pluckyDuck

Reputation: 1159

How to retrieve user password in cleartext using PAM?

I am writing a PAM module which writes the username/password to a file for further transaction by another application. I only saw the PAM_AUTHTOK item, but I'm not sure what type it is. Does anybody know that, or another way to get the cleartext password?

Upvotes: 7

Views: 9797

Answers (3)

Doug

Reputation: 7057

This is a very old thread, but there is also pam_exec: https://linux.die.net/man/8/pam_exec

e.g. Something like the following in the PAM Config:

auth sufficient pam_exec.so expose_authtok /usr/local/bin/myscript-example

Contents of myscript-example, echoing all the vars out:

#!/bin/sh
# With expose_authtok, pam_exec feeds the authentication token to the script's
# stdin (typically without a trailing newline) and exports the PAM items as
# PAM_* environment variables.
IFS= read -r password          # -r keeps backslashes in the password literally
echo "User: $PAM_USER"
echo "Ruser: $PAM_RUSER"
echo "Rhost: $PAM_RHOST"
echo "Service: $PAM_SERVICE"
echo "TTY: $PAM_TTY"
echo "Password : $password"    # debugging only: this prints the cleartext token
exit $?                        # exit 0 = success; any non-zero status is a failure for pam_exec

Upvotes: 11
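The script above is useful for seeing exactly what pam_exec delivers, but echoing the token is only for debugging. Below is an added example (not code from Doug's answer or from Linux-PAM) of a pam_exec helper that consumes the token the way the question wants, verifying it against a salted PBKDF2 record, without ever writing or printing the cleartext. It relies on the documented pam_exec behaviour: with expose_authtok the token arrives on stdin, PAM_USER/PAM_SERVICE/PAM_RHOST arrive in the environment, and exit status 0 is success while anything else is reported to PAM as a failure. The user record, salt, password, the script path /usr/local/bin/pam-verify.py and the round count are constructed for the demo; a real helper would load records from a root-only file.

```python
#!/usr/bin/env python3
"""Hypothetical pam_exec helper (added example, not from the original answer).

PAM configuration assumed for this demo:
    auth sufficient pam_exec.so expose_authtok /usr/local/bin/pam-verify.py

pam_exec writes the authentication token to our stdin and exports the PAM
items as PAM_* environment variables.  We verify the token against a salted
PBKDF2 record and exit 0 on success.  The cleartext never touches the disk
and is never logged.
"""
import hashlib
import hmac
import os
import sys
from typing import Dict

# Demo work factor; raise it for production (OWASP suggests 600k for PBKDF2-SHA256).
PBKDF2_ROUNDS = 100_000
# pam_exec semantics: 0 = success, any non-zero exit = failure.
EXIT_OK, EXIT_DENIED, EXIT_ERROR = 0, 1, 2


def hash_authtok(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> str:
    """Return a self-describing 'pbkdf2_sha256$rounds$salthex$dkhex' record."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_authtok(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored record.

    A malformed record (wrong field count, bad hex, bad round count) is treated
    as a failed verification rather than an exception, so a corrupt database
    can never accidentally grant access.
    """
    try:
        algo, rounds_s, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        rounds = int(rounds_s)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or rounds < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(dk, expected)


def strip_authtok(data: str) -> str:
    """pam_exec normally sends the token without a newline, but a shell wrapper
    or a manual test may add one.  Strip at most a single trailing newline so
    the password itself is never altered."""
    return data[:-1] if data.endswith("\n") else data


# Constructed demo credentials (assumption: a real helper reads a root-only file).
_DEMO_SALT = bytes.fromhex("9f3c6b1e4a7d20b5c8e1f0a2d4b6c8e0")
DEMO_DB: Dict[str, str] = {
    "alice": hash_authtok("correct horse battery staple", _DEMO_SALT),
}
# Record used to burn the same amount of time for unknown users (timing equalisation).
DUMMY_RECORD = hash_authtok("", bytes(16))


def authenticate(env: Dict[str, str], token: str, db: Dict[str, str]) -> int:
    """Map the PAM environment plus the token to a pam_exec exit status."""
    user = env.get("PAM_USER")
    if not user:
        return EXIT_ERROR                    # misconfiguration, not a wrong password
    stored = db.get(user)
    if stored is None:
        verify_authtok(token, DUMMY_RECORD)  # same cost as a real check
        return EXIT_DENIED
    return EXIT_OK if verify_authtok(token, stored) else EXIT_DENIED


def main() -> int:
    token = strip_authtok(sys.stdin.read())
    env = dict(os.environ)
    status = authenticate(env, token, DEMO_DB)
    # Log the decision for the operator; never the token.
    print(f"pam-verify: user={env.get('PAM_USER')} service={env.get('PAM_SERVICE')} "
          f"rhost={env.get('PAM_RHOST')} status={status}", file=sys.stderr)
    return status


if __name__ == "__main__":
    sys.exit(main())
```

To try it outside PAM: `printf '%s' 'correct horse battery staple' | PAM_USER=alice PAM_SERVICE=sshd ./pam-verify.py; echo $?` should print status 0, and a wrong password or unknown user prints 1. Because the line is `sufficient`, a non-zero exit simply falls through to the next module in the stack; make it `required` if this helper alone should decide the outcome.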

Paweł Hajdan

Reputation: 18542

How about just printing the contents of PAM_AUTHTOK when you're debugging? To make meaningful use of it you must have some sort of contract or convention between modules anyway.

By the way: there is a difference between keeping a cleartext password in memory and erasing it from there as soon as possible (or better: locking that region in RAM, or having encrypted swap), and writing that cleartext password to disk. The latter is just sooo insecure, don't do that.

Upvotes: 0

larsks

Reputation: 311238

Have you read the Linux-PAM Application Developer's Guide? On a RHEL-type system this will be in /usr/share/doc/pam-devel-<version>/Linux-PAM_ADG.txt, or you can find it online in various places.

Take a look at the Getting PAM items section, which documents the pam_get_item() function. You can request the password with the PAM_AUTHTOK constant:

PAM_AUTHTOK

The authentication token (often a password). This token should be ignored by all module functions besides pam_sm_authenticate(3) and pam_sm_chauthtok(3). In the former function it is used to pass the most recent authentication token from one stacked module to another. In the latter function the token is used for another purpose. It contains the currently active authentication token.

Upvotes: 3
