Is it possible to use custom script for authentication with PAM?
Solution 1
pam_exec can validate passwords using an external program.
Solution 2
You could write your own PAM module if you want. But the other solution is probably better. Check out a sample PAM module here: http://www.freebsd.org/doc/en/articles/pam/pam-sample-module.html
Solution 3
If this rails info is in a mysql dbase you can configure pam_mysql. There are pam modules for just about everything.
Here's one for ftp that I have with mysql:
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=allow file=/etc/vsftpd/ftpusers onerr=fail
auth sufficient pam_mysql.so user=virt_admin passwd=PASS host=localhost db=DBNAME table=TABLENAME usercolumn=USERNAMECOL passwdcolumn=PASSCOL crypt=3
auth required pam_shells.so
auth include system-auth
account sufficient pam_mysql.so user=virt_admin passwd=PASS host=localhost db=DBNAME table=TABLENAME usercolumn=USERNAMECOL passwdcolumn=PASSCOL crypt=3
account include system-auth
session include system-auth
session required pam_loginuid.so
You could also run a script that periodically dumps the username:passwords into a file and use the pam_pwdfile. There are a slew of choices.
http://www.kernel.org/pub/linux/libs/pam/modules.html
Comments
-
retro over 1 year
I want to enable users to use my rails application's credentials for login to sftp account. If I understand correctly I should somehow use PAM for this. But I didn't find any info on how to do this?
-
Michael Mior over 14 years
Just a note that documentation is here: pam-mysql.sourceforge.net
-
retro over 14 years
This seems like the solution I need. Although I couldn't find any info how the script should look and what should I return. I'm pretty new to PAM and it seems that pam_exec is not that much used solution. I know I'm asking for a lot, but do you have any other example than one in man page for pam_exec?
-
ptman over 14 years
No, I don't have any examples. And that man-page seems older than the one on my system. Based on my man-page I can guess though, that you want something like:
auth requisite pam_exec.so expose_authtok seteuid /usr/sbin/password-checking-program
where /usr/sbin/password-checking-program reads the password on stdin and returns 0 (success) if it is valid and anything else if it isn't.
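A sketch of the password-checking program the last comment describes, as an added example that is not part of the original thread. It reads the user name from the PAM_USER environment variable that pam_exec sets and the password from stdin, and exits 0 only on a match. The USERS table, the PBKDF2 scheme and the stripping of a trailing NUL or newline are assumptions for illustration; a real checker would query the application's own user store and use its hash format.

```python
#!/usr/bin/env python3
"""Checker for: auth requisite pam_exec.so expose_authtok seteuid <this script>"""
import hashlib
import hmac
import os
import sys

ITERATIONS = 100_000  # assumption: PBKDF2-HMAC-SHA256; use the application's real scheme


def pbkdf2(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


# Constructed sample store standing in for the application's user table.
USERS = {"alice": (b"constructed-salt", pbkdf2(b"correct horse", b"constructed-salt"))}
# Hashed for unknown users so they cost the same work as known ones.
DUMMY = (b"dummy-salt", pbkdf2(b"dummy", b"dummy-salt"))


def read_authtok(raw: bytes) -> bytes:
    """Return the password from stdin data, dropping a trailing NUL or newline."""
    return raw.split(b"\0", 1)[0].rstrip(b"\r\n")


def check(user: str, password: bytes, users=USERS) -> bool:
    salt, expected = users.get(user, DUMMY)
    ok = hmac.compare_digest(pbkdf2(password, salt), expected)  # constant-time compare
    # Unknown users and empty passwords always fail, after the same hashing work.
    return ok and user in users and bool(password)


def main(env=os.environ, stdin=None) -> int:
    # pam_exec exports PAM_TYPE; refuse to answer for anything but the auth stack.
    if env.get("PAM_TYPE") != "auth":
        return 1
    source = stdin if stdin is not None else sys.stdin.buffer
    password = read_authtok(source.read(4096))
    # Exit status is the only result PAM sees: 0 is success, anything else is failure.
    return 0 if check(env.get("PAM_USER", ""), password) else 1


if __name__ == "__main__":
    sys.exit(main())
```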