
I have a Linux system with a user named service. I'm using the pam_succeed_if.so module to match this username. For example:

auth required pam_succeed_if.so user = service 

But it won't match a username of service, apparently because it is also a field accepted by pam_succeed_if.so. From the man page (edited for emphasis):

Available fields are user, uid, gid, shell, home, ruser, rhost, tty and service

How do you escape values that match field names?

Further Troubleshooting:

I turned the debug option on for pam_succeed_if.so, and it's converting the username service to login:

login: pam_succeed_if(login:auth): 'user' resolves to 'login' 

And this just so happens to be the PAM config for login, /etc/pam.d/login.

1 Answer


pam_succeed_if.so converts the passed-in user to the field value, if that value exists. For example, using the user shell:

login: pam_succeed_if(login:auth): 'user' resolves to '/bin/bash' 

I don't know how to keep it from doing this clearly undesired resolve. But there is a workaround that will work for almost everyone.

Just check for the resolved value, instead of the actual value.

Examples

To match the service user in the login PAM config:

auth required pam_succeed_if.so user = login 

To match the service user in the sshd PAM config:

auth required pam_succeed_if.so user = sshd 

To match the shell user, whose configured shell is /bin/bash:

auth required pam_succeed_if.so user = /bin/bash 
  • Since this is just a workaround, I will keep this question open for a while, hoping someone else knows more. Commented Jun 21, 2015 at 0:49
  • I'm not sure I understand the question well enough for an answer, but it's confusing to me that your answer says " ... user = login" while your question/requirement says "user = service". Commented Jun 21, 2015 at 0:57
  • @JeffSchaller Do the new examples help? Commented Jun 21, 2015 at 1:02
  • It still looks to me like your "service" user is showing up with a username of "login" when it seems to me it should say "service". Commented Jun 21, 2015 at 2:26
  • Yep, so this workaround wouldn't work if you have a login user you need to consider. In my case, it's not a problem. Commented Jun 21, 2015 at 2:54
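A small audit script, added here and not part of the question or answer, that flags pam_succeed_if.so rules whose right-hand value is one of the module's own field names, the situation this thread describes (the value gets resolved instead of compared literally). The config text it scans is a constructed sample, not a real /etc/pam.d file.

```python
# Fields that pam_succeed_if.so resolves, as listed in the man page quoted in the question.
FIELDS = {"user", "uid", "gid", "shell", "home", "ruser", "rhost", "tty", "service"}
# Comparison operators the module accepts; any other word after the module name is an option.
OPS = {"=", "!=", "<", "<=", ">", ">=", "=~", "!~", "in", "notin", "ingroup", "notingroup"}
MODULE = "pam_succeed_if.so"


def conditions(line):
    """Return the (field, op, value) triples of one pam_succeed_if.so rule, or [] if the
    line is not such a rule. Single-word options (debug, quiet, use_uid, ...) are skipped."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return []
    tokens = stripped.split()
    if MODULE not in tokens:
        return []
    args = tokens[tokens.index(MODULE) + 1:]
    triples = []
    i = 0
    while i < len(args):
        if i + 2 < len(args) and args[i + 1] in OPS:
            triples.append((args[i], args[i + 1], args[i + 2]))
            i += 3
        else:
            i += 1
    return triples


def field_collisions(config_text):
    """Find conditions whose right-hand value is itself a field name. As the thread shows,
    such a value is resolved (e.g. 'service' becomes the PAM service name), so the rule
    silently compares against something other than the literal the admin wrote."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for field, op, value in conditions(line):
            if value in FIELDS:
                hits.append((lineno, field, op, value))
    return hits


# Constructed sample in the style of /etc/pam.d/login (hypothetical, not a real system file).
SAMPLE_LOGIN_CONF = """\
# constructed sample
auth required pam_succeed_if.so user = service
auth required pam_succeed_if.so debug user = login
auth [success=1 default=ignore] pam_succeed_if.so quiet user ingroup wheel
account required pam_unix.so
"""

if __name__ == "__main__":
    for lineno, field, op, value in field_collisions(SAMPLE_LOGIN_CONF):
        print(f"line {lineno}: '{field} {op} {value}': '{value}' is a field name and will be resolved")
```

Running it over a real /etc/pam.d directory turns up rules that look correct but match something other than the intended literal, which is exactly the failure the question hit.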
