Sun Dec 04 17:50:21 UTC 2016
PAM and pam_lua Introduction
This is meant as a small introduction to PAM and pam_lua, mainly as a "what to read next" style guide.
PAM stands for "Pluggable Authentication Modules" and it is a library/infrastructure for just that.
First, we need to be clear about what it does.
1) Credential authentication
- This one is obvious. PAM modules get the username and can ask for input, such as a password or a one-time code. The module then returns success or failure.
2) Account management and credential changing
- Password changing, but also changing of user information, for example the real name.
3) Session management
- Things to do pre- or post-login, such as setting of environment variables.
There are three main parts involved in using PAM:
+-----+      +-------------+      +-------------+
| APP | <--> | PAM Library | <--> | PAM Modules |
+-----+      +-------------+      +-------------+
Application
- This is the program itself, such as sshd or passwd.
PAM Library
- The PAM library manages the interaction between the program and the PAM modules.
- It also picks which PAM modules to use based on configuration files, more on that later.
PAM Modules
- These are the ones doing the work. There are different module types for each purpose of PAM.
On pretty much any PAM-based system, there are multiple modules used, because they are supposed to be simple and chainable.
The combination of these PAM modules does the job, resulting in a rather customizable setup.
A few common PAM modules are the following:
- pam_unix does the "traditional" UNIX authentication, with /etc/passwd and such. Pretty much always there.
- Checks passwords for weaknesses.
- Checks if the user is allowed access at this time.
- Mounts encrypted directories or even encrypted home folders automatically.
Configuration of PAM is quite nice. It is profile based, modular, ...
Sadly, a configuration guide would not only be OS specific, but also distribution specific.
Therefore, I won't cover it. I advise you to look at your distribution's documentation.
I hope I could get the basics of PAM down. This writeup most likely contains mistakes, so be warned.
pam_lua is a PAM module for Lua scripting, just like its name sounds.
It allows Lua to be used to write PAM modules, allowing you to quickly and easily write new authentication methods.
It's located here.
Its README contains the documentation and an example.
It should be quite easy for anyone knowing Lua to write their own authentication script.
However, given that you write the script, if you fuck up, someone could get into your system.
One possible use case for this is a custom second-factor authentication method, which is what I intended it for.
Another one would be to set up the session by setting environment variables, printing a banner, the time or something similar.
Both aren't very hard to do with pam_lua and don't require recompiling anything or dealing with the raw PAM API.
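As an added example (not code from pam_lua or its README), here is what a script covering both use cases could look like: one-time backup codes as a second factor on the auth hook, and a session hook that exports a variable and prints a banner. The pam.hook, pam.get_user, pam.readline, pam.info, pam.setenv and pam.ret.* names, the hook strings, and the /etc/security/pam_lua_codes path are assumptions to check against the README; the defensive points (fail closed, compare in constant time, consume a code after use) hold whatever the real API looks like.

```lua
-- Added example (not pam_lua's own code): one-time backup codes as a second
-- factor on the "auth" hook plus a session hook. pam.* names are assumed.
local CODE_DIR = "/etc/security/pam_lua_codes"  -- constructed path; 0600 files
-- Compare strings without leaking the position of the first mismatch.
local function const_eq(a, b)
  local diff = (#a == #b) and 0 or 1
  for i = 1, math.max(#a, #b) do
    if string.byte(a, i) ~= string.byte(b, i) then diff = diff + 1 end
  end
  return diff == 0
end
-- Load the user's unused codes (one per line); nil if none can be read.
local function load_codes(user)
  if not user or user:find("[^%w_.-]") then return nil end  -- no path tricks
  local f = io.open(CODE_DIR .. "/" .. user, "r")
  if not f then return nil end
  local codes = {}
  for line in f:lines() do
    if #line > 0 then codes[#codes + 1] = line end
  end
  f:close()
  return codes
end

local function auth()
  local user = pam.get_user()
  local codes = load_codes(user)
  if not codes then return pam.ret.auth_err end  -- fail closed
  local input = pam.readline("Backup code: ") or ""
  local remaining, matched = {}, false
  for _, c in ipairs(codes) do  -- always scan the whole list
    if not matched and const_eq(c, input) then matched = true
    else remaining[#remaining + 1] = c end
  end
  if not matched then return pam.ret.auth_err end
  local f = io.open(CODE_DIR .. "/" .. user, "w")  -- drop the used code
  if not f then return pam.ret.auth_err end
  f:write(table.concat(remaining, "\n"), #remaining > 0 and "\n" or "")
  f:close()
  return pam.ret.success
end

if pam.hook == "auth" then
  return auth()
elseif pam.hook == "open_session" then
  pam.setenv("LOGIN_TIME", os.date("!%Y-%m-%dT%H:%M:%SZ"))
  pam.info("Welcome, " .. tostring(pam.get_user()))
  return pam.ret.success
end
return pam.ret.ignore  -- other hooks: let the rest of the stack decide
```

The code files must be readable and writable only by root, since the module rewrites them after every successful use; if the script errors out for any reason, the stack should be configured so that counts as a failure, not a pass.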