Linux 简单的 PAM 示例
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/6105836/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Simple PAM example
提问by beatgammit
I want to develop an authentication module using PAM, but I'm having trouble getting a simple example working.
我想使用 PAM 开发一个身份验证模块,但我无法让一个简单的示例工作。
For starters, I would like to do a simple SSH login system where if the user enters the username backdoor, then the user will be logged in without a password (just like in TRON Legacy).
首先,我想做一个简单的 SSH 登录系统,如果用户输入 username backdoor,那么用户将无需密码即可登录(就像在 TRON Legacy 中一样)。
I tried using this guideas a template, but I can't get it to work. Here is my code so far:
我尝试使用本指南作为模板,但我无法让它发挥作用。到目前为止,这是我的代码:
PAM_EXTERN int pam_sm_setcred( pam_handle_t *pamh, int flags, int argc, const char **argv ) {
return PAM_SUCCESS ;
}
PAM_EXTERN int pam_sm_authenticate( pam_handle_t *pamh, int flags,int argc, const char **argv ) {
int retval;
printf("I'm here");
const char* pUsername;
retval = pam_get_user(pamh, &pUsername, "Username: ");
if (retval != PAM_SUCCESS) {
return retval;
}
if (strcmp(pUsername, "backdoor") != 0) {
return PAM_AUTH_ERR;
}
return PAM_SUCCESS;
}
When I log in with the name backdoor, I get permission denied. I've tried creating the user account, but I still get prompted for the password.
当我使用 name 登录时backdoor,我的权限被拒绝。我已经尝试创建用户帐户,但仍然提示我输入密码。
When I log in with a valid user, I see the "I'm here" printout. Is there a better way to debug something like this or is it mostly trial and error?
当我使用有效用户登录时,我会看到“我在这里”打印输出。有没有更好的方法来调试这样的东西,还是主要是反复试验?
EDIT:
编辑:
I added this to my /etc/pam.d/sshdafter @include common-auth:
我/etc/pam.d/sshd在@include common-auth 之后添加了这个:
auth sufficient mypam.so
auth sufficient mypam.so
This comes after 2 other .so files, but I'm pretty sure it's getting executed every time.
这是在其他 2 个 .so 文件之后,但我很确定它每次都会被执行。
I have not modified pam.conf (there isn't anything there). I figured that starting with SSH would be easiest because I don't have to log out each time.
我没有修改 pam.conf (那里没有任何东西)。我认为从 SSH 开始会最简单,因为我不必每次都注销。
EDIT:
编辑:
I finally got it working. Here's the result:
我终于让它工作了。结果如下:
https://github.com/beatgammit/simple-pam
https://github.com/beatgammit/simple-pam
It's open-source, so if you're interested, take a look!
它是开源的,所以如果您有兴趣,请看一看!
采纳答案by Ciclamino
First off, sufficient will still fail if a previous required module has failed. Since you say you have put your sufficient line beneath the include of common-auth you may be seeing a failure because some required module in common-auth has denied access already. Plus you have have sshd getting in the way.
首先,如果之前所需的模块失败,足够的仍然会失败。由于您说已将足够的行放在 common-auth 的包含之下,您可能会看到失败,因为 common-auth 中的某些必需模块已经拒绝访问。此外,您还遇到了 sshd。
I'd get all this stuff out of the way so you know your test is really a test of your pam module and not some further interaction with other things. I'd start with a simple test program like the one herewith /etc/pam.d/check_user listing your module instead of pam_unix.
我会把所有这些东西都放在一边,所以你知道你的测试实际上是对你的 pam 模块的测试,而不是与其他东西的进一步交互。我会从一个简单的测试程序开始,比如这里的 /etc/pam.d/check_user 列出你的模块而不是 pam_unix。
