How do I create a PAM module?

Time: 2011-01-30 04:45:09

Tags: linux pam

Can anyone tell me about this... I want to create a PAM module similar to the login module in /etc/pam.d

3 answers:

Answer 0 (score: 11)

If you are looking for PAM-based face authentication during login, you need to write a module that does this for you and plug it into the login configuration file, /etc/pam.d/login.

Before jumping straight into that, I suggest you write some simple modules to understand the flow, using PAM and the configuration files; for example, start with the sshd PAM configuration file and try plugging in some sample PAM modules. I found these articles very useful:

http://aplawrence.com/Basics/understandingpam.html

https://www.packtpub.com/article/development-with-pluggable-authentication-modules-pam

FYI: Rohan Anil developed pam-face-authentication during GSoC 2008 for openSUSE; it is hosted at code.google.com/p/pam-face-authentication/

Answer 1 (score: 3)

One of the best resources for creating a PAM module is the documentation itself:

http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_MWG.html

But I agree with @GG: make sure you understand how PAM works.

Answer 2 (score: 3)

Since the answers here were written a long time ago, I can link my PAM tutorials: Write a Linux PAM module, and Linux PAM Configuration tutorial.

Before you start writing the module, I suggest you read the configuration tutorial first; there you learn what a module is for.

In short, a module is a shared object that PAM loads when an application wants to authenticate. Each time the application triggers a "stage" (auth, account, session, password), the corresponding function in the module is called. So your module should provide the following functions:

#include <security/pam_modules.h>   /* pam_handle_t, PAM_EXTERN, pam_get_user(), PAM_* return codes */
#include <security/pam_ext.h>       /* pam_get_authtok() */

PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    /* In this function we will ask for the username and the password with pam_get_user()
     * and pam_get_authtok(). We will then decide if the user is authenticated. */
    return PAM_AUTH_ERR;   /* fail closed until the real check is written */
}

PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    /* In this function we check that the user is allowed on the system. We already know
     * that he's authenticated, but we could apply restrictions based on time of day,
     * resources on the system etc. */
    return PAM_SUCCESS;    /* no restrictions applied in this skeleton */
}

PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    /* We could have much more information about the user other than password and username.
     * These are the credentials. For example, a Kerberos ticket. Here we establish those
     * and make them visible to the application. */
    return PAM_SUCCESS;    /* nothing to establish in this skeleton */
}

PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    /* When the application wants to open a session, this function is called. Here we should
     * build the user environment (setting environment variables, mounting directories etc). */
    return PAM_SUCCESS;
}

PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    /* Here we destroy the environment we created above. */
    return PAM_SUCCESS;
}

PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv){
    /* This function is called to change the authentication token. Here we should,
     * for example, replace the user's password with the new password. */
    return PAM_IGNORE;     /* this skeleton manages no token; let other modules in the stack decide */
}

In these functions you use the PAM API to retrieve the username and password from the application. This is done through the conversation function, which must be defined in the application (see this tutorial). At the end of each function you must return the PAM return code that determines the result (see this for the PAM error codes, and the module writer documentation in general).
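As a worked example of the auth stage described in this answer, here is a small but complete authentication module. It is an added example, not code from the answer or from the linked tutorials; the module name pam_allowlist, its allow= option, the DEMO_PASSWORD placeholder and the demo_auth() helper are all assumptions made for illustration. It shows the three things a first module gets wrong most often: reading module options from argv, failing closed on misconfiguration, and comparing the token without strcmp()'s early exit.

```c
/* pam_allowlist.c: an added, illustrative PAM auth module (not code from the
 * answers above). Options arrive in argv, the words after the module name in
 * /etc/pam.d/<service>:   auth required pam_allowlist.so allow=alice,bob
 * A user is authenticated when on the allow list and the token returned by
 * pam_get_authtok() equals DEMO_PASSWORD, a constructed placeholder for a real
 * credential check (hash compare, LDAP bind, ...). The policy code is PAM-free;
 * -DBUILD_PAM_MODULE adds the two entry points PAM calls for an auth module. */
#include <string.h>

static const char *const DEMO_PASSWORD = "correct horse battery staple";

struct opts { char allow[256]; };   /* comma-separated names from allow= */

/* One option per argv element, exactly as PAM passes them to pam_sm_*().
 * Returns -1 when allow= does not fit: a misconfiguration must fail closed. */
static int parse_opts(int argc, const char **argv, struct opts *o)
{
    memset(o, 0, sizeof *o);
    for (int i = 0; i < argc; i++) {
        if (strncmp(argv[i], "allow=", 6) != 0)
            continue;                               /* unknown option: ignore */
        if (strlen(argv[i] + 6) >= sizeof o->allow)
            return -1;
        strcpy(o->allow, argv[i] + 6);
    }
    return 0;
}

/* Whole-token match: "al" must not match "alice", nor "alice" match "alice2". */
static int user_allowed(const char *list, const char *user)
{
    size_t ulen = strlen(user);
    const char *p = list;
    for (;;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == ulen && memcmp(p, user, len) == 0)
            return 1;
        if (end == NULL)
            return 0;
        p = end + 1;
    }
}

/* Constant-time comparison: strcmp() stops at the first mismatch and so leaks
 * how many leading bytes were right. Only the typed token's length shows. */
static int ct_equal(const char *typed, const char *expected)
{
    size_t lt = strlen(typed), le = strlen(expected);
    unsigned char diff = (unsigned char)(lt != le);
    for (size_t i = 0; i < lt; i++)
        diff |= (unsigned char)(typed[i] ^ (i < le ? expected[i] : 0));
    return diff == 0;
}

/* The authentication decision, PAM-free: 1 = authenticate, 0 = reject. */
static int decide(const struct opts *o, const char *user, const char *authtok)
{
    if (user == NULL || *user == '\0' || authtok == NULL)
        return 0;
    return user_allowed(o->allow, user) && ct_equal(authtok, DEMO_PASSWORD);
}

/* The same decision under the constructed config line "allow=alice,bob", so
 * the policy can be exercised without a PAM stack. */
static int demo_auth(const char *user, const char *authtok)
{
    static const char *argv[] = { "allow=alice,bob", "unknown_opt" };
    struct opts o;
    return parse_opts(2, argv, &o) == 0 && decide(&o, user, authtok);
}

#ifdef BUILD_PAM_MODULE
#define PAM_SM_AUTH
#include <security/pam_modules.h>   /* pam_get_user(), PAM_* codes */
#include <security/pam_ext.h>       /* pam_get_authtok() */

int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    struct opts o;
    const char *user = NULL, *authtok = NULL;
    (void)flags;
    if (parse_opts(argc, argv, &o) != 0)
        return PAM_SERVICE_ERR;                     /* bad config: fail closed */
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL)
        return PAM_USER_UNKNOWN;
    /* Prompts through the application's conversation function, or reuses a
     * token an earlier module in the stack already stored as PAM_AUTHTOK. */
    if (pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL) != PAM_SUCCESS)
        return PAM_AUTH_ERR;
    return decide(&o, user, authtok) ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* An auth module must also export pam_sm_setcred(); nothing to establish here. */
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_SUCCESS;
}
#endif
```

Build it as a module with `gcc -DBUILD_PAM_MODULE -fPIC -shared -o pam_allowlist.so pam_allowlist.c -lpam` (libpam development headers required) and copy it into your distribution's module directory (for example /lib/security or /lib/x86_64-linux-gnu/security). Test it against a throwaway service file such as /etc/pam.d/pam_allowlist_test with a tool like pamtester before touching /etc/pam.d/login: a mistake in the login stack can lock you out, so keep a root shell open while you experiment.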