Hudson fails to use unix user/group to do authentication

StackOverflow https://stackoverflow.com/questions/4666305

Question

I'm trying to use unix user/group database as security realm of hudson. The linux server is using NIS for user management. My account could login the hudson server via ssh.

And the hudson server is running by user 'hudson' that is also a member of group 'shadow', so hudson could read /etc/shadow. And I tested the configuration using 'test' button, hudson tells me it works well.

But I can't use my unix account and password to login the hudson sever.

And I found below java exception in the log of hudson,

Jan 12, 2011 8:23:42 AM hudson.security.AuthenticationProcessingFilter2 onUnsuccessfulAuthentication
INFO: Login attempt failed
org.acegisecurity.BadCredentialsException: pam_authenticate failed : Authentication failure; nested exception is org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
    at hudson.security.PAMSecurityRealm$PAMAuthenticationProvider.authenticate(PAMSecurityRealm.java:100)
    at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:195)
    at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45)
    at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:71)
    at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
    at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
    at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
    at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
    at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
    at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
    at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:244)
    at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
    at java.lang.Thread.run(Thread.java:595)
Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
    at org.jvnet.libpam.PAM.check(PAM.java:105)
    at org.jvnet.libpam.PAM.authenticate(PAM.java:123)
    at hudson.security.PAMSecurityRealm$PAMAuthenticationProvider.authenticate(PAMSecurityRealm.java:90)
    ... 18 more

Update on Jan. 17,

The host is RHEL 4.5, and I created user and group shadow, then add hudson into group shadow.

-bash-3.00$ cat  /etc/redhat-release 
Red Hat Enterprise Linux WS release 4 (Nahant Update 5)
-bash-3.00$ ll /etc/shadow
-r--r-----  1 root shadow 1114 Jan  4 11:37 /etc/shadow
-bash-3.00$ cat /etc/group |grep shadow
shadow:x:44:hudson

I also tried to setup hudson on another RHEL 4.8 host. This time I ran the hudson by root,

kzhu0@pek-wb-rhws4_32:~$ ps -ef|grep hudson
root     18764 29161  0 Jan14 pts/5    00:00:33 /usr/bin/java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true -DHUDSON_HOME=/var/lib/hudson -jar /usr/lib/hudson/hudson.war --logfile=/var/log/hudson/hudson.log --daemon --httpPort=8080 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20
kzhu0    22404 18833  0 10:52 pts/2    00:00:00 grep hudson
kzhu0@pek-wb-rhws4_32:~$ cat /etc/redhat-release

But I still don't have luck to get unix user/password group work. And I can't find any pam error message in /var/log/messages and /var/log/secure. It looks like hudson throws the exception before actually using pam to get authentication. Red Hat Enterprise Linux WS release 4 (Nahant Update 8)

Was it helpful?

Solution

I find the solution after debugging the code of libpam4j that is used by hudson for PAM security realm.

  1. the service name must be 'sshd' in my case, because I want to use NIS to do authentication.alt text RHEL 4.x uses the pam 0.77, it strictly depends on the service name specified by hudson. However my Ubuntu 10.04 accepts any meaningless service name, which uses pam 1.1.1.
  2. the user who runs the hudson must have the permission to read the service file of pam, /etc/pam.d/sshd is the file in my case

OTHER TIPS

In my case, ubuntu 10.04 Ihad to use ssh instead of sshd for the Service Name

I have struggled with this problem for many hours. At the end what worked for me: 1. Add 'hudson' user to root and shadow groups 2. Install sshd (missing in /etc/pam.d). 3. Set PAM service to login.

Then I could login to Hudson with Unix account and execute build as Unix user.

I think point 1 is the one which fixed issue.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top