I want to be able to execute a custom script when PAM does the authentication, but I get an error that I can't seem to get past:
Feb 20 17:39:47 DC03R07DS25-08 sockd[2874]: pam_exec(sockd:auth): send password to child
Feb 20 17:39:47 DC03R07DS25-08 sockd[2893]: pam_exec(sockd:auth): Calling /tmp/test.sh ...
Feb 20 17:39:47 DC03R07DS25-08 sockd[2874]: pam_exec(sockd:auth): waitpid returns with -1: No child processes
That's a very basic script that just prints out a 0 to allow everything.
#!/bin/bash
# read the users password from stdin (pam_exec.so gives the provided password
# if invoked with expose_authtok)
read -r password
echo "$password" > /tmp/a.txt
exit 0
And here's my pam.d config:
auth required pam_exec.so debug expose_authtok /tmp/test.sh
account required pam_permit.so
I really need expose_authtok so I can have access to the password in that script.
I am using Ubuntu 14.04.
It seems to be a reaping race. The calling process (sockd?) sets a SIGCHLD handler, which reaps test.sh instead of pam_exec. See https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2009-January/001627.html
Edit: sorry, let me explain what you can find on the link above: when I came across this bug, I had to recompile pam_exec.so with some modification in pam_exec.c. Set SIGCHLD handler to default before fork(), and reset it after waitpid() and after fork failed (pid==-1 branch). Something like:
set:
reset:
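The reaping race and the SIGCHLD set/reset described in this answer, as a stand-alone C demonstration added here (it is not the answerer's patch and not code from pam_exec.c). The names host_reaper, install_host_reaper and run_helper are hypothetical, and the 200 ms delay exists only so the host handler wins the race on every run.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <time.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the host daemon's SIGCHLD handler (assumption): reaps any child. */
static void host_reaper(int sig) {
    int saved = errno;
    (void)sig;
    while (waitpid(-1, NULL, WNOHANG) > 0) { }
    errno = saved;
}

int install_host_reaper(void) {
    struct sigaction sa = {0};
    sa.sa_handler = host_reaper;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(SIGCHLD, &sa, NULL);
}

/* fork() + waitpid() as a module running a helper would. With protect set, SIGCHLD
 * is SIG_DFL from before fork() until after waitpid(). Returns exit code or -errno. */
int run_helper(int code, int protect) {
    struct sigaction dfl = {0}, old;
    struct timespec delay = { 0, 200 * 1000 * 1000 };   /* 200 ms */
    int status = 0, result;

    dfl.sa_handler = SIG_DFL;
    sigemptyset(&dfl.sa_mask);
    if (protect) sigaction(SIGCHLD, &dfl, &old);         /* set */
    pid_t pid = fork();
    if (pid == 0) _exit(code);                           /* child: stands in for the script */
    if (pid > 0) nanosleep(&delay, NULL);   /* child exits first: the handler, if active, reaps it */
    if (pid == -1 || waitpid(pid, &status, 0) != pid) result = -errno;
    else result = WEXITSTATUS(status);
    if (protect) sigaction(SIGCHLD, &old, NULL);         /* reset, also on fork failure */
    return result;
}

int main(void) {
    install_host_reaper();
    printf("handler active:     %d (-ECHILD = %d)\n", run_helper(0, 0), -ECHILD);
    printf("SIG_DFL around it:  %d\n", run_helper(0, 1));
    return 0;
}
```

With the host handler active, waitpid() fails with ECHILD ("No child processes"), the same error as in the pam_exec log lines in the question; with SIGCHLD at its default around fork() and waitpid(), the exit status is collected normally.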