[SOLVED] PAM Authentication - how to hand user/pass vars to
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 16
- Joined: Wed Sep 29, 2010 10:21 pm
[SOLVED] PAM Authentication - how to hand user/pass vars to
I'm trying to configure PAM authentication such that a script is called that will perform an external authentication routine.
I set up the PAM module, it calls an "openvpn" PAM service, which uses pam_exec.so to call my script. All is well, the script executes (and in its current state of development successfully writes out the environment variables and parameters).
But I can't figure out how to get the username/password to my script. I've tried every resource google will feed me, and nothing really talks about passing parameters, so maybe I'm still missing some fundamental truth about how PAM works.
I need to run this through PAM because the authentication process is a 3-5 second task that clearly shouldn't lock up the whole system to perform.
Config to date:
server.conf
plugin /usr/local/openvpn/sbin/openvpn-auth-pam.so "openvpn name USERNAME password PASSWORD"
/etc/pam.d/openvpn
auth required pam_exec.so /tmp/outputenv
/tmp/outputenv
<writes environment and parameters to a file to validate it was called>
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: PAM Authentication - how to hand user/pass vars to a scr
this seems like a pam question and not an OpenVPN question. Nevertheless an interesting question ;)
I did a quick google search and found http://serverfault.com/questions/117857 ... n-with-pam
the second comment on the 'pam_exec' post seems to do what you want:
Based on my man-page I can guess though, that you want something like: auth requisite pam_exec.so expose_authtok seteuid /usr/sbin/password-checking-program where /usr/sbin/password-checking-program reads the password on stdin and returns 0 (success) if it is valid and anything else if it isn't.
-
- OpenVpn Newbie
- Posts: 16
- Joined: Wed Sep 29, 2010 10:21 pm
Re: PAM Authentication - how to hand user/pass vars to a scr
Oh oh oh, so close now I can taste it!
You are correct, expose_authtok does write to stdin, but only the password. Now I've got the password, but can't figure out the username.
And yeh, I know this isn't openvpn explicitly, but I was hoping this had been done by others for openvpn as well. PAM support seems as decentralized as the concept of decentralized authentication.
perhaps my use of pam_exec.so is off base, it seems like the module has to somehow "query" for a piece of information, as suggested by the openvpn pam module man page:
plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"
tells auth-pam to (a) use the "login" PAM module, (b) answer a
"login" query with the username given by the OpenVPN client, and
(c) answer a "password" query with the password given by the
OpenVPN client. This provides flexibility in dealing with the different
types of query strings which different PAM modules might generate.
For example, suppose you were using a PAM module called
"test" which queried for "name" rather than "login":
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: PAM Authentication - how to hand user/pass vars to a scr
from the 'pam_exec' man page http://www.kernel.org/pub/linux/libs/pa ... _exec.html:
The child's environment is set to the current PAM environment list, as returned by pam_getenvlist(3). In addition, the following PAM items are exported as environment variables: PAM_RHOST, PAM_RUSER, PAM_SERVICE, PAM_TTY, PAM_USER and PAM_TYPE, which contains one of the module types: account, auth, password, open_session and close_session.
so the username is known as an env var and the password is fed to your script with the right option set.
-
- OpenVpn Newbie
- Posts: 16
- Joined: Wed Sep 29, 2010 10:21 pm
Re: PAM Authentication - how to hand user/pass vars to a scr
That's what I thought. Ah, but I see one error in my ways. I was a DOS kid, I'm not much more than a power user of linux, so I tried using "set" to print the environment variables, and it sure looked like it printed them, not sure what it printed now actually. I should have used "printenv".
Ok, so did that but the only variables printed are:
PAM_SERVICE=openvpn
PAM_TYPE=auth
PWD=/usr/local/openvpn/bin
SHLVL=1
A__z="*SHLVL
I tried outputting $PAM_USER and $PAM_RUSER, but they aren't there. Bugger, even closer, this is at least 98% of the way there.
Ok, I'm going to dig in more this morning and I'm sure I'll figure this out shortly. Thanks for all the pointers, they've helped a lot!
-
- OpenVpn Newbie
- Posts: 16
- Joined: Wed Sep 29, 2010 10:21 pm
Re: PAM Authentication - how to hand user/pass vars to a scr
Got it!! And I stubbed my toe jumping up and down in frustration at the answer.
If you follow the example configuration for the PAM authentication module in openvpn it'll lead you astray in this case. The documentation example suggests an example configuration for server.config of:
plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"
So I was haplessly using:
plugin openvpn-auth-pam.so "openvpn login USERNAME password PASSWORD"
And when I finally tried (after about 30 hail-mary style guess-and-check attempts at every wild possibility under the sun) changing the configuration to:
plugin /usr/local/openvpn/sbin/openvpn-auth-pam.so "openvpn"
Voila!! Sweet success, but with a sort of lingering feeling that you somehow cheated to get the answer.
But thank you very much for the replies, they helped clear up a number of problems I had to deal with before this would have worked anyway.
To spell it out clearly, with the above configuration the username is passed to the script as PAM_USER, and the password is written to STDIN followed by an <EOF> marker. The file /etc/pam.d/openvpn has one line in it:
auth required pam_exec.so expose_authtok /usr/local/openvpn/bin/myshellscript
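A worked version of the helper that the configuration above hands the credentials to, added here as an example; it is not code from the original thread or from OpenVPN. It is the kind of script one would install as /usr/local/openvpn/bin/myshellscript: pam_exec.so exports PAM_USER (plus PAM_SERVICE and PAM_TYPE) in the environment and, because of expose_authtok, writes the password to the script's stdin, then reads the exit status. The credential table, the account names and the check_password() stand-in are constructed for the example; a real deployment would call the slow external routine there. It assumes sha256sum from coreutils (or busybox), awk, and optionally logger.

```shell
#!/bin/sh
# pam_exec helper for:
#   auth required pam_exec.so expose_authtok /usr/local/openvpn/bin/myshellscript
# Added example, not from the original thread. Contract with pam_exec.so:
#   - PAM_USER, PAM_SERVICE, PAM_TYPE (and PAM_RHOST/PAM_RUSER/PAM_TTY when set)
#     arrive as environment variables;
#   - with expose_authtok the password is written to stdin and stdin is closed
#     (recent pam_exec versions add a trailing newline, older ones do not);
#   - exit 0 means PAM_SUCCESS, any other status fails the auth step.
set -u

# Constructed credential table (hypothetical sample data): user:sha256(password).
# "alice" deliberately has the weak password "password"; "bob" has "abc".
CRED_TABLE='alice:5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
bob:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'

# PAM_USER is whatever the VPN client typed; accept only plain account names
# before it goes anywhere near another command or a log line.
valid_username() {
    [ ${#1} -le 32 ] || return 1
    case "$1" in
        '' | .* | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# sha256sum output is "<hex>  -"; keep only the digest.
sha256_of() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Stand-in for the slow external authentication routine the post describes.
# Succeeds only when the user exists and the password hashes to the stored value.
check_password() {
    cp_user=$1
    cp_pass=$2
    valid_username "$cp_user" || return 1
    cp_expected=$(printf '%s\n' "$CRED_TABLE" | awk -F: -v u="$cp_user" '$1 == u { print $2; exit }')
    [ -n "$cp_expected" ] || return 1
    [ "$(sha256_of "$cp_pass")" = "$cp_expected" ]
}

# Read the token pam_exec wrote to stdin (with or without a newline) and check it.
# Usage: authenticate_from_stdin <user>   (password on stdin)
authenticate_from_stdin() {
    af_tok=''
    IFS= read -r af_tok || [ -n "$af_tok" ] || return 1
    check_password "$1" "$af_tok"
    af_rc=$?
    af_tok=''
    return $af_rc
}

main() {
    # Only the auth stack delivers a token; refuse use from account/session stacks.
    [ "${PAM_TYPE:-}" = auth ] || exit 1
    if authenticate_from_stdin "${PAM_USER:-}"; then
        exit 0
    fi
    # Log the outcome, never the password.
    if command -v logger >/dev/null 2>&1; then
        logger -t openvpn-auth -p auth.notice "authentication failed for user '${PAM_USER:-}'"
    fi
    exit 1
}

# pam_exec exports PAM_TYPE; when run by hand or sourced it is absent, so nothing runs.
if [ -n "${PAM_TYPE:-}" ]; then
    main
fi
```

Two practical points. The script runs with the privileges of the process that calls into PAM, which for the auth-pam plugin is its privileged background helper, so keep it root-owned, not group- or world-writable, and outside /tmp (the /tmp location used during development above is fine for printing the environment, not for anything that makes authentication decisions). And the PAM side can be exercised without OpenVPN: pamtester, where installed, drives the stack directly (pamtester -v openvpn alice authenticate) and prompts for the password that pam_exec then feeds to stdin.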
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: PAM Authentication - how to hand user/pass vars to a scr
this makes sense, actually: the 'login' pam module expects to be fed a username and password, and the example
plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"
lists the keywords that the plugin should listen for ('login' and 'password'); since you're using only 'pam_exec' the invocation is indeed different, as you've found out the hard way.
Thanks for sharing this info, I'm sure someone else will find it useful some day.
I'm closing this thread now.