Linux PAM module in Java

I do have a custom authentication mechanism which is written in Java. I was wondering what would be the best way to implement a Linux PAM module without rewriting the code in C?

I am aware of this list of available PAM modules but none of them are Java-related.

There's also JPam but it does the opposite thing: it allows getting user/group information to be used in a Java app whereas I need to use existing Java code to authenticate users in Linux (e.g. via SSH).

Any suggestions are welcome.


Have you thought of using pam_exec?

It allows you to run a script for PAM.

e.g. You add something like the following to your PAM config:

auth sufficient pam_exec.so expose_authtok /usr/local/bin/myscript-example

Here's a simple script that echoes all the vars out, but you could just as easily have it kick off a Java program, passing the needed vars in.

Whether the script succeeds or errors out should control whether the auth is successful or not.

Example Script to reflect all the vars:

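#!/bin/sh
# With expose_authtok, pam_exec passes the password on stdin.
# IFS= and -r keep surrounding spaces and backslashes intact.
IFS= read -r password
# pam_exec exports the PAM items as environment variables.
echo "User: $PAM_USER"
echo "Ruser: $PAM_RUSER"
echo "Rhost: $PAM_RHOST"
echo "Service: $PAM_SERVICE"
echo "TTY: $PAM_TTY"
echo "Password : $password"
exit $?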
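
The answer's suggestion to have the pam_exec script kick off a Java program, written out as an added example that is not part of the original answer. The verifier command line, its class name and its contract (username as argument, password on stdin, exit status 0 to accept) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the answer): pam_exec wrapper that delegates the
# password check to a Java verifier without holding it in a shell variable.
#
# Assumed verifier contract (hypothetical): username as the only argument,
# password on stdin, exit status 0 = accept, anything else = reject.
# The default command line below is a placeholder, not a real product.
: "${VERIFIER:=java -cp /opt/auth/auth.jar com.example.PamVerifier}"

pam_java_auth() {
    # pam_exec sets PAM_TYPE to the stack being run; only handle "auth".
    [ "${PAM_TYPE:-}" = "auth" ] || return 1

    # Reject empty names, names starting with "-" (could be read as an
    # option by the verifier) and anything outside a conservative charset.
    case "${PAM_USER:-}" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac

    # expose_authtok puts the password on stdin. Stream it straight through
    # so it never lands in argv, which other local users can list with ps.
    # tr drops a NUL terminator if the caller sent one.
    # $VERIFIER is intentionally unquoted so it splits into command + args.
    tr -d '\000' | $VERIFIER "$PAM_USER" >/dev/null 2>&1 || return 1
    return 0
}

# Run only when started by pam_exec (PAM_TYPE present). Any failure,
# including a missing JVM, ends in a non-zero exit and a rejected login.
if [ -n "${PAM_TYPE:-}" ]; then
    pam_java_auth
    exit $?
fi
```
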


You could try:

  • Compile your Java program using GCJ to native code
  • Write glue C program which embeds JVM and loads your Java code

but neither of those ideas seems ideal.


Write a C wrapper to interface with PAM and within the implementation, use JNI to invoke an instance of the JVM.

JVM launching wrappers were very popular when people still wanted to deliver "exe"s that really ran programs in JARs. You'll want to look into what's not normally done with JNI, calling a JVM from a binary executable; unfortunately, most JNI instructions focus on calling C code from Java.

A good example of how to create a JVM from C code can be found here. Turning the C code module into a PAM shared object library will take a little work, but it's not likely to be too difficult.

Finally, don't forget that JNI uses and returns Java types for most of its operations. This means you'll have to read the "C" data types (probably char*) and create Java strings prior to passing them into your JVM. The same is true in reverse for receiving information from Java and passing it back to the PAM libraries.

Good luck!


You can actually get Java to talk to a C stub that in turn connects to the PAM callbacks. Read up on JNI (Java Native Interface). Mostly JNI is used to expose C to Java, but you can actually do it the other way around. You may also want to investigate GNU CNI as it's actually more convenient to use. There are a lot of resources listed at the Wikipedia JNI page.


http://jaas-pam.sourceforge.net/

It does user authentication and works with Tomcat's jaas realm, but returns no group/role info, so no role based web auth.
