2

I'm trying to use the pam_exec.so PAM module to execute a script which needs to know the username/password coming from the application (OpenVPN in this case).

I have a script that executes printenv >>afile, but I don't see all the environment variables that the man page states pam_exec.so exports (namely PAM_USER, I think). I only see the following:

PAM_SERVICE=openvpn
PAM_TYPE=auth
PWD=/usr/local/openvpn/bin
SHLVL=1
A__z="*SHLVL

I do successfully pick up the password off of STDIN and output it with this same script. But for the life of me I can't get the username.

Any thoughts on what I should try next?

davidparks21

2 Answers

2

If you set key-value pairs with the plugin "openvpn-plugin-auth-pam.so" like this:

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn mykey myval login COMMONNAME"

then it doesn't set PAM_USER (because it calls pam_start with user=NULL). Maybe that's your problem?

TimSmall
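
An added example, not code from the question, the answers, OpenVPN or Linux-PAM: a wrapper for a pam_exec auth script that records which PAM_* variables were exported and denies the login when PAM_USER is missing, which is the situation described above. The names pam_guard.sh, verify.sh and PAM_GUARD_LOG are hypothetical, and the username character set is an assumed policy.

```shell
#!/bin/sh
# Added example: fail-closed wrapper for a pam_exec auth script.
# Assumed PAM line (paths are hypothetical):
#   auth required pam_exec.so expose_authtok /usr/local/sbin/pam_guard.sh /usr/local/sbin/verify.sh

# Record which PAM_* variables were exported: set/unset only, never values or the password.
log_pam_env() {
    for v in PAM_SERVICE PAM_TYPE PAM_USER PAM_RHOST PAM_RUSER PAM_TTY; do
        if eval "[ -n \"\${$v+x}\" ]"; then state=set; else state=unset; fi
        printf '%s:%s ' "$v" "$state"
    done >>"$1"
    printf '\n' >>"$1"
}

# Returns 0 only if every precondition holds and the verifier ("$@") accepts the password.
pam_guard() {
    log_pam_env "${PAM_GUARD_LOG:-/dev/null}"   # PAM_GUARD_LOG is a hypothetical setting
    # An empty "$@" would make the final pipeline a no-op that succeeds, so refuse it.
    [ "$#" -gt 0 ] || return 2
    # Only act in the auth phase.
    [ "${PAM_TYPE:-}" = auth ] || return 3
    # The case on this page: pam_start got user=NULL, so PAM_USER is missing. Deny.
    [ -n "${PAM_USER:-}" ] || return 4
    # Conservative username character set (assumed policy).
    case $PAM_USER in
        *[!A-Za-z0-9._@-]*) return 5 ;;
    esac
    # With expose_authtok the password is on stdin; drop any NUL terminator.
    pw=$(tr -d '\000')
    [ -n "$pw" ] || return 6
    # Pass the password to the verifier on stdin, never via argv or the environment.
    printf '%s' "$pw" | "$@"
}

# Run as a hook only when installed under its own name, so the functions can be sourced.
case ${0##*/} in
    pam_guard.sh) pam_guard "$@"; exit $? ;;
esac
```

pam_exec treats a non-zero exit status from the script as a failure, so each early return above denies the login.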
1

What distribution are you using? RHEL and CentOS use pam 0.99. There's currently a bug open for this issue (https://bugzilla.redhat.com/show_bug.cgi?id=554518) but I believe they're just using an ancient version of PAM.

mgorven
Jason Antman