Hi, 

I’m trying to implement PAM authentication with pam_exec, running a PHP 
script to implement double authentication validation (I could use pam_google, but 
in my case I want to have some users without double auth; probably there is 
another method…). Using pam_exec, sometimes I don’t see the password, and I’m 
not sure if the problem is in libreswan or on the PAM side.

Can you help me?
I appreciate any tip to figure out the problem…


The pluto configuration is:

auth required pam_exec.so debug expose_authtok /scripts/ipsec_xauth.php
account required pam_exec.so debug /scripts/ipsec_xauth.php
session required pam_exec.so debug /scripts/ipsec_xauth.php

And in the connection I’ve got "xauthby=pam".


I’ve modified the source files programs/pluto/pam_auth.c and 
programs/pluto/pam_conv.c to print the password in the debug output:

diff --git a/programs/pluto/pam_auth.c b/programs/pluto/pam_auth.c
index b6b12031ae..7d5f78318e 100644
--- a/programs/pluto/pam_auth.c
+++ b/programs/pluto/pam_auth.c
@@ -160,9 +160,10 @@ static int pam_child(void *arg, struct logger *logger)
 {
        struct pam_auth *pamauth = arg;
 
-       dbg("PAM: #%lu: PAM-process authenticating user '%s'",
+       dbg("PAM: #%lu: PAM-process authenticating user '%s' with password 
'%s'",
            pamauth->serialno,
-           pamauth->ptarg.name);
+           pamauth->ptarg.name,
+           pamauth->ptarg.password);
        bool success = do_pam_authentication(&pamauth->ptarg, logger);
        dbg("PAM: #%lu: PAM-process completed for user '%s' with result %s",
            pamauth->serialno, pamauth->ptarg.name,
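Review bot: this dbg() now writes the cleartext XAUTH password (`pamauth->ptarg.password`) into pluto's debug log, which ends up in syslog or the journal on most installs; for a troubleshooting build, log only whether the token is present, e.g. `pamauth->ptarg.password != NULL && *pamauth->ptarg.password != '\0' ? "set" : "empty"`. Note also that the new string literal is split across two lines here (`...with password ` / `'%s'",`), presumably by mail wrapping; please confirm the real patch keeps it on one line, since a literal broken by a newline does not compile.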
@@ -198,8 +199,8 @@ bool pam_auth_fork_request(struct ike_sa *ike,
        pamauth->ptarg.c_instance_serial = 
ike->sa.st_connection->instance_serial;
        pamauth->ptarg.atype = atype;
 
-       dbg("PAM: #%lu: main-process starting PAM-process for authenticating 
user '%s'",
-           pamauth->serialno, pamauth->ptarg.name);
+       dbg("PAM: #%lu: main-process starting PAM-process for authenticating 
user '%s' password: '%s'",
+           pamauth->serialno, pamauth->ptarg.name, pamauth->ptarg.password);
        pamauth->child = server_fork("pamauth", pamauth->serialno, md,
                                     pam_child,
                                     pam_callback, pamauth,
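Review bot: same concern as the first hunk, and this copy runs in the main pluto process before the PAM child is forked, so the secret is logged twice per attempt (here and again in pam_child()). `%s` is also handed `pamauth->ptarg.password` unguarded; a NULL there is undefined behaviour in the format call, so either guard it (`... != NULL ? ... : "(null)"`) or, better, drop the password from the message and keep only the user name.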
diff --git a/programs/pluto/pam_conv.c b/programs/pluto/pam_conv.c
index 6546055e03..f49688830f 100644
--- a/programs/pluto/pam_conv.c
+++ b/programs/pluto/pam_conv.c
@@ -110,10 +110,10 @@ static int pam_conv(int num_msg,
 
 static void dbg_pam_step(const struct pam_thread_arg *arg, const char *what)
 {
-       dbg("%s helper thread %s for state #%lu, %s[%lu] user=%s.",
+       dbg("%s helper thread %s for state #%lu, %s[%lu] user=%s password=%s.",
            arg->atype, what,
            arg->st_serialno, arg->c_name,
-           arg->c_instance_serial, arg->name);
+           arg->c_instance_serial, arg->name, arg->password);
 }
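Review bot: dbg_pam_step() is invoked at every PAM step (pam_start, pam_set_item, pam_authenticate in the log further down), so this one-line change repeats the cleartext password on each of those lines; `arg->password` can also be NULL here, which `%s` does not handle portably. Suggest logging a presence flag instead of the value: `arg->password != NULL && arg->password[0] != '\0' ? "set" : "empty"`.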



From the logs it looks OK; the password is not empty: 

Mar 19 10:06:41 marces pluto[512823]: "tunnel5"[14] 192.168.10.169 #14: XAUTH: PAM authentication method requested to authenticate user '1000@lab.local'
Mar 19 10:06:41 marces pluto[512823]: | PAM: #14: main-process starting PAM-process for authenticating user '1000@lab.local' password: 'pwd247956'
Mar 19 10:06:41 marces pluto[512823]: | forked child pamauth 3129126
Mar 19 10:06:41 marces pluto[512823]: | pid: newref @0x55aaaf79f878(0->1) (add_pid() +139 programs/pluto/server_fork.c)
Mar 19 10:06:41 marces pluto[512823]: | clone logger: newref @0x55aaaf7a45b8(0->1) (add_pid() +147 programs/pluto/server_fork.c)
Mar 19 10:06:41 marces pluto[512823]: | struct msg_digest: addref @0x55aaaf794a48(1->2) (add_pid() +148 programs/pluto/server_fork.c)
Mar 19 10:06:41 marces pluto[512823]: | complete v1 state transition with STF_SUSPEND
Mar 19 10:06:41 marces pluto[512823]: | #14 STATE_XAUTH_R0: retransmits: cleared
Mar 19 10:06:41 marces pluto[512823]: | #14 spent 0.75 (0.75) milliseconds in process_v1_packet_tail()
Mar 19 10:06:41 marces pluto[512823]: | packet from 192.168.10.169:500: delref @0x55aaaf794a48(2->1) (process_iface_packet() +320 programs/pluto/demux.c)
Mar 19 10:06:41 marces pluto[512823]: | spent 1.66 (1.66) milliseconds in process_iface_packet() reading and processing packet
Mar 19 10:06:41 marces pluto[3129126]: | PAM: #14: PAM-process authenticating user '1000@lab.local' with password 'pwd247956'
Mar 19 10:06:41 marces pluto[3129126]: | XAUTH helper thread pam_start for state #14, tunnel5[14] user=1000@lab.local password=pwd247956.
Mar 19 10:06:41 marces pluto[3129126]: | XAUTH helper thread pam_set_item for state #14, tunnel5[14] user=1000@lab.local password=pwd247956.
Mar 19 10:06:41 marces pluto[3129126]: pam_exec(pluto:auth): send password to child
Mar 19 10:06:41 marces pluto[3129127]: pam_exec(pluto:auth): Calling /scripts/ipsec_xauth.php ...
Mar 19 10:06:42 marces pluto[512823]: | processing signal PLUTO_SIGCHLD
Mar 19 10:06:42 marces pluto[512823]: | waitpid returned nothing left to do (all child processes are busy)
Mar 19 10:06:42 marces pluto[512823]: | spent 0.00694 (0.00686) milliseconds in signal handler PLUTO_SIGCHLD
Mar 19 10:06:42 marces pluto[3129126]: | XAUTH helper thread pam_authenticate for state #14, tunnel5[14] user=1000@lab.local password=pwd247956.
Mar 19 10:06:42 marces pluto[3129128]: pam_exec(pluto:account): Calling /scripts/ipsec_xauth.php ...
Mar 19 10:06:42 marces pluto[512823]: | processing signal PLUTO_SIGCHLD
Mar 19 10:06:42 marces pluto[512823]: | waitpid returned nothing left to do (all child processes are busy)
Mar 19 10:06:42 marces pluto[512823]: | spent 0.0126 (0.0699) milliseconds in signal handler PLUTO_SIGCHLD
Mar 19 10:06:42 marces pluto[3129126]: pam_exec(pluto:account): /scripts/ipsec_xauth.php failed: exit code 1
Mar 19 10:06:42 marces pluto[3129126]: "tunnel5"[14] 192.168.10.169 #14: XAUTH FAILED during pam_acct_mgmt with 'System error' for state #14, tunnel5[14] user=1000@lab.local.

But in my PHP script, the password read from STDIN is sometimes empty.

The script: 
<?php
// pam_exec only writes the token to stdin during the "auth" phase when the stack
// line has expose_authtok; in the account/session phases fgets() returns false
// and trim() turns that into ''.
$password = trim((string)fgets(STDIN));
$logFile = "/var/log/pam_exec.log";
file_put_contents($logFile, "Script executed at " . date("Y-m-d H:i:s")
    . " _ENV: " . json_encode($_ENV) . " argv: " . json_encode($argv)
    . " _SERVER: " . json_encode($_SERVER) . "  password:'" . $password . "'\n",
    FILE_APPEND);
?>

The log:
Script executed at 2025-03-19 10:06:42 _ENV: {"PAM_SERVICE":"pluto","PAM_USER":"1000@lab.local","PAM_RHOST":"192.168.10.169","PAM_TYPE":"account"} argv: ["\/scripts\/ipsec_xauth.php"] _SERVER: {"PAM_SERVICE":"pluto","PAM_USER":"1000@lab.local","PAM_RHOST":"192.168.10.169","PAM_TYPE":"account","PHP_SELF":"\/scripts\/ipsec_xauth.php","SCRIPT_NAME":"\/scripts\/ipsec_xauth.php","SCRIPT_FILENAME":"\/scripts\/ipsec_xauth.php","PATH_TRANSLATED":"\/scripts\/ipsec_xauth.php","DOCUMENT_ROOT":"","REQUEST_TIME_FLOAT":1742375202.0661640167236328125,"REQUEST_TIME":1742375202,"argv":["\/scripts\/ipsec_xauth.php"],"argc":1}  password:''


If I manually run pamtester, it is OK:
[10:11:53][marces][~]# pamtester pluto 1000@lab.local authenticate
Password: 
pamtester: successfully authenticated

The log:
Script executed at 2025-03-19 10:12:13 _ENV: {"PAM_SERVICE":"pluto","PAM_USER":"1000@lab.local","PAM_TYPE":"auth"} argv: ["\/scripts\/ipsec_xauth.php"] _SERVER: {"PAM_SERVICE":"pluto","PAM_USER":"1000@lab.local","PAM_TYPE":"auth","PHP_SELF":"\/scripts\/ipsec_xauth.php","SCRIPT_NAME":"\/scripts\/ipsec_xauth.php","SCRIPT_FILENAME":"\/scripts\/ipsec_xauth.php","PATH_TRANSLATED":"\/scripts\/ipsec_xauth.php","DOCUMENT_ROOT":"","REQUEST_TIME_FLOAT":1742375533.4040420055389404296875,"REQUEST_TIME":1742375533,"argv":["\/scripts\/ipsec_xauth.php"],"argc":1}  password:'pwd381568'



—
António Silva
Tel: +34 918 039 251
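
As an added example (not the poster's script, nor libreswan or pam_exec code), here is how the helper can be split by phase so the account and session invocations in the stack above never expect a token: pam_exec only passes the password on stdin during auth, and only when that line carries expose_authtok. The user list, hex secrets, the appended TOTP second factor, the log path and the php shebang are assumptions; checking the primary password is left to another module in the stack.

```php
#!/usr/bin/env php
<?php
// Added example, not the poster's script or libreswan code: a pam_exec helper
// that reads the token from stdin only under PAM_TYPE=auth, where the
// expose_authtok option makes pam_exec send it, and answers the account and
// session phases without touching stdin. Exit 0 is PAM_SUCCESS, anything else
// fails the module. Users, secrets and the OTP scheme are constructed for the demo.
const LOG_FILE = '/var/log/pam_exec.log';
// Users who must append a 6-digit TOTP code to their password; everyone else is
// exempt from the second factor. Hex-encoded secrets (this one is the RFC 6238
// test secret "12345678901234567890"); a real deployment would store them elsewhere.
const TOTP_SECRETS = ['1000@lab.local' => '3132333435363738393031323334353637383930'];
function logLine(string $msg): void {
    // Record whether a token arrived, never the token itself.
    file_put_contents(LOG_FILE, date('Y-m-d H:i:s') . " $msg\n", FILE_APPEND);
}
// RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamic truncation, 6 digits.
function totp(string $hexSecret, int $time): string {
    $hmac = hash_hmac('sha1', pack('J', intdiv($time, 30)), hex2bin($hexSecret), true);
    $offset = ord($hmac[19]) & 0x0f;
    $code = (unpack('N', substr($hmac, $offset, 4))[1] & 0x7fffffff) % 1000000;
    return str_pad((string)$code, 6, '0', STR_PAD_LEFT);
}

function checkSecondFactor(string $user, string $token, int $now): bool {
    if (!isset(TOTP_SECRETS[$user])) return true;   // exempt user, no second factor
    if (strlen($token) < 6) return false;
    $code = substr($token, -6);                     // OTP is appended to the password
    foreach ([-30, 0, 30] as $skew) {               // tolerate one step of clock drift
        if (hash_equals(totp(TOTP_SECRETS[$user], $now + $skew), $code)) return true;
    }
    return false;
}

$type = getenv('PAM_TYPE') ?: '';
$user = getenv('PAM_USER') ?: '';
switch ($type) {
    case 'auth':
        // Only this phase carries the token on stdin; strip just the terminator.
        $token = rtrim((string)fgets(STDIN), "\r\n\0");
        logLine("auth user=$user token_received=" . ($token === '' ? 'no' : 'yes'));
        exit(checkSecondFactor($user, $token, time()) ? 0 : 1);
    case 'account':
    case 'open_session':
    case 'close_session':
        logLine("$type user=$user (pam_exec sends no token on stdin in this phase)");
        exit(0);
    default:
        exit(1);                                    // setcred/chauthtok not handled
}
```

With this split, the account line in the stack above no longer depends on reading a password it was never given, which is the exit code 1 seen in the pluto log.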

_______________________________________________
Swan-dev mailing list -- swan-dev@lists.libreswan.org
To unsubscribe send an email to swan-dev-le...@lists.libreswan.org
