Steinar Bang sb@dod.no: Professa Dementia professa@dementianati.com:
There are plugins that allow you to call some glue logic (Perl, Python, shell scripts, etc) which enables you to interface to pretty much any method (SQL, LDAP, shadow files, etc) you have chosen to save passwords - that is, as long as you are capable of writing the glue logic yourself.
[snip! PAM modules in perl and python]
However, I'm not really all that familiar with Python, so it may just be simpler to write a module in C or C++. Here are three articles that look like they might be useful to accomplish this.
http://www.linuxdevcenter.com/pub/a/linux/2002/05/02/pam_modules.html
http://www.linuxdevcenter.com/pub/a/linux/2002/05/23/pam_modules.html
http://www.linuxdevcenter.com/pub/a/linux/2002/05/30/pam_modules.html
(The articles are 11 years old, though, so they may be a bit out of date)
The articles weren't all that helpful really. They missed the most important part: a simple example showing all of the parts that take place in a module.
But anyway, here is a PAM module, written in ANSI C/POSIX, that will hook into a password change in PAM, and use the password change to update a CRAM-MD5 coded version of the same password, in the file "/etc/dovecot/cram-md5.pwd" (currently hardcoded). https://github.com/steinarb/pam_dovecotmd5pwd
Some PAM module basics:
- #define the roles your module will have. My module only hooked into password changes, so I only have the line: #define PAM_SM_PASSWORD
- Include the pam_modules.h file (Note: this must be _after_ the #defines that define the roles)
- Implement the method(s) for the roles you have #define'd (I have only one)
- Inside "#ifdef PAM_STATIC" define a struct that will hold the name of the module, and function pointers to all the implemented methods. This struct is used if all of the PAM modules are linked statically into a single binary
Hm... here was actually a good example of a module that hooks into all roles and returns "ignore" on all of them: http://www.rkeene.org/projects/info/wiki/222
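
Added example (not part of the original message and not the code of pam_dovecotmd5pwd): a password-role-only skeleton that follows the four steps listed above and handles the two calls PAM makes per password change. The module name pam_skel and the HAVE_LIBPAM switch are assumptions of this example; without HAVE_LIBPAM it compiles against constructed stand-ins instead of libpam.

```c
/* Build as a module: cc -DHAVE_LIBPAM -fPIC -shared -o pam_skel.so pam_skel.c -lpam */
#include <stddef.h>

#define PAM_SM_PASSWORD              /* 1. roles this module implements */

#ifdef HAVE_LIBPAM
#include <security/pam_modules.h>    /* 2. only after the role #defines */
#else
/* Constructed stand-ins so the file compiles and tests without libpam. */
typedef struct pam_handle { const char *authtok; } pam_handle_t;
enum { PAM_SUCCESS = 0, PAM_AUTHTOK_ERR = 20, PAM_IGNORE = 25 };
enum { PAM_AUTHTOK = 6, PAM_UPDATE_AUTHTOK = 0x2000, PAM_PRELIM_CHECK = 0x4000 };
static int pam_get_item(const pam_handle_t *pamh, int type, const void **item)
{
    *item = (type == PAM_AUTHTOK) ? pamh->authtok : NULL;
    return PAM_SUCCESS;
}
#endif

/* 3. The one method for the password role. PAM calls it twice per change. */
int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const void *tok = NULL;
    (void)argc; (void)argv;

    if (flags & PAM_PRELIM_CHECK)        /* first pass: nothing to verify */
        return PAM_SUCCESS;
    if (!(flags & PAM_UPDATE_AUTHTOK))   /* neither phase: stay out of the way */
        return PAM_IGNORE;

    /* Second pass: assumes an earlier module in the password stack
       has already obtained the new token. */
    if (pam_get_item(pamh, PAM_AUTHTOK, &tok) != PAM_SUCCESS || tok == NULL)
        return PAM_AUTHTOK_ERR;

    /* The module's real work (updating its own store) would go here.
       Never log the token or keep extra copies of it. */
    return PAM_SUCCESS;
}

#ifdef PAM_STATIC
/* 4. Static-link table: name, then one slot per method (unused ones NULL). */
struct pam_module _pam_skel_modstruct = {
    "pam_skel", NULL, NULL, NULL, NULL, NULL, pam_sm_chauthtok
};
#endif
```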