Drew Leske | 14 May 2009 21:11

Differentiating between login and logout under pam_exec and session

Hi all,

I would like to have some machines page me on logins.  It seems to me (with limited PAM understanding and
experience) that the most appropriate place for this is using the following line in system-auth:

session required pam_exec.so (script-name)

The script sends an e-mail using environment variables set by pam_exec to let me know that a given user has
logged in to which box from where, for what service.  The only problem is it sends this on both logins and
logouts and I can't see how to differentiate.  I would like it to either not let me know about logouts, or
preferably, for the script to simply tell me "Bob logged in to service sshd from wherever.example.com" or
"Bob logged out from ..."  I have had my script log all environment variables passed to it and they seem to be
identical in both login/logout scenarios.

Any ideas?  Is this an appropriate use of session, pam, ...?  I know I could add stuff to login scripts or make a
monitor for syslog, but this seems to me to be the best place to put this sort of thing.

Thanks everybody
Drew.

Drew Leske, Unix Services Team, CASS, University of Victoria.
   mel: dleske <at> uvic.ca
   tel: 250-472-5055
   cel: 250-588-4311
Colin van Niekerk | 14 May 2009 23:49

RE: Differentiating between login and logout under pam_exec and session

Hi there Drew,

Not sure about pam_exec but...

I have just written a PAM module that does exactly this... well, all but the source of the connection, I'll
figure that out soon enough I'm sure.

I have called it pam_alert. - PLEASE COULD ANYONE LET ME KNOW IF THERE IS ALREADY A MODULE WITH THIS NAME.

Line in /etc/pam.d/sshd -> session  optional  pam_alert.so <I/O/B> address <at> domain.com address2 <at> other.com
I - Logins
O - Logouts
B - Both

Can be upper or lowercase.

Prerequisite: You must have /bin/mail from mailx, pam_alert uses it to send the email

Let me know if you are interested in running it. I have not tested on very many systems so it's without ANY
warranty etc... etc... but you'll have the code so you can see what it's doing. Would be good to get it onto
different systems.

It'll be on sourceforge.net under the SimPL2 license as soon as the project is approved.

Regards,
Colin

-----Original Message-----
From: pam-list-bounces <at> redhat.com [mailto:pam-list-bounces <at> redhat.com] On Behalf Of Drew Leske
Sent: 14 May 2009 09:12 PM

Drew Leske | 15 May 2009 01:04

RE: Differentiating between login and logout under pam_exec and session

Hi, sorry about the unthreaded post, I shouldn't have subscribed to the list with the digest option on, and I
can't figure out a way to reply to the threads from the mailman list archives.  (sigh)

----------------
    * From: Colin van Niekerk <Colin vanNiekerk mimecast co za>
    * To: Pluggable Authentication Modules <pam-list redhat com>
    * Subject: RE: Differentiating between login and logout under pam_exec and session
    * Date: Thu, 14 May 2009 23:49:01 +0200

Hi there Drew,

Not sure about pam_exec but...

I have just written a PAM module that does exactly this... well, all but the source of the connection, I'll
figure that out soon enough I'm sure.

I have called it pam_alert. - PLEASE COULD ANYONE LET ME KNOW IF THERE IS ALREADY A MODULE WITH THIS NAME.
[...]
----------------

Thanks for your response, Colin, hate to say this but I think you can achieve what you want to do using
pam_exec.  Just set up a script like I have that mails to whichever users you configure (or you could make
your script take the addresses on the command line, even better!).  Looking at the CVS on sourceforge for
pam_exec, it looks like newer versions provide a PAM_TYPE environment variable that will be set to
account, auth, password, open_session or close_session.  So that will work for me.  I just need to grab the
latest, update my script and I'm good to go.

Not to slag your module, man--if you continue with it I believe the source of the connection is just a PAM
environment variable you pass on in your module.  Have a look at the pam_exec source to see how it's done.

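The approach described in the message above, as an added example that is not code from the thread or from pam_exec itself: a script for pam_exec that branches on PAM_TYPE and builds the login/logout line from PAM_USER, PAM_SERVICE, PAM_RHOST and PAM_TTY, the other variables pam_exec exports. The script path, the `ALERT_TO` recipient and the `sanitize` and `build_alert` helper names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed example for a line such as:
#   session optional pam_exec.so /usr/local/sbin/pam-session-alert
# (script path and ALERT_TO are assumptions, not from the thread).
ALERT_TO="${ALERT_TO:-root}"

# PAM_USER and PAM_RHOST are influenced by the connecting client, so keep only
# a conservative character set before they reach a mail header or a log line.
sanitize() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9._:@/-' | cut -c1-128
}

# Print a one-line alert for session open/close; return 1 for any other
# PAM_TYPE (auth, account, password) or when PAM_TYPE is unset (older pam_exec).
build_alert() {
    case "${PAM_TYPE:-}" in
        open_session)  action="logged in to" ;;
        close_session) action="logged out of" ;;
        *) return 1 ;;
    esac
    user=$(sanitize "${PAM_USER:-unknown}")
    service=$(sanitize "${PAM_SERVICE:-unknown}")
    # PAM_RHOST is empty for local logins; fall back to the tty.
    origin=$(sanitize "${PAM_RHOST:-${PAM_TTY:-local}}")
    printf '%s %s service %s from %s on %s\n' \
        "$user" "$action" "$service" "$origin" "$(uname -n)"
}

# Only act when invoked by pam_exec (PAM_TYPE set). Always exit 0 from the
# PAM path so a mail failure can never block a login.
if [ -n "${PAM_TYPE:-}" ]; then
    if msg=$(build_alert); then
        printf '%s\n' "$msg" | mail -s "$msg" "$ALERT_TO" || true
    fi
    exit 0
fi
```

With a pam_exec build that predates PAM_TYPE the script stays silent rather than mailing on every call. Using `optional` instead of `required` on the session line keeps a failing alert script from affecting the session stack result.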

Kain, Becki (B. | 22 May 2009 17:52

Pam_pwcheck.so on redhat?

I'm trying to port some configurations from suse to redhat.  I can't seem to find the rpm of pam_pwcheck.so or pam_unix2.so for redhat anywhere.  Does it exist?  Thanks

Becki Kain

_______________________________________________
Pam-list mailing list
Pam-list <at> redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
scv | 22 May 2009 19:02

Re: Pam_pwcheck.so on redhat?

Both the modules are not provided by Red Hat. You can find the source of both the modules here, http://www.suse.de/~kukuk/pam/ if you need to include them in Red Hat Enterprise Linux.

~scv



On Fri, May 22, 2009 at 9:22 PM, Kain, Becki (B.) <bkain1 <at> ford.com> wrote:

I'm trying to port some configurations from suse to redhat.  I can't seem to find the rpm of pam_pwcheck.so or pam_unix2.so for redhat anywhere.  Does it exist?  Thanks

Becki Kain


