PAM-script : Executer des scripts à l'authentification, l'ouverture et la fermeture de session

From / Bloc Notes Informatique
Jump to: navigation, search

1 Introduction

You may need to run some things at authentication, opening or closing session. Here is what I've found. It's a module for pam.

2 Installation

Download from the Freashmeat project and untar it :

wget wget
tar -xzvf libpam-script_0.1.12.tar.gz

Now install the dependancies :

Command aptitude
aptitude install libpam-dev gcc make

Now compile it :

Command make
$ make
gcc -Wall -pedantic -fPIC -shared  -o pam_script.c

Now you just need to copy it :

Command cp
cp /lib/security

3 Configuration

3.1 PAM

3.1.1 Session

I would like to launch at session boot something with root permissions, edit the /etc/pam.d/common-session and add this line :

Configuration File /etc/pam.d/common-session
session required skel=/etc/skel/ umask=0022
session required runas=root onsessionopen=/etc/security/onsessionopen
session sufficient
session required        pam_unix

So after pam_script, you can do :

  • runas : choose the user you want to run script (runas=root)
  • onsessionopen : this script will be launched on started session (onsessionopen=/etc/security/onsessionopen)
  • onsessionclose : this script will be launched on closed session (onsessionclose=/etc/security/onsessionclose)

3.1.2 Auth

You may also want to launch something at authentification :

Configuration File /etc/pam.d/common-auth
auth    required nullok_secure
auth     required onauth=/etc/security/onauth

3.2 Scripts

Just create the default scripts and add your needed rights :

touch /etc/security/onsessionopen /etc/security/onsessionclose /etc/security/onauth
chmod 755 /etc/security/onsessionopen /etc/security/onsessionclose /etc/security/onauth

And add this minimum content :

Configuration File /etc/security/on*

4 Test & Debug

You can now test by adding for example "touch /tmp/test_ok" on the "onsessionopen" script. To have more details, please look at the logs :

Command tail
$ tail /var/log/auth.log
Jul 15 13:03:35 moonlight sshd[3777]: PAM-script: Real User is: pmavro
Jul 15 13:03:35 moonlight sshd[3777]: PAM-script: Command is:   /etc/security/onsessionopen
Jul 15 13:03:35 moonlight sshd[3777]: PAM-script: Executing uid:gid is: 0:0

All looks good :-)