I know how to execute an action on login, by adding a line to /etc/profile. But that only gets executed if the login was successful. I would like to have an action executed even when login fails. For example, run a script script.sh.
I suspect this can be set up in pam, but I have no idea where to start.
Best Answer
You can do this with the pam_exec module and some PAM trickery.
PAM configuration is usually very different across distributions, so you will have to understand your configuration and try to tweak it.
For Debian (tested with 7.1) edit /etc/pam.d/common-auth (comments left out for clarity)
before
after
What is actually happening is that in case pam_unix.so succeeds, it will skip the 2 following modules and jump to pam_permit.so, which will always succeed. In case of authentication failure, PAM continues with execution of our script first, followed by pam_deny. That one will always fail, and because it has the requisite control flag set, no other module will be executed.
For completeness, the program spawned by pam_exec runs with the real user ID of the calling process (the setuid option makes it run with the effective user ID) and the process environment looks like this
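
An added example, not part of the original answer and not the environment listing it refers to: a possible script.sh for pam_exec to run on failed authentication. It relies on the PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TTY and PAM_TYPE variables documented in pam_exec(8); the syslog tag, function names, allowed character set and 64-character cap are assumptions. PAM_USER and PAM_RHOST come from whoever is attempting the login, so the script sanitizes them before logging.

```shell
#!/bin/sh
# Hypothetical script.sh run by pam_exec after a failed authentication.
# PAM_USER and PAM_RHOST are chosen by the connecting side: treat them as
# untrusted input and never pass them to eval or use them as file names.

LOG_TAG="pam-auth-fail"   # assumed syslog tag, pick your own

# Replace everything outside a conservative character set and cap the
# length, so a crafted user name cannot inject newlines or forge extra
# key=value fields in the log record.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c 'A-Za-z0-9._@:/-' '?' | cut -c1-64
}

# Build a single-line key=value record from the PAM_* environment.
format_failure() {
    printf 'type=%s service=%s user=%s rhost=%s tty=%s' \
        "$(sanitize "${PAM_TYPE:-unknown}")" \
        "$(sanitize "${PAM_SERVICE:-unknown}")" \
        "$(sanitize "${PAM_USER:-unknown}")" \
        "$(sanitize "${PAM_RHOST:-local}")" \
        "$(sanitize "${PAM_TTY:-none}")"
}

# Only log when invoked from the auth stack; ignore logger errors so the
# script itself never changes the outcome of the PAM stack.
if [ "${PAM_TYPE:-}" = "auth" ]; then
    logger -t "$LOG_TAG" -p auth.warning -- "$(format_failure)" || true
fi
```

Records can then be read from the auth facility of syslog and counted per rhost or user to spot repeated failures.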