如何使用不具有root特权的PAM验证用户名/密码 [英] How to authenticate username/password using PAM w/o root privileges
问题描述
我有用C编写的程序.它使用2个参数username/password并尝试使用PAM对该用户进行身份验证.当我生根时,它工作正常.当我是普通"用户时,它适用于该用户,但不适用于另一用户.我认为,这是由于使用了影子密码.
I have program written in C. It takes 2 arguments username/password and try to authenticate this user using PAM. It works fine when I'm root. When I'm 'normal' user, it works for this user, but not for another one. I think, it's due to using shadow passwords..
我正在使用的服务:
retval = pam_start("test", username, &local_conversation, &local_auth_handle);
我将此添加到/etc/pam.d/test
I add this to the /etc/pam.d/test
#%PAM-1.0
auth required pam_unix.so shadow nullok
account required pam_unix.so
session required pam_unix.so
能帮我吗? 非常感谢!
Could you help me, please? Thanks a lot!
推荐答案
该应用程序需要能够读取/etc/shadow
.
The application needed to be able to read /etc/shadow
.
请参见我的帖子一种实现方法.
如果链接断开,请从上面的链接添加帖子
Add post from above link in case the link ever breaks
我用C ++编写了身份验证模块,该模块可以检查 通过Linux中的PAM使用用户名/密码(我使用的是Fedora Linux).一世 想要与您分享我的所作所为:-).所以,我们开始:-)
I wrote authentication module in C++ which alows to check username/password through PAM in Linux (I’m using Fedora Linux). I would like to share with you, what I made :-) . So, let’s go :-)
先决条件:
Install package pam-devel
(This step is necessary when you use shadow password) Create new Linux user and group. Set this group as default for this user. Then
遵循以下步骤: 转到/etc 以root身份登录(su) 将组更改为用于文件阴影的新组(chgrp new_group阴影) 为此组设置读取"特权(chmod 0440阴影)
follow with these steps: Go to /etc Log in as root (su) Change group to the new one for file shadow (chgrp new_group shadow) Set ‘read’ privilage for this group (chmod 0440 shadow)
编写此代码:(authModule.c)将明文复制到剪贴板打印吗?
Write this code: (authModule.c) view plaincopy to clipboardprint?
#include <stdio.h>
#include <security/pam_appl.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
struct pam_response *reply;
// //function used to get user input
int function_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
{
*resp = reply;
return PAM_SUCCESS;
}
int authenticate_system(const char *username, const char *password)
{
const struct pam_conv local_conversation = { function_conversation, NULL };
pam_handle_t *local_auth_handle = NULL; // this gets set by pam_start
int retval;
retval = pam_start("su", username, &local_conversation, &local_auth_handle);
if (retval != PAM_SUCCESS)
{
printf("pam_start returned: %d\n ", retval);
return 0;
}
reply = (struct pam_response *)malloc(sizeof(struct pam_response));
reply[0].resp = strdup(password);
reply[0].resp_retcode = 0;
retval = pam_authenticate(local_auth_handle, 0);
if (retval != PAM_SUCCESS)
{
if (retval == PAM_AUTH_ERR)
{
printf("Authentication failure.\n");
}
else
{
printf("pam_authenticate returned %d\n", retval);
}
return 0;
}
printf("Authenticated.\n");
retval = pam_end(local_auth_handle, retval);
if (retval != PAM_SUCCESS)
{
printf("pam_end returned\n");
return 0;
}
return 1;
}
int main(int argc, char** argv)
{
char* login;
char* password;
printf("Authentication module\n");
if (argc != 3)
{
printf("Invalid count of arguments %d.\n", argc);
printf("./authModule <username> <password>");
return 1;
}
login = argv[1];
password = argv[2];
if (authenticate_system(login, password) == 1)
{
printf("Authenticate with %s - %s through system\n", login, password);
return 0;
}
printf("Authentication failed!\n");
return 1;
}
编译代码:
gcc -o authModule authModule.c -lpam
以新用户身份运行代码!
Run code (as the new user!):
./authModule user password
仅此而已! :-)希望对您有所帮助!
That’s all!! :-) Hope it helps!
这篇关于如何使用不具有root特权的PAM验证用户名/密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!