl_private.cc:494-0 Set crlfile_: <>
bconsole (100): lib/tls_openssl_private.cc:500-0 Set certfile_: <>
bconsole (100): lib/tls_openssl_private.cc:506-0 Set keyfile_: <>
bconsole (100): lib/tls_openssl_private.cc:518-0 Set pem_userdata to address: <0>
bconsole (100): lib/tls_openssl_private.cc:524-0 Set dhfile_: <>
bconsole (100): lib/tls_openssl_private.cc:542-0 Set cipherlist: <>
bconsole (100): lib/tls_openssl_private.cc:530-0 Set Verify Peer: <false>
bconsole (50): lib/tls_openssl.cc:85-0 Preparing TLS_PSK CLIENT context for identity R_CONSOLE pam-preauth
bconsole (100): lib/tls_openssl_private.cc:467-0 psk_client_cb. identity: R_CONSOLE pam-preauth.

bconsole (50): lib/bnet.cc:201-0 TLS client negotiation established.
bconsole (100): lib/cram_md5.cc:116-0 cram-get received: auth cram-md5 <1928344771.1571931367@bareos-dir> ssl=1
bconsole (99): lib/cram_md5.cc:135-0 sending resp to challenge: wX/6G8tE/+/yi3B+2y+fMC
bconsole (50): lib/cram_md5.cc:69-0 send: auth cram-md5 <1920788964.1571931367@bconsole> ssl=1
bconsole (50): lib/cram_md5.cc:88-0 Authenticate OK 6/Y4o9Zid0lEH8pjzF4pqA

bconsole (6): lib/bsock.cc:347-0 >dird: 1000 OK auth
 Encryption: ECDHE-PSK-CHACHA20-POLY1305
tstusr
Password:
1000 OK: bareos-dir Version: 18.2.5 (30 January 2019)
bareos.org build binary
bareos.org binaries are UNSUPPORTED by bareos.com.
Get official binaries and vendor support on https://www.bareos.com
You are logged in as: tstusr
bconsole (40): console/console.cc:1157-0 Opened connection with Director daemon


Enter a period to cancel a command.
*quit
bconsole (100): lib/tls_openssl.cc:71-0 Destruct TLsOpenSsl Implementation Object
bconsole (100): lib/tls_openssl_private.cc:62-0 Destruct TlsOpenSslPrivate

bconsole (100): include/jcr.h:324-0 Destruct JobControlRecord
root@bareos-000001:~# cat /etc/bareos/bareos-dir.d/console/tstusr.conf
Console {
  Name = tstusr
  Password = PAM_WORKAROUND_79xNxGn3uo8tBYuZ
  Profile = pamuser
}
root@bareos-000001:~#
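
Added example, not part of the original posts or of the Bareos project: a small Python check that the three pieces described above (the bconsole Console, the Director's Console resources, and the pam_exec helper line) agree with each other. Function names and sample strings are constructed for illustration, and the rule that the helper's console is a plain password console is an assumption read off the working configuration in this thread.

```python
import re
import shlex

# Constructed sample modeled on the first post's layout (placeholder passwords):
# a single console and a commented-out pam_exec helper line.
DIRD = 'Console {\n  Name = "pamadduser"\n  Password = "pw1"\n  UsePamAuthentication = yes\n}\n'
BCONSOLE = 'Console {\n  Name = "pamadduser"\n  Password = "pw1"\n}\n'
PAM = '#auth [default=ignore] pam_exec.so quiet /usr/local/bin/pam_exec_add_bareos_user.py --name pamadduser --password pw1 --profile pamadduser\n'

def consoles(text):
    """Return {name: {lowercased directive: value}} for each Console block."""
    found = {}
    for body in re.findall(r"^\s*Console\s*\{(.*?)^\s*\}", text, re.S | re.M):
        kv = {}
        for line in body.splitlines():
            if "=" in line and not line.lstrip().startswith("#"):
                key, value = line.split("=", 1)
                kv[key.strip().lower()] = value.strip().strip('"')
        found[kv.get("name", "")] = kv
    return found

def pam_exec_args(pam_text):
    """Return the --option values of the first active pam_exec.so line."""
    for line in pam_text.splitlines():
        if "pam_exec.so" in line and not line.lstrip().startswith("#"):
            w = shlex.split(line)
            return {a[2:]: b for a, b in zip(w, w[1:]) if a.startswith("--")}
    return {}

def check(dird_text, bconsole_text, pam_text):
    """List mismatches between the three pieces of the PAM console setup."""
    problems = []
    dird = consoles(dird_text)
    client = next(iter(consoles(bconsole_text).values()), {})
    helper = pam_exec_args(pam_text)
    pre, add = dird.get(client.get("name")), dird.get(helper.get("name"))
    if pre is None or pre.get("usepamauthentication", "").lower() != "yes":
        problems.append("bconsole console is not a PAM-enabled Director console")
    elif pre.get("password") != client.get("password"):
        problems.append("pre-auth console password differs between bconsole and Director")
    if not helper:
        problems.append("no active pam_exec helper line: no user console is created at logon")
    elif add is None or add.get("password") != helper.get("password"):
        problems.append("pam_exec --name/--password match no Director console")
    elif add.get("usepamauthentication", "").lower() == "yes":
        # Assumption taken from the working setup in the thread: the helper's
        # console is a plain password console, separate from the pre-auth one.
        problems.append("helper console must not itself require PAM")
    return problems

if __name__ == "__main__":
    for p in check(DIRD, BCONSOLE, PAM):
        print("PROBLEM:", p)
```

Feed it the concatenated contents of /etc/bareos/bareos-dir.d/console/*.conf, the bconsole configuration file and /etc/pam.d/bareos; an empty list means the three pieces line up.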



Jörg Steffens

Oct 25, 2019, 5:28:36 AM
to bareos...@googlegroups.com
On 24.10.19 at 17:38 wrote Martin Krämer:
> Never mind - I misunderstood the concept, which caused me to make some errors.
>
> What I understand now, briefly explained - maybe it helps others, too.

Thank you for your explanation.
Patches to
https://github.com/bareos/bareos-contrib/tree/master/misc/bareos_pam_integration
are also welcome.

Regards,
Jörg

--
Jörg Steffens joerg.s...@bareos.com
Bareos GmbH & Co. KG Phone: +49 221 630693-91
http://www.bareos.com Fax: +49 221 630693-10

Registered office: Köln | District court Köln: HRA 29646
General partner: Bareos Verwaltungs-GmbH
Managing directors:
S. Dühr, M. Außendorf, Jörg Steffens, P. Storz
