我试图通过 ssh 获取输入用户的用户名和密码,但我只能看到注册用户和非注册用户(Ubuntu 用户)的密码,我得到字符串 "INC" 。我正在尝试替换 Ubuntu 身份验证,并通过我自己的数据库测试用户是否合法,如果是,则重定向默认用户和密码。我的代码:
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
const char *user = NULL;
const char * password=NULL;
int pgu_ret, snp_ret, a_ret,retVal=0;
int i =0,pam_err=0;
FILE * fp =fopen("/var/log/test_pam_debug.txt","a");
fprintf(fp,"pam_sm_authenticate function start \n");
pgu_ret = pam_get_user(pamh, &user, NULL);
if (pgu_ret != PAM_SUCCESS || user == NULL) {
fprintf(fp,"pam_sm_authenticate get user failed \n");
fclose(fp);
return(PAM_IGNORE);
}
else
fprintf(fp,"pam_sm_authenticate user :%s \n",user);
/* get this user's authentication token */
retVal = pam_get_authtok(pamh, PAM_AUTHTOK, &password , NULL);
if (retVal != PAM_SUCCESS) {
if (retVal != PAM_CONV_AGAIN)
{
fprintf(fp,"auth could not identify password for [%s]\n", user);
}
else
{
fprintf(fp,"conversation function is not ready yet \n");
}
fclose(fp);
fprintf(fp,"retVal : %d \n ",retVal);
return(retVal);
}
else if(password)
fprintf(fp,"user=%s, password=[%s]\n", user,password);
/*TODO : here i will check the user && pasword via db in if so continue else return PAM_USER_UNKNOWN*/
if ((pam_err = pam_set_item(pamh, PAM_RUSER, "default_user")) != PAM_SUCCESS)
{ printf("\n pam_set_item( pamh, PAM_RUSER, rad) error msg : %s and return code : %d \n ", pam_strerror(pamh, pam_err),pam_err);
fclose(fp);
return(PAM_USER_UNKNOWN);
}
if ((pam_err = pam_set_item(pamh, PAM_AUTHTOK, "default_userPwd")) != PAM_SUCCESS)
{
printf("\n pam_set_item( pamh, PAM_AUTHTOK, rad123) error msg : %s and return code : %d \n ", pam_strerror(pamh, pam_err),pam_err);
fclose(fp);
return(PAM_CRED_INSUFFICIENT);
}
fclose(fp);
return(PAM_SUCCESS);
}
我将其编译为.so并添加了此内容以进行/etc/pam.d/sshd足够的身份验证/lib/x86_64-linux-gnu/security/pam_test.so
我的指纹在/var/log/test_pam_debug.txt
user=wewe, password=[ ]对于未知或有时
2..user=jhjh, password=[ IN]对于已知用户,它会打印用户密码(不是用户输入的密码,我似乎无法更改它)
答案1
发现问题如下:https://www.linuxquestions.org/questions/programming-9/can%27t-get-auth-token-for-non-local-users-with-pam-module-945164/
基本上问题是无法从未知用户获取密码,\b\n\r\177INCORRECT如果 Linux PAM 无法从系统数据库获取有关用户的信息(名称服务开关,请参阅 man nsswitch.conf), Linux PAM 将替换密码。可能的解决方法是使用 getpawn 检查用户是否存在。例子:
/* The actual pam functions are merely wrappers around succeed_if */
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
const char * password=NULL;
struct passwd *pwd;
const char *user;
int pam_err=0;
/* identify user */
pam_err = pam_get_user(pamh, &user, NULL);
if (pam_err != PAM_SUCCESS)
{
return (pam_err);
}
if ((pwd = getpwnam(user)) == NULL)
{
return (PAM_USER_UNKNOWN);
}
/* note : if user is not defined password return will be "^H$^M^?INCORRECT^@" */
pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, &password , NULL);
if (pam_err!=PAM_SUCCESS)
{
return (pam_err);
}
/* here add personal auhtentication */
pam_err = isAuthenticate((char *)user,(char *)password);
if (pam_err != PAM_OK)
{
return (PAM_AUTH_ERR);
}
return (PAM_SUCCESS);
}