pam interview questions
Top pam frequently asked interview questions
I do have a custom authentication mechanism which is written in Java. I was wondering what would be the best way to implement a Linux PAM module without rewriting the code in C?
I am aware of this list of available PAM modules but none of them are Java-related.
There's also JPam but it does the opposite thing: it allows getting user/group information for use in a Java app, whereas I need to use existing Java code to authenticate users in Linux (e.g. via SSH).
Any suggestions are welcome.
Source: (StackOverflow)
I am a little concerned with the amount of resources that I can use in a shared machine. Is there any way to test if the administrator has a limit in the amount of resources that I can use? And if does, to make a more complete question, how can I set up such limit?
Thank you.
Source: (StackOverflow)
I am looking to add my own 2-factor authentication to my Ubuntu Linux server with C++. I am going to have my Asterisk box call my cell phone with a unique ID, which must be entered at the Linux login prompt, before or after a password, with (or) without a certificate - depending on how I configure it. Either way, I'd like this extra entry step as a part of the login.
Should I use PAM for this? If so, can someone point me to a sample of extra input w/ PAM and login?
Source: (StackOverflow)
I am trying to cross-compile Linux-PAM for Android in the following way:
#!/bin/sh
# Linux-PAM/build.sh
INSTALL_DIR="`pwd`/out"
export PATH="android/prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.6/bin:$PATH"
export CROSS_COMPILER="$PATH:android/prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.6/bin"
export SYS_ROOT="android/prebuilts/ndk/current/platforms/android-9/arch-arm"
export CC="arm-linux-androideabi-gcc --sysroot=$SYS_ROOT"
export LD="arm-linux-androideabi-ld"
export AR="arm-linux-androideabi-ar"
export RANLIB="arm-linux-androideabi-ranlib"
export STRIP="arm-linux-androideabi-strip"
mkdir -p "$INSTALL_DIR"
./configure --host=arm-eabi --build=x86_64 --enable-shared --prefix="$INSTALL_DIR" LIBS="-lc -lgcc"
make
make install
The output gives statically built libraries. I want shared libraries. If I compile for Linux, it builds a shared library by default, but for Android it builds statically. The config.log file contains the following:
configure:3581: arm-linux-androideabi-gcc --sysroot=android/prebuilts/ndk/current/platforms/android-9/arch-arm -v >&5
Using built-in specs.
COLLECT_GCC=arm-linux-androideabi-gcc
COLLECT_LTO_WRAPPER=android/prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.6/bin/../libexec/gcc/arm-linux-androideabi/4.6.x-google/lto-wrapper
Target: arm-linux-androideabi
Configured with: /tmp/android-8532/src/build/../gcc/gcc-4.6/configure --prefix=/usr/local --target=arm-linux-androideabi --host=x86_64-linux-gnu --build=x86_64-linux-gnu --with-gnu-as --with-gnu-ld --enable-languages=c,c++ --with-gmp=/tmp/android-8532/obj/temp-install --with-mpfr=/tmp/android-8532/obj/temp-install --with-mpc=/tmp/android-8532/obj/temp-install --without-ppl --without-cloog --disable-libssp --enable-threads --disable-nls --disable-libmudflap --disable-libgomp --disable-libstdc__-v3 --disable-sjlj-exceptions --disable-shared --disable-tls --disable-libitm --with-float=soft --with-fpu=vfp --with-arch=armv5te --enable-target-optspace --with-gcc-version=4.6 --with-binutils-version=2.21 --with-gmp-version=4.2.4 --with-mpfr-version=2.4.1 --with-gdb-version=7.3.x --with-arch=armv5te --with-sysroot=/tmp/android-8532/install/sysroot --with-prefix=/tmp/android-8532/install --with-gold-version=2.21 --enable-gold --program-transform-name='s&^&arm-linux-androideabi-&' --enable-gold=default
....
configure:10632: checking if libtool supports shared libraries
configure:10634: result: no
configure:10637: checking whether to build shared libraries
configure:10658: result: no
What is going wrong?
Source: (StackOverflow)
I'm currently attempting to develop a sandbox using Docker. Docker spawns processes through a running daemon, and I am having a great deal of trouble enabling the limits set forth in the limits.conf file such that they apply to the daemon. Specifically, I am running a forkbomb such that the daemon is the process that spawns all the new processes. The nproc limitation I placed on the user making this call doesn't seem to get applied, and I for the life of me cannot figure out how to make it work. I'm quite positive it will be as simple as adding the correct file to /etc/pam.d/, but I'm not certain.
Source: (StackOverflow)
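The two questions above (checking what limits apply on a shared machine, and limits.conf entries not reaching a daemon) come down to the same mechanism: rlimits are per-process values that a child inherits across fork and exec, and the entries in /etc/security/limits.conf are applied by pam_limits when a PAM session is opened. The following is an added example, not code from either post: it reads the calling process's own limits with getrlimit(2), lowers a soft limit with setrlimit(2) (something an unprivileged process may always do), and forks to show the child carrying the same value. The resource names and target values are chosen here for illustration.

```c
/* Added example (not from the original posts): inspect and lower the
 * calling process's resource limits, and show that a forked child inherits
 * them.  Limits from /etc/security/limits.conf are applied by pam_limits to
 * the login session, so a process that does not descend from that session
 * (a daemon started at boot) keeps whatever limits it was started with. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fetch the soft and hard limit of a resource.  Returns 0 on success. */
int get_limit(int resource, rlim_t *soft, rlim_t *hard)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return -1;
    *soft = rl.rlim_cur;
    *hard = rl.rlim_max;
    return 0;
}

/* Lower the soft limit of a resource to `target` (clamped to the hard limit,
 * which an unprivileged process cannot raise, and never raised here).
 * Returns the soft limit now in effect, or 0 on error. */
rlim_t lower_soft_limit(int resource, rlim_t target)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return 0;
    if (target > rl.rlim_max)
        target = rl.rlim_max;
    if (target > rl.rlim_cur)
        target = rl.rlim_cur;
    rl.rlim_cur = target;
    if (setrlimit(resource, &rl) != 0)
        return 0;
    return rl.rlim_cur;
}

/* Fork and check that the child sees the parent's soft limit.
 * Returns 1 if inherited, 0 if not, -1 on error. */
int child_inherits_limit(int resource)
{
    rlim_t soft, hard;
    if (get_limit(resource, &soft, &hard) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                         /* child: compare and report via exit status */
        rlim_t csoft, chard;
        if (get_limit(resource, &csoft, &chard) != 0)
            _exit(2);
        _exit(csoft == soft ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 0) return 1;
    if (WEXITSTATUS(status) == 1) return 0;
    return -1;
}

/* Print the limits a user on a shared host usually cares about. */
void print_limits(void)
{
    const struct { int res; const char *name; } table[] = {
        { RLIMIT_NPROC,  "processes (nproc)"   },
        { RLIMIT_NOFILE, "open files (nofile)" },
        { RLIMIT_AS,     "address space (as)"  },
        { RLIMIT_CPU,    "cpu seconds (cpu)"   },
        { RLIMIT_CORE,   "core size (core)"    },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        rlim_t soft, hard;
        if (get_limit(table[i].res, &soft, &hard) != 0) { perror("getrlimit"); continue; }
        printf("%-22s soft=", table[i].name);
        if (soft == RLIM_INFINITY) printf("unlimited"); else printf("%llu", (unsigned long long)soft);
        printf(" hard=");
        if (hard == RLIM_INFINITY) printf("unlimited\n"); else printf("%llu\n", (unsigned long long)hard);
    }
}

int main(void)
{
    print_limits();
    printf("nofile soft limit after lowering to 128: %llu\n",
           (unsigned long long)lower_soft_limit(RLIMIT_NOFILE, 128));
    printf("child inherits nofile limit: %d\n", child_inherits_limit(RLIMIT_NOFILE));
    return 0;
}
```

Run it from a login shell and again from a process started outside any PAM session (for example via a service manager) to see the two sets of values differ; `ulimit -a` shows the same numbers for the shell itself. The lowering step is the model for self-imposed sandboxing: a process may always tighten its own soft limits, and every child it spawns starts from the tightened values.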
I've read through this page, but I'm a little confused...
- pam_start
- What is struct pam_conv and how should it be filled in?
- What on earth is service_name and what does it mean?
Is there an example somewhere of using PAM to log in a user (or at least verify their provided credentials)?
Source: (StackOverflow)
I'm trying to use the unix user/group database as the security realm of hudson. The linux server is using NIS for user management. My account could log in to the hudson server via ssh.
And the hudson server is running as user 'hudson', which is also a member of group 'shadow', so hudson can read /etc/shadow. And I tested the configuration using the 'test' button; hudson tells me it works well.
But I can't use my unix account and password to log in to the hudson server.
And I found the Java exception below in the log of hudson:
Jan 12, 2011 8:23:42 AM hudson.security.AuthenticationProcessingFilter2 onUnsuccessfulAuthentication
INFO: Login attempt failed
org.acegisecurity.BadCredentialsException: pam_authenticate failed : Authentication failure; nested exception is org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
at hudson.security.PAMSecurityRealm$PAMAuthenticationProvider.authenticate(PAMSecurityRealm.java:100)
at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:195)
at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45)
at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:71)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:244)
at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
at java.lang.Thread.run(Thread.java:595)
Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
at org.jvnet.libpam.PAM.check(PAM.java:105)
at org.jvnet.libpam.PAM.authenticate(PAM.java:123)
at hudson.security.PAMSecurityRealm$PAMAuthenticationProvider.authenticate(PAMSecurityRealm.java:90)
... 18 more
Update on Jan. 17,
The host is RHEL 4.5, and I created the user and group shadow, then added hudson to group shadow.
-bash-3.00$ cat /etc/redhat-release
Red Hat Enterprise Linux WS release 4 (Nahant Update 5)
-bash-3.00$ ll /etc/shadow
-r--r----- 1 root shadow 1114 Jan 4 11:37 /etc/shadow
-bash-3.00$ cat /etc/group |grep shadow
shadow:x:44:hudson
I also tried to set up hudson on another RHEL 4.8 host. This time I ran hudson as root:
kzhu0@pek-wb-rhws4_32:~$ ps -ef|grep hudson
root 18764 29161 0 Jan14 pts/5 00:00:33 /usr/bin/java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true -DHUDSON_HOME=/var/lib/hudson -jar /usr/lib/hudson/hudson.war --logfile=/var/log/hudson/hudson.log --daemon --httpPort=8080 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20
kzhu0 22404 18833 0 10:52 pts/2 00:00:00 grep hudson
kzhu0@pek-wb-rhws4_32:~$ cat /etc/redhat-release
Red Hat Enterprise Linux WS release 4 (Nahant Update 8)
But I still have no luck getting unix user/password group to work. And I can't find any pam error message in /var/log/messages or /var/log/secure. It looks like hudson throws the exception before actually using pam to get authentication.
Source: (StackOverflow)
I'm attempting to make a program which uses raw sockets run correctly as non-root with Linux capabilities. The program is as follows:
#include <stdio.h>          /* perror */
#include <sys/socket.h>     /* socket, PF_INET, SOCK_RAW */
#include <netinet/in.h>     /* IPPROTO_TCP */
#include <netinet/ip.h>
#include <unistd.h>         /* close */
int main()
{
    /* A raw IP socket requires CAP_NET_RAW in the effective set */
    int sd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
    if(sd < 0)
    {
        perror("socket() error");
        return 1;
    }
    close(sd);
    return 0;
}
If I compile it and run it as non-root, I get an error, as expected:
[user@localhost ~]$ make socket
cc socket.c -o socket
[user@localhost ~]$ ./socket
socket() error: Operation not permitted
If I add the cap_net_raw capability, as an effective and permitted capability, it works.
[user@localhost ~]$ sudo setcap cap_net_raw+ep socket
[sudo] password for user:
[user@localhost ~]$ ./socket
[user@localhost ~]$
Now, I want to use pam_cap.so to make it so that only a particular user can run this program with cap_net_raw, instead of everyone. My /etc/security/capability.conf is:
cap_net_raw user
My /etc/pam.d/login is (note that I also tried /etc/pam.d/sshd but that did not seem to work either):
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
#Added this line to use pam_cap
auth required pam_cap.so
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
I had an ssh session; I logged out and back in after that, and executed the following commands:
[user@localhost ~]$ sudo setcap cap_net_raw+p socket
[sudo] password for user:
[user@localhost ~]$ getcap socket
socket = cap_net_raw+p
[user@localhost ~]$ ./socket
socket() error: Operation not permitted
[user@localhost ~]$
My question is: Why was I not able to execute the 'socket' program with cap_net_raw? I thought that when I logged in, my user would obtain it as a permitted capability, and it would allow 'user' to run 'socket' with the cap_net_raw.
Thanks! This is what I'm running on:
[user@localhost ~]$ uname -a
Linux localhost.localdomain 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[user@localhost ~]$ cat /etc/redhat-release
CentOS Linux release 7.0.1406 (Core)
Source: (StackOverflow)
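What a process ends up with after executing a file that carries capabilities is fixed by the transition rule documented in capabilities(7), and the scenario above can be worked through with it. The following is an added example, not code from the original post and not libcap: it parses the Cap* lines of a /proc/<pid>/status dump (the two excerpts are constructed, one for an ordinary login shell and one where pam_cap has put cap_net_raw in the session's inheritable set), applies the execve transition for a non-root caller, and reports whether CAP_NET_RAW is effective afterwards, which is what socket(PF_INET, SOCK_RAW, ...) checks. The CAP_NET_RAW bit number (13) is the kernel's.

```c
/* Added example (not from the original post): the execve(2) capability
 * transition from capabilities(7), applied to the pam_cap/setcap scenario.
 * No libcap needed: the sets are bit masks, printed in hex by /proc. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_RAW 13                        /* bit number, as in <linux/capability.h> */
#define CAP_BIT(c)  (UINT64_C(1) << (c))

/* A process's capability sets, as /proc/<pid>/status reports them. */
struct caps { uint64_t inheritable, permitted, effective, bounding, ambient; };

/* File capabilities as written by setcap(8): "cap_net_raw+ep" means
 * permitted = CAP_BIT(CAP_NET_RAW) and the file's single effective flag set. */
struct file_caps { uint64_t inheritable, permitted; int effective; };

/* Constructed /proc/<pid>/status excerpts: an ordinary login shell, and one
 * where pam_cap.so granted cap_net_raw to the session's inheritable set. */
static const char STATUS_PLAIN[] =
    "Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t0000003fffffffff\nCapAmb:\t0000000000000000\n";
static const char STATUS_PAMCAP[] =
    "Name:\tbash\nCapInh:\t0000000000002000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t0000003fffffffff\nCapAmb:\t0000000000000000\n";

/* Parse the Cap* lines (hex masks) of a status dump.  Returns 0 on success. */
int parse_proc_status(const char *text, struct caps *out)
{
    memset(out, 0, sizeof *out);
    const struct { const char *key; uint64_t *dst; } fields[] = {
        { "CapInh:", &out->inheritable }, { "CapPrm:", &out->permitted },
        { "CapEff:", &out->effective },   { "CapBnd:", &out->bounding },
        { "CapAmb:", &out->ambient },
    };
    int found = 0;
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        const char *p = strstr(text, fields[i].key);
        if (p == NULL) continue;              /* CapAmb is absent on kernels before 4.3 */
        *fields[i].dst = strtoull(p + strlen(fields[i].key), NULL, 16);
        found++;
    }
    return found >= 4 ? 0 : -1;
}

/* The execve(2) transition from capabilities(7), for a non-root caller:
 *   P'(ambient)     = 0 if the file carries capabilities, else P(ambient)
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
 *   P'(effective)   = F(effective) ? P'(permitted) : P'(ambient)
 *   P'(inheritable) = P(inheritable) */
struct caps exec_transition(const struct caps *p, const struct file_caps *f)
{
    struct caps n;
    int privileged_file = (f->inheritable | f->permitted) != 0;
    n.ambient     = privileged_file ? 0 : p->ambient;
    n.permitted   = (p->inheritable & f->inheritable) | (f->permitted & p->bounding) | n.ambient;
    n.effective   = f->effective ? n.permitted : n.ambient;
    n.inheritable = p->inheritable;
    n.bounding    = p->bounding;
    return n;
}

/* socket(PF_INET, SOCK_RAW, ...) needs CAP_NET_RAW in the *effective* set. */
int can_open_raw_socket(const struct caps *p, const struct file_caps *f)
{
    struct caps n = exec_transition(p, f);
    return (n.effective & CAP_BIT(CAP_NET_RAW)) != 0;
}

/* Read the calling process's own sets, for running the program interactively. */
int read_own_caps(struct caps *out)
{
    char buf[4096];
    FILE *fp = fopen("/proc/self/status", "r");
    if (fp == NULL) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return parse_proc_status(buf, out);
}

int main(void)
{
    struct caps plain, granted, self;
    parse_proc_status(STATUS_PLAIN, &plain);
    parse_proc_status(STATUS_PAMCAP, &granted);
    struct file_caps p_only = { 0, CAP_BIT(CAP_NET_RAW), 0 };   /* setcap cap_net_raw+p  */
    struct file_caps ep     = { 0, CAP_BIT(CAP_NET_RAW), 1 };   /* setcap cap_net_raw+ep */
    struct file_caps ie     = { CAP_BIT(CAP_NET_RAW), 0, 1 };   /* setcap cap_net_raw+ie */
    printf("+p  from plain shell  : raw socket %s\n", can_open_raw_socket(&plain, &p_only) ? "works" : "fails");
    printf("+ep from plain shell  : raw socket %s\n", can_open_raw_socket(&plain, &ep) ? "works" : "fails");
    printf("+ie from plain shell  : raw socket %s\n", can_open_raw_socket(&plain, &ie) ? "works" : "fails");
    printf("+ie from pam_cap shell: raw socket %s\n", can_open_raw_socket(&granted, &ie) ? "works" : "fails");
    if (read_own_caps(&self) == 0)
        printf("this process: CapInh=%016llx CapPrm=%016llx CapEff=%016llx\n",
               (unsigned long long)self.inheritable, (unsigned long long)self.permitted,
               (unsigned long long)self.effective);
    return 0;
}
```

Two things fall out of the rule. With `cap_net_raw+p` alone, CAP_NET_RAW lands in the new permitted set but the effective set stays empty (the file's effective flag is off), so socket() fails unless the program raises the capability into its effective set itself. And a file capability in the permitted set is granted to every user that the bounding set allows; it is the inheritable file bit (`+i`) combined with the session's inheritable set from pam_cap that makes the grant user-specific, with `+e` still needed for the capability to be effective at entry.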
I'm trying to write a PAM module. The PAM module creates a directory on first login, very similar to pam_mkhomedir.
Here is the code.
#include <security/pam_modules.h>
#include <security/pam_ext.h>      /* pam_info, pam_syslog */
#include <security/pam_modutil.h>  /* pam_modutil_getpwnam */
#include <sys/stat.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* SkelDir, MkDir, UMask, DestDir and _pam_parse() are defined elsewhere in
 * the module; DestDir is assumed to be a fixed-size char array. */

PAM_EXTERN int
pam_sm_open_session (pam_handle_t *pamh, int flags, int argc,
                     const char **argv)
{
    int retval;
    const char *user;
    const struct passwd *pwd;
    struct stat St;

    // Parse the args
    _pam_parse(pamh, flags, argc, argv);
    pam_info (pamh, "\nThese are the args flags. skel: %s, mkdir: %s, umask: %o", SkelDir, MkDir, UMask);

    // Determine the user name
    retval = pam_get_user(pamh, &user, NULL);
    if (retval != PAM_SUCCESS || user == NULL || *user == '\0')
    {
        pam_syslog(pamh, LOG_NOTICE, "user unknown");
        return PAM_USER_UNKNOWN;
    }

    // Build "<mkdir>/<user>" with a bounds check: the user name comes from the
    // login prompt, so an unchecked strcpy/strcat into a fixed buffer could overflow it
    if (snprintf(DestDir, sizeof(DestDir), "%s/%s", MkDir, user) >= (int) sizeof(DestDir))
    {
        pam_syslog(pamh, LOG_ERR, "path for user %s is too long", user);
        return PAM_SESSION_ERR;
    }

    // Get the password entry
    pwd = pam_modutil_getpwnam (pamh, user);
    if (pwd == NULL)
    {
        return PAM_CRED_INSUFFICIENT;
    }

    // For some reason stat wont work, using access instead.
    //retval = stat(DestDir,&St);
    retval = access(DestDir, F_OK);
    if ( retval == 0)
    {
        pam_info(pamh, "directory exists %s" ,DestDir);
    }
    return PAM_SUCCESS;
}
As you can see, right now, the module just prints the arguments specified in the pam config file at login time.
The problem is with the stat function. When I use it, nothing gets printed, even though the pam_info functions are called before the stat function.
If I use the access function, the module executes properly.
I'm kinda stumped as to why this is happening.
EDIT: I had included some code that checked the errno and other return values, but that code does not get executed. I didn't include it in the question because I didn't want to make the code too long to read. The module seems to fail and exit completely. It doesn't print anything. It just does nothing. But if I use access() the module works fine.
Source: (StackOverflow)
I need to put my Java information in a String, so I use the String(byte[] arrB) constructor.
Now this information is sent to the C program as a char* type. Now I need to get back the original bytes since, from my understanding, they were encoded in the process of creating a Java String.
How can I do that in the C program?
So, on the C side I have these bytes:
7e 53 e9 94 d4 46 f5 7c 66 cf 85 34 18 5a ff 6 2d a3 89 48 d2 e4 46 b8 6b 43 ec 64 3a 67 f9 2 6d 12 ac e7 0 c4 99 52 68 76 76 77 12 2 de 7d 5b e7 4e 5 6 73 f4 fc 91 54 12 71 64 7a 25 3d
They are in a char*, but they reach Java as a String and the String is:
7E 53 EF BF BD EF BF BD 46 EF BF BD 7C 66 CF 85 34 18 5A EF BF BD 06 2D EF BF BD EF BF BD 48 EF BF BD EF BF BD 46 EF BF BD 6B 43 EF BF BD 64 3A 67 EF BF BD 02 6D 12 EF BF BD EF BF BD
As you can see there are many similarities...
Source: (StackOverflow)
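The two byte dumps above are related by two lossy steps, both of which can be reproduced exactly. First, a char* ends at the first 0x00, so everything from the 0 byte onwards (c4 99 52 ...) never reaches Java. Second, the String constructor decodes with the platform charset, and a UTF-8 decoder replaces every ill-formed subsequence (any byte 0x80..0xBF without a lead byte, a lead byte whose continuation bytes are wrong, or the invalid leads 0xC0, 0xC1, 0xF5..0xFF) with U+FFFD, which re-encodes as EF BF BD; the one pair that happens to be well-formed UTF-8 (cf 85) survives. The following is an added example, not code from the original post: it runs the 64 bytes listed above through both steps and checks the result against the Java-side string, and shows hex encoding as the lossless way to carry binary across the boundary.

```c
/* Added example (not from the original post): reproduce what happens when
 * raw binary is pushed through new String(byte[]) under UTF-8 and read back:
 * (1) char* semantics cut the data at the first 0x00; (2) each ill-formed
 * UTF-8 subsequence becomes U+FFFD, re-encoded as EF BF BD. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 64 bytes from the question, as the C side holds them. */
static const uint8_t SAMPLE[] = {
    0x7e,0x53,0xe9,0x94,0xd4,0x46,0xf5,0x7c,0x66,0xcf,0x85,0x34,0x18,0x5a,0xff,0x06,
    0x2d,0xa3,0x89,0x48,0xd2,0xe4,0x46,0xb8,0x6b,0x43,0xec,0x64,0x3a,0x67,0xf9,0x02,
    0x6d,0x12,0xac,0xe7,0x00,0xc4,0x99,0x52,0x68,0x76,0x76,0x77,0x12,0x02,0xde,0x7d,
    0x5b,0xe7,0x4e,0x05,0x06,0x73,0xf4,0xfc,0x91,0x54,0x12,0x71,0x64,0x7a,0x25,0x3d };
#define SAMPLE_LEN (sizeof SAMPLE)

/* Length of the well-formed UTF-8 sequence at in[0] (at most n bytes), or,
 * for an ill-formed one, minus the length of its longest valid prefix: the
 * "maximal subpart" that the Unicode standard and Java's decoder replace
 * with a single U+FFFD. */
static int utf8_sequence(const uint8_t *in, size_t n)
{
    uint8_t b = in[0], lo = 0x80, hi = 0xBF;
    int need;
    if (b < 0x80) return 1;
    else if (b >= 0xC2 && b <= 0xDF) need = 1;
    else if (b >= 0xE0 && b <= 0xEF) { need = 2; if (b == 0xE0) lo = 0xA0; if (b == 0xED) hi = 0x9F; }
    else if (b >= 0xF0 && b <= 0xF4) { need = 3; if (b == 0xF0) lo = 0x90; if (b == 0xF4) hi = 0x8F; }
    else return -1;                         /* 0x80..0xC1, 0xF5..0xFF are never lead bytes */
    int have = 1;
    for (int i = 1; i <= need; i++) {
        if ((size_t)i >= n) return -have;   /* truncated sequence */
        if (in[i] < lo || in[i] > hi) return -have;
        lo = 0x80; hi = 0xBF;               /* only the second byte has a narrowed range */
        have++;
    }
    return have;
}

/* Simulate new String(char*) followed by getBytes(): NUL-truncate, decode with
 * replacement, re-encode.  out needs room for 3*n bytes; returns bytes written. */
size_t java_roundtrip(const uint8_t *in, size_t n, uint8_t *out)
{
    size_t len = 0, o = 0;
    while (len < n && in[len] != 0) len++;  /* char* semantics: stop at the first NUL */
    for (size_t i = 0; i < len; ) {
        int s = utf8_sequence(in + i, len - i);
        if (s > 0) { memcpy(out + o, in + i, (size_t)s); o += (size_t)s; i += (size_t)s; }
        else { out[o++] = 0xEF; out[o++] = 0xBF; out[o++] = 0xBD; i += (size_t)(-s); }
    }
    return o;
}

/* Lossless alternative: hex-encode before crossing the boundary (out: 2n+1 bytes). */
void hex_encode(const uint8_t *in, size_t n, char *out)
{
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) { out[2*i] = digits[in[i] >> 4]; out[2*i+1] = digits[in[i] & 15]; }
    out[2*n] = '\0';
}

/* Decode hex back to bytes; returns the count, or 0 on malformed input. */
size_t hex_decode(const char *hex, uint8_t *out, size_t cap)
{
    size_t n = strlen(hex);
    if (n == 0 || n % 2 || n / 2 > cap) return 0;
    for (size_t i = 0; i < n; i += 2) {
        int v = 0;
        for (int k = 0; k < 2; k++) {
            char c = hex[i + k];
            int d = (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10
                  : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
            if (d < 0) return 0;
            v = v * 16 + d;
        }
        out[i / 2] = (uint8_t)v;
    }
    return n / 2;
}

int main(void)
{
    uint8_t out[3 * SAMPLE_LEN];
    char hex[2 * sizeof out + 1];
    size_t n = java_roundtrip(SAMPLE, SAMPLE_LEN, out);
    hex_encode(out, n, hex);
    printf("after String round trip (%zu bytes): %s\n", n, hex);
    hex_encode(SAMPLE, SAMPLE_LEN, hex);
    printf("hex-encoded instead (%zu chars): %s\n", strlen(hex), hex);
    return 0;
}
```

The decoder follows the maximal-subpart rule, which is why e9 94 d4 becomes one replacement character rather than two: e9 94 is a valid prefix of a three-byte sequence that d4 then breaks. Nothing recovers the original bytes once the replacement has happened, so the fix lives on the producing side: transfer a length-prefixed byte array, or hex/Base64 text, never a char* holding binary.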
Specifically, running a chain of postfix, dovecot and nginx to provide a "nice" mail service to (not so many) users. All services share Pluggable Authentication Modules (PAM) as a possible authentication method. Currently, the system's "passwd" database is being used to authenticate against via PAM.
AWS Identity and Access Management (IAM) is a hard requirement. Therefore, any other service (like duosecurity) is not an option. Before I start to code a PAM module, I'm asking for your experience - how would you do it? Thanks!
Source: (StackOverflow)
Given a username and password, I need to check if there's a user on the local system with said username and password.
I'm aware of posix_getpwnam and using the PAM package, but both of these methods require that the PHP script have access to /etc/shadow. I'd rather not mess with permissions of system files or daemon users.
I imagine that this could be done either by messing with standard system commands such as sudo, or by writing my own small setuid C program. I could also try to connect to localhost via FTP or SSH with said username/password to validate it. Is there a simpler way?
Source: (StackOverflow)
I have a python script "start.py" that executes well from the command line. There is only one statement in it (print "hello"). EDIT: start.py contains also a working interpreter directive in the first line.
As soon as I run the script from a cron job, every time it fires there is a message in syslog:
Jun 7 02:57:01 mit CRON[23275]: Module is unknown
I tried already to add PATH and PYTHONPATH information to the cron file:
$ cat /etc/cron.d/my_cron
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PYTHONPATH=/usr/lib/python2.6:/usr/lib/python2.6/plat-linux2:/usr/lib/python2.6/lib-tk:/usr/lib/python2.6/lib-old:/usr/lib/python2.6/lib-dynload:/usr/lib/python2.6/dist-packages:/usr/lib/pymodules/python2.6:/usr/lib/pymodules/python2.6/gtk-2.0:/usr/local/lib/python2.6/dist-packages
* * * * * mit /home/mit/dev/start.py
I found several answers and solutions that seem the same but nothing helped me. What am I missing?
Source: (StackOverflow)
I am trying to install a vsftpd with some virtual users using the Berkeley DB. I have mainly followed this guide: http://www.neant.ro/2012/04/secure-ftp-with-vsftpd/ . Everything works fine, but I want to have the passwords hashed inside the database. I am using CentOS 6.3 with glibc 2.12.
From the manpage of pam_userdb.so I assume that I can use what crypt provides. If we take a look at the crypt(3) manpage, we can use SHA-256 and SHA-512. I would like to use one of those.
My doubt is how to implement it. From what I know, I need to edit my pam.d file and add the argument crypt, but... which value should I give it? 5 for SHA-256? 6 for SHA-512?
auth sufficient pam_userdb.so db=/path/to/db/virtual-users crypt=?
account sufficient pam_userdb.so db=/path/to/db/virtual-users crypt=?
session sufficient pam_loginuid.so
Now I need the password in SHA-256/SHA-512 inside the database. Which is the correct way to get the hash? I suppose I have to use the crypt function. However, I need to get it using Ruby, is there any way?
Thanks in advance for the help,
Source: (StackOverflow)
My link line to gcc includes the following two entries in succession:
-lrt
-lpam
And this appears expanded as:
/usr/lib64/librt.so /usr/lib/libpam.so
Why is rt resolved to lib64 whereas pam is resolved to lib and consequently fails:
/usr/lib/libpam.so: could not read symbols: File in wrong format
since it is only a 32-bit ELF. There is a /usr/lib64/libpam.so which is a 64-bit ELF; why isn't it taken?
Source: (StackOverflow)