javalinuxauthenticationhudsonpam
Hudson fails to use unix user/group to do authentication
I'm trying to use unix user/group database as security realm of hudson. The linux server is using NIS for user management. My account could login the hudson server via ssh.
And the hudson server is running by user 'hudson' that is also a member of group 'shadow', so hudson could read /etc/shadow. And I tested the configuration using 'test' button, hudson tells me it works well.
But I can't use my unix account and password to login the hudson sever.
And I found below java exception in the log of hudson,
Jan 12, 2011 8:23:42 AM hudson.security.AuthenticationProcessingFilter2 onUnsuccessfulAuthentication
INFO: Login attempt failed
org.acegisecurity.BadCredentialsException: pam_authenticate failed : Authentication failure; nested exception is org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
at hudson.security.PAMSecurityRealm$PAMAuthenticationProvider.authenticate(PAMSecurityRealm.java:100)
at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:195)
at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45)
at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:71)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:244)
at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
at java.lang.Thread.run(Thread.java:595)
Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
at org.jvnet.libpam.PAM.check(PAM.java:105)
at org.jvnet.libpam.PAM.authenticate(PAM.java:123)
at hudson.security.PAMSecurityRealm$PAMAuthenticationProvider.authenticate(PAMSecurityRealm.java:90)
... 18 more
Update on Jan. 17,
The host is RHEL 4.5, and I created user and group shadow, then add hudson into group shadow.
-bash-3.00$ cat /etc/redhat-release
Red Hat Enterprise Linux WS release 4 (Nahant Update 5)
-bash-3.00$ ll /etc/shadow
-r--r----- 1 root shadow 1114 Jan 4 11:37 /etc/shadow
-bash-3.00$ cat /etc/group |grep shadow
shadow:x:44:hudson
I also tried to setup hudson on another RHEL 4.8 host. This time I ran the hudson by root,
kzhu0@pek-wb-rhws4_32:~$ ps -ef|grep hudson
root 18764 29161 0 Jan14 pts/5 00:00:33 /usr/bin/java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true -DHUDSON_HOME=/var/lib/hudson -jar /usr/lib/hudson/hudson.war --logfile=/var/log/hudson/hudson.log --daemon --httpPort=8080 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20
kzhu0 22404 18833 0 10:52 pts/2 00:00:00 grep hudson
kzhu0@pek-wb-rhws4_32:~$ cat /etc/redhat-release
But I still don't have luck to get unix user/password group work. And I can't find any pam error message in /var/log/messages and /var/log/secure. It looks like hudson throws the exception before actually using pam to get authentication. Red Hat Enterprise Linux WS release 4 (Nahant Update 8)
Solution
I find the solution after debugging the code of libpam4j that is used by hudson for PAM security realm.
- the service name must be 'sshd' in my case, because I want to use NIS to do authentication.
RHEL 4.x uses the pam 0.77, it strictly depends on the service name specified by hudson. However my Ubuntu 10.04 accepts any meaningless service name, which uses pam 1.1.1. - the user who runs the hudson must have the permission to read the service file of pam, /etc/pam.d/sshd is the file in my case
- Restricting access to static methds with ArchUnit
- Java day of the week from string
- Populating Spinner using ArrayList in Android
- Ionic Capacitor - Unknown Kotlin JVM target: 21
- Singleton & Multithreading in Java
- Maven version management w multiple child modules
- get number of working days in specific month
- Issue with Regex Pattern (split string with characters & numbers)
- Why would I ever create a separate mutex/lock object?
- Happens before guarantee in Volatile
- android.security.KeyStoreException: Signature/MAC verification failed
- array of parameterized types
- JavaFX WARNING: Unsupported JavaFX configuration: classes were loaded from 'unnamed module @...'
- unit test @Valid of springboot without having to spin up / mock the server
- Why dec 31 2010 returns 1 as week of year?
- Performance Difference of AtomicInteger vs Integer
- how do i restric a float value to only one placess after decimal in kotlin android
- consecutive pairs divisible by 3
- How to call a service from Main application calls Spring Boot?
- Setting Namespace Attributes on an Element
- How to find jUnit tests in a Java project?
- validate the credit card expiry date using java?
- A failure occurred while executing com.android.build.gradle.internal.tasks.FinalizeBundleTask$BundleToolRunnable
- Is Java completely Platform Independent?
- What does it exactly mean to use @DirtiesContext annotation on a class?
- Spring JBDC bad SQL grammar on PostgreSQL
- Test REST APIs on a real server (without localhost )
- How can I pass an array of objects in query params in postman for the post request?
- Is there a way to do 24-hour format and 60-minute format in Java?
- Removing files installed by previous version in Inno Setup