How to create a pam module?

Posted 2024-10-15 04:45:23

Comments (3)

凉城凉梦凉人心 2024-10-22 04:45:23

If you are looking for pam based face authentication during login, you need to write a module which does that for you and plug it into the login configuration file at /etc/pam.d/login.

Before getting directly into this, I would suggest you write some simple module to understand the flow and working of PAM and its configuration files, e.g. start playing with the sshd pam configuration file and try to plug in some of the sample pam modules available. I found these articles quite helpful:

http://aplawrence.com/Basics/understandingpam.html

https://www.packtpub.com/article/development-with-pluggable-authentication-modules-pam

FYI: Rohan Anil developed pam-face-authentication during GSOC08 under opensuse, which is hosted at code.google.com/p/pam-face-authentication/

童话里做英雄 2024-10-22 04:45:23

Since the answer is really too long to be written here, I can link you my PAM tutorials:
Write a Linux PAM module and
Linux PAM Configuration tutorial

Before starting to write the module I advise you to read the configuration tutorial first, in which you can learn what the module does.

To sum up, a module is a shared object loaded by PAM when the application wants to authenticate. Every time the application triggers a "stage" (auth, account, session, password) the corresponding function is called in the module. Therefore, your module should provide the following functions:

#include <security/pam_modules.h>
#include <security/pam_ext.h>   /* pam_get_authtok() on Linux-PAM */

PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    /* In this function we will ask the username and the password with pam_get_user()
     * and pam_get_authtok(). We will then decide if the user is authenticated */
    return PAM_AUTH_ERR; /* placeholder: deny until the check above is implemented */
}

PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    /* In this function we check that the user is allowed in the system. We already know
     * that he's authenticated, but we could apply restrictions based on time of the day,
     * resources in the system etc. */
    return PAM_SUCCESS; /* placeholder result */
}

PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    /* We could have much more information about the user other than password and username.
     * These are the credentials. For example, a kerberos ticket. Here we establish those
     * and make them visible to the application */
    return PAM_SUCCESS; /* placeholder result */
}

PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    /* When the application wants to open a session, this function is called. Here we should
     * build the user environment (setting environment variables, mounting directories etc) */
    return PAM_SUCCESS; /* placeholder result */
}

PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    /* Here we destroy the environment we have created above */
    return PAM_SUCCESS; /* placeholder result */
}

PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    /* This function is called to change the authentication token. Here we should,
     * for example, change the user password with the new password */
    return PAM_AUTHTOK_ERR; /* placeholder: refuse until the change is implemented */
}

In these functions you will use PAM functions to retrieve the username and the password from the application. This happens through a conversation function that must be defined in the application (see this tutorial). At the end of every function, you must return a PAM return code that determines the result (for PAM error codes see this and the module writer documentation in general).
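How a line in a file such as /etc/pam.d/login decides which of the functions listed above get called, as an added example that is not part of the original answers: a small parser for the `type control module [args]` line format that reports the pam_sm_* entry points the named module has to export. The module name `pam_example.so` and the sample line are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* One rule from a file under /etc/pam.d/ (no service column in that directory). */
struct pam_rule {
    char type[16], control[64], module[128];
    const char *entry_points; /* pam_sm_* functions the module must export */
};

/* Management group (the answer's "stage") -> functions looked up in the .so. */
static const char *entry_points_for(const char *type) {
    if (strcmp(type, "auth") == 0)     return "pam_sm_authenticate pam_sm_setcred";
    if (strcmp(type, "account") == 0)  return "pam_sm_acct_mgmt";
    if (strcmp(type, "session") == 0)  return "pam_sm_open_session pam_sm_close_session";
    if (strcmp(type, "password") == 0) return "pam_sm_chauthtok";
    return NULL;
}

/* Parse "type control module [args...]". Returns 0 for a module rule, 1 for
 * include/substack (third field is another config file, not a module), and
 * -1 for blank lines, comments, unknown types or lines missing a field. */
int parse_pam_rule(const char *line, struct pam_rule *out) {
    int used = 0;
    line += strspn(line, " \t");
    if (*line == '\0' || *line == '\n' || *line == '#') return -1;
    if (*line == '-') line++;            /* "-auth": a missing module is not logged */
    if (sscanf(line, "%15s%n", out->type, &used) != 1) return -1;
    line += used + strspn(line + used, " \t");
    if (*line == '[') {                  /* [value=action ...] control syntax */
        const char *end = strchr(line, ']');
        size_t len = end ? (size_t)(end - line) + 1 : 0;
        if (len == 0 || len >= sizeof out->control) return -1;
        memcpy(out->control, line, len);
        out->control[len] = '\0';
        line = end + 1;
    } else {
        if (sscanf(line, "%63s%n", out->control, &used) != 1) return -1;
        line += used;
    }
    if (sscanf(line, "%127s", out->module) != 1) return -1;
    if (!(out->entry_points = entry_points_for(out->type))) return -1;
    return (!strcmp(out->control, "include") || !strcmp(out->control, "substack")) ? 1 : 0;
}

int main(void) {
    struct pam_rule r; /* constructed sample line */
    if (parse_pam_rule("auth required pam_example.so debug", &r) == 0)
        printf("%s -> %s\n", r.module, r.entry_points);
    return 0;
}
```

A module listed under a type whose functions it does not export fails at that stage, so checking each rule against the module's exported symbols before editing the login configuration avoids locking yourself out.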

血之狂魔 2024-10-22 04:45:23

One of the best resources for authoring pam modules is the documentation itself:

The Linux-PAM Module Writers' Guide

However I agree with @GG in making sure you understand how PAM works first.
