problem with pam_ruby + postgres-pr (stack level too deep)

[Vladimir Konrad]

(code attached at the end)

i am developing a pam module for blocking multiple failed attempts from
the same host. with sqlite3 i had run into database locking problem so i
am trying to switch the database to postgresql (using postgres-pr 0.4.0
driver with DBI).

the error in the auth.log is:
Jan 24 13:27:34 whirpool sshd[5771]: [pam_ruby] exception:
#<SystemStackError: stack level too deep>
Jan 24 13:27:34 whirpool sshd[5771]: [pam_ruby]
["/usr/lib/ruby/1.8/DBD/Pg/Pg.rb:476:in `==='",
"/usr/lib/ruby/1.8/DBD/Pg/Pg.rb:476:in `load_type_map'",
"/usr/lib/ruby/1.8/DBD/Pg/Pg.rb:467:in `each'",
"/usr/lib/ruby/1.8/DBD/Pg/Pg.rb:467:in`load_type_map'",
"/usr/lib/ruby/1.8/DBD/Pg/Pg.rb:105:in `initialize'",
"/usr/lib/ruby/1.8/DBD/Pg/Pg.rb:55:in `new'",
"/usr/lib/ruby/1.8/DBD/Pg/Pg.rb:55:in `connect'",
"/usr/lib/ruby/1.8/dbi/dbi.rb:584:in `connect'",
"/usr/lib/ruby/1.8/dbi/dbi.rb:384:in `connect'",
"/lib/security/ruby/hostblock.rb:76",
"/lib/security/ruby/hostblock.rb:71:in `call'"]
Jan 24 13:27:34 whirpool sshd[5771]: fatal: PAM: pam_setcred(): System
error

the :authenticate part works as it should but the :setcred part fails
consistently on DBI.connect(...).

the DBI with postgres-pr works ok from irb.

any ideas how to progress on this?

vladimir

ps: the code:

["/usr/local/lib/site_ruby/1.8",
"/usr/local/lib/site_ruby/1.8/i386-linux", "/usr/local/lib/site_ruby",
"/usr/lib/ruby/1.8", "/usr/lib/ruby/1.8/i386-linux","."].each {|x|
$:.push(x)}

require 'rubygems'
require 'dbi'

# how many failed attemts to tolerate
MAX_ATTEMPTS = 10

# database descriptor for the "host" table - passed to DBI.connect
DATABASE = 'DBIg:hostblock:localhost'

# where is the system command for logging to files
LOGGER = '/usr/bin/logger'

PAM.dispatchauthenticate) {|pamh, flags, args|
dbh = DBI.connect(DATABASE, 'postgres', 'postgres')
result = dbh.execute("select * from host where name =
'#{pamh.get_item(PAM:AM_RHOST)}'")

rows = result.fetch_all()

if rows.empty?
dbh.do("insert into host values ('#{pamh.get_item(PAM:AM_RHOST)}',
0, 0)")
end

dbh.do("update host set attempt_count = attempt_count + 1 where name =
'#{pamh.get_item(PAM:AM_RHOST)}'")
result = dbh.execute("select * from host where name =
'#{pamh.get_item(PAM:AM_RHOST)}'")
rows = result.fetch_all()

if rows[0][1] > MAX_ATTEMPTS
system("#{LOGGER} -p auth.debug -t hostblock.rb
#{pamh.get_item(PAM:AM_SERVICE)} blocking: #{rows[0][0]},
#{rows[0][1]}")
dbh.disconnect()
raise PAM:AM_AUTH_ERR
end

dbh.disconnect()

}

PAM.dispatchacct_mgmt) {|pamh, flags, args|
system("#{LOGGER} -p auth.debug -t hostblock.rb :acct_mgmt")
if false
raise PAM:AM_PERM_DENIED
end
}

PAM.dispatchopen_session){|pamh, flags, args|
system("#{LOGGER} -p auth.debug -t hostblock.rb pen_session")
# raise PAM:AM_SESSION_ERR, "not available"
}
PAM.dispatchclose_session){|pamh, flags, args|
raise PAM:AM_SESSION_ERR, "not available"
}
PAM.dispatchchauthtok){|pamh, flags, args|
raise PAM:AM_AUTHTOK_ERR, "not available"
}
PAM.dispatchsetcred){|pamh, flags, args|
if flags == PAM:AM_DELETE_CRED
return PAM:AM_SUCCESS
end
begin
dbh = DBI.connect(DATABASE, 'postgres', 'postgres')
dbh.do("update host set attempt_count = 0 where name =
'#{pamh.get_item(PAM:AM_RHOST)}'")
rescue DBI:atabaseError
system("#{LOGGER} -p auth.debug -t hostblock.rb :setcred
DBI:atabaseError")
ensure
dbh.disconnect()
end
}

# eof

 

[Vladimir Konrad]

i am developing a pam module for blocking multiple failed attempts from

the same host. with sqlite3 i had run into database locking problem so i
am trying to switch the database to postgresql (using postgres-pr 0.4.0
driver with DBI).

swapped the driver (used ruby-postgres - postgres.so C binding) and used
it without DBI.

not really sure why this one works...

vlad