From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Description of problem:
The postgresql-server package should include a default /etc/pam.d/postgresql file that calls pam_stack.so service=system-auth. Otherwise, the admin has to manually configure PAM, even after enabling it in /var/lib/pgsql/data/pg_hba.conf; AFAIK, no other RH/Fedora services require manually configuring PAM like this.

Version-Release number of selected component (if applicable):
8.0.3-1

How reproducible:
Always

Steps to Reproduce:
1. Install postgresql-server.
2. Enable PAM auth in /var/lib/pgsql/data/pg_hba.conf

Actual Results:
No users can log in.

Expected Results:
PAM authentication using system default user authentication settings.

Additional info:
Will look into it. Is there any likely scenario where this would *not* be the desired PAM configuration?
None that I can think of - but I don't have experience with a wide variety of different Linux setups, so I may be overlooking something. Even with pam_stack system-auth, users still have to be enabled in pg_hba.conf, so this default wouldn't do anything unless an admin edits pg_hba.conf, and editing pg_hba.conf would hopefully prompt the admin to double-check the pam config if he doesn't want system-auth.
I've added this file in postgresql-8.0.4-2.FC4.1, which should appear as an update tomorrow. I'm not super familiar with PAM, so I'd appreciate it if you'd check it out and make sure the fix is good.
The included PAM file doesn't work for PostgreSQL 7.4.8-1.RHEL4.1 (on RHEL 4 / CentOS 4) at least; it needs an account line too.
    account required pam_stack.so service=system-auth
Thanks.
Thanks, I'll update it on next respin.
Hmm ... on fedora-devel-list Tomas Mraz says that pam_stack is deprecated and recommends this instead:
    #%PAM-1.0
    auth include system-auth
    account include system-auth
Any comments?
That's news to me; I was just copying the same format as was used in other PAM files on my RHEL 3 and 4 boxes. If "include system-auth" is the new recommended approach, then that sounds good. Thanks.
I think the "include" syntax is too new for RHEL3, but it should work in FC4 and probably RHEL4.
Note to self: also, tweak spec file to avoid overwriting any existing PAM configuration file ...
I've pushed out a fixed-up file in postgresql-8.0.5-1.FC4.1.
Thanks.
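
The three variants of /etc/pam.d/postgresql that came up in this thread, run through a small checker. This is an added example, not part of the original bug report or of the postgresql package. The function names and sample strings are constructed for illustration, and `#` inside a bracketed control field is not handled.

```python
import re

# Constructed samples mirroring the variants discussed in the thread.
AUTH_ONLY = "#%PAM-1.0\nauth required pam_stack.so service=system-auth\n"
PAM_STACK = AUTH_ONLY + "account required pam_stack.so service=system-auth\n"
INCLUDE = "#%PAM-1.0\nauth include system-auth\naccount include system-auth\n"

PAM_TYPES = {"auth", "account", "password", "session"}
# type, control (simple keyword or [bracketed] form), module or service, args
RULE_RE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse_pam(text):
    """Parse a pam.d service file into (type, control, target, args) tuples."""
    rules = []
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and #%PAM-1.0
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % raw)
        kind, control, target, args = m.groups()
        kind = kind.lstrip("-")  # a leading '-' marks an optional module
        if kind not in PAM_TYPES:
            raise ValueError("unknown PAM type in line: %r" % raw)
        rules.append((kind, control, target, args.split()))
    return rules


def lint(text):
    """Return findings for the two problems raised in the thread."""
    rules = parse_pam(text)
    present = {kind for kind, _, _, _ in rules}
    findings = []
    # The thread reports that logins fail without an account line.
    for needed in ("auth", "account"):
        if needed not in present:
            findings.append("missing '%s' line" % needed)
    # pam_stack is reported as deprecated in favour of 'include'.
    if any(target.endswith("pam_stack.so") for _, _, target, _ in rules):
        findings.append("uses deprecated pam_stack.so")
    return findings


if __name__ == "__main__":
    for name in ("AUTH_ONLY", "PAM_STACK", "INCLUDE"):
        print(name, lint(globals()[name]))
```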