Differentiating between login and logout under pam_exec and session

Drew Leske dleske at uvic.ca
Thu May 14 23:04:49 UTC 2009


Hi, sorry about the unthreaded post, I shouldn't have subscribed to the list with the digest option on, and I can't figure out a way to reply to the threads from the mailman list archives.  (sigh)

----------------
    * From: Colin van Niekerk <Colin vanNiekerk mimecast co za>
    * To: Pluggable Authentication Modules <pam-list redhat com>
    * Subject: RE: Differentiating between login and logout under pam_exec and session
    * Date: Thu, 14 May 2009 23:49:01 +0200

Hi there Drew,

Not sure about pam_exec but...

I have just written a PAM module that does exactly this... well, all but the source of the connection, I'll figure that out soon enough I'm sure.

I have called it pam_alert. - PLEASE COULD ANYONE LET ME KNOW IF THERE IS ALREADY A MODULE WITH THIS NAME.
[...]
----------------

Thanks for your response, Colin, hate to say this but I think you can achieve what you want to do using pam_exec.  Just set up a script like I have that mails to whichever users you configure (or you could make your script take the addresses on the command line, even better!).  Looking at the CVS on sourceforge for pam_exec, it looks like newer versions provide a PAM_TYPE environment variable that will be set to account, auth, password, open_session or close_session.  So that will work for me.  I just need to grab the latest, update my script and I'm good to go.

Not to slag your module, man--if you continue with it I believe the source of the connection is just a PAM environment variable you pass on in your module.  Have a look at the pam_exec source to see how it's done.

Here's my script, for anybody who's interested--basically:

---------------
#!/bin/bash
# Run by pam_exec from the session stack; pam_exec exports the PAM_* variables.
# Recipients are the script's command-line arguments, e.g. in system-auth:
#   session required pam_exec.so /path/to/this-script admin@example.com

# Notify on session open only. An empty PAM_TYPE means an older pam_exec that
# does not set it yet, and those calls are treated as logins too.
if [ -z "$PAM_TYPE" ] || [ "$PAM_TYPE" = "open_session" ]
then
  echo "Login to $(hostname -s)/$PAM_SERVICE by $PAM_USER from $PAM_RHOST" | /usr/bin/mail "$@"
fi
------------------

The reason for the OR clause up there is so that on systems where I haven't yet upgraded the pam_exec module, I still get paged.

Cheers,
Drew.


Drew Leske, Unix Services Team, CASS, University of Victoria.
   mel: dleske at uvic.ca
   tel: 250-472-5055
   cel: 250-588-4311
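The PAM_TYPE approach described above, carried through as an added example that is not Drew's script or anything from pam_exec itself: one hook that reports "logged in" on open_session and "logged out" on close_session, and stays quiet for auth, account and password calls. It assumes the pam_exec environment variables PAM_TYPE, PAM_USER, PAM_SERVICE, PAM_RHOST and PAM_TTY; NOTIFY_HOST is a hypothetical override of the short hostname, used here only so the notice can be checked without a real machine.

```shell
#!/bin/sh
# Added example, not the script from the thread: one pam_exec hook that reports
# both the login and the logout, using the PAM_TYPE value newer pam_exec sets.
# Wire it up in system-auth as:
#   session required pam_exec.so /usr/local/sbin/pam-notify.sh admin@example.com
# Assumed: pam_exec exports PAM_TYPE, PAM_USER, PAM_SERVICE, PAM_RHOST, PAM_TTY;
# NOTIFY_HOST is a hypothetical override of the local short hostname.

# Compose the one-line notice for the current PAM event. Prints nothing and
# returns 1 for events that are not session open/close (auth, account, password),
# so the same hook can be listed under other management groups without noise.
notice() {
    # Old pam_exec builds set no PAM_TYPE: treat those calls as logins.
    event="${PAM_TYPE:-open_session}"
    host="${NOTIFY_HOST:-$(hostname -s 2>/dev/null || echo unknown)}"
    # Remote logins carry PAM_RHOST; console logins only a tty.
    origin="${PAM_RHOST:-${PAM_TTY:-local}}"
    case "$event" in
        open_session)
            printf '%s logged in to %s/%s from %s\n' "$PAM_USER" "$host" "$PAM_SERVICE" "$origin" ;;
        close_session)
            printf '%s logged out of %s/%s (from %s)\n' "$PAM_USER" "$host" "$PAM_SERVICE" "$origin" ;;
        *)
            return 1 ;;
    esac
}

# Mail the notice to the recipients given on the command line; do nothing when
# there are no recipients or the event is not a session open/close.
main() {
    [ $# -gt 0 ] || return 0
    msg="$(notice)" || return 0
    printf '%s\n' "$msg" | mail -s "PAM ${PAM_TYPE:-open_session}: $PAM_USER" "$@"
}

main "$@"
```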
________________________________________
From: Drew Leske
Sent: May 14, 2009 12:11 PM
To: pam-list at redhat.com
Subject: Differentiating between login and logout under pam_exec and session

Hi all,

I would like to have some machines page me on logins.  It seems to me (with limited PAM understanding and experience) that the most appropriate place for this is using the following line in system-auth:

session required pam_exec.so (script-name)

The script sends an e-mail using environment variables set by pam_exec to let me know that a given user has logged in to which box from where, for what service.  The only problem is it sends this on both logins and logouts and I can't see how to differentiate.  I would like it to either not let me know about logouts, or preferably, for the script to simply tell me "Bob logged in to service sshd from wherever.example.com" or "Bob logged out from ..."  I have had my script log all environment variables passed to it and they seem to be identical in both login/logout scenarios.

Any ideas?  Is this an appropriate use of session, pam, ...?  I know I could add stuff to login scripts or make a monitor for syslog, but this seems to me to be the best place to put this sort of thing.

Thanks everybody
Drew.

Drew Leske, Unix Services Team, CASS, University of Victoria.
   mel: dleske at uvic.ca
   tel: 250-472-5055
   cel: 250-588-4311