The man page PAM sample is outdated
Hello Tildeslash,
the PAM sample in the monit man page is outdated, this is for MacOS up to 10.5.
Based on my configuration I add a more up to date sample for MacOS and one for Linux also.
The pull request is coming soon.
With regards,
Lutz
p.s.
My suggestion:
Sample PAM service for Monit on macOS (store as
"/etc/pam.d/monit" file):
# monit: auth account password session
#auth sufficient pam_securityserver.so
#auth sufficient pam_unix.so
auth sufficient pam_opendirectory.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
And a similar PAM service for Monit on Linux (store as
"/etc/pam.d/monit" file):
# monit: auth account password session
auth sufficient pam_unix2.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
A C<monitrc> config which only allows group C<admin> and C<staff>
authenticated via PAM to access the web interface:
set httpd
    port 2812
    allow @admin
    allow @staff readonly
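How the stacks in the two samples above resolve, as an added example that is not part of the original issue or the Monit manual: a small Python evaluator for the `sufficient` and `required` control flags only. The function names and the pass/fail outcomes passed in are assumptions made for illustration.

```python
# Added example: evaluates only the two control flags the samples use.
SAMPLE_MACOS = """\
# monit: auth account password session
#auth sufficient pam_securityserver.so
#auth sufficient pam_unix.so
auth sufficient pam_opendirectory.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
"""
# Same active stacks as the Linux sample, which swaps in pam_unix2.so.
SAMPLE_LINUX = SAMPLE_MACOS.replace("pam_opendirectory.so", "pam_unix2.so")
# pam_deny always fails and pam_permit always succeeds.
ALWAYS = {"pam_deny.so": False, "pam_permit.so": True}

def parse_service(text):
    """Return {module_type: [(control, module), ...]} for a pam.d service file."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        stacks.setdefault(fields[0], []).append((fields[1], fields[2]))
    return stacks

def evaluate(stack, outcomes):
    """outcomes maps module name -> True (success) / False (failure)."""
    results = {**ALWAYS, **outcomes}
    required_failed = required_ok = False
    for control, module in stack:
        ok = results[module]
        if control == "sufficient":
            if ok and not required_failed:
                return True  # success ends the stack; failure is ignored
        elif control == "required":
            required_failed |= not ok  # failure is remembered, stack continues
            required_ok |= ok
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return required_ok and not required_failed

if __name__ == "__main__":
    auth = parse_service(SAMPLE_LINUX)["auth"]
    for ok in (True, False):
        print("pam_unix2.so", ok, "->", evaluate(auth, {"pam_unix2.so": ok}))
```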
Comments (7)
-
reporter -
reporter Hello,
we use "pam_ldap.so" to authorize user access to the monit web interface (in a Linux/SLES environment). Unfortunately, the monit program terminated with signal SIGABRT (Aborted) in the "libcrypto.so" used by "pam_ldap.so" every time monit tries to authenticate a user (via "pam_authenticate" in "util.c").
If monit is built with OpenSSL 1.1.1t dynamically linked, everything seems to work well.
For your information only,
Lutz
-
repo owner - changed status to open
-
repo owner - changed status to resolved
Fixed Issue #1101: Updated configuration examples for PAM in the Monit manual. Thanks to Lutz Mader.
→ <<cset b178b7688075>>
-
repo owner backport:
commit b178b7688075926cd3159b22a91b6ec8e493ecd1
Author: tildeslash info@tildeslash.com
Date: Sat May 11 07:01:37 2024 +0200
Fixed Issue #1101: Updated configuration examples for PAM in the Monit manual. Thanks to Lutz Mader.
commit f4b4917b86daf8446710709a0e179184512113ba
Merge: 0620d099 c9e22f2e
Author: Lutz Mader lutz.mader@freenet.de
Date: Sat May 11 04:59:46 2024 +0000
Thank you Lutz. Merged in issue_1101 (pull request #137) Update the MacOS sample and add a Linux sample also. Approved-by: Tildeslash
→ <<cset ee74516a2a3b>>
-
repo owner the mentioned crash sounds bad, please can you try monit with libasan? (when you compile, use ‘./configure --with-asan’)
-
reporter Hello,
I will try to collect some more data.
In a MacOS environment (10.9, 10.10 and 10.13) everything works well, based on monit 5.33.0 and statically linked to OpenSSL 1.1.1t (I use an old OpenSSL 1.0.2 with "pam_ldap").
We will see,
Lutz
Hello,
I created pull request #137 to update the MacOS sample and add a Linux sample also.
Have a nice weekend,
Lutz