# ssh & PAM (problem traced to PAM, missing pam_pwdb.so, H

## InAt!QuE

Hi,

I set my PAM settings as in the security guide.

And when I want to set PAM on ssh in /etc/ssh/sshd_conf I can't log in anymore...

I'm talking about the

```
UsePAM yes
```

in the conf.

Does someone have a suggestion?

----------

## ckdake

Is pam in your USE in /etc/make.conf, and did you emerge openssh after putting it there?

----------

## InAt!QuE

 *ckdake wrote:*   

> Is pam in your USE in /etc/make.conf, and did you emerge openssh after putting it there?

 

Well, PAM is in my /etc/make.conf but I didn't emerge openssh again...

I'll try it right now...

(So PAM isn't standard in openssh?)

----------

## ckdake

According to the Gentoo security guide:

> "PAM is a suite of shared libraries that provide an alternative way of making authentication in programs. The pam USE flag is turned on by default. Thus the PAM settings on Gentoo Linux are pretty reasonable..."

So that might actually not be your problem, however it might be... Post back what happens after you emerge it again and we'll see what else this could be. Does anything show up in your system log?

If not, you could check out the Gentoo Security Guide section on logging http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap4, tell it to log things related to logging in, and see if that gives you any more information.

What happens when you try to log in with PAM enabled?

----------

## InAt!QuE

Ok... My PAM and Syslog-ng configs are exactly copied from http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap4, I already had this.

And YES .. you're right. It's a problem with PAM itself....

In my /var/log/auth.log this shows up:

```
Feb 12 13:05:36 MultiServers1 sshd[15215]: PAM unable to dlopen(/lib/security/pam_pwdb.so)
Feb 12 13:05:36 MultiServers1 sshd[15215]: PAM [dlerror: /lib/security/pam_pwdb.so: cannot open shared object file: No such file or directory]
Feb 12 13:05:36 MultiServers1 sshd[15215]: PAM adding faulty module: /lib/security/pam_pwdb.so
Feb 12 13:05:39 MultiServers1 sshd[15215]: Failed password for kray from 10.0.0.101 port 1243 ssh2
Feb 12 13:06:56 MultiServers1 sshd[15206]: Received signal 15; terminating.
Feb 12 13:06:57 MultiServers1 sshd[15282]: Server listening on 0.0.0.0 port 22.
Feb 12 13:07:00 MultiServers1 sshd[15215]: Failed password for kray from 10.0.0.101 port 1243 ssh2
Feb 12 13:07:01 MultiServers1 sshd[15215]: Failed password for kray from 10.0.0101 port 1243 ssh2
```

```
#ls /lib/security
pam_access.so                pam_listfile.so     pam_succeed_if.so
pam_chroot.so                pam_localuser.so    pam_tally.so
pam_console.so               pam_mail.so         pam_time.so
pam_console_apply_devfsd.so  pam_mkhomedir.so    pam_timestamp.so
pam_cracklib.so              pam_motd.so         pam_unix.so
pam_debug.so                 pam_nologin.so      pam_unix_acct.so
pam_deny.so                  pam_permit.so       pam_unix_auth.so
pam_env.so                   pam_postgresok.so   pam_unix_passwd.so
pam_filter                   pam_rhosts_auth.so  pam_unix_session.so
pam_filter.so                pam_rootok.so       pam_userdb.so
pam_ftp.so                   pam_rps.so          pam_warn.so
pam_group.so                 pam_securetty.so    pam_wheel.so
pam_issue.so                 pam_shells.so       pam_xauth.so
pam_lastlog.so               pam_stack.so
pam_limits.so                pam_stress.so
```

pam_pwdb.so isn't in here... how could this be?

I emerged pam & pam-login again... and it still isn't on the machine...

```
#locate pam-pwdb.so
```

didn't find anything....

HELP !!

----------

## ckdake

I have pam and pam-login, but I don't have the /lib/security/pam_pwdb.so either. Have you emerged cracklib? I think that may be where that file comes from because I don't have cracklib and that seems to be a likely place.

I have yet to fully configure stuff on my server after it died a month or so ago, so here is my unchanged config file:

```
root@zion security # cat /etc/pam.d/passwd
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
```

----------

## InAt!QuE

Yes, I've emerged cracklib and I did it again...

----------

## ckdake

Hmm. I did some googling around and ran into several mailing list archives where pam_pwdb.so went missing. Try switching every occurrence of pam_pwdb.so in your pam config files with pam_unix.so

----------
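An added example (not posted by anyone in this thread): a check that lists every module a PAM service file references but that is not installed, which is the condition behind the `PAM unable to dlopen` lines above and worth running before turning on `UsePAM yes`. The function name `pam_missing_modules` is hypothetical; the default directories are the ones shown in this thread, and the sample service file is constructed.

```shell
#!/bin/sh
# Added example: report PAM rules whose module file does not exist.
# Usage: pam_missing_modules [PAM_DIR] [MODULE_DIR]
pam_missing_modules() {
    pam_dir=${1:-/etc/pam.d}
    mod_dir=${2:-/lib/security}
    for conf in "$pam_dir"/*; do
        [ -f "$conf" ] || continue
        # Emit "lineno module-path" for every rule line in this service file.
        awk '
            { sub(/#.*/, "") }              # drop comments
            NF < 3 || $1 ~ /^@/ { next }    # blank, short or @include lines
            {
                i = 3
                # A bracketed control such as [success=1 default=ignore]
                # can span several whitespace-separated fields.
                if ($2 ~ /^\[/) {
                    i = 2
                    while (i <= NF && $i !~ /\]$/) i++
                    i++
                }
                if (i <= NF) print NR, $i
            }
        ' "$conf" |
        while read -r lineno module; do
            case $module in
                /*) path=$module ;;            # absolute path, as in this thread
                *)  path=$mod_dir/$module ;;   # bare name, resolved in MODULE_DIR
            esac
            [ -e "$path" ] || printf '%s:%s: missing %s\n' "$conf" "$lineno" "$path"
        done
    done
}

# Constructed sample: a service file naming one module that is not installed.
demo=$(mktemp -d)
mkdir "$demo/pam.d" "$demo/security"
touch "$demo/security/pam_unix.so"
printf '%s\n' '#%PAM-1.0' \
    "auth     required  $demo/security/pam_pwdb.so shadow" \
    'account  required  pam_unix.so' > "$demo/pam.d/sshd"
pam_missing_modules "$demo/pam.d" "$demo/security"
rm -rf "$demo"
```

Run with no arguments as root, it checks /etc/pam.d against /lib/security; any line it prints is a rule PAM will log as a faulty module at login time.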

## InAt!QuE

OK... I will if I can't fix this...

On IRC someone told me to do

```
USE=pwdb emerge pam
```

But this wasn't the solution either...

But it's very strange because the security guide shows the configs with pam_pwdb.so

So it MUST be possible !!! aarrgggghhhh   :Mad:   :Mad:

----------

## InAt!QuE

Uhm... problem is fixed right now by downgrading PAM to pam-0.75-r11

Now pam_pwdb.so is available...

See this: https://bugs.gentoo.org/show_bug.cgi?id=36043

----------

## ckdake

Interesting. I always assume that there aren't bugs in things but I really should dig around in the bugs database a bit more. Glad you fixed it.

----------

