Problem getting user input through script called by pam_exec























I was trying to use pam_exec.so on Ubuntu to call a script, prompt for user input and allow the user to log in through SSH if the script exits with an exit code of 0. I was unable to get this to work. So I wrote a simple script as follows to test pam_exec.so and see if the problem was with my original script. However I am getting the same issues even with this simple script.



/usr/local/bin/test.sh



#!/bin/bash
echo -n "Please enter your name:"
read name
echo "Hello $name"


I called it by including the following line after @include common-auth in /etc/pam.d/sshd



auth    required        pam_exec.so stdout /usr/local/bin/test.sh


But when I SSH into this system as seen below, I do not get a prompt to enter any input. As soon as I enter the password, I get logged in. However, the output of the script is visible.



Then I changed the above script as follows to exit with an exit code of 1 if no input is given.



#!/bin/bash
echo -n "Please enter your name:"
read name
if [ -z "$name" ]
then
    exit 1
else
    echo "Hello $name"
    exit 0
fi


Then I am unable to SSH into the system (screenshot below) even when I enter the correct password and I do not see any output of the script.






So what I want to know is how can I correct this problem and use pam_exec.so to run a script, get user input, and allow ssh authorization only if that script exits with an exit code of 0?




























  • 1




    pam_exec doesn't handle user input, so you have to look for a different solution.
    – Ipor Sircer
    Nov 7 '17 at 7:12






  • 1




    @IporSircer, do you know any PAM module for this task that can accept user input? I was unable to find one
    – Nilushan
    Nov 8 '17 at 10:03















ubuntu pam
















asked Nov 7 '17 at 5:49









Nilushan











1 Answer













I'm not familiar with the pam_exec.so implementation, but I've done a small PAM and I think it's tricky for any module to handle an interactive session with a third-party script, due to the way PAM conversation works (pam_conv_* functions) and the need to know when the third-party script would be reading from stdin or not (as the script is not simply exec'd by the module in the foreground).

Depending on the amount of effort one is willing to go to, building a PAM is not complicated, and you have easy-to-read examples in Python or Golang.

Another (maybe quicker) option is to use the stdin option in pam_exec.so.

Security aside, and depending on your use case, this might be enough, as it sends the password to the script's stdin.

If having your script input concatenated with the password is an option for you (like some 2FA implementations where you input password + OTP in the password field):

  • Add the stdin option to your pam_exec.so line

  • In your script, split the password from your second input

  • Handle password authentication itself (as pam_unix will fail to do it with the extra input)

  • Make use of your extra input
















        answered Dec 5 at 13:38









        Filipe Pina
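
The password + OTP procedure listed in the answer above, sketched as a pam_exec script. This is an added example, not part of the original answer. On Linux-PAM the pam_exec option that puts the password on the script's stdin is `expose_authtok`; the script path, the `/etc/pam-otp/<user>` secret files, and the use of perl and oathtool are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed PAM line, used in place of
# "@include common-auth" (pam_unix would reject password+OTP):
#   auth required pam_exec.so expose_authtok /usr/local/bin/pw-otp.sh
# The script path and /etc/pam-otp/<user> are hypothetical names.

# Split "<password><6-digit OTP>" into PASSWORD and OTP; fail if malformed.
split_authtok() {
    PASSWORD='' OTP=''
    [ "${#1}" -gt 6 ] || return 1
    PASSWORD=${1%??????}
    OTP=${1#"$PASSWORD"}
    case $OTP in
        *[!0-9]*) PASSWORD='' OTP=''; return 1 ;;
    esac
}

# Check the password against the shadow hash using crypt(3) through perl.
# The password is passed on stdin so it never appears in a process list.
password_ok() {  # $1 = user, $2 = password
    stored=$(getent shadow "$1" | cut -d: -f2)
    case $stored in ''|'!'*|'*'*) return 1 ;; esac  # no hash, or locked
    computed=$(printf %s "$2" | STORED=$stored perl -e \
        'local $/; my $p = <STDIN>; print crypt($p, $ENV{STORED}) // ""')
    [ "$computed" = "$stored" ]
}

# Compare the OTP with the current TOTP for the user's base32 secret.
# Assumes an oathtool that accepts "@FILE" to read the key from a file.
otp_ok() {  # $1 = user, $2 = otp
    case $1 in ''|.*|*/*) return 1 ;; esac  # keep the name inside /etc/pam-otp
    [ -r "/etc/pam-otp/$1" ] || return 1
    expected=$(oathtool --totp -b "@/etc/pam-otp/$1") || return 1
    [ "$2" = "$expected" ]
}

main() {
    # pam_exec writes the token with no trailing newline; strip any NUL byte.
    token=$(tr -d '\000')
    split_authtok "$token" || exit 1
    password_ok "$PAM_USER" "$PASSWORD" || exit 1
    otp_ok "$PAM_USER" "$OTP" || exit 1
    exit 0  # only exit code 0 lets the auth stack continue
}

# pam_exec exports PAM_TYPE and PAM_USER; do nothing outside the auth stack.
if [ "${PAM_TYPE:-}" = auth ]; then main; fi
```

Keep a second root session open while testing changes to /etc/pam.d/sshd, since a failing script in a `required` line locks out every SSH login.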
