On Linux PAM, pam_exec(8) expose_authtok sends the password followed by a NUL character. The FreeBSD version doesn't send the NUL. The invoked program may or may not notice, depending on the language, but since the point of expose_authtok is to be compatible with Linux PAM we should send that trailing NUL too.
- rS338453: For full Linux-PAM compatibility, add a trailing NUL character when
Create an executable script /tmp/test.sh to dump the password into a file:
    #!/bin/sh
    cat > /tmp/captured
Create a service file /etc/pam.d/my-service containing:
    auth required /path/to/pam_exec.so expose_authtok /tmp/test.sh
    account required pam_permit.so
Install pamtester with pkg, and then test with:
    pamtester my-service abc authenticate
Enter "hello" at the password prompt. Now od -c /tmp/captured should show:
    0000000 h e l l o \0
    0000006
The same test run on a Linux system ("apt-get install pamtester" for Debian) shows the same output.
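A program invoked through expose_authtok may have to run against both behaviours, with and without the trailing NUL. The following is an added example, not code from this revision or from FreeBSD: a reader that accepts either framing and rejects oversize input or a NUL inside the token. The names read_authtok and authtok_from_bytes are hypothetical, and the pipe helper uses constructed input.

```c
#include <string.h>
#include <unistd.h>

/* Read the token pam_exec writes to stdin under expose_authtok. Accepts both
 * framings, "password\0" and bare "password". Returns the password length with
 * buf NUL-terminated, or -1 on read error, oversize input or an embedded NUL. */
ssize_t read_authtok(int fd, char *buf, size_t cap)
{
	size_t len = 0;
	ssize_t n = 0;
	char extra;
	if (cap < 2)
		return -1;
	while (len < cap && (n = read(fd, buf + len, cap - len)) > 0)
		len += (size_t)n;
	if (n < 0)
		goto fail;
	/* A full buffer is valid only as cap-1 bytes plus NUL, then EOF. */
	if (len == cap && (buf[cap - 1] != '\0' || read(fd, &extra, 1) != 0))
		goto fail;
	if (len > 0 && buf[len - 1] == '\0')
		len--;                      /* drop the single trailing NUL */
	if (memchr(buf, '\0', len) != NULL)
		goto fail;                  /* NUL inside the token: reject */
	buf[len] = '\0';
	return (ssize_t)len;
fail:
	for (volatile char *p = buf; p < buf + cap; p++)
		*p = '\0';                  /* leave no partial secret behind */
	return -1;
}

/* Constructed test helper: feed n bytes through a pipe, as pam_exec would. */
ssize_t authtok_from_bytes(const char *data, size_t n, char *buf, size_t cap)
{
	int p[2];
	ssize_t r;
	if (pipe(p) != 0 || write(p[1], data, n) != (ssize_t)n)
		return -1;
	close(p[1]);
	r = read_authtok(p[0], buf, cap);
	close(p[0]);
	return r;
}

int main(void)
{
	char pw[512];	/* exit status 0 when stdin holds an acceptable token */
	return read_authtok(STDIN_FILENO, pw, sizeof pw) < 0;
}
```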