Steinar Bang sb@dod.no: Professa Dementia professa@dementianati.com:
There are plugins that allow you to call some glue logic (Perl, Python, shell scripts, etc) which enables you to interface to pretty much any method (SQL, LDAP, shadow files, etc) you have chosen to save passwords
- that is, as long as you are capable of writing the glue logic yourself.
Thanks for the tip. That let me narrow down the googling to find this: https://metacpan.org/module/Authen::PAM::Module
There are claims in Authen::PAM that it can be used to write PAM modules in perl, but I have yet to find an example showing how.
It is available as a debian package: http://packages.debian.org/wheezy/libauthen-pam-perl (however, while that package contains an .so, it looks like that .so is meant for inclusion into perl, rather than being an .so meant for inclusion into PAM, that would start a perl interpreter and run a script)
The pam_python module is more obviously what I was looking for (ie. an .so residing in /lib/security that runs a python script) http://packages.debian.org/wheezy/libpam-python
However, I'm not really all that familiar with Python, so it may just be simpler to write a module in C or C++. Here are three articles that look like they might be useful to accomplish this. http://www.linuxdevcenter.com/pub/a/linux/2002/05/02/pam_modules.html http://www.linuxdevcenter.com/pub/a/linux/2002/05/23/pam_modules.html http://www.linuxdevcenter.com/pub/a/linux/2002/05/30/pam_modules.html
(The articles are 11 years old, though, so they may be a bit out of date)