I want to enable users to use my Rails application's credentials to log in to an SFTP account. If I understand correctly, I should somehow use PAM for this, but I didn't find any info on how to do this.
3 Answers
3
You could write your own PAM module if you want. But the other solution is probably better. Check out a sample PAM module here: http://www.freebsd.org/doc/en/articles/pam/pam-sample-module.html

Michael Mior
3
This seems like the solution I need, although I couldn't find any info on how the script should look and what I should return. I'm pretty new to PAM, and it seems that pam_exec is not a much-used solution. I know I'm asking for a lot, but do you have any example other than the one in the man page for pam_exec? – retro Mar 01 '10 at 16:28
No, I don't have any examples. And that man-page seems older than the one on my system. Based on my man-page I can guess though, that you want something like:
auth requisite pam_exec.so expose_authtok seteuid /usr/sbin/password-checking-program
where /usr/sbin/password-checking-program reads the password on stdin and returns 0 (success) if it is valid and anything else if it isn't. – ptman Mar 02 '10 at 06:46
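One way to write the `/usr/sbin/password-checking-program` that ptman's comment describes, added here as an example and not code from the thread. The in-memory `USERS` store, the PBKDF2 parameters and the helper names are constructed stand-ins for a lookup against the Rails application's own user table and hash scheme.

```ruby
#!/usr/bin/env ruby
# Added example (not from the thread): checker for
#   auth requisite pam_exec.so expose_authtok seteuid /usr/sbin/password-checking-program
require 'openssl'

ITERATIONS = 100_000 # constructed parameters for the sample store
KEY_LEN = 32

def derive(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN, OpenSSL::Digest.new('SHA256'))
end

# Constructed sample data; a real checker would query the Rails app's user
# table and verify with the app's own hash scheme instead (assumption).
USERS = { 'alice' => { salt: 'constructed-salt-1', hash: derive('correct horse', 'constructed-salt-1') } }.freeze
# Verified against when the user is unknown, so both paths cost one derivation.
DUMMY = { salt: 'constructed-salt-0', hash: derive('unused', 'constructed-salt-0') }.freeze

# Compare without stopping at the first differing byte.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Keep the bytes before any NUL and drop a trailing newline, in case the
# caller terminates the token that way.
def clean_token(raw)
  raw.to_s.b.split("\0", 2).first.to_s.chomp
end

def valid_login?(user, raw_token, store = USERS)
  password = clean_token(raw_token)
  return false if password.empty?
  record = store.fetch(user.to_s, DUMMY)
  matched = constant_time_eq?(derive(password, record[:salt]), record[:hash])
  matched && store.key?(user.to_s)
end

# pam_exec exports PAM_USER; the password arrives on stdin.
# Exit 0 only on a verified match, and fail closed on any error.
if ENV.key?('PAM_USER')
  begin
    exit(valid_login?(ENV['PAM_USER'], $stdin.read) ? 0 : 1)
  rescue StandardError
    exit 1
  end
end
```

With `requisite`, any non-zero exit ends the auth stack immediately, so an unhandled exception in the checker denies the login.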
1
If this Rails info is in a MySQL database you can configure pam_mysql. There are PAM modules for just about everything.
Here's one for ftp that I have with mysql:
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=allow file=/etc/vsftpd/ftpusers onerr=fail
auth sufficient pam_mysql.so user=virt_admin passwd=PASS host=localhost db=DBNAME table=TABLENAME usercolumn=USERNAMECOL passwdcolumn=PASSCOL crypt=3
auth required pam_shells.so
auth include system-auth
account sufficient pam_mysql.so user=virt_admin passwd=PASS host=localhost db=DBNAME table=TABLENAME usercolumn=USERNAMECOL passwdcolumn=PASSCOL crypt=3
account include system-auth
session include system-auth
session required pam_loginuid.so
You could also run a script that periodically dumps the username:passwords into a file and use pam_pwdfile. There are a slew of choices.

CarpeNoctem
Just a note that documentation is here: http://pam-mysql.sourceforge.net – Michael Mior Mar 01 '10 at 15:18