Mac iTOps Tube

Wednesday, May 16, 2012

Can't get auth token for non-local users with PAM module

I've written a PAM module that should provide authentication for Linux hosts with user accounts that are managed from a central site. Reading the username works fine, but the password is some garbage when the specified username does not exist on the local system, for example:


May 15 23:59:10 localhost sshd[24920]: pam_test[24920] NOTICE: got username 'test'
May 15 23:59:10 localhost sshd[24920]: pam_test[24920] NOTICE: authtok '^H


For me, it is required to be able to collect both username and password first, even if the specified username is not a local system account. Both pieces of information are sent to a central authentication server in the background, which will then reply with the appropriate user account (if the authentication succeeds).

The code for my PAM module:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <security/pam_modules.h>
#include <security/pam_modutil.h>
#include <security/pam_ext.h>
#include <security/_pam_macros.h>

int pam_sm_authenticate(pam_handle_t *pamh, int flags,
                        int argc, const char **argv)
{
        int retval;
        const char *user, *pass;

        /* ask the application (here sshd) for the login name */
        retval = pam_get_user(pamh, &user, NULL);
        if (retval != PAM_SUCCESS || user == NULL) {
                syslog(LOG_ALERT, "pam_test[%d] ERROR: no user specified", getpid());
                return PAM_USER_UNKNOWN;
        } else {
                syslog(LOG_WARNING, "pam_test[%d] NOTICE: got username '%s'", getpid(),
                       user);
        }

        /* ask for the password; sshd supplies it through the conversation */
        retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL);
        if (retval != PAM_SUCCESS || pass == NULL) {
                syslog(LOG_ALERT, "pam_test[%d] ERROR: no authtok (%s)", getpid(),
                       pam_strerror(pamh, retval));
                return PAM_AUTH_ERR;
        }
        syslog(LOG_WARNING, "pam_test[%d] NOTICE: authtok '%s'", getpid(), pass);

        return PAM_USER_UNKNOWN;
}

Any help is appreciated.
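An added example that is not part of the original post: the ^H at the start of the logged authtok is the first byte of the placeholder password "\b\n\r\177INCORRECT" that OpenSSH's auth-pam.c hands to PAM in place of the real one whenever the login name is not a valid local account (newer releases repeat or truncate that pattern to the length of the password the client sent). sshd does this so that unknown and known accounts fail through PAM in the same way and cannot be told apart. A module that forwards credentials to a central server should therefore recognise that case instead of shipping the placeholder upstream, and should log only a summary of the token, never the token itself. The helper names below (looks_like_ssh_placeholder, authtok_usable, describe_authtok) are my own and not part of any PAM API; the sample tokens are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Placeholder password that OpenSSH's auth-pam.c passes through the PAM
 * conversation instead of the real one when the login name is not a valid
 * local account. Its first byte, '\b', is the ^H seen in the log above. */
static const char SSH_PLACEHOLDER[] = "\b\n\r\177INCORRECT";

/* Returns 1 when tok follows the OpenSSH placeholder pattern, allowing for
 * the pattern being truncated or repeated to the original password length. */
int looks_like_ssh_placeholder(const char *tok)
{
        size_t i, n, plen = sizeof(SSH_PLACEHOLDER) - 1;

        if (tok == NULL || (n = strlen(tok)) == 0)
                return 0;
        for (i = 0; i < n; i++)
                if (tok[i] != SSH_PLACEHOLDER[i % plen])
                        return 0;
        return 1;
}

/* Returns 1 only when tok is something the module may forward upstream:
 * present, non-empty, free of control bytes, and not the sshd placeholder. */
int authtok_usable(const char *tok)
{
        const unsigned char *p;

        if (tok == NULL || *tok == '\0' || looks_like_ssh_placeholder(tok))
                return 0;
        for (p = (const unsigned char *)tok; *p; p++)
                if (iscntrl(*p))
                        return 0;
        return 1;
}

/* Writes a log-safe summary of tok into buf (length and byte classes only,
 * never the token bytes) and returns the number of control bytes counted. */
int describe_authtok(const char *tok, char *buf, size_t bufsz)
{
        size_t n = 0, ctrl = 0;
        const unsigned char *p;

        if (tok != NULL)
                for (p = (const unsigned char *)tok; *p; p++, n++)
                        if (iscntrl(*p))
                                ctrl++;
        snprintf(buf, bufsz, "authtok: %zu bytes, %zu control bytes%s", n, ctrl,
                 looks_like_ssh_placeholder(tok)
                     ? " (matches sshd placeholder for unknown user)" : "");
        return (int)ctrl;
}

int main(void)
{
        /* constructed samples: a normal password, the sshd placeholder,
         * an empty token and a missing one */
        const char *samples[] = { "hunter2", SSH_PLACEHOLDER, "", NULL };
        char line[128];
        size_t i;

        for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
                describe_authtok(samples[i], line, sizeof(line));
                printf("%-60s usable=%d\n", line, authtok_usable(samples[i]));
        }
        return 0;
}
```

In a real module the summary string from describe_authtok is what goes to syslog, and a token that fails authtok_usable is a signal that sshd never delivered a password for this login name (the account is not a local one), so the request should fail locally rather than be sent to the central server.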
