Linux: How to create a PAM module?

Note: this page is a translated copy of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same license, cite the original address and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/4841203/

Time: 2020-08-05 02:41:08  Source: igfitidea

how to create a pam module?

linux pam

Asked by Innovators

Can anyone tell me about this... I want to create a pam module similar to the login module in /etc/pam.d

Answered by GG.

If you are looking for pam based face authentication during login, you need to write a module which does that for you and plug that into the login configuration file at /etc/pam.d/login.

Before getting directly into this, I would suggest you write some simple module to understand the flow and working of PAM and its configuration files; for example, start playing with the sshd pam configuration file and try to plug in some of the sample pam modules available. I found these articles quite helpful:

http://aplawrence.com/Basics/understandingpam.html

https://www.packtpub.com/article/development-with-pluggable-authentication-modules-pam

FYI : Rohan Anil developed pam-face-authentication during GSOC08 under opensuse which is hosted at code.google.com/p/pam-face-authentication/

Answered by Dwight Spencer

One of the best resources for authoring pam modules is the documentation itself:

http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_MWG.html

However I agree with @GG in making sure you understand how PAM works first.

Answered by Federico Taschin

Since the answer is really too long to be written here, I can link you my PAM tutorials: Write a Linux PAM module and Linux PAM Configuration tutorial

Before starting writing the module I advise you to read the configuration tutorial first, in which you can learn what the module does.

To sum up, a module is a shared object loaded by PAM when the application wants to authenticate. Every time the application triggers a "stage" (auth, account, session, password) the corresponding function is called in the module. Therefore, your module should provide the following functions:

#include <security/pam_modules.h>  /* pam_sm_* prototypes and PAM return codes */

PAM_EXTERN int pam_sm_authenticate(pam_handle_t *handle, int flags, int argc, const char **argv){
    /* In this function we will ask the username and the password with pam_get_user()
     * and pam_get_authtok(). We will then decide if the user is authenticated */
    return PAM_AUTH_ERR; /* placeholder: deny until the real check is written */
}

PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    /* In this function we check that the user is allowed in the system. We already know
     * that he's authenticated, but we could apply restrictions based on time of the day,
     * resources in the system etc. */
    return PAM_IGNORE; /* placeholder: this module takes no part in the stage's result */
}

PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    /* We could have much more information about the user other than password and username.
     * These are the credentials. For example, a kerberos ticket. Here we establish those
     * and make them visible to the application */
    return PAM_IGNORE; /* placeholder */
}

PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    /* When the application wants to open a session, this function is called. Here we should
     * build the user environment (setting environment variables, mounting directories etc) */
    return PAM_IGNORE; /* placeholder */
}

PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    /* Here we destroy the environment we have created above */
    return PAM_IGNORE; /* placeholder */
}

PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv){
    /* This function is called to change the authentication token. Here we should,
     * for example, change the user password with the new password */
    return PAM_IGNORE; /* placeholder */
}

In these functions you will use PAM functions to retrieve the username and the password from the application. This happens through a conversation function that must be defined in the application (see this tutorial). At the end of every function, you must return a PAM return code that determines the result (for PAM error codes see this and the module writer documentation in general).
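The conversation function mentioned in the last answer, as an added example (not code from the answers above or from the Linux-PAM project): a non-interactive application answers the module's prompts from credentials it already holds and fails closed on anything it does not understand. `struct app_creds`, `drop_replies` and `app_conv` are hypothetical names, and the fallback declarations are used only when the libpam development headers are not installed.

```c
#include <stdlib.h>
#include <string.h>
#ifdef __has_include
#  if __has_include(<security/pam_appl.h>)
#    include <security/pam_appl.h>   /* real definitions from the libpam headers */
#    define HAVE_PAM_HEADERS 1
#  endif
#endif
#ifndef HAVE_PAM_HEADERS  /* fallback mirroring Linux-PAM, so the file builds without them */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_OFF = 1,
       PAM_PROMPT_ECHO_ON = 2, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
#endif
/* Hypothetical application data: credentials the application already holds. */
struct app_creds { const char *user; const char *password; };

/* Wipe and free replies built so far; volatile writes are not optimised away. */
static void drop_replies(struct pam_response *r, int n) {
    for (int i = 0; i < n; i++) {
        for (volatile char *p = r[i].resp; p && *p; p++) *p = 0;
        free(r[i].resp);
    }
    free(r);
}

/* Conversation callback: the module's prompts arrive as msg[], replies go back in *resp. */
int app_conv(int num_msg, const struct pam_message **msg,
             struct pam_response **resp, void *appdata_ptr) {
    const struct app_creds *c = appdata_ptr;
    if (num_msg <= 0 || !msg || !resp || !c) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < num_msg; i++) {
        const char *answer;
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON:  answer = c->user;     break;  /* username prompt */
        case PAM_PROMPT_ECHO_OFF: answer = c->password; break;  /* secret prompt */
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:       continue;  /* informational: no reply expected */
        default: drop_replies(r, num_msg); return PAM_CONV_ERR;  /* fail closed */
        }
        size_t len = answer ? strlen(answer) + 1 : 0;
        if (!len || !(r[i].resp = malloc(len))) { drop_replies(r, num_msg); return PAM_CONV_ERR; }
        memcpy(r[i].resp, answer, len);
    }
    *resp = r;  /* ownership passes to the PAM side, which free()s it */
    return PAM_SUCCESS;
}
```

An application hands this to `pam_start()` through `struct pam_conv conv = { app_conv, &creds };`.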