Chapter 33: PAM

Hello!
I have a couple of questions about PAM. Maybe someone knows answers to them and can help me out.
- On the page PAM Rules one can read:
auth: Instructs the application to prompt the user for identification (username, password, etc). May set credentials and grant privileges.
Do I understand that correctly? If a PAM-aware application wants to authenticate a user, ...
- It calls PAM with the type auth.
- PAM loads all modules related to auth for that application.
- If one of these modules requires a username and password, it asks the application to ask the user to supply a username and a password.
- The application prompts the user for a username and a password.
- The application sends these inputs back to PAM.
- And the PAM modules verify that they are correct.
- If that is how it works, that means all PAM-aware applications must have some kind of callback function that PAM modules can invoke to "communicate" with the user of the application. And PAM modules don't interact with the user directly. Correct?
- If point 2 is true, what happens if I as a system administrator want to change the way users have to authenticate for a certain application/service? For example, I want the user to sing a song and I write a PAM module (song_chk) that checks if the user knows the lyrics and sings sufficiently well. Now my song_chk module would have to ask the application to ask the user to sing a song, record it, and send the audio back to song_chk for verification. Somehow I can't imagine that's how this would work, because that would mean that any PAM-aware application would have to be able to ask the user for any kind of input and be able to pass any kind of user input to PAM.
Well, any help is highly appreciated. Thanks!
Comments
Hi @schuam, I'm not a PAM expert or PAM coder, but I think I can point to some useful resources:
1.- This is an introductory article:
https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam
2.- Take a look at "Ten steps to designing a simple PAM login app":
https://developer.ibm.com/technologies/linux/tutorials/l-pam/
3.- The Linux-PAM Module Writers' Guide (this one is good, a bit old):
http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_MWG.html
Regards,
Luis.
https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam
Here is another short description of how PAM works.
Lee
Hi @luisviveropena and @lee42x !
Thanks a lot for your answers and the links to the resources. After reading through a lot of it, it seems as if the subject is more complicated than I was hoping.
In the introductory article Luis mentioned under point 1, one can find the following:
The login application prompts for a user name and password, then makes a libpam authentication call to ask, "Is this user who they say they are?" The pam_unix module is responsible for checking the local account authentication. Other modules may also be checked, and ultimately the result is passed back to the login process.
To me this seems to contradict the sentence from chapter 33:
Instructs the application to prompt the user for identification (username, password, etc). May set credentials and grant privileges.
The program flow is slightly different in those explanations.
In the Linux-PAM Module Writers' Guide that Luis mentioned under point 3, one can find a "Conversation Function" in the PAM modules. The first sentence of the description of that conversation function reads like this:
The PAM library uses an application-defined callback to allow a direct communication between a loaded module and the application. This callback is specified by the struct pam_conv passed to pam_start(3) at the start of the transaction.
This sentence and the rest of the description of the conversation function seem to support my understanding of the program flow:
- Application calls PAM
- PAM loads PAM modules
- PAM module calls the callback (conversation function)
- Application prompts the user and sends the input to the PAM module
- PAM module does the authentication
Unfortunately I still don't know how I would integrate my song_chk PAM module. But I guess to figure this out, I would have to study some source code of existing PAM modules or of a PAM-aware application as references. But since this song_chk was just a theoretical construct to understand PAM better, and nothing I was actually going to implement, I think I'll leave it for now and look back into it in case I actually need it at some point.
Thanks again for your answers @luisviveropena and @lee42x
Kind regards,
Andreas
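Added example, not code from the thread, the course page, or the Linux-PAM project: a self-contained C program that plays through the flow listed above (application calls PAM, module calls the conversation callback, application relays the user's input, module verifies it). The struct layouts and constant values are the ones declared in Linux-PAM's `<security/pam_appl.h>`, but the file does not link against libpam; the "library" and "module" parts, the scripted terminal input, the user `alice`, and the secret are constructed stand-ins so it runs offline.

```c
/* Standalone simulation of the Linux-PAM conversation-function flow.
 * Struct layouts and constants mirror <security/pam_appl.h>; the library
 * and module parts are constructed stand-ins, nothing links against libpam. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same numeric values as Linux-PAM uses. */
#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1   /* answer must not be echoed (password) */
#define PAM_PROMPT_ECHO_ON   2   /* answer may be echoed (username) */
#define PAM_TEXT_INFO        4   /* informational text, no answer expected */

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int num_msg, const struct pam_message **msg,
                struct pam_response **resp, void *appdata_ptr);
    void *appdata_ptr;
};

/* ---- Application side: owns the user interface ---------------------- */
#define MAX_ANSWERS 4
/* Constructed stand-in for a terminal: answers are scripted. */
struct scripted_input { const char *answers[MAX_ANSWERS]; int next; };

/* The callback the application hands to PAM in struct pam_conv. A module
 * never touches the terminal itself; every prompt passes through here. */
static int app_conversation(int num_msg, const struct pam_message **msg,
                            struct pam_response **resp, void *appdata_ptr)
{
    struct scripted_input *in = appdata_ptr;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (r == NULL)
        return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON:
        case PAM_PROMPT_ECHO_OFF:
            /* A real app would print msg[i]->msg and read a line here. */
            if (in->next >= MAX_ANSWERS || in->answers[in->next] == NULL)
                goto fail;
            r[i].resp = strdup(in->answers[in->next++]);
            if (r[i].resp == NULL)
                goto fail;
            break;
        case PAM_TEXT_INFO:
            printf("%s\n", msg[i]->msg);
            break;
        default:                  /* unknown style: refuse the conversation */
            goto fail;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
fail:
    for (int i = 0; i < num_msg; i++)
        free(r[i].resp);
    free(r);
    return PAM_CONV_ERR;
}

/* ---- Module side: asks questions only through the conversation ------ */
/* Sends one prompt via the application's callback; caller frees *answer. */
static int module_ask(const struct pam_conv *conv, int style,
                      const char *prompt, char **answer)
{
    struct pam_message m = { style, prompt };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    int rc = conv->conv(1, &mp, &r, conv->appdata_ptr);
    if (rc != PAM_SUCCESS)
        return rc;
    *answer = r[0].resp;
    free(r);
    return PAM_SUCCESS;
}

/* Constructed credential store standing in for /etc/shadow. */
static const char *const KNOWN_USER   = "alice";
static const char *const KNOWN_SECRET = "correct horse";

/* Stand-in for a module's pam_sm_authenticate(): the module decides what
 * to ask and verifies the answers; the application only relays them. */
static int module_authenticate(const struct pam_conv *conv)
{
    char *user = NULL, *secret = NULL;
    int rc = module_ask(conv, PAM_PROMPT_ECHO_ON, "login: ", &user);
    if (rc != PAM_SUCCESS)
        return rc;
    rc = module_ask(conv, PAM_PROMPT_ECHO_OFF, "Password: ", &secret);
    if (rc != PAM_SUCCESS) {
        free(user);
        return rc;
    }
    int ok = strcmp(user, KNOWN_USER) == 0 && strcmp(secret, KNOWN_SECRET) == 0;
    memset(secret, 0, strlen(secret));   /* best-effort scrub before free */
    free(user);
    free(secret);
    return ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* ---- Library side: what pam_start() + pam_authenticate() would do ---- */
int authenticate_with_script(const char *first, const char *second)
{
    struct scripted_input in = { { first, second, NULL, NULL }, 0 };
    struct pam_conv conv = { app_conversation, &in };
    return module_authenticate(&conv);
}

int main(void)
{
    printf("right secret -> %d (PAM_SUCCESS)\n",
           authenticate_with_script("alice", "correct horse"));
    printf("wrong secret -> %d (PAM_AUTH_ERR)\n",
           authenticate_with_script("alice", "wrong"));
    printf("no input     -> %d (PAM_CONV_ERR)\n",
           authenticate_with_script(NULL, NULL));
    return 0;
}
```

The split answers the original question directly: the module chooses the prompts and does the verification, the application supplies nothing but a conversation callback, and if the application cannot produce an answer the module gets PAM_CONV_ERR rather than a silent success. A real module would export this logic as `pam_sm_authenticate()` and the administrator would wire it into a service with a line such as `auth required pam_song_chk.so` in `/etc/pam.d/<service>` (song_chk being the thread's hypothetical module). The caveat for that idea is visible in the message styles: the standard conversation carries text prompts and text answers, so a module that needs audio from the user would require a prompt style that both the module and every application's conversation function agree on, which the standard styles do not provide.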
How about this: an example PAM module and example test program.
Hi @schuam ,
Thanks a lot for your answers and the links to the resources.
It's a pleasure!
After reading through a lot of it, it seems as if the subject is more complicated than I was hoping.
Oh, perhaps it's a bit more complicated yet, hehehe. From my perspective, PAM is one of the most challenging topics here. Things change from time to time, so perhaps that's why you are finding some differences in the documentation. Also, usually there is more than one way to implement things. So, I think the best way to make it work and understand it is by trying it.
Regards,
Luis.
@lee42x: Thanks for the link, I'll check it out, once I find the time to do so.
@luisviveropena: I guess you're right. The best way would be to try it out. I actually might at some point, but right now I was just hoping to understand everything without implementing my own PAM module.