The man page PAM sample is outdated

Issue #1101 resolved
Lutz Mader created an issue

Hello Tildeslash,
the PAM sample in the monit man page is outdated, this is for MacOS up to 10.5.

Based on my configuration I add a more up to date sample for MacOS and one for Linux also.

The pull request is coming soon.

With regards,
Lutz

p.s.

My suggestion:

Sample PAM service for Monit on macOS (store as
"/etc/pam.d/monit" file):

  # monit: auth account password session
  #auth       sufficient     pam_securityserver.so
  #auth       sufficient     pam_unix.so
  auth       sufficient     pam_opendirectory.so
  auth       required       pam_deny.so
  account    required       pam_permit.so
  password   required       pam_deny.so
  session    required       pam_permit.so

And a similar PAM service for Monit on Linux (store as
"/etc/pam.d/monit" file):

  # monit: auth account password session
  auth       sufficient   pam_unix2.so
  auth       required     pam_deny.so
  account    required     pam_permit.so
  password   required     pam_deny.so
  session    required     pam_permit.so

A C<monitrc> config which only allows group C<admin> and C<staff>
authenticated via
PAM to access the web interface:

  set httpd
      port 2812
      allow @admin
      allow @staff readonly
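
An added example (not part of the issue or of Monit's code): a small Python check for a "/etc/pam.d/monit" file like the ones suggested above. It confirms that the auth stack has a rule that decides the result when every "sufficient" module fails, and reports an account stack made only of pam_permit.so; the function names and finding texts are assumptions, and bracketed controls are parsed but not evaluated.

```python
import re

# Constructed input: the Linux service file proposed in the issue above.
LINUX_SAMPLE = """\
# monit: auth account password session
auth       sufficient   pam_unix2.so
auth       required     pam_deny.so
account    required     pam_permit.so
password   required     pam_deny.so
session    required     pam_permit.so
"""

# Fields: type, control (keyword or [value=action ...]), module, arguments.
RULE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$"
)

def parse_pam(text):
    """Return {type: [(control, module_basename), ...]} in file order."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = RULE.match(line)
        if m:
            kind, control, module, _args = m.groups()
            stacks.setdefault(kind, []).append((control, module.rsplit("/", 1)[-1]))
    return stacks

def audit(text):
    """Return a list of findings (hypothetical wording) for a PAM service file."""
    stacks, findings = parse_pam(text), []
    auth, acct = stacks.get("auth", []), stacks.get("account", [])
    if not auth:
        findings.append("auth: no rules, nothing authenticates the user")
    elif not any(ctl in ("required", "requisite") for ctl, _mod in auth):
        findings.append("auth: only sufficient/optional rules, nothing decides the result when all fail")
    if any(mod == "pam_permit.so" for _ctl, mod in auth):
        findings.append("auth: pam_permit.so accepts any credentials")
    if acct and all(mod == "pam_permit.so" for _ctl, mod in acct):
        findings.append("account: pam_permit.so only, PAM applies no account restrictions")
    return findings
```

For the samples in this issue the only finding is the account note, which is why the monitrc "allow @admin" and "allow @staff readonly" lines are what narrow access.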

Comments (7)

  1. Lutz Mader reporter

    Hello,
    we use "pam_ldap.so" to authorize user access to the monit web interface (in a Linux/SLES environment).

    Unfortunately, the monit program terminated with signal SIGABRT (Aborted) in the "libcrypto.so" used by "pam_ldap.so" every time monit tries to authenticate a user (via "pam_authenticate" in "util.c").
    If monit is built with OpenSSL 1.1.1t dynamically linked, everything seems to work well.

    For your information only,
    Lutz

  2. Tildeslash repo owner

    backport:

    commit b178b7688075926cd3159b22a91b6ec8e493ecd1
    Author: tildeslash info@tildeslash.com
    Date: Sat May 11 07:01:37 2024 +0200

    Fixed Issue #1101: Updated configuration examples for PAM in the Monit manual. Thanks to Lutz Mader.
    

    commit f4b4917b86daf8446710709a0e179184512113ba
    Merge: 0620d099 c9e22f2e
    Author: Lutz Mader lutz.mader@freenet.de
    Date: Sat May 11 04:59:46 2024 +0000

    Thank you Lutz.
    
    Merged in issue_1101 (pull request #137)
    
    Update the MacOS sample and add a Linux sample also.
    
    Approved-by: Tildeslash
    

    → <<cset ee74516a2a3b>>

  3. Tildeslash repo owner

    the mentioned crash sounds bad, please can you try monit with libasan? (when you compile, use ‘./configure --with-asan’)

  4. Lutz Mader reporter

    Hello,
    I will try to collect some more data.

    In a MacOS environment (10.9, 10.10 and 10.13) everything works well, based on monit 5.33.0 and statically linked to OpenSSL 1.1.1t (I use an old OpenSSL 1.0.2 with "pam_ldap").

    We will see,
    Lutz
