How to authenticate a user with PAM, that is not the user that started the application

Tags: authentication, pam

I'm currently developing an authentication module for an application. The decision was made to do this by using PAM. I have made this work but it can only authenticate the user that started the application.

This means that if I start the application as the user 'appname', the authentication only tells me it is successful if the user is 'appname' and not 'some_user'.

If I su to that 'some_user' and start the application in that terminal, then I can authenticate 'some_user' but not 'appname'.

I turned on the debug flag for pam_unix in common-auth, resulting in the following output when it rejects:

unix_chkpwd[4107]: check pass; user unknown
unix_chkpwd[4107]: password check failed for user (pamtest)
[app]: pam_unix(other:auth): authentication failure; logname=[appname] uid=1000 euid=1000 tty= ruser=[appname] rhost=  user=pamtest

Best Answer

PAM is not a daemon, but just a library. As a normal user has no access to authentication data (like /etc/shadow), programs running under a normal user cannot authenticate. There is one small exception: the user can authenticate himself, because in this case the SETGID /sbin/unix_chkpwd helper program is automatically called, which has access to authentication data (but does not allow authenticating other users).

So you either need to give the program itself root rights via the SUID flag (I do not recommend this, as it is difficult not to open a backdoor) so that it runs as root, or you need to authenticate via a network service or by running a SUID program like su.

In this question possible solutions are discussed.
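The following is an added example, not code from the question or the answer above. It calls Linux-PAM from Python through ctypes (the same approach as a C program using `pam_start`/`pam_authenticate`) and, before touching PAM, runs a small `privilege_check` helper that encodes the answer's point: root can verify any account, an unprivileged process can only verify its own, and pam_unix will otherwise fail with the "check pass; user unknown" lines shown in the question. Assumptions: Linux-PAM is installed as libpam.so.0, the C library exposes calloc/strdup, and a PAM service file named by the `service` argument exists under /etc/pam.d (the "login" stack is used as a placeholder below; substitute the service your application ships). The helper names `privilege_check`, `authenticate` and `_password_conv` are this example's own.

```python
"""Authenticate a named user via Linux-PAM from Python using ctypes.

Added example, not code from the original post. Assumes libpam.so.0, a C
library with calloc/strdup, and a PAM service file for `service`.
"""
import ctypes
import ctypes.util
import os
import pwd
import sys
from typing import Optional, Tuple

PAM_SUCCESS = 0
PAM_PROMPT_ECHO_OFF = 1   # e.g. "Password: "
PAM_PROMPT_ECHO_ON = 2    # e.g. "login: "
PAM_CONV_ERR = 19         # Linux-PAM value for a failed conversation


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    # resp is a void* because PAM free(3)s it: it must come from the C heap.
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


CONV_FUNC = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int,
                             ctypes.POINTER(ctypes.POINTER(PamMessage)),
                             ctypes.POINTER(ctypes.POINTER(PamResponse)),
                             ctypes.c_void_p)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


def privilege_check(target_user: str, euid: Optional[int] = None,
                    caller: Optional[str] = None) -> Optional[str]:
    """Return None if pam_unix can be expected to verify target_user from
    this process, otherwise a one-line reason. Root reads /etc/shadow
    itself; an unprivileged process can only verify its own password,
    because pam_unix defers to the unix_chkpwd helper, which refuses any
    other user ("check pass; user unknown" in the question's log)."""
    if euid is None:
        euid = os.geteuid()
    if caller is None:
        caller = pwd.getpwuid(euid).pw_name
    if euid == 0 or target_user == caller:
        return None
    return ("euid %d (%s) cannot read shadow data; pam_unix can only verify "
            "%r itself. Run as root or via a SUID helper to check %r."
            % (euid, caller, caller, target_user))


def _password_conv(user: bytes, password: bytes, libc: ctypes.CDLL):
    """Conversation callback: answer password prompts with `password`,
    username prompts with `user`, and leave info/error messages unanswered."""
    def conv(n_msgs, msgs, p_resp, _appdata):
        resp = ctypes.cast(libc.calloc(n_msgs, ctypes.sizeof(PamResponse)),
                           ctypes.POINTER(PamResponse))
        if not resp:
            return PAM_CONV_ERR
        for i in range(n_msgs):
            style = msgs[i].contents.msg_style
            if style == PAM_PROMPT_ECHO_OFF:
                resp[i].resp = libc.strdup(password)
            elif style == PAM_PROMPT_ECHO_ON:
                resp[i].resp = libc.strdup(user)
            # PAM_ERROR_MSG / PAM_TEXT_INFO: resp stays NULL, retcode 0
        p_resp[0] = resp
        return PAM_SUCCESS
    return CONV_FUNC(conv)


def authenticate(service: str, user: str, password: str) -> Tuple[bool, str]:
    """Run pam_authenticate and pam_acct_mgmt for `user` under `service`."""
    reason = privilege_check(user)
    if reason:
        return False, reason
    try:
        libpam = ctypes.CDLL(ctypes.util.find_library("pam") or "libpam.so.0")
        libc = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6")
    except OSError as exc:
        return False, "libpam/libc not loadable: %s" % exc
    libc.calloc.restype, libc.calloc.argtypes = ctypes.c_void_p, [ctypes.c_size_t, ctypes.c_size_t]
    libc.strdup.restype, libc.strdup.argtypes = ctypes.c_void_p, [ctypes.c_char_p]
    libpam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                                 ctypes.POINTER(PamConv), ctypes.POINTER(ctypes.c_void_p)]
    libpam.pam_strerror.restype = ctypes.c_char_p
    libpam.pam_strerror.argtypes = [ctypes.c_void_p, ctypes.c_int]
    for fn in (libpam.pam_authenticate, libpam.pam_acct_mgmt, libpam.pam_end):
        fn.argtypes = [ctypes.c_void_p, ctypes.c_int]

    callback = _password_conv(user.encode(), password.encode(), libc)  # keep alive
    conv = PamConv(callback, None)
    handle = ctypes.c_void_p()
    rc = libpam.pam_start(service.encode(), user.encode(),
                          ctypes.byref(conv), ctypes.byref(handle))
    if rc != PAM_SUCCESS:
        return False, "pam_start: %s" % libpam.pam_strerror(handle, rc).decode()
    rc = libpam.pam_authenticate(handle, 0)
    if rc == PAM_SUCCESS:
        rc = libpam.pam_acct_mgmt(handle, 0)   # also reject expired/locked accounts
    msg = libpam.pam_strerror(handle, rc).decode()
    libpam.pam_end(handle, rc)
    return rc == PAM_SUCCESS, msg


if __name__ == "__main__":
    import getpass
    target = sys.argv[1] if len(sys.argv) > 1 else pwd.getpwuid(os.geteuid()).pw_name
    ok, why = authenticate("login", target, getpass.getpass("Password for %s: " % target))
    print("OK" if ok else "FAILED", "-", why)
```

Run as the 'appname' user with `pamtest` as the argument and `privilege_check` refuses before PAM is even consulted, which is the situation in the question; run the same script as root (or from a SUID helper that does only this one job) and the check passes and pam_unix verifies the other user directly. The conversation function allocates responses with the C heap's calloc/strdup rather than Python objects because PAM frees them with free(3).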
