Use PAM without giving gitea access to /etc/shadow

Hi guys,

The configuration manual tells me to just compile gitea with PAM and give it access to /etc/shadow.

https://docs.gitea.io/en-us/authentication/#pam-pluggable-authentication-module

I thought PAM was supposed to be the solution so that services don’t have access to sensitive files? Sadly I also could not get it to work with a file in /etc/pam.d/gitea and the standard authentication includes:

@include common-account
@include common-session
@include common-auth

What do I have to do to be able to auth with PAM without giving Gitea access to /etc/shadow?

Gitea apparently uses https://github.com/msteinert/pam – but apparently this is just a wrapper around the C bindings for PAM? Why doesn’t this work then?

These are the errors I get in /var/log/auth.log:

Feb 14 16:03:31  unix_chkpwd[13957]: check pass; user unknown
Feb 14 16:03:31  unix_chkpwd[13957]: password check failed for user (helix)
Feb 14 16:03:31  gitea: pam_unix(gitea:auth): authentication failure; logname= uid=120 euid=120 tty= ruser= rhost=  user=helix

Thank you for your assistance in advance :slight_smile:
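Added example, not from the original post or from Gitea: a small Python triage script that parses the three auth.log lines quoted above and separates the case where unix_chkpwd could not obtain the password hash (the helper logs "check pass; user unknown" and the service runs with a non-root euid) from an ordinary rejected password. The log layout and the verdict strings are my assumptions.

```python
import re

# Constructed sample: the three auth.log lines quoted in the post.
SAMPLE_LOG = """\
Feb 14 16:03:31  unix_chkpwd[13957]: check pass; user unknown
Feb 14 16:03:31  unix_chkpwd[13957]: password check failed for user (helix)
Feb 14 16:03:31  gitea: pam_unix(gitea:auth): authentication failure; logname= uid=120 euid=120 tty= ruser= rhost=  user=helix
"""

TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) +"
# unix_chkpwd is the setuid helper pam_unix falls back to when the caller cannot read /etc/shadow.
CHKPWD_RE = re.compile(TS + r"unix_chkpwd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# pam_unix(<pam service>:<type>): <message>; key=value key=value ...
PAM_UNIX_RE = re.compile(TS + r"(?P<proc>[^:]+): pam_unix\((?P<svc>[^:]+):(?P<ptype>\w+)\): "
                         r"(?P<msg>[^;]+);(?P<fields>.*)$")


def parse_fields(raw):
    """Turn ' logname= uid=120 euid=120 tty= ... user=helix' into a dict; empty values are kept."""
    return dict(tok.split("=", 1) for tok in raw.split())


def triage(log_text):
    """Return one finding per pam_unix auth failure, stating whether the helper ever compared a password."""
    helper_unknown = set()  # pids of unix_chkpwd runs that reported "check pass; user unknown"
    helper_failed = {}      # username -> pid of "password check failed for user (...)"
    findings = []
    for line in log_text.splitlines():
        m = CHKPWD_RE.match(line)
        if m:
            if m["msg"] == "check pass; user unknown":
                helper_unknown.add(m["pid"])
            fm = re.match(r"password check failed for user \((.+)\)$", m["msg"])
            if fm:
                helper_failed[fm.group(1)] = m["pid"]
            continue
        m = PAM_UNIX_RE.match(line)
        if not m or m["ptype"] != "auth" or m["msg"] != "authentication failure":
            continue
        f = parse_fields(m["fields"])
        user = f.get("user", "")
        # "user unknown" from the same helper run, with a non-root euid, means the helper never got
        # the hash for this account: the service lacks the privilege, the password was not wrong.
        if helper_failed.get(user) in helper_unknown and f.get("euid") not in ("", "0"):
            verdict = "helper could not obtain password hash"
        else:
            verdict = "password rejected"
        findings.append({"service": m["svc"], "user": user, "euid": f.get("euid"), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```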