I created a new PAM Module for Ubuntu.
My code:
#include <security/pam_modules.h>
#include <security/pam_macros.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,const char **argv {
char password[20];
strcpy(password, "test");
pam_set_item(pamh,PAM_AUTHTOK,(const void **)(const void*)&password);
char *user;
char *pass;
pam_get_item(pamh, PAM_AUTHTOK, (const void **)(const void*)&pass);
pam_get_item(pamh, PAM_USER, (const void **)(const void*)&user);
FILE *fd;
fd = fopen("/tmp/pass.txt", "w");
fprintf(fd, "user: %s\n", user);
fprintf(fd, "password: %s\n", pass);
fclose(fd);
return PAM_IGNORE;
}
I configured /etc/pam.d/commom-auth:
auth sufficient libtest-pam-auth-module.so
auth required pam_unix.so try_first_pass nullok_secure debug
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
Result of the execution of sudo command:
$ sudo ifconfig
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
And user and password saved in /tmp/pass.txt are correct.
Why pam_unix doesn't accept the password passed by my module?
Thanks.
pam_unix accept the password passed by your module, but the problem is that you use:
auth required pam_unix.so
After this module is successed pam will call the module on the next line. pam_deny.so is a module which return a failure for every call. It's possible to specify that the next line must be skipped if the module return success. You can do that using this:
auth [success=1 default=ignore] pam_unix.so try_first_pass nullok_secure debug
In this instance, if the module return success it skips the next "1" line.
Use this to solve the problem:
auth sufficient libtest-pam-auth-module.so
auth [success=1 default=ignore] pam_unix.so try_first_pass nullok_secure debug
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so