Is it possible to use Python as scripts for Linux PAM?

Question:

I want to call a Python script from the pam_exec module.

The first answer in this question says that I can’t use a Python script and a PAM module together.

“First off – you cannot use python code as a PAM module, it has to be compiled code that satisfies certain interface requirements. See here for more info.”

Here we are clearly given to understand that pam_exec is a PAM module.

“pam_exec – PAM module which calls an external command”

So is it possible to use python or not? (This also applies to my previous question.)

Asked By: Santa Monica


Answers:

You can use the pam-python library, which provides bindings and helper functions for working with PAM in Python.

Once your PAM module is written and compiled, you can configure it to be used by the PAM system by modifying the appropriate PAM configuration file. For example, if you want to use your PAM module for password authentication, you would add it to the /etc/pam.d/common-password file.

Answered By: August Vilakia

The difference between the two answers you cite is because of how the script is used.

In the negative answer, the Python script was listed directly as the PAM module. This will not work. PAM modules need to be shared objects, e.g. binary compiled code. They are directly linked into the running process that uses PAM as needed. A Python script isn’t compiled code.

In the positive answer, the PAM module used is pam_exec. pam_exec is a shared object:

/usr/lib64/security/pam_exec.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=d0c1dbb05c0689e3645193b45d3125d3b27b32ce, stripped

pam_exec then runs a program, which CAN be a Python script. Because it runs a program rather than dynamically linking to a shared object, it doesn’t have the same limitation. This is the whole point of pam_exec really.

So yes, you can use Python, but you must pam_exec the script. Do be aware of this note from pam_exec, it’s important:

“Commands called by pam_exec need to be aware of that the user can have control over the environment.”

Answered By: TrentP
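
The following sketch is an added example, not code from either answer or from the pam_exec project. It shows a Python script written to be run by pam_exec that treats the inherited environment as untrusted, which is what the man page note above asks for. The install path, the allowlist and the function names are assumptions made for illustration.

```python
#!/usr/bin/python3 -I
# -I (isolated mode) makes the interpreter ignore PYTHON* variables and the
# user site directory, so a caller-controlled environment cannot redirect imports.
# Hypothetical PAM line: auth required pam_exec.so /usr/local/sbin/pam_check.py
import os
import re
import sys

# Variables pam_exec sets itself; anything else in the environment is untrusted.
# Their values can still originate from the client, so validate before use.
PAM_VARS = ("PAM_USER", "PAM_TYPE", "PAM_SERVICE", "PAM_TTY", "PAM_RHOST", "PAM_RUSER")
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # conservative login-name shape
ALLOWED_USERS = frozenset({"alice", "bob"})      # constructed sample policy
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def clean_env(env):
    """Build the environment for any child process: PAM_* values, fixed PATH only."""
    out = {k: env[k] for k in PAM_VARS if k in env}
    out["PATH"] = SAFE_PATH
    return out


def decide(env):
    """Return the exit status pam_exec will see: 0 = success, non-zero = failure."""
    if env.get("PAM_TYPE") != "auth":
        return 1                      # this script is only meant for the auth stack
    user = env.get("PAM_USER", "")
    if not USER_RE.fullmatch(user):   # reject empty, over-long or odd names outright
        return 1
    return 0 if user in ALLOWED_USERS else 1


def main():
    env = clean_env(os.environ)
    os.environ.clear()                # drop PATH, LD_*, IFS, ... inherited from caller
    os.environ.update(env)
    return decide(env)


if __name__ == "__main__":
    sys.exit(main())
```

The script must be executable and owned and writable only by root, since pam_exec runs it with the privileges of the calling service.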