How to retrieve user password in cleartext using PAM?

Asked 11/10, 2011 at 12:5 Answered 1/10, 2016 at 1:48

I am writing a PAM module which writes the username/password in a file for further transaction by an other application. I only saw the PAM_AUTHTOK item but I'm not sure from which type is it. Anybody knows that or another way to get the cleartext password?

Energy answered 11/10, 2011 at 12:5 Comment(2)

Most (good) authentication systems don't store the cleartext password; they hash or otherwise one-way encrypt the incoming password and store that, and use it for future comparisons. – Loaves 11/10, 2011 at 12:11

@Joe, that's true, but you're looking at this from the wrong side of the transaction. PAM is the part that prompts you for your password and then validates; it doesn't "store" the password. So PAM modules do have access to the cleartext password (this is what allows the use_first_pass option on many PAM modules to work). – Caudle 11/10, 2011 at 13:36

This is a very old thread, but there is also pam_exec: https://linux.die.net/man/8/pam_exec

e.g. Something like the following in the PAM Config:

auth sufficient pam_exec.so expose_authtok /usr/local/bin/myscript-example

Contents of myscript-example, echoing all the vars out:

#!/bin/sh
read password
echo "User: $PAM_USER"
echo "Ruser: $PAM_RUSER"
echo "Rhost: $PAM_RHOST"
echo "Service: $PAM_SERVICE"
echo "TTY: $PAM_TTY"
echo "Password : $password"
exit $?

Cockburn answered 1/10, 2016 at 1:48 Comment(2)

Well, that may be so, but it will be a little difficult getting a shell script to compile as a C program, unless I'm missing something obvious... – Thoroughbred 1/10, 2016 at 1:53

@DavidC.Rankin pam_exec allows you to run a script and passes PAM related variables over to it (Hence the $PAM_USER, etc). This effectively allows you to write a PAM module in any language supported by the OS. Take a look at the linked Doc and you will see. – Cockburn 1/10, 2016 at 12:24

Have you read the Linux-PAM Application Developer's Guide? On a RHEL-type system this will be in /usr/share/doc/pam-devel-<version>/Linux-PAM_ADG.txt, or you can find it online at online at various places.

Take a look at the Getting PAM items section, which documents the pam_get_item() function. You can request the password with the PAM_AUTH_TOK constant:

PAM_AUTHTOK

The authentication token (often a password). This token should be ignored
by all module functions besides pam_sm_authenticate(3) and pam_sm_chauthtok
(3). In the former function it is used to pass the most recent
authentication token from one stacked module to another. In the latter
function the token is used for another purpose. It contains the currently
active authentication token.

Caudle answered 11/10, 2011 at 13:39 Comment(0)

How about just printing the contents of PAM_AUTHTOK when you're debugging? To make a meaningful use of it you must have some sort of a contract or convention between modules anyway.

By the way: there is a difference between keeping a cleartext password in memory and erasing it from there as soon as possible (or better: locking that region in RAM, or having encrypted swap), and writing that cleartext password to disk. The latter is just sooo insecure, don't do that.

Glazer answered 30/12, 2011 at 17:0 Comment(0)

Recommended topics

Hot tags