Use PAM without giving gitea access to /etc/shadow

Hi guys,

The configuration manual tells me to just compile gitea with PAM and give it access to /etc/shadow.

I thought PAM was supposed to be the solution that services don’t have access to sensitive files? Sadly I also could not get it to work with a file in /etc/pam.d/gitea and the standard authentication includes:

@include common-account
@include common-session
@include common-auth

What do I have to do to be able to auth with pam without giving Gitea access to /etc/shadow?

Gitea apparently uses – but apparently this is just a wrapper around the C bindings for PAM? Why doesn’t this work then?

These are the errors I get in /var/log/auth.log:

Feb 14 16:03:31  unix_chkpwd[13957]: check pass; user unknown
Feb 14 16:03:31  unix_chkpwd[13957]: password check failed for user (helix)
Feb 14 16:03:31  gitea: pam_unix(gitea:auth): authentication failure; logname= uid=120 euid=120 tty= ruser= rhost=  user=helix

Thank you for your assistance in advance :slight_smile: