You're right; I had a setup /etc/pam.d/ngircd but it was setup to use the wrong pam module; local auth instead of ldap, unlike the login service.
So it was literally the wrong password for the user (and also why pamtester was working).
Thanks for pointing me in the right direction~
Cheers, Doug.
On Wed, Mar 6, 2013 at 1:31 AM, Alexander Barton alex@barton.de wrote:
Hi Doug!
On Tue, Mar 05, 2013 at 12:32:16PM +0800, Doug wrote:
I was wondering if someone could shed some light on how to use PAM with ngircd?
I've set PAM = yes, and PAMIsOptional = no, but I'm kind of fuzzy on how this is supposed to work.
The client connects with a nick and username, (in this case my username
for
both, douglasl).
But you/your client/"it" has to send a password using the PASS command, too :-)
The server rejects the connection, and logs:
[18632:6 5] Accepted connection 7 from 127.0.0.1:59814 on socket 6. [18906:3 5] PAM: Error on "douglasl" (douglasl!~douglasl@localhost): Authentication failure [18632:3 5] User "douglasl!~douglasl@localhost" rejected (connection
7):
Bad password! [18632:6 5] Shutting down connection 7 (Bad password) with localhost:59814 ... [18632:5 5] Client "douglasl" unregistered (connection 7): Bad
password
[18632:6 5] Connection 7 with localhost:59814 closed (in: 0.1k, out: 0.0k).
Because you provided no password at all, if I understand you correctly?
Riiight. I'm pretty sure I've got pam working, because I can use
pamtester
well enough:
~/ngircd/pamtester-0.1.2/src# ./pamtester login douglasl authenticate Password: pamtester: successfully authenticated
I don't know "pamtester", but PAM requires a "service name", and if I understand it correctly, you are using "login" as service name in your example above; but ngIRCd uses – guess what? – "ngircd" :-)
So most probably you have to check your PAM setup for ngIRCd using something like this:
$ pamtester ngircd douglasl authenticate
So, the question is, how the irc client supposed to be supplying the password for the user?
It has to send a valid PASS command, _before_ it sends NICK and USER. For example (raw IRC commands):
PASS :password NICK :nickname USER login . . :Real Name
The raw commands to the server after connect are PASS / NICK / USER,
which
sound like they should be all I need.
Right.
Regards Alex