jeroennijhof/pam_script

complete working PAM example for RHEL 7 (clones)

Opened this issue · 1 comment

Hi, we're moving forward with the POC and I'd like to use the software as intended (based on exit codes). I can get it to work, but if I rely on the exit codes it logs a PAM error to the OS log. I had opened another issue (#11) with details of my setup. You had replied that the issue is that other PAM modules are attempting to run (required modules). I tried every combination and order of the PAM config that I could think of and it still doesn't seem to be the correct order.

Can you please post a complete working PAM example file that I can look at and try to figure out why my setup is not working? I'd like to see a complete PAM config file, not just the lines to add but the whole file so I can see where in the file the lines are being added where it works properly.

If you have a RHEL example that would be nice since that's what I'm using. I have been adding my lines to /etc/pam.d/sshd. Thanks for your help.
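An added example, not part of this issue and not from the pam_script project: the complete /etc/pam.d/sshd that openssh-server installs on RHEL 7, with one pam_script line added in the auth section. Everything outside the "Added" comment block is the stock file as I know it from a RHEL 7 install; check it against your own copy before replacing anything. The script directory /etc/pam-script.d is an assumption; use whatever dir= your build of pam_script expects.

```text
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
# Added: pam_script_auth runs after the password-auth substack. password-auth
# is pulled in with "substack", so a "sufficient" success inside it (pam_unix)
# only ends the substack and control still reaches this line. A non-zero exit
# from /etc/pam-script.d/pam_script_auth denies the login.
auth       required     pam_script.so dir=/etc/pam-script.d
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
```

Two things to keep in mind with this placement. Because the added line is "required", the script also runs when the password check inside password-auth has already failed; its exit status cannot turn that failure into a success, it can only add a failure of its own. And when the script exits non-zero, pam_script returns an authentication error and sshd logs it like any other failed login, which is what relying on exit codes to deny looks like from the log's point of view.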

I'm using vsftpd as an example:

  • vsftpd authenticates virtual account users (username/password) via pam_url, using pam_script_auth
  • vsftpd checks the virtual account user via pam_url, using pam_script_acct

My configuration:
  1. create pam_script_auth and chmod +x pam_script_auth
  2. configure vsftpd to use PAM for authentication; after the authentication process succeeds, pam_script_auth will be executed
  3. the web server should respond with exactly the string given in pam_url.conf (returncode)

the config file:

  • /etc/pam_url.conf
pam_url:
{
    settings:
    {
        url         = "http://127.0.0.1:5000/account/check"; # URI to fetch; the username and password are posted to it,
                                                             # so plain http is only acceptable on loopback like here
        returncode  = "OK";                        # The remote script/cgi should return a 200 http code and this string as its only results
        userfield   = "username";                      # userfield name to send
        passwdfield = "password";                     # passwdfield name to send
        extradata   = "&do=login";                 # extra data to send
        prompt      = "Token: ";                   # password prompt
    };

    ssl:                                                  # only used when url is https://
    {
        verify_peer = true;                               # Verify peer?
        verify_host = true;                               # Make sure peer CN matches?
        client_cert = "/etc/pki/tls/certs/totpcgi.crt";   # Client-side certificate
        client_key  = "/etc/pki/tls/private/totpcgi.pem"; # Client-side key
        ca_cert     = "/etc/pki/tls/certs/ca-bundle.crt"; # ca cert - defaults to ca-bundle.crt
    };
};

  • /etc/pam.d/vsftpd

# Auth in pam_url. "requisite": a wrong username/password ends the stack
# right here with a failure. With "sufficient" a pam_url success returns to
# vsftpd before pam_script ever runs, and a pam_url failure is ignored and
# falls through to pam_script, whose script exits 0 (and onerr=success would
# mask a script error anyway), so any username/password would be accepted.
auth requisite pam_url.so [config=/etc/pam_url.conf]
# Runs only after pam_url accepted the user. dir= must be the directory that
# holds pam_script_auth (the script below lives in /etc/pam-script.d).
auth required pam_script.so dir=/etc/pam-script.d

# Account in pam_url
account required pam_url.so [config=/etc/pam_url.conf]

  • /etc/pam-script.d/pam_script_auth

#!/bin/sh
# Exit status is what pam_script reports to PAM: 0 = success, non-zero = deny.
set -eu
# Debug only: root appending into /tmp can be redirected through a planted symlink.
echo "I got here: $PAM_USER" >> /tmp/script.out 2>&1
# PAM_USER is client-supplied; reject anything but a plain account name before
# using it in a path (stops "../.." from making the chown below hit /etc).
case "$PAM_USER" in ''|.*|*[!A-Za-z0-9._-]*) exit 1 ;; esac
home="/alochym/ftp/$PAM_USER"
if [ ! -d "$home" ]; then
  mkdir "$home"
  chown vsftpd:vsftpd "$home"
fi
exit 0
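Both posts above come down to the same question: in what order do the modules in an auth stack run, and which one's result the application sees. The following is an added example, not code from pam_script or from either poster: a small evaluator for the four classic Linux-PAM control words (required, requisite, sufficient, optional) with the semantics documented in pam.d(5), applied to the vsftpd stack as posted and to a corrected version. The names stack_as_posted, stack_corrected and pam_script_result are mine; the mapping of the script's exit status (0 = PAM_SUCCESS, non-zero = PAM_AUTH_ERR unless onerr=success) is my reading of pam_script's documentation, not a quote of its source.

```python
"""Evaluate a Linux-PAM auth stack the way pam.d(5) describes the control
words, to show which modules run and what the application gets back.
Added example; not part of pam_script or of the issue above."""

from dataclasses import dataclass
from typing import List, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"


@dataclass
class Module:
    name: str
    control: str   # required | requisite | sufficient | optional
    result: str    # code the module returns if it is actually invoked


def pam_script_result(exit_status: int, onerr: str = "fail") -> str:
    """Map a pam_script_auth exit status to the code pam_script returns.
    Assumption: exit 0 is success; any other exit is a failure, and
    onerr=success turns that failure into PAM_SUCCESS."""
    if exit_status == 0:
        return PAM_SUCCESS
    return PAM_SUCCESS if onerr == "success" else PAM_AUTH_ERR


def run_stack(stack: List[Module]) -> Tuple[str, List[str]]:
    """Walk the stack top to bottom and return (overall result, modules invoked).

    required:   failure is remembered, but the rest of the stack still runs
    requisite:  failure ends the stack immediately with that failure
    sufficient: success ends the stack with PAM_SUCCESS unless an earlier
                required module failed; a failure is simply ignored
    optional:   only counts if it is the only module in the stack
    """
    invoked: List[str] = []
    first_required_failure = None
    for m in stack:
        invoked.append(m.name)
        ok = m.result == PAM_SUCCESS
        if m.control == "required":
            if not ok and first_required_failure is None:
                first_required_failure = m.result
        elif m.control == "requisite":
            if not ok:
                return m.result, invoked
        elif m.control == "sufficient":
            if ok and first_required_failure is None:
                return PAM_SUCCESS, invoked
        elif m.control == "optional":
            if len(stack) == 1:
                return m.result, invoked
        else:
            raise ValueError(f"unknown control word {m.control!r}")
    if first_required_failure is not None:
        return first_required_failure, invoked
    return PAM_SUCCESS, invoked


def stack_as_posted(url_result: str, script_exit: int) -> List[Module]:
    """auth sufficient pam_url.so / auth required pam_script.so onerr=success"""
    return [
        Module("pam_url", "sufficient", url_result),
        Module("pam_script", "required", pam_script_result(script_exit, "success")),
    ]


def stack_corrected(url_result: str, script_exit: int) -> List[Module]:
    """auth requisite pam_url.so / auth required pam_script.so"""
    return [
        Module("pam_url", "requisite", url_result),
        Module("pam_script", "required", pam_script_result(script_exit)),
    ]


if __name__ == "__main__":
    # Constructed inputs: every combination of pam_url verdict and script exit.
    for label, build in (("as posted", stack_as_posted), ("corrected", stack_corrected)):
        for url in (PAM_SUCCESS, PAM_AUTH_ERR):
            for code in (0, 1):
                result, ran = run_stack(build(url, code))
                print(f"{label:9} pam_url={url:12} script exit={code}: {result:12} ran={ran}")
```

Running it shows the two problems with the stack as posted in one table: when pam_url accepts the user, the "sufficient" success returns to vsftpd and pam_script is never invoked, so the home directory is not created on the path the poster expected; when pam_url rejects the user, the failure is ignored, pam_script runs, the script exits 0, and the overall result is PAM_SUCCESS, which is an authentication bypass. With "requisite" on pam_url the rejection ends the stack, and the script runs only after a successful pam_url check, with its own non-zero exit denying the login.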