Chapter 33: PAM
Hello!
I have a couple of questions about PAM. Maybe someone knows answers to them and can help me out.
- On the page PAM Rules one can read:
auth: Instructs the application to prompt the user for identification (username, password, etc). May set credentials and grant privileges.
Do I understand that correctly? If a PAM-aware application wants to authenticate a user, ...
- It calls PAM with the type auth.
- PAM loads all modules related to auth for that application.
- If one of these modules requires a username and password, it asks the application to ask the user to supply a username and a password.
- The application prompts the user for a username and a password.
- The application sends these inputs back to PAM.
- And the PAM modules verify that they are correct.
- If that is how it works, that means all PAM-aware applications must have some kind of callback function that PAM modules can invoke to "communicate" with the user of the application. And PAM modules don't interact with the user directly. Correct?
- If point 2 is true, what happens if I as a system administrator want to change the way users have to authenticate for a certain application/service. For example I want the user to sing a song and I write a PAM module (song_chk) that checks if the user knows the lyrics and sings sufficiently well. Now my song_chk module would have to ask the application to ask the user to sing a song, record it, and send the audio back to the song_chk for verification. Somehow I can't imagine that's how this would work, because that would mean that any PAM aware application would have to be able to ask the user for any kind of input and be able to pass any kind of user input to PAM.
Well, any help is highly appreciated. Thanks!
Comments
Hi @schuam, I'm not a PAM expert or PAM coder, but I think I can point to some useful resources:
1.- This is an introductory article:
https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam
2.- Take a look at "Ten steps to designing a simple PAM login app":
https://developer.ibm.com/technologies/linux/tutorials/l-pam/
3.- The Linux-PAM Module Writers' Guide (this one is good, a bit old):
http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_MWG.html
Regards,
Luis.

https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam
Here is another short description of how PAM works.
Lee
Hi @luisviveropena and @lee42x !
Thanks a lot for your answers and the links to the resources. After reading through a lot of it, it seems as if the subject is more complicated than I was hoping.
In the introductory article Luis mentioned under point 1, one can find the following:
The login application prompts for a user name and password, then makes a libpam authentication call to ask, "Is this user who they say they are?" The pam_unix module is responsible for checking the local account authentication. Other modules may also be checked, and ultimately the result is passed back to the login process.
To me this seems to contradict the sentence from chapter 33:
Instructs the application to prompt the user for identification (username, password, etc). May set credentials and grant privileges.
The program flow is slightly different in those explanations.
In the Linux-PAM Module Writers' Guide Luis mentioned under point 3, one can find a "Conversation Function" in the PAM modules. The first sentence of the description of that conversation function reads like this:
The PAM library uses an application-defined callback to allow a direct communication between a loaded module and the application. This callback is specified by the struct pam_conv passed to pam_start(3) at the start of the transaction.
This sentence and the rest of the description of the conversation function seem to support my understanding of the program flow:
- Application calls PAM
- PAM loads PAM modules
- PAM module calls the callback (conversation function)
- Application prompts the user and sends the input to the PAM module
- PAM module does the authentication
Unfortunately I still don't know how I would integrate my song_chk PAM module. But I guess to figure this out, I would have to study some source code of existing PAM modules or of a PAM-aware application as a reference. But since this song_chk was just a theoretical construct to understand PAM better, and nothing I was actually going to implement, I think I'll leave it for now and look back into it in case I actually need it at some point.
Thanks again for your answers @luisviveropena and @lee42x
Kind regards,
Andreas

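The flow in the list above (and the numbered steps in the original question) can be seen end to end in a small stand-alone C program. This is an added example, not code from this thread, from Linux-PAM, or from the linked articles. The `pam_message`, `pam_response` and `pam_conv` definitions and the numeric constants reproduce the layout documented in `<security/pam_appl.h>` so the file builds without libpam; in a real build you include that header and link against libpam instead of defining them locally. `app_conv`, `song_chk_authenticate`, `run_auth`, `HYPOTHETICAL_AUDIO_PROMPT` and the "typed" answers are invented for the example, and the expected lyric is a constructed value.

```c
/* Added example (not from the thread or Linux-PAM): a model of the PAM
 * conversation contract. Struct layouts and constants mirror
 * <security/pam_appl.h>; a real build includes that header and links libpam. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1   /* secret input, e.g. a password   */
#define PAM_PROMPT_ECHO_ON   2   /* visible input, e.g. a user name */
#define PAM_ERROR_MSG        3   /* display only                    */
#define PAM_TEXT_INFO        4   /* display only                    */
#define HYPOTHETICAL_AUDIO_PROMPT 99   /* invented: not a real PAM style */

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int num_msg, const struct pam_message **msg,
                struct pam_response **resp, void *appdata_ptr);
    void *appdata_ptr;
};

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* ---- application side: the callback handed to pam_start() ---------------- */

/* Constructed stand-in for the terminal: what the "user" types at any prompt. */
struct app_data { const char *typed_answer; };

/* The application only knows the four standard styles; anything else fails. */
static int app_conv(int num_msg, const struct pam_message **msg,
                    struct pam_response **resp, void *appdata_ptr)
{
    struct app_data *app = appdata_ptr;
    if (num_msg <= 0) return PAM_CONV_ERR;
    struct pam_response *replies = calloc((size_t)num_msg, sizeof *replies);
    if (!replies) return PAM_CONV_ERR;

    for (int i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON:
        case PAM_PROMPT_ECHO_OFF:
            printf("%s%s\n", msg[i]->msg,
                   msg[i]->msg_style == PAM_PROMPT_ECHO_ON ? app->typed_answer : "***");
            replies[i].resp = dup_str(app->typed_answer);   /* "user" answers */
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
            printf("%s\n", msg[i]->msg);                    /* nothing to return */
            break;
        default:   /* a style this application cannot satisfy (audio, ...) */
            for (int j = 0; j < i; j++) free(replies[j].resp);
            free(replies);
            return PAM_CONV_ERR;
        }
    }
    *resp = replies;
    return PAM_SUCCESS;
}

/* ---- module side: the hypothetical song_chk module ----------------------- */

/* Constant-time compare over the expected length, so timing does not reveal
 * how many leading characters of a wrong answer matched. */
static int same_secret(const char *given, const char *expected)
{
    size_t lg = strlen(given), le = strlen(expected);
    unsigned char diff = (unsigned char)(lg != le);
    for (size_t i = 0; i < le; i++)
        diff |= (unsigned char)(expected[i] ^ (i < lg ? given[i] : 0));
    return diff == 0;
}

/* In a real module this body sits in pam_sm_authenticate() and the struct
 * pam_conv is fetched with pam_get_item(pamh, PAM_CONV, ...); here it is
 * passed in directly. The module never touches the terminal itself. */
static int song_chk_authenticate(const struct pam_conv *conv, int prompt_style,
                                 const char *expected_lyric)
{
    struct pam_message m = { prompt_style, "song_chk: sing the first line: " };
    const struct pam_message *msgs[1] = { &m };
    struct pam_response *resp = NULL;

    int rc = conv->conv(1, msgs, &resp, conv->appdata_ptr);
    if (rc != PAM_SUCCESS)
        return rc;                      /* the application could not ask */

    rc = (resp && resp[0].resp && same_secret(resp[0].resp, expected_lyric))
             ? PAM_SUCCESS : PAM_AUTH_ERR;
    if (resp) { free(resp[0].resp); free(resp); }   /* module frees replies */
    return rc;
}

/* One round trip: application -> module -> callback -> module -> result. */
int run_auth(const char *typed_answer, int prompt_style)
{
    struct app_data app = { typed_answer };
    struct pam_conv conv = { app_conv, &app };
    return song_chk_authenticate(&conv, prompt_style, "tra la la"); /* constructed */
}

int main(void)
{
    printf("right lyric  -> %d\n", run_auth("tra la la", PAM_PROMPT_ECHO_OFF));       /* 0  */
    printf("wrong lyric  -> %d\n", run_auth("la la tra", PAM_PROMPT_ECHO_OFF));       /* 7  */
    printf("audio prompt -> %d\n", run_auth("tra la la", HYPOTHETICAL_AUDIO_PROMPT)); /* 19 */
    return 0;
}
```

Build with `cc -std=c99 -Wall song_conv.c` and run. The third call is the answer to the song question in the original post: the message styles are the whole vocabulary of the conversation, so an application only ever has to handle text prompts and text messages, and a module that asks for something else gets PAM_CONV_ERR back rather than audio. Getting a recording to a module would need a channel outside the conversation function, which this thread does not cover.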
How about this, an example PAM module and example test program.
Hi @schuam ,
> Thanks a lot for your answers and the links to the resources.
It's a pleasure!
> After reading through a lot of it, it seems as if the subject is more complicated than I was hoping.
Oh, perhaps it's a bit more complicated yet, hehehe. From my perspective, PAM is one of the most challenging topics here. Things change from time to time, so perhaps that's why you are finding some differences in the documentation. Also, usually there is more than one way to implement things. So, I think the best way to make it work and understand it is by trying it.
Regards,
Luis.

@lee42x: Thanks for the link, I'll check it out, once I find the time to do so.
@luisviveropena: I guess you're right. The best way would be to try it out. I actually might at some point, but right now I was just hoping to understand everything without implementing my own PAM module.