Problem with pam_ruby + postgres-pr (stack level too deep)


#1

(code attached at the end)

i am developing a pam module for blocking multiple failed attempts from
the same host. with sqlite3 i had run into database locking problem so i
am trying to switch the database to postgresql (using postgres-pr 0.4.0
driver with DBI).

the error in the auth.log is:
Jan 24 13:27:34 whirpool sshd[5771]: [pam_ruby] exception:
#<SystemStackError: stack level too deep>
Jan 24 13:27:34 whirpool sshd[5771]: [pam_ruby]
["/usr/lib/ruby/1.8/DBD/Pg/Pg.rb:476:in ==='", "/usr/lib/ruby/1.8/DBD/Pg/Pg.rb:476:inload_type_map’",
“/usr/lib/ruby/1.8/DBD/Pg/Pg.rb:467:in each'", "/usr/lib/ruby/1.8/DBD/Pg/Pg.rb:467:inload_type_map’”,
“/usr/lib/ruby/1.8/DBD/Pg/Pg.rb:105:in initialize'", "/usr/lib/ruby/1.8/DBD/Pg/Pg.rb:55:innew’”,
“/usr/lib/ruby/1.8/DBD/Pg/Pg.rb:55:in connect'", "/usr/lib/ruby/1.8/dbi/dbi.rb:584:inconnect’”,
“/usr/lib/ruby/1.8/dbi/dbi.rb:384:in connect'", "/lib/security/ruby/hostblock.rb:76", "/lib/security/ruby/hostblock.rb:71:incall’”]
Jan 24 13:27:34 whirpool sshd[5771]: fatal: PAM: pam_setcred(): System
error

the :authenticate part works as it should but the :setcred part fails
consistently on DBI.connect(…).

the DBI with postgres-pr works ok from irb.

any ideas how to progress on this?

vladimir

ps: the code:

["/usr/local/lib/site_ruby/1.8",
“/usr/local/lib/site_ruby/1.8/i386-linux”, “/usr/local/lib/site_ruby”,
“/usr/lib/ruby/1.8”, “/usr/lib/ruby/1.8/i386-linux”,"."].each {|x|
$:.push(x)}

require ‘rubygems’
require ‘dbi’

how many failed attemts to tolerate

MAX_ATTEMPTS = 10

database descriptor for the “host” table - passed to DBI.connect

DATABASE = ‘DBI:pg:hostblock:localhost’

where is the system command for logging to files

LOGGER = ‘/usr/bin/logger’

PAM.dispatch(:authenticate) {|pamh, flags, args|
dbh = DBI.connect(DATABASE, ‘postgres’, ‘postgres’)
result = dbh.execute(“select * from host where name =
‘#{pamh.get_item(PAM::PAM_RHOST)}’”)

rows = result.fetch_all()

if rows.empty?
dbh.do(“insert into host values (’#{pamh.get_item(PAM::PAM_RHOST)}’,
0, 0)”)
end

dbh.do(“update host set attempt_count = attempt_count + 1 where name =
‘#{pamh.get_item(PAM::PAM_RHOST)}’”)
result = dbh.execute(“select * from host where name =
‘#{pamh.get_item(PAM::PAM_RHOST)}’”)
rows = result.fetch_all()

if rows[0][1] > MAX_ATTEMPTS
system("#{LOGGER} -p auth.debug -t hostblock.rb
#{pamh.get_item(PAM::PAM_SERVICE)} blocking: #{rows[0][0]},
#{rows[0][1]}")
dbh.disconnect()
raise PAM::PAM_AUTH_ERR
end

dbh.disconnect()

}

PAM.dispatch(:acct_mgmt) {|pamh, flags, args|
system("#{LOGGER} -p auth.debug -t hostblock.rb :acct_mgmt")
if false
raise PAM::PAM_PERM_DENIED
end
}

PAM.dispatch(:open_session){|pamh, flags, args|
system("#{LOGGER} -p auth.debug -t hostblock.rb :open_session")
# raise PAM::PAM_SESSION_ERR, “not available”
}
PAM.dispatch(:close_session){|pamh, flags, args|
raise PAM::PAM_SESSION_ERR, “not available”
}
PAM.dispatch(:chauthtok){|pamh, flags, args|
raise PAM::PAM_AUTHTOK_ERR, “not available”
}
PAM.dispatch(:setcred){|pamh, flags, args|
if flags == PAM::PAM_DELETE_CRED
return PAM::PAM_SUCCESS
end
begin
dbh = DBI.connect(DATABASE, ‘postgres’, ‘postgres’)
dbh.do(“update host set attempt_count = 0 where name =
‘#{pamh.get_item(PAM::PAM_RHOST)}’”)
rescue DBI::DatabaseError
system("#{LOGGER} -p auth.debug -t hostblock.rb :setcred
DBI::DatabaseError")
ensure
dbh.disconnect()
end
}

eof


#2

i am developing a pam module for blocking multiple failed attempts from
the same host. with sqlite3 i had run into database locking problem so i
am trying to switch the database to postgresql (using postgres-pr 0.4.0
driver with DBI).

swapped the driver (used ruby-postgres - postgres.so C binding) and used
it without DBI.

not really sure why this one works…

vlad