This is a collection of instructions and simple example scripts to help customize the login to a Linux box with PAM, using libpam-python and/or libpam-script.
It is a work in progress, and new ideas and hints are welcome.
The instructions and the scripts have been tested with Ubuntu 12.04 LTS. Run them at your own risk.
Since working with PAM can cause authentication problems, keep a shell with root access open while experimenting.
Install the package libpam-python:
sudo apt-get install libpam-python
Copy the provided pam_custom.py and pam_custom.sh to /lib/security:
sudo cp pam_custom.py pam_custom.sh /lib/security
Make a backup of the file /etc/pam.d/common-auth:
sudo cp /etc/pam.d/common-auth /etc/pam.d/common-auth.original
Edit the file /etc/pam.d/common-auth, adding a line that declares your custom authentication method. It should look something like this:
auth [success=2 default=ignore] pam_python.so pam_custom.py /lib/security/pam_custom.sh
Put this line just before (or after, according to your needs) the other authentication methods.
Some explanations:
- "success=2" means that the 2 following lines should be skipped in case of success (edit as needed)
- "pam_python.so" is the name of the shared object that will be called by PAM
- "pam_custom.py" is the Python script that we provide
- "/lib/security/pam_custom.sh" is the bash script that is called by the Python script (if needed)
Edit the file /lib/security/pam_custom.sh according to your needs. It is a bash script that receives the username and password as command-line arguments, and must exit with 0 if the authentication is to be granted, or a non-zero value otherwise.
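The contract described above (helper path taken from the pam_python.so line, user name and password passed as arguments, exit status 0 meaning "grant") can be sketched as follows. This is an added example, not the repository's pam_custom.py; `helper_grants` is a hypothetical name, while `pam_sm_authenticate` and `pam_sm_setcred` are the entry points pam_python calls.

```python
# Added sketch of a pam_python module; NOT the repository's pam_custom.py.
import os
import subprocess


def helper_grants(script, user, password):
    """Hypothetical helper: True only if `script user password` exits 0."""
    # Fail closed on empty input or a missing / non-executable helper.
    if not user or not password or not os.access(script, os.X_OK):
        return False
    try:
        # Argument list and no shell: metacharacters in the user name or
        # password reach the helper literally and are never interpreted.
        status = subprocess.call([script, user, password], close_fds=True)
    except (OSError, ValueError, TypeError):
        # Exec failure or an embedded NUL byte: deny rather than raise.
        return False
    return status == 0


def pam_sm_authenticate(pamh, flags, argv):
    # argv[0] is this module; argv[1] is the helper path given on the
    # pam_python.so line in /etc/pam.d/common-auth.
    if len(argv) < 2:
        return pamh.PAM_AUTH_ERR
    try:
        user = pamh.get_user(None)
        password = pamh.authtok
        if password is None:
            # No earlier module collected a password, so prompt for one.
            msg = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Password: ")
            password = pamh.conversation(msg).resp
    except pamh.exception:
        return pamh.PAM_AUTH_ERR
    if helper_grants(argv[1], user, password):
        return pamh.PAM_SUCCESS
    # With "default=ignore" this result is ignored and the stack moves on
    # to the next auth line.
    return pamh.PAM_AUTH_ERR


def pam_sm_setcred(pamh, flags, argv):
    # Called by applications after authentication; nothing to set up here.
    return pamh.PAM_SUCCESS
```

Command-line arguments can be read from the process list by other local users while the helper runs, so keep the helper short-lived, owned by root and writable only by root.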