No subject
Oswaldo F. Filho
offox2001 at gmail.com
Tue Jun 4 13:37:53 UTC 2013
Tomas,
What did it do?
I changed the configuration file and it works fine.
Old common-auth:
auth sufficient libtest-pam-auth-module.so
auth required pam_unix.so try_first_pass nullok_secure debug
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
New common-auth:
auth sufficient libtest-pam-auth-module.so
auth [success=1 default=ignore] pam_unix.so try_first_pass nullok_secure debug
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
I am sorry for sending one wrong e-mail.
2013/6/4 Tomas Mraz <tmraz at redhat.com>:
> On Tue, 2013-06-04 at 08:30 -0300, Oswaldo F. Filho wrote:
>> I created a new PAM Module for RHEL.
>>
>> My code:
>>
>> #include <security/pam_modules.h>
>> #include <security/pam_macros.h>
>> #include <unistd.h>
>> #include <string.h>
>> #include <stdio.h>
>>
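>> PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
>>                                    const char **argv) {
>>
>>     /* Hard-coded test password, handed to later modules as PAM_AUTHTOK */
>>     char password[20];
>>     strcpy(password, "test");
>>
>>     pam_set_item(pamh, PAM_AUTHTOK, password);
>>
>>     const char *user = NULL;
>>     const char *pass = NULL;
>>
>>     /* Read the items back to confirm what the next module will see */
>>     pam_get_item(pamh, PAM_AUTHTOK, (const void **)&pass);
>>     pam_get_item(pamh, PAM_USER, (const void **)&user);
>>
>>     /* Debug dump of the items; skipped if the file cannot be opened */
>>     FILE *fd = fopen("/tmp/pass.txt", "w");
>>     if (fd != NULL) {
>>         fprintf(fd, "user: %s\n", user ? user : "(null)");
>>         fprintf(fd, "password: %s\n", pass ? pass : "(null)");
>>         fclose(fd);
>>     }
>>
>>     /* Make no decision here; leave it to the rest of the stack */
>>     return PAM_IGNORE;
>> }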
>>
>>
>> I configured /etc/pam.d/common-auth:
>>
>> auth sufficient libtest-pam-auth-module.so
>> auth required pam_unix.so try_first_pass nullok_secure debug
>> auth requisite pam_deny.so
>> auth required pam_permit.so
>> auth optional pam_cap.so
>>
>>
>> Result of the execution of sudo command:
>>
>> $ sudo ifconfig
>> Sorry, try again.
>> Sorry, try again.
>> Sorry, try again.
>> sudo: 3 incorrect password attempts
>>
>> User and password saved in /tmp/pass.txt are correct.
>>
>> Why doesn't pam_unix accept the password passed by my module?
>
> Your PAM configuration is completely wrong. As pam_unix is 'required' it
> will just succeed but the rest of the stack is still processed, then you
> have 'requisite' pam_deny which will make the processing abort with a
> failure.
> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
> Turkish proverb
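The stack evaluation discussed in this thread, as an added example that is not part of the original messages and is not libpam code: a simplified C model of Linux-PAM control-flag handling that walks the old and the new common-auth stack. The names run_stack, common_auth, old_stack and new_stack are hypothetical, and the module results are assumptions (the test module returns PAM_IGNORE as in the posted code, pam_deny.so always fails, pam_permit.so always succeeds, pam_cap.so is treated as ignored).

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of Linux-PAM control handling; local stand-ins, not libpam. */
enum ret { SUCCESS, IGNORE, AUTH_ERR };
enum act { A_IGNORE = 0, A_OK = -1, A_DONE = -2, A_BAD = -3, A_DIE = -4 }; /* >0: jump N */
struct rule { const char *module; int on_success, on_ignore, on_default; enum ret result; };

#define REQUIRED   A_OK,   A_IGNORE, A_BAD     /* [success=ok ignore=ignore default=bad] */
#define REQUISITE  A_OK,   A_IGNORE, A_DIE     /* [success=ok ignore=ignore default=die] */
#define SUFFICIENT A_DONE, A_IGNORE, A_IGNORE  /* [success=done default=ignore] */
#define OPTIONAL   A_OK,   A_IGNORE, A_IGNORE  /* [success=ok default=ignore] */
#define SKIP_ONE   1,      A_IGNORE, A_IGNORE  /* [success=1 default=ignore] */

/* Returns 1 if the stack as a whole authenticates, 0 otherwise. */
int run_stack(const struct rule *s, size_t n) {
    int impression = 0;   /* 0 undecided, 1 positive, -1 negative */
    for (size_t i = 0; i < n; i++) {
        enum ret r = s[i].result;
        int a = r == SUCCESS ? s[i].on_success : r == IGNORE ? s[i].on_ignore : s[i].on_default;
        if (a > 0) { i += (size_t)a; continue; }   /* jump: skip the next a modules */
        if ((a == A_OK || a == A_DONE) && impression >= 0 && r == SUCCESS) impression = 1;
        if (a == A_BAD || a == A_DIE) impression = -1;
        if (a == A_DIE || (a == A_DONE && impression == 1)) break;
    }
    return impression == 1;   /* an undecided stack does not authenticate */
}

/* The common-auth stack from the thread; only the pam_unix.so control differs.
 * Module results below are assumptions, as stated in the lead-in. */
static int common_auth(int on_success, int on_ignore, int on_default, int unix_ok) {
    struct rule s[] = {
        { "libtest-pam-auth-module.so", SUFFICIENT, IGNORE },
        { "pam_unix.so", on_success, on_ignore, on_default, unix_ok ? SUCCESS : AUTH_ERR },
        { "pam_deny.so",   REQUISITE, AUTH_ERR },
        { "pam_permit.so", REQUIRED,  SUCCESS },
        { "pam_cap.so",    OPTIONAL,  IGNORE },
    };
    return run_stack(s, sizeof s / sizeof s[0]);
}
int old_stack(int unix_ok) { return common_auth(REQUIRED, unix_ok); }
int new_stack(int unix_ok) { return common_auth(SKIP_ONE, unix_ok); }

int main(void) {
    printf("old, correct password: %s\n", old_stack(1) ? "granted" : "denied");
    printf("new, correct password: %s\n", new_stack(1) ? "granted" : "denied");
    printf("new, wrong password:   %s\n", new_stack(0) ? "granted" : "denied");
    return 0;
}
```

In the old stack pam_deny.so is always reached, so the result is a denial whatever pam_unix.so returns; in the new stack a pam_unix.so success jumps over pam_deny.so and pam_permit.so supplies the positive result.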