Select (or create) a PAM configuration in
/etc/pam.d. Then use the PAM API to perform
authentication with respect to that configuration. For example, the
following application uses the
su
configuration, which means every user but
root must supply his login password:
#include <security/pam_appl.h> #include <security/pam_misc.h> #include <pwd.h> #include <sys/types.h> #include <stdio.h> #define MY_CONFIG "su" static struct pam_conv conv = { misc_conv, NULL }; main( ) { pam_handle_t *pamh; int result; struct passwd *pw; if ((pw = getpwuid(getuid( ))) == NULL) perror("getpwuid"); else if ((result = pam_start(MY_CONFIG, pw->pw_name, &conv, &pamh)) != PAM_SUCCESS) fprintf(stderr, "start failed: %d\n", result); else if ((result = pam_authenticate(pamh, 0)) != PAM_SUCCESS) fprintf(stderr, "authenticate failed: %d\n", result); else if ((result = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) fprintf(stderr, "acct_mgmt failed: %d\n", result); else if ((result = pam_end(pamh, result)) != PAM_SUCCESS) fprintf(stderr, "end failed: %d\n", result); else Run_My_Big_Application( ); /* Run your application code */ }
Compile the program, linking with libraries libpam and libpam_misc:
$ gcc myprogram.c -lpam -lpam_misc
The PAM libraries include functions to start PAM and check
authentication credentials. Notice how the details of authentication
are completely hidden from the application: simply reference your
desired PAM module (in this case, su
) and
examine the function return values. Even after your application is
compiled, you can change the authentication behavior by editing
configurations in /etc/pam.d. Such is the beauty
of PAM.
pam_start(3), pam_end(3), pam_authenticate(3), pam_acct_mgmt(3). The Linux PAM Developer’s Guide is at http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl.html.
Get Linux Security Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.