Question

I am trying to write a PAM module that will read a password from a file and then let the user log in without entering a password.

[EDIT: The file will be stored on an external device. (Trying to satisfy two-factor authentication.) This may sound very insecure, but the file will be encrypted with an appropriate encryption algorithm. Key exchange and encryption/decryption are not an issue.]

When the external device is connected, the user will only enter his username on the login screen (KDM); then my PAM module will get the required password from the device and log the user in.

I am a newbie in the PAM topic; I have done some research but couldn't find whether it is possible (and if so, how) or not.

I'll be grateful if you point out the way to solve this problem.


Solution 4

The answer is here:

  1. Write your custom PAM module. (Tons of examples can be found on the internet.)
  2. Read the data as you wish. (Read from a file or something else with any function you may like.)
  3. Compare hashed passwords as shown below and here:
  /* pwd is a struct passwd * (e.g. from getpwnam()); crypt() is declared in
     <unistd.h> / <crypt.h> and needs -lcrypt. Fail when the stored hash is empty
     and null tokens are disallowed, when crypt() fails, or when the hashes differ. */
  if ((!pwd->pw_passwd[0] && (flags & PAM_DISALLOW_NULL_AUTHTOK)) ||
      (crypt_password = crypt(password, pwd->pw_passwd)) == NULL ||
      strcmp(crypt_password, pwd->pw_passwd) != 0)
      pam_err = PAM_AUTH_ERR;

If they match, return success.

That is it.

OTHER TIPS

I wrote the PamUUID module that is similar to the pamusb module mentioned by Paweł Hajdan. Inserting the correct usb drive into the computer grants access to the user.

The module is very simple, so you can edit it for your application. It is mainly the pam_uuid.c file, which can be configured by writing a corresponding pam_uuid.h, in a suckless way. The pen is detected by searching for the device corresponding to a UUID on the pen. In the config file you only have to list the UUID/user associations.

So basically you simply don't want a password at all.

You say the real password is encrypted in a file. With what key? Who else has access to the password file (encrypted or not does not matter)? Who else has physical access to the login screen?

Everyone with physical access to your login screen needs to know only the username to log in.

This can be achieved by the existing pam_permit module more easily. Insert that one into your configuration and be done with it. See man pam_permit and man pam.d for details.

A 1:1 translation of your question would be using PAM items to pass the password from your module to some other module (e.g. just like try_first_pass / use_first_pass, see Linux-PAM sources). This should be relatively easy, there are many code examples for that.

What you could try to do instead is just recognize the right USB key. There used to be a module called pam_usb doing just that, see http://sourceforge.net/projects/pamusb/ and https://github.com/aluzzardi/pam_usb

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow