Yesterday I mentioned that we have a locally written PAM module that runs a shell script to do various post-password-change things. If you're reasonably familiar with PAM modules, you may be reminded of the pam_exec module, and you might even be wondering why we don't just use it instead of having our own module. That's actually a good question, and when I was working on this recently I wondered it myself and went as far as setting it up and testing it to see if we could use it.

Sadly, it turns out that the answer fits in a Tweet:

pam_exec(passwd:chauthtok): expose_authtok not supported for type password

That's the sound of my clever PAM idea going down in flames.

Pam_exec has an expose_authtok option that sends the user's password to your script on standard input, which is exactly what we need in order to do things like propagate the new password into our Samba servers. Except it unfortunately isn't supported when you're changing passwords. I don't know why. If it's that expose_authtok is not really right for the password change case, I don't know why there isn't a similar option specifically to expose the new password.

(No doubt the PAM people have their reasons, and this is arguably sort of documented because the option is described with the phrase 'during authentication'.)

This may be the first time I've looked at pam_exec, but if so it probably shouldn't have been. Pam_exec dates back to 2006 (according to the git history of the current linux-pam repo), while our PAM module only dates to 2010, so pam_exec was available at the time (even on the Ubuntu LTS version we would have been using). It's possible that the version of pam_exec that we had available at the time lacked the expose_authtok option, which would have made it obviously unsuitable.

(The option was added in 2009, but in early 2010 when we set up our PAM module we were using Ubuntu 8.04, which almost certainly would not have backported that into the 8.04 version.)

We next came near our PAM module at the end of 2012, when we upgraded our password master machine to Ubuntu 12.04. 12.04 has a version of pam_exec with the expose_authtok option, so it would have been worth trying if I'd noticed it (and then I'd have found out it didn't work). Instead, I think I didn't bother looking to see if there now was a standard module that would work; I just recompiled and tested our custom module.

Will I look again at pam_exec in the future? Maybe. Writing this entry makes it more likely, but said future is four years away (when Ubuntu 16.04 stops being supported) and my memory is likely to have faded by then. And anyways, I suspect that it still won't have any way of feeding our script the user's new password. If the PAM people haven't done that by now, they probably feel they have a good reason for not having that functionality.

(For all I know, how our module operates is a hack that only works in a subset of PAM environments. My six year old memory is that how you write PAM modules and get at things like the user's new password is somewhat underdocumented, with the inevitable result.)