
Add expose_authtok option to pam_exec(8).
Closed, Public

Authored by munro_ip9.org on Jul 7 2018, 11:26 AM.

Details

Summary

For compatibility with Linux PAM's pam_exec module, allow the password to be optionally passed to the executed program's stdin.

Test Plan

Install "pamtester" from pkg/ports.

Create an executable script my_script.sh containing:

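#!/bin/sh
# pam_exec (expose_authtok) supplies the password on stdin.
# -r keeps backslashes in the password literal.
read -r password
# "=" is the POSIX string comparison for [ ]; PAM_USER is set by pam_exec.
if [ "$PAM_USER" = "abc" ] && [ "$password" = "123" ] ; then
  exit 0
else
  exit 1
fi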

Create /etc/pam.d/my-service containing:

auth required /path/to/pam_exec.so expose_authtok /path/to/my_script.sh
account required pam_permit.so

Now run:

pamtester my-service abc authenticate

It waits for a password; entering "123" succeeds, anything else fails.
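
A hardened variant of the test script above, added here as an illustration and not part of the revision or the FreeBSD tree: it reads the token from stdin so that blanks and backslashes survive, accepts input with or without a trailing newline (the page does not say which is sent), and fails closed on an empty token or a missing PAM_USER. The function name `check_authtok` and the `EXPECTED_*` variables are assumptions; the credentials are the test plan's sample values.

```sh
#!/bin/sh
# Added example: helper for pam_exec "expose_authtok"; not FreeBSD project code.
# EXPECTED_USER / EXPECTED_PASS are constructed sample values (from the test plan).
EXPECTED_USER="abc"
EXPECTED_PASS="123"

# check_authtok: read the password from stdin; return 0 on match, 1 otherwise.
check_authtok() {
    # Never trace here: "set -x" would write the expanded password to stderr.
    set +x

    # Fail closed when no user name was exported into the environment.
    [ -n "${PAM_USER:-}" ] || return 1

    # IFS= keeps leading/trailing blanks; -r keeps backslashes literal.
    # read returns non-zero when input ends without a newline but still
    # fills the variable, so its exit status is deliberately ignored.
    password=""
    IFS= read -r password || :

    # Reject an empty token instead of comparing it.
    if [ -z "$password" ]; then
        unset password
        return 1
    fi

    result=1
    if [ "$PAM_USER" = "$EXPECTED_USER" ] && [ "$password" = "$EXPECTED_PASS" ]; then
        result=0
    fi

    # Drop the secret from the shell's variables before returning.
    unset password
    return "$result"
}
```

Used as the program named in the pam.d line, the script would end with a call to `check_authtok` as its last command, so that the function's status becomes the exit status pam_exec sees.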

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

munro_ip9.org created this revision. Jul 7 2018, 11:26 AM
munro_ip9.org edited the summary of this revision.
munro_ip9.org edited the test plan for this revision.

Added handling for EAGAIN on write() (not sure if that case is reachable).

des accepted this revision. Aug 14 2018, 12:10 AM
des edited reviewers, added: des; removed: manpages.
This revision is now accepted and ready to land. Aug 14 2018, 12:11 AM
This revision was automatically updated to reflect the committed changes.