C pam module

From John Freier

PAM - Pluggable Authentication Module

PAM modules plug into applications that implement the PAM interface, such as SSH.


Setup

To begin development, some of the PAM configuration files may need to be changed. For this example I will use SSH.

For SSH, the PAM configuration file is located at:

 /etc/pam.d/sshd

Tip: For SSH, if the module needs to hold a conversation with the user (prompt and read a reply), turn on challenge-response authentication in the SSHD config file.

 /etc/ssh/sshd_config
 Line: ChallengeResponseAuthentication yes


The PAM development files need to be installed.

 apt-get install libpam0g-dev


C Code

 /* Define which PAM interfaces we provide */
 #define PAM_SM_ACCOUNT
 #define PAM_SM_AUTH
 #define PAM_SM_PASSWORD
 #define PAM_SM_SESSION

 /* Include standard and PAM headers */
 #include <stdio.h>
 #include <stdlib.h>   /* free() */
 #include <security/pam_appl.h>
 #include <security/pam_modules.h>
 #include <syslog.h>

 /* PAM entry point for session creation */
 int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
         printf("open_session\n");
         return(PAM_IGNORE);
 }

 /* PAM entry point for session cleanup */
 int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
         printf("close_session\n");
         return(PAM_IGNORE);
 }

 /* PAM entry point for accounting */
 int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) {
         printf("acct_mgmt\n");
         return(PAM_IGNORE);
 }

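 /* PAM entry point for authentication verification */
 PAM_EXTERN
 int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
         printf("authentication 2\n");

         int pam_err;
         struct pam_response *resp = NULL;
         struct pam_message msg;
         const struct pam_message *msgp;

         msg.msg_style = PAM_PROMPT_ECHO_ON;
         msg.msg = "What color is the sky:";

         msgp = &msg;

         /* Fetch the application's conversation function. The item is owned
            by PAM, so the module must not free it. */
         const struct pam_conv *conv = NULL;
         int retval = pam_get_item(pamh, PAM_CONV, (const void **)&conv);
         if (retval != PAM_SUCCESS) {
              return retval;
         }
         if (conv == NULL || conv->conv == NULL) {
              return PAM_CONV_ERR;
         }
         pam_err = conv->conv(1, &msgp, &resp, conv->appdata_ptr);
         if (pam_err != PAM_SUCCESS) {
              return pam_err;
         }

         /* The reply is allocated by the application and freed by the module.
            This skeleton does not check the answer. */
         if (resp != NULL) {
              free(resp->resp);
              free(resp);
         }

         return(PAM_SUCCESS);
 }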
 
 /*
    PAM entry point for setting user credentials (that is, to actually
    establish the authenticated user's credentials to the service provider)
  */
 int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
         printf("setcred\n");
         return(PAM_IGNORE);
 }

 /* PAM entry point for authentication token (password) changes */
 int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) {
         printf("chauthtok\n");
         return(PAM_IGNORE);
 }
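
The pam_sm_authenticate above asks its question but never looks at the answer. As an added example (not part of the original page), here is one way to judge and dispose of the reply that conv() hands back; check_reply, same_text and make_reply are hypothetical helpers, "blue" is an assumed expected answer, and the stand-in definitions are used only when the PAM headers are not installed.

```c
#include <stdlib.h>
#include <string.h>
#ifdef __has_include
#  if __has_include(<security/pam_appl.h>)
#    include <security/pam_appl.h>
#    define HAVE_PAM_HEADERS 1
#  endif
#endif
#ifndef HAVE_PAM_HEADERS   /* stand-ins so the example builds without libpam0g-dev */
#define PAM_SUCCESS  0
#define PAM_AUTH_ERR 7
struct pam_response { char *resp; int resp_retcode; };
#endif

/* Compare every byte so timing does not reveal where the first mismatch is. */
static int same_text(const char *a, const char *b) {
        size_t la = strlen(a), lb = strlen(b);
        unsigned char diff = (unsigned char)(la != lb);
        for (size_t i = 0; i < lb; i++)
                diff |= (unsigned char)(a[i < la ? i : la] ^ b[i]);
        return diff == 0;
}

/* Hypothetical helper: judge the reply conv() produced, then wipe and free it. */
int check_reply(int conv_err, struct pam_response *resp, const char *expected) {
        int result = PAM_AUTH_ERR;                       /* fail closed */
        if (conv_err != PAM_SUCCESS || resp == NULL)     /* failed conversation: leave resp alone */
                return conv_err != PAM_SUCCESS ? conv_err : PAM_AUTH_ERR;
        if (resp->resp != NULL) {
                result = same_text(resp->resp, expected) ? PAM_SUCCESS : PAM_AUTH_ERR;
                for (volatile char *p = resp->resp; *p; p++) *p = 0;  /* wipe the answer */
                free(resp->resp);
        }
        free(resp);
        return result;
}

/* Constructed sample input: a heap-allocated reply like the one conv() hands back. */
struct pam_response *make_reply(const char *text) {
        struct pam_response *r = calloc(1, sizeof *r);
        if (r != NULL && (r->resp = malloc(strlen(text) + 1)) != NULL)
                strcpy(r->resp, text);
        return r;
}

int main(void) {
        int ok = check_reply(PAM_SUCCESS, make_reply("blue"), "blue") == PAM_SUCCESS;
        return !(ok && check_reply(PAM_SUCCESS, make_reply("green"), "blue") == PAM_AUTH_ERR);
}
```

In the module, the call would replace the unconditional success: return check_reply(pam_err, resp, expected) right after conv->conv() returns.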


Build

 gcc -fPIC -DPIC -shared -rdynamic -std=c99 -o pam_ignore.so pam_ignore.c

Install

 cp pam_ignore.so /lib/x86_64-linux-gnu/security/
 chown root:root /lib/x86_64-linux-gnu/security/pam_ignore.so
 chmod 755 /lib/x86_64-linux-gnu/security/pam_ignore.so


More setup

Activate the PAM module in the SSH PAM configuration by adding the following line to /etc/pam.d/sshd:

 auth     required    pam_ignore.so    debug

