PAM application development and internal implementation source code analysis

Article title: PAM application development and internal implementation source code analysis. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
　　 1 Introduction
Identity authentication is one of the important mechanisms for operating system security. The system verifies the user's identity authentication through the authentication mechanism and serves as a condition for determining the user's entry into the system, is the first threshold to prevent malicious users from entering the system. In recent years, authentication theories and technologies have developed rapidly, and various authentication mechanisms have emerged, such as password mechanism, RSA, DCE, kerberos authentication system, S/Key, and smart card-based identity authentication. However, when a new authentication mechanism is introduced in the system, some system entry login services such as login, rlogin, telnet and other applications must be rewritten to adapt to the new authentication mechanism. To solve this problem, Sun's Vipin Samar and Charlie Lai proposed PAM (Pluggable Authentication Modules) in 1995 and applied it to the Solaris system. The PAM framework separates applications from specific authentication mechanisms, so that when the system changes the authentication mechanism, it no longer needs to modify the application using the authentication mechanism, as long as the administrator configures the application's authentication service module, it greatly improves the versatility and flexibility of the authentication mechanism.
　　
Currently, most operating systems use PAM for identity authentication, including Linux-PAM in Linux and OpenPAM in FreeBSD5.x (Linux-PAM in FreeBSD 4.x. Their implementation principles are the same, but the implementation details are different. The following describes PAM application development.
　　
　　 2 PAM application development
2.1 PAM Framework Overview
PAM can be used to plug and remove the authentication module. It provides a central mechanism to authenticate all services and is applicable to applications such as login, remote logon (telnet, rlogin, fsh, ftp, point-to-Point Protocol (PPP), and su. The system administrator uses the PAM configuration file to develop different authentication policies for different applications. application developers use the pam api (pam_xxxx () in the service program to call the authentication method; the developers of the PAM Service Module use pam spi to compile the module (mainly to introduce some functions pam_sm_xxxx () for calling by the PAM interface library) and add different authentication mechanisms to the system; the PAM interface library (libpam) reads the configuration file and associates the application with the corresponding PAM service module. PAM framework structure.
　　
　　 　
Pamh is a pam_handle structure, which is a very important processing handle. it is the only data structure for PAM to communicate with the application, and the only handle for calling the PAM interface library API. The pam_handle data structure is described in the following source code analysis section.
　　
In addition, the service modules shown in are divided into auth (authentication management), account (account Management), session (session management), and passwd (password management, the role of each type of module and the four components of the configuration file: Module type, control mark, module path, module parameters, and so on are described in many articles about PAM configuration management, I will not go into details here.
　　
2.2 Use PAM authentication in applications
Each application that uses PAM authentication starts with pam_start and ends with pam_end. PAM also provides pam_get_item and pam_set_item to share some public information about the authentication session, such as the user name, service name, password, and session function. The application can use these APIs to change the status information after calling pam_start. There are six API functions used for authentication (the following six functions are referred to as authentication APIs ):
　　
Authentication Management-includes pam_authenticate () function to authenticate users, pam_setcred () settings, refresh, or destroy user certificates.
Account management-including pam_acc_mgmt () to check whether authenticated users can access their accounts. This function can implement password validity period and access time restrictions.
Session Management-includes the pam_open_session () and pam_close_session () functions for managing sessions and accounting. For example, the system can store the full time of a session.
Password management-includes the pam_chauthok () function to change the password.
Here is a simple login simulation program:
　　
/* Use the two header files required by PAM */
# Include
# Include
　　
Void main (int argc, char * argv [], char ** renvp)
{
/* Initialize and provide a callback function */
If (pam_start ("login", user_name, & pam_conv, & pamh ))! = PAM_SUCCESS)
Exit (1 );
　　
/* Set some parameters for authenticated user information */
Pam_set_item (pamh, PAM_TTY, ttyn );
Pam_set_item (pamh, PAM_RHOST, remote_host );
　　
While (! Authenticated & retry <MAX_RETRIES)
{
Status = pam_authenticate (pamh, 0);/* authenticate and check whether the password entered by the user is correct */
}
　　
/* If authentication fails, the application exits */
If (status! = PAM_SUCCESS)
{
......
Exit (1 );
}
　　
/* After passing the password authentication, call the account management API to check whether the user account has expired */
If (status = pam_acct_mgmt (pamh, 0 ))! = PAM_SUCCESS)
{
If (status = PAM_AUTHTOK_EXPIRED)
{
Status = pam_chauthtok (pamh, 0);/* requires the user to change the password when it expires */
If (status! = PAM_SUCCESS)
Exit (1 );
}
}
/* Open the session after the account management check */
If (status = pam_open_session (pamh, 0 )! = PAM_SUCCESS)
Exit (status );
......
/* Create a user certificate for the authentication service */
Status = pam_setcred (pamh, PAM_ESTABLISH_CRED );
If (status! = PAM_SUCCESS)
Exit (status );
......
Pam_end (pamh, PAM_SUCCESS);/* end of PAM transaction */
......
}
　　
From the above procedures, we can understand the general process of using PAM authentication. we can also see that the pam api makes the authenticated application not only do not have to care about the underlying service modules, it is more concise and clear in writing.
　　
For more details about developing and using PAM applications, see The Linux-PAM Application Developers Guide.
　　
2.3 How to develop the PAM Service Module
First, the source program of the service module should contain the following header files:
　　
# Include
　　
The PAM service module is a dynamic link library file (or static library). The PAM interface library loads these libraries through dlopen. Assuming that the source program is named pam_module-name.c, you need to use the following command to compile it into a dynamic link library:
　　
Pam_module-name.c gcc-fPIC-c
Ld-x -- shared-o pam_module-name.so pam_module-name.o
　　
Option-fPIC refers to the Position Independent Code, which supports large offset. Use the -- shared option to put the target code into the shared target Library.
　　
The functions to be implemented by each of the four types of modules are shown in the following table:
　　
　　 　
Of course, the same service module can belong to multiple types at the same time, as long as the functions to be implemented by these types of modules are implemented, for example, the classic password authentication module pam_unix.so provided by PAM can support four types of modules.
　　
The following is a simple source program pam_deny.c of the pam_deny module:
　　
1. # define PAM_SM_AUTH
2. # define PAM_SM_ACCOUNT
3. # define PAM_SM_SESSION
4. # define PAM_SM_PASSWORD
5. # include ".../../libpam/include/security/pam_modules.h"
6./* --- implement the authentication management function ---*/
7. PAM_EXTERN int pam_sm_authenticate (pam_handle_t * pamh, int flags, int argc
8. const char ** argv)
9 .{
10. return PAM_AUTH_ERR;
11 .}
12. PAM_EXTERN int pam_sm_setcred (pam_handle_t * pamh, int flags, int argc
13. const char ** argv)
14 .{
15. return PAM_CRED_UNAVAIL;
16 .}
17./* --- implementation of account management functions ---*/
18. PAM_EXTERN int pam_sm_acct_mgmt (pam_handle_t * pamh, int flags, int argc
19., const char ** argv)
20 .{
21. return PAM_ACCT_EXPIRED;
22 .}
23./* --- implement the password management function ---*/
24. PAM_EXTERN int pam_sm_chauthtok (pam_handle_t * pamh, int flags, int argc
25. const char ** argv)
26 .{
27. return PAM_AUTHTOK_ERR;
28 .}
29./* --- session management function implementation ---*/
30. PAM_EXTERN int pam_sm_open_session (pam_handle_t * pamh, int flags, int argc
31. const char ** argv)
32 .{
33. return PAM_SYSTEM_ERR;
34 .}
35. PAM_EXTERN int pam_sm_close_session (pam_handle_t * pamh, int flags, int argc
36., const char ** argv)
37 .{
38. return PAM_SYSTEM_ERR;
39 .}
40./* end of module definition */
41./* static module data */
42. # ifdef PAM_STATIC
43. struct pam_module _ pam_deny_modstruct = {
44. "pam_deny ",
45. pam_sm_authenticate,
46. pam_sm_setcred,
47. pam_sm_acct_mgmt,
48. pam_sm_open_session,
49. pam_sm_close_session,
50. pam_sm_chauthtok
51 .};
52. # endif
　　
It is easy to see that the pam_deny module supports four types of modules. The first four lines contain some prototype declarations of static modules. line 37-39 implements four types of functions, because this is just a simple denial-of-service module, therefore, these functions simply return PAM errors such as authentication errors or system errors. The last few lines define a module data structure required for the program to be compiled into a static module.
　　
Therefore, pam spi makes the development of the service module quite simple and specific, because the service module no longer needs to consider the interaction with the application, as long as it implements its own algorithm.
　　
The flags parameter values and return values available for The Module source program are not fully described here. For more information, see The Linux-PAM Module Writers Guide.
　　
　　 3. PAM interface library source code analysis
The above describes how to use PAM and how to develop the PAM Service Module. to have a thorough understanding of the internal mechanism of PAM, we need to further analyze the code of the PAM interface library. The following is the source of the Linux-based pam-0.75-40.src.rpm package.