Question

I created a new PAM Module for Ubuntu.

My code:

#include <security/pam_modules.h>
#include <security/pam_macros.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>

PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)flags; (void)argc; (void)argv;

    /* Put a fixed token into the handle; pam_set_item copies string items,
       so a stack buffer is fine here. */
    char password[20];
    strcpy(password, "test");
    pam_set_item(pamh, PAM_AUTHTOK, password);

    /* Read the items back to check what later modules will see. */
    const char *user = NULL;
    const char *pass = NULL;
    pam_get_item(pamh, PAM_AUTHTOK, (const void **)&pass);
    pam_get_item(pamh, PAM_USER, (const void **)&user);

    FILE *fd = fopen("/tmp/pass.txt", "w");
    if (fd != NULL) {
        fprintf(fd, "user: %s\n", user);
        fprintf(fd, "password: %s\n", pass);
        fclose(fd);
    }

    return PAM_IGNORE;
}

I configured /etc/pam.d/common-auth:

auth    sufficient          libtest-pam-auth-module.so 
auth    required            pam_unix.so try_first_pass nullok_secure debug
auth    requisite           pam_deny.so
auth    required            pam_permit.so
auth    optional            pam_cap.so 

Result of the execution of sudo command:

$ sudo ifconfig
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts

And user and password saved in /tmp/pass.txt are correct.

Why doesn't pam_unix accept the password passed by my module?

Thanks.


Solution

pam_unix accepts the password passed by your module, but the problem is that you use:

auth required pam_unix.so

After this module succeeds, PAM will call the module on the next line. pam_deny.so is a module which returns a failure for every call. It's possible to specify that the next line must be skipped if the module returns success. You can do that using this:

auth [success=1 default=ignore]    pam_unix.so try_first_pass nullok_secure debug

In this instance, if the module returns success it skips the next "1" line.

Use this to solve the problem:

auth    sufficient          libtest-pam-auth-module.so 
auth    [success=1 default=ignore]         pam_unix.so try_first_pass nullok_secure debug
auth    requisite           pam_deny.so
auth    required            pam_permit.so
auth    optional            pam_cap.so
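To see why the original stack fails and the corrected one succeeds, here is a small simulation of how Linux-PAM walks an auth stack. It is an added example, not code from the question or the answer, and it does not use libpam at all: the return codes, the control keywords and the stack entries are constructed stand-ins following the documented semantics (required records the first failure and continues, requisite returns immediately on failure, sufficient returns success immediately unless an earlier required module failed, optional only matters if it is the only module, and [success=N default=ignore] skips N lines on success and ignores everything else). The function and type names are my own.

```c
#include <stdio.h>

/* Constructed stand-ins for a few libpam return codes (values match pam_appl.h). */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_IGNORE = 25 };

typedef enum { CTRL_REQUIRED, CTRL_REQUISITE, CTRL_SUFFICIENT, CTRL_OPTIONAL, CTRL_JUMP } control_t;

typedef struct {
    const char *name;   /* module name, for the printout only */
    control_t control;  /* control keyword from the pam.d line */
    int jump;           /* CTRL_JUMP: lines to skip when the module succeeds */
    int result;         /* what the module returns when called */
} stack_entry;

/* Simplified model of Linux-PAM stack evaluation (documented keyword semantics). */
int run_auth_stack(const stack_entry *stack, int n) {
    int status = PAM_AUTH_ERR;
    int impression = 0;             /* 0 = undecided, 1 = positive, -1 = negative */

    for (int i = 0; i < n; i++) {
        const stack_entry *e = &stack[i];
        int r = e->result;
        if (r == PAM_IGNORE)        /* PAM_IGNORE never contributes to the verdict */
            continue;

        switch (e->control) {
        case CTRL_REQUIRED:
            if (r == PAM_SUCCESS) {
                if (impression == 0) { impression = 1; status = PAM_SUCCESS; }
            } else if (impression != -1) {
                impression = -1; status = r;     /* remember first failure, keep going */
            }
            break;
        case CTRL_REQUISITE:
            if (r != PAM_SUCCESS) return r;      /* bail out immediately */
            if (impression == 0) { impression = 1; status = PAM_SUCCESS; }
            break;
        case CTRL_SUFFICIENT:
            if (r == PAM_SUCCESS && impression != -1) return PAM_SUCCESS;
            break;                               /* a failing sufficient module is ignored */
        case CTRL_OPTIONAL:
            if (n == 1) { impression = 1; status = r; }
            break;
        case CTRL_JUMP:                          /* [success=N default=ignore] */
            if (r == PAM_SUCCESS) {
                if (impression == 0) { impression = 1; status = PAM_SUCCESS; }
                i += e->jump;                    /* skip the next N lines */
            }
            break;
        }
    }
    return impression == 0 ? PAM_AUTH_ERR : status;
}

/* The stack from the question; unix_result is what pam_unix returns. */
int original_stack_result(int unix_result) {
    stack_entry s[] = {
        { "libtest-pam-auth-module.so", CTRL_SUFFICIENT, 0, PAM_IGNORE },
        { "pam_unix.so",                CTRL_REQUIRED,   0, unix_result },
        { "pam_deny.so",                CTRL_REQUISITE,  0, PAM_AUTH_ERR },
        { "pam_permit.so",              CTRL_REQUIRED,   0, PAM_SUCCESS },
        { "pam_cap.so",                 CTRL_OPTIONAL,   0, PAM_IGNORE },
    };
    return run_auth_stack(s, 5);
}

/* The corrected stack from the answer: pam_unix jumps over pam_deny on success. */
int fixed_stack_result(int unix_result) {
    stack_entry s[] = {
        { "libtest-pam-auth-module.so", CTRL_SUFFICIENT, 0, PAM_IGNORE },
        { "pam_unix.so",                CTRL_JUMP,       1, unix_result },
        { "pam_deny.so",                CTRL_REQUISITE,  0, PAM_AUTH_ERR },
        { "pam_permit.so",              CTRL_REQUIRED,   0, PAM_SUCCESS },
        { "pam_cap.so",                 CTRL_OPTIONAL,   0, PAM_IGNORE },
    };
    return run_auth_stack(s, 5);
}

int main(void) {
    printf("original, good password: %d\n", original_stack_result(PAM_SUCCESS));
    printf("fixed,    good password: %d\n", fixed_stack_result(PAM_SUCCESS));
    printf("fixed,    bad password:  %d\n", fixed_stack_result(PAM_AUTH_ERR));
    return 0;
}
```

With the original stack a correct password still ends in PAM_AUTH_ERR, because the requisite pam_deny line runs right after pam_unix succeeds; with the jump form pam_deny is skipped on success but still terminates the stack when pam_unix fails, which is exactly the behaviour the answer relies on.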

OTHER TIPS

You should return PAM_SUCCESS if authentication is successful, PAM_AUTH_ERR otherwise.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow