Page MenuHomeFreeBSD

Add expose_authtok option to pam_exec(8).
ClosedPublic

Authored by munro_ip9.org on Jul 7 2018, 11:26 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Nov 3, 3:32 AM
Unknown Object (File)
Sun, Nov 3, 3:31 AM
Unknown Object (File)
Sun, Nov 3, 3:31 AM
Unknown Object (File)
Sun, Nov 3, 3:31 AM
Unknown Object (File)
Sun, Nov 3, 3:23 AM
Unknown Object (File)
Thu, Oct 31, 5:24 AM
Unknown Object (File)
Sun, Oct 20, 4:18 PM
Unknown Object (File)
Oct 3 2024, 10:17 PM

Details

Summary

For compatibility with Linux PAM's pam_exec module, allow the password to be optionally passed to the executed program's stdin.

Test Plan

Install "pamtester" from pkg/ports.

Create an executable script my_script.sh containing:

#!/bin/sh
read password
if [ "$PAM_USER" == "abc" ] && [ "$password" == "123" ] ; then
  exit 0
else
  exit 1
fi

Create /etc/pam.d/my-service containing:

auth required /path/to/pam_exec.so expose_authtok /path/to/my_script.sh
account required pam_permit.so

Now run:

pamtester my-service abc authenticate

It waits for a password; entering "123" succeeds, anything else fails.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

munro_ip9.org edited the summary of this revision. (Show Details)
munro_ip9.org edited the test plan for this revision. (Show Details)

Added handling for EAGAIN on write() (not sure if that case is reachable).

des accepted this revision.
des edited reviewers, added: des; removed: manpages.
This revision is now accepted and ready to land.Aug 14 2018, 12:11 AM