
[OATH-Toolkit-help] How to redirect pam_oath's debug output?


From: Markus Ueberall
Subject: [OATH-Toolkit-help] How to redirect pam_oath's debug output?
Date: Sat, 02 Jul 2011 14:06:12 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110622 Mageia/3.1.11-1.mga1 (1) Lightning/1.0b2 Thunderbird/3.1.11 ThunderBrowse/3.3.5

Hi,

I currently have a hard time trying to migrate from a working
apache2/mod-authn-otp installation to nginx/pam_oath (running under
Debian squeeze/unstable) in order to, e.g., access Roundcube using an
OTP C200 Token.
While it was easy to get the token to work with "su" using the following
line in /etc/pam.d/su, ...

auth required pam_oath.so usersfile=.../login window=20 digits=6 debug

...the same line copied to /etc/pam.d/nginx wouldn't work as expected
(I'm using http://github.com/rjenster/ngx_http_auth_pam_module, btw)

Now, while I suspect that the problem lies on the "nginx->pam side", as
you have to make sure, e.g., that nginx running as www-data/www-data has
access to the shadow group, the resulting debug information in the nginx
error log is not very helpful:

2011/07/02 13:23:56 [debug] 20246#0: *5 PAM: user 'ueberall' \
        - not authenticated: Authentication failure

Unfortunately, there also currently seems to be no way to redirect the
pam_oath output (which would allow one to check whether user/pass
information is actually seen by pam_oath); the rsyslog log only shows
the following (which is as helpful as the single line above):

Jul  2 13:02:16 vserver13 su[25141]: pam_authenticate: Authentication failure
Jul  2 13:02:16 vserver13 su[25141]: FAILED su for root by root
Jul  2 13:02:16 vserver13 su[25141]: - /dev/pts/2 root:root

There are currently no entries mentioning nginx (which leads to my
previous assumption), but while I guess that I will have to ask nginx
related questions elsewhere ;) -- what options are there to make sure
that every single line the "debug" argument of pam_oath produces can be
captured in a log file regardless of the application-specific use of the
standard (error) input/output handles?

Ad astra, Markus
