Pam-list Digest, Vol 37, Issue 6

Andreas Schindler schindler at az1.de
Thu Mar 8 19:37:43 UTC 2007


pam-list-request at redhat.com wrote:
> ------------------------------------------------------------------------
>
> Today's Topics:
>
>    1. Why my module can not be added? (qin)
>    2. Re: How to compile the PAM module (qin)
>   
>
> ------------------------------------------------------------------------
>
> Subject:
> Why my module can not be added?
> From:
> qin <junying.qin at gmail.com>
> Date:
> Thu, 8 Mar 2007 11:48:05 +0800
> To:
> "Pluggable Authentication Modules" <pam-list at redhat.com>
>
> Message-ID:
> <3f2011250703071948n43f63903v103badc6289d3ea5 at mail.gmail.com>
>
>
> Hi,
>
> I have built a test PAM module to run with sshd. The code is as
> follows:
>
> #define PAM_SM_AUTH
>
> #define _PAM_EXTERN_FUNCTIONS
> #include <security/_pam_macros.h>
> #include <security/pam_modules.h>
> #include <security/pam_ext.h>
>
> PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags
>                    ,int argc, const char **argv)
> {
>     unsigned int ctrl;
>     int retval;
>     const char *name;
>     const void *p;
>
>     ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
>
>     /* get the user name */
>     retval = pam_get_user(pamh, &name, NULL);
>     if (retval == PAM_SUCCESS)
>     {
>         pam_syslog(pamh, LOG_DEBUG,
>            "XOS:checking logins for '%s'", name);
>     }
>     return retval;   
> }
>
> #ifdef PAM_STATIC
> struct pam_module _pam_xos_auth_modstruct = {
>    "pam_xos_auth",
>    pam_sm_authenticate,
>    NULL,
>    NULL,
>    NULL,
>    NULL,
>    NULL,
> };
> #endif
>
> I compiled it as pam_xos_auth.so and inserted it in pam.d/sshd:
> # cat sshd
> auth    required   /path/to/pam_xos_auth.so
> ...
>
> When I used ssh to log in, I was told I had no permission. I also
> checked /var/log/secure and found:
> # cat /var/log/secure
> ...
> Mar  8 10:12:19 FedoraC4 sshd[4814]: PAM unable to dlopen(/path/to/pam_xos_auth.so)
> Mar  8 10:12:19 FedoraC4 sshd[4814]: PAM [dlerror: /path/to/pam_xos_auth.so: undefined symbol: pam_syslog]
> Mar  8 10:12:19 FedoraC4 sshd[4814]: PAM adding faulty module: /path/to/pam_xos_auth.so
> Mar  8 10:12:24 FedoraC4 sshd[4814]: Failed password for anqin from ::ffff:10.61.0.7 port 4228 ssh2
>
> What is the matter with this? Could somebody give me some advice?
>
> Thank you very much!
>
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Re: How to compile the PAM module
> From:
> qin <junying.qin at gmail.com>
> Date:
> Thu, 8 Mar 2007 13:36:25 +0800
> To:
> "Pluggable Authentication Modules" <pam-list at redhat.com>, "Kenneth
> Geisshirt" <kenneth at geisshirt.dk>
>
> References:
> <3f2011250703070358n34cd78b9ha677b0a56d69ab49 at mail.gmail.com>
> <45EEAF41.2090905 at geisshirt.dk>
> In-Reply-To:
> <45EEAF41.2090905 at geisshirt.dk>
> Message-ID:
> <3f2011250703072136k60570998lf67073d72f0134d at mail.gmail.com>
>
>
> I compiled with -lc:
>
> $ gcc -fPIC -lc pam_module.c -lpam -lpam_misc -lpamc
> $ ld -x --shared -o pam_module.so pam_module.o
>
> and found some functions are not found.
>
> ...
> ....:pam_module.c:undefined reference to '_set_ctrl'
> ...: pam_module.c:undefined reference to 'pam_syslog'
>
> I have linked libpam.so, libpamc.so and libpam_misc.so; why can it
> not find the missing functions?
>
>
> 2007/3/7, Kenneth Geisshirt <kenneth at geisshirt.dk>:
>> qin wrote:
>>
>> > I have no idea. Could somebody give me some advice?
>>
>> Try:
>>
>> $ gcc -fPIC -c pam_module.c
>> $ ld -x --shared -o pam_module.so pam_module.o
>>
>> /kneth
>>
Are you sure pam_syslog is in one of those libraries?
Most distribs don't use PAM from the kernel repositories but something
from Red Hat & friends. E.g. the current version of PAM in Debian 'Etch'
(still testing, but reasonably up to date) is 0.79!!!
And there is definitely NO pam_syslog in libpam_misc.
If you really need pam_syslog, try this:

-------------------------- snip snip ----------------------------------
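#ifndef LOG_IDENT
#define LOG_IDENT "pam"
#endif

#include <syslog.h>
#include <stdarg.h>
#include <security/pam_modules.h>   /* pam_handle_t, pam_get_item() */

/* Log under the PAM service name; err is the syslog priority, e.g. LOG_DEBUG. */
static void pam_syslog(pam_handle_t *pamh, int err, const char *format, ...)
{
    va_list args;
    const void *item = NULL;
    const char *service = "unknown";

    /* PAM_SERVICE is the service name the application started PAM with. */
    if (pam_get_item(pamh, PAM_SERVICE, &item) == PAM_SUCCESS && item != NULL)
        service = item;

    va_start(args, format);
    openlog(service, LOG_PID, LOG_AUTHPRIV);
    vsyslog(err, format, args);
    closelog();
    va_end(args);
}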
-------------------------- snip snip ----------------------------------

Call this using:  pam_syslog(pamh, format, arg, arg,....)

The argument pamh is required to automatically extract the PAM service
name from the PAM environment. If you don't need it, just remove it and
all the corresponding statements.
All logging goes to the 'authpriv' channel.

Good luck!

Andreas

-- 
Dr.-Ing. Andreas Schindler
 
Alpha Zero One Computersysteme GmbH
Frankfurter Str. 141
63303 Dreieich
 
Telefon 06103-57187-21
Telefax 06103-373245
 
schindler at az1.de
www.az1.de
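
Added example (not part of the original message and not Linux-PAM code): a pre-flight check that loads a module with dlopen() and immediate symbol binding, so an unresolved symbol such as the pam_syslog failure in the log above is reported before the module is named in pam.d/sshd. The name check_module, its return codes and the host_lib parameter are assumptions made for this example.

```c
#include <dlfcn.h>
#include <stdio.h>

enum { MOD_OK = 0, MOD_LOAD_FAILED = 1, MOD_NO_ENTRY = 2 };

/* host_lib: library the host process already has loaded (e.g. the system
 * libpam); opened RTLD_GLOBAL and left open so the module's undefined symbols
 * resolve as they would inside sshd. May be NULL. path NULL = self-test on
 * the running program. entry: e.g. "pam_sm_authenticate". */
int check_module(const char *host_lib, const char *path, const char *entry,
                 char *err, size_t errlen)
{
    const char *msg;
    void *h;
    int rc = MOD_OK;
    if (errlen > 0)
        err[0] = '\0';
    if (host_lib != NULL && dlopen(host_lib, RTLD_NOW | RTLD_GLOBAL) == NULL) {
        msg = dlerror();
        snprintf(err, errlen, "host library: %s", msg ? msg : "dlopen failed");
        return MOD_LOAD_FAILED;
    }
    /* RTLD_NOW: every undefined symbol must resolve now, not at first call. */
    h = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL) {
        msg = dlerror();
        snprintf(err, errlen, "%s", msg ? msg : "dlopen failed");
        return MOD_LOAD_FAILED;
    }
    if (dlsym(h, entry) == NULL) {
        snprintf(err, errlen, "no symbol %s in %s", entry, path ? path : "(self)");
        rc = MOD_NO_ENTRY;
    }
    dlclose(h);
    return rc;
}

int main(int argc, char **argv)
{
    char err[512];
    int rc;
    if (argc != 3) {
        fprintf(stderr, "usage: %s <host-libpam.so> <module.so>\n", argv[0]);
        return 64;
    }
    rc = check_module(argv[1], argv[2], "pam_sm_authenticate", err, sizeof err);
    printf("%s: %s\n", argv[2], rc == MOD_OK ? "loads cleanly" : err);
    return rc;
}
```

Give the module path with a slash in it (./pam_xos_auth.so), because dlopen() searches the library path for bare names. On older glibc the checker has to be linked with -ldl.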
