
Chapter 33: PAM

Hello!

I have a couple of questions about PAM. Maybe someone knows answers to them and can help me out.

  1. On the page PAM Rules one can read:

auth: Instructs the application to prompt the user for identification (username, password, etc). May set credentials and grant privileges.

Do I understand that correctly? If a PAM-aware application wants to authenticate a user, ...

  • It calls PAM with the type auth.
  • PAM loads all modules related to auth for that application.
  • If one of these modules requires a username and password, it asks the application to ask the user to supply a username and a password.
  • The application prompts the user for a username and a password.
  • The application sends these inputs back to PAM.
  • And the PAM modules verify that they are correct.
  2. If that is how it works, that means all PAM-aware applications must have some kind of callback function that PAM modules can invoke to "communicate" with the user of the application. And PAM modules don't interact with the user directly. Correct?
  3. If point 2 is true, what happens if I as a system administrator want to change the way users have to authenticate for a certain application/service? For example, I want the user to sing a song and I write a PAM module (song_chk) that checks if the user knows the lyrics and sings sufficiently well. Now my song_chk module would have to ask the application to ask the user to sing a song, record it, and send the audio back to song_chk for verification. Somehow I can't imagine that's how this would work, because that would mean that any PAM-aware application would have to be able to ask the user for any kind of input and be able to pass any kind of user input to PAM.

Well, any help is highly appreciated. Thanks!

Comments

  • Hi @schuam, I'm not a PAM expert or PAM coder, but I think I can point to some useful resources:

    1.- This is an introductory article:
    https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam

    2.- Take a look at "Ten steps to designing a simple PAM login app":

    https://developer.ibm.com/technologies/linux/tutorials/l-pam/

    3.- The Linux-PAM Module Writers' Guide (this one is good, a bit old):

    http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_MWG.html

    Regards,
    Luis.

  • lee42x Posts: 380

    https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam

    Here is another short description how PAM works.

    Lee

  • schuam Posts: 11

    Hi @luisviveropena and @lee42x !

    Thanks a lot for your answers and the links to the resources. After reading through a lot of it, it seems as if the subject is more complicated than I was hoping.

    In the introductory article Luis mentioned under point 1, one can find the following:

    The login application prompts for a user name and password, then makes a libpam authentication call to ask, "Is this user who they say they are?" The pam_unix module is responsible for checking the local account authentication. Other modules may also be checked, and ultimately the result is passed back to the login process.

    To me this seems to contradict the sentence from chapter 33:

    Instructs the application to prompt the user for identification (username, password, etc). May set credentials and grant privileges.

    The program flow is slightly different in those explanations.

    In the Linux-PAM Module Writers' Guide that Luis mentioned under point 3, one can find a "Conversation Function" in the PAM modules. The first sentence of the description of that conversation function reads like this:

    The PAM library uses an application-defined callback to allow a direct communication between a loaded module and the application. This callback is specified by the struct pam_conv passed to pam_start(3) at the start of the transaction.

    This sentence and the rest of the description of the conversation function seem to support my understanding of the program flow:

    • Application calls PAM
    • PAM loads PAM modules
    • PAM module calls the callback (conversation function)
    • Application prompts the user and sends the input to the PAM module
    • PAM module does the authentication

    Unfortunately I still don't know how I would integrate my song_chk PAM module. But I guess to figure this out, I would have to study some source code of existing PAM modules or of a PAM-aware application as references. But since this song_chk was just a theoretical construct to understand PAM better, and nothing I was actually going to implement, I think I'll leave it for now and look back into it in case I actually need it at some point.

    Thanks again for your answers @luisviveropena and @lee42x

    Kind regards,
    Andreas
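
    The call flow laid out in the post above (application calls pam_start() with a conversation callback, the module asks through that callback, the application prompts the user and hands the answer back) and the song_chk question from the opening post can both be shown end to end in code. The following is an added example, not code from this thread, from Linux-PAM or from the Linux Foundation course material. It re-creates the conversation protocol in one self-contained C file so that it builds without libpam: the struct layouts and the PAM_* values mirror Linux-PAM's <security/_pam_types.h> but are redeclared here, and song_chk, its lyric table, the scripted answers and the PAM_STYLE_AUDIO message style are all invented for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
/* Added example: a self-contained simulation of the Linux-PAM conversation
 * protocol.  Constants and struct layouts mirror Linux-PAM but are redeclared
 * here so this file compiles and runs without libpam.  Not libpam code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1    /* password-style prompt, input not echoed */
#define PAM_PROMPT_ECHO_ON   2    /* username-style prompt, input echoed */
#define PAM_ERROR_MSG        3    /* display only, no answer expected */
#define PAM_TEXT_INFO        4    /* display only, no answer expected */
#define PAM_STYLE_AUDIO     99    /* hypothetical "record audio" style; invented here */

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int num_msg, const struct pam_message **msg,
                struct pam_response **resp, void *appdata_ptr);
    void *appdata_ptr;
};

/* ---- application side -------------------------------------------------- */
/* A real login program would talk to the terminal here.  This conversation
 * function answers from constructed data so the example runs offline. */
struct scripted_answers { const char *user; const char *secret; };

static int scripted_conv(int num_msg, const struct pam_message **msg,
                         struct pam_response **resp, void *appdata_ptr)
{
    const struct scripted_answers *a = appdata_ptr;
    struct pam_response *r;
    int i;

    if (num_msg <= 0) return PAM_CONV_ERR;
    r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_CONV_ERR;

    for (i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON:  r[i].resp = strdup(a->user);   break;
        case PAM_PROMPT_ECHO_OFF: r[i].resp = strdup(a->secret); break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:       r[i].resp = NULL;              break;
        default:
            /* The application has no way to collect this kind of input. */
            while (i-- > 0) free(r[i].resp);
            free(r);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* ---- module side ------------------------------------------------------- */
/* Constructed lyric table standing in for whatever song_chk would consult. */
static const struct { const char *user; const char *lyric; } lyrics[] = {
    { "alice", "row, row, row your boat" },
};

/* One prompt per conversation call, the way pam_get_user()/pam_get_authtok()
 * drive it.  The module never touches the terminal; it only says what to ask.
 * Linux-PAM passes an array of pointers to messages, hence &mp. */
static int ask(const struct pam_conv *conv, int style, const char *prompt,
               char **answer)
{
    const struct pam_message m = { style, prompt };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    int rc = conv->conv(1, &mp, &r, conv->appdata_ptr);
    if (rc != PAM_SUCCESS) return rc;
    if (!r || !r->resp) { free(r); return PAM_CONV_ERR; }
    *answer = r->resp;                 /* caller frees the string */
    free(r);
    return PAM_SUCCESS;
}

/* Stand-in for song_chk's pam_sm_authenticate().  secret_style is the prompt
 * style used for the lyric, so callers can try the hypothetical audio style. */
int song_chk_authenticate(const struct pam_conv *conv, int secret_style)
{
    char *user = NULL, *lyric = NULL;
    int rc, i;

    rc = ask(conv, PAM_PROMPT_ECHO_ON, "login: ", &user);
    if (rc != PAM_SUCCESS) return rc;
    rc = ask(conv, secret_style, "Sing the first line: ", &lyric);
    if (rc != PAM_SUCCESS) { free(user); return rc; }

    rc = PAM_AUTH_ERR;
    for (i = 0; i < (int)(sizeof lyrics / sizeof lyrics[0]); i++)
        if (strcmp(user, lyrics[i].user) == 0 && strcmp(lyric, lyrics[i].lyric) == 0)
            rc = PAM_SUCCESS;
    free(user);
    free(lyric);
    return rc;
}

/* Glue the scripted application to the module, as login does via pam_start(). */
int run_login(const char *user, const char *secret, int secret_style)
{
    struct scripted_answers answers = { user, secret };
    struct pam_conv conv = { scripted_conv, &answers };
    return song_chk_authenticate(&conv, secret_style);
}

int main(void)
{
    printf("good lyric:  %d\n", run_login("alice", "row, row, row your boat", PAM_PROMPT_ECHO_OFF));
    printf("wrong lyric: %d\n", run_login("alice", "merrily down the stream", PAM_PROMPT_ECHO_OFF));
    printf("audio style: %d\n", run_login("alice", "row, row, row your boat", PAM_STYLE_AUDIO));
    return 0;
}
```

    The last case is the crux of question 3 in the opening post: the module can only ask for what the application's conversation function knows how to collect (here the four standard message styles), so a request with a style the application does not implement comes back as PAM_CONV_ERR rather than as audio. A real module would export pam_sm_authenticate(), obtain the conversation with pam_get_item(pamh, PAM_CONV, ...) or simply call pam_get_user() and pam_get_authtok(), which wrap exactly this exchange, and the application side would supply a terminal-reading conversation such as misc_conv() from libpam_misc.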

  • lee42x Posts: 380
    edited January 2021

    How about this, an example Pam module and example test program.

    https://github.com/beatgammit/simple-pam

  • Hi @schuam ,

    Thanks a lot for your answers and the links to the resources.

    It's a pleasure!

    After reading through a lot of it, it seems as if the subject is more complicated than I was hoping.

    Oh, perhaps it's a bit more complicated yet, hehehe. From my perspective, PAM is one of the most challenging topics here. Things change from time to time, so perhaps that's why you are finding some differences in the documentation. Also, usually there is more than one way to implement things. So, I think the best way to make it work and understand it is by trying it.

    Regards,
    Luis.

  • schuam Posts: 11

    @lee42x: Thanks for the link, I'll check it out, once I find the time to do so.

    @luisviveropena: I guess you're right. The best way would be to try it out. I actually might at some point, but right now I was just hoping to understand everything without implementing my own PAM module :p .
