Why we don't and can't use the pam_exec PAM module
Yesterday I mentioned that we have a locally written PAM module that runs a shell script to do various post-password-change things. If you're reasonably familiar with PAM modules, you may be reminded of the pam_exec module, and you might even be wondering why we don't just use it instead of having our own module. That's actually a good question, and when I was working on this recently I wondered it myself and went as far as setting it up and testing it to see if we could use it.
Sadly, it turns out that the answer fits in a Tweet:
pam_exec(passwd:chauthtok): expose_authtok not supported for type password
That's the sound of my clever PAM idea going down in flames.
Pam_exec has an expose_authtok option that sends the user's password to your script on standard input, which is exactly what we need in order to do things like propagate the new password into our Samba servers. Except it unfortunately isn't supported when you're changing passwords. I don't know why. If it's that expose_authtok is not really right for the password change case, I don't know why there isn't a similar option specifically to expose the new password.
(No doubt the PAM people have their reasons, and this is arguably sort of documented because the option is described with the phrase 'during authentication'.)
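As an added example (not code from the original post, and not Linux-PAM's own code), here is the shape of a helper that pam_exec runs with expose_authtok in the auth stack, which is the case that does work: pam_exec exports PAM_USER, PAM_TYPE, PAM_SERVICE, PAM_TTY, PAM_RHOST and PAM_RUSER into the helper's environment and writes the authtok to its standard input, and the helper's exit status becomes the module result. The installed path, the HOOK_LOG variable and the consume_authtok stand-in are assumptions for illustration; moving the same stanza into the password stack is what produces the log line quoted above.

```shell
#!/bin/sh
# Added example, not from the original post or from Linux-PAM: a helper for
#   auth  optional  pam_exec.so  expose_authtok  /usr/local/sbin/authtok-hook
# pam_exec exports PAM_USER, PAM_TYPE, PAM_SERVICE, PAM_TTY, PAM_RHOST and
# PAM_RUSER and writes the authtok to our stdin; the token never appears on
# argv, where any local user could read it via /proc/PID/cmdline. Our exit
# status is the module result (non-zero fails). The same line in the
# 'password' stack is what the pam_exec in the post rejects with:
#   pam_exec(passwd:chauthtok): expose_authtok not supported for type password

# Read one token from stdin, whether or not the writer appended a newline.
read_authtok() {
    IFS= read -r _tok || [ -n "$_tok" ] || return 1
    printf '%s' "$_tok"
}

# Where the real work would go (for example piping the token twice into
# 'smbpasswd -s "$user"'). Constructed stand-in: appends "user length" to the
# file named by HOOK_LOG (an assumed variable) so the hook runs offline.
consume_authtok() {
    user=$1
    tok=$2
    printf '%s %d\n' "$user" "${#tok}" >> "${HOOK_LOG:-/dev/null}"
}

# Entry point: check what pam_exec handed us, then hand the pair on.
authtok_hook() {
    case ${PAM_TYPE:-} in
        auth) ;;
        *)  # Not an auth run, so this pam_exec gives us no token: do nothing.
            printf 'authtok-hook: PAM_TYPE=%s, token only exposed for auth\n' \
                "${PAM_TYPE:-unset}" >&2
            return 0 ;;
    esac
    # Refuse usernames that could become paths or shell words downstream.
    case ${PAM_USER:-} in
        ''|*[!A-Za-z0-9._-]*)
            printf 'authtok-hook: refusing PAM_USER=%s\n' "${PAM_USER:-}" >&2
            return 1 ;;
    esac
    tok=$(read_authtok) || {
        printf 'authtok-hook: no token on stdin\n' >&2
        return 1
    }
    consume_authtok "$PAM_USER" "$tok"
}

# Run the hook only when executed under the installed name, so the functions
# can be sourced and exercised without going through PAM.
case $0 in
    */authtok-hook|authtok-hook) authtok_hook; exit $? ;;
esac
```

The token travels through a pipe rather than argv because argv is world-readable on Linux. `read` stops at the first newline, so a password containing one is truncated by this helper; that is a limit of the script, not of pam_exec, and read_authtok deliberately does not assume the writer terminates the token with a newline. Current upstream pam_exec(8) describes expose_authtok as applying during authentication and password change, so check the man page shipped on the target host before ruling the password stack out.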
This may be the first time I've looked at pam_exec, but if so it probably shouldn't have been. Pam_exec dates back to 2006 (according to the git history of the current linux-pam repo), while our PAM module only dates to 2010, so pam_exec was available at the time (even on the Ubuntu LTS version we would have been using). It's possible that the version of pam_exec that we had available at the time lacked the expose_authtok option, which would have made it obviously unsuitable.
(The option was added in 2009, but in early 2010 when we set up our PAM module we were using Ubuntu 8.04, which almost certainly would not have backported that into the 8.04 version.)
We next came near our PAM module at the end of 2012, when we upgraded our password master machine to Ubuntu 12.04. 12.04 has a version of pam_exec with the expose_authtok option, so it would have been worth trying if I'd noticed it (and then I'd have found out it didn't work). Instead, I think I didn't bother looking to see if there now was a standard module that would work; I just recompiled and tested our custom module.
Will I look again at pam_exec in the future? Maybe. Writing this entry makes it more likely, but said future is four years away (when Ubuntu 16.04 stops being supported) and my memory is likely to have faded by then. And anyway, I suspect that it still won't have any way of feeding our script the user's new password. If the PAM people haven't done that by now, they probably feel they have a good reason for not having that functionality.
(For all I know, how our module operates is a hack that only works in a subset of PAM environments. My six-year-old memory is that how you write PAM modules and get at things like the user's new password is somewhat underdocumented, with the inevitable result.)