WitHol

Reputation: 31

PAM authentication fails despite the right password

I am trying to use PAM for authentication:

// gcc [file] -lstdc++ -lpam -lpam_misc
#include <iostream>
#include <security/pam_appl.h> 
#include <security/pam_misc.h>

int main()
{
    const char * username = "********";
    const char * password = "********";
    const char * data[] = {username, password};

    struct pam_conv pconv = {misc_conv, data};
    struct pam_handle *phandle = NULL;
    int result;

    result = pam_start("display_manager", username, &pconv, &phandle);
    std::cout << "pam_start: " << pam_strerror(phandle, result) << "\n";

    result = pam_authenticate(phandle, 0);
    std::cout << "pam_authenticate: " << pam_strerror(phandle, result) << "\n";
}

However, it fails with no helpful error message (it just says "Authentication failed") despite me providing the right password.

Here is my journalctl (I replaced username and host name with ********):

Oct 08 19:50:26 ******** main[42928]: pam_warn(display_manager:auth): function=[pam_sm_authenticate] flags=0 service=[display_manager] terminal=[<unknown>] user=[********] ruser=[<unknown>] rhost=[<unknown>]
Oct 08 19:50:26 ******** main[42928]: PAM pam_close_session: NULL pam handle passed
Oct 08 19:50:26 ******** main[42928]: PAM pam_setcred: NULL pam handle passed
Oct 08 19:50:26 ******** main[42928]: PAM pam_end: NULL pam handle passed

Upvotes: 0

Views: 584

Answers (1)

oditynet

Reputation: 61

You are not writing the authorization module correctly! The password is checked in the pam_sm_authenticate function, and in it you must implement the verification of your password. If it is correct, then return "PAM_SUCCESS" or "PAM_AUTH_ERR".

There cannot be a "main" function in your program. This is not an executable file, but a module. I suggest you look at my written module and how it is compiled. https://github.com/oditynet/2fact-telegram

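For example, the logic from my project:

/* converse() is a helper from the project linked above */
pin = converse(pamh, PAM_PROMPT_ECHO_OFF, "Please enter the PIN: ");
/* reject a missing reply instead of passing NULL to atoi() */
if (pin != NULL && atoi(pin) == 12345)
{
    return PAM_SUCCESS;
}
return PAM_AUTH_ERR;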

Upvotes: 0
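
An added example, not part of the question or the answer: the journal lines in the question are written by pam_warn, so it is worth checking which auth stack the service name passed to pam_start resolves to. The sketch below parses a constructed /etc/pam.d-style directory and applies Linux-PAM's fallback to the "other" service. The file contents are sample data, and the absence of a display_manager file is an assumption.

```python
import re

# Constructed sample of an /etc/pam.d-style directory (file name -> contents).
# Assumption: no "display_manager" file exists, so the lookup falls through.
SAMPLE_PAM_D = {
    "other": "#%PAM-1.0\n"
             "auth     required  pam_deny.so\n"
             "auth     required  pam_warn.so\n",
    "login": "auth     requisite pam_nologin.so\n"
             "auth     include   system-auth\n",
    "system-auth": "auth  [success=1 default=bad]  pam_unix.so try_first_pass\n"
                   "auth  required  pam_deny.so\n",
}

# type, control (plain word or [bracketed list]), module path
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_rules(name, configs, seen=()):
    """Yield (control, module) for each auth rule, following include/substack."""
    if name in seen or name not in configs:
        return
    for line in configs[name].splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if not m or m.group(1) != "auth":
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            yield from auth_rules(target, configs, seen + (name,))
        else:
            yield control, target.rsplit("/", 1)[-1]

def resolve_service(service, configs):
    """Return (file used, auth modules in order, True if the stack always fails)."""
    name = service.lower()          # Linux-PAM lowercases the service name
    source = name if name in configs else "other"
    modules, always_denies, may_skip = [], False, False
    for control, module in auth_rules(source, configs):
        modules.append(module)
        if control not in ("required", "requisite", "optional"):
            may_skip = True         # sufficient or [success=N] can bypass later rules
        elif module == "pam_deny.so" and control != "optional" and not may_skip:
            always_denies = True
    return source, modules, always_denies

if __name__ == "__main__":
    for svc in ("display_manager", "login"):
        print(svc, "->", resolve_service(svc, SAMPLE_PAM_D))
```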
