PAM debug logs in syslog
-
Hi all
My goal is to log PAM's debug messages in syslog (for debugging my setup).
So far I have done the following, with no success:
1- in the webGUI (Status > System logs, Settings tab) I found nothing about this.
2- edit /etc/syslog.conf
- added at the end of the file:
pam.debug %/var/log/pam_debug.log
- created the /var/log/pam_debug.log file
- and then restarted syslogd:
service syslogd restart
Nothing was written to the /var/log/pam_debug.log file, but pam INFO messages were still appearing in the "default" /var/log/system.log.
Any suggestions or advice on where to find info about editing syslog.conf successfully??
regards
-
You probably need to tell pam to log at debug level. This used to work for me:
touch /etc/pam_debug
-
Hi MindfulCoyote,
I have already told the pam I am using to log at debug level, by providing the "debug" parameter (the same steps worked on CentOS).
That's why I am asking how to "tell" syslog to "print" those debug-level logs that pam generates.
But in your suggestion:
- what should /etc/pam.d/pam_debug stack have ?
- I can not find pam_debug.so anywhere in /usr/lib
regards
-
I edited /etc/syslog.conf like this:
just below
auth.info;authpriv.info;daemon.info %/var/log/system.log
(in line 36)
I added the following
auth.debug %/var/log/pam_debug.log
and restarted syslogd.
Not that my problem is solved (I still cannot see the debug log the module I want generates), but I can see some log in the /var/log/pam_debug.log file, so I think pam debug logging works…
There might be problems with that specific module.... I will test it further...
Only when I try to
clog -f /var/log/pam_debug.log
there is an error
clog: ERROR: could not write output (Bad address)
but it has to do with circular log file generation … so maybe a subject of another post...
-
@alexxtasi: I have already told the pam I am using to log at debug level, by providing the "debug" parameter (the same steps worked on CentOS).
I must be overlooking how you are providing the debug parameter. On the command line? The instruction I provided should have enabled pam debugging globally for all services; otherwise you have to enable debugging for each one separately by editing each individual file in /etc/pam.d.
@alexxtasi: Only when I try to
clog -f /var/log/pam_debug.log
there is an error
clog: ERROR: could not write output (Bad address)
but it has to do with circular log file generation … so maybe a subject of another post...
Some of the pfSense logs are 'normal' text logs and you can just use 'tail -f /var/log/pam_debug.log' instead of clog.
-
I was not so clear.. forgive me for that…
- I am using a pam stack in /etc/pam.d/common-pam
- in there I call the pam.so I want with the debug parameter, like:
auth required /path/to/my_pam.so debug … other parameters...
Since this pam works great (except the debug log ;-)), I think it is all I need for debug logs … correct me on this.
And thanks for clearing up the clog vs. "normal" logs for me.... newbie here
regards
-
@alexxtasi: I was not so clear.. forgive me for that…
Ancient history. ;)
@alexxtasi:
- I am using a pam stack in /etc/pam.d/common-pam
- in there I call the pam.so I want with the debug parameter, like:
auth required /path/to/my_pam.so debug … other parameters...
Since this pam works great (except the debug log ;-)), I think it is all I need for debug logs … correct me on this.
Well, now I'm a bit more confused than before. The default installation doesn't have /etc/pam.d/common-pam; did it install with one of the packages?
Also, I'm not sure I understand your goal. Originally you said you wanted pam debugging messages in syslog, so I took that to mean that you were not seeing pam debugging, especially since you hadn't mentioned this bit about enabling debug in pam.d/common-pam. But then when I re-read your original post, you wrote:
@alexxtasi: but pam INFO messages were still appearing in the "default" /var/log/system.log
So I take it that you are seeing pam messages from common-pam in /var/log/syslog but would prefer that they appear in /var/log/pam_debug.log? Also perhaps that you are not seeing the exact data you are looking for?
The reason I ask this is because pam generally does log actual errors, so it might be you think that the debugging will log additional data that pam perhaps doesn't log regardless. (This is especially complicated by the non-standard pam module.) Maybe what you actually want is a module like pam_echo? http://www.freebsd.org/cgi/man.cgi?query=pam_echo&apropos=0&sektion=8&manpath=FreeBSD+8.3-RELEASE&arch=default&format=html
Ref. http://www.freebsd.org/doc/en/articles/pam/article.html
As you discovered, determining which log facility a daemon is using matters. (Bitten me many times.)
@alexxtasi: added the following
auth.debug %/var/log/pam_debug.log
It's possible that pam is logging the information you are looking for under a different facility. You could try changing auth.debug to *.debug temporarily to check.
What kind of information are you trying to get pam to log, errors, or parameters, systems calls, or accounting data, or…? Does it have to be in /var/log/pam_debug.log, or is that just a convenience? Maybe truss would be more appropriate to your task?
-
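Added example, not code from the thread, from pfSense or from LinOTP: a small Python model of the syslog.conf selector rules the two posts above are working through, showing which action lines a message tagged auth.debug or authpriv.debug would land in, and why a selector such as pam.debug is dropped. The sample configuration inside it is constructed from the lines quoted in the thread; the facility and priority names, and the reading of the % action prefix as pfSense's circular-log (clog) marker, are my interpretation of syslog.conf(5) and pfSense's syslogd and are assumptions, not something the thread states.

```python
"""Model of BSD/pfSense syslog.conf selector matching.

Added example for this thread, not code from pfSense or from any poster.
Rules implemented (my reading of syslog.conf(5), an assumption):
'facility.level' matches that level and everything more severe, '*' is any
facility, 'none' drops a facility, '=level' matches exactly that level, and a
line whose selector names an unknown facility is ignored by syslogd.
"""

PRIORITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITIES = {
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
} | {"local%d" % i for i in range(8)}

# Constructed sample: the thread's system.log line, the auth.debug line the
# poster added, the rejected 'pam.debug' attempt, and a catch-all *.debug.
# The '%' prefix is assumed to be pfSense's marker for a clog circular log.
SAMPLE_CONF = """\
auth.info;authpriv.info;daemon.info\t%/var/log/system.log
auth.debug\t%/var/log/pam_debug.log
pam.debug\t%/var/log/pam_debug.log
*.debug\t/var/log/all_debug.log
"""


def _apply_selector(selector, table):
    """Apply one 'fac[,fac].level' selector to a per-line facility table.

    Later selectors overwrite earlier ones for the facilities they name,
    which is how '*.info;auth.none' excludes auth from a catch-all line.
    """
    fac_part, dot, level = selector.rpartition(".")
    if not dot:
        raise ValueError("selector without level: %r" % selector)
    exact = level.startswith("=")          # '=info' means exactly info
    level = level.lstrip("=")
    if level == "*":                        # '*.*' is the same as '*.debug'
        level = "debug"
    if level == "none":
        threshold = None
    elif level in PRIORITIES:
        threshold = (PRIORITIES[level], exact)
    else:
        raise ValueError("unknown priority %r" % level)
    facs = set(FACILITIES) if fac_part == "*" else set(fac_part.split(","))
    unknown = facs - FACILITIES
    if unknown:
        raise ValueError("unknown facility %s" % ",".join(sorted(unknown)))
    for fac in facs:
        table[fac] = threshold


def parse_syslog_conf(text):
    """Return (rules, errors); each rule is ({facility: threshold}, action)."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in "!+-":     # program/host blocks not modelled
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            errors.append((lineno, "missing action"))
            continue
        selectors, action = parts
        table = {}
        try:
            for sel in selectors.split(";"):
                _apply_selector(sel, table)
        except ValueError as exc:
            errors.append((lineno, str(exc)))  # syslogd skips such a line
            continue
        rules.append((table, action.strip()))
    return rules, errors


def destinations(rules, facility, priority):
    """Actions that would receive a message logged as facility.priority."""
    pri = PRIORITIES[priority]
    hits = []
    for table, action in rules:
        threshold = table.get(facility)
        if threshold is None:
            continue
        limit, exact = threshold
        if (pri == limit) if exact else (pri <= limit):
            hits.append(action)
    return hits


def describe_action(action):
    """Split the assumed pfSense '%' circular-log marker from the path.

    A '%' target is expected to be a clog file (created with 'clog -i') and
    read with 'clog -f'; a plain path is an ordinary file for 'tail -f'.
    """
    if action.startswith("%"):
        return ("clog", action[1:])
    return ("file", action)


if __name__ == "__main__":
    rules, errors = parse_syslog_conf(SAMPLE_CONF)
    for lineno, msg in errors:
        print("line %d ignored: %s" % (lineno, msg))
    for fac, pri in (("auth", "info"), ("auth", "debug"), ("authpriv", "debug")):
        print("%s.%s ->" % (fac, pri), destinations(rules, fac, pri) or "nowhere")
```

Running it shows auth.debug reaching pam_debug.log and the catch-all but not system.log (selected with auth.info, which stops at info), the pam.debug line being ignored because pam is not a facility, and authpriv.debug reaching only the catch-all. That last case is the check MindfulCoyote suggests: if the module logs under LOG_AUTHPRIV or some other facility, an auth.debug line never sees it, while a temporary *.debug line does.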
Hi MindfulCoyote,
let me explain …
My setup is an OpenVPN daemon on a CentOS machine calling a pam (pam_linotp.so on the same machine) that authenticates the user against an authentication server (LinOTP). This works fine and also provides pam debug logs on Linux's rsyslog service using *.debug.
I am trying to move this setup to pfSense (because I like its firewall and many other features), so I used pfSense's OpenVPN capabilities, created the needed /etc/pam.d/common-pam stack and call from there the pam_linotp.so with the debug param (the same way as on Linux).
I have compiled pam_linotp on FreeBSD (FreeBSD-8.3 for pfSense-2.1.4 compatibility) and copied the .so file and all needed libraries to pfSense.
While the whole setup works great (the same way it did on CentOS), I suppose the setup and compile stuff are ok (correct me on this).
The only difference is, I cannot see any pam debug messages even though I tried changing the syslog.conf as described (tests using *.debug, auth.debug ...)
@MindfulCoyote: Does it have to be in /var/log/pam_debug.log, or is that just a convenience?
No need for it, just for separation of the messages…
@MindfulCoyote: It's possible that pam is logging the information you are looking for under a different facility. You could try changing auth.debug to *.debug temporarily to check.
I think I've done this with no success (I say "think" because I did many, many tests with different settings).
@MindfulCoyote: What kind of information are you trying to get pam to log, errors, or parameters, system calls, or accounting data, or…?
The debug-level messages of the PAM I am using, those that on CentOS are listed using *.debug in rsyslog.
@MindfulCoyote: Maybe truss would be more appropriate to your task?
I have no idea of truss so I will give it a try… thanks for that info!!
I read that there is no other experience of using this pam_linotp.so on pfSense (anyone can correct me on this and provide info...).
The fact that the same setup is working great on Linux makes me think that there might be a misconfiguration on my side... so I will keep testing when I can and provide results, if any.
Meanwhile any suggestions are welcome :)
regards
-
I won't be able to help out any further, alexxtasi. You've exceeded my ability to assist through the forums. It's often difficult enough to get the base system running properly because of its numerous bugs and quirks, much less when you customize to the extent that you have. Good luck my friend. :)