Hi,

Just found the root problem… it is because of the PAM pluto configuration:

auth required pam_exec.so debug expose_authtok /scripts/ipsec_xauth.php
account required pam_exec.so debug /scripts/ipsec_xauth.php
session required pam_exec.so debug /scripts/ipsec_xauth.php

The script is actually called twice… once for auth (and that is OK, I get the password) and once for account (that is where I don’t see the password), and if I exit 1 it prevents libreswan from authenticating the user. I corrected it in my script by adjusting the “account” request.

Sorry.

—
António Silva
Tel: +34 918 039 251

> On 19 Mar 2025, at 09:14, antonio <[email protected]> wrote:
>
> Hi,
>
> I’m trying to implement PAM authentication with pam_exec, running a PHP script to implement double authentication validation (I could use pam_google but in my case I want to have some users without double auth - probably there is another method….) using pam_exec, but sometimes I don’t see the password. I’m not sure if the problem is in libreswan or on the PAM side.
>
> Can you help me?
> Appreciate any tip to figure out the problem…
>
> The pluto configuration is:
>
> auth required pam_exec.so debug expose_authtok /scripts/ipsec_xauth.php
> account required pam_exec.so debug /scripts/ipsec_xauth.php
> session required pam_exec.so debug /scripts/ipsec_xauth.php
>
> And the connection I’ve got "xauthby=pam".
>
> I’ve modified the source code files programs/pluto/pam_auth.c and programs/pluto/pam_conv.c to print the password in the debug:
>
> diff --git a/programs/pluto/pam_auth.c b/programs/pluto/pam_auth.c
> index b6b12031ae..7d5f78318e 100644
> --- a/programs/pluto/pam_auth.c
> +++ b/programs/pluto/pam_auth.c
> @@ -160,9 +160,10 @@ static int pam_child(void *arg, struct logger *logger)
> {
> struct pam_auth *pamauth = arg;
>
> - dbg("PAM: #%lu: PAM-process authenticating user '%s'",
> + dbg("PAM: #%lu: PAM-process authenticating user '%s' with password
> '%s'",
> pamauth->serialno,
> - pamauth->ptarg.name);
> + pamauth->ptarg.name,
> + pamauth->ptarg.password);
> bool success = do_pam_authentication(&pamauth->ptarg, logger);
> dbg("PAM: #%lu: PAM-process completed for user '%s' with result %s",
> pamauth->serialno, pamauth->ptarg.name,
> @@ -198,8 +199,8 @@ bool pam_auth_fork_request(struct ike_sa *ike,
> pamauth->ptarg.c_instance_serial =
> ike->sa.st_connection->instance_serial;
> pamauth->ptarg.atype = atype;
>
> - dbg("PAM: #%lu: main-process starting PAM-process for authenticating
> user '%s'",
> - pamauth->serialno, pamauth->ptarg.name);
> + dbg("PAM: #%lu: main-process starting PAM-process for authenticating
> user '%s' password: '%s'",
> + pamauth->serialno, pamauth->ptarg.name, pamauth->ptarg.password);
> pamauth->child = server_fork("pamauth", pamauth->serialno, md,
> pam_child,
> pam_callback, pamauth,
> diff --git a/programs/pluto/pam_conv.c b/programs/pluto/pam_conv.c
> index 6546055e03..f49688830f 100644
> --- a/programs/pluto/pam_conv.c
> +++ b/programs/pluto/pam_conv.c
> @@ -110,10 +110,10 @@ static int pam_conv(int num_msg,
>
> static void dbg_pam_step(const struct pam_thread_arg *arg, const char *what)
> {
> - dbg("%s helper thread %s for state #%lu, %s[%lu] user=%s.",
> + dbg("%s helper thread %s for state #%lu, %s[%lu] user=%s
> password=%s.",
> arg->atype, what,
> arg->st_serialno, arg->c_name,
> - arg->c_instance_serial, arg->name);
> + arg->c_instance_serial, arg->name, arg->password);
> }
>
>
> From the logs it looks ok, the password is not empty:
>
> Mar 19 10:06:41 marces pluto[512823]: "tunnel5"[14] 192.168.10.169 #14: XAUTH: PAM authentication method requested to authenticate user '[email protected]'
> Mar 19 10:06:41 marces pluto[512823]: | PAM: #14: main-process starting PAM-process for authenticating user '[email protected]' password: 'pwd247956'
> Mar 19 10:06:41 marces pluto[512823]: | forked child pamauth 3129126
> Mar 19 10:06:41 marces pluto[512823]: | pid: newref @0x55aaaf79f878(0->1) (add_pid() +139 programs/pluto/server_fork.c)
> Mar 19 10:06:41 marces pluto[512823]: | clone logger: newref @0x55aaaf7a45b8(0->1) (add_pid() +147 programs/pluto/server_fork.c)
> Mar 19 10:06:41 marces pluto[512823]: | struct msg_digest: addref @0x55aaaf794a48(1->2) (add_pid() +148 programs/pluto/server_fork.c)
> Mar 19 10:06:41 marces pluto[512823]: | complete v1 state transition with STF_SUSPEND
> Mar 19 10:06:41 marces pluto[512823]: | #14 STATE_XAUTH_R0: retransmits: cleared
> Mar 19 10:06:41 marces pluto[512823]: | #14 spent 0.75 (0.75) milliseconds in process_v1_packet_tail()
> Mar 19 10:06:41 marces pluto[512823]: | packet from 192.168.10.169:500: delref @0x55aaaf794a48(2->1) (process_iface_packet() +320 programs/pluto/demux.c)
> Mar 19 10:06:41 marces pluto[512823]: | spent 1.66 (1.66) milliseconds in process_iface_packet() reading and processing packet
> Mar 19 10:06:41 marces pluto[3129126]: | PAM: #14: PAM-process authenticating user '[email protected]' with password 'pwd247956'
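Review bot: the `+ dbg("PAM: #%lu: PAM-process authenticating user '%s' with password` line in the pam_child() hunk writes the user's cleartext XAUTH password into the pluto debug log, and debug output goes to syslog, where it is retained, often readable by more than root, and frequently forwarded; keep this as throw-away local instrumentation only, and if something has to stay, log presence rather than value, e.g. a `%s` fed with `pamauth->ptarg.password[0] == '\0' ? "empty" : "set"` (assuming the field is a valid string, as the existing `%s` use already does), which still answers the question this thread is asking. Separately, the literal is split across `with password` and `'%s'",` on the next line; if that is not just mail wrapping, the two pieces must be joined into one literal (or written as adjacent literals) or the file will not compile.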
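Review bot: the pam_auth_fork_request() hunk logs the same password a second time, from the main pluto process before server_fork(), so the secret is written by the long-lived daemon even when the PAM child never starts; the main-process line should keep logging only the serial number and user name, as the removed `- dbg("PAM: #%lu: main-process starting PAM-process for authenticating` / `user '%s'",` pair did, and any presence check belongs in one place, in the child.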
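Review bot: dbg_pam_step() in the pam_conv.c hunk is the per-step helper called for pam_start, pam_set_item and pam_authenticate (the quoted log shows three `password=pwd...` lines for one attempt), so adding `user=%s password=%s.` multiplies the exposure; if a marker is wanted here at all, emit a constant such as `password=<set>` or `password=<empty>` chosen from arg->password, never the value itself, and revert the change once the pam_exec question is settled.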
> Mar 19 10:06:41 marces pluto[3129126]: | XAUTH helper thread pam_start for state #14, tunnel5[14] [email protected] password=pwd247956.
> Mar 19 10:06:41 marces pluto[3129126]: | XAUTH helper thread pam_set_item for state #14, tunnel5[14] [email protected] password=pwd247956.
> Mar 19 10:06:41 marces pluto[3129126]: pam_exec(pluto:auth): send password to child
> Mar 19 10:06:41 marces pluto[3129127]: pam_exec(pluto:auth): Calling /scripts/ipsec_xauth.php ...
> Mar 19 10:06:42 marces pluto[512823]: | processing signal PLUTO_SIGCHLD
> Mar 19 10:06:42 marces pluto[512823]: | waitpid returned nothing left to do (all child processes are busy)
> Mar 19 10:06:42 marces pluto[512823]: | spent 0.00694 (0.00686) milliseconds in signal handler PLUTO_SIGCHLD
> Mar 19 10:06:42 marces pluto[3129126]: | XAUTH helper thread pam_authenticate for state #14, tunnel5[14] [email protected] password=pwd247956.
> Mar 19 10:06:42 marces pluto[3129128]: pam_exec(pluto:account): Calling /scripts/ipsec_xauth.php ...
> Mar 19 10:06:42 marces pluto[512823]: | processing signal PLUTO_SIGCHLD
> Mar 19 10:06:42 marces pluto[512823]: | waitpid returned nothing left to do (all child processes are busy)
> Mar 19 10:06:42 marces pluto[512823]: | spent 0.0126 (0.0699) milliseconds in signal handler PLUTO_SIGCHLD
> Mar 19 10:06:42 marces pluto[3129126]: pam_exec(pluto:account): /scripts/ipsec_xauth.php failed: exit code 1
> Mar 19 10:06:42 marces pluto[3129126]: "tunnel5"[14] 192.168.10.169 #14: XAUTH FAILED during pam_acct_mgmt with 'System error' for state #14, tunnel5[14] [email protected].
>
> But in my PHP script the password read from STDIN is sometimes empty.
>
> The script:
>
> <?php
> $password = trim(fgets(STDIN));
> $logFile = "/var/log/pam_exec.log";
> file_put_contents($logFile, "Script executed at " . date("Y-m-d H:i:s") . " _ENV: ".json_encode($_ENV)." argv: ".json_encode($argv)." _SERVER: ".json_encode($_SERVER)." password:'".$password."'\n", FILE_APPEND);
>
> ?>
>
> The log:
>
> Script executed at 2025-03-19 10:06:42 _ENV: {"PAM_SERVICE":"pluto","PAM_USER":"[email protected]","PAM_RHOST":"192.168.10.169","PAM_TYPE":"account"} argv: ["\/scripts\/ipsec_xauth.php"] _SERVER: {"PAM_SERVICE":"pluto","PAM_USER":"[email protected]","PAM_RHOST":"192.168.10.169","PAM_TYPE":"account","PHP_SELF":"\/scripts\/ipsec_xauth.php","SCRIPT_NAME":"\/scripts\/ipsec_xauth.php","SCRIPT_FILENAME":"\/scripts\/ipsec_xauth.php","PATH_TRANSLATED":"\/scripts\/ipsec_xauth.php","DOCUMENT_ROOT":"","REQUEST_TIME_FLOAT":1742375202.0661640167236328125,"REQUEST_TIME":1742375202,"argv":["\/scripts\/ipsec_xauth.php"],"argc":1} password:''
>
> If I manually run pamtester it is ok:
>
> [10:11:53][marces][~]# pamtester pluto [email protected] authenticate
> Password:
> pamtester: successfully authenticated
>
> The log:
>
> Script executed at 2025-03-19 10:12:13 _ENV: {"PAM_SERVICE":"pluto","PAM_USER":"[email protected]","PAM_TYPE":"auth"} argv: ["\/scripts\/ipsec_xauth.php"] _SERVER: {"PAM_SERVICE":"pluto","PAM_USER":"[email protected]","PAM_TYPE":"auth","PHP_SELF":"\/scripts\/ipsec_xauth.php","SCRIPT_NAME":"\/scripts\/ipsec_xauth.php","SCRIPT_FILENAME":"\/scripts\/ipsec_xauth.php","PATH_TRANSLATED":"\/scripts\/ipsec_xauth.php","DOCUMENT_ROOT":"","REQUEST_TIME_FLOAT":1742375533.4040420055389404296875,"REQUEST_TIME":1742375533,"argv":["\/scripts\/ipsec_xauth.php"],"argc":1} password:'pwd381568'
>
> —
> António Silva
> Tel: +34 918 039 251
_______________________________________________
Swan-dev mailing list -- [email protected]
To unsubscribe send an email to [email protected]
