I'm trying to use Salt (2015.8.10 Beryllium) "external_auth" via PAM. The ultimate goal is to use salt-api to authenticate a request from a salt-minion, to allow the minion to call for its own key to be accepted. As a first step, it's suggested to first get authentication working locally with "salt -a pam" on the salt master. That's where I'm stuck.
The issue I'm having is that attempts to use PAM are resulting in the salt request timing out:

    [root@saltmaster ~]# salt -a pam 'box603.example.com' test.ping --log-level
    [debug ] reading configuration /etc/salt/master
    ...
    [debug ] lazyloaded pam.auth
    username: user1
    password:
    [debug ] initializing new asynczeromqreqchannel ('/etc/salt/pki/master', 'saltmaster.example.com_master', 'tcp://127.0.0.1:4506', 'clear')
    [trace ] inserted key loop_instance_map id 18446604434624361104 key ('/etc/salt/pki/master', 'saltmaster.example.com_master', 'tcp://127.0.0.1:4506', 'clear') , process 11045
    [debug ] saltreqtimeouterror, retrying. (1/3)
    [debug ] saltreqtimeouterror, retrying. (2/3)
    [debug ] saltreqtimeouterror, retrying. (3/3)
    [debug ] lazyloaded nested.output
    [trace ] data = salt request timed out. master not responding. if error persists after verifying master up, worker_threads may need increased.
    salt request timed out. master not responding. if error persists after verifying master up, worker_threads may need increased.

The host in question, box603.example.com, is online and pingable when not using PAM authentication:

    [root@saltmaster ~]# salt 'box603.example.com' test.ping
    box603.example.com:
        true

My saltmaster:/etc/salt/master configuration file contains:

    external_auth:
      pam:
        user1:
          - .*

And user1 is a valid user in /etc/passwd|shadow; it's usable via ssh, and I can su to it.
The docs indicate that when trying to authenticate with PAM, Salt defaults to PAM's login service. Here's /etc/pam.d/login:

    auth definitive pam_user_policy.so.1
    auth requisite pam_authtok_get.so.1
    auth required pam_dhkeys.so.1
    auth required pam_unix_auth.so.1
    auth required pam_unix_cred.so.1

For what it's worth, the salt master is running Solaris 11. I see in posts about salt problems requests to post salt --versions-report, so here's that:

    salt version:
        salt: 2015.8.10
    dependency versions:
        jinja2: 2.8
        m2crypto: 0.24.0
        mako: not installed
        pyyaml: 3.11
        pyzmq: 15.2.0
        python: 2.7.11 (default, mar 24 2016, 22:19:35)
        raet: 0.6.5
        tornado: 4.3
        zmq: 4.1.4
        cffi: 1.5.2
        cherrypy: 3.2.3
        dateutil: not installed
        gitdb: not installed
        gitpython: not installed
        ioflo: 1.5.1
        libgit2: not installed
        libnacl: 1.4.4
        msgpack-pure: not installed
        msgpack-python: 0.4.7
        mysql-python: not installed
        pycparser: 2.14
        pycrypto: 2.6.1
        pygit2: not installed
        python-gnupg: not installed
        smmap: not installed
        timelib: not installed
    system versions:
        dist:
        machine: i86pc
        release: 5.11

At this time, Salt's "external_auth" PAM implementation is tied directly to the Linux PAM binaries, and will only work on Linux. That means no Solaris, unfortunately.