EzDevInfo.com

pam interview questions

Top pam frequently asked interview questions

Linux PAM module in Java

I do have a custom authentication mechanism which is written in Java. I was wondering what would be the best way to implement a Linux PAM module without rewriting the code in C?

I am aware of this list of available PAM modules but none of them are Java-related.

There's also JPam but it does the opposite thing: it allows getting user/group information for use in a Java app, whereas I need to use existing Java code to authenticate users in Linux (e.g. via SSH).

Any suggestions are welcome.


Source: (StackOverflow)

Limit the memory and cpu available for a user in Linux

I am a little concerned with the amount of resources that I can use in a shared machine. Is there any way to test if the administrator has a limit on the amount of resources that I can use? And if so, to make a more complete question, how can I set up such a limit?

Thank you.


Source: (StackOverflow)


How can I add custom two-factor authentication with C++, Pam & Ubuntu?

I am looking to add my own 2-factor authentication to my ubuntu linux server with c++. I am going to have my asterisk box call my cell phone with a unique ID, which must be entered at the linux login prompt, before or after a password, with or without a certificate - depending on how I configure it. Either way, I'd like this extra entry step as a part of the login.

Should I use PAM for this? If so, can someone point me to a sample of extra input w/Pam and login?


Source: (StackOverflow)

Linux Pam creates static library instead of shared library

I am trying to cross compile Linux PAM for android in the following way

#!/bin/sh
# Linux-PAM/build.sh

INSTALL_DIR="`pwd`/out"

export PATH="android/prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.6/bin:$PATH"
export CROSS_COMPILER="$PATH:android/prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.6/bin"
export SYS_ROOT="android/prebuilts/ndk/current/platforms/android-9/arch-arm" 
export CC="arm-linux-androideabi-gcc --sysroot=$SYS_ROOT"
export LD="arm-linux-androideabi-ld"
export AR="arm-linux-androideabi-ar"
export RANLIB="arm-linux-androideabi-ranlib"
export STRIP="arm-linux-androideabi-strip"

mkdir -p $INSTALL_DIR
./configure --host=arm-eabi --build=x86_64 --enable-shared --prefix=$INSTALL_DIR LIBS="-lc -lgcc"

make
make install

The output gives statically built libraries. I want shared libraries. If I compile for linux, it builds shared library by default. But for Android it builds statically. The config.log file has following

configure:3581: arm-linux-androideabi-gcc --sysroot=android/prebuilts/ndk/current/platforms/android-9/arch-arm -v >&5
Using built-in specs.
COLLECT_GCC=arm-linux-androideabi-gcc
COLLECT_LTO_WRAPPER=android/prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.6/bin/../libexec/gcc/arm-linux-androideabi/4.6.x-google/lto-wrapper
Target: arm-linux-androideabi
Configured with: /tmp/android-8532/src/build/../gcc/gcc-4.6/configure --prefix=/usr/local --target=arm-linux-androideabi --host=x86_64-linux-gnu --build=x86_64-linux-gnu --with-gnu-as --with-gnu-ld --enable-languages=c,c++ --with-gmp=/tmp/android-8532/obj/temp-install --with-mpfr=/tmp/android-8532/obj/temp-install --with-mpc=/tmp/android-8532/obj/temp-install --without-ppl --without-cloog --disable-libssp --enable-threads --disable-nls --disable-libmudflap --disable-libgomp --disable-libstdc__-v3 --disable-sjlj-exceptions --disable-shared --disable-tls --disable-libitm --with-float=soft --with-fpu=vfp --with-arch=armv5te --enable-target-optspace --with-gcc-version=4.6 --with-binutils-version=2.21 --with-gmp-version=4.2.4 --with-mpfr-version=2.4.1 --with-gdb-version=7.3.x --with-arch=armv5te --with-sysroot=/tmp/android-8532/install/sysroot --with-prefix=/tmp/android-8532/install --with-gold-version=2.21 --enable-gold --program-transform-name='s&^&arm-linux-androideabi-&' --enable-gold=default


....

configure:10632: checking if libtool supports shared libraries
configure:10634: result: no
configure:10637: checking whether to build shared libraries
configure:10658: result: no

What is going wrong?


Source: (StackOverflow)

Enable PAM configuration (limits.conf) for a running daemon

I'm currently attempting to develop a sandbox using Docker. Docker spawns processes through a running daemon, and I am having a great deal of trouble enabling the limits set forth in the limits.conf file such that they apply to the daemon. Specifically, I am running a forkbomb such that the daemon is the process that spawns all the new processes. The nproc limitation I placed on the user making this call doesn't seem to get applied and I for the life of me cannot figure out how to make it work. I'm quite positive it will be as simple as adding the correct file to /etc/pam.d/, but I'm not certain.


Source: (StackOverflow)
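
Both this question and the earlier "Limit the memory and cpu available for a user in Linux" one come down to per-process resource limits, getrlimit(2)/setrlimit(2). pam_limits.so reads /etc/security/limits.conf and applies them with setrlimit when a PAM session is opened for a login, and from then on they are inherited across fork and exec. A daemon started by init never passes through that session stage, and the processes it forks inherit the daemon's limits rather than those of the user who issued the request, so a limits.conf entry for that user cannot reach them. The following is an added example, not from either question, of the check a user can run to see which limits are in force, and of lowering a soft limit from inside the process, which is what a daemon has to do for itself. The mapping of limits.conf item names to RLIMIT_* constants covers only the items named on this page.

```c
/* rlimit_check.c: added example, not from either question.
 * Build: gcc -Wall -o rlimit_check rlimit_check.c */
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* limits.conf item names and the rlimit each one sets (pam_limits does this
 * mapping); "nproc", "as" and "cpu" are the ones asked about above. */
struct limit_name { const char *item; int resource; };
static const struct limit_name LIMITS[] = {
    { "nproc",  RLIMIT_NPROC  },
    { "as",     RLIMIT_AS     },
    { "cpu",    RLIMIT_CPU    },
    { "nofile", RLIMIT_NOFILE },
    { "core",   RLIMIT_CORE   },
};

/* Look up a limits.conf item name; returns the RLIMIT_* constant or -1. */
int limit_resource(const char *item)
{
    for (size_t i = 0; i < sizeof LIMITS / sizeof LIMITS[0]; i++)
        if (strcmp(LIMITS[i].item, item) == 0)
            return LIMITS[i].resource;
    return -1;
}

/* 1 if a finite soft limit is in force, 0 if unlimited, -1 on error. */
int limit_in_force(int resource, struct rlimit *out)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return -1;
    if (out) *out = rl;
    return rl.rlim_cur != RLIM_INFINITY;
}

/* Lower (or raise, up to the hard limit) the soft limit of this process.
 * An unprivileged process can never exceed its hard limit and can only
 * lower the hard limit, which is irreversible. 0 on success. */
int limit_lower_soft(int resource, rlim_t new_soft)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0) return -1;
    if (new_soft > rl.rlim_max) return -1;
    rl.rlim_cur = new_soft;
    return setrlimit(resource, &rl) == 0 ? 0 : -1;
}

static void print_one(const char *item)
{
    struct rlimit rl;
    if (limit_in_force(limit_resource(item), &rl) < 0) {
        printf("%-7s getrlimit failed\n", item);
        return;
    }
    printf("%-7s soft=", item);
    if (rl.rlim_cur == RLIM_INFINITY) printf("unlimited");
    else printf("%llu", (unsigned long long)rl.rlim_cur);
    if (rl.rlim_max == RLIM_INFINITY) printf(" hard=unlimited\n");
    else printf(" hard=%llu\n", (unsigned long long)rl.rlim_max);
}

int main(void)
{
    /* The same information `ulimit -a` prints, for the items pam_limits understands. */
    for (size_t i = 0; i < sizeof LIMITS / sizeof LIMITS[0]; i++)
        print_one(LIMITS[i].item);
    return 0;
}
```

Run it from a login shell and again from a process started by the daemon in question; if the two differ, the daemon is not getting the limits.conf values, and only setrlimit in the daemon itself (or the init system's own limit settings, such as a systemd unit's LimitNPROC=) will change what its children inherit.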

How to authenticate a user using PAM?

I've read through this page, but I'm a little confused...

  • pam_start
    • What is struct pam_conv and how should it be filled in?
    • What on earth is service_name and what does it mean?

Is there an example somewhere of using PAM to log in a user (or at least verify their provided credentials)?


Source: (StackOverflow)

Hudson fails to use unix user/group to do authentication

I'm trying to use the unix user/group database as the security realm of hudson. The linux server is using NIS for user management. My account can log in to the hudson server via ssh.

And the hudson server is running as user 'hudson', which is also a member of group 'shadow', so hudson can read /etc/shadow. And I tested the configuration using the 'test' button; hudson tells me it works well.

But I can't use my unix account and password to log in to the hudson server.

And I found below java exception in the log of hudson,

Jan 12, 2011 8:23:42 AM hudson.security.AuthenticationProcessingFilter2 onUnsuccessfulAuthentication
INFO: Login attempt failed
org.acegisecurity.BadCredentialsException: pam_authenticate failed : Authentication failure; nested exception is org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
    at hudson.security.PAMSecurityRealm$PAMAuthenticationProvider.authenticate(PAMSecurityRealm.java:100)
    at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:195)
    at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45)
    at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:71)
    at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
    at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
    at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
    at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
    at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
    at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
    at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:244)
    at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
    at java.lang.Thread.run(Thread.java:595)
Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
    at org.jvnet.libpam.PAM.check(PAM.java:105)
    at org.jvnet.libpam.PAM.authenticate(PAM.java:123)
    at hudson.security.PAMSecurityRealm$PAMAuthenticationProvider.authenticate(PAMSecurityRealm.java:90)
    ... 18 more

Update on Jan. 17,

The host is RHEL 4.5, and I created user and group shadow, then added hudson to group shadow.

-bash-3.00$ cat  /etc/redhat-release 
Red Hat Enterprise Linux WS release 4 (Nahant Update 5)
-bash-3.00$ ll /etc/shadow
-r--r-----  1 root shadow 1114 Jan  4 11:37 /etc/shadow
-bash-3.00$ cat /etc/group |grep shadow
shadow:x:44:hudson

I also tried to set up hudson on another RHEL 4.8 host. This time I ran hudson as root,

kzhu0@pek-wb-rhws4_32:~$ ps -ef|grep hudson
root     18764 29161  0 Jan14 pts/5    00:00:33 /usr/bin/java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true -DHUDSON_HOME=/var/lib/hudson -jar /usr/lib/hudson/hudson.war --logfile=/var/log/hudson/hudson.log --daemon --httpPort=8080 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20
kzhu0    22404 18833  0 10:52 pts/2    00:00:00 grep hudson
kzhu0@pek-wb-rhws4_32:~$ cat /etc/redhat-release 
Red Hat Enterprise Linux WS release 4 (Nahant Update 8)

But I still have no luck getting the unix user/group realm to work. And I can't find any pam error message in /var/log/messages or /var/log/secure. It looks like hudson throws the exception before actually using pam to authenticate.


Source: (StackOverflow)

How do I use the PAM capabilities module to grant capabilities to a particular user and executable?

I'm attempting to make a program which uses raw sockets run correctly as non-root with Linux capabilities. The program is as follows:

#include <netinet/ip.h>

int main()
{
  int sd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
  if(sd < 0)
  {
    perror("socket() error");
    return 1;
  }
  return 0;
}

If I compile it and run it as non-root, I get an error, as expected:

[user@localhost ~]$ make socket
cc     socket.c   -o socket
[user@localhost ~]$ ./socket 
socket() error: Operation not permitted

If I add the cap_net_raw capability, as an effective and permitted capability, it works.

[user@localhost ~]$ sudo setcap cap_net_raw+ep socket
[sudo] password for user: 
[user@localhost ~]$ ./socket 
[user@localhost ~]$ 

Now, I want to use pam_cap.so to make it so that only a particular user can run this program with cap_net_raw, instead of everyone. My /etc/security/capability.conf is:

cap_net_raw user

My /etc/pam.d/login is (note that I also tried /etc/pam.d/sshd but that did not seem to work either):

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
#Added this line to use pam_cap
auth       required     pam_cap.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

I had an ssh session, I logged out and back in after that and executed the following commands:

[user@localhost ~]$ sudo setcap cap_net_raw+p socket
[sudo] password for user: 
[user@localhost ~]$ getcap socket
socket = cap_net_raw+p
[user@localhost ~]$ ./socket 
socket() error: Operation not permitted
[user@localhost ~]$ 

My question is: Why was I not able to execute the 'socket' program with cap_net_raw? I thought that when I logged in, my user would obtain it as a permitted capability, and it would allow 'user' to run 'socket' with the cap_net_raw.

Thanks! This is what I'm running on:

[user@localhost ~]$ uname -a
Linux localhost.localdomain 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[user@localhost ~]$ cat /etc/redhat-release 
CentOS Linux release 7.0.1406 (Core) 

Source: (StackOverflow)
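
Why the `+p` run fails is decided by the execve(2) capability rules in capabilities(7), which the following added example (not from the question) works through with the page's own cases. For a file with capabilities F and a process with sets P, the new permitted set is P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)), and P'(effective) is all of P'(permitted) when the file's single effective bit is set and empty otherwise (kernels from 4.3 on add an ambient term, which is zero on the 3.10 kernel shown). So `cap_net_raw+p` makes the capability permitted for everyone who runs the file but never effective, which is the EPERM seen, while `+ep` makes it effective for everyone. pam_cap.so only adds to the process inheritable set, and it does so in the stack the login actually goes through: /etc/pam.d/login serves console logins by login(1), an ssh session goes through /etc/pam.d/sshd and only if sshd has UsePAM yes. The combination that limits the capability to the user named in capability.conf is therefore `setcap cap_net_raw+ie socket` together with cap_net_raw in that user's inheritable set; the second function below reads the CapInh line of /proc/self/status, which is the way to confirm what a login actually got. The /proc sample text used in the test is constructed.

```c
/* cap_transition.c: added example, not from the question.
 * Build: gcc -Wall -o cap_transition cap_transition.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_RAW 13                          /* value from <linux/capability.h> */
#define CAPBIT(c) ((uint64_t)1 << (c))

struct capset { uint64_t inh, prm, eff; };      /* inheritable, permitted, effective */

/* Sets a process has after execve of a file carrying file capabilities
 * 'file' (file.eff is the single "effective" flag). 'bounding' is the
 * process bounding set, 'ambient' its ambient set (0 before Linux 4.3).
 * Rules as documented in capabilities(7). */
struct capset cap_after_exec(struct capset proc, struct capset file,
                             uint64_t bounding, uint64_t ambient)
{
    struct capset out;
    out.prm = (proc.inh & file.inh) | (file.prm & bounding) | ambient;
    out.eff = file.eff ? out.prm : ambient;
    out.inh = proc.inh;                         /* unchanged by exec */
    return out;
}

/* 1 if the program would have 'cap' in its effective set right after exec,
 * assuming a full bounding set (the usual case for a login shell). */
int cap_usable_after_exec(struct capset proc, struct capset file, int cap)
{
    struct capset r = cap_after_exec(proc, file, ~(uint64_t)0, 0);
    return (r.eff & CAPBIT(cap)) != 0;
}

/* Parse one "CapXxx:\t<16 hex digits>" field out of /proc/<pid>/status
 * text. Returns 0 and fills *mask, or -1 if the field is absent. */
int cap_field(const char *status_text, const char *field, uint64_t *mask)
{
    const char *p = status_text;
    size_t flen = strlen(field);
    while ((p = strstr(p, field)) != NULL) {
        if ((p == status_text || p[-1] == '\n') && p[flen] == ':') {
            char *end;
            *mask = strtoull(p + flen + 1, &end, 16);
            return end > p + flen + 1 ? 0 : -1;
        }
        p += flen;
    }
    return -1;
}

/* Read this process's own sets; 0 on success. Run it right after logging
 * in: if CapInh is all zeros, pam_cap did not run for that login. */
int cap_self(struct capset *out)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    if (cap_field(buf, "CapInh", &out->inh) || cap_field(buf, "CapPrm", &out->prm) ||
        cap_field(buf, "CapEff", &out->eff))
        return -1;
    return 0;
}

int main(void)
{
    struct capset self;
    if (cap_self(&self) == 0)
        printf("this process: CapInh=%016llx CapPrm=%016llx CapEff=%016llx\n",
               (unsigned long long)self.inh, (unsigned long long)self.prm,
               (unsigned long long)self.eff);
    struct capset plain  = { 0, 0, 0 };                        /* ordinary login */
    struct capset pamcap = { CAPBIT(CAP_NET_RAW), 0, 0 };      /* login with pam_cap */
    struct capset f_ep = { 0, CAPBIT(CAP_NET_RAW), 1 };        /* setcap cap_net_raw+ep */
    struct capset f_p  = { 0, CAPBIT(CAP_NET_RAW), 0 };        /* setcap cap_net_raw+p  */
    struct capset f_ie = { CAPBIT(CAP_NET_RAW), 0, 1 };        /* setcap cap_net_raw+ie */
    printf("+ep, any user    : %d\n", cap_usable_after_exec(plain,  f_ep, CAP_NET_RAW));
    printf("+p,  any user    : %d\n", cap_usable_after_exec(plain,  f_p,  CAP_NET_RAW));
    printf("+p,  with pam_cap: %d\n", cap_usable_after_exec(pamcap, f_p,  CAP_NET_RAW));
    printf("+ie, any user    : %d\n", cap_usable_after_exec(plain,  f_ie, CAP_NET_RAW));
    printf("+ie, with pam_cap: %d\n", cap_usable_after_exec(pamcap, f_ie, CAP_NET_RAW));
    return 0;
}
```

The `+p` with pam_cap row is also 0: the capability is permitted but the unmodified program never raises it to effective, so only `+ie` (or `+i` plus a cap_set_proc call in the program) gives the intended per-user behaviour.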

stat() function doesn't seem to be working in test PAM module

I'm trying to write a PAM module. The PAM module creates a directory on first login. Very similar to pam_mkhomedir.

Here is the code.

#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/stat.h>            /* declares both struct stat and the stat() call */
#include <security/pam_modules.h>
#include <security/pam_ext.h>
#include <security/pam_modutil.h>

/* SkelDir, MkDir, UMask, DestDir and _pam_parse() are defined elsewhere in the module (not shown). */

PAM_EXTERN int
pam_sm_open_session (pam_handle_t *pamh, int flags, int argc,
             const char **argv)
{
   int retval;
   const char *user;
   const struct passwd *pwd;
   struct stat St;

    // Parse the args
   _pam_parse(pamh, flags, argc, argv);
   pam_info (pamh, "\nThese are the args flags. skel: %s, mkdir: %s, umask: %o",SkelDir, MkDir, UMask );

   // Determine the user name  
   retval = pam_get_user(pamh, &user, NULL);
   if (retval != PAM_SUCCESS || user == NULL || *(const char *)user == '\0')
   {
      pam_syslog(pamh, LOG_NOTICE, "user unknown");
      return PAM_USER_UNKNOWN;
   }

   // Build DestDir = MkDir/user. This is an unbounded copy: DestDir has to be large
   // enough for the longest MkDir plus a user name (snprintf with sizeof DestDir is the safe form).
   strcpy(DestDir, MkDir);
   strcat(DestDir,"/");
   strcat(DestDir, user);

   // Get the password entry   
   pwd = pam_modutil_getpwnam (pamh, user);
   if (pwd == NULL)
   {
      return PAM_CRED_INSUFFICIENT;
   }

   // For some reason stat won't work, using access instead. 

   //retval = stat(DestDir,&St); 


   retval = access(DestDir, F_OK);
   if ( retval == 0)
   {
    pam_info(pamh, "directory exists %s" ,DestDir); 
   }

    return PAM_SUCCESS;

}

As you can see, right now, the module just prints the arguments specified in the pam config file at login time.
The problem is with the stat function. When I use it, nothing gets printed, even though the pam_info functions are called before the stat function.
If I use the access function, the module executes properly. I'm kinda stumped as to why this is happening.
EDIT: I had included some code that checked the errno and other return values, but that code does not get executed. I didn't include it in the question because I didn't want to make the code too long to read. The module seems to fail and exit completely. It doesn't print anything. It just does nothing. But if I use access() the module works fine.


Source: (StackOverflow)
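
Linux-PAM loads modules with dlopen(3) and RTLD_NOW, so a module with an unresolved symbol is rejected at load time and none of its code runs; that matches "nothing gets printed": no pam_info output and no syslog line from the module, only an error from libpam itself in the system log, and the session fails. One way to end up there is exactly stat(): on glibc before 2.33, stat() is not a symbol of libc.so.6 but a wrapper supplied from libc_nonshared.a at link time, so a module linked without that archive (for instance with ld -shared directly instead of gcc -shared, as older PAM module guides show) carries an undefined reference to stat, whereas access() is an ordinary libc symbol. Whether that is the cause in this post is an assumption. The following added example (not from the post) is a pre-deployment check that does what libpam does and reports the loader's reason; the path is whatever was just built.

```c
/* modcheck.c: added example, not from the post.
 * Build: gcc -Wall -o modcheck modcheck.c -ldl
 * Usage: ./modcheck ./pam_mymodule.so */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* Load a shared object the way libpam does (RTLD_NOW: every undefined
 * symbol must resolve now, not at first call). Returns 1 if it loads,
 * 0 otherwise with the loader's message copied into err. */
int module_loads(const char *path, char *err, size_t errlen)
{
    dlerror();                                   /* clear stale state */
    void *h = dlopen(path, RTLD_NOW);
    if (h == NULL) {
        const char *msg = dlerror();
        snprintf(err, errlen, "%s", msg ? msg : "unknown dlopen error");
        return 0;
    }
    dlclose(h);
    if (errlen) err[0] = '\0';
    return 1;
}

/* Does the object (or, for path == NULL, the running program and the
 * libraries it loaded) export a symbol? 1 if present, 0 if not or on load failure. */
int module_has_symbol(const char *path, const char *symbol)
{
    void *h = dlopen(path, RTLD_NOW);
    if (h == NULL) return 0;
    int present = dlsym(h, symbol) != NULL;
    dlclose(h);
    return present;
}

int main(int argc, char **argv)
{
    /* the six entry points a module may provide, one per management group */
    static const char *entry[] = { "pam_sm_authenticate", "pam_sm_setcred",
        "pam_sm_acct_mgmt", "pam_sm_open_session", "pam_sm_close_session",
        "pam_sm_chauthtok" };
    char err[512];
    if (argc != 2) { fprintf(stderr, "usage: %s module.so\n", argv[0]); return 2; }
    if (!module_loads(argv[1], err, sizeof err)) {
        /* this is the text libpam would log, e.g. "...: undefined symbol: stat" */
        fprintf(stderr, "%s: will not load: %s\n", argv[1], err);
        return 1;
    }
    for (size_t i = 0; i < sizeof entry / sizeof entry[0]; i++)
        printf("%-21s %s\n", entry[i], module_has_symbol(argv[1], entry[i]) ? "yes" : "-");
    return 0;
}
```

`ldd -r pam_mymodule.so` and `nm -u pam_mymodule.so` show the same undefined symbols without running anything; the dlopen check adds the loader's own wording, which is what will appear in the log when the real login fails.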

Send byte[] in a String from Java to a C program

I need to put my Java information in a String so I use the String(byte[] arrB) constructor. Now this information is sent to the C program as a char* type. Now I need to get back original bytes since, from my understanding, they were encoded in the process of creating a Java String.

How can I do that in the C program?

So, on the C side I have these bytes:

7e 53 e9 94 d4 46 f5 7c 66 cf 85 34 18 5a ff 6 2d a3 89 48 d2 e4 46 b8 6b 43 ec 64 3a 67 f9 2 6d 12 ac e7 0 c4 99 52 68 76 76 77 12 2 de 7d 5b e7 4e 5 6 73 f4 fc 91 54 12 71 64 7a 25 3d

They are in a char* but they reach Java as a String, and the String is:

7E 53 EF BF BD EF BF BD 46 EF BF BD 7C 66 CF 85 34 18 5A EF BF BD 06 2D EF BF BD EF BF BD 48 EF BF BD EF BF BD 46 EF BF BD 6B 43 EF BF BD 64 3A 67 EF BF BD 02 6D 12 EF BF BD EF BF BD

As you can see there many similarities...


Source: (StackOverflow)
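
What happened to the bytes can be read off the two dumps. The String(byte[]) constructor decodes with the platform default charset, evidently UTF-8 here, and every EF BF BD in the result is U+FFFD, the replacement character a UTF-8 decoder substitutes for each maximal run of bytes that is not valid UTF-8: E9 94 D4 is a truncated three-byte sequence followed by a stray lead byte (two replacements), F5 and FF can never start a sequence, while CF 85 happens to be a valid two-byte sequence and survives. The Java string also ends where the C string does, at the first 00 byte, since that is where a char* stops. The information is destroyed inside new String(bytes), so there is nothing to undo on the C side; the fix is to not decode binary data as text: use a byte-preserving charset (ISO-8859-1 maps every byte to one char and back) or carry the bytes as hex or Base64. The following is an added example, not from the question, whose decoder is a reimplementation of the substitution rule as specified by Unicode (one U+FFFD per maximal invalid subpart), not Java code; applied to the first dump it yields exactly the string observed, and the hex functions show the lossless alternative. The sample array is constructed from the question's first dump.

```c
/* utf8_mangle.c: added example, not from the question.
 * Build: gcc -Wall -o utf8_mangle utf8_mangle.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length of the valid UTF-8 sequence at p (1..4), or the negated length of
 * the "maximal subpart" that a conforming decoder replaces with one U+FFFD.
 * Follows the Unicode well-formedness table: overlongs, surrogates and
 * values above U+10FFFF are rejected. */
int utf8_seq(const uint8_t *p, size_t n)
{
    uint8_t b = p[0], lo = 0x80, hi = 0xBF;
    int need = 0;
    if (b < 0x80) return 1;
    if (b >= 0xC2 && b <= 0xDF) need = 1;
    else if (b >= 0xE0 && b <= 0xEF) { need = 2; if (b == 0xE0) lo = 0xA0; if (b == 0xED) hi = 0x9F; }
    else if (b >= 0xF0 && b <= 0xF4) { need = 3; if (b == 0xF0) lo = 0x90; if (b == 0xF4) hi = 0x8F; }
    else return -1;                          /* C0, C1, F5..FF or a stray continuation byte */
    for (int i = 1; i <= need; i++) {
        if ((size_t)i >= n) return -i;       /* truncated at end of input */
        uint8_t min = (i == 1) ? lo : 0x80, max = (i == 1) ? hi : 0xBF;
        if (p[i] < min || p[i] > max) return -i;
    }
    return need + 1;
}

/* What new String(bytes) followed by getBytes() does under UTF-8: valid
 * sequences are copied, each invalid subpart becomes EF BF BD.
 * Returns the output length, or 0 if outcap is too small. */
size_t utf8_replace(const uint8_t *in, size_t n, uint8_t *out, size_t outcap)
{
    static const uint8_t FFFD[3] = { 0xEF, 0xBF, 0xBD };
    size_t i = 0, o = 0;
    while (i < n) {
        int len = utf8_seq(in + i, n - i);
        if (len > 0) {
            if (o + (size_t)len > outcap) return 0;
            memcpy(out + o, in + i, (size_t)len);
            o += (size_t)len; i += (size_t)len;
        } else {
            if (o + 3 > outcap) return 0;
            memcpy(out + o, FFFD, 3);
            o += 3; i += (size_t)(-len);
        }
    }
    return o;
}

/* The lossless alternative: carry the bytes as hex text (Base64 works the
 * same way) and decode on the receiving side. Both return 0 on error. */
size_t hex_encode(const uint8_t *in, size_t n, char *out, size_t outcap)
{
    if (outcap < 2 * n + 1) return 0;
    for (size_t i = 0; i < n; i++) sprintf(out + 2 * i, "%02x", in[i]);
    return 2 * n;
}
static int nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}
size_t hex_decode(const char *hex, uint8_t *out, size_t outcap)
{
    size_t n = strlen(hex);
    if (n % 2 || outcap < n / 2) return 0;
    for (size_t i = 0; i < n; i += 2) {
        int h = nibble(hex[i]), l = nibble(hex[i + 1]);
        if (h < 0 || l < 0) return 0;
        out[i / 2] = (uint8_t)(h << 4 | l);
    }
    return n / 2;
}

/* Constructed from the question's first dump, up to the 00 byte at which a
 * char* (and therefore the Java string) ends. */
static const uint8_t SAMPLE[] = {
    0x7e,0x53,0xe9,0x94,0xd4,0x46,0xf5,0x7c,0x66,0xcf,0x85,0x34,0x18,0x5a,0xff,0x06,
    0x2d,0xa3,0x89,0x48,0xd2,0xe4,0x46,0xb8,0x6b,0x43,0xec,0x64,0x3a,0x67,0xf9,0x02,
    0x6d,0x12,0xac,0xe7 };

int main(void)
{
    uint8_t out[3 * sizeof SAMPLE];
    size_t n = utf8_replace(SAMPLE, sizeof SAMPLE, out, sizeof out);
    for (size_t i = 0; i < n; i++) printf("%02X ", out[i]);   /* the second dump */
    printf("\n");
    return 0;
}
```

On the Java side the equivalent is to keep the byte[] (or use new String(bytes, StandardCharsets.ISO_8859_1) and getBytes(ISO_8859_1), which round-trips) rather than the default-charset constructor.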

Is there any way to use IAM as a authentication "method" for PAM?

Specifically, running a chain of postfix, dovecot and nginx to provide a "nice" mail service to (not so many) users. All services share Pluggable Authentication Modules (PAM) as a possible authentication method. Currently, the system's "passwd" database is being used to authenticate against, via PAM.

AWS Identity and Access Management (IAM) is a hard requirement. Therefore, any other service (like duosecurity) is not an option. Before I start to code a PAM module, I'm asking for your experience - how would you do it? Thanks!


Source: (StackOverflow)

PHP: authenticate local unix user (without direct access to /etc/shadow)

Given a username and password, I need to check if there's a user on the local system with said username and password.

I'm aware of posix_getpwnam and using the PAM package, but both of these methods require that the PHP script have access to /etc/shadow. I'd rather not mess with permissions of system files or daemon users.

I imagine that this could be done either by messing with standard system commands such as sudo, or by writing my own small setuid C program. I could also try to connect to localhost via FTP or SSH with said username/password to validate it. Is there a simpler way?


Source: (StackOverflow)

python script does not run from cron

I have a python script "start.py" that executes well from the command line. There is only one statement in it (print "hello"). EDIT: start.py contains also a working interpreter directive in the first line.

As soon as I run the script from a cron job, every time it fires there is a message in syslog:

Jun  7 02:57:01 mit CRON[23275]: Module is unknown

I tried already to add PATH and PYTHONPATH information to the cron file:

$ cat /etc/cron.d/my_cron
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PYTHONPATH=/usr/lib/python2.6:/usr/lib/python2.6/plat-linux2:/usr/lib/python2.6/lib-tk:/usr/lib/python2.6/lib-old:/usr/lib/python2.6/lib-dynload:/usr/lib/python2.6/dist-packages:/usr/lib/pymodules/python2.6:/usr/lib/pymodules/python2.6/gtk-2.0:/usr/local/lib/python2.6/dist-packages
* * * * * mit /home/mit/dev/start.py

I found several answers and solutions that seem the same but nothing helped me. What am I missing?


Source: (StackOverflow)

Encrypted password in Berkeley DB for vsftpd using pam_userdb.so

I am trying to install a vsftpd with some virtual users using the Berkeley DB. I have mainly followed this guide: http://www.neant.ro/2012/04/secure-ftp-with-vsftpd/ . Everything works fine, but I want to have the passwords hashed inside the database. I am using CentOS 6.3 with glibc 2.12.

From the manpage of pam_userdb.so I assume that I can use what crypt provides. If we take a look at the crypt(3) manpage we can use SHA-256 and SHA-512. I would like to use one of those.

My doubt is how to implement it. From what I know I need to go to my pam.d file and edit and add the argument crypt but... which value should I give it? 5 for SHA-256? 6 for SHA-512?

auth    sufficient pam_userdb.so db=/path/to/db/virtual-users crypt=?
account sufficient pam_userdb.so db=/path/to/db/virtual-users crypt=?
session sufficient pam_loginuid.so

Now I need the password in SHA-256/SHA-512 inside the database. Which is the correct way to get the hash? I suppose I have to use the crypt function. However, I need to get it using Ruby, is there any way?

Thanks in advance for the help,


Source: (StackOverflow)

How does gcc linker choose /usr/lib versus /usr/lib64 for library resolution?

My link line to gcc includes the following two entries in succession:

-lrt
-lpam

And this appears expanded as:

/usr/lib64/librt.so /usr/lib/libpam.so

Why is rt resolved to lib64 whereas pam is resolved to lib and consequently fails:

/usr/lib/libpam.so: could not read symbols: File in wrong format

since it is only a 32-bit ELF. There is a /usr/lib64/libpam.so which is a 64-bit ELF; why isn't it taken?


Source: (StackOverflow)