PAM-script : Run scripts at authentication, session open and session close

From Deimos.fr / Bloc Notes Informatique

1 Introduction

You may need to run commands at authentication, or when a session opens or closes. pam_script, a PAM module, does exactly that.

2 Installation

Download it from the Freshmeat project page and untar it :

Command
wget http://freshmeat.net/redir/pam_script/22413/url_tgz/libpam-script_0.1.12.tar.gz
tar -xzvf libpam-script_0.1.12.tar.gz

Now install the dependencies :

Command aptitude
aptitude install libpam-dev gcc make

Now compile it :

Command make
$ make
gcc -Wall -pedantic -fPIC -shared  -o pam_script.so pam_script.c

Now you just need to copy it :

Command cp
cp pam_script.so /lib/security

3 Configuration

3.1 PAM

3.1.1 Session

To run something with root permissions when a session opens, edit /etc/pam.d/common-session and add the pam_script.so line :

Configuration File /etc/pam.d/common-session
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required        pam_script.so runas=root onsessionopen=/etc/security/onsessionopen
session sufficient      pam_ldap.so
session required        pam_unix.so

The options you can pass to pam_script are :

  • runas : the user the script runs as (runas=root)
  • onsessionopen : script launched when a session opens (onsessionopen=/etc/security/onsessionopen)
  • onsessionclose : script launched when a session closes (onsessionclose=/etc/security/onsessionclose)

3.1.2 Auth

You may also want to launch something at authentication :

Configuration File /etc/pam.d/common-auth
auth    required        pam_unix.so nullok_secure
auth     required pam_script.so onauth=/etc/security/onauth

3.2 Scripts

Just create the default scripts and set the permissions they need :

Command
touch /etc/security/onsessionopen /etc/security/onsessionclose /etc/security/onauth
chmod 755 /etc/security/onsessionopen /etc/security/onsessionclose /etc/security/onauth

And add this minimum content :

Configuration File /etc/security/on*
#!/bin/sh

4 Test & Debug

You can now test by adding, for example, "touch /tmp/test_ok" to the "onsessionopen" script. For more details, look at the logs :

Command tail
$ tail /var/log/auth.log
Jul 15 13:03:35 moonlight sshd[3777]: PAM-script: Real User is: pmavro
Jul 15 13:03:35 moonlight sshd[3777]: PAM-script: Command is:   /etc/security/onsessionopen
Jul 15 13:03:35 moonlight sshd[3777]: PAM-script: Executing uid:gid is: 0:0

All looks good :-)
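
With runas=root (and the 0:0 uid:gid in the log above), the hook scripts execute as root, so neither they nor their directory should be writable by anyone else. The audit below is an added example, not code from this page or from the pam_script project; the function names and the demo paths are made up for illustration, and on a real system you would call `audit_pam_file /etc/pam.d/common-session`.

```shell
#!/bin/sh
# Added example, not from the pam_script project: audit the hook scripts that
# pam_script.so lines reference, because with runas=root they execute as root.

# Print each path passed to onsessionopen=, onsessionclose= or onauth= on a
# non-comment pam_script.so line of PAM file $1.
pam_script_hooks() {
    grep -v '^[[:space:]]*#' "$1" | grep 'pam_script\.so' |
        tr -s '[:space:]' '\n' |
        sed -n -E 's/^(onsessionopen|onsessionclose|onauth)=//p'
}

# Succeed only if $1 is a regular file (not a symlink) owned by uid $2
# (default 0) with no group/other write bit, inside a directory locked down
# the same way; otherwise an unprivileged user could edit or swap the hook.
check_hook() {
    hook=$1 owner=${2:-0}
    [ -n "$(find "$hook" -prune -type f -user "$owner" \
            ! -perm -020 ! -perm -002 2>/dev/null)" ] &&
    [ -n "$(find "$(dirname "$hook")" -prune -type d -user "$owner" \
            ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Audit every hook in PAM file $1 (expected owner uid $2, default 0).
# Prints one verdict per hook and returns 1 if any hook is unsafe.
audit_pam_file() {
    rc=0
    for h in $(pam_script_hooks "$1"); do
        if check_hook "$h" "${2:-0}"; then echo "OK     $h"
        else echo "UNSAFE $h"; rc=1; fi
    done
    return $rc
}

# Constructed demo: throwaway PAM file and hooks owned by the current user.
demo() {
    d=$(mktemp -d) && chmod 700 "$d" || return 2
    printf '#!/bin/sh\n' > "$d/onsessionopen"; chmod 755 "$d/onsessionopen"
    printf '#!/bin/sh\n' > "$d/onauth";        chmod 777 "$d/onauth"
    cat > "$d/common-session" <<EOF
# session required pam_script.so onsessionopen=/ignored/comment
session required pam_script.so runas=root onsessionopen=$d/onsessionopen
auth    required pam_script.so onauth=$d/onauth
EOF
    audit_pam_file "$d/common-session" "$(id -u)"; ret=$?
    rm -rf "$d"; return $ret
}
demo || true
```

In the demo the 755 hook is reported OK and the 777 hook UNSAFE; the commented-out line is ignored.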