jeroennijhof / pam_script

The PAM script module lets you execute scripts during authentication, password changes and sessions. This is very handy if your current security application has no PAM support but is accessible from Perl or other scripts.

License: GNU General Public License v2.0

Shell 12.99% Perl 33.61% C 33.65% Makefile 6.17% M4 6.20% Roff 7.38%

pam_script's People

Contributors

alt36, hagihala, jeroennijhof, manish364824, mgerstner


pam_script's Issues

macos support?

Is there anyone lucky enough to make this work under macOS? I was able to make it work under Debian Linux; with exactly the same setup I can't make it work under macOS.

SSH_CONNECTION / env variables stuck

Using pam_script with SSH, it seems that SSH_CONNECTION always contains the same information, in all sessions (same goes for the deprecated SSH_CLIENT environment variable). Logging the environment variables to file shows the same remote ip / remote port combo, no matter where the client connects from.

I am still digging through openssh and pam_script's source to find the culprit, but any assistance / idea would be helpful. I've seen a lot of documentation and examples on the net using SSH_CONNECTION to obtain this information, so I'm wondering if they're all broken or if there's been a change in PAM or SSH.

Using Debian 7.

Feature request: Specify a single script directly

I'm using this script to run a single script, just in the auth department, to check if the current session is locked.

Doing so currently involves creating a directory with a single script inside, which has to have a predefined name (pam_script_auth). It would be nicer if I could just use any arbitrary script, and pass its name to the module instead. e.g. something like:

auth required pam_script.so script=/etc/pam.d/is-current-session-locked.sh

Root password change fails for root

Hello,
I'm running into a possible bug when pam_script is implemented and root attempts to do a forced password change.

Regardless of what I use in PAM (requisite, sufficient, etc), when root is attempting to set the password for an account that doesn't have a password, the change fails.

Root is prompted for the new password and to confirm, but then is prompted for "Current password" for which nothing will ever match. Leaving this blank or incorrect does not work and results in:
passwd: Authentication token manipulation error
passwd: password unchanged

I am using "onerr=success", but this doesn't appear to make a difference. Also, I have attempted by removing my called script (so that nothing runs) but I still encounter this issue.

Thoughts?

PAM_AUTHTOK contents

When calling pam_script_auth during auth for sshd (configured as required), I get the cleartext password in PAM_AUTHTOK only when the login is successful. Great.
However, if the login is unsuccessful the PAM_AUTHTOK environment variable contains a couple of binary characters and not the password in the clear, as expected.
Is this a bug in pam-script?

automake errors

I'm a newbie hence might miss something but anyway:
INSTALL contains outdated instructions. Should refer to:
aclocal
autoconf
automake --add-missing
Still I am getting following errors:
configure.ac:20: installing 'config/compile'
configure.ac:29: installing 'config/config.guess'
configure.ac:29: installing 'config/config.sub'
configure.ac:16: installing 'config/install-sh'
configure.ac:29: error: required file 'config/ltmain.sh' not found
configure.ac:16: installing 'config/missing'
configure.ac:18: error: required file 'config.h.in' not found
Makefile.am: installing 'config/depcomp'

How to obtain current session?

Hi, sorry to bother you. I do not know where else to post this question.

How to obtain the ENVs of current session? I have pam_krb5 run to auth user. And it set a KRB5CCNAME that I need to know in pam_script_ses_open.

Modern example for RHEL7 clones

Hi, I've been trying to get this software to work but can't quite get there. Most of the examples/readme files are old.

Am I understanding how it works correctly?

The basic idea is to write a script that returns 0 or 1. If 0 then allow access. If 1 (or not 0) then deny access.

So the script name is based on what part of PAM you want to run against (auth, account, password, or session).

For CentOS7, if I wanted to use 'auth' I'm placing this file in /etc/pam-script.d/ and naming it pam_script_auth.

Then in /etc/pam.d/sshd (for example) I'm adding a line:

auth required pam_script.so

I now expect that when someone logs in via ssh, /etc/pam-script.d/pam_script_auth will run and return a 0 or 1. If 0, then allow ssh access. If 1, then deny ssh access.

Is this how it's supposed to work? Thanks for the help.

Occasional zombie processes

I've recently migrated from Apache/mod-auth-external to using nginx/auth_pam/auth_pam_script.

My Debian wheezy package pam_script_auth is occasionally hanging (getting zombie processes). It's adapted from a long-running one that I used under load via Apache mod-auth-external to call a REST API authentication method on a different app on the same machine.

I'm having difficulty reproducing the error condition, as the script works fine on the command line and only occasionally hangs. But when this happens, I then get a number of hung pam_script_auth scripts, up to the number of worker processes available to the local app (uwsgi).

Any suggestions?

Below is a summary of what is in the pam_script_auth

import httplib
import logging
import os
import sys

HOST = "<auth-api-host>"  # placeholder: the host was not given in the report

def main():
    try:
        # pam_script exports the user name and the password in the environment
        username = os.environ["PAM_USER"]
        password = os.environ["PAM_AUTHTOK"]
    except KeyError:
        # fallback for running the script by hand on the command line
        username = raw_input("Enter your username: ")
        password = raw_input("Enter your password: ")
    conn = httplib.HTTPConnection(HOST)
    # <construct HTTP API authentication call>
    r1 = conn.getresponse()
    data1 = r1.read()
    conn.close()
    if data1 != 'true':
        logging.error("nope")
        sys.exit("invalid auth")  # non-zero exit status: PAM denies

if __name__ == "__main__":
    sys.exit(main())  # main() returns None, so the exit status is 0: PAM allows
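The two posts above ask how the exit-code convention works and why a backend-calling pam_script_auth ends up as a pile of hung children. The script below is an added illustration, not code from the pam_script project or from either reporter. It relies only on what the issues state (pam_script exports PAM_USER and PAM_AUTHTOK in the environment and treats exit status 0 as allow, anything else as deny). The HTTP backend, its /auth path and 'true' reply, and the AUTH_BACKEND_HOST / AUTH_BACKEND_PORT variable names are assumptions; start_fake_backend and start_stalled_server are test scaffolding that stand in for the real service. The points it demonstrates: never prompt when the variables are missing (there is no terminal under sshd or nginx, and a blocking read is how the zombies arise), bound every backend call with a timeout, and fail closed on any error.

```python
#!/usr/bin/env python3
"""Example pam_script_auth (added illustration, not the pam_script project's own code).

pam_script runs this with PAM_USER and PAM_AUTHTOK in the environment and treats
exit status 0 as allow, non-zero as deny.  Missing variables, backend errors and
timeouts all deny, so the script fails closed and never blocks the PAM stack.
"""
import http.client
import http.server
import os
import socket
import sys
import threading
import urllib.parse

EXIT_ALLOW = 0   # pam_script: exit 0 => authentication succeeds
EXIT_DENY = 1    # pam_script: non-zero exit => authentication fails

# Hypothetical backend location (assumption); a real deployment would set these.
BACKEND_HOST = os.environ.get("AUTH_BACKEND_HOST", "127.0.0.1")
BACKEND_PORT = int(os.environ.get("AUTH_BACKEND_PORT", "8080"))
BACKEND_TIMEOUT = 5.0  # seconds; bounds how long sshd/nginx waits on this child


def check_backend(username, password, host=BACKEND_HOST, port=BACKEND_PORT,
                  timeout=BACKEND_TIMEOUT):
    """Ask the (hypothetical) HTTP backend whether the credentials are valid.

    True only for an HTTP 200 whose body is exactly b'true'.  Connection errors,
    malformed replies and timeouts return False instead of hanging.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        body = urllib.parse.urlencode({"user": username, "password": password}).encode()
        conn.request("POST", "/auth", body=body,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        data = resp.read(16)  # only 'true' matters; never slurp an unbounded body
        return resp.status == 200 and data.strip() == b"true"
    except (OSError, http.client.HTTPException):
        return False  # socket.timeout is an OSError subclass on Python 3
    finally:
        conn.close()


def decide(environ, backend=check_backend):
    """Map the PAM environment to an exit status; never prompt interactively."""
    username = environ.get("PAM_USER")
    password = environ.get("PAM_AUTHTOK")
    if not username or not password:
        return EXIT_DENY
    return EXIT_ALLOW if backend(username, password) else EXIT_DENY


def start_fake_backend(answer=b"true"):
    """Test helper: minimal HTTP server answering 200 + `answer` to any POST."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_POST(self):
            self.rfile.read(int(self.headers.get("Content-Length", "0")))
            self.send_response(200)
            self.send_header("Content-Length", str(len(answer)))
            self.end_headers()
            self.wfile.write(answer)

        def log_message(self, *args):  # keep the test run quiet
            pass

    httpd = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_address[1]


def start_stalled_server():
    """Test helper: a listening socket that never answers (a hung backend).

    The kernel completes the TCP handshake into the backlog, so the client's
    connect and send succeed and only the read stalls.  Returns (socket, port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    sys.exit(decide(os.environ))
```

Installed as pam_script_auth in the module's script directory, the script denies within BACKEND_TIMEOUT seconds whichever way the backend misbehaves, so nginx/auth_pam or sshd never accumulate children waiting on a read that will not return.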

Problematic pam-config

Hi -

did you ever see this Launchpad bug? https://bugs.launchpad.net/ubuntu/+source/libpam-script/+bug/1411225 I think this may still be a problem, as I have just been bitten by the entries:

(account|auth|password) sufficient                      pam_script.so

being added to the common-* files leaving my Ubuntu instance open to a user with any password as was reported on launch pad.

I'm wondering if it would be better to omit this auto-configuration as a security precaution for others?

Thanks,
Piers Harding.

pam_script vs pam_exec?

These days it appears that pam_exec comes bundled with PAM on Linux.

Why should i use pam_script instead of pam_exec? Does it have advantages? Is it because pam_exec is not available elsewhere?

The fact that with pam_exec PAM_AUTHTOK is passed via stdin instead of the environment (and only when enabled via a parameter) makes it appear to be safer than pam_script. Perhaps you should switch to that mechanism, too?

pam_script introduces additional password prompt

I am trying to setup the following pam process:

  1. pam_script checks environment, if return value = 0 than do password auth
  2. if return value != 0 then do fingerprint auth

I test this with sudo and polkit-1 (GUI) authentication. The pam config for either service looks like this:

auth    [success=1 default=ignore]      pam_script.so dir=/etc/pam.d/is-locked
auth    [success=2 default=ignore]      pam_fprintd.so max_tries=1
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

What happens now is:
return code != 0:
sudo/polkit-1 pam authentication process shows password prompt and asks for correct password --> that's ok and expected

return code = 0
sudo/polkit-1 pam authentication process also shows password prompt and asks for password and accepts any or empty password, then fingerprint auth gets invoked
--> that's not ok and not expected

If I change

auth    [success=1 default=ignore]      pam_script.so dir=/etc/pam.d/is-locked

to

auth    [success=ignore default=ignore]      pam_script.so dir=/etc/pam.d/is-locked

still the initial password prompt in case of return code != 0 is shown.

In case I change

auth    [success=1 default=ignore]      pam_script.so dir=/etc/pam.d/is-locked

to

auth    [success=ignore default=ignore]      pam_exec.so /usr/bin/echo 123

no additional password prompt is shown.

What am I doing wrong?

complete working PAM example for RHEL 7 (clones)

Hi, we're moving forward with the POC and I'd like to use the software as intended (based on exit codes). I can get it to work but if I rely on the exit codes it logs a PAM error to the OS log. I had opened another issue (#11) with details of my setup. You had replied the issue is that other PAM modules are attempting to run (required modules). I tried every combination and order of the PAM config that I could think of and it still doesn't seem to be the correct order.

Can you please post a complete working PAM example file that I can look at and try to figure out why my setup is not working? I'd like to see a complete PAM config file, not just the lines to add but the whole file so I can see where in the file the lines are being added where it works properly.

If you have a RHEL example that would be nice since that's what I'm using. I have been adding my lines to /etc/pam.d/sshd. Thanks for your help.
