PAM module development question
Christopher Chisholm
christopher.chisholm at syamsoftware.com
Tue Dec 13 10:01:01 EST 2005
Hi All,
I'm having an issue with a PAM-aware authentication module I've written,
but only in x64 versions of Linux. I will attempt to explain in detail
our issue regarding PAM and x64 Linux distros.
Our product in Java needs to authenticate based on OS users. To
accomplish this, we determined we would use Pluggable Authentication
Modules (PAM) to see if a username/password is valid for the OS. To do
this we needed two parts: some code written in C to actually invoke
PAM, set up a conversation structure, that sort of thing. This C code
gets compiled into a shared object called libsyamlogin.so. The other
part was a Java login function, which loads libsyamlogin.so and through
JNI is able to gain access to its functions.
Our Java code is run using the Java Service Wrapper, which basically
provides an executable script and a config file to run a java program as
a system service. At first, our login code would not work at all. We
discovered we needed to add a line to the service wrapper executable
script:
LD_PRELOAD=<path to>libpam_misc.so.0
There is one other file of note, and that's the PAM configuration file
to use. This file goes into /etc/pam.d with other configuration files,
and defines how your application authenticates. In the C portion of the
code, you call a ' pam_start' function, which accepts as one of its
parameters a configuration file to use. I was unable to find any good
documentation on how this actually works, but at first I created what I
thought would be a simple working config file, which looked as follows:
<start file>
#%PAM-1.0
auth required pam_unix_auth.so
<end file>
This worked on some distros, and didn't work on others, so I switched
over to a standard one that already existed called 'system-auth', which
looks like this:
<start file>
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
<end file> (this file is slightly different on some distros, different
paths and such)
That so far has worked nicely for all x86 Linux distros. The problem
now is that this is not working at all on any x64 distros that we've
tried (RedHat, SuSE). I believe the problem has something to do with
the LD_PRELOAD line in the service wrapper script. Even though I know
the path to libpam_misc.so is correct, Linux says it cannot be found,
which prevents login from occurring.
Essentially I am looking for any ideas or suggestions as to how to
proceed. I've found it very hard to find any good documentation on
developing a very simple PAM aware application that simply performs a
check to see if a username/password is correct. I also don't quite
understand why the LD_PRELOAD=libpam_misc.so line is needed when
libpam_misc.so is usually in a folder that's already part of the
system's library path. Any ideas, suggestions, resource links, or
whatever else would be greatly appreciated.
Many thanks,
Christopher Chisholm
SyAM Software
Software Engineer