Switch on PAM debugging to Syslog

Solution 1:

A couple of things for you to try:

Did you enable logging of debug messages in syslog?

cp /etc/syslog.conf /etc/syslog.conf.original
vi /etc/syslog.conf

Add the following line:

*.debug     /var/log/debug.log

Exit with :wq!.

touch /var/log/debug.log
service syslog restart

You can enable debugging for all modules like so:

touch /etc/pam_debug

OR you can enable debugging only for the modules you're interested in by adding "debug" to the end of the relevant lines in /etc/pam.d/system-auth or the other /etc/pam.d/* files:

login   auth    required    pam_unix.so debug

Then debugging messages should start appearing in /var/log/debug.log. Hope this helps you out!
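Once `debug` has been added to individual rules, it is easy to forget which stacks still carry it; the following added helper (not from the answer above, and hypothetical) parses PAM rule syntax and lists the modules with the option set. It handles the /etc/pam.d/<service> layout and, with `pamconf_format=True`, the older /etc/pam.conf layout that prefixes each rule with a service name, as in the example line above.

```python
"""Find PAM rules that have the `debug` module option set.
Added example (hypothetical helper, not from the answer above): parses the
/etc/pam.d/<service> layout and, with pamconf_format=True, the older
/etc/pam.conf layout that prefixes each rule with a service name."""
import re

# optional "-" prefix, management group, control (word or [bracketed list]), module, args
RULE_RE = re.compile(r"^(?P<optional>-?)(?P<type>auth|account|password|session)\s+"
                     r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")

def parse_pam_rule(line, pamconf_format=False):
    # Returns one rule as a dict, or None for blank lines, comments and @include lines.
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("@include"):
        return None
    service = None
    if pamconf_format:
        parts = line.split(None, 1)
        if len(parts) < 2:
            return None
        service, line = parts
    if not (m := RULE_RE.match(line)):
        return None
    rule = m.groupdict()
    rule["service"] = service
    rule["optional"] = rule["optional"] == "-"
    rule["args"] = rule["args"].split()
    return rule

def debug_enabled(config_text, pamconf_format=False):
    """List (type, module) for every rule whose arguments contain the bare word `debug`."""
    hits = []
    for line in config_text.splitlines():
        rule = parse_pam_rule(line, pamconf_format)
        if rule and "debug" in rule["args"]:
            hits.append((rule["type"], rule["module"]))
    return hits

# Constructed sample stack in /etc/pam.d/system-auth style, with debug left on two rules.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass debug
auth        requisite     pam_succeed_if.so uid >= 500 quiet
account     required      pam_unix.so debug
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
"""
```

Run `debug_enabled` over each file in /etc/pam.d before a box goes back into production; module debug output is noisy and ends up in whatever syslog target `*.debug` points at.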

Solution 2:

At least on CentOS 6.4, /etc/pam_debug is NOT used.

If the pam_warn.so module is installed, you can get some logging output this way:

auth required pam_warn.so

success required pam_warn.so

etc. This module ensures that it will not interfere with the authentication process at any point, but it logs meaningful stuff via syslog.

Update

After examining the code and doing some compiling, I found that (1) it's possible to enable this debug mode through the source, and (2) a RHEL patch makes the feature nearly unusable (at least the pam_unix module) and (3) it's probably better to patch the code anyway.

To get this to work for RHEL, you can get the Linux-PAM ... src.rpm (for any 1.1 version) and change the spec file as follows:

and after it, add --enable-debug \

  • Remove the line or comment-out the line (above the previous one) that begins with %patch2

Then build the rpm and install (with force, to overwrite existing packages). Now create the file /var/run/pam-debug.log:

install -m 622 /dev/null /var/run/pam-debug.log

If the file does not exist, debug output will be sent to stderr.

  • This sending out to stderr is, in my opinion, stupid, and is what causes the patch conflict. You can change that behavior by going into the file libpam/include/security/_pam_macros.h and replacing the 4 lines of

    logfile = stderr;

with

return;

On build, you'll get warnings about unreachable statements, but they can be ignored. You can make this change in a sed script (and put it in the %prep section of the RPM after the patches)...

sed -i 's/logfile = stderr;$/return;/' libpam/include/security/_pam_macros.h

IF you do this little patch, you can restore the %patch2, as it should work again properly.
Solution 3:

I just happened to spend several hours trying to find out how to enable debug logs in PAM on CentOS 6.4. Although this question is for Debian, I will still write down how to do it on CentOS in the hope that other people don't have to put in the time that I already have.

As it ultimately turned out, enabling debug logs in the pam CentOS package is straightforward. The difficulty stems from the fact that it involves recompilation of the package. So, first find the SRPM (e.g. pam-1.1.1-13.el6.src.rpm) from here. Folks who don't know about compiling packages from SRPMs can refer to the steps on setting up an RPM build environment.

Here is the main step. Open the spec file and add --enable-debug to the %build section in the configure invocation. Recompile! Reinstall the newly created package. Finally, create the file where debug logs will get written.

$ sudo touch /var/run/pam-debug.log

If you don't create the file then a lot of logs will fly by at the terminal, which might not be very useful.

Solution 4:

Debian and Ubuntu (and maybe other distros) have a special log file into which all pam output is logged:

/var/log/auth.log

I've been struggling with a pam related problem for a day and a half, finally found out about this log file, and saved myself from insanity.

Here's a sample of the contents of this file when things don't go as planned.

Jul 10 09:31:14 vagrant-ubuntu-trusty-64 pamtester: pam_userdb(vsftpd:auth): user_lookup: could not open database `/etc/vsftpd_users.db': No such file or directory
Jul 10 09:36:20 vagrant-ubuntu-trusty-64 sudo:  vagrant : TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log

Here's how it looks when it works:

Jul 10 09:47:00 vagrant-ubuntu-trusty-64 sshd[5222]: pam_unix(sshd:session): session closed for user vagrant
Jul 10 09:50:58 vagrant-ubuntu-trusty-64 sshd[5584]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Jul 10 09:50:58 vagrant-ubuntu-trusty-64 sshd[5584]: Accepted publickey for vagrant from 10.0.2.2 port 54652 ssh2: RSA dd:3b:b8:2e:85:04:06:e9:ab:ff:a8:0a:c0:04:6e:d6
Jul 10 09:50:58 vagrant-ubuntu-trusty-64 sshd[5584]: pam_unix(sshd:session): session opened for user vagrant by (uid=0)
Jul 10 09:51:13 vagrant-ubuntu-trusty-64 sudo:  vagrant : TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
Jul 10 09:51:13 vagrant-ubuntu-trusty-64 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=0)
Jul 10 09:51:13 vagrant-ubuntu-trusty-64 sudo: pam_unix(sudo:session): session closed for user root
Jul 10 09:51:41 vagrant-ubuntu-trusty-64 pamtester: pam_userdb(vsftpd:auth): user 'foo' granted access
Jul 10 09:51:44 vagrant-ubuntu-trusty-64 sudo:  vagrant : TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
Jul 10 09:51:44 vagrant-ubuntu-trusty-64 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=0)

Note that none of the other possibilities for enabling pam debug logging worked for me.
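The lines above all share the PAM syslog shape "module(service:type): message". The following added helper (hypothetical, not from the answer above) parses that shape out of auth.log, separates PAM module entries from the interleaved sudo and sshd lines, and flags entries that look like failures, using the answer's own lines plus one constructed pam_unix auth failure as sample input.

```python
"""Parse the PAM entries syslog writes to /var/log/auth.log and flag failures.
Added example (hypothetical helper, not from the answer above). Every PAM
module logs as "module(service:type): message"."""
import re
from collections import Counter

PAM_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<type>\w+)\): (?P<msg>.*)$"
)
FAILURE_WORDS = ("could not", "failure", "failed", "denied", "no such",
                 "error", "unknown user", "incorrect", "timeout")

def parse_pam_entry(line):
    """Fields of one PAM entry, or None for non-PAM lines (sudo summaries, sshd's own messages)."""
    m = PAM_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["failure"] = any(w in entry["msg"].lower() for w in FAILURE_WORDS)
    return entry

def summarize(lines):
    """Count PAM events per (module, service, type) and collect the failure-looking ones."""
    counts = Counter()
    failures = []
    for line in lines:
        e = parse_pam_entry(line)
        if e is None:
            continue
        counts[(e["module"], e["service"], e["type"])] += 1
        if e["failure"]:
            failures.append((e["ts"], e["module"], e["service"], e["msg"]))
    return {"counts": dict(counts), "failures": failures}

# Sample input: lines from the answer above, plus one constructed pam_unix auth failure (last line).
SAMPLE_LOG = """\
Jul 10 09:31:14 vagrant-ubuntu-trusty-64 pamtester: pam_userdb(vsftpd:auth): user_lookup: could not open database `/etc/vsftpd_users.db': No such file or directory
Jul 10 09:36:20 vagrant-ubuntu-trusty-64 sudo:  vagrant : TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
Jul 10 09:47:00 vagrant-ubuntu-trusty-64 sshd[5222]: pam_unix(sshd:session): session closed for user vagrant
Jul 10 09:50:58 vagrant-ubuntu-trusty-64 sshd[5584]: pam_unix(sshd:session): session opened for user vagrant by (uid=0)
Jul 10 09:51:13 vagrant-ubuntu-trusty-64 sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=0)
Jul 10 09:51:41 vagrant-ubuntu-trusty-64 pamtester: pam_userdb(vsftpd:auth): user 'foo' granted access
Jul 10 09:52:03 vagrant-ubuntu-trusty-64 sshd[5602]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2  user=vagrant
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```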

Tags: Syslog, Pam, Debug