dirk-olmes/jaas-pam

JAAS LoginModule using PAM

This is a JAAS LoginModule that uses PAM (via libpam4j).

Usage

Create a login.conf containing:

pam-login {
    de.codedo.jaas.PamLoginModule required
    service = sshd;
};

and then activate the config by passing

-Djava.security.auth.login.config=login.conf

on the command line.

Implementation Notes

After a successful login, the module puts a PamPrincipal instance into the Subject that's used for authentication. This principal contains all the info that the PAM login returned.
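A minimal client for the "pam-login" entry above, added here as an example and not part of this project's code. The class name PamLoginExample is hypothetical, and it assumes the module requests credentials through the standard NameCallback and PasswordCallback and that the module and libpam4j are on the classpath.

```java
import java.io.Console;
import java.security.Principal;
import java.util.Arrays;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical client; start the JVM with -Djava.security.auth.login.config=<config file>.
public class PamLoginExample {
    public static void main(String[] args) {
        Console console = System.console();
        if (console == null) {
            System.err.println("No interactive console; not reading a password from a pipe.");
            System.exit(2);
        }
        String user = console.readLine("user: ");
        char[] password = console.readPassword("password: "); // not echoed
        if (user == null || password == null) System.exit(2);
        // Assumption: the module asks for credentials with the standard JAAS
        // callbacks. Any other callback type is rejected instead of ignored.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // stores a copy
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        int rc = 0;
        try {
            // "pam-login" is the entry name used in the login configuration.
            LoginContext ctx = new LoginContext("pam-login", handler);
            ctx.login(); // throws LoginException when authentication fails
            for (Principal p : ctx.getSubject().getPrincipals()) {
                System.out.println(p.getClass().getName() + ": " + p.getName());
            }
            ctx.logout(); // drop the principals once they are no longer needed
        } catch (LoginException e) {
            System.err.println("Login failed: " + e.getMessage());
            rc = 1;
        } finally {
            Arrays.fill(password, '\0'); // wipe our copy of the password
        }
        System.exit(rc);
    }
}
```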

Caveats with pam_unix Authentication

When a process running as a non-root user tries to authenticate via pam_unix.so, it invokes the unix_chkpwd helper binary. This helper program changes its effective uid to the user that's running the binary. Since this user typically does not have access to the /etc/shadow file, only the currently logged-in user can be authenticated. The /etc/shadow file is typically owned by root. Some Linux distributions (e.g. Debian) use a special group to govern access to this file. In that case, you'd have to add the user that runs the process to the respective group to make authentication work for other users.
