Add expose_authtok option to pam_exec(8).
ClosedPublic
Actions

Authored by munro_ip9.org on Jul 7 2018, 11:26 AM.

Details

Reviewers

Commits

rS337732: Add support for Linux-PAM's badly named expose_authtok option.

Summary

For compatibility with Linux PAM's pam_exec module, allow the password to be optionally passed to the executed program's stdin.

Test Plan

Install "pamtester" from pkg/ports.

Create an executable script my_script.sh containing:

#!/bin/sh
read password
if [ "$PAM_USER" == "abc" ] && [ "$password" == "123" ] ; then
  exit 0
else
  exit 1
fi

Create /etc/pam.d/my-service containing:

auth required /path/to/pam_exec.so expose_authtok /path/to/my_script.sh
account required pam_permit.so

Now run:

pamtester my-service abc authenticate

It waits for a password; entering "123" succeeds, anything else fails.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

munro_ip9.org created this revision.Jul 7 2018, 11:26 AM

Herald added a reviewer: manpages. · View Herald TranscriptJul 7 2018, 11:26 AM

Herald added subscribers: Contributor Reviews (src), imp. · View Herald Transcript

Added handling for EAGAIN on write() (not sure if that case is reachable).

des accepted this revision.Aug 14 2018, 12:10 AM

des accepted this revision.

des edited reviewers, added: des; removed: manpages.

This revision is now accepted and ready to land.Aug 14 2018, 12:11 AM

Closed by commit rS337732: Add support for Linux-PAM's badly named expose_authtok option. (authored by des). · Explain WhyAug 14 2018, 12:14 AM

This revision was automatically updated to reflect the committed changes.

des mentioned this in rS337732: Add support for Linux-PAM's badly named expose_authtok option..

Thanks!

Revision Contents
Changeset List

Path

Size

head/

lib/

libpam/

modules/

pam_exec/

pam_exec.8

5 lines

pam_exec.c

81 lines

Diff 46643

View Options

head/lib/libpam/modules/pam_exec/pam_exec.8