Date:      Wed, 26 Apr 2023 17:35:55 +0300
From:      George Kontostanos <gkontos.mail@gmail.com>
To:        freebsd-hackers@freebsd.org
Subject:   Re: Interacting with PAM issues
Message-ID:  <CA%2BdUSyqpe_OxmBbRHKeqsA53BmzmDO7BmRuEgdp7_Oa9E-rZSA@mail.gmail.com>
In-Reply-To: <9e35b8cb-e5de-bdb5-c2da-cee44e18683c@yahoo.com>
References:  <31aa9f0f-44d9-fb61-2eb3-36af63ce9ed7@yahoo.com> <9e35b8cb-e5de-bdb5-c2da-cee44e18683c@yahoo.com>

unsubscribe

On Wed, Apr 26, 2023 at 9:26 AM Mikhail Zakharov <zmey20000@yahoo.com> wrote:
>
> FWD to record the solution in the history of the maillist.
>
> Exactly what is required, for the exact mentioned purpose of a terminal
> screenlocker application: https://github.com/mezantrop/sclocka. Thank
> you again!
>
> Best,
> M
>
> On 4/25/2023 9:20 PM, Jesper Schmitz Mouridsen wrote:
> > Hi
> >
> > Yes for pam_unix.so root is always required.
> >
> > The following gives some background info and might help you
> >
> > https://github.com/Zirias/unix-selfauth-helper
> >
> > ported in security/unix-selfauth-helper
> >
> > On 25.04.2023 20.50, Mikhail Zakharov wrote:
> >> Wow! Thanks Jesper, it really works as root!
> >>
> >> But, I'd like to avoid running as root. The goal is to re-check the
> >> user's password to ensure this is still the same user working on. I
> >> looked through https://docs.freebsd.org/en/articles/pam/ and
> >> unfortunately didn't see anything appropriate except pam_unix. So, am
> >> I doomed to SUID?
> >>
> >> Best,
> >>
> >> M
> >>
> >> On 4/25/2023 8:12 PM, Jesper Schmitz Mouridsen wrote:
> >>> Hi
> >>>
> >>> If I am not mistaken pam_unix.so requires root so try to run your
> >>> program as root.
> >>>
> >>> On 25.04.2023 20.05, Mikhail Zakharov wrote:
> >>>> No, just a common user, id 1001
> >>>>
> >>>> On 4/25/2023 8:01 PM, Jesper Schmitz Mouridsen wrote:
> >>>>>
> >>>>>
> >>>>> On 25.04.2023 19.26, Mikhail Zakharov wrote:
> >>>>>> Hi,
> >>>>>>
> >>>>>> I'm trying to write a custom PAM conversation function and
> >>>>>> perform authentication (re-check password) for my already logged
> >>>>>> in user. Below is the function:
> >>>>>>
> >>>>>> int pam_conv(int n, const struct pam_message **msg, struct
> >>>>>> pam_response **resp,  void *data) {
> >>>>>>
> >>>>>>      struct pam_response *pr;
> >>>>>>      int i;
> >>>>>>
> >>>>>>
> >>>>>>      if (n <= 0 || n > PAM_MAX_NUM_MSG) return PAM_CONV_ERR;
> >>>>>>      if ((pr = calloc(n, sizeof(*pr))) == NULL) return PAM_BUF_ERR;
> >>>>>>
> >>>>>>      for (i = 0; i < n; i++) {
> >>>>>>          pr[i].resp = NULL;
> >>>>>>          pr[i].resp_retcode = 0;
> >>>>>>          switch (msg[i]->msg_style) {
> >>>>>>              case PAM_PROMPT_ECHO_OFF:
> >>>>>>              case PAM_PROMPT_ECHO_ON:
> >>>>>>                  pr[i].resp = strdup(passwd);
> >>>>>>                  break;
> >>>>>>              case PAM_ERROR_MSG:             /* Do we need this? */
> >>>>>>              case PAM_TEXT_INFO:
> >>>>>>                  fprintf(stderr, "\n\r%s\n", msg[i]->msg);
> >>>>>>                  break;
> >>>>>>              default:
> >>>>>>                  /* Clear possible passwords in responses; then
> >>>>>> free memory */
> >>>>>>                      for (i = 0; i < n; i++)
> >>>>>>                          if (pr[i].resp) {
> >>>>>>                              memset(pr[i].resp, 0,
> >>>>>> strlen(pr[i].resp));
> >>>>>>                              free(pr[i].resp);
> >>>>>>                          }
> >>>>>>                  free(pr);
> >>>>>>                  *resp = NULL;
> >>>>>>                  return PAM_CONV_ERR;
> >>>>>>          }
> >>>>>>      }
> >>>>>>      *resp = pr;
> >>>>>>      return PAM_SUCCESS;
> >>>>>> }
> >>>>>>
> >>>>>> And that's how I call it:
> >>>>>>
> >>>>>> int pam_auth(char *user) {
> >>>>>>      static pam_handle_t *pamh;
> >>>>>>      static struct pam_conv pamc;
> >>>>>>      int rval;
> >>>>>>      char *tty_name;
> >>>>>>
> >>>>>>
> >>>>>>      pamc.conv = &pam_conv;
> >>>>>>      /* Pretend we want login service */
> >>>>>>      rval = pam_start("login", user, &pamc, &pamh);
> >>>>>>      tty_name = ttyname(STDIN_FILENO);
> >>>>>>      if (rval == PAM_SUCCESS) rval = pam_set_item(pamh, PAM_TTY,
> >>>>>> tty_name);
> >>>>>>      if (rval == PAM_SUCCESS) rval = pam_authenticate(pamh, 0);
> >>>>>>      if (pam_end(pamh, rval) != PAM_SUCCESS) pamh = NULL;
> >>>>>>
> >>>>>>      return rval == PAM_SUCCESS ? 0 : 1;
> >>>>>> }
> >>>>>>
> >>>>>> Well, PAM login allows to login as the same user without
> >>>>>> checking a password:
> >>>>>>
> >>>>>> # auth
> >>>>>> auth            sufficient      pam_self.so no_warn
> >>>>>> auth            include         system
> >>>>>>
> >>>>>> When trying other services e.g. "system", "ssh", "other"
> >>>>>> pam_authenticate() returns Authentication error, PAM error 9.
> >>>>>>
> >>>>>> What do I do wrong? Surprisingly, I do not see the same issue on
> >>>>>> Mac and Centos.
> >>>>>>
> >>>>>> Best, Mikhail Zakharov
> >>>>>>
> >>>>>>
> >>>>> Hi
> >>>>> Do you run it as root?
> >>>>>
> >>>>>
>


-- 
George Kontostanos
---


