Automatic testing of pam modules

rozelak at volny.cz rozelak at volny.cz
Thu Jun 19 21:00:58 UTC 2008


Hello,

I would like to ask more deeply about the most painless pam-module testing
possibilities. I suppose the use of the 'pamtester' app (thanks for the
recommendation!) as the highest-level front-end. To summarise, the following
steps must be carried out:

- build PAM library with user specified paths, in order not to affect
PAM used by the system (it should not be a problem)
- build pamtester linked with the PAM library created (also no problem)
- write a script(s) which will call pamtester simulating different conditions
of use


Now my problem is how to AUTOMATICALLY simulate authentication fails/successes
for different users, e.g. to simulate the n-times successful login of
user XY, then some of its fails, then attempts of unprivileged users AB,
CD, EF, then successes for XY again, ... (all with different delays
between individual attempts, etc.). I can simply write a script(s) using
pamtester to simulate different models of behaviour - it is perfect.
The only problem is that pam_abl does not carry out authentication as
such (similarly to e.g. the pam_tally.so module). Therefore, in order to
be able to write an automatic test suite, I need to have a module which
carries out authentication in the PAM 'auth' chain, with access permit/deny
results following the expected behaviour in the test suite (e.g. on
the basis of environment variables or whatsoever?). I looked into 'pamtester',
but there is no such module, is there? Could you, please, recommend me
a simple way to write such an automated testing suite? Is the PAM project
thinking about a testing suite which would simplify the development
and testing process (ideally even without the need of a PAM rebuild :-))?


There is also a second, maybe simpler, issue: each module needs the 'pam_handle_t'
structure, provided by the PAM library when a module is called. Within a PAM
module, the handle must be used, among others, in the functions pam_set|get_data(),
which I use to store module-dependent data. Now I write unit tests for
some critical procedures, which, however, need to store the data using
the pam_set|get_data() procedures. What I plan to do is to write simple
"fake" implementations of all PAM methods used in the module, and link
them to the module instead of the real PAM library (for the test suite only,
of course). Is the writing of "fakes" OK, or is there a better solution
available?


Sorry if it seems that I am so fixed on testing. I just want to avoid a
bug in the authentication-related mechanism ;-)


Thank you for your answers,
Dan T.


On Friday 02 of May 2008 08:43:56 Kenneth Geisshirt wrote:
> Quoting rozelak at volny.cz:
> > I just would like to ask, if you can give me some hints how to test
> > a correct function of a PAM module. There is a possibility to put the
> > module to /etc/pam.d/ and create an application for test, but I would
> > rather prefer to use something more safe. So, is it possible to test
> > a PAM module without affecting the system configuration? Could you
> > describe, please, what to do? Is there something already existing
> > (there are many PAM modules available, so I suppose they were tested
> > somehow ;-))
>
> I use pamtester <http://pamtester.sourceforge.net/>. You can drive it
> using expect <http://expect.nist.gov/>. In my PAM book
> <http://www.packtpub.com/pluggable-authentication-modules/book> there
> is a chapter on how to test PAM configurations, including how to use
> pamtester.
>
> /kneth
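
The "fake" pam_set_data()/pam_get_data() approach asked about in the message above, as an added example that is not part of the original post and is not Linux-PAM code. The function signatures and constant values follow Linux-PAM's public headers; `fake_item`, `cleanup_fn`, `fake_pam_end` and `count_cleanup` are hypothetical names introduced here.

```c
#include <stdlib.h>
#include <string.h>

/* Values as defined in Linux-PAM's <security/_pam_types.h>. */
#define PAM_SUCCESS        0
#define PAM_BUF_ERR        5
#define PAM_NO_MODULE_DATA 18
#define PAM_DATA_REPLACE   0x20000000
typedef struct pam_handle pam_handle_t;
typedef void (*cleanup_fn)(pam_handle_t *, void *, int);
struct fake_item { char *name; void *data; cleanup_fn cleanup; struct fake_item *next; };
struct pam_handle { struct fake_item *items; };  /* fake handle: just the data list */

int pam_set_data(pam_handle_t *pamh, const char *name, void *data, cleanup_fn cleanup)
{
    struct fake_item *it;
    for (it = pamh->items; it; it = it->next)
        if (strcmp(it->name, name) == 0) {  /* replace: clean up the old value first */
            if (it->cleanup) it->cleanup(pamh, it->data, PAM_SUCCESS | PAM_DATA_REPLACE);
            it->data = data; it->cleanup = cleanup;
            return PAM_SUCCESS;
        }
    if (!(it = malloc(sizeof *it))) return PAM_BUF_ERR;
    if (!(it->name = malloc(strlen(name) + 1))) { free(it); return PAM_BUF_ERR; }
    strcpy(it->name, name);
    it->data = data; it->cleanup = cleanup;
    it->next = pamh->items; pamh->items = it;   /* push onto the handle's list */
    return PAM_SUCCESS;
}

int pam_get_data(const pam_handle_t *pamh, const char *name, const void **data)
{
    const struct fake_item *it;
    for (it = pamh->items; it; it = it->next)
        if (strcmp(it->name, name) == 0) { *data = it->data; return PAM_SUCCESS; }
    return PAM_NO_MODULE_DATA;
}

/* Hypothetical harness helper: runs the cleanups that pam_end() would trigger. */
void fake_pam_end(pam_handle_t *pamh, int status)
{
    while (pamh->items) {
        struct fake_item *it = pamh->items;
        pamh->items = it->next;
        if (it->cleanup) it->cleanup(pamh, it->data, status);
        free(it->name); free(it);
    }
}
int cleanups, last_status;  /* counting cleanup: a missed or doubled free shows as a wrong count */
void count_cleanup(pam_handle_t *h, void *d, int st) { (void)h; (void)d; cleanups++; last_status = st; }
```

For the unit-test binary only, the module's objects are linked against this file instead of the real PAM library; the test declares a `struct pam_handle` on the stack and passes its address wherever the module expects a `pam_handle_t *`.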






