gpt4 book ai didi

c - 跳过指纹读取器 PAM 模块以从 C 应用程序使用 PAM 进行身份验证

转载 作者:塔克拉玛干 更新时间:2023-11-03 01:07:55 26 4
gpt4 key购买 nike

我想使用 PAM 对我的 C 网络应用程序的用户进行身份验证,并且我找到了一个 a nice PAM example在 Stack 上,我附在底部。问题是,在我的开发机器中,我有一个 PAM 设置使用的指纹读取器,如 /etc/pam.d/common-auth 中所示:

#%PAM-1.0                                                                                                                                                                                                                        
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Authentication-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth sufficient pam_fprint.so
auth optional pam_gnome_keyring.so
auth required pam_unix2.so

pam_fprint.so 是指纹读取器插件。当您正常登录时,扫描可能会失败并提示您输入密码。但是,sshd 守护进程根本不启动指纹,我想了解它是如何跳过它的,因为例如 /etc/pam.d/sshd 引用了 common-auth 模块,所以它必须拉它..

#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed

我已尝试从 C 程序中引用“sshd”方案,但它仍会启动指纹读取器。我想以某种方式在 C 中跳过指纹读取器并保留我的指纹读取器默认配置。

    #include <stdlib.h>
#include <iostream>
#include <fstream>
#include <security/pam_appl.h>
#include <unistd.h>

// To build this:
// g++ test.cpp -lpam -o test

struct pam_response *reply;

//function used to get user input
int function_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
{
*resp = reply;
return PAM_SUCCESS;
}

int main(int argc, char** argv)
{
if(argc != 2) {
fprintf(stderr, "Usage: check_user <username>\n");
exit(1);
}
const char *username;
username = argv[1];

const struct pam_conv local_conversation = { function_conversation, NULL };
pam_handle_t *local_auth_handle = NULL; // this gets set by pam_start

int retval;

// local_auth_handle gets set based on the service
retval = pam_start("common-auth", username, &local_conversation, &local_auth_handle);

if (retval != PAM_SUCCESS)
{
std::cout << "pam_start returned " << retval << std::endl;
exit(retval);
}

reply = (struct pam_response *)malloc(sizeof(struct pam_response));

// *** Get the password by any method, or maybe it was passed into this function.
reply[0].resp = getpass("Password: ");
reply[0].resp_retcode = 0;

retval = pam_authenticate(local_auth_handle, 0);

if (retval != PAM_SUCCESS)
{
if (retval == PAM_AUTH_ERR)
{
std::cout << "Authentication failure." << std::endl;
}
else
{
std::cout << "pam_authenticate returned " << retval << std::endl;
}
exit(retval);
}

std::cout << "Authenticated." << std::endl;

retval = pam_end(local_auth_handle, retval);

if (retval != PAM_SUCCESS)
{
std::cout << "pam_end returned " << retval << std::endl;
exit(retval);
}

return retval;
}

最佳答案

我怀疑 sshd 是否真的跳过了那个模块。相反,我怀疑指纹识别器身份验证模块(明智地)正在检查身份验证用户是在本地系统上还是通过网络(它可以从 rhost 等 PAM 数据中找出来) ) 如果这是网络身份验证,则只是默默地不执行任何操作。您可以尝试查看源代码,看看它是否有这样的测试,或者尝试通过 pam_set_item 设置 PAM_RHOST,看看是否会改变行为。

为了回答您的实际问题,我认为除了一个模块之外,没有办法告诉 PAM 运行特定的 PAM 组。做你想做的事情的预期方法是在 /etc/pam.d 中创建一个新的配置文件,该文件与你传递给 pam_start 的应用程序名称匹配em>不包含common-auth,而是只包含您要运行的模块。

关于c - 跳过指纹读取器 PAM 模块以从 C 应用程序使用 PAM 进行身份验证,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/10912459/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com