开发者

Simple PAM example

I want to develop an authentication module using PAM, but I'm having trouble getting a simple example working.

For starters, I would like to do a simple SSH login system where if the user enters the username backdoor, then the user will be logged in without a password (just like in TRON Legacy).

I tried using this guide as a template, but I can't get it to work. Here is my code so far:

PAM_EXTERN int pam_sm_setcred( pam_handle_t *pamh, int flags, int argc, const char **argv ) {
    return PAM_SUCCESS ;
}

PAM_EXTERN int pam_sm_authenticate( pam_handle_t *pamh, int flags,int argc, const char **argv ) {
    int retval;

    printf("I'm here");

    const char* pUsername;
    retval = pam_get_user(pamh, &pUsername, "Username: ");
    if (retval != PAM_SUCCESS) {
        return retval;
    }

    if (strcmp(pUsername, "backdoor") != 0) {
        return PAM_AUTH_ERR;
    }
    return PAM_SUCCESS;
}

When I log in with the name backdoor, I get permission denied. I've tried creating the user account, but I still get prompted for the password.

When I log in with a valid user, I see the "I'm here" printout. Is there a better way to debug something like this or is it mostly trial and error?

EDIT:

I added this to my /etc/pam.d/sshd after @include common-auth:

auth sufficient mypam.so

This comes after 2 other .so files, but I'm pretty sure it's getting executed every time.

I have not modified pam.conf (there isn't anything there). I figured that starting with SSH would be easiest because I don't have to log out each time.

EDIT:

I finally got it work开发者_开发百科ing. Here's the result:

https://github.com/beatgammit/simple-pam

It's open-source, so if you're interested, take a look!


First off, sufficient will still fail if a previous required module has failed. Since you say you have put your sufficient line beneath the include of common-auth you may be seeing a failure because some required module in common-auth has denied access already. Plus you have have sshd getting in the way.

I'd get all this stuff out of the way so you know your test is really a test of your pam module and not some further interaction with other things. I'd start with a simple test program like the one here with /etc/pam.d/check_user listing your module instead of pam_unix.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜