No subject

Oswaldo F. Filho offox2001 at gmail.com
Tue Jun 4 13:37:53 UTC 2013 

Tomaz,

What did it do?

I changed configuration file and word fine.

Old common-auth:

     auth    sufficient           libtest-pam-auth-module.so
     auth    required            pam_unix.so try_first_pass nullok_secure debug
     auth    requisite           pam_deny.so
     auth    required            pam_permit.so
     auth    optional            pam_cap.so


New common-auth:

     auth    sufficient                             libtest-pam-auth-module.so
     auth    [success=1 default=ignore]  pam_unix.so try_first_pass
nullok_secure debug
     auth    requisite                             pam_deny.so
     auth    required                              pam_permit.so
     auth    optional                              pam_cap.so


I am sorry by sent one wrong e-mail.


2013/6/4 Tomas Mraz <tmraz at redhat.com>:
> On Tue, 2013-06-04 at 08:30 -0300, Oswaldo F. Filho wrote:
>> I created a new PAM Module for RHEL.
>>
>> My code:
>>
>>     #include <security/pam_modules.h>
>>     #include <security/pam_macros.h>
>>     #include <unistd.h>
>>     #include <string.h>
>>     #include <stdio.h>
>>
>>     PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
>>                                                                 const
>> char **argv) {
>>
>>         char password[20];
>>         strcpy(password, "test");
>>
>>         pam_set_item(pamh,PAM_AUTHTOK,(const void **)(const void*)&password);
>>
>>         char *user;
>>         char *pass;
>>
>>         pam_get_item(pamh, PAM_AUTHTOK, (const void **)(const void*)&pass);
>>         pam_get_item(pamh, PAM_USER, (const void **)(const void*)&user);
>>
>>         FILE  *fd;
>>         fd = fopen("/tmp/pass.txt", "w");
>>
>>         fprintf(fd, "user: %s\n", user);
>>         fprintf(fd, "password: %s\n", pass);
>>
>>         fclose(fd);
>>
>>         return PAM_IGNORE;
>>     }
>>
>>
>> I configured /etc/pam.d/commom-auth:
>>
>>      auth    sufficient          libtest-pam-auth-module.so
>>      auth    required            pam_unix.so try_first_pass nullok_secure debug
>>      auth    requisite           pam_deny.so
>>      auth    required            pam_permit.so
>>      auth    optional            pam_cap.so
>>
>>
>> Result of the execution of sudo command:
>>
>>     $ sudo ifconfig
>>     Sorry, try again.
>>     Sorry, try again.
>>     Sorry, try again.
>>     sudo: 3 incorrect password attempts
>>
>> User and password saved in /tmp/pass.txt are correct.
>>
>> Why pam_unix doesn't accept the password passed by my module?
>
> Your PAM configuration is completely wrong. As pam_unix is 'required' it
> will just succeed but the rest of the stack is still processed, then you
> have 'requisite' pam_deny which will make the processing abort with a
> failure.
> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
>                                               Turkish proverb
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list

More information about the Pam-list mailing list