Linux custom authentication with pam_exec
I'm having trouble finding an example on how to use pam_exec to run an external program that will authenticate users when they log in.

I have the following in my pam.d file:

auth required pam_exec.so debug log=/tmp/aa /path/to/myscript

What should my script contain to allow or disallow authentication?

Fennell answered 26/3, 2013 at 15:28

pam_exec will simply examine the exit code of your script. If it is not equal to zero, you will have denied authorization.

Wolk answered 10/10, 2013 at 2:47

Comment (Angarsk): My script exits with status 0, but PAM still denies auth with 0: NO "authentication failed"

In reaction to the above comment: In my case, the auth script was OK, but PAM failed at the account stage:

authentication: pam_unix(postgresql:account): could not identify user (from getpwnam(myuser))

This is logged to syslog (if you are tinkering with PAM in Docker, pass -v /dev/log:/dev/log to docker run to see the PAM syslog messages in the host's syslog).

The solution was to add the following to the pam.d file:

account sufficient pam_permit.so
Strengthen answered 21/7, 2020 at 13:44
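The two answers above together describe the whole contract: pam_exec runs the script with PAM_USER, PAM_SERVICE, PAM_TYPE, PAM_TTY, PAM_RHOST and PAM_RUSER in its environment, maps exit status 0 to success and anything else to failure, and (with the log= option from the question) appends whatever the script prints to that file. The following script is an added example written for this thread, not code from any of the answers; the allow-list file path and the PAM_EXEC_ALLOWLIST override are my own assumptions, and the sample allow-list it can write is constructed for trying it outside PAM. It can be referenced from both the auth line in the question and an account line (the same script, with PAM_TYPE set to account), which is a tighter alternative to the pam_permit.so line in the last answer.

```shell
#!/bin/sh
# Added example for pam_exec (not from the original thread). Intended to be the
# /path/to/myscript in:
#   auth    required pam_exec.so debug log=/tmp/aa /path/to/myscript
#   account required pam_exec.so debug log=/tmp/aa /path/to/myscript
# pam_exec passes the exit status back to the stack: 0 allows, non-zero denies.
# Anything echoed here lands in the log= file, not on the user's terminal.

# Assumption: one user name per line in this file; override with PAM_EXEC_ALLOWLIST.
ALLOWLIST="${PAM_EXEC_ALLOWLIST:-/etc/security/pam_exec_allowlist}"

# pam_decide USER TYPE ALLOWLIST
# Returns 0 when USER is listed as a whole line in ALLOWLIST, 1 otherwise.
# The decision is deny-by-default: an empty user, a user name containing
# characters outside [A-Za-z0-9._-], or an unreadable list all deny.
pam_decide() {
    user="$1"
    type="$2"
    list="$3"
    case "$user" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ -r "$list" ] || return 1
    # -x: whole-line match, -F: fixed string (no regex), -q: no output.
    grep -qxF -- "$user" "$list"
}

# Writes a constructed sample allow-list (users alice and bob) to a temporary
# file and prints its path, so the decision logic can be exercised by hand.
write_sample_allowlist() {
    f="${TMPDIR:-/tmp}/pam_exec_allowlist.$$"
    printf '%s\n' alice bob > "$f"
    echo "$f"
}

# pam_exec always sets PAM_USER; when the script is run by hand without it,
# only the functions above are defined and no decision is made.
if [ -n "${PAM_USER:-}" ]; then
    if pam_decide "$PAM_USER" "${PAM_TYPE:-}" "$ALLOWLIST"; then
        echo "allow user=$PAM_USER service=${PAM_SERVICE:-?} type=${PAM_TYPE:-?}"
        exit 0
    else
        echo "deny user=$PAM_USER service=${PAM_SERVICE:-?} type=${PAM_TYPE:-?}"
        exit 1
    fi
fi
```

The account line above keeps the module order explicit: PAM still runs the account stage after auth succeeds, and if nothing in that stage returns success the login fails exactly as the last answer describes; routing the account stage through the same allow-list is stricter than pam_permit.so, which accepts every user. Note that reading the password itself requires the expose_authtok option (the password then arrives on the script's stdin), which the question's configuration does not use, so this script decides on the user name only.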
